The Cyber Resilience Brief: A SafeBreach Podcast

Author: SafeBreach


Description

The Cyber Resilience Brief is your 15-minute pulse on how organizations can build stronger defenses and achieve true cyber resilience. Each episode dives into the practical realities of Breach and Attack Simulation (BAS), adversarial exposure validation, and the evolving strategies that keep modern enterprises secure.

Hosted by Tova Dvorin and brought to you by SafeBreach — the leader in Adversarial Exposure Validation — this podcast features insights from cybersecurity leaders, integration partners, CISOs, technical experts, and forward-thinking customers.

Whether you’re in the EU navigating DORA requirements, managing a global security program, or simply looking to better validate your defensive posture, The Cyber Resilience Brief delivers actionable guidance, partner perspectives, and the latest trends to help your business stay ahead.

🎧 Subscribe and join us as we explore what it takes to proactively defend, adapt, and thrive in today’s threat landscape.
49 Episodes
Iranian cyber operations are entering a new era.

In this final episode of our Iran cyber series, we explore how Iranian APT groups are evolving — leveraging AI, targeting supply chains, and bypassing the billion-dollar security stacks built to stop them.

Hosts Tova Dvorin and Adrian Culley break down the emerging threats shaping 2026, including:
• Autonomous malware powered by localized LLMs
• “Skeleton key” attacks targeting MSPs and IT providers
• Adversarial AI collaboration between Iran, Russia, and North Korea
• Why identity trust is collapsing in the age of deepfakes
• The role of continuous automated red teaming in modern cyber defense

The perimeter is gone. Your weakest vendor may now be your biggest risk.

Learn how security leaders can adapt before the next generation of attacks arrives.
June 2025 marked a turning point in cyber warfare.

In this episode of The Cyber Resilience Brief, Tova Dvorin and offensive engineer Adrian Culley break down the cyber escalation that followed Operation Rising Lion — what some analysts now describe as Iran’s 12 days of cyber war.

As missiles struck Iranian strategic targets, coordinated hacktivist groups like Cyber Avengers and Handala launched psychological operations, mass SMS spoofing campaigns, and attacks targeting operational technology (OT) systems — including Unitronics PLCs used in water and industrial facilities worldwide.

The impact quickly spread beyond the Middle East. U.S. water utilities were targeted, supply chain vulnerabilities were exploited, and retaliatory cyberattacks struck financial infrastructure.

In this episode, we explore:
• How hybrid warfare is collapsing the gap between physical and cyber attacks
• The rise of state-linked hacktivist groups
• Why OT and critical infrastructure are increasingly global targets
• How adversaries exploit the IT/OT bridge to reach industrial systems
• What security leaders must learn from the June 2025 escalation

Cyber conflict is no longer a secondary theater — it’s where escalation begins.
Iran’s APT42 — also known as Charming Kitten or Mint Sandstorm — is redefining social engineering with generative AI, deepfake voice cloning, and long-term phishing campaigns.

In this episode of the Cyber Resilience Brief, we break down how Iranian state-sponsored threat actors are using AI-powered phishing, MFA fatigue attacks, credential harvesting, and hack-and-leak operations to target journalists, political campaigns, academics, and enterprise executives.

You’ll learn:
• How APT42 builds months-long AI-generated relationships before deploying malware
• How deepfake voice notes are being used to bypass verification
• How compromised email accounts fuel election interference and information warfare
• Why MFA fatigue and session token abuse remain critical enterprise risks
• How adversarial exposure validation (AEV) and continuous automated red teaming help security teams detect post-phishing lateral movement

As AI becomes agentic and scalable, social engineering attacks are evolving from mass phishing to precision psychological operations.

This isn’t just cyber espionage. It’s AI-driven influence warfare.

Stay safe. Stay resilient.
In this episode of The Cyber Resilience Brief, we break down the modern reality of Iranian cyber warfare and industrial espionage. Host Tova Dvorin and offensive security engineer Adrian Culley analyze the tactics, techniques, and procedures (TTPs) of APT33, OilRig (APT34), and MuddyWater — three of the most active Iranian state-sponsored threat actors targeting energy, aviation, manufacturing, government, and critical infrastructure.

