KrebsOnSecurity


KrebsOnSecurity is an independent, investigative cybersecurity news site authored by Brian Krebs, a former Washington Post reporter. Since its launch in late 2009, the platform has become one of the most influential voices in the information security (infosec) industry. It is primarily known for "breaking" massive security stories—such as the 2013 Target data breach—and for its deep dives into the mechanics of profit-seeking cybercrime.

The site is distinguished by its:

  • Investigative Depth: Beyond reporting that a breach occurred, the site often identifies the specific threat actors, their infrastructure, and the underground marketplaces where stolen data is sold.

  • Focus on Cybercrime: Extensive coverage of "bulletproof hosting," botnets, carding forums, and the malware and criminal services used by Eastern European cybercrime syndicates.

  • Consumer Advocacy: Detailed warnings about retail breaches, online banking fraud, and "swatting" (a dangerous harassment tactic of which Brian Krebs himself has been a target).

  • Technical Policy Analysis: Critical reviews of how government and corporate policies impact the security and privacy of everyday internet users.

Core Pillars of the KrebsOnSecurity Platform

The reporting on KrebsOnSecurity is built around several recurring themes that provide a holistic view of the digital threat landscape.

Data Breach Investigations

The platform is often the first to report on major corporate hacks. By maintaining a vast network of sources in the financial and security sectors, the site identifies patterns of fraudulent activity—such as "spikes" in stolen credit card data—and traces them back to the compromised source.

"Muckraking" and Attributing Cybercrime

A hallmark of the site is the "outing" of cybercriminals. By connecting digital footprints, email addresses, and server registrations, Krebs frequently identifies the real-world identities of hackers, and his reporting has contributed to international arrests and to the shutdown of rogue infrastructure providers such as the bulletproof host McColo and the domain registrar EstDomains.

Patch Tuesday and Threat Briefs

The site provides regular, easy-to-understand updates on "Patch Tuesday," analyzing the monthly security fixes from Microsoft and Adobe (and other vendors whose releases coincide). It helps users decide which updates are critical and which can wait.

Why KrebsOnSecurity is Critical for Security Professionals

Security practitioners use KrebsOnSecurity as a "first-alert" system and a technical case study library.

  • Risk Prioritization: CISOs use the site's reporting on emerging attack vectors to determine where to allocate defensive resources.

  • Intelligence on Attackers: Incident responders study the "modus operandi" of specific hacking groups described on the site to better recognize those same patterns in their own network logs.

  • Vendor Accountability: By exposing companies that have failed to secure their data or ignored vulnerability reports, the site pushes for higher security standards across the tech industry.

Frequently Asked Questions

Who is Brian Krebs?

Brian Krebs is a renowned investigative journalist who covered security and technology for The Washington Post for 14 years before launching KrebsOnSecurity. He is also the author of the New York Times bestseller Spam Nation, which explores the inner workings of the global cybercrime economy.

Is KrebsOnSecurity for technical or non-technical readers?

The site strikes a balance. While it covers complex technical topics such as botnets and code exploits, the writing is journalistic and accessible. It is equally valuable to high-level executives seeking a risk overview and to technical analysts seeking specific indicators of compromise (IoCs).

How does the site differ from other security blogs?

Many widely read security blogs are run by security software vendors. KrebsOnSecurity is independent and funded primarily through advertising and speaking engagements. This independence allows for a "muckraking" style of journalism that criticizes major tech companies or government agencies when they fail to protect users.

ThreatNG acts as a technical extension of investigative news sources like KrebsOnSecurity. Where Brian Krebs uncovers the "who" and "why" behind global cybercrime syndicates and major data breaches, ThreatNG provides the "where" and "how" by identifying whether those same criminal tactics or infrastructure are targeting your specific organization. By ingesting reporting from KrebsOnSecurity and similar sources, ThreatNG enables a proactive defense that keeps pace with the speed of modern investigative journalism.

External Discovery: Seeing Through the Eyes of an Investigative Reporter

ThreatNG performs purely external, unauthenticated discovery to map an organization's digital footprint. This mirrors the reconnaissance phase of both a high-level investigative journalist and a sophisticated threat actor.

  • Mapping the Unmanaged Surface: ThreatNG identifies internet-facing assets such as subdomains, cloud buckets, and IP ranges that may have been forgotten or "orphaned."

  • Shadow IT Identification: If a report on KrebsOnSecurity highlights a vulnerability in a specific software product, ThreatNG discovers whether any business units are running that product without the security team's knowledge.

  • Ecosystem and Supply Chain Visibility: The platform discovers the digital presence of third-party partners and subsidiaries, ensuring that a breach at a vendor (a common topic for Krebs) is flagged as a risk to your primary organization.

External Assessment: In-Depth Susceptibility Analysis

Following discovery, ThreatNG conducts detailed external assessments to provide context on the extent to which discovered assets are susceptible to the attack vectors currently trending in the news.

Web Application and Hijack Susceptibility

ThreatNG assesses web applications for weaknesses that could result in complete compromise.

  • Example: If a news feed reports a new "credential stuffing" technique used by botnets, ThreatNG assesses your login pages for inadequate rate limiting or session management flaws that would make that technique successful.

Subdomain Takeover Susceptibility

ThreatNG evaluates DNS records to find "dangling" entries: CNAME records that still point at third-party services (cloud storage, hosting, CDN) which have since been decommissioned and whose names can be re-registered by anyone.

  • Example: ThreatNG might find a subdomain whose CNAME points to an Amazon S3 bucket that has since been deleted. An attacker who creates a bucket of the same name controls what that subdomain serves and could host a malicious "update" file under your brand, a tactic covered in investigative deep dives.
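The check described above, as an added example that is not ThreatNG's code: follow each subdomain's CNAME chain, and flag a takeover candidate when the chain ends on a self-service platform and the target either no longer resolves or answers with the platform's "unclaimed" fingerprint (S3 names keep resolving after the bucket is deleted, so a DNS check alone misses them). The DNS answers, HTTP bodies, and the claimable-platform list are constructed for this example; in practice the same decision logic runs over a real resolver and HTTP client.

```python
"""Dangling-CNAME check for subdomain takeover candidates.

Added example, not ThreatNG's code. The resolver and HTTP client are
replaced by constructed in-memory data so the script runs offline;
the decision logic is what matters and is unchanged by that swap.
"""
from dataclasses import dataclass

# Platforms where a released hostname can be re-registered by anyone,
# mapped to the body text the platform serves for an unclaimed name.
# Assumed list for this example; maintain it from a vetted source.
CLAIMABLE = {
    ".s3.amazonaws.com.": "NoSuchBucket",
    ".github.io.": "There isn't a GitHub Pages site here",
    ".herokuapp.com.": "No such app",
}

# Constructed DNS data: name -> (rtype, rdata). A missing key is NXDOMAIN.
DNS = {
    "www.example.com.": ("A", "192.0.2.10"),
    "downloads.example.com.": ("CNAME", "legacy-assets.s3.amazonaws.com."),
    # S3 virtual-hosted names resolve whether or not the bucket exists,
    # so a DNS check alone cannot flag this one.
    "legacy-assets.s3.amazonaws.com.": ("A", "203.0.113.5"),
    "blog.example.com.": ("CNAME", "example-blog.herokuapp.com."),
    "example-blog.herokuapp.com.": ("A", "198.51.100.7"),
    "old.example.com.": ("CNAME", "old-site.github.io."),          # target is NXDOMAIN
    "intranet.example.com.": ("CNAME", "vpn.corp.example.com."),   # NXDOMAIN, internal host
}
# Constructed HTTP response bodies fetched via each subdomain's own name.
HTTP_BODY = {
    "downloads.example.com.": "<Error><Code>NoSuchBucket</Code></Error>",
    "blog.example.com.": "<html>Welcome to the example blog</html>",
}


@dataclass(frozen=True)
class Finding:
    name: str
    target: str
    verdict: str  # "takeover_candidate" | "dangling" | "ok"
    reason: str


def resolve_chain(name, dns, max_hops=8):
    """Follow CNAMEs from name; return (final_name, resolves, saw_cname)."""
    saw_cname = False
    for _ in range(max_hops):
        record = dns.get(name)
        if record is None:
            return name, False, saw_cname
        rtype, rdata = record
        if rtype != "CNAME":
            return name, True, saw_cname
        saw_cname, name = True, rdata
    return name, False, saw_cname  # CNAME loop or chain too deep


def platform_for(target):
    """Return the matching claimable-platform suffix, or None."""
    return next((s for s in CLAIMABLE if target.endswith(s) and len(target) > len(s)), None)


def check_subdomain(name, dns=DNS, http_body=HTTP_BODY):
    target, resolves, saw_cname = resolve_chain(name, dns)
    if not saw_cname:
        return Finding(name, target, "ok", "no CNAME record")
    platform = platform_for(target)
    if not resolves:
        if platform:
            return Finding(name, target, "takeover_candidate",
                           f"CNAME points into {platform.strip('.')} but the target no longer exists")
        return Finding(name, target, "dangling",
                       "CNAME target does not resolve; not a known self-service platform")
    fingerprint = CLAIMABLE.get(platform)
    if fingerprint and fingerprint in http_body.get(name, ""):
        return Finding(name, target, "takeover_candidate",
                       f"target resolves but the service answers {fingerprint!r} for this name")
    return Finding(name, target, "ok", "CNAME target resolves and is in service")


if __name__ == "__main__":
    for host in sorted(h for h in DNS if h.endswith(".example.com.")):
        f = check_subdomain(host)
        print(f"{f.verdict:19} {f.name:26} -> {f.target}  ({f.reason})")
```

The "dangling" verdict for intranet.example.com. is deliberately separate from "takeover_candidate": a CNAME into your own dead host is hygiene debt, while a CNAME into a platform anyone can sign up for is an exposure to fix the same day.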

BEC and Phishing Susceptibility

ThreatNG analyzes domain permutations and the email authentication records published in DNS (SPF, DKIM, and DMARC).

  • Example: By monitoring for "typosquatted" domains (newly registered names that resemble your brand), ThreatNG can warn you that a phishing campaign is being staged, often before the first email reaches your employees.
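Both halves of this assessment, as an added example that is not ThreatNG's code: an outside-in read of a domain's SPF and DMARC records that reports the specific settings that leave it spoofable (a neutral or soft `all` mechanism, a monitoring-only DMARC policy, a partial `pct`, or an SPF record that exceeds the 10-lookup limit and therefore evaluates to permerror), plus a generator for the lookalike domains a monitoring feed would watch for. The TXT records and domain names are constructed; the homoglyph table is a small assumed set.

```python
"""Outside-in email-spoofing posture: SPF/DMARC weaknesses plus lookalike
domain generation.

Added example, not ThreatNG's code. DNS TXT answers are constructed inline
so it runs offline; point `txt` at a real resolver's answers in practice.
"""
import re

# Constructed TXT records for hypothetical domains (no live lookups).
TXT = {
    "weak.example": ["v=spf1 include:_spf.mail.example ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example"],
    "nospf.example": [],
}

# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 section 4.6.4 caps these at 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)


def spf_record(domain, txt=TXT):
    return next((r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")), None)


def dmarc_tags(domain, txt=TXT):
    rec = next((r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")), None)
    if rec is None:
        return None
    return {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in rec.split(";") if "=" in p)}


def assess_email_auth(domain, txt=TXT):
    """Return spoofability findings for domain; an empty list is good posture."""
    findings = []
    spf = spf_record(domain, txt)
    if spf is None:
        findings.append("no SPF record: any host may claim to send for this domain")
    else:
        terms = spf.split()[1:]
        all_term = next((t for t in terms if t.lower().endswith("all")), "")
        if all_term.lower() in ("+all", "all"):
            findings.append("SPF ends in +all: authorizes every sender on the internet")
        elif all_term == "?all":
            findings.append("SPF ends in ?all (neutral): unknown senders are not failed")
        elif all_term == "~all":
            findings.append("SPF ends in ~all (softfail): only meaningful if DMARC enforces")
        lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
        if lookups > 10:
            findings.append(f"SPF requires {lookups} DNS lookups (limit 10): evaluates to permerror")
    dmarc = dmarc_tags(domain, txt)
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM results are never enforced by receivers")
    else:
        policy = dmarc.get("p", "none").lower()
        pct = int(dmarc.get("pct", "100"))
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif pct < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    return findings


# Visually similar substitutions used by typosquatters; a small assumed set.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "m": "rn", "w": "vv"}


def lookalike_domains(domain):
    """Generate common typosquat permutations of a registrable domain."""
    name, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i in range(len(name)):                       # character omission
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")
    for i in range(len(name) - 1):                   # adjacent transposition
        out.add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{tld}")
    for i, ch in enumerate(name):                    # homoglyph swap
        if ch in HOMOGLYPHS:
            out.add(f"{name[:i]}{HOMOGLYPHS[ch]}{name[i + 1:]}.{tld}")
    for i in range(1, len(name)):                    # hyphenation
        out.add(f"{name[:i]}-{name[i:]}.{tld}")
    for alt in ("co", "cm", "net", "org"):           # TLD swap
        if alt != tld:
            out.add(f"{name}.{alt}")
    out.discard(domain.lower())
    return sorted(out)


if __name__ == "__main__":
    for d in ("weak.example", "strong.example", "nospf.example"):
        print(d, assess_email_auth(d) or ["no spoofing weaknesses found"])
    print(lookalike_domains("example.com")[:12])
```

The permutation list is what you feed to WHOIS/certificate-transparency monitoring; a hit on a freshly registered lookalike, combined with a `p=none` finding on your own domain, is the pre-campaign signal the bullet above describes.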

Continuous Monitoring and Intelligence Repositories

ThreatNG provides an "uninterrupted watch" over your digital landscape, ensuring your defense evolves as quickly as the news cycle.

  • Intelligence Repositories: ThreatNG leverages deep repositories containing data on dark web marketplaces, compromised credentials, and ransomware gang activities.

  • Live Feed Correlation: When a report breaks regarding a new ransomware group’s infrastructure, ThreatNG automatically cross-references that infrastructure with your external footprint to see whether any of your exposed assets overlap with the reported indicators, such as domains and IP addresses.

  • Real-Time Alerts: The platform alerts you the moment a new vulnerability is disclosed or a search engine indexes a previously hidden asset.

Investigation Modules: Forensic Deep Dives

The Investigation Modules allow security analysts to perform the same type of "muckraking" or deep-dive research seen on KrebsOnSecurity, but focused exclusively on their own company.

Sensitive Code Exposure

This module scans public code repositories (like GitHub) and "paste" sites for leaked secrets.

  • Example: ThreatNG could find a hardcoded database password in a public repository, allowing your team to rotate the credential before an attacker's automated secret scanner finds it.
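The kind of detection such a module runs, as an added example that is not ThreatNG's code: pattern matching for vendor-shaped keys and for passwords embedded in connection strings or secret-looking assignments, with a Shannon-entropy floor and a placeholder list to suppress `changeme`-style false positives, and redaction so the finding itself does not re-leak the secret. The repository contents are constructed (the AWS values are Amazon's documented placeholder keys, not live credentials); the entropy threshold and placeholder list are assumptions to tune.

```python
"""Secret detection over a public repository snapshot, the kind of check a
Sensitive Code Exposure module performs.

Added example, not ThreatNG's code. The file contents below are constructed
(the AWS values are Amazon's documented placeholder keys, not live ones).
"""
import math
import re
from dataclasses import dataclass

SAMPLE = """\
# settings.py (constructed sample, not a real repository)
DATABASE_URL = "postgres://app:Tr0ub4dor&3xyz@db.internal.example:5432/prod"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SMTP_PASSWORD = os.environ["SMTP_PASSWORD"]
API_TOKEN = "changeme"
DEBUG_FLAG = "true"
"""

# Detector name -> (regex with the secret in group 1, apply entropy filter?).
PATTERNS = {
    # Vendor-specific shape: AWS access key IDs always start with AKIA + 16 chars.
    "aws_access_key_id": (re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), False),
    # scheme://user:PASSWORD@host inside a connection string.
    "connection_string_password": (re.compile(r"\b[a-z][a-z0-9+]*://[^:/\s]+:([^@\s]+)@"), True),
    # name-that-looks-secret = "value" assignments of 8+ characters.
    "assigned_secret": (re.compile(
        r"""(?i)\b\w*(?:secret|password|passwd|token|api_?key)\w*\s*[:=]\s*['"]([^'"]{8,})['"]"""), True),
}
PLACEHOLDERS = {"changeme", "password", "example", "<password>", "xxxxxxxx", "todo", "replace_me"}
MIN_ENTROPY_BITS = 3.0  # assumed threshold; tune against your own false-positive rate


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    redacted: str


def shannon_entropy(s):
    """Bits per character; dictionary words score low, random tokens high."""
    if not s:
        return 0.0
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in (s.count(c) for c in set(s)))


def redact(value, keep=4):
    """Keep a short prefix for triage, never the whole secret."""
    return value[:keep] + "*" * (len(value) - keep)


def scan(text):
    """Return findings for text; placeholders and low-entropy values are dropped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, (pattern, use_entropy) in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1)
            if value.lower() in PLACEHOLDERS:
                continue
            if use_entropy and shannon_entropy(value) < MIN_ENTROPY_BITS:
                continue
            findings.append(Finding(lineno, kind, redact(value)))
            break  # one finding per line is enough to trigger rotation
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.kind} -> {f.redacted}")
```

Note what the filters do: `SMTP_PASSWORD = os.environ[...]` is not flagged because the value is not a literal, and `API_TOKEN = "changeme"` is dropped as a placeholder; the three real findings are the ones a team would rotate.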

Dark Web Presence

This module monitors underground forums for mentions of your organization or your executives.

  • Example: If a threat actor on a carding forum is selling a "new lead list" containing your corporate emails, ThreatNG provides the intelligence to trigger a proactive password reset for those accounts.

Reporting: Translating Investigation into Business Risk

ThreatNG provides a variety of reports that translate technical findings into formats suitable for different stakeholders.

  • Ransomware Susceptibility Reports: These provide a clear score indicating the likelihood that the organization will be a victim based on current external exposures.

  • Executive and Prioritized Reports: These translate complex technical risks into business-level "eXposure Priority" (XP) scores, helping leaders understand the implications of the threats reported in the news.

Cooperation with Complementary Solutions

ThreatNG provides the vital "outside-in" perspective that enhances several complementary solutions. By working in cooperation with these tools, ThreatNG ensures that external intelligence leads to internal protection.

  • Cooperation with SIEM and XDR: ThreatNG feeds external risk data (like a newly discovered lookalike domain) into a SIEM. This allows the SIEM to flag any internal traffic going to that suspicious domain, catching a phishing attack in its early stages.

  • Cooperation with Vulnerability Scanners: While internal scanners test known servers, ThreatNG finds the "unknown" servers. Once found, these assets can be handed off to the internal scanner for a credentialed, deep-level scan.

  • Cooperation with SOAR Platforms: SOAR (Security Orchestration, Automation, and Response) tools use ThreatNG's alerts to automate defenses. For instance, if ThreatNG detects an exposed administrative port, the SOAR platform can automatically update firewall rules to close that port until it can be reviewed.

Frequently Asked Questions

How does ThreatNG use investigative news feeds?

ThreatNG monitors reputable sources like KrebsOnSecurity to identify the latest tactics and infrastructure used by cybercriminals. It then scans your organization's external footprint to see if you have the specific vulnerabilities or exposures that those criminals are currently targeting.

What are investigation modules in the context of ThreatNG?

Investigation modules are specialized tools that search for deep-level risks that standard scanners miss, such as secrets in public code repositories, mentions on the dark web, and sensitive documents indexed by search engines.

Does ThreatNG require agents or internal access?

No. ThreatNG performs purely external, unauthenticated discovery. This means it requires no connectors, software agents, or internal credentials, allowing it to see your organization exactly as a motivated attacker would.
