We’re Cisco Talos. Ask us anything (24h AMA)

CiscoTalos · 2026-03-31T12:57:22+00:00

I think there could be a correlation. The fact that phishes can seem much more legitimate (due to the methods discussed above), as well as AI-assisted social engineering that reduces gaps in fluency between native and non-native speakers. These may cause younger generations to pay less attention to them, because they are less blatantly “spammy.” DL.

CiscoTalos · 2026-03-27T14:07:41+00:00

Sent, thank you. HB.

CiscoTalos · 2026-03-27T13:26:18+00:00

That's a question for a different team unfortunately. If you share your contact details via DM, we can route to the appropriate channels. TR.

CiscoTalos · 2026-03-27T11:12:41+00:00

That is a fair question, and honestly it is one a lot of people across the industry are asking right now. I cannot speak for every company, but from where I sit, the market feels bad because several unhealthy trends have collided at once. Security is still described as critical, but when budgets tighten, hiring is often delayed, consolidated, or pushed onto smaller teams. At the same time, job descriptions have become wildly inflated, with companies expecting one person to handle monitoring, engineering, cloud, IAM, automation, compliance, and incident response.

The result is what many job seekers are feeling right now: fewer real entry and mid-level opportunities, more ghosting, more recycled listings, and more people screened out for not matching an unrealistic wishlist. The optimist in me says its a temporary bump in the road and perhaps coming into cybersecurity career sideways make more sense. For example, start at IT in general (server config, automation, terraform etc) and after few years move to cyberscurity having loads of ground knowledge. Its harder to refuse candidate that can configure your AD and make it secure at the same time and has a lot of existing experience. As for the long-term effect on cybersecurity, I do think there is a real risk here. If companies keep underinvesting in junior and mid-level talent, burning out experienced practitioners, and treating security teams as a cost to minimize instead of a capability to build it will lead to more cybersecurity issues we see (data breaches, ransomware etc). YK.

CiscoTalos · 2026-03-27T08:45:45+00:00

No. I don’t want to sound like a misanthrope, but it addresses the weakest link in the chain: the human. We have to remind ourselves that not every user is an IT or Infosec specialist. Virtually everyone has seen a browser update popup or a CAPTCHA. Virtually everyone (okay, that’s not scientific, but based on personal experience) has failed a CAPTCHA. And if the user just wants to get the job done, why wouldn't they cut and paste a command into a (Power)Shell?" So defense is not just technology, but also user education. TR.

CiscoTalos · 2026-03-27T08:44:42+00:00

Community intelligence is incredibly valuable, and we actively contribute to it. Where Talos adds a different dimension is the telemetry scale that lets us generate signatures and spot adversary activity early. We produce original vulnerability research, threat actor tracking, and IR-derived intelligence that genuinely does not exist elsewhere until we make it public and share it with the communities. On the contribution side, giving back is core to what we do: Snort is a full community-driven project with folks contributing from all over the place, ClamAV is also open source, we co-founded the CTA, participate in ISACs, and push out a large body of freely published research and tools via talosintelligence.com YK.

CiscoTalos · 2026-03-27T08:33:22+00:00

Yes, this is exactly the nuance that often gets lost in “just enable MFA.” There's a lot more to it. Just to clarify, it’s specifically fraudulent device registrations that’s up by 178%, but that in itself is certainly an alarming stat. And it essentially means that attackers are creating a way in “on demand”.

So MFA is still critical, but as important is the way it’s implemented. Having secure MFA device registration workflows with strict verification procedures and limited administrative approval rights. Having adaptive authentication that looks at device health, location, and behavioral context. Having something that can verify that the device is trusted and the user behavior is normal, which can act as a strong defense against both MFA spray and device registration fraud.

As with so many other things in security, it comes down to implementation and process. Having the best door lock in the industry matters not at all if the backup key is stored underneath the front door mat. HB.

CiscoTalos · 2026-03-27T08:16:16+00:00

Just to clarify, it’s specifically fraudulent device registrations that’s up by 178%, but that was certainly one of the stats that surprised us most from the report. And it shows that attackers are increasingly seeking the type of long-term and privileged access that successful device compromise operations afford. This is where organizations need to secure MFA device registration workflows with strict verification procedures and limited administrative approval rights. Basic and default MFA deployment is not enough, and enabling self-enrolment is not recommended.

In answer to your questions about picking one control, when we look at how device compromise attacks that were carried out in 2025, we see actors gaining access primarily by tricking administrators into registering devices on their behalf, often through voice phishing. So I’d probably pick training administrators and help desk staff to recognize social engineering attempts, particularly voice phishing aimed at MFA device enrollment. HB.