From intellectual property theft and aerospace breaches to DNS tunneling, living-off-the-land techniques, cloud-based command-and-control (C2), and wiper malware, we unpack how these groups evolved into stealthy, high-end cyber espionage operators.

You’ll also learn how adversarial exposure validation (AEV), breach and attack simulation (BAS), and continuous automated red teaming (CART) help security leaders validate defenses against real-world nation-state threats.

If you're a CISO, security architect, threat intelligence analyst, or cyber resilience leader, this episode delivers actionable insight into defending against advanced persistent threats (APTs).

Subscribe for expert analysis on cyber resilience, exposure management, and defending against state-sponsored cyber attacks.
In Part 2 of our Russia cyber threat series, we unpack the Western cybercrime ecosystem powering Russian ransomware operations.

We examine Scattered Spider, LAPSUS$, and Shiny Hunters, and how social engineering, SIM swapping, MFA bypass, and AI-driven voice spoofing are breaching Fortune 100 companies — without zero-days.

Learn how access brokers commoditize breaches, why help desks are prime targets, and what this shift means for CISOs and security teams.

If you’re only testing firewalls, you’re missing the real risk.

Listen now to understand how modern ransomware campaigns succeed — and what your security program must test to stay ahead.
In this special bonus episode of The Cyber Resilience Brief, host Tova Dvorin is joined by SafeBreach threat research expert Adrian Culley to examine DynoWiper, a destructive nation-state wiper malware observed targeting Poland’s energy sector.

First detected in late December 2025, DynoWiper has been linked to attacks on Polish wind farms and combined heat and power (CHP) plants, signaling a shift away from financially motivated ransomware toward pure disruption of critical infrastructure.

The episode explores:
• How DynoWiper operates without command-and-control infrastructure
• Why attribution points to Russian state-linked actors, including FSB Centre 16 (Static Tundra) and GRU Unit 7445 (Sandworm)
• Why traditional, point-in-time security testing fails against internally staged attacks
• How Continuous Threat Exposure Management (CTEM) and Adversarial Exposure Validation (AEV) help organizations identify and close exposure gaps before destructive payloads are deployed

While activity has been observed in Poland, the tactics discussed are highly relevant to energy and critical infrastructure operators worldwide.

Cyber resilience isn’t a one-time achievement — it’s a continuous process of validation.
In this episode, Tova Dvorin and Adrian Culley break down the realities of Russian intelligence and cyber security, separating myth from fact. They explore how Russian state actors rely on proxy actors and cybercriminal marketplaces rather than direct operations, and why attribution challenges make cyber attacks so difficult to trace.

The discussion highlights the difference between state-sponsored cyber activity and financially motivated cybercrime—and why defenders must rethink traditional assumptions. The episode closes with a look at why continuous threat exposure management is critical for staying ahead of evolving cyber threats.

Topics include: Russian cyber threats, proxy actors, attribution challenges, and modern cybersecurity strategy.
Episode 2 of 6 – Iran’s Cyber Program Explained

In Iran’s Cyber Shadow War: IRGC, MOIS, and the Battle for Control, we continue our deep-dive into Iran’s cyber operations by exposing the internal power struggle driving its most dangerous digital attacks.

Iran does not operate a single, unified cyber command. Instead, two rival organizations—the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS)—run competing cyber missions with very different goals, tactics, and tradecraft. One favors loud, destructive attacks designed to intimidate and disrupt. The other specializes in quiet cyber espionage, long-term access, and intelligence collection.

In this episode, we break down how this rivalry fuels Iranian state-sponsored cyber activity, why both agencies often target the same victims, and how their competition creates real risk for Western governments, critical infrastructure, energy, finance, and private enterprises. We also explore Iran’s use of contractor-based hacking groups, providing speed, innovation, and plausible deniability—while making attribution and defense significantly harder.

