TNS

Join our community of software engineering leaders and aspirational developers. Always stay in-the-know by getting the most important news and exclusive content delivered fresh to your inbox to learn more about at-scale software development.

REQUIRED

It seems that you've previously unsubscribed from our newsletter in the past. Click the button below to open the re-subscribe form in a new tab. When you're done, simply close that tab and continue with this form to complete your subscription.

The New Stack does not sell your information or share it with unaffiliated third parties. By continuing, you agree to our Terms of Use and Privacy Policy.

Welcome and thank you for joining The New Stack community!

Please answer a few simple questions to help us deliver the news and resources you are interested in.

REQUIRED

Great to meet you!

Tell us a bit about your job so we can cover the topics you find most relevant.

REQUIRED

Welcome!

We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.

What’s next?

Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.

Follow TNS on your favorite social media networks.

Become a TNS follower on LinkedIn.

Check out the latest featured and trending stories while you wait for your first TNS newsletter.

1 of 2

VOXPOP

As a JavaScript developer, what non-React tools do you use most often?

✓

Angular

✓

Astro

✓

Svelte

✓

Vue.js

✓

Other

✓

I only use React

✓

I don't use JavaScript

Thanks for your opinion! Subscribe below to get the final results, published exclusively in our TNS Update newsletter:

NEW! Try Stackie AI

ARCHITECTURE

Cloud Native Ecosystem Containers Databases Edge Computing Infrastructure as Code Linux Microservices Open Source Networking Storage

ENGINEERING

AI AI Engineering API Management Backend development Data Frontend Development Large Language Models Security Software Development WebAssembly

OPERATIONS

AI Operations CI/CD Cloud Services DevOps Kubernetes Observability Operations Platform Engineering

PROGRAMMING

C++ Developer tools Go Java JavaScript Programming Languages Python Rust TypeScript

CHANNELS

Podcasts Ebooks Events Webinars Newsletter TNS RSS Feeds

THE NEW STACK

About / Contact Sponsors Advertise With Us Contributions

PODCASTS EBOOKS EVENTS WEBINARS NEWSLETTER CONTRIBUTE

ARCHITECTURE ENGINEERING OPERATIONS PROGRAMMING

Cloud Native Ecosystem Containers Databases Edge Computing Infrastructure as Code Linux Microservices Open Source Networking Storage

Agentic development hinges on verification. For cloud-native software, that is a runtime problem.

Jun 11th 2026 10:00am, by Arjun Iyer

Vendor neutrality isn’t magic: A hard look at the OpenTelemetry ecosystem

May 29th 2026 10:00am, by Adriana Villela and Josh Lee

How Jaeger hit 8.6× compression on 10 million spans with ClickHouse

May 24th 2026 11:00am, by Mahad Zaryab

After becoming cloud computing’s telemetry standard, OpenTelemetry graduates into the AI infrastructure era

May 21st 2026 10:00am, by Paul Sawers

Why agent harnesses fail inside cloud-native systems

May 13th 2026 9:00am, by Arjun Iyer

AWS can now mathematically prove your VMs are isolated

Jun 10th 2026 12:46pm, by Frederic Lardinois

Microsoft wants to make service mesh invisible

Apr 8th 2026 1:11pm, by Frederic Lardinois

Edera spent years calling KVM less secure. Here's why it changed its mind.

Mar 25th 2026 2:22pm, by Steven J. Vaughan-Nichols

Minimus aims to solve one of open-source's long-festering problems

Mar 24th 2026 3:00am, by Adrian Bridgwater

How to deploy Pi-Hole with Docker and stop ads on every device on your LAN

Mar 23rd 2026 7:44am, by Jack Wallen

When your data model is the bottleneck: lessons from Medium’s feature store

Jun 9th 2026 10:40am, by Cynthia Dunlop

For years, Apache Cassandra handed this work to your team — 6.0 takes it back

Jun 8th 2026 10:00am, by Anil Inamdar

Autonomous agents have met their biggest challenge yet: The database.