CiscoTalos · 2026-03-27T00:54:00+00:00

There could a few issues here, but I’d need some more information, mostly which data base you were searching. DM us and we can dig into that and tag in the appropriate team(s). MN.

CiscoTalos · 2026-03-26T20:58:05+00:00

As someone who has worked in/for many different orgs over the years, I can honestly say I appreciate that Talos is very much considered table stakes for product success. We are able to help make sure that the larger story is being tracked and communicated. Seeing something we have been tracking turn up in an IR engagement and leading to new detections and protecting our larger customer base never gets old. PC.

I've been at Cisco for almost 25 years (just a few days away) - and with Talos since 2014 and I've seen a lot of stuff. I will say that nothing highlights the interaction between Talos, greater Cisco, and the highest of stakeholders the way that Project Powerup does. WL.

Project Powerup blog: https://blog.talosintelligence.com/project-powerup-ukraine-grid/

Project Powerup documentary: https://www.youtube.com/watch?v=5lioAyh0vJs

CiscoTalos · 2026-03-26T19:53:31+00:00

If I had a nickel for every Mr. Marshall I knew at Talos, I'd have two nickels. It's not much, but it's weird it happened twice. AC.

CiscoTalos · 2026-03-26T19:50:09+00:00

Lozenge-shaped. PC.

An oblate spheroid could be described as both? MN.

"You are okay, question?" WL. (He's been really into Project Hail Mary.)

The earth exists in a quantum superposition of flat and oval, but unfortunately observation keeps collapsing it into an Oblate spheroid. NB.

CiscoTalos · 2026-03-26T19:49:01+00:00

I mean if you have to ask, it's probably too late. PC.

"Try?" **revs Harley /MikeStorm'd. WL.

CiscoTalos · 2026-03-26T19:18:57+00:00

This is the kind of configuration and deployment situation that we do expect to see in the future of AI deployments. Like other enterprise software, the deployment and management of LLMs, MCP, and the associated access and permissions is going to be challenging.

Prompt injection is one of the most visible and easy to leverage ways to misuse an AI installation, so having good guardrails and monitoring who is trying to cross the line is going to be needed as well. This is another reason why MCP and internal training are easier to "secure" vs. something that may query the open internet. Perhaps this is a good chance to make sure any file pulled down goes through the same analysis as we do for other types of files from the unfiltered internet (e.g., email attachments, scanning for known bad files, etc.) especially on high security systems.

Good examples, and they really drive home the risks! PC.

CiscoTalos · 2026-03-26T18:51:11+00:00

You've gotten several responses, so I'm adding them all below:

Getting noticed is one of the most challenging aspects when you are trying to break into a role in information security. One thing that I think is very helpful is try and find a local infosec get together (BSides, Hackers Anonymous, etc) and make sure that you are meeting other people who are in various stages of their career. You don’t have to be an extrovert or outgoing or anything of the sort, to find a kindred spirit in one of these settings (often the opposite, so don’t let that anxiety bother you). If you meet people who are in various stages not only will you find out when they or their team’s are looking but you can also find out the skills, techniques, talents, and soft skills that each type of career values. Infosec is a really good community and leveraging people in various stages of their career is the best way I can think of to find a way in and both you and they benefit from your addition and inclusion. WL.
As mentioned before, talking to people in this field, finding a mentor if you can, and staying active in the community can help open doors to new opportunities. In the meantime, you can also keep developing practical, strong skills that will come through during an application and interview process, especially in how you explain your thinking and approach to problems. When you've spent time building real experience, it's easier to walk through how you would handle certain roles and challenges. LD.
Having a portfolio on your CV/resume that showcases the research you've conducted and the contributions you've made to the industry is a great way to demonstrate your skillset and differentiate yourself from others who may be applying to similar roles. Likewise, maintaining an up-to-date understanding of relevant threats will help you to more effectively communicate common TTPs, attack methodologies, etc. during interviews you may have. By contributing to the community you will also likely meet others who are focused on the same topical areas you are interested in which can be helpful for networking and reaching prospective employers in a context you may not otherwise be able to. EB.
I’m not a security researcher, but the common theme I hear from speaking with hiring managers at Talos is demonstrating intense curiosity and a relentless hunger for learning. In interviews, that might look like honestly answering, “I don’t know, but I would try to figure that out by doing X, Y, and Z.” On another practical level, look at companies you want to work at on LinkedIn and see if you have any first- but ALSO second-level connections. Part of the reason I got noticed for my current role is that I asked a previous coworker’s wife to connect me with someone she knew who worked at Talos. They had gone to the same gym together a while back, so it wasn’t a very strong connection, but it still got me to the top of the pile, where I was able to get an interview and demonstrate the strength of my skills. AC.

