Command Zero
Computer and Network Security
Austin, Texas 6,038 followers
Supercharge tier-2+ analysis
About us
Command Zero is the industry’s first autonomous and AI-assisted cyber investigations platform, built to transform security operations in complex enterprise environments. The platform reduces the need for technology-specific expertise for tier-2, tier-3 analysts, incident responders and threat hunters. Command Zero enables all users to perform at the highest level by ensuring consistent, repeatable, auditable investigations with automated reporting.
- Website: https://www.cmdzero.io
- Industry: Computer and Network Security
- Company size: 11-50 employees
- Headquarters: Austin, Texas
- Type: Privately Held
- Founded: 2022
- Specialties: Cyber investigations, Threat hunting, Security Operations, and Automation
Locations
- Austin, Texas, US (Primary)
- Calgary, Alberta, CA
Updates
-
Command Zero reposted this
I'm hiring a marketing manager to join our team! Do you still believe in the power of being human in a world of AI slop? Still a fan of creating authentic content while getting the best from AI and modern tools? You can turn technical conversations into content that can make a CISO stop scrolling? Let's talk! I'm hiring a Marketing Manager who can extract compelling narratives from security architects, create weekly thought leadership content that practitioners actually want to read, drive customer marketing and manage field events. You'll work directly with me and our leaders to translate complex security operations concepts into stories that resonate—using AI tools where they help, ignoring them where the good old human ways still deliver the best content. We are expecting this person to be part cybersecurity journalist, cat herder and storyteller. Check out the job description for more: https://lnkd.in/d6mGb-pH We are not working with recruiters for this role at this time.
-
Command Zero reposted this
Who's still brute forcing passwords in 2025? That was my first thought while reviewing authentication logs during a recent threat hunting engagement. We have lockouts. We have complexity requirements. We have MFA. An entire industry of controls designed to make this obsolete. Except I was staring at steady failed login attempts across multiple accounts. So I dug deeper. Every user appeared in multiple entries in breach databases. Not one breach—multiple. The attackers were betting on password reuse. And they were winning that bet. Your users appear in breach databases. Do you know which ones do and what you're doing about it? I wrote about: → Why traditional security stacks miss distributed credential attacks → The trial signup problem nobody discusses → How to structure credential attack investigations with hunting questions and facets → Practical steps to identify and respond to breach-exposed accounts. Read more: https://lnkd.in/gXPtmxUX
-
Command Zero reposted this
Anthropic's GTG-1002 disclosure confirms something we've known was coming: Sophisticated attackers are now using AI to conduct cyberattacks at machine speed and scale. The campaign hit ~30 organizations simultaneously. The AI made thousands of requests, often multiple per second. It performed reconnaissance, developed exploits, harvested credentials, and categorized exfiltrated data—with human operators involved at just 4-6 critical decision points per campaign. This is the threat landscape shift everyone predicted. However, what most people overlook is that when attacks target 30 organizations simultaneously, the investigation must also scale accordingly. During my 24 years in this industry, I've witnessed the same investigation bottleneck repeat itself: sophisticated attacks occur, evidence is scattered across multiple systems, and analysts spend days manually piecing together what happened. Not because they lack skill. Because human-paced investigation fundamentally cannot match the scale of machine-paced attacks. Command Zero's AI augmentation wasn't an opportunistic response to recent LLM advances. It was the foundational architecture we designed from the start—because the investigation bottleneck has always been about cognitive load and tool fragmentation, not analyst expertise. The LLM progression over the past two years just finally gave us the capabilities we needed to build it properly: • Multi-step reasoning sophisticated enough to decompose complex questions • Tool use reliable enough to query across heterogeneous data sources • Domain performance strong enough to understand security concepts Our goal was never replacement. It was augmentation: AI handles the mechanical query work so analysts can focus on the analytical judgment that only humans can provide. Now, when threat actors use AI to attack at scale, defenders can investigate at matching scale. That's always been the plan. Now it's an operational reality. Full writeup: https://lnkd.in/gp5upNVB
-
Command Zero reposted this
Dov Yoran from Command Zero sat down with Kyle Alspach at CRN to chat for "Why Cybersecurity Jobs Are Likely To Resist AI Layoff Pressures." (Link in the comments!) “You need that creativity. You need to understand and piece together and review the LLM’s work,” said Dov Yoran, co-founder and CEO of Command Zero, a startup offering an LLM-powered cyber investigation platform. “I don’t see how the human goes away.” And while entry-level security analysts may find parts of their roles becoming redundant due to AI, most organizations will want to continue employing them, if only to prepare them to become higher-tier analysts over time, Yoran said. “You’ll certainly still need those Tier 2 and 3 [analysts] that have the experience,” he said. “Where are those going to come from, if you all of a sudden kill your Tier 1 footprint?”
-
Command Zero reposted this
I noticed a recent Reddit thread discussing numerous problems that many analysts and social workers face these days, including the lack of process, limited growth paths, the pain points of legacy tools, and the chaos of day-to-day operations. In this post, I dive into that thread and highlight everything wrong with the L1 SOC crisis that exists in far too many organizations! https://lnkd.in/ga3YMJth
-
Command Zero reposted this
Just returning from our offsite in Playa Del Carmen, I'm reminded that now and again it's good to take a step back, breathe in the air and take frequent rests. As analysts, as product developers, as humans we all need to make sure we're taking care of ourselves so we can take care of others! https://lnkd.in/gtZfzMBR
-
Command Zero reposted this
“An attacker only has to get it right once. A defender has to get it right every time," says Command Zero's Alfred Huger. Founded by cybersecurity veterans Alfred Huger, Dov Yoran, and Dean De Beer, Command Zero was built to solve one of the industry’s biggest challenges: scaling human expertise through automation. Their mission is simple but ambitious — empower security teams to focus on complex investigations, not repetitive tasks.
-
Command Zero reposted this
What happens when you're investigating a phishing case and the data looks as though the call (email) is coming from inside the house? Last week I was investigating reports from a customer who kept getting spoofed emails that looked 100% legitimate—complete with correct sender addresses, signatures, everything. The culprit? Microsoft 365's Direct Send feature, which bypasses DKIM, SPF, and DMARC checks to let legacy devices send mail. Convenient for printers. Perfect for attackers impersonating your executives. For newer analysts, this is a nightmare scenario: every signal says "trusted internal sender" while the threat is already inside your perimeter. Here's how to spot this attack before it becomes your next incident: https://lnkd.in/e44B5iU5
-
Command Zero reposted this
Modern BEC attacks move faster than most teams can investigate—not from lack of skill, but from fragmented data sources. Analysts jump between Azure AD logs, Exchange PowerShell, Graph API calls, and SharePoint activity, each requiring different query syntax, while the attack spreads. In this post, I summarize a recent BEC case showing the OAuth persistence and mail manipulation tactics attackers use, then demonstrate how Command Zero's investigation framework transforms this fragmented process into a systematic, rapid response. https://lnkd.in/gPghT9ei