Jun 4th 2026 2:53pm, by Chris J. Preimesberger

Why the need for humans won't disappear in the age of autonomous databases

Jun 4th 2026 1:18pm, by Chris J. Preimesberger

Asana says its new AI "chief of staff" turns your Slack chaos into trackable work

Jun 4th 2026 12:21pm, by Frederic Lardinois

Google Gemma 4 12B nearly matches 26B benchmarks — and runs on your laptop

Jun 4th 2026 3:30pm, by Meredith Shubel

How to get operational data off the factory floor without creating an IT breach

Jun 3rd 2026 3:55pm, by Alex Wilhelm

Edge-forward: Akamai eyes sweet spot between centralized & decentralized AI inference

Apr 1st 2026 7:00am, by Adrian Bridgwater

Developers are coding to a moving target, and nobody knows where AI lands next

Mar 3rd 2026 7:33am, by Adrian Bridgwater

Cloudflare’s new Markdown support shows how the web is evolving for AI agents

Mar 2nd 2026 4:30am, by David Eastman

Why Terraform is green when your cloud is broken

Apr 28th 2026 9:00am, by Joe Karlsson

The one Slack message that proved our elite engineering team was flying blind

Apr 26th 2026 11:00am, by Joe Karlsson

The operational gap is real, and it's getting wider

Mar 26th 2026 8:00am, by Yevgeny Pats

Why "automated" infrastructure might cost more than you think

Feb 24th 2026 4:00am, by Justyn Roberts

Why 40% of AI projects will be canceled by 2027 (and how to stay in the other 60%)

Feb 13th 2026 6:00am, by Alex Drag

Why Linux creator Linus Torvalds gets angry hearing "99% of code is AI"

May 29th 2026 10:34am, by B. Cameron Gain

Sparky Linux 9 brings a rolling release to Debian

Mar 30th 2026 8:00am, by Jack Wallen

Edera spent years calling KVM less secure. Here's why it changed its mind.

Mar 25th 2026 2:22pm, by Steven J. Vaughan-Nichols

Your Kubernetes isn't ready for AI workloads, and drift is the reason

Mar 25th 2026 8:43am, by TNS Staff

Linux kernel scale is swamping an already-flawed CVE system

Mar 20th 2026 4:30am, by Jed Salazar

Tetrate launches open source marketplace to simplify Envoy adoption

Mar 11th 2026 10:52am, by Adrian Bridgwater

OpenTelemetry roadmap: Sampling rates and collector improvements ahead

Feb 24th 2026 11:00am, by B. Cameron Gain

Merging To Test Is Killing Your Microservices Velocity

Dec 16th 2025 7:00am, by Arjun Iyer

IBM’s Confluent Acquisition Is About Event-Driven AI

Dec 11th 2025 6:00am, by Joab Jackson

Deploy Agentic AI Workflows With Kubernetes and Terraform

Nov 26th 2025 9:00am, by Oladimeji Sowole

Microsoft pulled 73 GitHub repos after malware attack — but still won’t say who’s compromised

Jun 10th 2026 12:40pm, by Meredith Shubel

Databricks wants to kill the "email me a file" problem for AI agent skills

Jun 10th 2026 10:00am, by Frederic Lardinois

For years, Apache Cassandra handed this work to your team — 6.0 takes it back

Jun 8th 2026 10:00am, by Anil Inamdar

Microsoft just made the agent runtime free — and kept everything around it

Jun 7th 2026 11:00am, by Janakiram MSV

Cloudflare aqui-hires VoidZero: Did a piece of the open web just stabilize, or become more brittle?

Jun 5th 2026 3:01pm, by Adrian Bridgwater

From system of record to system of control: How NetBox Labs is making network engineers “masters of intent.”