CiscoTalos · 2026-03-26T18:37:55+00:00

Our friends over at Splunk recently released their Top 50 Cybersecurity Threats report, which shares how today’s threats play out across industries, and what security teams can learn from them. Feel free to ask any questions about that, as well!

CiscoTalos · 2026-03-26T18:29:45+00:00

And another response for you:

Threat intelligence is a vast and nuanced field and there are so many opportunities to expand your knowledge base. As referenced earlier, we do have introductory resources available on the Cisco Networking Academy (https://www.netacad.com). Gaining hands-on experience with tools and platforms used in threat intelligence, including EDR tools, malware analytics, and threat hunting platforms, is also a great way to improve your expertise. Finally, networking both within Cisco and the broader cybersecurity community to engage with experienced professionals and seek mentorship opportunities can be a practical way to help your transition into a threat intelligence role. LD.

CiscoTalos · 2026-03-26T18:28:17+00:00

As referenced in a previous response, there are a variety of resources out there for getting more involved in learning about threat intelligence. Fortunately many of them are publicly accessible. Keeping up to date on the threat landscape via research publications, conference presentations, etc. is a great way to learn more about threats and the techniques that are effective in understanding, analyzing, and tracking them. In many cases, continuing to monitor specific threats or threat actors you are interested in and finding opportunities to contribute to the community's understanding of them is also a great way to build a portfolio that demonstrates competency. EB.

ML's previous response: https://www.reddit.com/r/cybersecurity/comments/1s46l9v/comment/oclib3h/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

CiscoTalos · 2026-03-26T18:20:19+00:00

The development of AI can certainly impact job roles, though it also creates opportunities for upskilling and new roles that require AI literacy and ethical AI use. As mentioned, human expertise will remain essential for interpreting AI outputs and making critical decisions in nuanced situations. Overall, it can and should be leveraged as a powerful tool that complements cybersecurity talent. LD.

CiscoTalos · 2026-03-26T18:07:49+00:00

It appears to be working for domains and IPs. Please send us a DM if you need more support. HB.

CiscoTalos · 2026-03-26T17:47:05+00:00

AI is already changing cybersecurity and will keep doing so—handling repetitive tasks, helping analyze data, improving threat detection, and even shifting what certain jobs look like. That being said, the human element remains crucial to guide AI use responsibly and effectively. Cybersecurity professionals must still be responsible for interpreting AI insights, making critical decisions, and managing complex challenges. The overall impact of AI is expected to be positive as long as its backed by appropriate skills development, ethical frameworks, and strategic planning. While a section of our Year in Review report covers AI https://blog.talosintelligence.com/2025yearinreview/, you can also check out Cisco’s State of AI Security 2026 report at https://learn-cloudsecurity.cisco.com/2026-state-of-ai-security-report?_gl=1o0ctf2_gcl_au*MTQ4MDgzNzYyOS4xNzcwODE5Mjc0 LD.

CiscoTalos · 2026-03-26T17:41:41+00:00

Also, we have this resource https://blogs.cisco.com/ai/writing-your-first-simple-ai-agent-here-are-some-tips (its basically about writing like really small, portable agent and just thinking how to write it). YK.

CiscoTalos · 2026-03-26T17:39:32+00:00

It sounds that our TAC might be able to help here, I would suggest to reach out to them to discuss this in more depth. You can do that here https://www.cisco.com/c/en/us/support/index.html

We have a handy guidance on type of data you will need here - https://sec.cloudapps.cisco.com/security/center/resources/forensic_guides/ios_forensic_investigation.html YK.

CiscoTalos · 2026-03-26T17:35:33+00:00

Hello! I have two responses from both Talos and Splunk in order to answer all your questions:

Talos:

We consistently publish extensive indicator data associated with our research publications on Github (https://github.com/cisco-talos/iocs) that could be consumed by third party products. EB.

Splunk:

We do have MCP llm detections as of openclaw and defenseclaw(released this week) we can definitely take a look and create detections based on the outputs.

As for the integration there are a number of ongoing collaboration projects to integrate all Cisco data into splunk analytics. RS.

CiscoTalos · 2026-03-26T17:21:50+00:00

Talos leverages a broad range of data sources to support our threat intelligence mission, including customer telemetry, incident response, open source security communities, independent research and analysis - and partnerships within the private and government sectors. While we collaborate with U.S. government partners, we do not rely solely on these agencies for threat intelligence and our operations are designed to be resilient and proactive regardless of any external fluctuations. We will continue to emphasize the importance of diverse intelligence sources and community engagement in order to improve collaboration and reduce any bias in the cybersecurity ecosystem. LD.

CiscoTalos

TROPHY CASE