For CISOs and security teams, this episode explains what Iran’s divided cyber command means for detection, dwell time, and continuous adversarial exposure validation—and why defenders must be prepared for both stealthy intrusions and sudden, destructive attacks.

🎧 In this episode:
• Iran’s cyber shadow war explained
• IRGC vs. MOIS: rivalry, missions, and tactics
• State-sponsored hacking and contractor ecosystems
• Cyber espionage vs. cyber disruption
• What Iran’s internal competition means for defenders

This is Episode 2 of a 6-part series unpacking how Iran builds, deploys, and evolves its cyber power—and what organizations must do to stay ahead.
How did Iran evolve from a regional actor into one of the world’s most disruptive cyber threat forces? In the first episode of our Iran threat series, we trace the pivotal moments that shaped Iran’s modern cyber doctrine — from the Stuxnet attack on Natanz to the rise of destructive wiper malware like Shamoon and today’s era of stealthy, persistent access operations.

Host Tova Dvorin is joined by Adrian Culley, Offensive Cyber Security Engineer at SafeBreach, to unpack how Iran turned humiliation into capability, embraced a contractor-based APT model, and weaponized cyber operations as a tool of retaliation and asymmetric warfare.

You’ll learn:
• Why Stuxnet was Iran’s cyber “Big Bang” moment
• How Shamoon marked the birth of destructive, message-driven attacks
• The evolution from noisy disruption to long-term persistence
• Why Iranian APTs target financial services, energy, and supply chains
• What today’s geopolitical instability means for Western enterprises and critical infrastructure
• How CTEM, BAS, and Continuous Automated Red Teaming (CART) help organizations detect and stop Iranian threat actors before they strike

If you’re a CISO, security leader, or threat intelligence professional, this episode explains why guessing is no longer an option — and why continuous adversarial exposure validation is now essential to defending against Iranian cyber operations.
China. Russia. Iran. North Korea. As geopolitical tensions escalate—especially involving China and Iran—their cyber activity isn’t slowing down. It’s converging. In this episode of The Cyber Resilience Brief, Tova Dvorin and Adrian Culley unpack CRINK: an intelligence-community term rarely used in the commercial market, but critical for defenders to understand now. CRINK isn’t a formal alliance so much as it’s a shared playbook. Chinese pre-positioning, Russian disruption, Iranian sabotage, and North Korean cybercrime combine into a full-spectrum, asymmetric threat targeting critical infrastructure and enterprises. If your security strategy relies on alerts, assumptions, or patching alone, you’re already behind. This episode explains why—and how to move from guessing to proving your defenses work.
The Shadow War is already underway — and it’s being fought in cyberspace. In this episode of The Cyber Resilience Brief, host Tova Dvorin and cybersecurity strategist Adrian Culley explore how escalating global tensions are redefining modern warfare and what that means for CISOs and security teams today. We break down how nation-state cyber threats from Russia, China, Iran, and North Korea are operating in a state of persistent engagement — planting access, stealing data, disrupting critical infrastructure, and preparing for future conflict. Learn why reactive security is no longer enough and how Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Adversarial Exposure Validation (AEV) help organizations defend against advanced persistent threats. The Shadow War isn’t coming — it’s already here.
Offensive cybersecurity didn’t start with phishing or ransomware; it began with codebreaking, curiosity, and a drive to understand how systems fail. In this episode of The Cyber Resilience Brief, host Tova Dvorin and SafeBreach Senior Sales Engineer Adrian Culley explore the evolution of offensive security — from early hacking and penetration testing to modern Breach and Attack Simulation (BAS) and continuous adversarial exposure validation. You’ll learn why point-in-time testing is no longer enough, how BAS enables safe testing of live production environments, and what CISOs need to build measurable, continuously validated cyber resilience.
Emennet Pasargad is one of the most active and aggressive Iranian cyber threat groups operating today — tied directly to the Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command. In this episode of Cyber Resilience Brief, SafeBreach Senior Sales Engineer Adrian Culley breaks down who Emennet Pasargad really is, how they operate through shell companies and phishing campaigns, and why their tactics pose both cybersecurity and geopolitical risks.

