In early February 2026, Silent Push analysts detected a Cobalt Strike command-and-control (C2) configuration tied to a ransomware affiliate that deploys CountLoader and Cobalt Strike payloads carrying a unique watermark.
While reviewing the Check Point Research incident response report on The Gentlemen Ransomware-as-a-Service (RaaS), we recognized the Cobalt Strike IP address it names: we had flagged that address roughly 2.5 months before public reporting, and we attribute the incident to the same ransomware actor discussed in our CountLoader research.
Our Indicators of Future Attack® (IOFA) block downstream attacks involving Cobalt Strike, which ransomware actors and Advanced Persistent Threats (APTs) often leverage.
We previously reported identifying more than 10,000 infected IP addresses as part of the RaaS-related SystemBC botnet malware family in our February 2026 blog and March 2026 client report.
Detection Timeline
Jul-Aug 2025
Discovery
Silent Push identifies CountLoader, a new malware loader in 3 versions. Cobalt Strike watermarks 1473793097 and 1357776117 are fingerprinted to a single affiliate.
Sep 18 2025
Public Research Published
Silent Push links the watermarks to Black Basta, Qilin, and LockBit ransomware activity in the CountLoader blog.
Feb 8 2026
IOFA Issued
91.107.247[.]163 flagged as a Cobalt Strike C2. Customers receive automated blocking via firewall, SIEM, and EDR feeds.
Feb 2026
10,000+ Infections Identified
Silent Push maps over 10,000 infected IPs tied to the RaaS-related SystemBC botnet. Client report distributed March 2026.
Apr 22 2026
Check Point DFIR Report Published
Check Point identifies 91.107.247[.]163 as the C2 in The Gentlemen RaaS intrusion. Silent Push had flagged the same IP 76 days earlier.
76 days between IOFA issuance and public disclosure
Silent Push customers had blocking in place on this infrastructure before Check Point published their report, and before any victims were publicly named.
We urge all organizations to take protective measures by setting up automated blocking via integrating the Cobalt Strike IOFA feed directly into their firewall, SIEM, or EDR via an API or STIX/TAXII feed.
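The feed-to-firewall step described above is usually the one that stalls in practice, so the following added example (not Silent Push code, and not the schema of its feed) shows how a STIX 2.1 indicator bundle is turned into blocklist entries. The bundle is constructed here: the IP is the C2 named in this report, while the domains, object IDs and timestamps are hypothetical. It deliberately skips revoked and expired indicators and anything non-routable, because a stale or RFC 1918 entry pushed to a firewall causes an outage rather than a detection. The nftables table and set names are assumptions.

```python
"""Turn a STIX 2.1 indicator bundle into blocklist entries a firewall or SIEM
can consume, skipping expired, revoked and non-routable entries."""
import ipaddress
import json
import re
from datetime import datetime, timezone

# One equality comparison inside a STIX pattern, e.g. ipv4-addr:value = '1.2.3.4'.
_COMPARISON = re.compile(r"(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'([^']+)'")


def _indicator(num, pattern, **extra):
    """Build a minimal STIX 2.1 indicator object for the constructed sample bundle."""
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--4f2c1f2e-0000-4000-8000-{num:012d}",
           "created": "2026-02-08T00:00:00.000Z", "modified": "2026-02-08T00:00:00.000Z",
           "indicator_types": ["malicious-activity"], "pattern_type": "stix",
           "pattern": pattern, "valid_from": "2026-02-08T00:00:00.000Z"}
    obj.update(extra)
    return obj


# Constructed sample bundle (not Silent Push's feed format). The IP is the C2
# named in the report; domains and IDs are hypothetical.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--4f2c1f2e-0000-4000-8000-000000000000",
    "objects": [
        _indicator(1, "[ipv4-addr:value = '91.107.247.163']", name="Cobalt Strike C2"),
        _indicator(2, "[domain-name:value = 'cdn-update.example' OR domain-name:value = 'Beacon.Example.']"),
        _indicator(3, "[domain-name:value = 'old-c2.example']", valid_until="2026-01-01T00:00:00.000Z"),
        _indicator(4, "[ipv4-addr:value = '203.0.113.9']", revoked=True),
        _indicator(5, "[ipv4-addr:value = '10.0.0.5']"),  # private: must never reach a blocklist
    ]})

NOW = datetime(2026, 4, 22, tzinfo=timezone.utc)  # evaluation time for the sample


def parse_pattern(pattern):
    """Every (object_type, value) equality comparison in a STIX pattern.
    Only simple value matches a blocklist can act on are returned; MATCHES, IN
    and file-hash comparisons are ignored on purpose."""
    return _COMPARISON.findall(pattern)


def _ts(value):
    # STIX timestamps are RFC 3339 with a trailing Z; fromisoformat wants +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_blocklist(bundle_json, now=NOW):
    """Return {'ip': [...], 'domain': [...]} from active, unrevoked indicators."""
    bundle = json.loads(bundle_json)
    ips, domains = set(), set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if obj.get("revoked") or ("valid_until" in obj and _ts(obj["valid_until"]) <= now):
            continue  # revoked or expired: keep stale blocks out of production
        for kind, value in parse_pattern(obj["pattern"]):
            if kind in ("ipv4-addr", "ipv6-addr"):
                net = ipaddress.ip_network(value, strict=False)  # accepts host or CIDR
                if net.is_global:  # never block RFC 1918, loopback or doc ranges by mistake
                    single = net.prefixlen == net.max_prefixlen
                    ips.add(str(net.network_address) if single else str(net))
            elif kind == "domain-name":
                domains.add(value.lower().rstrip("."))  # normalise case and trailing dot
    return {"ip": sorted(ips), "domain": sorted(domains)}


def nft_commands(blocklist, table="inet filter", set_name="c2_v4"):
    """nft(8) commands adding the IPv4 entries to an existing set. Table and set
    names are assumptions; create the set first (type ipv4_addr, flags interval)."""
    v4 = [ip for ip in blocklist["ip"] if ":" not in ip]
    return [f"add element {table} {set_name} {{ {', '.join(v4)} }}"] if v4 else []


def defang(value):
    """Defang an indicator for reports so it is not clickable or resolvable."""
    return value.replace(".", "[.]")


if __name__ == "__main__":
    result = extract_blocklist(SAMPLE_BUNDLE)
    for line in nft_commands(result):
        print(line)
    print("report form:", [defang(ip) for ip in result["ip"]])
```

In a TAXII deployment the bundle would come from a collection poll rather than a string; the filtering logic is the part worth keeping, because a feed consumer that never drops revoked or expired objects silently accumulates blocks on infrastructure that has since been reassigned.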
Executive Summary
Silent Push has been tracking ransomware threat actors for several years. Following deep-dive research in July and August 2025 that chronicled our discovery of a new malware loader we named “CountLoader,” on September 18, 2025, we published the public blog “CountLoader: Silent Push Discovers New Malware Loader Being Served in 3 Different Versions,” sharing our findings.
Our analysis highlights a critical intersection between malware infrastructure and specific threat actors: the Cobalt Strike watermarks 1473793097 and 1357776117. A watermark is derived from the license used to build a payload, so these identifiers provide the technical “fingerprint” linking the activity directly to a ransomware affiliate with verifiable ties to Black Basta, LockBit, and Qilin attacks. The caveat for anyone repeating this method is that watermarks from leaked or cracked builds are shared across many unrelated operators, so attribution by watermark is only meaningful for values that are rare, as these are.
We were inspired by the recent Digital Forensics and Incident Response (DFIR) report from Check Point, which highlights an intrusion involving SystemBC and Cobalt Strike. From this, our research team was able to tie our earlier ransomware affiliate findings to the Gentlemen RaaS.
Since Cobalt Strike is often used by APTs and ransomware actors, we urge organizations to block infrastructure related to our Cobalt Strike IOFA feeds.
Incident
The Check Point DFIR report highlights the use of a Cobalt Strike C2 at IP address 91.107.247[.]163, tied to the intrusion and eventual ransomware deployment by the RaaS, The Gentlemen.
The Cobalt Strike C2 IP was flagged as an IOFA in our report on February 8, 2026.
Silent Push Total View of IP address: 91.107.247[.]163
We found the indicator using the same Cobalt Strike detection method we developed during our CountLoader analysis. We attribute this intrusion with high confidence to the same ransomware affiliate previously associated with Black Basta, LockBit, and Qilin operations. The Check Point DFIR report lets us add The Gentlemen ransomware to the list of brands this actor has deployed.
Our unique detection methodology ensures that our tracking remains persistent even when a threat actor pivots between ransomware groups; by identifying the individual behind the keyboard rather than just the brand they serve, we maintain a high-confidence trail on this affiliate throughout their three-year tenure across LockBit, Black Basta, Qilin, and now The Gentlemen.
Historic Incidents
In our CountLoader blog, we highlight external research tying the observed Cobalt Strike watermark (and, by extension, the CountLoader campaign we have been tracking) directly to Black Basta, Qilin, and LockBit ransomware activity. To provide additional background, several external sources documenting the historical trail of this threat actor are listed below:
We also offer a free Community Edition, giving security practitioners and researchers introductory access to the Silent Push platform and datasets.
Continuing to Track RaaS
Our preemptive cyber defense and research teams will continue to track and report on RaaS groups, including The Gentlemen, LockBit, Black Basta, and Qilin, as well as on the abuse of Cobalt Strike, throughout 2026.
If you or your organization has any information to share regarding the findings in this report, we would welcome the opportunity to collaborate.
Following U.S. Treasury sanctions in 2025, Triad Nexus has matured its operational security, employing geographic fencing to blind U.S. investigators while simultaneously laundering its infrastructure through account muling and a rotating network of “clean” front companies.
The network has industrialized brand theft on a global scale; its catalog includes “pixel-perfect” clones of everything from high-end luxury goods to public services.
To counter the automated obfuscation used by Triad Nexus, Silent Push’s CNAME Chain Lookup provides a quick forensic method for analyzing multi-tiered redirection paths and exposing the underlying “laundered” infrastructure for real-time defense.
Executive Summary
Triad Nexus is responsible for over $300 million in daily reported losses, totaling billions annually, driven largely by sophisticated “pig-butchering” and virtual currency scams. Individual victim losses average $150,000, highlighting the high conversion nature of its operations. Despite federal sanctions in 2025, the group has reinstated its global fraud engine, shifting its focus toward emerging markets while maintaining a persistent threat to Western enterprise assets.
Triad Nexus continues to pose a direct risk to corporate brand integrity and customer trust. The group manages an industrialized catalog of impersonation assets targeting:
Banking and Fintech: Payment portals for more than 25 global institutions (including Wells Fargo and Bank of America) used for large-scale credential harvesting and “pig-butchering” scams.
Luxury Retail: High-fidelity clones of brands such as Tiffany and Cartier to intercept high-value consumer transactions.
Global Logistics: Exploitation of services, including the Vietnam Post, to facilitate regional personally identifiable information (PII) theft.
Standard reactive security measures are insufficient against Triad Nexus’ automated rotation of deceptive infrastructure. Mitigation requires a shift toward preemptive cyber defense and high-fidelity visibility.
Triad Nexus is a sprawling cybercrime ecosystem rooted in organized crime groups across Asia. Historically identified by its reliance on the FUNNULL Content Delivery Network (CDN), the network has facilitated a massive surge in investment scams, money laundering, and illegal gambling operations since at least 2020. The illicit network serves as the primary backbone for “pig-butchering” schemes and fraudulent financial portals that target global consumers.
In addition to these fraud operations, the group specializes in high-fidelity brand impersonation, weaponizing the digital identities of Global 2000 companies to deceive victims.
The Audacity of “Infrastructure Laundering”
An effective technique in Triad Nexus’ arsenal is “infrastructure laundering.” Rather than relying solely on low-reputation servers, Triad Nexus uses “account mules” to steal or illicitly acquire accounts at major enterprise cloud providers. This gives its scams the appearance of legitimacy, high speed, and professional performance that even tech-savvy Western audiences do not question.
Our team’s investigation reveals that the “bulletproof” backbone of this operation remains AS152194 (CTG Server Limited). However, to prevent total takedowns, the group segments its infrastructure into multiple ASN pools, preventing investigators from identifying the entire network.
The major providers currently being exploited in these laundering schemes include:
Amazon (AS16509)
Cloudflare (AS13335)
Google (AS396982)
Microsoft (AS8075)
An Industrialized Catalog of Brand Impersonation
Triad Nexus is linked to the majority of virtual currency investment scam websites reported to the FBI. The network has industrialized brand theft on a global scale.
Its catalog includes “pixel-perfect” clones of everything from high-end luxury brands to public services. We have documented active campaigns impersonating:
Financial & Investment: iTrustCapital, Western Union, MoneyGram, and Etsy.
Public Services: TripAdvisor and a sophisticated, deceptive clone of the Vietnam Post (vietnampost[.]vn).
To facilitate its rapid fund siphoning, Triad Nexus sites offer payment portals linked to over 25 global financial giants, including Goldman Sachs, Royal Bank of Canada, Bank of America, and Wells Fargo.
Its cryptocurrency acceptance is equally broad, supporting not only BTC and ETH, but also USDC, TRON, MATIC, and TRC20 tokens.
Geographic Evasion and the U.S. Block
In a cynical attempt to evade law enforcement monitoring post-sanctions, Triad Nexus implemented a counterintuitive “U.S. Block.” Visitors attempting to access many of their sites from U.S. IP addresses are being met with a “451 Unavailable for Legal Reasons” error message stating, “The region has been denied.”
As the network withdraws from direct U.S. exposure to avoid detection, it has been expanding into Spanish-, Vietnamese-, and Indonesian-speaking markets, using localized templates so that illicit profits keep flowing while it stays out of the U.S. Treasury’s direct line of sight.
The Rise of Clean Front Companies
Before the May 2025 sanctions were issued, Triad Nexus was already taking steps to distance itself from the tainted “FUNNULL” brand. The group launched a series of “clean” front companies, entities that use professional branding and fabricated track records to manufacture trust. They include:
Bole CDN (cdnbl[.]com): In a classic case of temporal fraud, the site claims to have served 10,000 clients since 2015. Domain records, however, prove it was registered in March 2025.
CDN1[.]ai: This front falsely claims to work with global brands such as Nestlé to lure in legitimate developers.
Other Fronts: Investigators have identified Yunray[.]ai, CDN5[.]com, and CTGCDN as part of the network’s shell game.
The fronts often rely on human operators for recruitment, specifically utilizing the Telegram account t[.]me/sara5433 to communicate with prospective buyers. Because they lack any visible “FUNNULL” branding, the entities are nearly impossible for the average user to identify as malicious.
Fighting Back with CNAME Chain Mapping
As Triad Nexus adopts automation in its infrastructure defense, we documented a shift from using nine primary, stable CNAME domains for routing traffic to over 175 randomly generated CNAME domains, each of which connects clusters of malicious client websites to acquired IP addresses.
Diagram of a CNAME chain between an IP and a client domain cluster
Mapping the infrastructure now requires the CNAME Chain Lookup.
Traditional lookups only show a single link, but CNAME Chain Mapping reveals the entire automated path used to hide the final destination. A typical malicious chain now looks like this:
Client Domain (e.g., tripdsdvjea[.]com)
Intermediary CNAME 1 (e.g., kanejwo[.]com)
Intermediary CNAME 2 (e.g., iiauuw[.]com)
Final A Record (The laundered IP address, often found on AS152194)
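To make the chain above concrete, here is an added example (not Silent Push’s CNAME Chain Lookup or its code) that follows multi-hop CNAME chains through a passive-DNS snapshot and then groups client domains by the intermediary CNAME domains they share, which is the clustering signal discussed later in this post. The snapshot, the domain names and the IP-to-ASN table are all constructed; the IPs are RFC 5737 documentation addresses and the ASN numbers are the ones named in this report. It handles the two failure modes a naive resolver trips over: CNAME loops and dangling chains whose tail no longer resolves.

```python
"""Follow multi-hop CNAME chains in a passive-DNS snapshot and cluster client
domains by the intermediary CNAME domains they pass through."""
from collections import defaultdict

# Constructed passive-DNS snapshot: name -> list of (rrtype, rdata).
# All names are hypothetical; IPs are RFC 5737 documentation addresses.
RECORDS = {
    "shop-clone.example":    [("CNAME", "edge.hop-one.example")],
    "bank-clone.example":    [("CNAME", "edge.hop-one.example")],
    "edge.hop-one.example":  [("CNAME", "a7.hop-two.example")],
    "a7.hop-two.example":    [("A", "203.0.113.10"), ("A", "203.0.113.11")],
    "casino-clone.example":  [("CNAME", "cdn.hop-three.example")],
    "cdn.hop-three.example": [("A", "198.51.100.7")],
    "loop-a.example":        [("CNAME", "loop-b.example")],
    "loop-b.example":        [("CNAME", "loop-a.example")],
    "dangling.example":      [("CNAME", "gone.hop-four.example")],
}

# Constructed prefix -> ASN table (real ASN numbers, hypothetical prefixes).
ASN_BY_PREFIX = {
    "203.0.113.": "AS152194 CTG Server Limited",
    "198.51.100.": "AS16509 Amazon",
}


def asn_for(ip):
    """Longest-prefix-style lookup against the constructed table."""
    for prefix, asn in ASN_BY_PREFIX.items():
        if ip.startswith(prefix):
            return asn
    return "unknown"


def follow_chain(name, records=RECORDS, max_hops=10):
    """Walk CNAMEs from `name` to the terminal A records.
    Returns the hop list, the final IPs, their ASNs and a status of
    'resolved', 'loop', 'dangling' or 'too-deep'."""
    chain, seen, current = [name], {name}, name
    for _ in range(max_hops):
        rrset = records.get(current)
        if not rrset:  # tail of the chain has no records in the snapshot
            return {"chain": chain, "ips": [], "asns": [], "status": "dangling"}
        cnames = [rd for rt, rd in rrset if rt == "CNAME"]
        if not cnames:  # terminal node: collect A records
            ips = sorted(rd for rt, rd in rrset if rt == "A")
            asns = sorted({asn_for(ip) for ip in ips})
            return {"chain": chain, "ips": ips, "asns": asns, "status": "resolved"}
        target = cnames[0]  # a name owns at most one CNAME (RFC 1034)
        chain.append(target)
        if target in seen:  # revisiting a hop means the chain never terminates
            return {"chain": chain, "ips": [], "asns": [], "status": "loop"}
        seen.add(target)
        current = target
    return {"chain": chain, "ips": [], "asns": [], "status": "too-deep"}


def registrable(name):
    """Two-label approximation of the registrable domain; use a public-suffix
    library for real data (co.uk and friends break this shortcut)."""
    return ".".join(name.split(".")[-2:])


def cluster_by_intermediaries(records=RECORDS):
    """Group client domains (names nothing else points at) by the ordered
    tuple of intermediary CNAME domains their chain passes through."""
    targets = {rd for rrset in records.values() for rt, rd in rrset if rt == "CNAME"}
    clusters = defaultdict(list)
    for name in records:
        if name in targets:
            continue  # intermediaries are not clients
        result = follow_chain(name, records)
        if result["status"] != "resolved":
            continue
        key = tuple(registrable(hop) for hop in result["chain"][1:])
        clusters[key].append(name)
    return {key: sorted(names) for key, names in clusters.items()}


if __name__ == "__main__":
    for client in ("shop-clone.example", "loop-a.example", "dangling.example"):
        print(client, "->", follow_chain(client))
    for key, names in cluster_by_intermediaries().items():
        print(" > ".join(key), ":", names)
```

With live data, `RECORDS` would be populated from a passive-DNS source rather than written by hand; the point of keying the clusters on the registrable domain of each hop is that FUNNULL rotates the hostnames under a CNAME domain far more often than the domain itself.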
Triad Nexus’ FUNNULL CDN clearly takes “infrastructure as code” to heart, as it automates CNAME domain changes across vast amounts of client domains.
One instructive Triad Nexus FUNNULL client domain, alicdn9858[.]com (Total View), illustrates the naming conventions of the new CDN and CNAME domains: it has carried FUNNULL CNAME records since 2022 and has rotated through 11 different FUNNULL CNAME domains, the first of which, funnull[.]vip, was mapped in July 2022.
In the image shown above, we can see that the domain rotated through the following CNAMEs:
funnull[.]org
funnull[.]vip
funnull6[.]com
funnull301[.]com
fn01[.]vip
fn02[.]vip
fn03[.]vip
fc686[.]xyz
dns888[.]xyz
kanejwo[.]com
attackcdn[.]com
From the list above, it is clear that significant pattern diversity is at play here. “FUNNULL,” “FN,” or “FC” are no longer referenced in the new CNAME domains, a previously typical pattern.
Using kanejwo[.]com as an example CNAME domain, we can also see how Triad Nexus mapped its infrastructure onto trusted service providers such as Amazon to continue infrastructure laundering. Its A-record history shows Amazon IP addresses mapped to this CNAME in September 2025, when the activity was detected.
Interestingly, in this example, Amazon appears to have the network on its radar, as FUNNULL has seemingly stopped actively mapping stolen Amazon IPs to it.
Another interesting, recently-discovered Triad Nexus CNAME, cdn899[.]com, (Total View) has a history dating back to December 2020, with this domain mapped to numerous IPs across various ASNs. In April 2024, Amazon IPs were mapped here for a month before being removed. Then, for four months, neither the CNAME nor its client infrastructure resolved.
After this period, in September 2024, Cloudflare IPs were once again mapped to this CNAME, and they have been live for over 14 months as of the time of writing. The Cloudflare IPs propagate through the CNAME because Cloudflare Name Server records were set up for that cdn899[.]com CNAME domain, (as shown below):
Screenshot of FUNNULL CNAME records for cdn899[.]com showing unusually long-term A records from Cloudflare
Additionally, cdn899[.]com is mapped to enterprise cloud hosts, where it can be seen assisting in the resolution of a network of fake casino websites used for money laundering alongside other low-quality adult and gambling content, all targeted to Chinese audiences.
Reinforcing the clustering hypothesis, each CNAME appears to be set up differently. This aligns with our 2024 report, in which we determined that the unique CNAMEs and CNAME subdomains themselves were what helped segment the client infrastructure. It even helped differentiate the types of scams being run, although that pattern no longer holds entirely true.
The following FUNNULL CNAMEs showcase all three techniques: automated CNAME failover, the new CNAME naming schema, and infrastructure laundering.
The CNAME mapping domain smaooe[.]com (Forward A Lookup), switched between DNS A records from Amazon IPs, Cloudie (ASN 55933), CTG Server (ASN 152194), and briefly one IP address from the Netherlands, RoyaleHosting (ASN 212477), all in June of 2025. It has only recently stopped having enterprise IPs mapped to it; the last one was Microsoft, which lasted from September 2025 to early October 2025. As of this writing (April 2026), the only IP mapped to it is from ASN 55933, Cloudie, based in Hong Kong.
CNAME domain ddge[.]ru (Forward A Lookup) has been mapped to IPs from nearly 40 different ASNs throughout 2025, including IPs from Amazon’s AS16509. Individual mappings now last only about a month before they are removed. The shortened timeframe is what makes this example notable: previously, some Amazon IPs stayed mapped for months at a time, with one IP mapped for seven consecutive months in 2025 and another for five.
Some of the new Triad Nexus CNAMEs directly impersonate other major CDNs; for example, the CNAME domain dnycdn[.]com appears to imitate Dyn, the Oracle-owned managed DNS service.
This CNAME has been mapped to multiple enterprise services; in particular, it has had Microsoft IPs from AS8075 routinely mapped to it for months at a time, with a few Microsoft IPs present from June 2025 until November 2025. Cloudflare IPs have also remained mapped there for months, with Cloudflare Name Server records associated for nearly seven months.
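The dwell-time pattern described for smaooe[.]com, ddge[.]ru and dnycdn[.]com is easy to miss when reading passive-DNS rows one at a time, so the following added example (not Silent Push code) summarises how long a CNAME domain kept A records in each ASN and flags short-lived mappings into enterprise ASNs. The timeline is constructed to echo the rotation described above, with hypothetical IPs from RFC 5737 ranges and the ASN numbers named in this post; the 45-day threshold is an assumption chosen to separate the month-long bursts from the multi-month mappings.

```python
"""Summarise per-ASN dwell time for a CNAME domain's A records from a
passive-DNS timeline, and flag short-lived enterprise-ASN mappings."""
from collections import defaultdict
from datetime import date

# Constructed timeline for a hypothetical CNAME domain:
# (ip, asn, first_seen, last_seen). Not the real records for any domain above.
TIMELINE = [
    ("203.0.113.5",   "AS16509 Amazon",         date(2025, 6, 1),  date(2025, 6, 20)),
    ("198.51.100.9",  "AS55933 Cloudie",        date(2025, 6, 5),  date(2026, 4, 15)),
    ("192.0.2.44",    "AS152194 CTG Server",    date(2025, 6, 10), date(2025, 6, 30)),
    ("203.0.113.77",  "AS212477 RoyaleHosting", date(2025, 6, 12), date(2025, 6, 14)),
    ("198.51.100.200", "AS8075 Microsoft",      date(2025, 9, 3),  date(2025, 10, 4)),
]

# The cloud providers named in this post as laundering targets.
ENTERPRISE_ASNS = {"AS16509", "AS13335", "AS396982", "AS8075"}


def asn_dwell(timeline=TIMELINE):
    """Per ASN: summed IP-days (overlapping IPs count separately), number of
    distinct IPs, and the most recent last_seen."""
    summary = defaultdict(lambda: {"ip_days": 0, "ips": 0, "last_seen": date.min})
    for _ip, asn, first, last in timeline:
        entry = summary[asn]
        entry["ip_days"] += (last - first).days
        entry["ips"] += 1
        entry["last_seen"] = max(entry["last_seen"], last)
    return dict(summary)


def laundering_flags(timeline=TIMELINE, max_days=45):
    """Enterprise-ASN mappings that lived under max_days: the burst-and-drop
    pattern that defeats reputation blocking of the final IP."""
    flags = []
    for ip, asn, first, last in timeline:
        asn_num = asn.split()[0]
        dwell = (last - first).days
        if asn_num in ENTERPRISE_ASNS and dwell < max_days:
            flags.append((ip, asn_num, dwell))
    return flags


def current_hosts(timeline=TIMELINE, as_of=date(2026, 4, 22), stale_days=30):
    """IPs still considered live: last_seen within stale_days of as_of."""
    return sorted(ip for ip, _asn, _first, last in timeline
                  if (as_of - last).days <= stale_days)


if __name__ == "__main__":
    for asn, entry in sorted(asn_dwell().items()):
        print(f"{asn:28s} ip_days={entry['ip_days']:4d} ips={entry['ips']} last_seen={entry['last_seen']}")
    print("short-lived enterprise mappings:", laundering_flags())
    print("currently live:", current_hosts())
```

The useful defensive output is `current_hosts`, not the historical enterprise IPs: an Amazon or Microsoft address that hosted a FUNNULL CNAME for nineteen days in June has almost certainly been reassigned to a legitimate tenant by the time a feed built from it reaches your firewall, which is the argument for blocking the CNAME domain rather than the laundered IP.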
CNAME Chain Complexity Requires New Tools – Silent Push Delivers!
While investigating Triad Nexus’ complex CNAME chains and IP address acquisition schemes, our team realized we needed a new way to map the entire CNAME chain, rather than manually performing multiple CNAME forward/reverse queries for each domain.
So we built something new!
Using the new Silent Push CNAME Chain Lookup tool, defenders can now submit any of the previously seen CNAME domains into the form’s “chain_domain” field, which then returns lists of the entire CNAME chains seen, along with the host mapped through the chain and the IP addresses mapped to that host.
This new tool offers multiple search options that return the full scope of CNAME domains, CNAME chains, and the IPs used to keep a given domain online. It is, essentially, the perfect tool for researching networks that chain together client domains and their IP addresses with multiple CNAME domains.
Learn how SOC teams are using the Context Graph to get ahead of campaigns, cut alert noise, and give their AI security workflows data they can actually trust.
Why IOCs always arrive after the attacker is already operational, and what to do instead
Live walkthrough: the Context Graph surfacing a staging environment in real time
How to push IOFAs into your existing SIEM and SOAR without adding manual steps
Why agentic AI security tools hallucinate on noisy feeds, and what deterministic signals fix
Malicious infrastructure is designed to be resilient and difficult to identify.
In this cyber defense workshop, you’ll learn how to investigate malware infrastructure starting from a sample, then pivoting through DNS, hosting, and certificate data to build out a fuller picture of attacker networks.
Date: 21 April, 2026
Time: 10am ET // 3pm CEST // 10am SGT // 12pm AEST
Location: Online – Zoom
Requirements: Silent Push free Community Edition | Sign-up here
Security teams know the familiar routine: an alert triggers in the Security Information and Event Management (SIEM) system, prompting a manual scramble to determine if the indicator is malicious. A series of “Browser Tab Olympics” ensues as team members rush to pivot across multiple point tools, refresh external threat feeds, and cross-reference internal spreadsheets to investigate a single observable. Welcome to the hidden cost of tool integration chaos, colloquially known among defenders as the “Pivot Penalty.”
Technical truth scattered across disconnected silos
When an organization’s data lives across separate SIEMs, threat intelligence platforms, and EDR tools, there is no single source of context. Investigations slow down, and both Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) suffer. SOC analysts lose time to manual legwork, and Incident Response (IR) teams frequently revisit the same incident, trying to understand the full scope of a threat.
According to IBM’s 2025 Cost of a Data Breach Report, it takes organizations an average of 241 days to identify and contain a breach, a nine-year low, with the global average breach costing $4.44 million. And in the US, that number climbs even higher: American organizations now face a record average of $10.22 million per breach. Every day of delay compounds the damage.
Fragmentation Frustration
According to the Panaseer 2022 Security Leaders Peer Report, the average organization manages 76 security tools, a 19% increase driven by cloud adoption and the shift to remote work. While each tool was purchased to protect, together, they often create a significant visibility gap. Teams burn valuable hours manually reconstructing data that their security stack should be handling automatically.
That manual reconstruction is a workflow bottleneck, and the human cost is real. According to a Tines report, 71% of SOC analysts report burnout, with alert fatigue cited as a primary driver. The SANS 2024 SOC Survey found that 66% of SOC teams say they cannot keep pace with the volume of alerts they receive. When senior analysts spend their time on manual research rather than strategic threat hunting, teams feel perpetually behind, and turnover follows.
The Core Blind Spot
Most traditional security solutions focus on internal telemetry or the artifacts of past failures, known as Indicators of Compromise (IOCs). The problem is that IOCs only reflect what has already happened. They are a record of a match you may have already lost.
Legacy tools miss the preparation phase entirely, forcing organizations into a reactive race against a fully deployed adversary. Without upstream visibility into how adversaries build and stage their infrastructure, teams remain locked in a cycle of responding to alerts long after the groundwork for an attack has been laid.
Eliminate the Pivot Penalty with the Context Graph
Effective defense means identifying adversarial behavior earlier, not simply reacting faster. We remove the pivot penalty by doing the correlation work before your investigation begins.
Our platform is built on the Context Graph, an engine that continuously maps the global internet dataset to identify adversary infrastructure as it is being staged. It automatically pre-correlates technical relationships across active DNS records, WHOIS history, SSL certificates, and web content.
When management patterns emerge that match the way adversaries build and operate campaigns, the Context Graph converts them into Indicators of Future Attack® (IOFA): verified signals of a staging ground that exists right now, before it has been used against anyone.
The results speak for themselves. In a real-world deployment at a Fortune 500 media and entertainment company, our platform provided an average of 104 days of detection lead time, with a median lead time of 117 days. In some cases, the lead time exceeded 200 days. Threats from groups including FIN7, Lazarus, and Sapphire Sleet were identified in our dataset months before those indicators appeared in the customer’s SIEM.
Instead of manually connecting signals across tools, we consolidate more than 10 data types into a single view, enriching observables with 70 to 100 or more contextual attributes and proprietary risk scores. This eliminates manual legwork and lets teams link a single indicator to an entire adversary campaign in seconds rather than minutes.
By moving from probability-based guessing to deterministic technical truth, security teams can achieve three specific outcomes:
Accelerated triage. Replace manual data gathering with single-click verification of any IP address or domain.
Reduced alert noise. Suppress low-fidelity signals and focus energy only on verified attacker-controlled infrastructure.
Neutralize before compromise. Identify malicious management patterns during the staging phase to block threats before they reach your perimeter.
Moving left of boom, putting strategy in place before a breach occurs, is foundational to modern defense. By eliminating tool sprawl and the pivot penalty that comes with it, teams can finally give their analysts the capacity to focus on strategic hunting rather than manual data entry.
Get Started
Interested in learning more about the Silent Push preemptive cyber defense platform?
Talk to one of our platform experts to see how Silent Push can help your team neutralize threats before they reach your perimeter.
FAQs
What is the pivot penalty in a security operations center?
The pivot penalty is the time lost when analysts move between different security tools to verify a single alert. According to the Panaseer 2022 Security Leaders Peer Report, organizations manage an average of 76 security tools, forcing teams to manually cross-reference data across SIEMs, spreadsheets, and threat feeds. This fragmented process slows investigations and contributes to analyst burnout.
How does tool sprawl affect incident response times?
Tool sprawl increases MTTD and MTTR by creating data silos. According to the IBM 2024 Cost of a Data Breach Report, organizations take an average of 258 days to identify and contain a breach. Analysts spend hours manually reconstructing data because technical context is scattered across disconnected platforms, giving adversaries more time to operate undetected.
What are Indicators of Future Attack (IOFA)?
Indicators of Future Attack are proactive signals that identify malicious infrastructure during the setup phase. Unlike traditional indicators that record past breaches, IOFAs expose attacker staging grounds before weaponization, enabling security teams to block threats weeks or months before an attack launches.
How does the Context Graph reduce manual data gathering?
The Context Graph continuously maps global internet data to identify patterns of attacker behavior. It connects billions of signals across DNS records, certificates, and web content, providing analysts with deterministic technical truth without requiring manual pivots across point tools. In one documented deployment, this translated into a median 117-day detection lead time over traditional SIEM-based approaches.
Why is deterministic data better than probability scores?
Deterministic data gives a clear answer rather than an inferred score. Probability scores generate large volumes of low-confidence alerts, contributing to noise and analyst fatigue. Verified technical context enables organizations to automate defensive actions with confidence, as findings are based on known adversary infrastructure.
Most SOCs are built to respond. This video makes the case for building one that acts first.
Watch the video below to see how Indicators of Future Attack® (IOFA) change the way security teams operate.
IOFA give SOC teams verified signals tied to adversary infrastructure that’s still in staging, before a campaign launches. That’s the difference between reacting to a breach and stopping one.
Download our Preemptive Cyber Defense Blueprint for SOC Teams below to learn more.
Learn how to identify and track Bulletproof Hosting networks, spot key WHOIS red flags, and assess how legal actions disrupt and reshape these illicit ecosystems.
Get a behind-the-scenes look at how APTs selectively use Bulletproof Hosting to bypass takedowns. Silent Push and CyberSec Oy share first-hand findings from mapping this infrastructure.
You will leave this webinar with a clearer understanding of how and why these threat actors actually use Bulletproof Hosting and how to apply a practical workflow for identifying these networks, despite their complexity.
Threat actors have a process, and most security tools are designed to respond to it after the fact. Preemptive cyber defense changes that by identifying adversary infrastructure during the preparation phase, before anything malicious lands.
Before a phishing campaign reaches an inbox, before a command-and-control (C2) server receives its first callback, there is a period of preparation. Infrastructure gets registered and aged. Servers come online, DNS records resolve, and certificates rotate. The attacker’s process is methodical, and because it is methodical, it leaves a trail.
Most security tools are watching the wrong part of that timeline. By the time an Indicator of Compromise (IOC) surfaces in your stack, the attacker has already completed the preparation phase. The infrastructure has been live and operational for weeks. Your tools are doing their job, just after the window to act has already closed.
We built the Silent Push Context Graph for that window.
The Context Graph continuously maps the internet’s DNA, tracking how infrastructure is created, changed, and managed across DNS, WHOIS, certificates, and hosting data every single day. Critically, it analyzes everything, not just known-bad infrastructure. Future threats do not emerge from known-bad sources alone. They grow from what looks ordinary today. Think clean domains on legitimate hosting providers, servers that have not yet received a single malicious instruction, certificates that look identical to thousands of others…
Threat actors deliberately stage their operations inside normal-looking infrastructure because they know most tools are only watching the parts of the internet that have already been flagged. The Context Graph watches everything, because that is the only way to see what is coming.
Three stages of the Silent Push Context Graph; Collect, Build Context and Operationalize.
When management patterns emerge that match the way adversaries build and operate campaigns, the Context Graph turns them into Indicators of Future Attack® (IOFA): verified signals of a staging ground that exists right now, before it has been used against anyone.
Unlike risk scores based on domain age or registration history, IOFAs are grounded in how infrastructure is actively being built and managed, following the same operational tactics, techniques, and procedures (TTPs) that adversaries use every single time. Even when they rotate hosting providers or change subnets, the process stays consistent. The Context Graph knows those processes, which is how it surfaces what is coming before it arrives.
For security teams, this changes the fundamental shape of defense. Instead of catching up to the last campaign, you have lead time on the next one. Instead of remediating what has already happened, you block the staging ground before the campaign ever leaves it.
A Source of Truth Your Security Workflows Can Trust
Security teams are increasingly running automated workflows and AI-assisted triage inside their SIEM and SOAR platforms. The quality of those workflows depends entirely on the quality of the data feeding them. Noisy probability scores and unverified threat feeds produce unreliable automation: false positives that burn analyst time, automated responses that act on the wrong signals, and AI agents that draw flawed conclusions from data without clear provenance.
Our platform was built to be machine-consumable from the ground up. Every signal carries clear data provenance. The APIs are designed explicitly for automated triage. When your security workflows reason from deterministic signals rather than probability guesses, they stop generating noise and start taking actions you can trust. For teams building agentic security workflows, the Context Graph provides the kind of reliable, pre-correlated intelligence that makes safe automation possible.
The Context Graph for AI & Agentic Security
Here is what that looks like in practice for SOC and IR teams.
SOC teams: automated triage and noise suppression. Automated workflows can consume the Context Graph directly into SIEM or SOAR platforms to automatically validate, enrich, and act on alerts. The Threat Check API provides an instant, deterministic true or false answer on any indicator, eliminating manual cross-referencing entirely. Instead of analysts spending hours pivoting between tools to verify a single alert, the enrichment happens automatically and only verified threats reach the queue. Mean time to detect and mean time to triage both drop significantly.
IR teams: instant scoping and complete eradication. During an active incident, automated systems leveraging the Context Graph can take a single IOC and immediately pivot to map the adversary’s entire infrastructure footprint. Connected DNS history, certificate chains, and IP clusters surface in seconds rather than hours. IR teams can generate comprehensive blocklists that cover the full scope of the adversary’s operation, not just the entry point they found first, which is what prevents the same attacker from returning through infrastructure you missed.
Blocking pre-weaponized threats automatically. Because the Context Graph operates upstream in the attack lifecycle, automated workflows can operationalize IOFAs to neutralize staging infrastructure before an attack ever launches. Instead of automating the response to threats that have already reached your perimeter, you automate the prevention of threats that have not arrived yet.
The distinction matters. If your security automation is focused solely on clearing alert queues faster, you are still playing the attacker’s game, just at greater speed. Embedding the Context Graph into your workflows moves your automation to a point in the timeline where the adversary still has options you can take away.
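The three workflows above (deterministic indicator lookup, pivoting from one IOC to related infrastructure, and turning the result into a blocklist) can be sketched in a few dozen lines. The block below is an added example and is not Silent Push code; it does not use the Threat Check API or the Context Graph, and the feed format, cluster field, log format and helper names are assumptions. The feed is constructed in a simplified STIX-like shape; the only value taken from this page is the C2 address 91.107.247.163, while the second IP (from the RFC 5737 documentation range) and the .invalid domain are placeholders standing in for related infrastructure.

```python
"""Consume a constructed indicator feed, answer true/false on indicators,
enrich constructed log lines, and emit a blocklist covering the related
cluster. Added example, not vendor code; names and formats are assumptions."""
import json
import re
from typing import Dict, List, Set

# Constructed feed. 91.107.247.163 is the C2 named on this page; the other two
# indicators are placeholders (documentation IP range, .invalid TLD).
FEED_JSON = """
{
  "type": "bundle",
  "objects": [
    {"type": "indicator", "pattern": "[ipv4-addr:value = '91.107.247.163']",
     "labels": ["cobalt-strike-c2"], "x_cluster": "cluster-A"},
    {"type": "indicator", "pattern": "[domain-name:value = 'example-c2.invalid']",
     "labels": ["cobalt-strike-c2"], "x_cluster": "cluster-A"},
    {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.7']",
     "labels": ["cobalt-strike-c2"], "x_cluster": "cluster-A"}
  ]
}
"""

# Matches the single-comparison STIX patterns used in the constructed feed.
PATTERN_RE = re.compile(r"\[(ipv4-addr|domain-name):value = '([^']+)'\]")

# Constructed log lines: a firewall connection, a DNS query, and benign traffic.
SAMPLE_LOGS = [
    "2026-02-09T10:11:12Z fw action=allow src=10.0.0.5 dst=91.107.247.163 dport=443",
    "2026-02-09T10:11:13Z dns client=10.0.0.5 query=example-c2.invalid rcode=NOERROR",
    "2026-02-09T10:11:14Z fw action=allow src=10.0.0.6 dst=8.8.8.8 dport=53",
]

# Pulls the destination IP or queried name out of the constructed log format.
LOG_RE = re.compile(r"\b(?:dst|query)=(\S+)")


def load_feed(feed_json: str) -> Dict[str, dict]:
    """Parse the feed into {indicator_value: metadata}; unknown patterns are skipped."""
    indicators: Dict[str, dict] = {}
    for obj in json.loads(feed_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.fullmatch(obj["pattern"])
        if match is None:
            continue
        kind, value = match.groups()
        indicators[value.lower()] = {
            "kind": kind,
            "labels": obj.get("labels", []),
            "cluster": obj.get("x_cluster"),
        }
    return indicators


def threat_check(indicators: Dict[str, dict], value: str) -> bool:
    """Deterministic verdict: True only when the exact indicator is in the feed."""
    return value.strip().lower() in indicators


def related_infrastructure(indicators: Dict[str, dict], value: str) -> Set[str]:
    """Pivot from one hit to every indicator sharing its cluster (a stand-in for
    the DNS/certificate/IP graph pivot described in the text)."""
    hit = indicators.get(value.strip().lower())
    if hit is None:
        return set()
    return {v for v, meta in indicators.items() if meta["cluster"] == hit["cluster"]}


def enrich_logs(indicators: Dict[str, dict], lines: List[str]) -> List[dict]:
    """Attach a verdict and labels to each log line that names a checkable value."""
    results = []
    for line in lines:
        match = LOG_RE.search(line)
        if match is None:
            continue
        candidate = match.group(1)
        verdict = threat_check(indicators, candidate)
        labels = indicators[candidate.lower()]["labels"] if verdict else []
        results.append({"line": line, "indicator": candidate,
                        "verdict": verdict, "labels": labels})
    return results


def build_blocklist(indicators: Dict[str, dict], hits: List[str]) -> List[str]:
    """Expand confirmed hits to their full cluster so the blocklist covers more
    than the entry point that was observed first."""
    block: Set[str] = set()
    for hit in hits:
        block |= related_infrastructure(indicators, hit)
    return sorted(block)


if __name__ == "__main__":
    feed = load_feed(FEED_JSON)
    enriched = enrich_logs(feed, SAMPLE_LOGS)
    for entry in enriched:
        print(entry["verdict"], entry["indicator"], entry["labels"])
    confirmed = [e["indicator"] for e in enriched if e["verdict"]]
    print("blocklist:", build_blocklist(feed, confirmed))
```

Only lines whose destination or query exactly matches a feed entry get a true verdict; the benign DNS resolver traffic is left alone, and the blocklist expands the two confirmed hits to the third cluster member that never appeared in the logs.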
How the Context Graph Fits Into Your Security Stack
The Context Graph is not a replacement for the tools your team already uses. Historical threat intelligence, internet scanning, noise filtering: these are real capabilities, and they belong in a mature security stack. What none of them covers is the preparation phase, the window between when an adversary starts building their infrastructure and when it goes active.
Preemptive cyber defense does not replace legacy security. It fills the gap that legacy security was never designed to cover.
The Context Graph integrates directly into existing SIEM, SOAR, and TIP workflows via a fully API-first architecture, feeding verified indicators into the platforms your team already works in. Your analysts spend less time pivoting between systems and more time acting on intelligence that has already been correlated and verified.
Get Started
Interested in seeing the Context Graph in action? Talk to one of our platform experts about how Silent Push can help your team neutralize threats before they reach your perimeter.
Such recognition of innovation alongside some of the most groundbreaking organizations is a welcome accolade for the Silent Push team’s commitment to preemptive cyber defense, and it encourages the team to stay the course in defining this new security technology.
Silent Push Co-Founder and CEO Ken Bagnall acknowledged both the Silent Push team and its users:
“Huge congratulations to our incredible team, whose dedication to preemptive defense makes this possible. We’d also like to thank our customers for their continued trust and partnership.”
The Fast Company article points out that protecting data was difficult enough when (malicious) hackers were human. Now, generative AI further tilts the playing field, emboldening attackers to continually evolve to evade defenders.
The article continues, stating that some “Companies’ CEOs insist that good cybersecurity is no longer a cost center but a revenue accelerator—helping to make enterprises’ AI systems stronger, instilling trust, and speeding up usage.” It also takes the position that “Weak security weakens the already fragile sense of trust many of us have around AI…Just one gnarly hack or leak by an AI agent could be enough to squash trillion-dollar dreams of adoption.”
Detect Adversary Infrastructure In Staging, Before It Impacts Your Organization
Legacy security solutions cannot keep ahead of threat actors. Silent Push technology builds on the success of traditional defense methods, ultimately evolving the security stacks of modern organizations with solutions that neutralize threats before they compromise networks.
Silent Push is continually improving modern threat defense, helping organizations stay ahead of threats with our Indicators of Future Attack® and innovative solutions such as Traffic Origin.
Traffic Origin
Trust is a liability in an era where it only costs a few dollars to rent domestic identities and clean residential IPs. Accurate compliance requires more than simply checking a passport; it requires verifying how connections behave on both physical and technical levels. Without the ability to identify upstream points of origin, defensive readiness remains reactive and incomplete, leaving organizations at risk of missing critical windows to block professional fraudsters and “invisible insiders” before they slip past existing security measures.
Silent Push Traffic Origin unmasks deceptive network paths that operatives use to hide their true location. We help you spot the residential proxies and suspicious connection patterns that state-sponsored groups use to bypass traditional geofencing and let you flag high-risk infrastructure and individuals before an attack occurs.
We use a proprietary global observation network to analyze traffic signals, enabling the platform to identify the countries associated with an IP address. This reveals the true physical origin of web traffic, not just where a proxy server sits.
By providing the visibility needed to ensure your KYC (Know Your Customer), AML (Anti-Money Laundering), and fraud workflows are grounded in technical truth rather than digital deception, Traffic Origin can help protect your organization.
Traffic Origin complements our proprietary residential proxy data, which identifies tens of millions of residential proxy IPs and their service providers. Together, these two solutions can help customers differentiate between innocuous residential IPs and those rented for global criminal use.
Exciting Developments on the Horizon
Working to shape a safer today and tomorrow, we recently updated the Silent Push platform with new search capabilities and a “What’s New” section that shows the latest enhancements at a glance.
In the coming weeks, we will be sharing new developments on our unique AI-powered technology and how it provides deterministic certainty in place of typical cybersecurity guesswork.
Book a Demo – Sign Up for Community Edition
Interested in learning more about Silent Push preemptive cyber defense technology?
Start a conversation with one of our platform experts to see how our solutions can protect you and your organization by neutralizing threats before an attack is fully launched.
We also offer a free subscription to our Community Edition, which gives cyber defenders and researchers introductory access to the Silent Push platform and datasets.