In 2020, a foreign intelligence service walked through the front doors of the US Treasury, the Department of Homeland Security, and parts of the Department of Defense. They were invited by a software update that every security check confirmed was completely legitimate. Because it was.

The full technical breakdown covers the SUNBURST backdoor architecture — the build pipeline compromise, the 12-14 day sandbox evasion, DNS covert command-and-control, and the selective activation of approximately 100 of 18,000 infected networks. It documents how FireEye’s investigation of its own breach exposed one of the largest intelligence operations in history, the three missing controls and what each would and would not have stopped against a nation-state adversary, and the formal attribution to APT29 and the Russian SVR.

It also covers what changed after — from Executive Order 14028 mandating software bills of materials, to the SEC case against SolarWinds that was dismissed in November 2025.

Zerodaylogs Ep03 Solarwinds Technicalbreakdown

48.7KB ∙ PDF file

Download

Download

Okta processes billions of authentication requests per month for over eighteen thousand organisations. It is the invisible gatekeeper sitting between employees and every system they log into — at governments, banks, and technology companies across the globe. It was breached in 2022. Twenty months later, it was breached again.

The full technical breakdown covers both breaches: the 2022 Lapsus$ contractor compromise and the 2023 HAR file session cookie theft, including the November 29th expanded disclosure revealing the full customer contact list harvest. It documents the three missing controls, the downstream impact on Cloudflare, 1Password, and BeyondTrust, and how a service account credential moved outside every corporate security control through Chrome’s password sync.

It also covers what good vendor accountability looks like — contractual disclosure timelines, independent verification over self-reported questionnaires, and why the vendors trusted most deeply are structurally the highest-risk link in the chain.

Zerodaylogs Ep02 Okta Technicalbreakdown

46.5KB ∙ PDF file

Download

Download

In September 2023, a group of attackers brought MGM Resorts to a standstill. No software vulnerability was exploited. No sophisticated malware was deployed. The public record shows a single phone call to an IT help desk.

The full technical breakdown covers the complete attack timeline, the step-by-step attack chain from LinkedIn reconnaissance through SAML token forgery to ESXi ransomware deployment, the three missing controls that would each have independently broken the chain, and what the post-breach remediation confirms about what was absent.

Written for two audiences: security practitioners who want the precise technical record, and everyone else who wants to understand what this breach means for them personally.

Zerodaylogs Ep01 Mgm Technicalbreakdown

35.2KB ∙ PDF file

Download

Download