About This Page
Threat research is how the cloud security community learns from real attacks. This page collects the research teams, reports, feeds, and frameworks that cloud defenders actually read. Where possible, we link directly to the research output (a blog, a feed URL, or a report) rather than a vendor marketing page.
Spot something missing? Submit a PR on GitHub or email admin@csoh.org.
Vendor Research Teams
The fastest path to fresh, technical threat intel. These are the teams whose telemetry (incident-response engagements, agent fleets, sandbox detonations, honeypots) surfaces novel cloud-attacker behavior weeks or months before it lands in MITRE ATT&CK or the next annual report. Each team writes from a slightly different vantage (CSPM, EDR, IR consulting, IaaS provider, runtime), so cross-referencing two or three on the same incident usually fills in details any one source misses. Subscribe to a handful via RSS, weight the ones whose stack overlaps yours (cloud provider, K8s distro, EDR vendor), and treat the detections they publish as starter content for your own SIEM or hunt program.
Wiz Research
Cloud-native vulnerability research: tenant isolation failures, shared-responsibility gaps, and novel CSP bugs (e.g. ChaosDB, ExtraReplica, OMIGOD).
Unit 42 (Palo Alto Networks)
Threat intelligence on ransomware, APTs, cloud attack trends, and the annual Unit 42 Cloud Threat Report.
Mandiant / Google Cloud Threat Intel
Incident response telemetry, nation-state tracking (UNC/APT groups), and the annual M-Trends report.
Microsoft Threat Intelligence
Tracks actors like Storm-0558, Midnight Blizzard, and Octo Tempest, with deep Azure/Entra ID attack detail.
Google Threat Analysis Group (TAG)
Nation-state actor tracking, 0-day exploitation analysis, and coordinated disclosure research.
CrowdStrike Counter Adversary Ops
Adversary tracking (Scattered Spider, Cozy Bear, etc.), breakout-time stats, and the annual Global Threat Report.
SentinelLabs
In-depth malware reverse engineering and cloud intrusion analysis (e.g. LABRAT cryptojacking, Scarleteel).
Datadog Security Labs
Cloud detection engineering research, attack path analysis, and the annual State of Cloud Security report.
Sysdig Threat Research (TRT)
Container and Kubernetes attack research: cryptojacking operations, runtime exploits, and supply-chain threats.
Aqua Nautilus
Cloud-native threat research focused on container registries, package repositories, and CI/CD supply chain attacks.
Permiso Security
Identity-centric cloud threat research: LUCR-3 (Scattered Spider), AWS privilege escalation, and IdP abuse.
Cado Security Labs
Cloud incident response and forensics research, covering novel malware families targeting AWS, Azure, and GCP.
Google Cloud Security Blog
Product security research and detection content from Google Cloud, Chronicle, and BeyondCorp.
AWS Security Bulletins
Official AWS advisories for vulnerabilities affecting AWS services, open-source projects, and shared infrastructure.
Microsoft Security Response Center
MSRC advisories and vulnerability disclosure posts for Microsoft cloud, OS, and identity products.
IBM X-Force
Threat intelligence research and the annual X-Force Threat Intelligence Index with cloud attack trend data.
Cisco Talos Intelligence
One of the largest commercial threat intel teams: ClamAV, Snort, ransomware tracking, and deep adversary playbooks.
Proofpoint Threat Insight
Research into phishing, BEC, and cloud account takeover campaigns; a primary source for SaaS/M365 threats.
Annual Threat Reports
The strategic-level documents that set the conversation each year, read by CISOs, board members, and the practitioners who have to translate the findings into roadmaps. They're worth reading critically: each report is part marketing, part field data, and the vendors disagree as much as they agree (one will call ransomware the top threat, another will name initial-access brokers, a third valid-account abuse). That disagreement is itself useful: it tells you what's noisy in their telemetry vs. yours. Skim two or three each year, extract the numbers that matter (median dwell time, top initial-access vectors, ransom-pay rates, breach cost per record) and use them to ground budget conversations in something other than hype. Most are free downloads behind a form.
Mandiant M-Trends
Annual analysis of attacker behavior from Mandiant's incident response engagements, including dwell time stats and cloud-specific TTPs.
CrowdStrike Global Threat Report
Cloud intrusion growth rates, eCrime & nation-state actor profiles, and breakout-time benchmarks.
Unit 42 Cloud Threat Report
Dedicated to cloud posture and attack data from Palo Alto telemetry: config drift, exposed credentials, and misconfigurations.
Verizon DBIR
The industry-standard Data Breach Investigations Report: thousands of incidents analyzed, with growing cloud coverage.
IBM X-Force Threat Intelligence Index
Annual trends on initial access vectors, top attacked industries, and cloud credential abuse.
