Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The Domain Name System (DNS) is a critical component of internet infrastructure, responsible for translating human-readable domain names into IP addresses. However, the ubiquitous nature and often-overlooked security aspects of DNS make it a prime target for malicious actors. This blog post investigates the tools used for data exfiltration over DNS, the techniques involved, and the countermeasures to mitigate these threats.

In today’s fast-moving digital world, cybersecurity is no longer just an IT concern: it is a business imperative, and a game-changer. For many years, cybersecurity was perceived as a necessary expense, a cost center that consumed expensive resources mainly to mitigate risks and to prevent threats. But leading organizations now realize that strong cybersecurity is not just about protection, but it is a real driver of growth, customer trust, and competitive advantage.

The Model Context Protocol (MCP) is a standardized framework that enables large language models (LLMs) to interact with external tools, APIs, and data sources. While MCP offers powerful integration capabilities across software development, data analysis, automation, and security operations, it also introduces serious security risks. This post provides a technical overview of how MCP works, its architecture, and real-world use cases.

Netskope Threat Labs is pleased to announce the release of a new open-source tool that detects supply chain attacks. Our new tool, Behavioral Evaluation of Application Metrics (BEAM), requires no endpoint agent deployment and will analyze the network traffic you are already capturing in your organization to determine if your applications are communicating with unusual hosts that could be part of an attack. This tool is the subject of a 2025 Black Hat USA briefing.

Large language models (LLMs) are transforming enterprise operations, but their growing use introduces a critical security challenge: securing how they access sensitive data and integrate with existing tools. This is where Model Context Protocol (MCP) servers become a vital, yet often overlooked, part of AI security. These servers act as the crucial link, enabling LLMs to securely connect with diverse data sources and tools, significantly expanding attack surfaces that demand our immediate attention.

Any organization that’s undergone a security transformation knows the promise of zero trust network access (ZTNA): secure, least-privilege access to private applications, anywhere, on any device. But turning that promise into operational reality is often far from simple. Between fragmented tools, complex configurations, and sprawling environments, implementing ZTNA can quickly become a manual, time-consuming, and error-prone process.

As someone that’s been in the industry for over 20 years, I’ve seen my fair share of online scams. But this is the kind of story you hear and can’t quite believe. At the last RSA cybersecurity conference, a colleague of mine–someone who lives and breathes digital security, a CISO–admitted he’d been taken in by an online romance scam. My first thought was, how?

SASE has transformed how organizations approach secure networking, uniting security and connectivity into a single, cloud-delivered model. As one of the original architects of SASE (along with Neil MacDonald), I was invited at ONUG Dallas to reflect on the state of SASE and what we might have missed in our original research.

In September 2024, Netskope Threat Labs reported on the XWorm malware and its infection chain. We revealed new XWorm command and control (C2) commands and dissected its notable features. After nearly a year of tracking this malware, we discovered a new version (version 6.0) in the wild, which introduced new features such as process protection and enhanced anti-analysis capabilities.