Apr 28th 2026 11:00am, by Doug Sillars

Beyond the VPN: Cloudflare Mesh builds a private network for the age of AI agents

Apr 14th 2026 11:04am, by Adrian Bridgwater

Model Flop Utilization is the metric Aria Networks says will define the AI infrastructure era

Apr 7th 2026 9:00am, by Adrian Bridgwater

How to deploy Pi-Hole with Docker and stop ads on every device on your LAN

Mar 23rd 2026 7:44am, by Jack Wallen

Why flat Kubernetes networks fail at scale

Mar 20th 2026 7:00am, by Reza Ramezanpour

Why Postgres wants NVMe on the hot path, and S3 everywhere else

Apr 17th 2026 9:00am, by Alasdair Brown

Scaling Btrfs to petabytes in production: a 74% cost reduction story

Mar 18th 2026 5:00am, by Motiejus Jakštys

What is KubeVirt and why it’s growing

Mar 17th 2026 9:00am, by Tiago Castro

S3 is the new network: Rethinking data architecture for the cloud era

Feb 2nd 2026 4:00am, by Max Liu

Agoda’s secret to 50x scale: Getting the database basics right

Jan 28th 2026 7:00am, by Cynthia Dunlop

AI AI Engineering API Management Backend development Data Frontend Development Large Language Models Security Software Development WebAssembly

AI agents need infrastructure: Why Europe’s regional cloud strategy matters

Jun 11th 2026 10:00am, by Kevin Cochrane

Ramp bets forward deployed engineers can do what off-the-shelf finance AI can't

Jun 10th 2026 9:00am, by Matthew Burns

Anthropic launches Claude Mythos/Fable 5, but you better try it soon

Jun 9th 2026 3:30pm, by Frederic Lardinois

Spring is 23 years old. AI just made it a security emergency.

Jun 9th 2026 2:48pm, by Darryl K. Taft

Microsoft's pitch to enterprises: Ditch Azure Repos for GitHub, despite its rocky reliability record

Jun 8th 2026 3:05pm, by Paul Sawers

Beyond the stack trace: why AI requires a new debugging paradigm

Jun 11th 2026 1:00pm, by Zziwa Raymond Ian

How to delegate 40% of tickets to AI

Jun 11th 2026 10:30am, by Zohar Einy

Agentic development hinges on verification. For cloud-native software, that is a runtime problem.

Jun 11th 2026 10:00am, by Arjun Iyer

Transform your AI coding agent into a deterministic Java Spring expert

Jun 11th 2026 9:00am, by Raquel Pau

Cleaner AI training data, fewer bugs: Sonar's SonarSweep explained

Jun 11th 2026 8:00am, by Joe Tyler

Anthropic's $300M Stainless deal lands hardest on OpenAI and Google

May 23rd 2026 10:00am, by Janakiram MSV

The API portal is the clearest signal of whether your company can handle AI agents

May 12th 2026 1:23pm, by Charles Humble

AI teams are spending months on web scrapers that SerpApi replaces with one API call

May 12th 2026 10:00am, by Carly Page

Why JSON Schema matters more than ever in the age of generative AI

Apr 28th 2026 1:00pm, by Charles Humble

SmartBear's Swagger update targets the API drift problem AI coding tools created

Apr 19th 2026 10:00am, by Darryl K. Taft

Why PHP performance keeps getting bumped from the roadmap

May 6th 2026 10:00am, by Matthew Weier O’Phinney

Why Postgres wants NVMe on the hot path, and S3 everywhere else

Apr 17th 2026 9:00am, by Alasdair Brown

Expo bets big on React Native’s agentic future

Apr 16th 2026 11:37am, by Paul Sawers

From clobbered drafts to real-time sync

Apr 14th 2026 10:00am, by David Moore

Moving beyond the “magic scaling sauce” myth

Apr 2nd 2026 9:30am, by TNS Staff

Databricks wants to kill the "email me a file" problem for AI agent skills

Jun 10th 2026 10:00am, by Frederic Lardinois

When your data model is the bottleneck: lessons from Medium’s feature store

Jun 9th 2026 10:40am, by Cynthia Dunlop

For years, Apache Cassandra handed this work to your team — 6.0 takes it back

Jun 8th 2026 10:00am, by Anil Inamdar

Rayfin: Microsoft's answer to the gap between vibe coding and enterprise production

Jun 2nd 2026 3:46pm, by Darryl K. Taft

Microsoft bets the enterprise AI race will be won on data context, not model power