Datadog State of Cloud Security
Real-world cloud posture data: IMDSv2 adoption, long-lived credentials, and public storage exposure across thousands of accounts.
CSA Top Threats to Cloud Computing
Cloud Security Alliance's ranked list of cloud threats, updated periodically with real incident case studies (the "Pandemic Eleven").
ENISA Threat Landscape
European Union's annual threat landscape report, a useful non-US perspective on cloud, supply chain, and ransomware trends.
Sophos State of Ransomware
Annual survey of ransomware victims, including ransom payment rates, recovery costs, and attack entry points.
Notable Cloud Incidents & Post-Mortems
Real attacks beat tabletop scenarios: actual adversaries make moves a red team wouldn't think of, defenders miss things in ways no checklist predicts, and the fallout (regulatory, financial, reputational) makes the lesson stick. Each incident here has either a vendor post-mortem, a CISA advisory, or court documents detailed enough to reconstruct the attack step-by-step. Read them looking for recurring patterns rather than one-off vulnerabilities: identity sprawl and over-permissive roles, secrets committed to source, weak tenant isolation, supply-chain compromise, and gaps between provider and customer responsibility keep showing up across years and clouds. Start with our own step-by-step kill chains mapped to MITRE ATT&CK Cloud, then drill into the primary sources to see what each company actually disclosed (and, sometimes, what they tried not to).
CSOH Breach Kill Chains
Our in-house collection (Capital One, Storm-0558, SolarWinds, LastPass, MGM, Snowflake), all mapped to MITRE ATT&CK Cloud.
Capital One (2019)
SSRF → IMDSv1 → over-privileged IAM role → 106M records exfiltrated from S3. The case that made AWS ship IMDSv2.
Storm-0558 (2023)
Microsoft's own post-mortem on how a stolen consumer signing key was used to forge tokens for enterprise Exchange Online accounts.
SolarWinds / SUNBURST (2020)
Supply-chain compromise that pivoted to Azure AD / M365 via Golden SAML. CISA's remediation guide is the canonical reference.
LastPass (2022–23)
Home-PC Plex exploit → keylogger → master password → AWS S3 customer vault exfiltration. 33M customers affected.
Scattered Spider / MGM (2023)
CISA joint advisory covering Scattered Spider (Octo Tempest, UNC3944) tradecraft: help-desk social engineering, Okta abuse, Azure pivot.
Snowflake / UNC5537 (2024)
Infostealer-harvested credentials used against Snowflake tenants without MFA; impacted 165+ organizations.
Uber (2022)
Contractor MFA fatigue → PAM vault credentials → domain admin, AWS, GCP, Slack. Uber's own disclosure.
Microsoft AI SAS Token Leak (2023)
38TB of internal data exposed via an overprivileged, long-lived Azure SAS token on a public GitHub repo. Discovered by Wiz.
Codecov (2021)
Docker image credential compromise leading to bash uploader tampering, a supply-chain attack that exposed customer CI secrets.
Okta Support System (2023)
Okta's own post-mortem on the HAR-file compromise affecting 100% of customer support tickets.
CISA Cybersecurity Advisories
US government post-incident advisories (AA-series), the most detailed public documentation of major ongoing campaigns.
IOC Feeds & Threat Intel Platforms
The atomic layer of threat intelligence: IPs, domains, file hashes, C2 beacons, malicious certificates, and the platforms that aggregate and enrich them. IOCs are perishable (adversaries rotate infrastructure on hours-to-days timescales), so use them for retrospective hunts and high-confidence blocklists, not as a substitute for behavioral detection. The real value comes from feeding them into your SIEM, EDR, or DNS sinkhole so a hit pages someone, and from using enrichment platforms (VirusTotal, GreyNoise, Censys, Shodan) to triage alerts in seconds instead of hours. Most of these sources offer a free community tier and a paid commercial tier; the free tiers are usually enough for a small team to bootstrap a hunt program.
AlienVault OTX
Open Threat Exchange: community-contributed IOC "pulses" with IPs, hashes, domains, and CVEs. Free API.
abuse.ch (URLhaus, ThreatFox, MalwareBazaar)
High-signal feeds for malicious URLs, malware samples, and C2 infrastructure. Free non-commercial use.
VirusTotal
File, URL, IP, and domain reputation; the industry's default triage tool. VT Intelligence for hunting requires a paid plan.
MISP
Open-source threat intelligence platform used by CERTs and enterprises for sharing, correlating, and storing IOCs.
Shodan
Search engine for internet-exposed services; find your own exposed S3, RDS, and Kubernetes API servers before attackers do.
GreyNoise
Tells you whether an IP is part of internet-wide scan noise or targeted activity; cuts false positives on scan-based detections.
Censys Search
Internet scanning and attack-surface search; track adversary infrastructure (Cobalt Strike beacons, phishing kits) across the IPv4 space.
