Tidal Cyber Blog

Akira Ransomware: A Case Study in Threat-Led Defense

Written by Scott Small | Aug 6, 2025 2:03:53 PM

In early August, incident responders from Arctic Wolf, Huntress, and other vendors announced they had observed suspected vulnerability exploitation attacks linked to Akira, a prominent ransomware operation active since early 2023. The fast-paced attacks, which affected networks with certain SonicWall perimeter security devices, put Akira actors back in the headlines after many months outside the security community’s spotlight.

Organizations not using the SonicWall devices might be quick to dismiss these reports; however, just days after their release, other researchers published details of Akira ransomware attacks they observed during the same timeframe (July 2025), which featured a distinct entry vector (“drive-by” compromise). The incidents serve as timely reminders about several themes that security teams should consider as they start or mature their threat-led defense efforts.


Timely TTP Intelligence Provides Early Warning 

Although Akira wasn’t grabbing headlines in the months before these incidents, Tidal Cyber continued to observe the group claiming significant numbers of attacks. Our Adversary Intelligence team maintains a regularly updated “Trending & Emerging Ransomware” Threat Profile, available for all Enterprise Edition users, and extortion claims heavily inform this Profile’s contents (serving as a loose proxy for possible attack volumes). Akira remained in this Threat Profile every month this year except one. This means that teams using the Profile in their Coverage Maps were able to continuously track their coverage against this group’s behaviors ahead of the most recent campaigns, even if they weren’t closely monitoring ransomware activity levels themselves. 

Synthesize Adversary Behavior Intelligence 

The Tidal Cyber Threat-Led Platform empowers users to move at the speed of threat intelligence. In Akira’s case, Tidal Cyber first published CTI content around this threat in August 2023. As is often the case, this content appeared well before other trusted sources of behavioral intelligence – for example, nine months before MITRE ATT&CK®’s version of the Akira objects and a separate U.S. government advisory on the group. Importantly, as we always do, after the ATT&CK v15 release we layered our intelligence back over top of their “gold standard” versions of the objects, giving users a multi-sourced but clear, synthesized view of this threat. (Reminder: we encourage teams to also layer intelligence from a myriad of commercial and/or internal feeds and sources via our CTI integrations.) Tidal Cyber has continued to release updates to these “extended” Akira objects; for example, this week we added two new Campaigns, 13 Software, and numerous new Technique relationships to the Akira Group object.


Defense-in-Depth Against Exploit Threats 

As the pace of vulnerability disclosures increases, and attackers move faster to leverage even unreported (“zero-day”) weaknesses, remember that a security strategy focused on adversary behaviors enables defense-in-depth against exploit-based attacks. (Users of the Tidal Cyber Enterprise Edition can find multiple playbooks around this use case on our Support site.) Awareness of defensive coverage against key post-exploit behaviors allows teams to break out of the endless, resource-draining cycle caused by over-focus on patch management. Our fresh Akira content published this week (thanks in large part to community intelligence sharing around the campaigns) was available in our knowledge base before a CVE was even assigned to the reported SonicWall exploit activities. This underscores how a timely TTP intelligence capability can move teams’ coverage assessment efforts closer to the time of actual exploitation.
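The coverage-tracking idea from the two sections above (a threat profile of ransomware groups and their techniques, scored against what the defender can actually detect, with the initial-access techniques set aside to measure post-exploit depth) can be illustrated with a small script. This is an added example, not Tidal Cyber's code or data model: the ATT&CK technique IDs are real, but apart from Akira's two entry vectors named on this page (perimeter-device exploitation and drive-by compromise) the technique-to-group mapping, the second group, and the detection inventory are constructed sample data.

```python
"""Score a ransomware threat profile against a detection inventory.

Added illustration; not Tidal Cyber's implementation. Technique IDs are real
ATT&CK identifiers, but the group-to-technique rows and the detection names
are CONSTRUCTED for this example and are not a statement of Akira's actual or
complete TTPs.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tid: str     # ATT&CK technique or sub-technique ID
    name: str
    tactic: str  # tactic the profile files it under


# Constructed "trending ransomware" threat profile: group -> observed techniques.
# Akira's two initial-access rows reflect the page; every other row is illustrative.
THREAT_PROFILE = {
    "Akira": [
        Technique("T1190", "Exploit Public-Facing Application", "initial-access"),
        Technique("T1189", "Drive-by Compromise", "initial-access"),
        Technique("T1078", "Valid Accounts", "persistence"),
        Technique("T1021.001", "Remote Desktop Protocol", "lateral-movement"),
        Technique("T1003.001", "LSASS Memory", "credential-access"),
        Technique("T1567", "Exfiltration Over Web Service", "exfiltration"),
        Technique("T1486", "Data Encrypted for Impact", "impact"),
    ],
    # Constructed placeholder group, present only to show shared-technique weighting.
    "PlaceholderGroup": [
        Technique("T1190", "Exploit Public-Facing Application", "initial-access"),
        Technique("T1078", "Valid Accounts", "persistence"),
        Technique("T1021.001", "Remote Desktop Protocol", "lateral-movement"),
        Technique("T1486", "Data Encrypted for Impact", "impact"),
        Technique("T1490", "Inhibit System Recovery", "impact"),
    ],
}

# Constructed detection inventory: technique ID -> validated detections/controls.
# T1190 is deliberately absent: a zero-day in a perimeter device has no
# signature yet, which is exactly the case where post-exploit coverage matters.
DETECTIONS = {
    "T1078": ["anomalous-logon-geo", "new-admin-account"],
    "T1021.001": ["rdp-lateral-fanout"],
    "T1003.001": ["lsass-handle-access"],
    "T1486": ["mass-file-rename-entropy"],
}


def coverage_for_group(group, profile=THREAT_PROFILE, detections=DETECTIONS):
    """Return (covered_ids, uncovered_ids) for one group's profiled techniques."""
    techniques = profile[group]
    covered = sorted(t.tid for t in techniques if t.tid in detections)
    uncovered = sorted(t.tid for t in techniques if t.tid not in detections)
    return covered, uncovered


def coverage_ratio(group, exclude_tactics=(), profile=THREAT_PROFILE,
                   detections=DETECTIONS):
    """Fraction of a group's techniques with a detection.

    Passing exclude_tactics=("initial-access",) scores only the post-exploit
    chain, i.e. the defense-in-depth that remains when the entry vector is
    an unpatched or unknown vulnerability.
    """
    techniques = [t for t in profile[group] if t.tactic not in exclude_tactics]
    if not techniques:
        return 0.0
    hits = sum(1 for t in techniques if t.tid in detections)
    return hits / len(techniques)


def prioritized_gaps(profile=THREAT_PROFILE, detections=DETECTIONS):
    """Uncovered technique IDs, ranked by how many profiled groups use them."""
    counts = Counter(t.tid for techs in profile.values() for t in techs)
    gaps = {t.tid for techs in profile.values() for t in techs
            if t.tid not in detections}
    return sorted(gaps, key=lambda tid: (-counts[tid], tid))


if __name__ == "__main__":
    covered, uncovered = coverage_for_group("Akira")
    print("Akira covered:", covered)
    print("Akira uncovered:", uncovered)
    print("overall coverage: %.2f" % coverage_ratio("Akira"))
    print("post-exploit coverage: %.2f"
          % coverage_ratio("Akira", exclude_tactics=("initial-access",)))
    print("gaps to close first:", prioritized_gaps())
```

The two ratios make the page's point concrete: overall coverage of the constructed Akira profile is 4 of 7 techniques, but 4 of the 5 post-exploit techniques are covered, so an unpatched entry vector still lands in monitored territory. Ranking gaps by how many profiled groups share a technique (here the perimeter exploitation technique used by both groups) is the kind of prioritization a coverage map is meant to drive.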


Rapid Time-to-Coverage Assessment, Powered by AI 

Recent Akira campaign reporting was rich with technical details, but these details appeared in unstructured formats scattered throughout vendor blogs. In total, we estimate four of these blogs would take an hour simply to read, to say nothing of the considerable time required to then parse, analyze, and action findings. Processing the reports with Tidal Cyber’s AI capabilities allowed us to rapidly create and release knowledge base objects around the campaigns within a day of their publication (these objects can be immediately leveraged in Tidal Cyber’s Threat Profiles & Coverage Maps). Users can leverage our AI solutions to streamline conversion of their own sources or internal CTI into TTP intelligence for operationalization in Enterprise Edition. 


Precision Defense with Procedural-Level Intelligence 

Reporting on Akira’s latest campaigns yielded new behavioral intelligence related to this threat, letting teams perform rapid coverage assessments around initial access (and post-exploit) Tactics & Techniques. But we and many of our users recognize that a more granular level of intelligence is needed to ensure coverage assessments precisely align with relevant adversary activities.  

Most recently, Tidal Cyber launched an industry-first Procedures Library and associated Enterprise Edition features to enable just that. Users will find an extremely deep well of Procedural-level intelligence around Akira specifically: the group accounts for some of the most Procedure Sightings in our entire knowledge base, and the most outright for a ransomware group. These Procedure objects are rich with technical details and structured relationships to relevant threat objects, behaviors, log sources, and Procedure Clusters, and they allow direct connections to relevant defensive Capabilities. This enables the level of precise detail that analysts and especially detection engineers/threat hunters and red team operators require for Threat-Led Defense operations.  


About Tidal Cyber 

Tidal Cyber is the first true Threat-Led Defense platform built to flip the traditional defensive model by putting real adversary behavior at the center of your defense strategy.  

Threat-led defense moves beyond assumptions, CVE-counting, and checkbox compliance. By mapping techniques, sub-techniques, and procedures to ATT&CK, we reveal exactly where you’re exposed and how attackers actually execute TTPs.  

It’s a level of precision you’ve never had before, empowering your security team to proactively reduce risk and optimize high-impact security investments. 

Threat-led defense is Tidal Cyber’s unique implementation of Threat-Informed Defense, enhanced with procedure-level granularity to make CTI more relevant and actionable.