RedNovember’s edge-device intrusions show why AI-led SecOps matters. Learn how to detect, prioritize, and respond faster to APT-style campaigns.

RedNovember shows why AI-led SecOps wins on edge attacks
RedNovember isn’t winning because it has exotic malware. It’s winning because it’s fast, opportunistic, and really good at turning other people’s perimeter devices into its front door.
Recorded Future’s Insikt Group assesses RedNovember as highly likely a Chinese state-sponsored cyber-espionage group (previously TAG-100, overlapping with Storm-2077). Between June 2024 and July 2025, the group blended weaponized proof-of-concept (PoC) exploits with mostly open-source tooling—then aimed that combo at the most common choke points in government and defense networks: VPNs, firewalls, load balancers, and internet-facing email portals.
This post is part of our AI in Defense & National Security series, and I’m going to take a firm stance: if your detection and response around edge infrastructure isn’t AI-assisted, you’re volunteering to be late. RedNovember is a clean case study of why.
RedNovember’s playbook: scale first, precision later
Answer first: RedNovember succeeds by scanning widely for exposed edge services, exploiting quickly after PoC release, and using reliable commodity frameworks (Pantegana, Cobalt Strike, SparkRAT) to establish control.
A lot of teams still picture cyber-espionage as bespoke malware and stealthy implants. The reality here is simpler: RedNovember repeatedly targeted perimeter appliances and external portals because they offer three advantages:
- They’re exposed by design. A VPN gateway has to be reachable.
- They’re under-monitored. Logging is often thin, fragmented, or not forwarded.
- They’re patch-lag magnets. Ops friction, maintenance windows, and vendor complexity add time.
Insikt Group observed RedNovember reconnoitering and likely compromising edge devices and services including SonicWall, Cisco ASA, F5 BIG-IP, Palo Alto Networks GlobalProtect, Sophos SSL VPN, Fortinet FortiGate, Outlook Web Access (OWA), and Ivanti Connect Secure (ICS).
The pattern that matters for defenders isn’t just “they scanned.” It’s the tempo:
- Vulnerability disclosed
- PoC published
- Surge targeting begins
- Follow-on tooling appears (C2, loaders, remote admin)
That tempo is exactly where AI-driven threat detection and automated security operations outperform human-only triage.
Why open-source tooling changes the defensive math
Answer first: Open-source backdoors and frameworks reduce attacker cost and increase attacker scale, which forces defenders to respond with automation and behavior-based detection.
RedNovember leaned on:
- Pantegana (Go-based backdoor / C2 framework)
- Cobalt Strike (post-exploitation framework)
- SparkRAT (open-source RAT)
- LESLIELOADER (Go-based loader used to load SparkRAT and Cobalt Strike in memory)
This mix has two big implications:
- Attribution gets messy. Commodity tools blur fingerprints.
- Detection can’t rely on “known bad malware.” You need to spot behaviors: unusual outbound beacons, anomalous admin access, suspicious device-to-internet traffic patterns, and lateral movement precursors.
That’s an AI problem—because the volume of edge telemetry and the variability of “normal” across agencies, bases, and contractors quickly overwhelms manual analysis.
Why government and defense are in the blast radius
Answer first: RedNovember’s targeting reflects intelligence collection priorities—diplomacy, defense industrial base (DIB), aerospace, space research, and strategically important regions.
Insikt Group identified likely victims spanning:
- Government ministries and directorates across multiple regions
- Intergovernmental organizations in Southeast Asia
- US defense contractors (at least two likely compromised)
- European aerospace/manufacturing entities
- Space-focused research organizations
- Law firms and media (often high-value for policy, negotiation, and narrative insights)
The story isn’t “they targeted everything.” It’s that they targeted what connects to national power:
- Defense production and engineering know-how
- Foreign policy communications
- Space and aerospace R&D
- Semiconductor-related research ecosystems
And they did it using access paths that many organizations still treat as “network plumbing.”
Edge devices are strategic targets because they’re strategic dependencies
Answer first: VPNs, firewalls, and email portals sit at the intersection of identity, remote access, and trusted traffic—compromising them collapses multiple security layers at once.
In defense and national security environments, edge devices are more than IT:
- They enable coalition connectivity.
- They support surge operations and remote work.
- They’re often shared across enclaves.
When an edge device is compromised, defenders frequently lose:
- Visibility (limited telemetry)
- Integrity (tampered configs, malicious rules)
- Containment speed (rebuild/replace is slower than patching an endpoint)
That’s why this campaign maps so cleanly to the AI-in-security argument: humans are good at investigating; AI is good at noticing first.
Where AI-driven security operations actually helps (and where it doesn’t)
Answer first: AI helps most when it’s used to detect anomalies, connect weak signals across tools, and automate first-response actions—especially at the edge.
AI won’t magically patch your VPN. It won’t replace good architecture. But for RedNovember-style operations, it can materially reduce dwell time and triage load.
Here are the AI use cases I’d prioritize if you’re defending government, defense contractors, or critical tech.
1) Behavior-based anomaly detection for edge infrastructure
Answer first: Use AI models to baseline “normal” edge device behavior and alert on deviations tied to exploitation and C2.
Examples of edge anomalies worth modeling:
- New outbound destinations from VPN/firewall management planes
- Unexpected egress from appliances that usually don’t initiate connections
- Sudden spikes in auth failures followed by successful logins
- Configuration changes outside maintenance windows
- Rare admin accounts authenticating from unusual geographies
Because RedNovember used common frameworks, network behavior becomes the differentiator—not malware family names.
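To make the list above concrete, here is an added example (my own code, not part of the original post or of any vendor's product) that runs three of those checks over constructed edge telemetry: a per-device egress baseline that flags new outbound destinations, a failure burst followed by a successful login, and a configuration commit outside the maintenance window. The pipe-delimited log schema, the device names, the inventory list and all IP addresses are constructed assumptions; a device that is in inventory but never sends telemetry is reported as a visibility gap rather than silently scored as "normal".

```python
"""Behaviour-based anomaly checks for edge appliances (added example, not the post's or any vendor's code).
Telemetry and the pipe-delimited schema are constructed assumptions:
  flow|ts|device|dst_ip|dst_port     outbound connection initiated by the appliance
  auth|ts|device|user|result|geo     admin/portal login attempt
  config|ts|device|user|change       configuration commit
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

EDGE_INVENTORY = ["vpn-gw-1", "fw-core-1", "owa-1"]  # assumed list of internet-facing devices

CONSTRUCTED_LOGS = """\
flow|2025-03-01T09:00:00|vpn-gw-1|203.0.113.10|443
flow|2025-03-01T09:05:00|vpn-gw-1|198.51.100.7|53
flow|2025-03-02T10:00:00|vpn-gw-1|203.0.113.10|443
flow|2025-03-01T08:00:00|fw-core-1|198.51.100.7|53
config|2025-03-02T23:00:00|fw-core-1|netops|rule-update
auth|2025-03-03T03:00:00|vpn-gw-1|svc-backup|fail|US
auth|2025-03-03T03:01:00|vpn-gw-1|svc-backup|fail|US
auth|2025-03-03T03:02:00|vpn-gw-1|svc-backup|fail|US
auth|2025-03-03T03:03:00|vpn-gw-1|svc-backup|fail|US
auth|2025-03-03T03:04:00|vpn-gw-1|svc-backup|fail|US
auth|2025-03-03T03:04:30|vpn-gw-1|svc-backup|success|US
config|2025-03-03T03:06:00|vpn-gw-1|svc-backup|add-local-admin
flow|2025-03-03T03:10:00|vpn-gw-1|192.0.2.55|8443
flow|2025-03-03T09:00:00|vpn-gw-1|203.0.113.10|443
"""


def parse(text):
    events = []
    for line in text.strip().splitlines():
        kind, ts, device, *rest = line.split("|")
        events.append({"kind": kind, "ts": datetime.fromisoformat(ts), "device": device, "fields": rest})
    return sorted(events, key=lambda e: e["ts"])


def build_egress_baseline(events, learn_until):
    """Destinations each appliance contacted during the learning window."""
    baseline = defaultdict(set)
    for e in events:
        if e["kind"] == "flow" and e["ts"] < learn_until:
            baseline[e["device"]].add(tuple(e["fields"]))
    return baseline


def detect_new_egress(events, baseline, learn_until, inventory):
    """New outbound destinations after the learning window. A device with no history at all
    gets every destination flagged; a device that never logs anything is a visibility gap."""
    seen = {e["device"] for e in events}
    findings = [("visibility_gap", d, "inventoried edge device sends no telemetry") for d in inventory if d not in seen]
    for e in events:
        if e["kind"] == "flow" and e["ts"] >= learn_until and tuple(e["fields"]) not in baseline[e["device"]]:
            ip, port = e["fields"]
            findings.append(("new_egress", e["device"], f"new destination {ip}:{port} at {e['ts'].isoformat()}"))
    return findings


def detect_spray_then_success(events, window=timedelta(minutes=10), threshold=5):
    """A burst of failures for one account followed by a success on the same device."""
    findings = []
    failures = defaultdict(deque)  # (device, user) -> failure timestamps inside the window
    for e in events:
        if e["kind"] != "auth":
            continue
        user, result, geo = e["fields"]
        q = failures[(e["device"], user)]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if result == "fail":
            q.append(e["ts"])
        elif result == "success" and len(q) >= threshold:
            findings.append(("spray_then_success", e["device"], f"{user}: {len(q)} failures then success from {geo}"))
            q.clear()
    return findings


def detect_offhours_config_change(events, window_start=22, window_end=2):
    """Config commits outside the maintenance window (hours, UTC; the window may wrap midnight)."""
    findings = []
    for e in events:
        if e["kind"] != "config":
            continue
        h = e["ts"].hour
        in_window = (h >= window_start or h < window_end) if window_start > window_end else (window_start <= h < window_end)
        if not in_window:
            user, change = e["fields"]
            findings.append(("offhours_config", e["device"], f"{user} committed '{change}' at {e['ts'].isoformat()}"))
    return findings


def run_all(text=CONSTRUCTED_LOGS, inventory=EDGE_INVENTORY, learn_until=datetime(2025, 3, 3)):
    events = parse(text)
    baseline = build_egress_baseline(events, learn_until)
    return (detect_new_egress(events, baseline, learn_until, inventory)
            + detect_spray_then_success(events)
            + detect_offhours_config_change(events))


if __name__ == "__main__":
    for kind, device, detail in run_all():
        print(f"{kind:20} {device:10} {detail}")
```

On the constructed data this yields four findings: `owa-1` as a visibility gap, the new `192.0.2.55:8443` destination from `vpn-gw-1`, the five-failures-then-success sequence for `svc-backup`, and the 03:06 config commit outside the 22:00 to 02:00 window; the `fw-core-1` rule update at 23:00 is inside the window and stays quiet. The point of the design is that none of the three checks needs a malware family name: each one keys on what the appliance did, which is the only signal that survives when the tooling is Pantegana or Cobalt Strike.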
2) AI-assisted threat intelligence correlation
Answer first: AI can continuously correlate external threat intelligence with internal telemetry to prioritize what matters today, not last quarter.
The report highlights a recurring operational reality: PoC publication triggers exploitation waves. An AI-assisted pipeline can:
- Monitor vulnerability and exploit chatter
- Match it to your asset inventory (which edge devices do you actually run?)
- Elevate patch priority when exploitation is active
- Generate detection content (queries, rules, watchlists) tuned to your environment
This is where many programs fail: they treat vulnerability management and detection engineering as separate. RedNovember punishes that separation.
3) Automated containment for “edge is acting weird” events
Answer first: Automation should handle the first 5–15 minutes: isolate, snapshot, preserve evidence, and block known bad—while humans investigate.
For edge incidents, the right automation is cautious but decisive:
- Temporarily restrict management access to a break-glass subnet
- Block outbound traffic to known suspicious destinations (after validation)
- Trigger credential resets for privileged accounts used on the device
- Create a forensic snapshot of configs and volatile data (where possible)
- Open a case with pre-filled context: device role, changes, recent logins, related alerts
The goal isn’t “auto-remediate everything.” It’s to stop the bleeding and preserve the signal.
A practical rule: if a perimeter device is compromised, your response clock is measured in minutes—not days.
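The five containment steps above read as a procedure, so here is an added example of them as runbook-as-code (my own code, not part of the original post or of any SOAR product). It builds a dry-run plan: ordered action records a SOAR would execute, each temporary restriction carrying an expiry so a human must extend or roll it back, an outbound block only for destinations corroborated by threat intel (the "after validation" caveat), credential resets for the privileged accounts seen on the device, and a case pre-filled with the context listed in the post. The break-glass subnet, hold time, alert fields and intel list are constructed assumptions.

```python
"""Dry-run containment plan for the first minutes of a suspected edge-device compromise.
Added example, not code from the post or any SOAR product. It emits ordered, time-bound
action records and a pre-filled case; subnet, hold time, alert fields and intel list are
constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

BREAK_GLASS_SUBNET = "10.99.0.0/24"  # assumed: jump hosts that keep management access during containment
HOLD = timedelta(minutes=60)         # assumed: automatic actions expire unless a human extends them


@dataclass
class EdgeAlert:
    device: str
    role: str
    outbound_dests: list       # destinations the anomaly engine flagged
    privileged_accounts: list  # accounts that authenticated to the device recently
    recent_changes: list
    related_alerts: list


def build_plan(alert, intel_blocklist, now):
    """Return (actions, case). Outbound blocks are emitted only for destinations corroborated
    by threat intel; the rest go to the case as 'needs validation' for the analyst."""
    expires = now + HOLD
    actions = [
        {"step": 1, "action": "restrict_mgmt_access", "device": alert.device,
         "allow_from": BREAK_GLASS_SUBNET, "expires": expires},
        {"step": 2, "action": "snapshot", "device": alert.device,
         "items": ["running-config", "startup-config", "session-table", "process-list"]},
    ]
    validated = [d for d in alert.outbound_dests if d in intel_blocklist]
    unvalidated = [d for d in alert.outbound_dests if d not in intel_blocklist]
    actions += [{"step": 3, "action": "block_outbound", "device": alert.device, "dst": d, "expires": expires}
                for d in validated]
    actions += [{"step": 4, "action": "reset_credential", "account": a, "force_reauth": True}
                for a in alert.privileged_accounts]
    case = {
        "title": f"Suspicious edge behaviour on {alert.device} ({alert.role})",
        "opened": now, "device": alert.device, "role": alert.role,
        "recent_changes": alert.recent_changes, "related_alerts": alert.related_alerts,
        "privileged_accounts": alert.privileged_accounts,
        "blocked": validated, "needs_validation": unvalidated,
        "auto_actions_expire": expires,
    }
    actions.append({"step": 5, "action": "open_case", "title": case["title"]})
    return actions, case


def due_for_review(actions, now):
    """Time-bound actions that have reached expiry: extend or roll back explicitly, never silently."""
    return [a for a in actions if "expires" in a and a["expires"] <= now]


def example():
    """Constructed alert: one flagged destination is on the intel list, one is not."""
    now = datetime(2025, 3, 3, 3, 12)
    alert = EdgeAlert("vpn-gw-1", "remote-access gateway", ["192.0.2.55", "203.0.113.99"],
                      ["svc-backup", "netops"], ["add-local-admin 03:06"],
                      ["spray_then_success", "offhours_config"])
    actions, case = build_plan(alert, intel_blocklist={"192.0.2.55"}, now=now)
    return actions, case, due_for_review(actions, now + timedelta(minutes=61))


if __name__ == "__main__":
    actions, case, due = example()
    for a in actions:
        print(a)
    print("needs validation:", case["needs_validation"], "| due for review:", [a["action"] for a in due])
```

The two design points worth copying are the expiry on every automatic restriction, which keeps "stop the bleeding" from quietly becoming "cut off the site", and the split between blocked and needs-validation destinations, which is how you get decisive first-minute action without automation blocking a legitimate update server on the strength of a single anomaly.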
Lessons from RedNovember: a defensive checklist you can act on this week
Answer first: Focus on edge exposure reduction, exploit-speed patching, and AI-assisted monitoring that treats perimeter devices like high-value assets.
This is the part most teams skip because it’s unglamorous. Don’t skip it.
Prioritize what RedNovember keeps going after
Start by listing every internet-facing instance of:
- VPN gateways (ICS, GlobalProtect, FortiGate, Sophos, SonicWall)
- Firewalls/load balancers (Cisco ASA, F5 BIG-IP)
- Email portals (OWA)
- Virtualization or remote access front ends (VDI portals)
Then answer two blunt questions:
- Do we have reliable logs off the device?
- Can we detect unusual outbound traffic from it?
If either answer is “no,” that device is a visibility gap attackers will exploit.
Build a “PoC-to-protection” sprint motion
RedNovember’s surge targeting after PoC release should push you toward a formal motion:
- Exploit becomes public
- Confirm exposure (asset + version)
- Apply compensating controls within 24 hours (WAF/IPS rules, access restrictions)
- Patch within your risk window (often 72 hours for exposed edge)
- Add detection content and validate it against telemetry
AI can help here by ranking the patch queue based on real exploitation signals and your exposure.
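The correlation pipeline described under "2) AI-assisted threat intelligence correlation" and the PoC-to-protection sprint above are the same data problem: match an exploit-activity signal to the devices you actually run, then rank and deadline the work. Here is an added example of that ranking (my own code, not the post's, Recorded Future's or any vendor's). The feed entries, product and version strings, identifiers, urgency weights and exposure multiplier are constructed assumptions; the 24-hour and 72-hour deadlines follow the sprint motion in the post. It also shows the other half of the filter: a feed entry for a product that is not in inventory is returned as noise to suppress, not as patch work.

```python
"""PoC-to-protection ranking: match exploit-activity signals to the edge devices you actually run.
Added example, not code from the post, Recorded Future or any vendor. Feed entries, products,
version strings, identifiers, weights and SLAs are constructed assumptions (the 24 h / 72 h
targets follow the sprint motion in the post)."""
from datetime import datetime, timedelta

STATUS_WEIGHT = {"disclosed": 1, "poc_public": 3, "exploitation_active": 5}  # assumed urgency scale

# Constructed feed; 'fixed_in' is the first version that is not affected.
FEED = [
    {"id": "VULN-EXAMPLE-1", "product": "vpn-gw-vendor-a", "fixed_in": "9.1.5",
     "status": "exploitation_active", "seen": "2025-03-03T08:00:00"},
    {"id": "VULN-EXAMPLE-2", "product": "lb-vendor-b", "fixed_in": "17.1.2",
     "status": "poc_public", "seen": "2025-03-02T12:00:00"},
    {"id": "VULN-EXAMPLE-3", "product": "mail-portal-vendor-c", "fixed_in": "2.0.0",
     "status": "disclosed", "seen": "2025-03-01T00:00:00"},
    {"id": "VULN-EXAMPLE-4", "product": "fw-vendor-d", "fixed_in": "7.0.3",
     "status": "exploitation_active", "seen": "2025-03-03T09:00:00"},
]

# Constructed inventory: product + version is what makes the feed actionable.
ASSETS = [
    {"name": "vpn-gw-1", "product": "vpn-gw-vendor-a", "version": "9.1.3", "internet_facing": True},
    {"name": "vpn-gw-lab", "product": "vpn-gw-vendor-a", "version": "9.1.3", "internet_facing": False},
    {"name": "lb-edge-1", "product": "lb-vendor-b", "version": "17.1.2", "internet_facing": True},
    {"name": "owa-1", "product": "mail-portal-vendor-c", "version": "1.9.0", "internet_facing": True},
]


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def is_affected(asset, entry):
    return (asset["product"] == entry["product"]
            and parse_version(asset["version"]) < parse_version(entry["fixed_in"]))


def rank_patch_queue(feed=FEED, assets=ASSETS, control_sla_hours=24, patch_sla_hours=72):
    """One queue item per (affected asset, feed entry), ranked by exploitation status x exposure.
    Deadlines are anchored to when the signal was seen, not to when someone reads the ticket."""
    queue = []
    for entry in feed:
        seen = datetime.fromisoformat(entry["seen"])
        for asset in assets:
            if not is_affected(asset, entry):
                continue
            exposure = 2 if asset["internet_facing"] else 1
            queue.append({
                "asset": asset["name"], "vuln": entry["id"], "status": entry["status"],
                "score": STATUS_WEIGHT[entry["status"]] * exposure,
                "controls_due": seen + timedelta(hours=control_sla_hours),
                "patch_due": seen + timedelta(hours=patch_sla_hours),
                # Detection content that follows the ranking: elevated egress monitoring on this host.
                "watchlist": f"egress-from:{asset['name']}",
            })
    return sorted(queue, key=lambda q: (-q["score"], q["patch_due"]))


def unmatched_feed(feed=FEED, assets=ASSETS):
    """Feed entries for products not in inventory: suppress as noise rather than open patch work."""
    products = {a["product"] for a in assets}
    return [e["id"] for e in feed if e["product"] not in products]


if __name__ == "__main__":
    for item in rank_patch_queue():
        print(item["score"], item["asset"], item["vuln"], item["status"], "patch by", item["patch_due"])
    print("not in inventory:", unmatched_feed())
```

On the constructed data the internet-facing `vpn-gw-1` with active exploitation lands at the top, the lab copy of the same appliance ranks below it, `lb-edge-1` drops out because it already runs the fixed version, and `VULN-EXAMPLE-4` is reported as not applicable. The useful habit here is that the same row that ranks the patch also emits the watchlist entry, which is the vulnerability-management and detection-engineering separation the post warns about, closed in one step.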
Treat spearphishing as the second door, not the first
While edge exploitation is prominent, Insikt Group also documented spearphishing lures and malicious documents, including content tied to Follina exploitation and typosquatted domains.
For defense and national security organizations, that means:
- Tighten attachment and link detonation policies for high-risk roles
- Monitor for in-memory loader behavior (such as LESLIELOADER patterns)
- Use AI to classify unusual document execution chains, not just known signatures
What to do if you think RedNovember is testing your perimeter
Answer first: Assume your edge device is part of the incident scope, preserve evidence, and hunt for C2-like traffic and follow-on access.
If you see reconnaissance-like behavior (scans, unusual web requests to portals, repeated auth attempts), don’t wait for a confirmed compromise.
Action steps that work in real environments:
- Verify software versions and patch status for exposed appliances immediately
- Review admin logins and config changes for the last 30 days
- Hunt for abnormal outbound connections from edge devices
- Check for new local users, API tokens, or authentication bypass indicators
- Segment management interfaces and enforce MFA where supported
- Increase alerting for post-exploitation behaviors (new services, scheduled tasks, web shells)
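As an added example of the retrospective part of that list (my own code, not part of the original post or of any vendor's tooling), here is a 30-day hunt over an appliance's audit log: it builds each admin's login-geography history from before the window, then flags logins from a new geography or from an account with no prior history, newly created local users, new API tokens, and configuration commits made by an account that was itself created inside the window. The JSON-lines schema, device and account names, token id and country codes are constructed assumptions.

```python
"""Thirty-day retrospective hunt over an edge appliance's audit log (added example, not from the post).
Audit records are constructed JSON lines; field names are assumptions, not a vendor schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

CONSTRUCTED_AUDIT = """\
{"ts": "2025-01-15T09:00:00", "device": "vpn-gw-1", "event": "user_create", "user": "netops", "target": "auditor", "role": "readonly"}
{"ts": "2025-02-01T08:00:00", "device": "vpn-gw-1", "event": "admin_login", "user": "netops", "geo": "US"}
{"ts": "2025-02-10T08:00:00", "device": "vpn-gw-1", "event": "admin_login", "user": "netops", "geo": "US"}
{"ts": "2025-02-20T08:00:00", "device": "vpn-gw-1", "event": "admin_login", "user": "netops", "geo": "US"}
{"ts": "2025-03-01T08:00:00", "device": "vpn-gw-1", "event": "admin_login", "user": "netops", "geo": "CA"}
{"ts": "2025-03-03T03:05:00", "device": "vpn-gw-1", "event": "admin_login", "user": "svc-backup", "geo": "ZZ"}
{"ts": "2025-03-03T03:06:00", "device": "vpn-gw-1", "event": "user_create", "user": "svc-backup", "target": "support_tmp", "role": "admin"}
{"ts": "2025-03-03T03:07:00", "device": "vpn-gw-1", "event": "api_token_create", "user": "support_tmp", "token_id": "tok-constructed-1"}
{"ts": "2025-03-03T03:08:00", "device": "vpn-gw-1", "event": "config_commit", "user": "support_tmp", "summary": "auth-profile-change"}
"""


def load(text):
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def hunt(events, now, days=30):
    """Return (kind, where, detail) findings for the last `days` days, judged against earlier history."""
    start = now - timedelta(days=days)
    history = [e for e in events if e["ts"] < start]
    window = [e for e in events if e["ts"] >= start]
    known_geo = defaultdict(set)  # where each admin logged in from before the hunt window
    for e in history:
        if e["event"] == "admin_login":
            known_geo[e["user"]].add(e["geo"])
    findings, new_accounts = [], set()
    for e in window:
        where = f"{e['device']} {e['ts'].isoformat()}"
        if e["event"] == "user_create":
            new_accounts.add(e["target"])
            findings.append(("new_local_user", where, f"{e['user']} created {e['target']} ({e['role']})"))
        elif e["event"] == "api_token_create":
            findings.append(("new_api_token", where, f"{e['user']} created token {e['token_id']}"))
        elif e["event"] == "admin_login":
            if e["user"] not in known_geo:
                findings.append(("admin_login_no_history", where, f"{e['user']} from {e['geo']}: no prior admin logins"))
            elif e["geo"] not in known_geo[e["user"]]:
                findings.append(("admin_login_new_geo", where,
                                 f"{e['user']} from {e['geo']}, previously {sorted(known_geo[e['user']])}"))
        elif e["event"] == "config_commit" and e["user"] in new_accounts:
            # An account created inside the window is already changing the device: chain worth a look.
            findings.append(("config_by_new_account", where, f"{e['user']} committed '{e['summary']}'"))
    return findings


def run(now=datetime(2025, 3, 10), days=30):
    return hunt(load(CONSTRUCTED_AUDIT), now, days)


if __name__ == "__main__":
    for kind, where, detail in run():
        print(f"{kind:24} {where}  {detail}")
```

With `now` set to 2025-03-10 the hunt returns five findings and correctly ignores the `auditor` account created in January, because it predates the window. The chained `config_by_new_account` finding is the one to read first: a login with no history, a new admin account, a token, and a config change within three minutes is the kind of sequence that is invisible when each event is triaged on its own.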
If your team is already using AI in cybersecurity operations, this is where it pays off: correlating weak signals across firewall logs, VPN auth, DNS, proxy, and endpoint activity—fast.
Where this goes next for AI in Defense & National Security
RedNovember is a reminder that modern cyber-espionage often looks like operations at scale: exploit waves, commodity tooling, and rapid pivots into whatever edge device is easiest this week.
That creates a clear mandate for defense and national security programs: pair threat intelligence with AI-driven detection and automation so you can react at machine speed—then investigate at human depth.
If you’re assessing your 2026 security roadmap right now, ask yourself one pointed question: when the next PoC drops for a widely deployed VPN or firewall, will your program know you’re exposed, deploy detections, and contain suspicious behavior inside the first hour—or will you find out after data has already moved?