DISCARDED: Tales From the Threat Research Trenches

Hosted by Proofpoint

Technology

Website RSS feed

Episodes

105

Latest episode

Jun 2026

Language

About the show

DISCARDED: Tales from the Threat Research Trenches is a podcast for security practitioners, intelligence analysts, and threat hunters looking to learn more about the threat behaviors and attack patterns. Each episode you’ll hear real world insights from our researchers about the latest trends in malware, threat actors, TTPs, and more. Welcome to DISCARDED

Listen to episodes

60 recent

June 9, 2026Episode 1031 hr 5 min

Diving Into the DBIR: Vulnerabilities, AI, and Supply Chain

Send us fan mail!Hello to all our Cyber Pals!Host Selena Larson is joined by guest host Sarah Sabotka as they chat with returning guest: Alex Pinto, Associate Director of Threat Intelligence at Verizon Business, and the architect behind the Verizon Data Breach Investigations Report. Alex joins hosts Selena Larson and Sarah Sabatka to break down the most important findings from this year's report — and there's a lot to unpack.From vulnerabilities overtaking credential abuse as the leading initial access vector, to the sobering reality that organizations are patching more but getting worse outcomes, this year's DBIR paints a complex picture of a threat landscape under pressure. The team also digs into the rise of pretexting and voice-based social engineering, what the data actually says about GenAI and threat actors (spoiler: mostly reinventing the wheel — for now), and why third-party and supply chain compromises are quietly becoming one of the biggest stories in security.They discuss:The VERIS framework and why standardization in threat intelligence mattersRansomware taxonomy, data extortion, and why classification is still a headachePretexting vs. phishing — and why they require completely different defensesVulnerability exploitation as the new number one initial access vectorPatching capacity and why outcomes are getting worse despite more effortWhat the DBIR data actually shows about GenAI usage by threat actorsThird-party and supply chain breaches — up 60% year over yearShadow AI and the emerging DLP problem no one's fully ready forA sneak peek at Verizon's upcoming cost-of-a-data-breach reportThe DBIR drops once a year — make sure you're getting the most out of it with this breakdown straight from the source, all 121 nutritious, fiber-rich pages of it.Resources Mentioned:2026 DBIRFor more information about Proofpoint, check out our website.Subscribe & Follow:Stay ahead of emerging threats, and subscribe! Happy hunting!

May 27, 2026Episode 10246 min

"Always Intentional": A CISO's Pragmatic Take on the Agentic Era

Send us fan mail!What does it actually look like to bring AI into a threat intelligence program at one of the internet's most iconic companies?Hello to all our Cyber Pals!Host Selena Larson is joined by guest host, Sarah Sabotka as they chat with Sean Zadig, Chief Information Security Officer (and "Chief Paranoid") at Yahoo, for a candid conversation about the evolving intersection of AI and cybersecurity.Sean shares how Yahoo's security team, the Paranoids, is navigating the agentic AI transformation: from running a company-wide "skill-a-thon" to get every team member building Claude-powered tools, to rethinking legacy infrastructure from the ground up. He also opens up about what keeps him up at night; including the looming threat of AI-powered exploit frameworks like Mythos, the growing signal-to-noise problem in threat intel feeds, and the very real risk of analyst burnout as the pace of the industry accelerates.But Sean's outlook is surprisingly optimistic. He argues that defenders have a home-field advantage, that the best code ever written is just 12–18 months away, and that the goal of AI in security shouldn't be doing more with fewer people–it should be building more resilient teams.For more information about Proofpoint, check out our website. Subscribe & Follow:Stay ahead of emerging threats, and subscribe! Happy hunting!

