Phil Stokes, Author at SentinelOne

Phil Stokes / March 19, 2026

Single-tool LLM analysis produces reports that look authoritative but aren't. A serial consensus pipeline catches artifacts and hallucinations at source.

labs

AI Research

From Narrative to Knowledge Graph | LLM-Driven Information Extraction in Cyber Threat Intelligence

Aleksandar Milenkoski & Razvan Gabriel Cirstea / March 9, 2026

LLMs can turn CTI narratives into structured intelligence at scale, but speed-accuracy trade-offs demand careful design for operational defense workflows.

labs

AI Research

Silent Brothers | Ollama Hosts Form Anonymous AI Network Beyond Platform Guardrails

Gabriel Bernadett-Shapiro & Silas Cutler (Censys) / January 29, 2026

Analysis of 175,000 open-source AI hosts across 130 countries reveals a vast compute layer susceptible to resource hijacking and code execution attacks.

labs

AI Research

LLMs in the SOC (Part 1) | Why Benchmarks Fail Security Operations Teams

Gabriel Bernadett-Shapiro & Edir Garcia Lazo / January 20, 2026

LLM cybersecurity benchmarks fail to measure what defenders need: faster detection, reduced containment time, and better decisions under pressure.

labs

AI Research

Inside the LLM | Understanding AI & the Mechanics of Modern Attacks

Phil Stokes / January 13, 2026

Learn how attackers exploit tokenization, embeddings and LLM attention mechanisms to bypass LLM security filters and hijack model behavior.

labs

AI Research

LLMs & Ransomware | An Operational Accelerator, Not a Revolution

Gabriel Bernadett-Shapiro, Jim Walter & Alex Delamotte / December 15, 2025

LLMs make competent ransomware crews faster and novices more dangerous. The risk is not superintelligent malware, but rather industrialized extortion.

labs

AI Research

Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware

Alex Delamotte, Vitaly Kamluk & Gabriel Bernadett-Shapiro / September 19, 2025

LLM-enabled malware poses new challenges for detection. SentinelLABS presents groundbreaking research on how to hunt for this new class of threats.

labs

Adversary

Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

Aleksandar Milenkoski, Sreekar Madabushi (Validin) & Kenneth Kinion (Validin) / September 4, 2025

DPRK-aligned threat actors abuse CTI platforms to detect infrastructure exposure and scout for new assets.

labs

macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App

Phil Stokes & Dinesh Devadoss / July 10, 2025

ZuRu malware continues to prey on macOS users seeking legitimate business tools, adapting its loader and C2 techniques to backdoor its targets.

labs

Advanced Persistent Threat

macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

Phil Stokes & Raffaele Sabato / July 2, 2025

NimDoor shows how threat actors are continuing to explore cross-platform languages that introduce new levels of complexity for analysts.

Phil Stokes

Building an Adversarial Consensus Engine | Multi-Agent LLMs for Automated Malware Analysis

From Narrative to Knowledge Graph | LLM-Driven Information Extraction in Cyber Threat Intelligence

Silent Brothers | Ollama Hosts Form Anonymous AI Network Beyond Platform Guardrails

LLMs in the SOC (Part 1) | Why Benchmarks Fail Security Operations Teams

Inside the LLM | Understanding AI & the Mechanics of Modern Attacks

LLMs & Ransomware | An Operational Accelerator, Not a Revolution

Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware

Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App

macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware