Almost every major breach in the past five years could have been prevented by a patch released months earlier. Here is why patching keeps failing as an organisational practice and how the better operators run it differently.
Jesse William McGraw
Jesse William McGraw
Jesse William McGraw, also known as GhostExodus, is a former insider threat and threat actor. He became the first person in recent U.S. history to be convicted of corrupting industrial control systems. Today he focuses on threat intelligence, OSINT, and public speaking, using his knowledge to bring awareness to the security risks that organisations and individuals face.
Modern phishing is not the misspelled-prince email of legend. It is a multi-stage, infrastructure-heavy operation with adversary-in-the-middle proxies, legitimate cloud abuse, and AI-generated copy. Here is what a 2026 campaign actually looks like, end to end.
Not all multi-factor authentication is equal. SMS codes, authenticator apps, push notifications, and hardware security keys defend against very different attacks — and only some of them survive a determined phisher in 2026.
Zero Trust is the most-used and least-understood security buzzword of the decade. Here is what it actually means, where the original NIST model came from, and how to evaluate whether a vendor is selling you the architecture or just the sticker.
Endpoint Detection and Response, Extended Detection and Response, Managed Detection and Response — the alphabet soup of modern endpoint defence is real but confusing. Here is what each tier actually does, where it stops working, and how to choose.
Play — also known as PlayCrypt — does not run an open RaaS. It runs a closed shop with vetted affiliates, an unusual aesthetic, and a steady cadence of attacks against cities, schools, and managed service providers. Quietly, it has become one of the most prolific operators of the post-LockBit era.
Hive was a top-tier RaaS that hit hospitals, schools, and Costa Rica’s public sector — until the FBI quietly infiltrated its infrastructure for seven months, harvested decryption keys, and dismantled the operation in January 2023.
DarkSide ran for less than a year before its attack on Colonial Pipeline rewrote the politics of ransomware in May 2021. Then it disappeared, rebranded as BlackMatter, and seeded what would eventually become BlackCat/ALPHV. A short, consequential life.
Akira launched in March 2023 with a 1980s green-screen aesthetic and rapidly became one of the most active ransomware operations in the world, riding waves of Cisco VPN exploitation and a steady stream of mid-market victims. Here is what makes it distinctive.
Black Basta walked out of the Conti collapse in 2022 and rapidly became one of the top RaaS programs in the world, with a particular taste for healthcare and critical infrastructure. Then internal chats leaked again — and the playbook started looking familiar.