May 12, 2026Episode 10153 min

A Device Code Explosion: The New Era of AI-Enabled Phishing

Send us fan mail!Hello to all our Cyber Sunbeams!Host Selena Larson is joined by guest host, Sarah Sabotka as they chat with Jake Gionet to unpack one of the fastest-growing threats in today’s cyber landscape: device code phishing.What started as a niche technique used in red team exercises has quickly evolved into a widely adopted method for account takeover—fueled by publicly available phishing kits and accelerated by AI-assisted tooling. The trio breaks down how device code phishing works, why it’s suddenly everywhere, and how attackers are exploiting legitimate authentication flows to bypass traditional defenses.They also explore the rise of “phishing-as-a-service” platforms like Evil Tokens, the surprising lack of sophistication behind many campaigns, and how AI is both enabling attackers and exposing their mistakes. Along the way, they dig into real-world examples, threat actor missteps, and the blurry line between innovation and imitation in cybercrime.If you’ve been hearing the buzz around device code phishing and want a clear, grounded explanation—without the hype—this episode delivers. Plus, practical insights on what defenders should actually focus on as these techniques continue to evolve.Resources Mentioned:https://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeoverhttps://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeoverFor more information about Proofpoint, check out our website. Subscribe & Follow:Stay ahead of emerging threats, and subscribe! Happy hunting!

April 28, 2026Episode 1001 hr 0 min

Champagne with Our Campaigns: A 100th Episode Happy Hour

Send us fan mail!Hello to all our Cyber Pals, Cyber Centaurs, Cyber Stars, and listeners who have been with us for 100 episodes! It’s our 100th episode—and we’re raising a glass to celebrate. 🥂Host Selena Larson is joined by long-time guest hosts, Sarah Sabotka and Tim Kromphardt, and honorary host, VP of Proofpoint Threat Research Daniel Blackford, for this commemorative episode of Discarded! We reflect on the journey so far, revisit standout moments, and look ahead to what’s next in cybersecurity.From unforgettable guests and inside jokes to real lessons learned from years of tracking threat actors, this episode is part celebration, part reflection, and part unfiltered cyber chat.We dig into:Favorite podcast guests and the insights that stuck with usThe reality vs. hype of AI in cybersecurity (and what’s actually useful)How threat actors are evolving—and where they’re… notThe surprising truth about targeting, myths in the industry, and why attackers don’t need to be sophisticated to be effectiveBehind-the-scenes looks at the tools and research we’re building right nowPlus, we answer listener questions, share a few laughs (and a few drinks), and talk about what the next 100 episodes might hold.Whether you’ve been with us since episode one or just discovered the show, this milestone episode is a thank-you to our listeners—and a reminder that cybersecurity is as much about people as it is about technology.Cheers to 100 episodes. 🍾Resources Mentioned:https://www.nytimes.com/2026/04/04/technology/ai-chatbots-teen-roleplay.htmlFor more information about Proofpoint, check out our website. Subscribe & Follow:Stay ahead of emerging threats, and subscribe! Happy hunting!

April 14, 2026Episode 9933 min

Magic Packets & Stealth Backdoors: The Art of Detection Engineering

Send us fan mail!Hello to all our Cyber Daffodils! Host Selena Larson, and guest Host, Tim Kromphardt, sit down with Stuart Del Caliz, Senior Threat Detection Engineer at Proofpoint, to unpack the stealthy world of backdoors, malware detection, and the “secret signals” threat actors use to stay hidden.From magic packets and port knocking to sophisticated backdoors like BPFdoor, Stuart shares how attackers design covert communication methods—and how defenders work to uncover them without overwhelming security teams with noise. The conversation blends deep technical insight with real-world analogies (think speakeasy knocks and undercover “internet cops”) to make complex detection strategies easier to understand.You’ll also hear:How detection engineers balance accuracy and performance when writing IDS/IPS signaturesWhy some advanced malware can remain undetected for years—and whether we’re simply not seeing itHow historic leaks like Shadow Brokers still influence modern attack techniquesThe role of “pattern matching” in identifying evolving malware behaviorsHow file metadata and revoked certificates can reveal threats hiding in plain sightWhy community collaboration and feedback loops are critical to stronger detectionsWhether you’re a security practitioner or deep in the trenches, this episode offers a closer look at the craft of detection engineering—and the constant challenge of writing high-fidelity detections against increasingly evasive threat techniques.Resources Mentioned:https://community.emergingthreats.net/https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report/https://www.wired.com/story/nsa-hacking-tools-stolen-hackers/https://github.com/x0rz/EQGRPFor more information about Proofpoint, check out our website. Subscribe & Follow:Stay ahead of emerging threats, and subscribe! Happy hunting!

