ShadowTalk: Powered by ReliaQuest

Hosted by ReliaQuest

Technology Business Careers NewsInterviews guests

Website RSS feed

Episodes

477

Latest episode

Jun 2026

Language

About the show

Want to hear what industry experts really think about the cyber threats they face? ShadowTalk is a weekly cybersecurity podcast, made by practitioners for practitioners, featuring analytical insights on the latest cybersecurity news and threat research. Threat Intelligence Analyst John Dilgen brings extensive expertise in cyber threat intelligence and incident response, specializing in researching threats impacting ReliaQuest customers. John and his guests provide practical perspectives on the week’s top cybersecurity news and share knowledge and best practices to help businesses mitigate the most pertinent cyber threats. With over 1,000 customers worldwide and 1,200 teammates across six global operating centers, ReliaQuest delivers security outcomes for the most trusted enterprise brands in the world. Learn more at www.reliaquest.com .

Listen to episodes

60 recent

June 10, 202623 min

China-Linked Cyber Espionage: How OP-512 Exploited Legacy IIS Servers and Evaded Detection

Your team built defenses around known China-linked clusters. The file hashes are tracked. The behavioral patterns are documented. What those weren't built to catch is a new cluster that studied those exact defenses and engineered around them. A China-linked attacker compromised an internet-facing IIS server, maintained access for over 75 days, and came back on fresh infrastructure.With four China-linked clusters converging on the same legacy IIS stack in twelve months, defenders building detection programs around yesterday's cluster are already behind the next one.Join hosts Alex and John as they discuss:How OP-512 engineered its tooling to evade defensesWhy killing a malicious process is incompleteWhat advantage cross-source correlation providesTwo questions your organization should be asking right now:When your detection sources each generate a separate low-confidence signal from the same host, does anything in your current workflow correlate those signals automatically?Do you have internet-facing IIS servers running end-of-life .NET in your environment, and does your vulnerability-management workflow prioritize correctly?Resources: https://linktr.ee/ReliaQuestShadowTalkAlexandra Moore: Manager of Threat Intelligence at ReliaQuest, where she leads intelligence analysis and customer dissemination to help organizations understand and respond to emerging cyber threats. Prior to this, she established and scaled monitoring across Russian-language cybercriminal platforms at Digital Shadows, building collection and analytical coverage to support digital risk protection capabilities.John Dilgen: Cyber Threat Intelligence Analyst at ReliaQuest, where he specializes in researching cyber threats impacting ReliaQuest customers. With a strong technical background, he previously served as an Incident Response Analyst and Trainer at ReliaQuest.

June 3, 202620 min

SonicWall, MFA Bypass, IABs: Why Patched Devices Are Still Handing Attackers Initial Access

Your team patches the device. The firmware version matches the advisory. The ticket closes. The device comes off the remediation queue. What your workflow never tracked is that the advisory also required six manual LDAP configuration steps — and without them, the authentication bypass still works. An initial access broker authenticated through the VPN, reached a domain-joined file server, and was gone in under 40 minutes. Your dashboard still showed a clean queue.With initial access brokers operating on disciplined, sub-hour timelines and patch-management workflows built around a single completion step, defenders are closing tickets on devices that are still wide open.Join hosts Tehman and John as they discuss:How a firmware update can still leave a device fully exploitableHow initial access brokers progressed their attack in under 40 minutesWhy teams that prioritize from a single vulnerability score alone are behind Two questions your organization should be asking right now:Does your patch-management workflow include a separate item for post-patch manual configuration requirements?When CISA, NVD, and the vendor publish different CVSS scores for the same CVE, does your vulnerability-management policy specify which authority takes precedence — and does it supplement static scoring with a dynamic signal like EPSS? Tune in for expert insights, practical takeaways, and the full threat report: https://linktr.ee/ReliaQuestShadowTalkTehman Tariq: Sr. Manager of Cyber Operations at ReliaQuest. He has spent a majority of my career leading our Incident Response, Security Architecture, and Detection teams. As well has working hand in hand with CISOs to introduce automation allowing for the maturity of their security programs.John Dilgen: John Dilgen is a Cyber Threat Intelligence Analyst at ReliaQuest, where he specializes in researching cyber threats impacting ReliaQuest customers. With a strong technical background, he previously served as an Incident Response Analyst and Trainer at ReliaQuest.