You’ll learn how this Iranian nation-state group abuses email, malware delivery, and command-and-control infrastructure — and why traditional security awareness training isn’t enough. More importantly, we explore how adversary emulation, continuous control validation, and real-world attack simulation can help organizations identify gaps, harden defenses, and stop IRGC-linked attacks before they cause damage.

Key topics include:
• Who Emennet Pasargad is and their ties to the IRGC
• Common tactics, techniques, and procedures (TTPs), including phishing and lateral movement
• The difference between cyber simulation vs. adversary emulation
• How organizations can proactively defend against Iranian cyber threats
• Why continuous cyber resilience testing is now a regulatory and business imperative

For more information on protective measures against Iranian threat actors, check out our SafeBreach blog post.
Threat-led red teaming is no longer optional in Europe — it’s becoming the foundation of cyber resilience. In this episode of The Cyber Resilience Brief, host Tova Dvorin is joined by Adrian Culley, SafeBreach’s offensive security expert for Europe and the UK, to break down the TIBER-EU framework and why it’s reshaping how financial institutions and critical infrastructure organizations approach cyber defense.

Originally developed by the European Central Bank, TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) goes far beyond traditional penetration testing. It simulates real-world adversaries, real attack paths, and real operational pressure — aligning tightly with modern regulations such as DORA, NIS2, and the EU Cyber Resilience Act.

In this episode, we cover:
• What TIBER-EU is and why regulators are embracing intelligence-led red teaming
• How DORA and TIBER-EU work together to enforce continuous operational resilience
• Why point-in-time penetration tests are no longer enough
• The evolving role of Breach & Attack Simulation (BAS) in preparing for TIBER-EU assessments
• How Adversary Exposure Validation (AEV) reveals real blast radius and business impact
• Why Continuous Automated Red Teaming (CART) is emerging as the “always-on” complement to regulator-mandated tests

Whether you’re a CISO, security architect, red teamer, or risk leader, this episode explains how Europe’s regulatory frameworks are pushing the industry toward continuous, adversary-centric security validation — and why organizations outside the EU should be paying close attention.

🎙️ If cyber resilience is a journey — TIBER-EU defines the terrain.
In this episode of the Cyber Resilience Brief, hosts Tova Dvorin and Adrian Culley clearly and practically explain some of the most commonly used — and most commonly misunderstood — terms in modern cybersecurity.

Together, they break down:
• What Breach and Attack Simulation (BAS) actually means in practice
• How Advanced Persistent Threats (APTs) operate — and why persistence matters
• What Adversarial Exposure Validation (AEV) is (and what it isn’t)
• How CTEM (Continuous Threat Exposure Management) connects these concepts
• The difference between attack simulation and adversary emulation

This episode focuses on plain-language explanations, real-world context, and why these terms exist in the first place. If you’ve ever heard these acronyms used interchangeably — or wanted a grounded explanation you can actually reuse — this episode is for you.
The Jaguar Land Rover cyberattack has already cost the UK billions — and exposed a critical weakness in modern cybersecurity: supply chain risk. In this episode of The Cyber Resilience Brief, SafeBreach hosts Tova Dvorin and Adrian Culley sit down with Steve Cobb, CISO of SecurityScorecard, to unpack what really happened, why groups like Scattered Spider, ShinyHunters, and Lapsus are becoming more coordinated, and what CISOs must do now to protect against cascading third-party failures.

