Valid accounts
T1078, credentials stolen via helpdesk vishing, MFA bypass through push-bombing. No malware, no signature: just one extra operator with the right credentials.
Intel-driven MDR with European SOC 24·7·365. The TTPs of 287 tools and actors targeting European markets become detections before they reach you. Median containment <30 min from confirmed alert.
No endless projects, no six-month discovery. Five verified steps reduced to the minimum viable for your stack · 3 weeks from NDA to full defensive presence. Security monitoring is already active from Week 1 during onboarding · the first real alert is contained in <30 min, with detection mapped to MITRE ATT&CK against the TTPs of 287 profiled tools and actors. By Week 3: Fortgale Console provisioning, L2/L3 analyst federation on your platforms, European SOC operational H24. From that moment on, monthly threat briefings, quarterly tabletop exercises, and runbooks kept alive against your posture. Protection is not a go-live event · it's a property that grows from day 1 of integration.
First meeting · NDA · stack & probable adversaries mapping
Telemetry connectors · monitoring already active
Fortgale Console tenant · CISO/IT access
Fortgale analysts on customer platforms
SOC 24·7 · <30 min containment · European defense outpost
Across European high-tier incidents in Q1 2026, valid accounts (T1078) and phishing (T1566) drive most initial access, before any malware-based detection fires. Source: ENISA Threat Landscape · MITRE ATT&CK telemetry.
T1078, credentials stolen via helpdesk vishing, MFA bypass through push-bombing. No malware, no signature: just one extra operator with the right credentials.
T1190, exploits of file transfer, VPN, identity broker. Actors like Cl0p acquire 0-days on criminal markets and use them in targeted campaigns before CVEs are issued.
Endpoint, identity, cloud, network, lateral movement shifts the target before a single-telemetry SIEM can correlate. You need multi-domain AI correlation, not silo alerts.
From the first alert to containment, all under a single point of contact. No vendor handovers, no translation, no grey zone.
EDR · NDR · IDR · CDR, telemetry from endpoint, network, identity and cloud, normalised into a single data fabric. Vendor-agnostic: we adapt to the stack you already have.
Multi-domain AI correlation against the TTPs of 287 tools and actors profiled by our Cyber Threat Intelligence. >90% noise reduction. Only what merits the human analyst leaves tier-zero.
European SOC, analysts with decision authority. Triage, investigation, attribution to the threat actor. Embedded in your regulatory environment, time zone, language and compliance context included.
Median containment <30 min from confirmed alert. Assisted remote response: process kill, credential reset, network segmentation on demand. For major incidents, escalation to the Incident Response team.
Metrics measured on real customer telemetry in Q1 2026. Updated quarterly.
Fortgale runs your MDR service on the platform you use (or selects the optimal one with you). For each platform · a dedicated page with technical detail, observed threat intelligence and proprietary runbooks.
The CISO decides on risk. The IT lead decides on the runbook. Fortgale MDR produces evidence for both.
Ransomware is not a question of "if" but of "when". Each month the CISO receives the profile of the 3 most probable adversaries against their sector, with the Fortgale runbook already mapped to each one.
When the alert is real, decision time is containment time. Our L2/L3 analysts know your stack, share your time zone and regulatory context, and have decision authority.
When an MDR alert is confirmed, the runbook we execute has already been tested against the real adversary. We profile actors, analyse samples, track TTPs: this research becomes operational action in production, not shelfware.

ABSTRACT The FBI recently issued an advisory on Kali365, a Phishing-as-a-Service platform that abuses legitimate Microsoft OAuth flows to bypass multi-factor authentication. Kali…
Read article →
Intelligence · Phishing Kit · Q1 2026 April 24, 2026Fortgale CTI14 min readRPT-26-0424 Observation of the quarter The 2026 phishing ecosystem has outpaced traditional defenses. M…
Read article →
In the high-stakes world of venture capital and corporate funding, where millions hang in the balance and sensitive financial data flows freely, a new breed of cyber threat is em…
Read article →
In February 2026, the Fortgale Incident Response team investigated a multi-stage intrusion attributed to Mora_001, a Russian-origin threat actor exploiting Fortinet vulnerabiliti…
Read article →
UPDATES: 27.11.2024: As mentioned by TrustWave, "Supercar Phishing Kit" has an high level of overlapping with the most recent update of "Rockstar 2FA Phishing-as-a-Service" 26.09…
Read article →
In the evolving landscape of cybersecurity threats, Fortgale is tracking PhishSurf Nebula, an advanced Cyber Espionage group active since 2021 and primarily targeting entities wi…
Read article →MDR is a managed service that combines multi-domain telemetry (endpoint, identity, cloud, network), MITRE ATT&CK-mapped detection and analysts who investigate and contain incidents. Fortgale runs it with a European SOC 24·7·365: median containment <30 min from confirmed alert. A cyber attack is not something, it is someone: MDR exists to know it, anticipate it and stop it.
The SOC is the structure that monitors; MDR is the service that, on top of the SOC, adds intel-driven detection and above all response: analysts have authority to decide and contain, not just to notify. In the Fortgale model the managed SOC and MDR are the same European outpost, with no handover between providers.
EDR is a detection technology on the endpoint. MDR is the service that operates that technology (and more: identity, cloud, network too), correlates it with Cyber Threat Intelligence and adds the analysts who decide. EDR generates alerts, MDR manages them and closes the incident.
Yes. The service is NIS2-ready: continuous monitoring, documented detection, IOC collection for the national CSIRT notification within 24 hours and the technical documentation for follow-up filings, aligned with ISO/IEC 27001, DORA and GDPR Art. 32.
Three weeks from NDA to full protection, with security monitoring already active from Week 1 during onboarding. Five steps: Discovery, Onboarding, Provisioning, Federation, Full protection. No go-live event: protection grows from day 1 of integration.
Yes, the service is vendor-agnostic: it integrates on the platform you already use, or selects an optimal one with you. Fortgale runs MDR on Microsoft Defender, CrowdStrike Falcon, SentinelOne and 7 other leading platforms, all under a single console.
In Operation Storming Tide the Fortgale team detected and contained a multi-stage intrusion (actor Mora_001) at a European logistics organisation: data exfiltration and ransomware prevented.
Read the analysis →An AiTM attack against senior executives during an investment round was intercepted before compromise. No access was gained.
Read the case →Over 100 published analyses. Attributions corroborated by third parties such as Mandiant (Google), Amazon, SentinelOne and Huntress. European SOC, 24·7·365.
What is MDR → · Why MDR is more than a SOC → · MDR vs EDR vs XDR →
We bring the Report on your sector with the most probable adversaries and a real MDR runbook mapped to your technology stack.
No nurturing sequences, no auto-replies. One of our analysts calls you back within one business day.
The full Report (executive summary · operational IoCs · technical runbook) is restricted. Share two details and one of our analysts contacts you with access and a short technical briefing.
Response in 30 minutes, containment in 1–4 hours. Even if you are not a Fortgale customer.