Jun 2nd 2026 3:40pm, by Darryl K. Taft

Google wants to make the web agent-ready

May 19th 2026 1:45pm, by Frederic Lardinois

Expo bets big on React Native’s agentic future

Apr 16th 2026 11:37am, by Paul Sawers

Digital Experience Monitoring belongs in the modern developer workflow

Apr 3rd 2026 10:00am, by Kayla Bondy

WebMCP turns any Chrome web page into an MCP server for AI agents

Mar 17th 2026 11:50am, by David Eastman

Confluent adds A2A support, anomaly detection, and Queues for Kafka in major platform update

Mar 3rd 2026 10:21am, by Jelani Harper

Cleaner AI training data, fewer bugs: Sonar's SonarSweep explained

Jun 11th 2026 8:00am, by Joe Tyler

Google's DiffusionGemma is 4x faster than its other Gemma models

Jun 10th 2026 1:18pm, by Frederic Lardinois

Fable 5: Guardrails and burn rate are annoying users, who say it's still better than Opus 4.8

Jun 10th 2026 1:11pm, by Meredith Shubel

Why Anthropic just doubled Claude Cowork limits at no charge

Jun 8th 2026 1:35pm, by Adrian Bridgwater

Google Gemma 4 12B nearly matches 26B benchmarks — and runs on your laptop

Jun 4th 2026 3:30pm, by Meredith Shubel

Cleaner AI training data, fewer bugs: Sonar's SonarSweep explained

Jun 11th 2026 8:00am, by Joe Tyler

Microsoft pulled 73 GitHub repos after malware attack — but still won’t say who’s compromised

Jun 10th 2026 12:40pm, by Meredith Shubel

Spring is 23 years old. AI just made it a security emergency.

Jun 9th 2026 2:48pm, by Darryl K. Taft

"A dangerous combination": The 2 factors that can "corrupt" AI agent workflows

Jun 8th 2026 9:00am, by Adrian Bridgwater

How to dramatically improve enterprise security alert tuning to battle cyberattacks

Jun 4th 2026 2:12pm, by Todd R. Weiss

Beyond the stack trace: why AI requires a new debugging paradigm

Jun 11th 2026 1:00pm, by Zziwa Raymond Ian

How to delegate 40% of tickets to AI

Jun 11th 2026 10:30am, by Zohar Einy

WeAreDevelopers is coming to the US to give unsung developers a bigger voice

Jun 11th 2026 8:42am, by Nick Lucchesi

How long before we stop reading the code?

Jun 9th 2026 9:00am, by Ankit Jain

AI teams now deploy 1,000 times a month. Your pipeline wasn't built for that.

Jun 7th 2026 12:30pm, by Paul Stovell

Edge-forward: Akamai eyes sweet spot between centralized & decentralized AI inference

Apr 1st 2026 7:00am, by Adrian Bridgwater

WebAssembly is now outperforming containers at the edge

Mar 29th 2026 9:00am, by B. Cameron Gain

WebAssembly could solve AI agents' most dangerous security gap

Mar 24th 2026 9:01am, by B. Cameron Gain

How WebAssembly plugins simplify Kubernetes extensibility

Mar 3rd 2026 2:00pm, by B. Cameron Gain

WebAssembly is everywhere. Here's how it works

Feb 25th 2026 11:00am, by Jessica Wachtel

AI Operations CI/CD Cloud Services DevOps Kubernetes Observability Operations Platform Engineering

Observability overload is drowning engineers

Jun 10th 2026 1:27pm, by Alex Wilhelm

The tokenmaxxing party is over, and Revenium is mopping up

Jun 9th 2026 6:00am, by Chris J. Preimesberger

Why Anthropic just doubled Claude Cowork limits at no charge

Jun 8th 2026 1:35pm, by Adrian Bridgwater

From Jupyter Notebook to production: How to ship AI systems that actually work

Jun 6th 2026 7:00am, by Zziwa Raymond Ian

Why agentic AI makes the ops platform the most important layer in the enterprise

Jun 4th 2026 2:35pm, by TNS Staff

AI teams now deploy 1,000 times a month. Your pipeline wasn't built for that.

Jun 7th 2026 12:30pm, by Paul Stovell

GitLab 19.0 trades its string section for a full DevSecOps orchestra

May 25th 2026 12:00pm, by Adrian Bridgwater

CI wasn't built for coding agents. Here's what comes next.

