RESEARCH · field notes & teardowns · 23 articles · updated weekly
peer-reviewed · CC BY-SA 4.0

Teardowns of the attacks we publish, run, and break.

Every post here ships with a runnable scenario, a CloudTrail signature, and the detection rule that should catch it. Written by the people shipping the catalogue, peer-reviewed, and never gated.

Teardown · IAM · STS · Critical · 14 min read

The 12-second window: how AttachRolePolicy chains break detection rules built for humans.

Most off-the-shelf detection rules look for AttachUserPolicy with a human principal. The chain we walked attaches to a role, from a session token issued seconds earlier. We timed the gap, recorded the trail, and stress-tested seven detection rule sets against it.

Himanshu Khandelwal · Apr 18, 2026 · 3 detections of 7 fired
fig.01 · CloudTrail · run 2F4A · 12.3s elapsed
  14:02:11.221
    sts:AssumeRole · 200 · principal u/maint-bot (token expires 3600s)
    iam:AttachRolePolicy · 200 · policy arn:aws:iam::aws:policy/AdministratorAccess · role r/admin-7f
    iam:CreateUser · 200 · u/maint-bot-shadow
    iam:CreateAccessKey · 200
  14:02:23.512 · elapsed 12.3s
    T1548.005 · detected · GuardDuty · +3.1s
    T1078 · detected · Custom · +28.0s
    T1098 · no rule fired · SOC review only
Detection notes Apr 11, 2026

Why your GuardDuty rule for KMS-imported keys probably misses ALPHV.

GuardDuty fires on CreateKey with origin EXTERNAL - but the ALPHV variant we tracked imports material in a separate region first. We ran the chain four ways and only one triggered an alert.

Ayush K. · 9 min
Teardown Apr 04, 2026

Eventual consistency in IAM, six years later. Still a race window.

Originally disclosed 2020, AWS partially mitigated by 2022. We measured the window again on five fresh accounts and got 18-second medians. The exploit hasn't been patched - it's been documented.

Himanshu K. · 11 min
Threat intel Mar 28, 2026

Mapping APT41's AWS playbook against the cloud ATT&CK matrix.

Pulled from the 2024 DOJ indictment and three IR reports. APT41 stays on three techniques 80% of the time. We've shipped two - the third's on the roadmap.

Smita P. · 14 min
Engineering Mar 19, 2026

Pulumi for adversarial infra: shaping a sandbox that looks like prod.

Most attack labs ship a clean account. Real attackers find prod-shaped accounts - noisy IAM, mixed regions, legacy roles. Here's how we shape ours to mirror that, in Pulumi.

Himanshu K. · 8 min
Detection notes Mar 12, 2026

T1556.005 in the wild: the API calls that don't make it into CloudTrail.

A short list with sources. Two of them are documented, three we found by diffing actual traffic against trail outputs. Treat as a research note, not a complete list.

Ayush K. · 6 min
Field report Mar 04, 2026

What we learned from 14 detection teams running MayaTrail in private beta.

Average detection coverage gap: 41%. Most-missed technique: T1098 (account manipulation). Most surprising: half the teams already had a rule for it - it just didn't trigger on the chain we ran.

Maya team · 7 min
Teardown Feb 22, 2026

S3 enumeration patterns: how ListBucket velocity maps to real exfil.

We ran the S3 exfil chain at 12 different request velocities. Below 4 RPS the standard CloudTrail rules don't fire. The interesting band is 8-20 RPS.

Himanshu K. · 10 min
Detection notes Feb 14, 2026

Cross-region session re-use: the quiet half of T1078.

When a session originates in us-east-1 but the API calls land in ap-south-1, most off-the-shelf rules don't correlate. We rebuilt three of them to demonstrate the gap.

Smita P. · 9 min
Engineering Feb 02, 2026

Why we re-wrote our scenario runner in Go.

Python+boto3 was fine for prototyping. For peer review and reproducibility, single-binary distribution mattered. Notes on the migration and what we lost.

Himanshu K. · 5 min

Research team

Himanshu Khandelwal · Founder · Cloud security
Ayush Kumar · Detection engineering
Smita Patil · Threat intel
Rohan Mehta · Scenario engineering

Lab notes

N-014 · May 09, 2026 Reproducing the Capital One exfil chain on a current account - got the same shape, but the policy gates have shifted. Notes incoming.
N-013 · May 02, 2026 New detection rule from a beta customer for T1098 fired on our chain in 1.6s. Faster than any open-source rule we've tested. Asking permission to publish.
N-012 · Apr 24, 2026 Lambda execution-environment escape (T1611) prototype works in isolation, breaks under Pulumi destroy. Investigating teardown lifecycle.
N-011 · Apr 17, 2026 Reached out to AWS Security about the eventual-consistency window timing. Their response: documented behavior. Will not patch. Adding to teardown.