🔥 🟣 Purple AI is here and now generally available! To learn more about the industry’s leading AI security analyst, watch the video below.
👉 Ready to transform your security operations? Get a demo: https://t.co/oycBlmEiFL
$100K. One world title. 400+ flags pulled from live attack campaigns. Your move.
The Threat Hunting World Championship 2026 opened June 2. Compete against threat hunters around the world in brand-new 30-minute capture-the-flag rounds.
The Top 200 players per region will advance to the September Regional Finals.
Three regional champs earn an all-expenses-paid trip to OneCon26 in Vegas to compete live for the world title. With a charity donation made in their names.
$100K+ pool. Every round pays.
Compete from your seat. Enter now and start earning your rank today.
→ https://t.co/KijGe590Yq
Law enforcement dismantled massive cryptocurrency fraud rings, a Chinese cybercrime group expanded its global phishing footprint, and attackers exploited a critical authentication bypass in Palo Alto VPN portals.
This is the Good, Bad & Ugly. ⬇️
✅ GOOD
- Spanish National Police arrested a suspect connected to a massive data leak exposing sensitive government employee information.
- The U.S. Treasury officially sanctioned Iran's largest cryptocurrency exchange, Nobitex, for facilitating ransomware payments.
- The DoJ disrupted widespread transnational cryptocurrency investment fraud networks across Southeast Asia, freezing $3.8 million in stolen digital assets.
⚠️ BAD
- China-linked threat actor TA4922 is aggressively expanding its financially-motivated phishing campaigns into Europe and South America.
- Attackers shift victim communications to out-of-band channels like WhatsApp and Teams to bypass enterprise security controls.
- The group uses DLL side-loading to deploy advanced remote access trojans and secondary executables to harvest sensitive corporate data.
🤢 UGLY
- Palo Alto Networks confirmed that threat actors are actively exploiting a critical authentication bypass vulnerability in GlobalProtect VPN portals.
- Attackers retrieve public keys via standard HTTPS sessions to generate forged authentication cookies, frequently targeting local administrator accounts.
- CISA added the flaw to its Known Exploited Vulnerabilities catalog as attackers successfully secured full VPN IP assignments to access internal networks.
Full breakdown → https://t.co/bW0qxmB6g3
Five years ago, @labscon_io started as an ambitious experiment. Could we build a brand-new conference centered entirely on original security research? Could we create a venue where the work spoke louder than the marketing, where researchers challenged assumptions, shared discoveries, and pushed the industry forward?
The answer has been an emphatic yes.
As we prepare for LABScon 2026, we're excited to announce that this will be the final edition of LABScon.
If we're going to close this chapter, we're going to do it the only way we know how: by putting together the strongest program we've ever had.
This year, we're looking for the work that will define what's next. The boldest ideas, the uncomfortable findings, the research that changes how we think about this unknown era that’s upon us.
The final LABScon CFP is open now and closes June 19.
To everyone who has spoken, attended, sponsored, volunteered, debated, argued, collaborated, and helped make LABScon what it became, thank you. What started as a conference became a real community, and we're incredibly proud of what we built together.
Every project has a lifecycle. We're ending this one on our terms, at its peak, with gratitude for everything it accomplished and excitement for what comes next ;) See you in Phoenix!
Submit at https://t.co/iTOplk1oCO
The market is moving from detections and alerts to autonomously anticipating and stopping threats. SentinelOne just earned Latio's inaugural SOC Platform Leader designation—validation that we're one of very few vendors with the architecture to make that shift real.
Learn more about the recognition→ https://t.co/4si8HUcNcI
Register for the webinar → https://t.co/vFTRLS3nTh
Why it matters: SOC transformation projects fail when teams bolt automation onto fragmented tools. You can't automate your way out of point solutions. The machine runs faster, but so does the noise. True transformation requires rebuilding the foundation. That's rare.
What's new: Latio recognized SentinelOne as a SOC Platform Leader because our architecture is fundamentally different—not bolted-together point solutions, but one unified data plane, one AI analyst (Purple AI) running cross-domain investigations from endpoint to cloud to identity. The outcome: your team finds threats faster.
What makes transformation real:
- Unified architecture removes integration debt and vendor finger-pointing—cross-domain investigations run at machine speed
- Purple AI operationalizes triage, hunting, and escalation natively, learning from your data across endpoints, cloud, and identity
- Singularity AI Data Pipelines embeds pre-ingestion normalization and enrichment—signal reaches your decision loop, not noise
New Signals & Stories episode with @TomHegel from @SentinelOne and @invisig0th from The Vertex Project.
We discuss:
🔹DPRK IT workers posing as job applicants
🔹Cross-functional intelligence sharing
🔹AI in CTI
🔹And more!
Really fun conversation on where CTI is headed.
#CyberSecurity #CTI #ThreatIntelligence
https://t.co/VznXxSYEJX
One actor establishes access. Another deploys a more advanced espionage platform to exploit it. The division of labor, documented.
Full technical breakdown from Faou and Rusnák, presented at LABScon 2025 → https://t.co/DlEpcKn8OK
For the first time, there's technical evidence that Gamaredon and Turla aren't just parallel Russian threats — they're working together.
At @labscon_io 2025, @matthieu_faou and Zoltán Rusnák presented direct evidence of operational collaboration between the two groups. Across incidents observed between February and June 2025, Gamaredon's own tooling — PteroGraphin and PteroOdd — was used to deploy Turla's Kazuar backdoor on already-compromised systems. In at least one case, Gamaredon restored Turla's access after the group had lost its foothold.
Gamaredon is one of the most active espionage actors targeting Ukraine. The group relies on relentless spearphishing and fast operational tempo to compromise military and government organizations. That access is what Turla exploited.
The research also examines Kazuar v2 and v3 — Turla's flagship backdoor — and what those versions reveal about how sophisticated implants are sustained inside contested networks.
Law enforcement took down a Russian-linked hosting network, a ransomware group escalated to dispatching physical operatives for data extortion, and a massive supply chain campaign targets developer environments and AI tools.
This is the Good, Bad & Ugly. ⬇️
✅ GOOD
- Dutch authorities dismantled Stark Industries, seizing 800 servers used to enable pro-Russian DDoS and disinformation campaigns.
- A Romanian hacker received a 56-month federal prison sentence for breaching the Oregon state government network and stealing PII.
⚠️ BAD
- The FBI warns that Silent Ransom Group is targeting U.S. legal and financial institutions with in-person data extortion schemes.
- Attackers use typosquatted helpdesk domains, and if remote access fails, deliberately dispatch physical operatives to manually insert USBs into company computers.
- The attackers then harass employees and clients by phone to force financial negotiations under the threat of leaking proprietary data.
🤢 UGLY
- Security researchers uncovered TrapDoor, a massive supply chain attack spreading credential-stealing malware across npm, PyPI, and https://t.co/gWl4xitMMS.
- The campaign leverages registry-specific execution methods to harvest sensitive developer secrets, cloud credentials, and cryptocurrency wallets.
- Threat actors uniquely implant poisoned files designed to trick AI coding assistants into autonomously executing malicious security scans.
Full breakdown → https://t.co/lSmtwNJtWB
From day one, SentinelOne was architected to stop novel, machine-speed threats. We were purpose built to be a Leader in the AI era.
For the sixth consecutive year, Gartner has named SentinelOne a Leader in the Gartner® Magic Quadrant™ for Endpoint Protection.
What's driving the recognition:
✅ Autonomous detection and response at machine speed
✅ Unified visibility across endpoint, identity, cloud, and AI
✅ AI usage control through the Prompt Security acquisition
✅ AI-native from day one — not retrofitted
📖 Read the full report: https://t.co/y6zw5jbSi1
~50% of SentinelOne's ARR now comes from emerging solutions. That's what platform expansion looks like.
This quarter, our emerging solutions — AI, Data, Cloud, and more — reached half of our total ARR, alongside record net new ARR growth and the launch of Purple AI Auto-Investigations.
📈 Q1 FY2027 highlights:
$1.163B ARR — +23% YoY
$277M Revenue — +21% YoY
Record net new ARR growth
4% Operating Margin (non-GAAP) — ~550 bps improvement YoY
22% Adjusted FCF Margin (non-GAAP) — ~230 bps improvement YoY
$0.04 EPS (non-GAAP) — +83% YoY
~50% of ARR from Emerging Solutions
Securing modern enterprises requires machine-speed defense — and infrastructure built for what's next, not retrofitted for it.
Thank you to our customers, partners, and Sentinels.
🔗 Read the press release: https://t.co/zwGnQNgfYp
🎧 Listen to the call: https://t.co/Mbvde8VwtS
From day one, SentinelOne was architected to stop novel, machine-speed threats. We were purpose built to be a Leader in the AI era.
For the sixth consecutive year, Gartner has named SentinelOne a Leader in the Gartner® Magic Quadrant™ for Endpoint Protection Platforms.
Autonomous detection. Machine-speed response. Built for this moment.
📖 Read the report: https://t.co/PoZoRFayFA
Law enforcement took down cybercrime operations and attacker-controlled VPNs, a multi-brand spoofing macOS infostealer slips past OS mitigations, and Microsoft Defender faces zero-day exploits.
This is the Good, Bad & Ugly. ⬇️
✅ GOOD
- INTERPOL coordinates 201 arrests across the MENA region in a massive cybercrime sweep.
- Ukraine identifies an infostealer operator behind 28,000 stolen credentials.
- International police seize a dedicated commercial VPN provider used explicitly for ransomware exfiltration.
⚠️ BAD
- SentinelOne identifies "SHub Reaper," a new macOS stealer variant that impersonates Apple, Google, and Microsoft in a single attack chain.
- Bypasses Apple's new Terminal security mitigations by abusing the native AppleScript URL handler.
- Acts as both a smash-and-grab credential thief and a persistent backdoor for remote access.
🤢 UGLY
- Microsoft warns that attackers are actively exploiting two new Windows Defender zero-day vulnerabilities in the wild.
- Security flaws (CVE-2026-41091 & CVE-2026-45498) allow privilege escalation to SYSTEM level and DoS on core endpoint engines.
- CISA sounds the alarm, ordering federal agencies to secure all Windows endpoints urgently.
Full breakdown → https://t.co/ACBtrudPnX
Turn blind trust into verified control with @prompt_security for Agentic AI.
AI agents use trusted workflows and permissions to bypass traditional security. They act and execute.
They hold credentials. Call APIs. Modify data. Chain actions across business-critical systems, at machine speed, without per-step human approval. Every agent in your environment is a non-human identity reasoning, deciding, and executing on your behalf.
Most security teams can't tell you how many are running right now.
That's the gap. And it's why we built Prompt for Agentic AI Security, SentinelOne's real-time discovery and governance control plane for the agentic layer.
It surfaces every agent and MCP server across your environment (sanctioned or shadow). It maps what each one can reach, what it can do, and what permissions it holds. It scores risk dynamically. It enforces least privilege before unauthorized action chains can fire. And it gives you a full audit trail of every decision an agent made and every system it touched.
Security shouldn’t be the reason your organization can't adopt agents. It should empower you to adopt them with confidence.
Learn more: https://t.co/8D2W3krf5q
Industry-leading runtime protection, activated in one click in the AWS console.
SentinelOne's Singularity Platform is now available through @awscloud Security Hub Extended. AI-powered endpoint protection, deployable in minutes from the AWS console customers already use.
Turn on SentinelOne’s endpoint detection and response (EDR) and cloud workload security with a single click. Deploy it seamlessly across your environment, and manage it alongside your broader AWS security signals, all in one place.
Use the AWS budgets and commitments you already have. One contract. One bill. No new procurement cycle. Security procurement simplified. Coverage complete.
As Melissa K. Smith, our SVP of Global Strategic Partnerships, put it, "We're removing friction so teams can get to protection faster."
Available now in all commercial AWS regions → https://t.co/bWMUqmRvSl
Semantic robustness ≠ architectural security.
You can have an unbreakable intent classifier and still have defenseless architecture. Blocking meaning doesn't block structure. And the attackers already know this. The question is whether your guardrails do.
Read the full case study: https://t.co/oNAJH3GBtH
We red-teamed a government AI built to refuse everything outside its lane.
At first, it blocked everything. Every semantic attack. Every jailbreak. Then we stopped attacking the meaning and started attacking the structure.
We wrapped a phishing payload in JSON and asked for "test data." The system generated working malicious code. We encoded a forbidden instruction in Base64 and asked it to "decode and execute." It did. We chained the two into a compound attack — and the system handed over a near-verbatim copy of its own system prompt.
The lesson isn't that this bot was weak. It wasn't. The lesson is that every guardrail it had was watching for the wrong thing.
The lesson for defenders isn't "watch for Reaper." It's that brand recognition is not a signal of safety — it signals the attack. Unexpected AppleScript activity, outbound traffic after Script Editor runs, LaunchAgents in trusted-vendor namespaces — that's where to look.
Full research from @philofishal: https://t.co/BdhXT7HnFs
A new macOS stealer called Reaper — a SHub variant tracked by @LabsSentinel — runs an infection chain where each stage hides behind a different trusted brand:
- The lure: a fake WeChat or Miro installer
- The delivery: a typo-squatted domain, mlcrosoft[.]co[.]com
- The execution: dressed up as an Apple XProtectRemediator security update
- The persistence: a fake Google Software Update directory, beaconing every 60 seconds
Microsoft, Apple, Google — in that order, in one chain. The victim never sees a single unfamiliar name.
What it does once it's in:
- Harvests browser data, keychain credentials, and crypto wallets (Exodus, Atomic, Ledger Live, Electrum, Trezor Suite)
- Runs an AMOS-style Filegrabber against Desktop and Documents — .docx, .key, .wallet, .rdp, and more — capped at 150MB, uploaded in 70MB chunks
- Replaces legitimate wallet apps with compromised versions to intercept future activity
- Installs a persistent backdoor disguised as GoogleUpdate, capable of executing remote code on demand
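A hunting heuristic for the two persistence pointers in this thread (LaunchAgents in trusted-vendor namespaces, the fake Google Software Update directory beaconing every 60 seconds), written here as an added example and not taken from SentinelOne's research: it parses LaunchAgent plists with Python's standard-library plistlib and flags vendor-labelled agents whose program runs from outside the vendor's usual install root or that re-launch on a short StartInterval. The vendor prefixes, expected roots, the victim home path and both sample plists are assumptions constructed for the example.

```python
import plistlib

# Label prefixes that Reaper-style persistence borrows (assumed hunt scope; extend as needed).
VENDOR_PREFIXES = ("com.google.", "com.apple.", "com.microsoft.")
# Roots each vendor's real agents normally run from, matched under "/" and under $HOME.
# Constructed for this example; it is not a vendor-published allowlist.
EXPECTED_ROOTS = {
    "com.google.": ("/Library/Google/", "/Applications/Google "),
    "com.apple.": ("/System/", "/usr/", "/Library/Apple/"),
    "com.microsoft.": ("/Library/Application Support/Microsoft/", "/Applications/Microsoft "),
}
SHORT_BEACON_SECONDS = 120  # the post's sample re-launches every 60 s


def assess_launch_agent(data: bytes, home: str = "/Users/victim") -> list:
    """Return the reasons a LaunchAgent plist looks like brand-impersonating persistence."""
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    prefix = next((p for p in VENDOR_PREFIXES if label.startswith(p)), None)
    if prefix is None:
        return []  # only vendor-namespace labels are in scope for this hunt
    args = plist.get("ProgramArguments") or []
    path = (plist.get("Program") or (args[0] if args else "")).replace("~", home)
    reasons = []
    if not any(path.startswith(r) or path.startswith(home + r) for r in EXPECTED_ROOTS[prefix]):
        reasons.append(f"label {label} but program runs from {path}")
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and interval <= SHORT_BEACON_SECONDS:
        reasons.append(f"re-launches every {interval}s (beacon-like StartInterval)")
    return reasons


# Constructed sample plists: one shaped like the fake Google Software Update
# persistence the post describes, one shaped like a legitimate updater agent.
FAKE_GOOGLE_UPDATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.google.GoogleUpdate</string>
<key>ProgramArguments</key><array><string>~/Library/Application Support/Google Software Update/GoogleUpdate</string></array>
<key>StartInterval</key><integer>60</integer>
</dict></plist>"""
BENIGN_UPDATER = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.google.keystone.agent</string>
<key>ProgramArguments</key><array><string>~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdateAgent</string></array>
<key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("fake", FAKE_GOOGLE_UPDATE), ("benign", BENIGN_UPDATER)):
        print(name, assess_launch_agent(blob) or ["no findings"])
```

On a live host, feed it the contents of each file under ~/Library/LaunchAgents and /Library/LaunchAgents; findings are leads for a closer look, not verdicts.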