
Trusted Cybersecurity AI Solutions

Building a secure and resilient future for all society.
Operate at trusted machine speed. Speaks the Language of Security

Meet your personal AI cyber security expert -

Powered by an extensive knowledge base covering all facets of cyber security, serves as an invaluable advisor to augment your team’s capabilities. draws upon vetted, referenceable open-source data spanning security disciplines, multiple industry frameworks, adversary tactics, intelligence, policy, regulations, governance approaches and more.

With authoritative insights on the latest threats, security innovations, resilience strategies and industry best practices, delivers trusted, consistent and actionable recommendations tailored to your requirements.

Stay ahead of emerging risks, make informed decisions faster and proactively strengthen defenses with’s AI-powered security recommendations.


Blackwire Labs Elevates Trust in AI-Powered Cybersecurity with the Cybersecurity Community of Excellence (CCOE)

  • Professional group with a mission to increase trust in AI-powered cybersecurity

  • Validates & provides training materials, builds expert prompts and ensures quality

  • Community-driven, drawing inspiration from projects like Github and OpsTrust


Find out how we help companies in various industries.

User Request

Hi Blackwire, I am the CIO of a small defense contractor who is required to comply with the CMMC (Cybersecurity Maturity Model Certification) 2.0 standards, and I need to understand which levels I will be required to meet and what the compliance timeline looks like for my company. We sell a SAAS application to non-defense government agencies which does not store PII.

Please format the response with references and in an action item format so my teams can start to prioritize efforts.

Solution
Executive Summary

Understanding the requirements of the Cybersecurity Maturity Model Certification (CMMC) 2.0 and aligning your company’s cybersecurity practices accordingly is a critical step towards ensuring the protection of sensitive information and maintaining eligibility for Department of Defense (DoD) contracts.

As a small defense contractor selling a SAAS application to non-defense government agencies without storing PII, you will likely fall under CMMC Level 1, which requires basic safeguarding of Federal Contract Information (FCI) [1, 7].

Here’s an action item format to guide your compliance efforts:
  1. Assess Current Cybersecurity Posture: Review your existing cybersecurity measures against the CMMC Level 1 requirements, which are based on National Institute of Standards and Technology (NIST) SP 800-171 Rev 2 [1, 5].
  2. Identify Gaps and Prioritize Remediation: Determine where your cybersecurity practices fall short of CMMC Level 1 standards and prioritize actions to remediate these gaps, potentially tracked in a Plan of Action and Milestones (POA&M) [6].
  3. Implement Required Controls: Ensure that basic cybersecurity controls are in place per NIST guidelines, including but not limited to access control, identification and authentication, and information protection [1].
  4. Prepare for Self-Assessment: As CMMC 2.0 allows self-assessment at Level 1, prepare your internal team or hire a consultant to conduct a thorough self-assessment [1, 6].
  5. Document Compliance: Maintain comprehensive documentation of your cybersecurity practices and self-assessment results to demonstrate compliance with CMMC Level 1 [1, 6].
  6. Monitor Compliance Timeline: Stay informed on the phased implementation timeline of CMMC 2.0, which will introduce requirements over a three-year period, and monitor for any updates that may affect your company [1, 2].
  7. Engage with CMMC Resources: Utilize resources provided by the DoD, such as training and guidance on achieving CMMC compliance, to support your efforts [10].
  8. Submit Affirmations: When required, submit affirmations of compliance in the Supplier Performance Risk System (SPRS) as part of the contract award process [10].
  9. Stay Informed on Evolving Requirements: Keep abreast of changes to NIST SP 800-171 Rev 2 and NIST SP 800-172, as CMMC requirements will evolve alongside these standards [3, 8].
  10. Plan for Future Assessments: Although Level 1 currently allows self-assessment, be prepared for the possibility of third-party assessments in the future, as the CMMC framework may adapt and introduce new requirements or assessment procedures [3, 8].

It’s imperative to integrate these action items into your company’s strategic planning to ensure a smooth transition to CMMC compliance. Your proactive approach will not only safeguard your eligibility for DoD contracts but also enhance your overall cybersecurity posture.

Reflecting on the specific nature of your SAAS application and its clientele, what are the specific challenges you anticipate in aligning your company’s cybersecurity practices with the CMMC 2.0 standards? Addressing these challenges early will be key to a successful compliance journey.

CCOE Certified Sources

DoD: 2023 – Cybersecurity Maturity Model

In accordance with the implementation plan described in 32 CFR 170.3(e), CMMC compliance certification requirements will apply to solicitations and contracts when the contractor or a subcontractor at any tier may have FCI residing in or transiting through its information system(s)… … the loss of intellectual property and assets, and thwart access to sensitive or unclassified information by the nation’s adversaries.

User Request

I’m an incident responder working at a community bank. We just experienced a ransomware attack attributed to the threat group Scattered Spider.

Please provide me with any intelligence on this threat group, signatures I can deploy to investigate this threat and any remediation recommendations.

Please deliver in a format which can be easily displayed on a website or report.

Solution

Executive Summary
  • Scattered Spider is a sophisticated threat group engaging in ransomware attacks and data extortion, known for targeting the commercial facilities sectors and subsectors [9].
  • The group uses a variety of social engineering techniques to infiltrate networks, including impersonation of IT staff and exploitation of vulnerabilities in systems like ForgeRock OpenAM [1, 10].

Threat Actor Profile: Scattered Spider
  • Initial Access & Credential Theft: Utilizes phishing, smishing, and voice phishing to gain network access [3, 6, 10].
  • Persistence & Privilege Escalation: Establishes persistence by registering their own MFA tokens and adding federated identity providers for SSO environments [1, 4].
  • Discovery & Lateral Movement: Conducts extensive reconnaissance to identify valuable assets and uses cloud instances for lateral movement [5, 7].
  • Data Exfiltration & Encryption: Exfiltrates sensitive data to multiple locations, including cloud storage, and has recently started encrypting victim files post-exfiltration [8, 10].

Indicators of Compromise (IOCs)
  • Tools Used: Legitimate tools repurposed for malicious activity, such as Mimikatz and Ngrok [2, 5].
  • TTPs: Tactics, techniques, and procedures employed by Scattered Spider, mapped to the MITRE ATT&CK framework [3, 4, 5].

Mitigation Strategies
  • Application Controls: Implement application controls to manage software execution and prevent unauthorized software installation [1].
  • Secure by Design: Adopt secure-by-design principles in software development to mitigate ransomware techniques [1].
  • Reporting: For reporting suspicious activity or seeking assistance, contact local FBI field offices or CISA’s 24/7 Operations Center [9].
  • Vigilance: Proactive measures are paramount. Organizations must stay informed of the evolving TTPs of Scattered Spider and update their defenses accordingly.

This format provides a comprehensive overview, focusing on actionable intelligence and strategic mitigation. It is designed to inform and guide stakeholders in enhancing their cybersecurity posture against this specific threat actor.

Would this structure meet the needs of your stakeholders for clarity and actionability? Additionally, are there any specific formatting or content guidelines you require for this documentation?

CCOE Certified Sources

Scattered Spider threat actors have been observed encrypting VMware ESXi servers. Scattered Spider threat actors exfiltrate data to multiple sites including U.S.-based data centers and… (Exfiltration Over Web Service: Exfiltration to Cloud Storage, T1567.002)

Scattered Spider IOCs – OccamSec: Scattered Spider – IOCs, Feb 06, 2023. IOCs to detect this threat actor. SCATTERED SPIDER is a threat actor group known for financially motivated attacks targeting mobile carrier networks/telecommunications industry, BPO…

Technique and data sources for detection:
  • Man-in-the-Middle [T1557]: network traffic monitoring; Firewall, Web Proxy, DNS
  • Application Layer Protocol [T1071]: C2 network traffic, cloud C2 domains, IP addresses
  • Protocol Tunneling [T1572]: activity logs, IDS/IPS
  • Exfiltration Over C2 Channel: Firewall, Web Proxy, DNS, Domains, …

User Request

Hi Blackwire, I am a CIO at a small company developing an application that will help support doctors in working with their patients’ health data. I’m unfamiliar with the specific requirements for HIPAA surrounding access to and storage of client data. I need to create a formal policy which will pass an audit and to which my company can align our processes and technology. Please create a policy formatted for this purpose with references to relevant HIPAA controls that the policy meets to ensure our firm and client data is secure.

Solution

MYCOMPANYNAME Client ePHI Data Handling Policy

1. Purpose

This policy is dedicated to ensuring the secure handling of electronic protected health information (ePHI) entrusted to MYCOMPANYNAME by our clients. In adherence to the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations, this policy is designed to safeguard ePHI against unauthorized access, disclosure, alteration, and destruction [1].

2. Scope

This policy pertains to all MYCOMPANYNAME employees, contractors, and any other workforce members who may come into contact with or manage ePHI on behalf of our clients.

3. ePHI Data Access

Access to ePHI shall be strictly controlled. Only authorized personnel whose job roles require it will be granted access to ePHI. Such access will be granted on a least-privilege basis and will be monitored and audited to prevent and detect any unauthorized use [2, 6].

4. Data Protection Measures

MYCOMPANYNAME will implement and maintain appropriate technical safeguards to protect ePHI. This includes the use of encryption for ePHI at rest and in transit, ensuring the integrity of ePHI, and implementing robust access control measures to prevent unauthorized access [8].

5. Incident Response and Reporting

In the event of a suspected or actual breach of ePHI, MYCOMPANYNAME will activate its incident response protocol to contain, assess, and manage the incident. All breaches will be documented and reported as required by HIPAA and applicable state laws [8].

6. Training and Awareness

All workforce members will be provided with training on the proper handling of ePHI and the requirements of this policy. Regular awareness campaigns will be conducted to ensure continued vigilance in the protection of client data [2].

7. Policy Enforcement

Violations of this policy will be met with appropriate disciplinary action, up to and including termination of employment. MYCOMPANYNAME is committed to enforcing this policy to maintain the highest level of confidentiality and integrity of our clients’ ePHI [2].

8. Review and Update

This policy will be reviewed annually or as required by changes in law or operational practices. Any amendments will be communicated promptly to all workforce members.

9. Documentation and Record Keeping

All actions taken in relation to the access, handling, and protection of ePHI will be documented. Records will be maintained in accordance with HIPAA requirements, ensuring that they are available for audit purposes [6].

MYCOMPANYNAME is dedicated to the rigorous protection of ePHI and to upholding our clients’ trust. We understand the gravity of our responsibility and are committed to continuously improving our security posture to meet and exceed industry standards [9].

10. Risk Management

We will conduct regular risk assessments to identify potential vulnerabilities to the confidentiality, integrity, and availability of ePHI and implement measures to mitigate identified risks in line with HIPAA Security Rule requirements [10].

11. Business Associate Agreements

When engaging with third parties that may have access to ePHI, MYCOMPANYNAME will execute Business Associate Agreements to ensure that these partners also adhere to HIPAA-compliant practices for the handling of ePHI [4].

12. Audit Controls

Audit controls will be implemented to regularly review access and activity in systems containing ePHI.

CCOE Certified Sources

NIST: 2022 – NIST SP 800-66r2 ipd, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide

… been granted permission to view, alter, retrieve, and store ePHI and at what times, under what circumstances, and for … • Have staff members been provided copies of their job descriptions and informed of the access granted to them, …

What Are HIPAA Security Rules? – Palo Alto Networks

While not all cyberthreats can be identified in advance, covered entities are responsible to protect patients’ information against threats already in play. 3. Protect against impermissible uses or disclosures. This is important for providers because it covers …

Summary of the HIPAA Security Rule

HIPAA called on the Secretary to issue security regulations regarding measures for protecting the integrity, confidentiality, and availability of e-PHI that is held or transmitted by covered entities. HHS developed a proposed rule and released

User Request

Hi Blackwire, I am a security engineer working at a midsize managed security services firm; we support multiple small businesses and store their log data in a single SPLUNK cloud instance. One specific client has experienced a compromise of a server with the IP, and I need to create a query in SPL to return any communications to or from that IP which were not on port 80 or port 443. Please have this return in a table with CUSTOMERNAME as a title. Please provide the query I need to run in SPLUNK.

Solution
Executive Summary

To identify communications for the compromised server with the IP excluding ports 80 and 443, you can run the following SPL query in Splunk:

```spl
index=your_index_name "" NOT (dest_port=80 OR dest_port=443 OR src_port=80 OR src_port=443)
| table _time, src_ip, dest_ip, src_port, dest_port, protocol
| rename src_ip as "Source IP", dest_ip as "Destination IP", src_port as "Source Port", dest_port as "Destination Port", protocol as "Protocol"
| eval CUSTOMERNAME="NameOfTheCustomer"
| fields CUSTOMERNAME, _time, "Source IP", "Destination IP", "Source Port", "Destination Port", "Protocol"
```

Replace `your_index_name` with the name of the index where your logs are stored. This query searches for all events with the IP address “” as either the source or destination, excluding those where the source or destination ports are 80 or 443. The results are displayed in a table format with the CUSTOMERNAME field added for clarity.

Ensure that your Splunk environment has the necessary fields extracted for `src_ip`, `dest_ip`, `src_port`, `dest_port`, and `protocol`. If these fields are named differently in your data, adjust the query accordingly.
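As an added example (not from the page or Blackwire's product), the same filter applied offline in Python over constructed key=value events, using a placeholder TEST-NET address for the elided server IP. It also makes two caveats of the SPL above explicit: matching on the src_ip/dest_ip fields is stricter than the bare quoted IP term (which matches the address anywhere in the raw event text), and the NOT clause keeps events that carry no port field at all, such as ICMP.

```python
import re

# Placeholder for the compromised server (the page elides the real address); TEST-NET-1 range.
COMPROMISED_IP = "192.0.2.10"
WEB_PORTS = {"80", "443"}
PORT_FIELDS = ("src_port", "dest_port")
RENAMES = {"src_ip": "Source IP", "dest_ip": "Destination IP",
           "src_port": "Source Port", "dest_port": "Destination Port",
           "protocol": "Protocol"}
OUTPUT_COLUMNS = ("CUSTOMERNAME", "_time") + tuple(RENAMES.values())

# Constructed sample events with Splunk-style extracted fields (not real logs).
SAMPLE_EVENTS = [
    "_time=2024-05-01T10:00:01 src_ip=192.0.2.10 dest_ip=203.0.113.5 src_port=51234 dest_port=443 protocol=tcp",
    "_time=2024-05-01T10:00:02 src_ip=192.0.2.10 dest_ip=203.0.113.9 src_port=51235 dest_port=4444 protocol=tcp",
    "_time=2024-05-01T10:00:03 src_ip=198.51.100.7 dest_ip=192.0.2.10 src_port=40000 dest_port=22 protocol=tcp",
    "_time=2024-05-01T10:00:04 src_ip=192.0.2.1 dest_ip=192.0.2.2 src_port=1111 dest_port=2222 protocol=tcp",
    "_time=2024-05-01T10:00:05 src_ip=192.0.2.10 dest_ip=203.0.113.5 src_port=51236 dest_port=80 protocol=tcp",
    "_time=2024-05-01T10:00:06 src_ip=192.0.2.10 dest_ip=203.0.113.50 protocol=icmp",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split a key=value event into a field dict (stand-in for Splunk field extraction)."""
    return dict(FIELD_RE.findall(line))


def involves_host(event, ip):
    """Field-qualified match on either end of the connection."""
    return event.get("src_ip") == ip or event.get("dest_ip") == ip


def on_web_port(event):
    """Mirror NOT (dest_port=80 OR ...): true only when a present port field is 80 or 443.
    Events without any port field (e.g. ICMP) are not excluded, matching Splunk's NOT."""
    return any(event.get(field) in WEB_PORTS for field in PORT_FIELDS)


def non_web_traffic(lines, ip, customer):
    """Return table rows (dicts in OUTPUT_COLUMNS order) for traffic involving ip
    that is not on port 80/443, tagged with CUSTOMERNAME like the eval in the SPL."""
    rows = []
    for line in lines:
        event = parse_event(line)
        if not involves_host(event, ip) or on_web_port(event):
            continue
        row = {"CUSTOMERNAME": customer, "_time": event.get("_time", "")}
        for field, column in RENAMES.items():
            row[column] = event.get(field, "")  # blank cell where the field is absent
        rows.append({column: row[column] for column in OUTPUT_COLUMNS})
    return rows


if __name__ == "__main__":
    for row in non_web_traffic(SAMPLE_EVENTS, COMPROMISED_IP, "NameOfTheCustomer"):
        print(row)
```

The third returned row is the ICMP event with empty port cells; decide explicitly whether such portless events belong in the report rather than letting the NOT clause decide for you.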

In your role as a security engineer, what are the specific challenges you anticipate in creating the query to return communications to or from the compromised server’s IP on ports other than 80 or 443, and how do you plan to address them? Understanding these challenges will help tailor the query to your specific needs and operational environment.

Talent Shortage

A Force Multiplier - Addressing the Talent Crisis

For decades, the supply of security expertise has struggled to keep pace with the demand causing costs to rise exponentially. We help bridge the talent gap with our trusted AI solution ( Our application is built and trained by expert security practitioners as a highly scalable security advisor that operates as a capability force multiplier for organizations. Always ready to serve the needs of your team regardless of the mission.

Blackwire's company objective is to bridge this gap by harnessing security domain expertise and utilizing it as a force multiplier across organizations.

Specialized AI for Cybersecurity

Navigating the Nuances with Industry-Specific AI Language Models

While generalized AI language models are potent, the field of cybersecurity demands transparency and a nuance that is both discipline and industry specific. The models are only as good as the data they are trained on and require curated data sets, informed by real world expertise.

Minimizing Risk & Burnout

Minimizing Risk and Burnout through Data-Driven Security Approaches

Security practitioners frequently experience burnout as they chase the latest threats, regulations, and business requirements. works alongside your teams as a trusted advisor helping them not feel overwhelmed. Always transparent, our solution shows you exactly the sources it uses so your team can confidently reduce organizational risk.


How Are We Different?

Blackwire Labs possesses several strategic advantages that will facilitate the organization’s rapid growth. These advantages include:
  • Well respected reputation as leaders & pioneers in the cybersecurity community
  • Decades of experience building global brands, capabilities & businesses across multiple sectors/industries (commercial, DoD, IC, DIB) in a variety of capacities (practitioner, executive, entrepreneur)
  • Outstanding relationships with industry leaders and experts
  • Direct knowledge of client & industry pain points
  • Access to subject matter expertise and unique data sets
  • Deep expertise in multiple cyber security disciplines and technologies
  • Access to scarce skill sets
  • Expert Network
  • CCOE: ensure quality & transparency
  • Recognized as industry pioneers & innovators
  • Traceable AI & human vetted

Unleash the Power of Human-AI Security Synergy

Act Now with!

Empower your cyber intelligence program and fortify your defenses by choosing from Blackwire Labs. Take action today to transform the way you approach cybersecurity.

Sign Up for a Free Demo Today!