May 21st 2026 10:30am, by Anirudh Ramanathan

As agentic dev tools boom, workflow auditability becomes the constraint

May 12th 2026 8:00am, by Brian Wald

The agent code explosion is here. We need to rethink our pipelines, fast.

May 4th 2026 10:00am, by Arjun Iyer

AI agents need infrastructure: Why Europe’s regional cloud strategy matters

Jun 11th 2026 10:00am, by Kevin Cochrane

Why CPUs still matter in the age of AI agents

Jun 3rd 2026 2:54pm, by Frederic Lardinois

Why AWS scrapped OpenSearch's architecture to chase agent workloads

May 28th 2026 2:30pm, by Frederic Lardinois

AI agents need to spend money — Stripe and iWallet are building the rails

May 5th 2026 7:43am, by John Biggs

AWS lands OpenAI on Bedrock, but Trainium is the real story

Apr 29th 2026 10:54am, by Janakiram MSV

From Jupyter Notebook to production: How to ship AI systems that actually work

Jun 6th 2026 7:00am, by Zziwa Raymond Ian

The DIY platform trap that's burning out engineering teams

May 31st 2026 11:00am, by Darin Zook

GitLab 19.0 trades its string section for a full DevSecOps orchestra

May 25th 2026 12:00pm, by Adrian Bridgwater

How MCP and synthetic data are reshaping compliance in the agentic era

May 23rd 2026 9:00am, by Brian Muskoff

"Morally repugnant shortsightedness": Why open source security leaders say companies must stop freeloading on maintainers

May 21st 2026 10:00am, by Adrian Bridgwater

Why the need for humans won't disappear in the age of autonomous databases

Jun 4th 2026 1:18pm, by Chris J. Preimesberger

How to secure Kubernetes in the age of AI workloads

Jun 4th 2026 12:45pm, by Mary Branscombe

Cloud native application challenges: installing the walking skeleton

May 13th 2026 9:00am, by Manning Book Authors

Why Prometheus couldn't see Cilium metrics at 2 a.m.

May 10th 2026 10:00am, by Rishi Mondal

How Microsoft is governing thousands of Kubernetes clusters without manual intervention

May 7th 2026 6:07pm, by Adrian Bridgwater

Observability overload is drowning engineers

Jun 10th 2026 1:27pm, by Alex Wilhelm

The tokenmaxxing party is over, and Revenium is mopping up

Jun 9th 2026 6:00am, by Chris J. Preimesberger

Vendor neutrality isn’t magic: A hard look at the OpenTelemetry ecosystem

May 29th 2026 10:00am, by Adriana Villela and Josh Lee

Debugging the undebuggable: building observability into probabilistic AI systems

May 28th 2026 7:00am, by Oladimeji Sowole

Taming the agentic influx: a blueprint for AI business observability

May 26th 2026 8:00am, by Charles Humble

The reason enterprise outages almost never start where ops teams think

May 26th 2026 9:43am, by Jennifer Riggins

I buried 20 problems in a fake P&L to see if Claude for Small Business could find them

May 22nd 2026 9:00am, by Jessica Wachtel

OpenAI brings Codex to the ChatGPT mobile app

May 14th 2026 4:13pm, by Frederic Lardinois

GitLab is betting a 19th-century economic theory will shape its AI era

May 14th 2026 1:21pm, by Paul Sawers

The new FinOps problem isn't cloud bills

May 12th 2026 7:24pm, by Frederic Lardinois

Git real: AI agents aren't just for solo developers anymore

Jun 9th 2026 3:58pm, by Janakiram MSV

Netlify CTO Dana Lawson: Writing code is no longer the job

Jun 6th 2026 10:00am, by Jennifer Riggins

Why agentic AI makes the ops platform the most important layer in the enterprise

Jun 4th 2026 2:35pm, by TNS Staff

The DIY platform trap that's burning out engineering teams

May 31st 2026 11:00am, by Darin Zook

The fix for soaring AI cloud bills exists — so why won't we trust it?

