Our latest Forecast Card looks at ShinyHunters' SaaS playbook and asks a simple, uncomfortable question: in 2H 2026, do they make more money selling data, access, and tokens than they do collecting ransoms?
The signals point that way. Vishing → Salesforce Connected Apps → Okta/M365 pivots don't just enable extortion — they mint immediately brokerable assets. When big brands keep saying "no," rational actors don't get angrier… they get more liquid.
Defenders who only think "ransom" miss the real shift: the market for access, datasets, and CI/CD secrets is already there. Your detection strategy should reflect that.
If you were running this operation, would you chase payments — or optimize for resale?
Read the forecast and the detection takeaways here →
#AlphaHunt #ThreatIntel #CloudSecurity #IdentitySecurity #Detection