SENTINEL Threat Briefing

Threat Briefing

Everything on this page is real — no simulation. Actively exploited vulnerabilities from CISA, recently disclosed breaches, live internet attack trends, and analyst commentary, each linked to its original source. If a data source is unreachable, its section says so; nothing here is ever invented.

Loading live data…
SANS Infocon
global threat level
KEV added · 7 days
newly confirmed exploited
Attack volume · today
vs 30-day peak
Newest breach
accounts exposed

Recently disclosed breaches source: Have I Been Pwned ·

Newly added to the HIBP catalog — note that disclosure often lags the breach itself by months. Click a breach to see the full entry and check whether your own email appears in it.

Loading…

Internet attack activity sources: Cloudflare Radar, SANS ISC ·

Two independent vantage points on the same internet: application-layer attacks observed across Cloudflare's network, and what the SANS Internet Storm Center's volunteer sensor network sees hitting exposed ports.

Attack volume — last 30 days

Top origins — 24h (Radar)

Loading…

Most-attacked ports (ISC)

Loading…

Actively exploited vulnerabilities source: CISA KEV catalog + FIRST.org EPSS ·

The complete catalog of vulnerabilities with confirmed in-the-wild exploitation. If you run any of this software, the due date is CISA's patch deadline for US federal agencies — a good benchmark for everyone. EPSS estimates the probability of exploitation in the next 30 days.

CVEVendor / ProductVulnerabilityEPSSAddedPatch due
Loading the full catalog…

Analyst commentary source: SANS ISC handler diaries ·

Short, practical write-ups from working incident handlers — what they're seeing on real sensors and networks right now.

Loading…

Learn the vocabulary

The terms this page (and the security news) assume you know.

CVE
A unique ID for a publicly known software vulnerability (e.g. CVE-2026-12345), assigned by the CVE Program so everyone can talk about the same flaw.
KEV
CISA's Known Exploited Vulnerabilities catalog — the subset of CVEs with confirmed real-world exploitation. If it's in KEV, attackers are actively using it.
EPSS
Exploit Prediction Scoring System — a data-driven estimate (0–100%) of how likely a vulnerability is to be exploited in the next 30 days. Useful for prioritizing patches.
CVSS
A severity score (0–10) describing how bad a vulnerability could be if exploited. Severity and likelihood are different questions — that's why EPSS exists too.
IoC
Indicator of Compromise — an artifact (IP address, domain, file hash) associated with malicious activity, used to detect or block it.
Defanged
A hostile address written so it can't be clicked accidentally: hxxp instead of http, [.] instead of dots. You'll see this wherever IoCs are shared responsibly.
Infocon
SANS ISC's overall internet threat level (green / yellow / orange / red), raised when a widespread, disruptive threat is in progress.
Ransomware
Malware that encrypts (and usually steals) data, demanding payment. KEV entries flagged "ransomware" are known entry points for these campaigns.
C2
Command and control — the infrastructure attackers use to direct compromised machines. Blocking known C2 addresses cuts malware off from its operator.
Layer-7 attack
An attack aimed at the application itself (web requests, logins, APIs) rather than raw network flooding — harder to distinguish from legitimate traffic.
Data breach
An incident where protected data is exposed or stolen. "Breach date" is when it happened; "disclosed" is when the world found out — often much later.
Patch deadline
KEV entries carry a date by which US federal agencies must remediate. It doubles as a sensible urgency signal for any organization.