// SND — Intelligence & Analysis

FIELD NOTES

Observations from the network edge. Threat analysis, supply chain intelligence, and operational security research from the DIB perimeter.

All the Way Down: Chinese Five-Layer Attack Infrastructure and the CMMC Gap
How the People's Liberation Army Strategic Support Force operationalizes supply chain compromise against the Defense Industrial Base — and why compliance alone is not defense.

The small defense contractor manufacturing precision components in a converted warehouse outside Raleigh has one thing in common with Lockheed Martin: they both touch controlled unclassified information that the People's Republic of China wants. The difference is that Lockheed has a security operations center. The small manufacturer has a firewall they haven't logged into since 2019.

This is the gap that Chinese cyber operations have systematically exploited for two decades. Not through novel zero-days or sophisticated malware — through patience, persistence, and the reliable availability of soft targets in the defense supply chain. CMMC Level 2 is a necessary response to this reality. It is not a sufficient one.

This analysis maps China's five-layer attack infrastructure against the CMMC control framework, identifies the specific gaps that compliance does not close, and argues that detection capability — not just hardening — is the missing piece for small DIB manufacturers operating without dedicated security staff.

Threat Intel
TeamPCP and the Trivy Supply Chain Cascade: What the DIB Should Know
A credential theft campaign that began with a misconfigured GitHub Actions workflow trigger and incomplete incident response metastasized across five software ecosystems in five days — compromising Trivy, Checkmarx KICS, and LiteLLM. The attack harvested 300GB of compressed credentials and is actively being weaponized. The mechanism — pull_request_target workflow exposure, PAT theft, mutable Git tag poisoning — is a textbook example of why CI/CD pipeline hygiene matters even for organizations that don't write code. If your vendors do, you're downstream of their risk.
MAR 25, 2026
Observation
HorizonCheck: DNS Assessment as a First-Pass DIB Risk Signal
A contractor's external DNS posture reveals more about their internal security maturity than almost any other passive indicator. SPF misconfiguration, missing DMARC enforcement, and stale PTR records are not just email hygiene issues — they are signals of how seriously an organization treats its perimeter. Notes on the HorizonCheck tooling and what it finds in practice.
SOON
Research
Deception Infrastructure for Small Networks: Canary Tokens, Honey Credentials, and the Asymmetric Advantage
The economics of deception favor the defender at small scale. A single well-placed honey credential costs nothing and teaches everything. As AI-driven attack tooling becomes more aggressive and less discriminating, deception infrastructure becomes proportionally more effective — automated attackers enumerate everything, which means they reliably touch the bait. Notes toward a practical deception layer for DIB environments.
SOON
Analysis
ShieldGate: The Case for a TIC/EINSTEIN Architecture Extended to Defense Contractors
The federal government protects its own network perimeter with Trusted Internet Connections and the EINSTEIN detection system. Defense contractors handling the same controlled information operate with no equivalent. This paper proposes a DIB egress gateway architecture that brings TIC-style visibility to the supply chain — and argues that CMMC Phase 2 enforcement creates the market conditions to make it viable.
SOON