ExtraHop @ExtraHop

We stripped out security data to save our analysts from burnout. Now, it’s crippling our AI. For years, security teams have aggressively suppressed "noisy" background telemetry. It was a necessary survival tactic. Human capacity is finite, and shielding analysts from alert fatigue and burnout was the priority. But as we pivot to the agentic SOC, this strategy backfires. AI agents don't get fatigued, and they don't suffer from cognitive overload. They thrive on the baseline noise humans hate. When we slice up our data streams to keep human workloads manageable, we inadvertently starve our LLMs of the context they need to operate autonomously. By stripping away the background data, we force AI agents to: ➡️ Rely on guesswork ➡️ Waste capacity ➡️ Keep humans in the loop True autonomy requires feeding the machine the whole story, not just the highly edited highlights. Read our latest breakdown on how filtering your data caps your AI’s performance ceiling: xtra.li/4e9RFVD

🆕 Threat deep dive: How the Interlock ransomware group evades detection Key evasion and attack tactics include: ▪️ Memory-Resident Webshells: Dropping Java class files directly into memory on vulnerable Cisco Secure FMC devices to intercept commands and completely evade traditional antivirus disk scans. ▪️ Hotta Killer: Deploying a custom defense-evasion utility designed to blind security tools before their ransomware encryptors are ever launched. ▪️ Advanced Proxying: Configuring compromised Linux servers with HAProxy to obscure data exfiltration, while using cron jobs to automatically wipe system logs every 5 minutes. Get the full attack chain breakdown on the ExtraHop blog 🔗 xtra.li/4x8Z9kg

As organizations rush to scale AI into production, Kubernetes (K8s) is the go-to orchestration platform. But is your AI infrastructure secure? The very features that make Kubernetes so powerful -- distributed clusters, rapid workload scaling, and encrypted traffic -- are creating critical blind spots that threat actors are actively exploiting. If you want to protect your proprietary models and datasets, you need to know the 3 major opportunities attackers look for to compromise K8s clusters: 1️⃣ Limited workload visibility that makes it easier to hide malicious lateral movement 2️⃣ Supply chain vulnerabilities that can lead to host-level takeovers 3️⃣ Decentralized data that can cause delayed incident response ExtraHop's Heath Mullins breaks down how attackers exploit these flaws, providing actionable insights so your security team is ready to defend your infrastructure and confidently scale your AI initiatives 👉 xtra.li/4o6JHBe

Unlike static applications, AI introduces dynamic, unpredictable risks, like autonomous agents operating with unchecked privileges and prompt injections bypassing standard firewalls. To close these governance gaps, security teams need a sharper framework: 1️⃣ Track: Establish continuous visibility into every LLM and agent. 2️⃣ Monitor: Shift to behavioral analysis to spot anomalous AI actions in real-time. 3️⃣ Enforce: Move from static, written policies to active network enforcement. If you are trying to build out an oversight architecture for your organization's AI, here is a practical breakdown of how to close those gaps: xtra.li/3RxRaND

Coming up: CrowdStrike and ExtraHop team up for "5 Requirements for a Modern SOC" and you're invited! Join us Thursday, June 11, where we'll teach you how to: 💥 Outpace rapidly evolving threat actors 🛠️ Fix the visibility & burnout challenges crippling modern SOCs 🚀 Smart-charge your defense by putting AI to work Register today: xtra.li/4uQunuA

Siloed cybersecurity tools are no match for sophisticated adversaries. In a complex attack landscape, real success requires an interconnected ecosystem. This reality was put to the test on a global stage at NATO Locked Shields 2026, the world’s largest, most prestigious, and most complex live-fire cyber defense exercise. We are incredibly proud to share that the ExtraHop NDR platform was chosen play a critical role in this mission, providing the foundational network intelligence required to power the Joint Cyber Defense Stack against massive, coordinated nation-state simulations. In our latest blog, Sarah Cleveland breaks down what an operation of this unprecedented scale proved about modern cyber defense: 🤝 Orchestrating a Unified Front: Success depends on a layered framework where network detection, asset visibility, and malware analysis work in concert to close operational gaps before adversaries can exploit them. 🎯 The Power of Network Ground Truth: An integrated defense stack only functions if you have immediate, real-time network intelligence to capture threats in motion and seamlessly trigger the rest of your security infrastructure. ⚡ Cutting Through Live-Fire Noise: Unified decryption combined with live-fire PCAP analysis gives defenders the definitive tactical advantage needed to outpace advanced threat actors. Read Sarah’s full breakdown from the front lines of NATO Locked Shields 2026: xtra.li/49obhnw