May 29th 2026 9:00am, by Jennifer Riggins

C++ Developer tools Go Java JavaScript Programming Languages Python Rust TypeScript

Open source USearch library jumpstarts ScyllaDB vector search

Feb 5th 2026 12:00pm, by Jelani Harper

AWS WAF vs. Google Cloud Armor: A Multicloud Security Showdown

Nov 25th 2025 10:00am, by Advait Patel

Goodbye Dashboards: Agents Deliver Answers, Not Just Reports

Nov 23rd 2025 9:00am, by Ketan Karkhanis

Rust vs. C++: a Modern Take on Performance and Safety

Oct 22nd 2025 2:00pm, by Zziwa Raymond Ian

Building a Real-Time System Monitor in Rust Terminal

Oct 15th 2025 7:05am, by Tinega Onchari

Beyond the stack trace: why AI requires a new debugging paradigm

Jun 11th 2026 1:00pm, by Zziwa Raymond Ian

The Anthropic leader who built Claude Code says he ditched prompting — now he just writes loops.

Jun 10th 2026 1:01pm, by Janakiram MSV

How long before we stop reading the code?

Jun 9th 2026 9:00am, by Ankit Jain

Claude Code's biggest upgrade yet ran 5 agents at once — here's what happened

Jun 8th 2026 3:01pm, by Jessica Wachtel

With Foundry, Microsoft bets the enterprise AI battle is about reliability, not capability

Jun 8th 2026 8:00am, by Darryl K. Taft

Go Experts: 'I Don't Want to Maintain AI-Generated Code'

Sep 28th 2025 6:00am, by David Cassel

How To Run Kubernetes Commands in Go: Steps and Best Practices

Jun 27th 2025 8:00am, by Sunny Yadav

Prepare Your Mac for Go Development

Apr 12th 2025 7:00am, by Damon M. Garn

Pagoda: A Web Development Starter Kit for Go Programmers

Mar 19th 2025 6:10am, by Loraine Lawson

Microsoft TypeScript Devs Explain Why They Chose Go Over Rust, C#

Mar 18th 2025 7:00am, by David Cassel

Transform your AI coding agent into a deterministic Java Spring expert

Jun 11th 2026 9:00am, by Raquel Pau

Spring is 23 years old. AI just made it a security emergency.

Jun 9th 2026 2:48pm, by Darryl K. Taft

In the AI age, Java is more relevant than ever

Apr 8th 2026 5:30pm, by Mary Branscombe

Java 26 lands without an LTS badge. Here's why developers should care anyway.

Mar 18th 2026 9:35am, by Darryl K. Taft

62% of enterprises now use Java to power AI apps

Feb 10th 2026 12:58pm, by Darryl K. Taft

Cloudflare aqui-hires VoidZero: Did a piece of the open web just stabilize, or become more brittle?

Jun 5th 2026 3:01pm, by Adrian Bridgwater

"Real maturity problems": Not every developer is thrilled with Bun after Anthropic acquisition

May 5th 2026 1:03pm, by Adrian Bridgwater

TypeScript 6.0 RC arrives as a bridge to a faster future

Mar 14th 2026 9:00am, by Darryl K. Taft

WebAssembly is everywhere. Here's how it works

Feb 25th 2026 11:00am, by Jessica Wachtel

Wasm vs. JavaScript: Who wins at a million rows?

Feb 22nd 2026 6:00am, by Jessica Wachtel

Who will maintain the web when PHP's veterans retire?

Apr 16th 2026 2:53pm, by Darryl K. Taft

Will AI force code to evolve or make it extinct?

Mar 22nd 2026 6:00am, by David Cassel

Java 26 lands without an LTS badge. Here's why developers should care anyway.

Mar 18th 2026 9:35am, by Darryl K. Taft

TypeScript 6.0 RC arrives as a bridge to a faster future

Mar 14th 2026 9:00am, by Darryl K. Taft

Nearly half of all companies now use Rust in production, survey finds

Mar 6th 2026 10:45am, by Darryl K. Taft

How to build an AI-powered private document search app with RAG, ChromaDB, and memory

Apr 10th 2026 12:00pm, by Teri Eyenike

In the AI age, Java is more relevant than ever

Apr 8th 2026 5:30pm, by Mary Branscombe

OpenAI acquires Astral to bring open source Python developer tools to Codex — but details are still fuzzy

Mar 20th 2026 7:33am, by Meredith Shubel

Python virtual environments: isolation without the chaos

Feb 16th 2026 7:00am, by Jessica Wachtel

Statistical language R is making a comeback against Python

Feb 12th 2026 2:57pm, by Darryl K. Taft

The Rust sidecar pattern that fixes Python AI's biggest weakness

May 14th 2026 9:00am, by Boris Chabeda

Nearly half of all companies now use Rust in production, survey finds

Mar 6th 2026 10:45am, by Darryl K. Taft

Wasm vs. JavaScript: Who wins at a million rows?