March 26, 2026Episode 9838 min

Regional Threats, Global Impact: A TA2725 Case Study

Send us fan mail!Hello to all our Cyber Pals! Guest host Sarah Sabotka sits down with Senior Threat Researcher Jared Peck to unpack one of the most dynamic and persistent cybercrime groups operating today: TA2725, also known as “Grana.”From its roots in Latin America to its global reach, TA2725 stands out for its adaptability—and its relentless pursuit of financial gain. Jared shares how the group evolved from a high-volume malware operator into a multifaceted threat actor running phishing, fraud, and malware campaigns simultaneously. The conversation dives into how Grana targets regions like Brazil and Mexico, why their tactics shift across geographies, and what makes their operations uniquely complex.You’ll also hear:How threat actors “graduate” to official TA designations (and why it’s a big win for researchers)The impact of law enforcement disruptions on major malware operations like GrandoreiroWhy Latin America’s banking infrastructure shapes cybercrime tactics differentlyThe rise (and fall) of RMM tools in TA2725’s playbookWhat clues reveal whether activity comes from one group—or an entire cybercrime “service” ecosystemWhether you’re in cybersecurity or just curious about how modern cybercrime operates, this episode offers a fascinating look at a threat actor that refuses to stay in one lane—and what that means for organizations worldwide.For more information about Proofpoint, check out our website. Subscribe & Follow:Stay ahead of emerging threats, and subscribe! Happy hunting!

March 10, 2026Episode 9742 min

TrustConnect RAT: Inside a Vibe-Coded Malware Ecosystem

Send us fan mail!Hello to all our Cyber Pals! Host Selena Larson and co-host, Tim Kromphardt, chat with Tommy Madjar, Senior Threat Researcher from Proofpoint, to unpack one of the strangest malware investigations of the year: TrustConnect RAT.What started as a seemingly legitimate remote management tool quickly unraveled into a bizarre, fast-evolving ecosystem of “vibe-coded” malware. TrustConnect masqueraded as a polished RMM platform—complete with fake testimonials, inflated customer counts, and even an extended validation (EV) code-signing certificate to appear trustworthy. But beneath the surface? Sloppy AI-generated web panels, exposed administrative pages, and a backend that literally labeled infected machines as “victims.”Tommy walks through how the team discovered the malware, why attackers are increasingly building their own fake RMM platforms instead of abusing legitimate ones, and how the use of EV certificates helped the malware evade detection across security tools. The conversation also dives into:The explosion of legitimate RMM abuse in cybercrimeHow AI-assisted “vibe coding” is lowering the barrier to entry for malware developmentThe surprising operational security failures that exposed both the malware author and their customersConnections to past crimeware activity and possible ties to known actorsThe rapid evolution of the “Connect” malware family, including newly spotted variantsHow Proofpoint disrupted the operation by working with partners to revoke certificates and take down infrastructureAlong the way, the team explores a broader theme: what happens when threat actors move fast with AI—but don’t fully understand security fundamentals? Resources Mentioned:https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-ratFor more information about Proofpoint, check out our website. Subscribe & Follow:Stay ahead of emerging threats, and subscribe! Happy hunting!