May 27, 202629 min

Device Code, OAuth, PhaaS: How Session Token Theft is Breaking the Phishing Playbook

Your user clicked a link, landed on a real Microsoft login page, typed their password, completed MFA, and walked away thinking nothing happened. Somewhere across the internet, an attacker's device just received an authenticated session token. The password is irrelevant. The MFA prompt already fired and passed. With PhaaS platforms now converging on token-theft tradecraft and post-compromise automation executing in seconds, defenders are racing a scripted attacker with a manual playbook.Join hosts Brandon and John as they discuss:How device code phishing uses real authentication infrastructure to capture valid session tokensHow one campaign hit 35,000+ users across 13,000+ organizations in 26 countriesWhy rogue device registrations complete before the average analyst reads the alert Two questions your organization should be asking right now:Has your Conditional Access policy been reviewed specifically for device code grant flows, not whether CA policies exist, but whether they cover the OAuth flows that session-token theft actually exploits?When a phishing confirmation fires, how many manual steps stand between that alert and full token revocation with rogue device deregistration, and is that response faster than the attacker's automation?Resources: https://linktr.ee/ReliaQuestShadowTalkBrandon Tirado: Director of GreyMatter Operations for ReliaQuest. A skilled cyber defense professional with a unique combination of management and hands-on experience. With a deep understanding of adversary motives and the tactics, techniques, and procedures (TTPs) they use to achieve their goals, Brandon enjoys operationalizing his knowledge to make it more difficult for adversaries to operate within the environments of ReliaQuest customers. His managerial and hands-on experience enriches ShadowTalk with practical and strategic viewpoints. John Dilgen: Cyber Threat Intelligence Analyst at ReliaQuest, where he specializes in researching cyber threats impacting ReliaQuest customers. With a strong technical background, he previously served as an Incident Response Analyst and Trainer at ReliaQuest.

May 20, 202619 min

SQLite, Mistral, OpenAI: How AI Attacks Are Reshaping the Attack Surface

What happens when an AI agent uncovers a zero-day in hours instead of weeks, and state-backed groups are already operationalizing the same tools? With self-hosted AI infrastructure sprawling outside asset registers and supply chain worms reaching inside AI vendors themselves, defenders need a new operating model.Join hosts Tehman and John as they discuss: How an AI agent surfaced a memory-safety zero-day in SQLiteHow Mini Shai-Hulud reached Mistral AI and OpenAI devicesWhy the intel-to-action chain still runs at multi-day tempoTwo questions your organization should be asking right now:Do you have visibility into the shadow AI infrastructure, self-hosted models, and inference endpoints sitting unauthenticated on your network?When high-confidence intel lands, what's your median time from "advisory published" to "response action executed"?Resources: https://linktr.ee/ReliaQuestShadowTalkJohn Dilgen: Cyber Threat Intelligence Analyst at ReliaQuest, where he specializes in researching cyber threats impacting ReliaQuest customers. With a strong technical background, he previously served as an Incident Response Analyst and Trainer at ReliaQuest.Tehman Tariq: Sr. Manager of Cyber Operations at ReliaQuest. He has spent a majority of my career leading our Incident Response, Security Architecture, and Detection teams. As well has working hand in hand with CISOs to introduce automation allowing for the maturity of their security programs.