Feb 22nd 2026 6:00am, by Jessica Wachtel

Open source USearch library jumpstarts ScyllaDB vector search

Feb 5th 2026 12:00pm, by Jelani Harper

The 'weird' things that happened when Clickhouse replaced C++ with Rust

Feb 4th 2026 7:26am, by B. Cameron Gain

From clobbered drafts to real-time sync

Apr 14th 2026 10:00am, by David Moore

TypeScript 6.0 RC arrives as a bridge to a faster future

Mar 14th 2026 9:00am, by Darryl K. Taft

Mastra empowers web devs to build AI agents in TypeScript

Jan 28th 2026 11:00am, by Loraine Lawson

Inferno Vet Creates Frontend Framework Built With AI in Mind

Dec 10th 2025 11:00am, by Loraine Lawson

JavaScript Utility Library Lodash Changing Governance Model

Nov 1st 2025 7:00am, by Loraine Lawson

Networking / Security

Behind the Scenes of the SUNBURST Attack

The biggest cyber attack in recent times was in December 2020, when the Sunburst malware was installed on SolarWinds’ Orion product.

Feb 19th, 2021 8:36am by Lior Sonntag and Dror Alon

👁 Featued image for: Behind the Scenes of the SUNBURST Attack

Check Point sponsored this post.

👁 Image

Lior Sonntag

Lior is a Security Researcher at Check Point Software Technologies. He is a security enthusiast who loves to break stuff and put it back together. He's passionate about various InfoSec topics such as Cloud Security, Offensive Security, Vulnerability Research and Reverse Engineering.

The biggest cyberattack in recent times came in the form of what seems like a nation-state-sponsored supply chain attack, in December when the SUNBURST malware was installed on SolarWinds’ Orion product. This made headlines worldwide for good reason — post-compromise activity included data theft through lateral movement, which is when the attacker moves through a network searching for targeted key data and assets. This attack was the work of a highly-skilled actor and the operation was conducted with significant operational security.

This attack consisted of lateral movement of the threat actor from the on-premises network to the cloud, and it was done in two phases:

Phase One: The On-Prem Golden SAML Attack. Here the threat actors gained administrative access to the organization’s Active Directory Federation Services (ADFS) server. This allowed them to forge Security Assertion Markup Language (SAML) tokens and create illegitimate registrations of SAML Trust Relationships. By impersonating a user with valid administrative credentials, the threat actors could change the configuration of the SAML Service Provider (in this case, Azure AD). From there, they successfully gained administrative access to the Azure AD.
Phase Two: Malicious activity in the Cloud. The threat actors then used the Azure Active Directory administrative credentials for malicious activities. This included (but was not limited to): enumeration of existing applications and service principals, injection of credentials into them, impersonation and execution of actions on behalf of them, and the exfiltration of sensitive data like users and mails.

👁 Image

Dror Alon

Dror is Security Research Team Leader at Check Point Software Technologies. He's a proactive researcher in the cyber domain; investigating cyber events, and identifying and resolving the security issues faced by organizations worldwide.

In this analysis, we will focus on the second attack phase, in the cloud, and present key tactics and techniques used by the nation-state actors in the malicious campaign. By using the MITRE ATT&CK framework, we will provide the most likely technical attack flow of the nation-state actor’s actions.

