Incident Analysis
In-depth guides and analysis on incident analysis from the Safeguard engineering team.
137 articles
Change Healthcare Ransomware 2024: Deep Dive
The Change Healthcare ransomware attack knocked US healthcare payments offline for weeks. A missing MFA on a Citrix portal was the root cause United confirmed.
XZ Utils Backdoor: One Year Retrospective
A year after the XZ Utils backdoor was caught by Andres Freund at Microsoft, what did we fix, what did we ignore, and what still gets packaged into Linux distros?
ProxyNotShell Postmortem: What the Exchange CVEs Taught About Patch Triage
ProxyNotShell forced enterprises to triage Exchange Server patching under pressure with confusing vendor guidance. A look back at CVE-2022-41040 and CVE-2022-41082.
Microsoft Midnight Blizzard Source Code Theft 2024
Midnight Blizzard moved from email exfiltration to Microsoft source code repositories. The pivot from stolen OAuth tokens to code access is the supply chain lesson.
Incident Response Playbook for a Compromised Dependency
A concrete, timed playbook for the 72 hours after a critical dependency advisory — inventory, reachability, containment, remediation, and retrospective.
Hugging Face Model Hub Supply Chain Risks in 2025
Pickle deserialization, malicious Spaces, and namespace squatting: what 2024-2025 taught us about the Hugging Face model supply chain.
Two Years of Item 1.05: What the Notable 8-K Filings Tell Us
From UnitedHealth to AT&T to Snowflake's downstream effects, two years of Item 1.05 filings reveal patterns in materiality, vendor incidents, and update cadence.
Heroku OAuth Token Leak Postmortem and Lessons
A retrospective on the Heroku OAuth token incident, what the public timeline revealed about supply chain trust assumptions, and the durable lessons for platform teams.
UA-Parser-JS October 2021: A Deep Dive on the Attack
The ua-parser-js compromise of October 2021 paired credential theft with cryptominer and password stealer payloads. A close look at what happened and why.
How to set up centralized logging with the ELK stack
A hands-on guide to setting up ELK stack centralized logging: installing Elasticsearch, Logstash, and Kibana, shipping logs with Beats, and building SIEM-style alerts.
debug/chalk npm Compromise Sept 2025: Deep Dive
A phishing campaign against a prolific npm maintainer poisoned chalk, debug, and several other packages with a Web3 hijacker. Here is the full breakdown.
How to build a disaster recovery and backup strategy
A step-by-step guide to building a disaster recovery backup strategy: RTO/RPO planning, backup architecture, automation, a DR plan checklist, and testing.