Hi, I'm Jacob Santos
Senior threat researcher who hunts for emerging threats, builds operational security tools, and shares findings through research and workshops.
Featured Research
Latest published threat analysis and intelligence
Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack
Deep-dive analysis of Warlock (Water Manaul) ransomware operations revealing new TTPs including persistent BYOVD techniques, TightVNC and Yuze remote access tools, and 15-day dwell time before LockBit-derived ransomware deployment.
Five New Rust-Based Ransomware Families Identified
Thread analyzing five distinct Rust-based ransomware families identified in early December 2025, signaling an accelerated shift in how threat actors build and scale attacks.
Agenda Ransomware: Continued Linux-on-Windows Campaign
Thread on a new Agenda ransomware campaign continuing the group's use of Linux binaries on Windows systems, with new techniques and tooling building on earlier 2025 attacks.
PureRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading
Uncovered a PureRAT campaign targeting job seekers that uses a renamed Foxit PDF Reader for DLL side-loading together with Python-based shellcode loaders.
What I Do
Combining threat research with automation and intelligence dissemination.
Threat Research
Deep-dive analysis of ransomware families, APT campaigns, and adversary tooling. Published on the company research blog.
Security Tooling
Building production tools adopted team-wide — AI pipelines, threat intel platforms, MCP servers, desktop applications, and Confluence integrations.
Intelligence Dissemination
Delivering advanced threat defense workshops for multinational participants, government agencies, and enterprises across multiple countries.
From the Blog
Practical insights from the field
Infrastructure Hunting Beyond IOCs
2026-02-05
Moving up the Pyramid of Pain — from hash-based detection to hunting adversary infrastructure through behavioral fingerprints and network patterns.
MCP Servers for Threat Intelligence
2026-01-15
How I set up Model Context Protocol servers to bridge AI assistants with threat intelligence platforms — and what I learned about tool design along the way.
What Ransomware Hunting Actually Looks Like
2025-12-08
The daily reality of proactive ransomware hunting — from YARA triggers and VirusTotal dashboards to naming new families and building attack chains from telemetry.
Let's connect
Open to research collaborations, interesting problems, and new opportunities.