May 14, 202631 min

Canvas, Trellix, Mini Shai-Hulud: How Defenders Respond When Supply Chain Attacks Become Weekly

What's driving the surge in weekly supply chain attacks, and why does the real defender problem start after the supplier gets hit? With 275 million records exposed and 8,809 institutions caught in the downstream fallout, organizations need a new playbook.Join hosts Alexandra and John as they discuss:How ShinyHunters abused admin sessionsRansomHouse's hypervisor-focused automationHow Mini Shai-Hulud compromised 170+ npm packages Two questions your organization should be asking right now:Do you have visibility into how trusted vendors authenticate, export, and move your data through native platform features?Are your software pipelines protected against poisoned packages and unauthorized publishing activity in real time?Resources: https://linktr.ee/ReliaQuestShadowTalkJohn Dilgen: Cyber Threat Intelligence Analyst at ReliaQuest, where he specializes in researching cyber threats impacting ReliaQuest customers. With a strong technical background, he previously served as an Incident Response Analyst and Trainer at ReliaQuest.Alexandra Moore: Manager of Threat Intelligence at ReliaQuest, where she leads intelligence analysis and customer dissemination to help organizations understand and respond to emerging cyber threats. Prior to this, she established and scaled monitoring across Russian-language cybercriminal platforms at Digital Shadows, building collection and analytical coverage to support digital risk protection capabilities.

May 6, 202634 min

Akira, ShinyHunters, and The Gentlemen: Extortion Lessons From Early 2026

What factors have driven the top ransomware and extortion groups' success in early 2026? And how should organizations structure their defenses to protect against them?Join hosts Alexandra and John as they discuss:How Akira is exploiting unknown assets inherited through M&AWhy ShinyHunters' vishing and SaaS misconfiguration models workHow The Gentlemen grew 588% quarter-over-quarter Two questions your organization should be asking right now:Have you run a full asset discovery sweep on every environment inherited through acquisition in the last few years?Do you have automated containment rules in place for anomalous MFA device enrollment and EDR-killing behavior?Resources: https://linktr.ee/ReliaQuestShadowTalkJohn Dilgen: Cyber Threat Intelligence Analyst at ReliaQuest, where he specializes in researching cyber threats impacting ReliaQuest customers. With a strong technical background, he previously served as an Incident Response Analyst and Trainer at ReliaQuest.Alexandra Moore: Manager of Threat Intelligence at ReliaQuest, where she leads intelligence analysis and customer dissemination to help organizations understand and respond to emerging cyber threats. Prior to this, she established and scaled monitoring across Russian-language cybercriminal platforms at Digital Shadows, building collection and analytical coverage to support digital risk protection capabilities.

April 29, 202626 min

What Happened to Black Basta's Playbook? The Automated Teams Phishing Threat Hitting Executives

Black Basta disbanded in February 2025, but their playbook didn't go with them. In March 2026, 77% of observed incidents targeted executives and directors, and attackers moved from first contact to malicious script execution in as little as 12 minutes. The tactic has been automated, refined, and is now running faster than most SOCs can respond. Join hosts Alexandra and John as they discuss:How attackers leverage Microsoft Teams phishing to target high-privilege accounts with alarming speedWhy automation is compressing attack timelines and sharpening target selectionThe controls that can stop it, from help desk verification to automated containment workflows Two questions your organization should be asking right now:When IT requests remote access to a senior leader's endpoint, is identity verified through a channel separate from the one the request came from?Do your highest-privilege accounts have dedicated automated containment workflows — or are they the gap in your response playbook?Resources: https://linktr.ee/ReliaQuestShadowTalkJohn Dilgen: Cyber Threat Intelligence Analyst at ReliaQuest, where he specializes in researching cyber threats impacting ReliaQuest customers. With a strong technical background, he previously served as an Incident Response Analyst and Trainer at ReliaQuest.Alexandra Moore: Manager of Threat Intelligence at ReliaQuest, where she leads intelligence analysis and customer dissemination to help organizations understand and respond to emerging cyber threats. Prior to this, she established and scaled monitoring across Russian-language cybercriminal platforms at Digital Shadows, building collection and analytical coverage to support digital risk protection capabilities.

April 22, 202625 min

Did ShinyHunters Compromise Vercel? Every CISO's Cloud Security Visibility Problem

89% of organizations that suffered a SaaS breach last year believed they had appropriate visibility. They had the logs — what they lacked was detection on what mattered. The Vercel incident shows exactly how costly that gap can be. Join hosts Brandon and John as they discuss:How a third-party OAuth chain may have exposed Vercel's internal dataWhy SaaS visibility gaps leave organizations exposedThe controls that can break the attackResources: https://linktr.ee/ReliaQuestShadowTalkJohn Dilgen: Cyber Threat Intelligence Analyst at ReliaQuest, where he specializes in researching cyber threats impacting ReliaQuest customers. With a strong technical background, he previously served as an Incident Response Analyst and Trainer at ReliaQuest.Brandon Tirado: Director of GreyMatter Operations for ReliaQuest. Brandon is a skilled cyber defense professional with a unique combination of management and hands-on experience. With a deep understanding of adversary motives and the tactics, techniques, and procedures (TTPs) they use to achieve their goals, Brandon enjoys operationalizing his knowledge to make it more difficult for adversaries to operate within the environments of ReliaQuest customers. His managerial and hands-on experience enriches ShadowTalk with practical and strategic viewpoints.

April 15, 202625 min

What Claude Mythos Means for Organizations

Resources: https://linktr.ee/ReliaQuestShadowTalkJoin hosts John and Alex, alongside special guest and ReliaQuest CTO Joe Partlow, as they discuss:How Claude Mythos autonomously generated exploitsWhy AI is accelerating CVE volumeDefense strategies organizations need nowJoe Partlow: CTO of ReliaQuest, a leading Information Security provider and is currently involved with new product initiatives along with research and development efforts. Joe has been involved the Information Security field for over 30 years, in both the defensive side and offensive capabilities. Current projects include data ingestion/analytics at scale, DFIR automation and generative AI. He is also a regular speaker and contributor at security conferences, groups and associations. Joe has a degree in Computer Information Systems and holds many industry-specific certificationsJohn Dilgen: Cyber Threat Intelligence Analyst at ReliaQuest, where he specializes in researching cyber threats impacting ReliaQuest customers. With a strong technical background, he previously served as an Incident Response Analyst and Trainer at ReliaQuest.Alexandra Moore: Manager of Threat Intelligence at ReliaQuest, where she leads intelligence analysis and customer dissemination to help organizations understand and respond to emerging cyber threats. Prior to this, she established and scaled monitoring across Russian-language cybercriminal platforms at Digital Shadows, building collection and analytical coverage to support digital risk protection capabilities.

April 8, 202624 min

Axios and Trivy — Supply Chain Gaps Organizations Must Fix

Resources: https://linktr.ee/ReliaQuestShadowTalkJoin hosts John and Tehman as they break down two of the most consequential supply chain attacks of 2026:How DPRK actors socially engineered a NPM maintainerWhy hijacked GitHub versions are a CI/CD wake-up callThe three gaps every security team needs to closeJohn Dilgen: Cyber Threat Intelligence Analyst at ReliaQuest, where he specializes in researching cyber threats impacting ReliaQuest customers. With a strong technical background, he previously served as an Incident Response Analyst and Trainer at ReliaQuest.Tehman Tariq: Sr. Manager of Cyber Operations at ReliaQuest. He has spent a majority of my career leading our Incident Response, Security Architecture, and Detection teams. As well has working hand in hand with CISOs to introduce automation allowing for the maturity of their security programs.

Is this your show?

Claim this listing to keep it up to date, reach guests who want to pitch you, and manage bookings with Guestify.

Claim this listing

More Technology podcasts

SowGrow Marketing Council

sgmc

BusinessMarketing

Toldjya Finance Podcast

Zac Huish, Cameron Cooke, and Paul Lamb

BusinessInvesting