Reviewing Microsoft’s article, the chain of events that occurred through this attack were:

Initial Access (On-Prem): Forged SAML tokens and illegitimate registrations of SAML Trust Relationships; impersonating a user with administrative credentials (in this case, Azure AD).
Discovery: The threat actor enumerates existing applications/service principals (preferably with high traffic patterns).
Credential Access: The threat actor adds credentials to an existing application or service principal.
Privilege Escalation: The threat actor elevates the privileges of the application/service-principal, to allow access to MS Graph APIs Application permissions.
Defense Evasion and Lateral Movement: The threat actor acquires OAuth access tokens of applications, allowing them to impersonate the applications and obfuscate their activity.
Exfiltration: The threat actor calls MS Graph APIs to exfiltrate sensitive data such as users’ data and emails.

👁 Image

Here we will focus on the attack flow in the Cloud Environment after the initial authentication(i.e. steps 2-6). But first, let’s elaborate on the AzureAD Authentication and Authorization mechanisms.

In short, Authentication is proving you are who you say you are. This is done by the Identity Provider (in this case Azure AD). Authorization is the act of granting an authenticated party permission to do something. This is done by the resource the identity is trying to query, utilizing the OAuth 2.0 protocol.

👁 Image

Check Point Software Technologies is a leading provider of cyber security and threat prevention. Check Point CloudGuard provides unified cloud native security for networks, assets and workloads — automating cloud security, preventing threats, and managing posture — across multicloud environments.

Learn More

The latest from Check Point

Discovery

First, the threat actor gains an initial foothold into the Cloud Environment by compromising privileged cloud users with administrative access to the Azure AD. They then add credentials to an existing application or service principal. However, in order to do that, the threat actor needs to firstly list all the existing applications:

👁 Image

The threat actor prefers applications with high traffic patterns (e.g. mail archival applications) which can be used to obfuscate their activity. So, they decide to choose the “MailApp” (an imaginary application name) and extracts its ObjectId and ApplicationId:

👁 Image

In addition, the threat actor extracts the account’s tenantId:

👁 Image

Credential Access

Next, the threat actor creates new credentials and adds them to the application:

👁 Image

Alternatively, the threat actor can create new credentials and add them to an existing service principal associated with the MailApp application:

👁 Image

After this phase, the threat actor has the credentials of the application — which can be used to authenticate to AzureAD on behalf of the application.

Application/Service-Principal Privilege Escalation

In this step, the threat actor lists all the available permissions related to Microsoft Graph APIs:

👁 Image

The threat actor decides to add the User.ReadWrite.All permission to the MailApp application:

👁 Image

Afterward, the threat actor lists all the available permissions related to Mails and associated to the Microsoft Graph API:

👁 Image

They decide to also add the Mail.ReadWrite permission to the MailApp application:

👁 Image

The error in red indicates that an admin consent must be launched to approve this permission.

The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent to admins who have been designated as reviewers.

Due to the fact that the actor already has administrative permissions, they can launch an admin consent on their own:

👁 Image

The admin consent was successful and the Microsoft Graph APIs permissions were successfully added to the MailApp application!

Defense Evasion and Lateral Movement

Then, the actor acquired an OAuth access token for the application, by initiating an HTTP GET request which included the tenantId, objectId, appId and the secret (credentials) obtained from before:

👁 Image

This access token enabled the actor to move laterally, impersonate the MailApp application, and execute actions on behalf of it.

Exfiltration

Finally, the threat actor calls APIs with permissions assigned to the MailApp application.

The threat actor initiated an HTTP GET request, which included the access token to exfiltrate all users in the tenant and all emails related to a specific user.

👁 Image

Users exfiltration

👁 Image

Emails exfiltration

👁 Image

Emails’ subjects exfiltration

In conclusion, the SUNBURST attack was by far one of the most sophisticated attacks of our time — extending beyond on-prem and into the cloud. The threat actor executed advanced techniques to cover their tracks; using discovery, credential access, privilege escalation, lateral movement, defense evasion, and exfiltration all in one attack flow.

Since the attack, the number of victims compromised by SUNBURST continues to rise, and could happen again on any of the cloud providers. Many security vendors are offering free trials to help organizations get a handle on the security of their environment. While this is a step in the right direction, the question is, will you know what to look for and will you be prepared?

Check Point sponsored this post.

Feature image via Pixabay.

👁 Image

Learn More

The latest from Check Point

URL: https://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/