🚀 Big news! We're expanding our partnership with Ignition into North America! After seeing incredible success collaborating across EMEA and APJ, we are thrilled to bring this momentum across the Atlantic to drive innovation for the agentic SOC. As security teams increasingly pivot to AI-powered defenses, high-fidelity network telemetry is everything. Poor data sidelines AI models, but ExtraHop's modern NDR platform decrypts and decodes network traffic in real-time and at scale, providing the foundational context that autonomous security operations need to act with machine-speed precision. Through this expanded partnership with Ignition (an Exclusive Networks company), we are bringing these powerful capabilities to North American enterprises, eliminating critical visibility gaps, and restoring the advantage to the defender. 🔗 Learn more: xtra.li/3ROFwOd

What does it take to run a modern, enterprise-grade #NDR platform? It requires an architectural foundation built for both deep visibility and advanced security automation. Look for capabilities like... 🔹 Full-stack intelligence & rich network context: Deep analysis across the entire network layer, including encrypted traffic and complex protocols, lets you see every user, device, and workload to provide the high-fidelity ground truth needed to fuel an agentic SOC. 🔹 Enterprise scale: Massive engineering capacity supporting high-throughput hybrid environments up to 400 Gbps ensures your team never drops packets or misses critical behaviors. 🔹 Tool consolidation: A single, consolidated pipeline unifying NDR, network performance monitoring, and packet forensics eliminates visibility gaps and operational overhead. We believe these core strengths are a major reason why ExtraHop was named a Leader in the 2026 Gartner® Magic Quadrant™ for Network Detection and Response once again. Read our co-founder Raja Mukerji’s full breakdown here: xtra.li/4uVmX9i

❌ Stop managing alerts. ✅ Start solving incidents. If your security team is spending more time correlating data than actually stopping threats, it’s time to pivot to an evidence-first approach. We are teaming up with Zscaler for an exclusive webinar on how to build an actionable, high-fidelity security framework. If you're looking to elevate your hybrid environment's defenses with robust SSE visibility and airtight Zero Trust enforcement, this one is for you. We’ll teach you how to: 👤 Accelerate threat investigations with deep, identity-first context 🔍 Validate incidents instantly with packet-level ground truth 🛡️ Supercharge response speed and drastically level up your team's detection confidence ⏳ Reclaim lost hours by reducing manual correlation Secure your spot here: xtra.li/43nXnhs

As threats evolve, your SOC needs to keep pace. Is your team ready? Join experts from CrowdStrike and ExtraHop for our upcoming webinar, "5 Requirements for a Modern SOC," where we’ll dive into: ▪️ How attackers have modernized their playbook (and why old defenses are failing) ▪️ Navigating the burnout, alert fatigue, and visibility gaps stalling today’s security teams ▪️ Practical ways to weaponize AI to cut through the noise and accelerate your response time 🗓 Date: Thursday, June 11, 2026 ⏰ Time: 10am PT/1pm ET 📍 Register: xtra.li/4uQunuA

The wait is over. ExtraHop is a Leader in the 2026 Gartner® Magic Quadrant™ for Network Detection and Response for the second year running, and the report is now ready for you to explore! The report provides a deep dive into the state of the market and how our "Ability to Execute" and "Completeness of Vision" placed us in the Leaders' quadrant. Why we believe ExtraHop continues to set the standard: ➡️ Visibility for the Agentic SOC: We provide the high-fidelity network telemetry required to fuel AI agents with certainty. ➡️ Eliminating Blind Spots: We help enterprises eliminate AI blind spots by monitoring new, unmanaged attack surfaces in real-time. ➡️ Performance at Scale: We offer the speed needed to secure modern, highly-dispersed enterprises. ➡️ Modernizing the Stack: We help security teams ditch slow and redundant legacy tools by unifying NDR, IDS, and forensics into one scalable solution. Get your complimentary copy of the report out now: xtra.li/4wHg51d

Enterprise AI is scaling fast, but the security infrastructure built to monitor it wasn't designed for this level of volume. Standard security systems were built for human-scale workloads, not 24/7 machine-to-machine activity. When traffic spikes, standard security tools simply can't process it all. Instead of giving an error, they fail silently, ignoring critical data to keep up. The result? Invisible security gaps where threat actors can move around, elevate their access, and hide in plain sight. We break down AI's latest challenge on the blog 👉 xtra.li/4dur8Sy

We’ve got some "extra" big news to share! For the second year in a row, ExtraHop is a Leader in the 2026 Gartner® Magic Quadrant™ for Network Detection and Response (NDR)! The landscape has changed. With AI-powered threats moving faster than ever and the rush to bring AI into the enterprise creating new blind spots, the SOC is under more pressure than ever to keep up. Whether it’s surfacing sophisticated, high-velocity threats or providing the ground truth needed to make the agentic SOC a reality, ExtraHop gives you the clarity to act when every second counts. We aren't just watching the network; we’re helping you defend the future of the enterprise. 👀 Want the full story? We’ll share the report very soon. Keep your eyes glued to the ExtraHop feed to see the data, the insights, and why ExtraHop is a Leader once again.