CIRCL.lu
Luxembourg CERT; hosts public passive DNS (pDNS), passive SSL certificate history, and hashlookup services for free.
Feodo Tracker
Live feed of botnet C2 IPs (Emotet, Dridex, TrickBot, IcedID), perfect for blocklist automation.
Spamhaus
Long-running IP/domain reputation feeds; SBL, XBL, PBL, and the Botnet Controller List (BCL) are widely used at perimeters.
IBM X-Force Exchange
Collaborative threat intelligence platform for IOC enrichment and sharing. Free tier includes API access.
OSINT Framework
Tree of open-source intelligence resources, useful when pivoting from an IOC to actor attribution.
"Reading vendor research is necessary; running detections against it is what actually protects you." (how this page is meant to be used)
Attack Frameworks & Matrices
Shared vocabularies for talking about attacker behavior, defender countermeasures, and detection coverage. MITRE ATT&CK is the lingua franca (its Cloud, Containers, and Kubernetes matrices show up in nearly every serious threat report), and D3FEND maps countermeasures back to those same techniques so you can reason about defensive coverage instead of just attacker creativity. Specialized matrices (Microsoft's Kubernetes Threat Matrix, OWASP's Cloud-Native Top 10) zoom in on environments where ATT&CK is too generic to be actionable. The practical move: pick one technique your team has missed in a recent incident, find every public detection rule for it (Sigma, Elastic, Splunk), measure your current coverage, and close the gap. Repeat. Over a quarter or two this turns into a real detection-engineering program rather than a wall of unread alerts.
MITRE ATT&CK Cloud Matrix
The canonical tactics/techniques mapping for AWS, Azure AD, GCP, Office 365, and SaaS attacks.
MITRE ATT&CK Containers Matrix
Tactics and techniques focused on container runtimes and Kubernetes, including escapes and orchestrator abuse.
MITRE D3FEND
Defensive technique knowledge graph; pairs with ATT&CK to map what you can actually do about each technique.
Microsoft Kubernetes Threat Matrix
Kubernetes-specific threat matrix modeled on ATT&CK β still the best starting point for K8s threat modeling.
OWASP Cloud-Native Top 10
OWASP's ranked list of cloud-native application risks; complements ATT&CK with an application-layer view.
TheHive Project
Open-source SOAR/IR platform that pairs with MISP for case management and observable enrichment.
Sigma Rules
Generic, vendor-agnostic detection rule format. The public rule repo is a goldmine of ready-to-translate detections.
Elastic Detection Rules
Elastic's public repo of tested detections, including cloud-focused rules for AWS, Azure, GCP, and O365.
Government & Regulatory Advisories
Authoritative, attribution-grade detail you can't get anywhere else. CISA, NCSC, NSA, FBI, ACSC, and their counterparts have visibility into incidents most vendors don't (federal IR engagements, classified telemetry, sector-wide ISAC reporting), and they declassify enough of it into public advisories for defenders to act on. Joint advisories (multi-agency, often multi-country) are where you'll find the cleanest technical write-ups of active nation-state campaigns, including specific TTPs, IOCs, and recommended mitigations. The KEV catalog deserves special attention: if a CVE lands there, it has been observed in real attacks and your patching SLA for it should be days, not quarters. Subscribe to the email lists or RSS feeds for at least your home country's national CERT and CISA's advisories; both are free and signal-dense.
CISA Advisories
US Cybersecurity and Infrastructure Security Agency: alerts, binding directives, and joint advisories.
CISA Known Exploited Vulnerabilities (KEV)
Authoritative list of CVEs observed being exploited in the wild. Patch these first.
FBI IC3 Industry Alerts
FBI's public alerts on ongoing criminal campaigns: BEC, ransomware, cryptocurrency theft.
NSA Cybersecurity Advisories
NSA's public guidance, including cloud security hardening documents and joint advisories with CISA.
UK NCSC
UK's National Cyber Security Centre: advisories and guidance, particularly strong on supply chain and secure-by-default cloud configuration.
Australian Cyber Security Centre (ACSC)
ACSC advisories, often first to publish on APAC-targeted campaigns and the source of the Essential Eight controls.
NIST National Vulnerability Database
US government CVE enrichment β CVSS scores, CPE matching, references.
CVE.org
The authoritative CVE Program β search, watch feeds, and access the raw CVE records.
Help Us Keep This Current
Threat research moves fast and this page will go stale if the community doesn't help. Know a team, report, or feed we should add? Noticed a broken link?
Submit a PR
Edit threat-research.html on GitHub and open a pull request, the fastest way to get a new source listed.
Email a Suggestion
Not comfortable with GitHub? Email us with the source URL and a one-line description.
Email admin@csoh.org
Present Your Research
Got original threat research to share? Come present it on a Friday Zoom session.
Friday Zoom Sessions