Phil Stokes, Author at SentinelOne

Gabriel Bernadett-Shapiro & Silas Cutler (Censys) / January 29, 2026

Analysis of 175,000 open-source AI hosts across 130 countries reveals a vast compute layer susceptible to resource hijacking and code execution attacks.

labs

LLMs in the SOC (Part 1) | Why Benchmarks Fail Security Operations Teams

Gabriel Bernadett-Shapiro & Edir Garcia Lazo / January 20, 2026

LLM cybersecurity benchmarks fail to measure what defenders need: faster detection, reduced containment time, and better decisions under pressure.

labs

Security Research

Inside the LLM | Understanding AI & the Mechanics of Modern Attacks

Phil Stokes / January 13, 2026

Learn how attackers exploit tokenization, embeddings and LLM attention mechanisms to bypass LLM security filters and hijack model behavior.

labs

Security & Intelligence

LLMs & Ransomware | An Operational Accelerator, Not a Revolution

Gabriel Bernadett-Shapiro, Jim Walter & Alex Delamotte / December 15, 2025

LLMs make competent ransomware crews faster and novices more dangerous. The risk is not superintelligent malware, but rather industrialized extortion.

labs

Security Research

Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware

Alex Delamotte, Vitaly Kamluk & Gabriel Bernadett-Shapiro / September 19, 2025

LLM-enabled malware poses new challenges for detection. SentinelLABS presents groundbreaking research on how to hunt for this new class of threats.

labs

Adversary

Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

Aleksandar Milenkoski, Sreekar Madabushi (Validin) & Kenneth Kinion (Validin) / September 4, 2025

DPRK-aligned threat actors abuse CTI platforms to detect infrastructure exposure and scout for new assets.

sentinelone

macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App

From the Front Lines | 11 minute read

macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

Phil Stokes & Raffaele Sabato / July 2, 2025

NimDoor shows how threat actors are continuing to explore cross-platform languages that introduce new levels of complexity for analysts.

labs

Security Research

FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

Tom Hegel, Kenneth Kinion (Validin) & Sreekar Madabushi (Validin) / May 8, 2025

FreeDrain is a modern, scalable phishing operation exploiting weaknesses in free publishing platforms to steal cryptocurrency on a global scale.

labs

Crimeware

AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale

Alex Delamotte & Jim Walter / April 9, 2025

AkiraBot uses OpenAI to generate custom outreach messages to spam chat widgets and website contact forms at scale.

Phil Stokes

Silent Brothers | Ollama Hosts Form Anonymous AI Network Beyond Platform Guardrails

LLMs in the SOC (Part 1) | Why Benchmarks Fail Security Operations Teams

Inside the LLM | Understanding AI & the Mechanics of Modern Attacks

LLMs & Ransomware | An Operational Accelerator, Not a Revolution

Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware

Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale