LimaCharlie

Security tools and infrastructure on-demand. Use LimaCharlie to automate and manage security operations at scale.
Customization: Customize security to meet your unique needs
Visibility: Unify telemetry and reduce storage costs
Scale: Built for scale from day one
Consolidation: Replace your existing agents and reduce tech debt
Innovation: Cost-effective access to security infrastructure
Visit us: limacharlie.io

Running a SOC or MSSP means managing an ecosystem of products, not a single tool.

Everything has to communicate, feed into a centralized view, and deliver clean telemetry to the customers depending on you.

For Black Hills Information Security, LimaCharlie is the connective layer that makes that possible.

John Strand describes the integration across their stack as a dream, pulling everything into a centralized dashboard and giving their customers the telemetry visibility they need.

Learn more: https://limacharlie.io

Tomorrow, Ken Westin, Senior Solutions Engineer at LimaCharlie, joins Defender Fridays to share his AI story: a deliberate journey that deepened his sense of what the technology is truly capable of.

Join us live: https://info.limacharlie.io/defender-fridays?utm_source=linkedin&utm_medium=organic_social&utm_content=webinar&utm_campaign=defender_fridays&utm_term=&lead_source_detail=mastodon

Treat Claude Code like a junior analyst, not an autonomous agent.

In our second AI SecOps Workshop, Ken Westin demonstrated exactly what that looks like in practice. Attendees used Claude Code to deploy EDR agents to EC2 instances, pull in CloudTrail logs, and push detection rules from our partner Soteria, all from the terminal.

What makes it work is the foundation. LimaCharlie's API-first architecture gives Claude Code full programmatic access to the platform, so it can operate rather than just advise.

Watch the full workshop replay: https://www.youtube.com/watch?v=II_eP8-64eA&t=617s

Case management is easy to overlook.

Maxime Lamothe-Brassard makes the argument that it's the most practical place for AI agents to communicate, surface findings, and interact with human analysts.

In a recent session, he ran a simulated multistage attack with a team of AI agents handling triage end-to-end: batching detections into a single case, mapping the kill chain, and isolating the affected endpoint.

Analysts could tag agents to continue the investigation, and the full case was exported as a shareable PDF.

Case management gives AI a place to communicate what it's doing, report what it finds, and hand off to other agents or human analysts, all in one visible, reviewable location.

Watch the full session: https://limacharlie.io/webinars?wchannelid=fy1wct3rkg&wmediaid=k6ztupnvgg

Analyzing an unknown binary and building detections that hold up against real runtime behavior requires both the right tooling and human judgment at every step.

On Wednesday, May 6th, Chris Botelho, Solutions Engineer at LimaCharlie, is hosting a hands-on malware analysis workshop with Claude Code.

Attendees will extract indicators using the LCRE (LimaCharlie Reverse Engineering) tool, execute the sample in a sandboxed VM, and use what they observe to write and validate detection rules based on actual runtime behavior, not just static indicators.

The session covers a structured approach to analysis that keeps human validation at the core while using AI to accelerate the work.

No Claude Code license required. This session will not be recorded.

Register: https://limacharlie.wistia.com/live/events/i3qmix87mf?utm_campaign=workshop+malware+5+6+2026&utm_source=mastodon&utm_medium=social

Users are connecting AI tools without understanding the security implications.

In this week's Intel Chat, Chris Luft and Matt Bromiley discuss a security breach at Vercel that originated from a compromised third-party AI tool used by one of its employees. The attacker gained control of the employee's Google Workspace account, which provided access to Vercel's internal environment.

Matt addresses the larger concern: developers with privileged accounts are clicking yes on everything, linking tools together and granting permissions without understanding how things chain together. Adversaries, however, understand exactly how to exploit those connections.

The solution goes beyond fixing over-permissioned MCP (Model Context Protocol) integrations. Organizations need user education around the permissions people are granting to AI tools and third-party services, because a single consent grant to a compromised tool can hand over everything the granting account can reach.

The episode also covers North Korea stealing $290M in cryptocurrency from Kelp DAO, DDoS attacks on Mastodon and BlueSky, and three ransomware negotiators sentenced for conspiring with the Black Cat group.

Subscribe to The Cybersecurity Defenders Podcast: https://limacharlie.io/podcast

Advisory AI in the SOC still requires a human to review, approve, and act on every output. The bottleneck shifts upstream, but the constraint on your operations stays the same.

Alert volume keeps climbing. Analyst-to-alert ratios stay broken. Adding a chat interface does not change the math.

AI operator-first means AI agents have the same API access as your analysts: writing and deploying detection rules, triggering response actions, running cross-tenant investigations, and updating cases, all within the same RBAC model that governs your human team.

LimaCharlie was built API-first from the start. Every function in the UI is also available via API, so agents can do the same work analysts do, scoped to exactly the permissions you set.

The new blog covers what that architecture looks like in practice and why most platforms cannot support it.

See the full post: https://limacharlie.io/blog/what-ai-operator-first-soc-looks-like

Malware analysis takes time, and extracting indicators manually before you can write a single detection rule adds to that cost.

On May 6th at 10am PT / 1pm ET, we will be hosting a hands-on workshop covering how Claude Code can accelerate that process without removing human judgment from the analysis.

You'll analyze an unknown binary, extract indicators, and use the LCRE (LimaCharlie Reverse Engineering) tool to identify configuration details, key behaviors, and signals useful for rule building.

Then you'll execute the sample in a sandboxed VM to validate detections against real runtime behavior.

No Claude Code license required. This session will not be recorded.

Save your spot: https://limacharlie.wistia.com/live/events/i3qmix87mf?utm_campaign=workshop+malware+5+6+2026&utm_source=mastodon&utm_medium=social

The early days of U.S. cyber policy were defined by agencies that had no common language and no playbook to follow.

J. Michael Daniel, President and CEO of Cyber Threat Alliance and former White House cybersecurity coordinator, talks through what it actually took to coordinate cyber policy across the federal government, build public-private partnerships that work, and stand up an intelligence sharing organization that serves the entire cybersecurity industry.

The full conversation includes:

> Why public-private partnership in cybersecurity is harder to operationalize than most people assume
> What business leaders consistently get wrong about cyber risk
> How threat intelligence sharing actually works inside the Cyber Threat Alliance
> Why all of the industry's accumulated tech debt may be coming due

Listen to the full episode: https://www.youtube.com/watch?v=I1lF6OEUnvc&t=29s

Tomorrow on Defender Fridays, Katherine McNamara, Cybersecurity Technical Solutions Architect at Cisco, joins us to discuss how AI and ML adoption in enterprise infrastructure has expanded the attack surface for AI-driven systems.

She'll walk through the security challenges unique to generative AI and ML-based architectures, and cover the four critical components organizations need to secure to maintain integrity: Model, Data, Application, and System.

Friday, April 24 at 10:30am PT.

https://info.limacharlie.io/defender-fridays?utm_source=linkedin&utm_medium=organic_social&utm_content=webinar&utm_campaign=defender_fridays&utm_term=&lead_source_detail=mastodon