Real breach investigations, written start to finish.

Each report rebuilds the full attack, from how the intruder got in to everything they did next, backed by a complete timeline and MITRE ATT&CK mapping. Investigated by Forge members in our hands-on SOC Simulator, CTF labs, and real phishing samples that hit our inbox.

Path Traversal to Persistence in 100 Minutes: A Meridian Health Systems Patient Portal Compromise

by: Jane UbaPublished on: 12/07/2026

Jane U. traces 100 minutes of an attacker's path through a healthcare patient portal: 18,454 Gobuster requests, LFI via config_viewer.php, and a systemd service named 60.

reports
Path Traversal to Persistence in 100 Minutes: A Meridian Health Systems Patient Portal Compromise

A partner-uber[.]com Impersonation Attempt: What the Headers and Auth Chain Revealed

by: Marcie TolbertPublished on: 12/07/2026

A phishing email received at MYDFIR's business inquiry inbox impersonated Uber via a hyphenated look-alike domain, sent from an IP mapped to a domain-parking service with zero email authentication configured.

reports
A partner-uber[.]com Impersonation Attempt: What the Headers and Auth Chain Revealed

The 2h30m Source Code Heist: Cobalt Strike, fodhelper, and RClone-to-MEGA at EmberForge Studios

by: Saliha TabbassumPublished on: 08/07/2026

How a game studio lost its Neon Shadows source code in 150 minutes: Cobalt Strike ISO stager, fodhelper UAC bypass, and RClone-to-MEGA exfiltration where the attacker leaked their own credentials in plaintext.

reports
The 2h30m Source Code Heist: Cobalt Strike, fodhelper, and RClone-to-MEGA at EmberForge Studios

159,298 Failed Logons Later: An RDP Brute Force That Ended in a Backdoor Account and NLBrute Deployment

by: Abdul KuyatehPublished on: 08/07/2026

159,298 failed logons before an RDP brute force succeeded on KCD-Web. NLBrute and Neshta malware, a persistent backdoor admin named "user," and deliberate registry weakening.

reports
159,298 Failed Logons Later: An RDP Brute Force That Ended in a Backdoor Account and NLBrute Deployment

Want to write reports like these?

Forge members investigate real attacks live in the SOC Simulator, CTF labs, and real phishing samples that land at MYDFIR, then publish their work here. Every report you read is the analyst's own investigation.