We break down:
• How the Jaguar Land Rover breach unfolded
• Why third-party and fourth-party risk is now first-party risk
• The rise of coordinated cybercrime collectives
• Why “trust but validate” must be the new supply chain mantra
• Actionable steps to strengthen resilience and visibility across vendors
• What the JLR incident means for national security, global operations, and the future of supply chain cybersecurity

Whether you're a CISO, resilience leader, threat analyst, or supply chain security professional, this episode delivers essential insights into one of the most significant cyberattacks in UK history.
In Episode 33 of The Cyber Resilience Brief, hosts Tova Dvorin and Adrian Culley revisit the BRICKSTORM threat—this time through the lens of the new CISA, NSA, and Canadian Cyber Centre joint advisory. While Episode 24 explored BRICKSTORM’s origin, stealth techniques, and UNC5221’s long-term espionage campaign, this episode focuses on what’s changed, and why BRICKSTORM remains a critical concern for defenders in 2025 and into 2026.

Tova and Adrian break down the advisory’s latest findings, including expanded targeting of government and IT sectors, advanced persistence mechanisms, and new insights into how attackers leverage VMware environments to maintain full, covert control of compromised systems.

The conversation underscores a central message: these tactics aren’t static. BRICKSTORM is evolving, and organizations must evolve their defenses too. That means shifting from occasional checks to continuous validation, embracing Breach and Attack Simulation (BAS), and operationalizing threat exposure management to match the pace of modern threat actors.

What’s New in This Episode
• Key updates from the CISA/NSA/CCCS advisory on BRICKSTORM
• Evolving persistence and communication-hiding techniques
• How attackers continue to exploit VMware and web-facing infrastructure
• Why high-value organizations remain prime targets
• The growing need for continuous, proactive security validation
• How BAS helps validate Zero Trust and uncover blind spots before adversaries do

For more information on SafeBreach's BRICKSTORM coverage, read our blog.
In this episode of The Cyber Resilience Brief, host Tova Dvorin and offensive security expert Adrian Culley expose The Com—the decentralized cybercrime collective behind threat groups like Lapsus$, Scattered Spider (UNC 3944 / Octo Tempest), and ShinyHunters. Together, they break down how this teenage-to-young-adult adversary ecosystem has weaponized vishing, MFA fatigue, SIM-swapping, and cloud exfiltration to breach giants including Microsoft, Okta, Nvidia, MGM Resorts, and more.

You’ll learn:
• How The Com evolved from Lapsus$ chaos into a professionalized extortion machine
• Why help desks—not firewalls—are their favorite initial access vector
• Their signature TTPs: vishing, MFA bypass, living-off-the-land, cloud data theft, and ephemeral IOCs
• How adversarial exposure validation (AEV), BAS, CART, and phishing-resistant MFA (FIDO2/WebAuthn) shut them down
• Practical resilience steps you can implement today

A must-listen for CISOs, security leaders, and anyone tracking modern identity-based cyber threats. Stay safe. Stay safe with SafeBreach.
In this final episode of our November Critical Infrastructure series, The Cyber Resilience Brief host Tova Dvorin and SafeBreach offensive engineer Adrian Culley explore what it truly means to measure resilience — not just talk about it. They break down how the CISA resilience framework (“Know, Assess, Plan, and Continuously Improve”) connects directly to modern validation tools like Breach and Attack Simulation (BAS), Adversary Exposure Validation (AEV), and Continuous Red Teaming (CART). Discover how organizations can move from tabletop exercises to quantifiable, data-driven resilience metrics, bridging the gap between security plans and operational reality. Learn how continuous validation transforms cyber defense from a cost center into a measurable return on security investment (ROSI) — and why resilience should be treated as a living capability that evolves alongside adversaries.
As IT and OT environments converge, critical infrastructure faces an evolving threat landscape where cyberattacks can have real-world, physical consequences. In this episode of The Cyber Resilience Brief, host Tova Dvorin and Adrian Culley, Offensive Cybersecurity Engineer at SafeBreach, explore how Continuous Automated Red Teaming (CART) delivers a unified approach to testing and securing IT/OT boundaries. Learn how continuous validation, segmentation assurance, and evidence-based remediation help organizations protect industrial control systems (ICS) and SCADA environments—without disrupting operations. Discover how to align with CISA’s resilience principles, reduce mean time to remediation (MTTR), and strengthen cyber-physical resilience through continuous, safe validation.