Meet DINDOOR: The new backdoor bypassing your EDR 👋 In early 2026, Iranian state-sponsored group MuddyWater began moving away from traditional executables and toward specialized runtimes. From U.S. financial institutions to Canadian NGOs and Israeli aerospace software firms, the reach of this campaign is global and its methods are evolving. The ExtraHop research team breaks down the latest threat on the blog: xtra.li/4eKhCx4

How did the EU Commission get breached? It started with a tool meant to improve security. 1️⃣ Attackers compromised the Trivy vulnerability scanner, turning a trusted security tool into a credential stealer. 2️⃣ Attackers then used stolen AWS API keys to enter the environment, hunt for more secrets and create new keys on existing accounts to stay under the radar. 3️⃣ Because they had valid credentials, their reconnaissance looked like normal admin activity. They spent 5 days inside before being caught by a spike in network traffic. The Result: 350GB exfiltrated. 71 clients affected. Details on the blog: xtra.li/42WHTAN

Cloud provider logs are built for *their* needs — platform uptime, billing accuracy, service reliability. Not yours. So when attackers move laterally across your environment, when subtle anomalies start stacking up, when regulators demand a precise account of a breach, you're working from a filtered, incomplete record you don't control. And you probably don't know it yet. The organizations that find out the hard way face: ❌ Longer dwell times ❌ Higher remediation costs ❌ Regulatory and legal exposure from evidence gaps The ones that get ahead of it? They stop relying on provider logs as their source of truth, and start owning the evidence layer themselves. Our co-founder Raja Mukerji breaks it down on the blog 👉 xtra.li/4tTl252

🚨 A new high-severity vulnerability Linux kernel vulnerability (CVE-2026-31431) has been identified, affecting major distributions since 2017. Dubbed "Copy Fail," it allows an attacker to gain total control of a Linux system by manipulating how the kernel handles data in real-time. Because it never modifies files on the disk, it bypasses many of the standard "gatekeeper" security tools that organizations have relied on for decades. What you need to know: → How the exploit works: It utilizes a "double-free" bug in Netfilter to gain arbitrary kernel read/write access. → Why it’s a major risk: It is highly reliable and has public exploit code available, making it a "turn-key" solution for attackers already inside a network. → The Patching Paradox: With public exploit code now widely available and highly reliable, this becomes a race against time for IT teams to move beyond "monthly" patch cycles and prioritize kernel updates for any Internet-facing or multi-user systems. More on the blog: xtra.li/4uq5DJg

When your channel managers are recognized on CRN's Women of the Channel list, it says something about what your partners are experiencing every day. Congratulations to Michelle Marchand and Virginia Ku on this well-earned recognition! Michelle and Virginia work directly with ExtraHop's partners, helping them build the expertise and confidence to guide their customers toward stronger, more resilient security postures. That kind of hands-on partnership is what turns a reseller relationship into a trusted security advisor. For our partners: this is the caliber of people in your corner. 🔗 xtra.li/48CPwzP

⚠️ IN THE HEADLINES: A sophisticated new campaign is tricking users into pasting malicious code to deploy MIMICRAT -- a RAT built for long-term espionage. MIMICRAT is built to evade detection by blending its Command and Control (C2) traffic with normal web activity and disabling EDR logging. With endpoint visibility actively compromised by the malware, defenders need network-level telemetry to keep an eye out for: → Disguised HTTP/S traffic → Domain fronting → Anomalous internal-to-external proxy activity More details here: xtra.li/3ORw5wj

A "by design" flaw in the Anthropic Model Context Protocol (MCP) allows attackers to weaponize normal AI workflows. The core issue? The protocol... ⚠️ Executes commands before validating if they are legitimate. ⚠️ Bypasses EDR and firewalls by hiding in uninspected east-west AI traffic. ⚠️ Weaponizes normal workflows to quietly exfiltrate sensitive data. Stop relying on signature-based rules. Learn the how you can better secure your agentic future: xtra.li/3P6j4PG