The Blog

Six Lessons From Making Our AI Security Agent Explainable
We built an AI agent for security teams. It analyzes configs, hunts for vulnerabilities, investigates threats. Here’s what we underestimated: security people are paid to be paranoid. They don’t trust systems they can’t audit. And honestly? They shouldn’t. So we built

Port 23, 30 Years Later: A Pre-Auth LINEMODE Bug in GNU Telnetd (CVE-2026-32746)
A bug rooted in Telnet’s early-1990s LINEMODE logic survived into modern GNU Inetutils telnetd, leaving a pre-auth memory corruption path reachable before /bin/login, before passwords, and before PAM.
Summary
CVE-2026-32746 is a pre-auth out-of-bounds write in GNU

A vulnerability scanner trusted to protect a CI pipeline was the entry point. An AI proxy handling your LLM API keys was the target. The credentials stolen from the first were used to compromise the second - and the cascade didn't stop there.
AI didn't just make developers faster. It collapsed the cost of code itself. The bottleneck is no longer writing code. It's designing the system the code will live inside.

Vulnerability advisory: Pre-Auth Remote Code Execution via Buffer Overflow in telnetd LINEMODE SLC Handler
This advisory is published in the public interest to enable defenders to assess exposure and apply mitigations. Responsible disclosure practices apply.
Advisory ID: VULN-TELNETD-SLC-2025
Date: 2026-03-13
CVE ID: CVE-2026-32746
Severity: Critical
CVSS 3.1 Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

When a Missile Alert App Becomes an Intelligence Tool
In the middle of a war, trust is maybe the most fragile asset. Missile alert apps are not just software for civilians in Israel and in war zones. They are lifelines. People rely on them for seconds that can save lives.

Hey Claude, Security is not just Code! Claude Code Security versus Dream Security
Anthropic’s Claude Code Security announcement triggered predictable reactions across the industry. Excitement, curiosity, and in some corners, anxiety. Whenever a frontier LLM vendor steps into anything labeled “security,” the same question surfaces: is this the beginning of

In January 2026, Dream uncovered a targeted supply-chain attack in Southeast Asia, where malicious updates were delivered through MicroWorld Technologies’ eScan antivirus infrastructure. Dubbed Verglas internally, the campaign replaced a trusted component with a trojanized version, enabling remote access and blocking future updates to prevent cleanup. Building on earlier reports
Between late Dec 2025 and mid-Jan 2026, a covert cyber-espionage campaign targeted diplomatic, election, and policy officials by exploiting trust rather than technical vulnerabilities. Attackers distributed malicious documents masquerading as diplomatic briefings or materials that appeared credible, timely, and aligned with real geopolitical events. Simply opening the files triggered compromise,
Most organizations unknowingly carry generic AD permissions that are broader than intended and silently create privilege-escalation and MFA-bypass risk. Dream demonstrates how simple LDAP writes combined with Duo directory sync bypass MFA (phone import + SMS). The core problem isn’t exotic exploits; it’s unseen, overbroad permissions. Dream addresses this by
Dream’s Identity Researcher is an LLM-powered tool that finds hidden privilege escalation routes in Active Directory by identifying tiering violations where lower-tier objects can access Tier 0 assets. These misconfigurations are common and often create silent paths to full-domain compromise, but now with the Identity Researcher, they are exposed before
This analysis of the F5 BIG-IP breach showcases how Dream’s Posture Engine transforms static visibility into genuine defensive intelligence. Powered by CLM and Dream’s cyber ontology, the platform reveals how misconfigurations and privilege relationships create real attack paths by prioritizing risks based on exploitability and impact. In the F5 supply
This report links nine coordinated phishing campaigns from 2025 to the Iranian APT group MuddyWater, revealing a single, consistent operational footprint across attacks targeting governments and diplomatic sectors worldwide. Through analysis of shared C2 behavior, VBS loaders, and repeated staging logic, the investigation connects previously isolated incidents into one unified
In August 2025, Dream uncovered a large-scale Iran-nexus spear-phishing campaign that used a compromised Omani MFA mailbox to target governments worldwide. Attributed to the MOIS-aligned Homeland Justice group, the operation deployed malicious diplomatic-themed emails containing macro-encoded payloads. Analysis revealed a far broader campaign than initially believed, using 104 compromised accounts
Dream is launching its AI Cyber Factory, built on the NVIDIA Enterprise AI Factory validated design and powered by NVIDIA NIM microservices, to deliver adaptive, secure, and autonomous cyber defense for national infrastructure. Unlike traditional tools that provide fragmented visibility and manual workflows, Dream’s platform continuously monitors, interprets, and responds