February 26, 2026Episode 9650 min

AI as a Tool, Not a Replacement: Malware Research in the Age of LLMs

Send us fan mail!Hello to all our Cyber Pals! Host Selena Larson and co-host, Sarah Sabotka, chat with Kyle Cucci, and Dr. Chris Wakelin, Threat Researchers from Proofpoint. They unpack how artificial intelligence is shaping modern malware analysis and detection workflows. The conversation explores how large language models are already embedded in day-to-day security operations—from accelerating rule creation and tooling development to helping analysts quickly interpret complex malware behavior.Drawing on real-world examples from the team’s work, the episode highlights both the promise and the limitations of AI in cybersecurity. Chris and Kyle share how AI can streamline tedious reverse-engineering tasks, compare malware variants, and surface insights faster—while emphasizing the ongoing need for expert validation, thoughtful prompting, and a human-in-the-loop approach to ensure accuracy and reliability.We also discuss:Practical ways AI is used today to support malware reverse engineering and detection developmentPrompting strategies that help reduce hallucinations and improve analysis outcomesThe role of MCP (model context protocol) and emerging agentic AI concepts in security toolingIndicators and characteristics of AI-assisted malware developmentReal-world examples of prompt injection attempts within malicious codeWhether AI-generated malware meaningfully changes defender workflows or primarily increases speed and scaleHow defenders and threat actors alike are leveraging the same AI capabilities across the threat landscapeUltimately, this episode offers a balanced look at AI’s growing influence in cybersecurity—showing how intelligent tools can amplify analyst effectiveness while reinforcing that expertise and critical thinking remain central to effective malware defense.

February 10, 2026Episode 9542 min

Snowball Learning: Getting Real About Cybersecurity Training

Send us fan mail!Hello to all our Cyber Pals! Host Selena Larson and co-host, Sarah Sabotka, chat with Dr. Bob Hausmann, Lead Cognitive Scientist of Human Risk Management at Proofpoint. They have a timely conversation on whether cybersecurity training actually works and what it takes to make it effective.They unpack why traditional annual training and phishing simulations often fall short, and how insights from cognitive psychology can help organizations design awareness programs that truly change behavior. Drawing on Dr. Bob’s recent research, the conversation explores just-in-time nudges, microlearning, and how understanding attention, memory, and emotion can make security guidance more actionable in the moments that matter most.In this episode, they cover:Why once-a-year security training shows little impact on real-world behaviorHow just-in-time nudges work and where they fit into security awareness programsThe role of cognitive load, attention, and repetition in learning and memoryHow amygdala hijack and emotional manipulation factor into phishing successWhy foundational knowledge is critical for nudges to be effectiveThe difference between education-driven nudges and punitive approaches to trainingPractical ways organizations can design training that fits into everyday workflowsThis episode offers a research-backed, human-centered look at security awareness—showing why better outcomes depend less on blaming users and more on designing training that works with the brain, not against it.Resources Mentioned:https://www.proofpoint.com/us/blog/security-awareness-training/cybersecurity-nudges-cautionary-taleFor more information about Proofpoint, check out our website. Subscribe & Follow:Stay ahead of emerging threats, and subscribe! Happy hunting!

January 29, 2026Episode 9445 min

Emerging Threats in 2026: Inside Proofpoint’s Detection Playbook

Send us fan mail!Hello to all our Cyber Pals! Host Selena Larson and co-host, Tim Kromphardt, chat with Rich Gonzalez, Director of Emerging Threats at Proofpoint, to kick off 2026 with a behind-the-scenes look at how emerging threats are detected, tracked, and turned into real-world protections for defenders.They explore what it really takes to keep pace with an always-on threat landscape, from rapid response to newly released proof-of-concepts, to why certain vulnerabilities like Log4j continue to dominate attacker activity years later. The conversation also digs into alert fatigue, the realities of SOC burnout, and where automation and AI can genuinely help versus where trust, accuracy, and human judgment still matter most.In this episode, they cover:How Proofpoint’s Emerging Threats team monitors global attacker behavior and delivers fast, high-confidence detectionsWhat happens behind the scenes when a proof-of-concept drops (especially during holidays)Why some CVEs remain “evergreen” targets and never truly go awayThe balance between speed and accuracy in rule writing without overwhelming SOC teamsWhere AI and machine learning are being used today to reduce tedious work and improve triageThe risks of over-automation, hallucinations, and untrusted intelligence in security workflowsWhat’s coming in 2026, including more frequent rule releases and more detection coverageThis episode offers a candid, practitioner-driven view of modern threat detection—highlighting why adaptability, transparency, and human expertise remain essential as defenders head into 2026.