On-Prem Red Team AI — engineering notes from the front line
Deep dives, comparisons and field reports on autonomous red team AI, generative pentesting, deep-packet traffic intelligence, NIS2/DORA, and how to operate them air-gapped.
- Manufacturing Ransomware, NIS2 Enforcement, Nitrogen Ransomware
Two Manufacturers in Eight Days: NIS2's Evidence Gap Just Got Concrete
West Pharmaceutical disclosed encryption-plus-exfiltration on 2026-05-07; Foxconn confirmed a Nitrogen ransomware breach on 2026-05-12. The post-incident audit question — what controls were active and provable — is no longer hypothetical.
8 min read
- Supply Chain, SLSA Provenance, CI/CD Security
Signed Is Not Safe: When SLSA Provenance Ships Malware
Mini Shai-Hulud pushed npm packages carrying valid SLSA Build Level 3 provenance and Sigstore signatures. Supply-chain trust just broke a layer deeper — and runtime traffic is the last line that still sees it.
8 min read
- Exfiltration-Only Ransomware, Traffic Analysis, Critical Infrastructure
Exfiltration-Only Ransomware: Why Wire-Speed Traffic ML Is Now the Last Line of Defense
Q1 2026 ransomware operators are skipping encryption and going straight to data theft. The new kill chain is silent unless you can spot exfiltration as it happens — at wire speed, on your network, not in tomorrow's SIEM digest.
5 min read
- AI Ransomware, Critical Infrastructure, Generative Pentest
Generative Pentest vs AI Ransomware: A Defense Playbook for the 2026 Threat Landscape
AI-augmented ransomware, state-aligned wipers, and live-fire attacks on European utilities have reshaped what "adequate defense" means in 2026. This is the engineering case for continuous, generative penetration testing — and how to deploy it without giving up data sovereignty.
7 min read
- Red Team AI, Pentest, Operations
AI vs. Human Red Teamer: Where Autonomy Actually Pays
Honest take from a team that builds both AI and human-led red team campaigns. We split the offensive security workflow into eight phases and look at exactly where an AI agent beats a senior pentester, where it doesn't, and where the right answer is hybrid.
5 min read
- NIS2, DORA, Compliance
NIS2, DORA and the End of the Annual Pentest
NIS2 and DORA both push the same uncomfortable idea: security testing must be continuous and evidence-backed. Annual pentests no longer satisfy auditors. We map the regulatory requirements to a continuous AI pentest model and explain what an audit looks like when evidence is generated automatically.
4 min read
- Red Team AI, On-Premise, Architecture
Red Team AI: Why On-Prem Beats Cloud for Enterprise Pentesting
Cloud-hosted AI pentest tools force you to ship your attack surface to a third party. We argue that on-prem AI red teams are the only viable path for regulated industries — and explain the architecture that makes it possible on a single appliance.
4 min read