Graham Cluley
Graham Cluley is an award-winning independent cybersecurity researcher, blogger, and podcaster who has been a prominent figure in the information security industry since the early 1990s. He is best known for his ability to translate complex technical threats into accessible, engaging, and often humorous content for both security professionals and the general public.
Cluley’s career highlights include:
Antivirus Pioneer: He programmed the first-ever Windows version of Dr Solomon's Anti-Virus Toolkit.
Industry Leadership: He held senior technology and communications roles at major security firms, including Sophos and McAfee.
Smashing Security Podcast: He co-hosts this multi-award-winning weekly podcast, which has surpassed ten million downloads and focuses on "cybercrime, hacking, and rogue AI."
Hall of Fame Inductee: In 2011, he was inducted into the InfoSecurity Europe Hall of Fame for his lifelong contributions to the field.
Core Pillars of Graham Cluley’s Security Coverage
The content found on GrahamCluley.com and throughout his various media appearances centers on the human impact of digital threats.
Cybersecurity Awareness and Education
Cluley is a fierce advocate for the "human firewall." His reporting often focuses on how social engineering, phishing, and poor password hygiene lead to significant breaches. He is credited with popularizing the phrase, "The cloud is just someone else's computer," highlighting the inherent risks of off-premises data storage.
Data Breaches and Privacy Blunders
A significant portion of his blog is dedicated to documenting corporate data leaks and privacy failures. He provides critical analysis of how companies respond to breaches, often calling out "security theater" and opaque corporate jargon used to downplay the severity of an incident.
Scams and Online Fraud
From WhatsApp "hijacking" to sophisticated romance scams and "quishing" (QR code phishing), Cluley tracks the evolving tactics fraudsters use to exploit everyday internet users. His goal is to provide actionable advice that individuals can use to protect their digital lives.
Why Graham Cluley is a Vital Resource for Infosec Professionals
While he is highly accessible to non-technical audiences, Cluley remains a "must-read" for industry veterans for several reasons:
Real-Time Threat Intelligence: He provides rapid commentary on "Patch Tuesday" and critical zero-day vulnerabilities, helping IT teams prioritize their responses.
Cross-Industry Perspective: By collaborating with law enforcement and serving as an expert witness, he offers a unique perspective on the legal and investigative aspects of cybercrime.
Communication Best Practices: Security leaders follow Cluley to learn how to communicate risk to their own boardrooms and employees without using "tech waffle."
Frequently Asked Questions
Does Graham Cluley still work for an antivirus company?
No. Since 2013, Graham Cluley has worked as an independent security analyst. This independence allows him to provide unbiased critiques of the security industry and its players.
What is the "Smashing Security" podcast?
It is a weekly show hosted by Graham Cluley and Carole Theriault. Unlike typical dry tech podcasts, it uses a lighthearted, entertaining format to discuss serious security news, often featuring guest experts from around the globe.
Where can I find Graham Cluley's latest research?
His primary hub is GrahamCluley.com, where he publishes daily updates. He is also a frequent keynote speaker at major conferences like RSA, Black Hat, and Infosecurity Europe.
ThreatNG functions as a technical execution layer for the human-centric security warnings popularized by experts like Graham Cluley. While Cluley highlights the "human firewall" and the risks of "privacy blunders" and "social engineering," ThreatNG provides the External Attack Surface Management (EASM) capabilities to identify where those theoretical risks manifest in an organization's actual digital footprint. By drawing on Cluley’s research alongside other intelligence sources, ThreatNG identifies emerging threat vectors and applies them to an organization's specific external assets.
External Discovery: Seeing Through the Eyes of an Attacker
ThreatNG uses a "zero-input," purely external discovery process to map an organization's entire online presence. It acts precisely as an adversary (or a researcher like Cluley) would, identifying assets without requiring internal agents or credentials.
Asset Inventory and Shadow IT: ThreatNG identifies subdomains, cloud buckets, and APIs. For example, if Cluley reports on a surge in "cloud misconfigurations," ThreatNG discovers "orphaned" or unsanctioned S3 buckets that belong to your organization but are not under official IT management.
Technology Stack Identification: The platform identifies the software and versions running on your external perimeter. If news breaks regarding a vulnerability in a standard CMS or VPN gateway, ThreatNG shows you exactly where that specific technology is deployed.
Ecosystem and Subsidiary Visibility: Discovery extends beyond the primary domain to include subsidiaries and third-party partners, providing a holistic view of the "interconnected risk" Cluley often discusses.
External Assessment: Deep-Dive Susceptibility Examples
Once assets are discovered, ThreatNG conducts a deep external assessment to determine how easily those assets could be compromised by the threats currently trending in the news.
Web Application Hijack Susceptibility
This assessment analyzes the externally accessible components of web applications to identify entry points for attackers.
Example: If a news feed identifies a new method of session hijacking, ThreatNG assesses your public-facing login pages for the absence of secure cookie flags or session regeneration protocols, and provides a "hijack susceptibility score" from A to F.
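The two checks named in this example can be sketched as follows. This is an added illustration, not ThreatNG's code or scoring logic; the function names and every header value are constructed for the example.

```python
# Added example: audit session-cookie hardening as seen from outside a login page.
# All Set-Cookie values used here are constructed samples.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, cookie_value, attributes)."""
    first, *rest = [p.strip() for p in value.split(";")]
    name, _, cookie_value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, cookie_value, attrs

def audit_cookie(value):
    """Return the hardening gaps for one Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(value)
    gaps = []
    if "secure" not in attrs:
        gaps.append("no Secure flag: cookie can travel over plain HTTP")
    if "httponly" not in attrs:
        gaps.append("no HttpOnly flag: readable from page script")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        gaps.append("no SameSite attribute")
    elif samesite == "none" and "secure" not in attrs:
        gaps.append("SameSite=None without Secure")
    # The __Host- prefix requires Path=/ and forbids a Domain attribute.
    if name.startswith("__Host-") and ("domain" in attrs or attrs.get("path") != "/"):
        gaps.append("__Host- prefix rules not met")
    return gaps

def session_regenerated(before_login, after_login, cookie_name):
    """True if the session identifier changed across authentication."""
    def value_of(headers):
        for header in headers:
            name, val, _ = parse_set_cookie(header)
            if name == cookie_name:
                return val
        return None
    old, new = value_of(before_login), value_of(after_login)
    return new is not None and new != old

WEAK = "sid=abc123; Path=/"
HARDENED = "__Host-sid=9f2c; Path=/; Secure; HttpOnly; SameSite=Lax"
```

A session identifier that is unchanged after login is the condition session fixation depends on, so `session_regenerated` returning `False` deserves the same attention as a missing flag.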
Subdomain Takeover Susceptibility
ThreatNG evaluates DNS records to find "dangling" entries—subdomains pointing to decommissioned or unclaimed third-party services.
Example: An organization might have a DNS record for marketing.company.com pointing to an expired Heroku app. ThreatNG identifies this state, allowing the team to remove the record before an attacker claims the app name and hosts a phishing site on the legitimate corporate domain.
BEC and Phishing Susceptibility
The platform analyzes email authentication controls (SPF, DKIM, DMARC) and searches for lookalike domains.
Example: By detecting "typosquatted" domains registered by bad actors (e.g., cornpany.com instead of company.com), ThreatNG provides early warning of a phishing infrastructure being built before the first email is sent.
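A defender can triage a feed of observed domains for this kind of lookalike with a small classifier. The code below is an added example, not ThreatNG's method; it generalizes the cornpany.com case to a few other imitation styles, and the confusables table, category names and watch list are constructed for illustration.

```python
# Added example, not ThreatNG code. Assumes inputs are registrable domains
# such as "company.com" (no subdomains).
# Constructed sample of look-alike sequences; not a complete confusables table.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def skeleton(label):
    """Fold visually confusable sequences so look-alikes compare equal."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, brand):
    """Return why `candidate` resembles `brand`, or "ok"."""
    candidate, brand = candidate.lower(), brand.lower()
    if candidate == brand:
        return "ok"  # the legitimate domain itself
    c_label, b_label = candidate.split(".")[0], brand.split(".")[0]
    if c_label == b_label:
        return "tld-swap"
    if skeleton(c_label) == skeleton(b_label):
        return "confusable"
    if edit_distance(c_label, b_label) <= 1:
        return "typo"
    if b_label in c_label.split("-"):
        return "brand-keyword"
    return "ok"

def triage(observed, brand):
    """Keep only the domains that need analyst attention."""
    verdicts = {d: classify(d, brand) for d in observed}
    return {d: v for d, v in verdicts.items() if v != "ok"}

# Constructed watch list (for instance, from a newly-registered-domain feed).
OBSERVED = ["company.com", "cornpany.com", "conpany.com", "company.net",
            "company-login.com", "example.org"]
```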
Continuous Monitoring and Reporting
ThreatNG ensures that security is an ongoing process rather than a point-in-time check, providing real-time awareness of an evolving attack surface.
Uninterrupted Watch: ThreatNG continuously monitors for changes, such as a new exposed API or a developer accidentally opening a database port.
Actionable Reporting: The platform generates "eXposure Priority" (XP) scores that translate technical vulnerabilities into business risk. This allows leadership to see a real-world "Ransomware Susceptibility" rating based on actual external exposures.
Live Feed Correlation: When an expert like Graham Cluley breaks a story about a new "quishing" (QR code phishing) trend, ThreatNG uses its intelligence to monitor for related brand-impersonation assets.
Investigation Modules: Granular Risk Examples
The Investigation Modules enable security teams to drill down into specific high-risk areas, providing forensic-level detail on potential breaches.
Sensitive Code Exposure Module
This module scans public code repositories, such as GitHub, for inadvertently leaked secrets.
Example: ThreatNG might find a hardcoded AWS Access Key or a database connection string in a developer’s public repository. This discovery allows for immediate revocation before an attacker uses the key to access sensitive data.
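A minimal scanner for the two secret types named in this example, reporting findings with the secret redacted so the report itself does not leak it. This is an added example, not ThreatNG's code; the patterns cover only AWS long-term access key IDs and URI-style database connection strings, and the sample file is constructed.

```python
import re

# Added example: each entry is (pattern, number of leading characters kept in reports).
PATTERNS = {
    # Long-term AWS access key IDs start with "AKIA" followed by 16 characters.
    "aws-access-key-id": (re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 4),
    # URI-style connection string with an inline password: scheme://user:password@host
    "db-connection-string": (re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:/@]+:([^\s@]+)@"), 0),
}

def redact(secret, keep):
    """Mask a secret, keeping only a non-sensitive prefix for identification."""
    return secret[:keep] + "*" * (len(secret) - keep)

def scan(text):
    """Return (line number, finding type, redacted secret) for each match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, (pattern, keep) in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, redact(match.group(1), keep)))
    return findings

# Constructed sample file; the key ID is the placeholder used in AWS documentation.
SAMPLE = '''\
# settings.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DATABASE_URL = "postgres://app:s3cr3tpw@db.internal.example:5432/orders"
DEBUG = False
'''
```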
Dark Web Presence Module
This module monitors underground marketplaces and forums for mentions of the organization.
Example: If a news report mentions a new "credential harvesting" kit, ThreatNG uses its dark web module to see if your employee logins or corporate email addresses are already appearing in "fullz" (complete data sets) sold on criminal forums.
Search Engine Exploitation Module
ThreatNG assesses how much sensitive information is indexed by search engines.
Example: The module may discover that an "admin" directory or a backup database file (.bak) is visible via Google search. Indexed content like this lets attackers find privileged folders without even scanning your network.
Cooperation with Complementary Solutions
ThreatNG provides the "outside-in" intelligence that fuels and directs internal security tools. By working in cooperation with these complementary solutions, organizations can close the gap between discovery and remediation.
Cooperation with SIEM and XDR: ThreatNG feeds external risk data—like a newly discovered malicious lookalike domain—into a SIEM. This enables the SIEM to immediately alert analysts if any internal user attempts to connect to that domain.
Cooperation with Vulnerability Management (VM): While internal scanners test known servers, ThreatNG identifies the "unknown" or "shadow" assets. These are then passed to the VM tool for a deeper, credentialed scan to find specific software bugs.
Cooperation with SOAR Platforms: SOAR (Security Orchestration, Automation, and Response) tools use ThreatNG's alerts to automate defenses. For instance, if ThreatNG detects an exposed administrative port on a cloud resource, the SOAR platform can automatically update firewall rules to close that port until it is appropriately secured.
Frequently Asked Questions
How does ThreatNG use intelligence from experts like Graham Cluley?
ThreatNG monitors reputable research and news feeds to identify emerging threat actor tactics and global trends. It then automatically scans your organization’s specific digital footprint to see if you have the vulnerabilities—such as weak email security or exposed secrets—that those threats exploit.
What is the benefit of ThreatNG’s "Outside-In" perspective?
It allows you to see your organization exactly as a motivated attacker would. By identifying exposed assets and vulnerabilities before they are exploited, you can proactively harden your perimeter and reduce your overall attack surface.
Can ThreatNG help with regulatory compliance?
Yes. ThreatNG provides specialized reporting for U.S. SEC filings, helping publicly traded companies meet their requirements for disclosing material cybersecurity risks and oversight.

