Iranian Cyber Threats, AI Agent Risks & Detection Lessons from the Frontline Security Engineer

This week, we explore the latest on Iranian nation-state threats escalate against US infrastructure while AWS enhances threat intelligence automation and Google releases new AI security frameworks. We also learn practical approaches to building detection and response pipelines from scratch in cloud-native environments, featuring insights from security engineer from Lime, Geet Pradhan on scaling security operations with limited resources.

Hello from the Cloud-verse!

This week’s Cloud Security Newsletter Topic is - Building Cloud Detection Pipelines - What Lime’s Security Lead Learned from Scratch! (continue reading) 

This image was generated by AI. It's still experimental, so it might not be a perfect match!

Incase, this is your 1st Cloud Security Newsletter! You are in good company!
You are reading this issue along with your friends and colleagues from companies like Netflix, Citi, JP Morgan, Linkedin, Reddit, Github, Gitlab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc & more who subscribe to this newsletter, who like you want to learn what’s new with Cloud Security each week from their industry peers like many others who listen to Cloud Security Podcast & AI Security Podcast every week.

Welcome to this week's edition of the Cloud Security Newsletter!

This week brings heightened cybersecurity concerns as the Department of Homeland Security issued a terrorism advisory warning of increased Iranian cyber threats targeting US networks, while major cloud providers continue advancing their security capabilities. AWS unveiled significant threat intelligence integrations at re:Inforce 2025, and Google DeepMind released new frameworks for securing AI deployments against prompt injection attacks.

Against this backdrop of evolving threats and advancing defensive capabilities, we dive deep into the practical challenges of building detection and response pipelines in cloud environments. Our featured expert, Geet Pradhan, Senior Security Engineer at Lime, shares hard-earned lessons from building a complete SecOps pipeline from scratch, offering invaluable guidance for security professionals navigating similar challenges in distributed, cloud-native organizations.

📰 THIS WEEK'S SECURITY NEWS

⚠️ National Terrorism Advisory Warns of Iranian Cyber Threats

The Department of Homeland Security issued an advisory on June 22, 2025, warning that ongoing Iran conflict is creating a heightened threat environment in the United States. The advisory specifically mentions that low-level cyber attacks against US networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against US networks.

Why This Matters: This represents an active, government-confirmed escalation in nation-state cyber threat levels targeting US infrastructure. The advisory specifically mentions cyber threats alongside physical terrorism concerns, indicating a multi-vector threat landscape. Cloud security teams should expect increased reconnaissance and attack attempts against critical infrastructure, especially in sectors supporting government operations. This necessitates enhanced monitoring of east-west traffic and unusual authentication patterns—exactly the type of comprehensive visibility that requires robust detection and response pipelines.

☁️ AWS re:Inforce 2025 Unveils Major Security Platform Updates

At AWS re:Inforce 2025 (June 16-18), AWS announced additional security capabilities focused on simplifying security at scale, including a new Network Firewall managed rule group that offers protection against active threats relevant to workloads in AWS. The feature uses the Amazon threat intelligence system MadPot to continuously track attack infrastructure, including malware hosting URLs, botnet command and control servers, and crypto mining pools.

Why This Matters: These updates represent AWS's commitment to automated threat intelligence integration and simplified security management at scale. The MadPot threat intelligence integration provides real-time IOC feeds directly into network security controls, reducing the gap between threat discovery and protection deployment. For cloud architects, the simplified WAF console and automated certificate provisioning through CloudFront integration significantly reduces configuration complexity while maintaining security standards. This aligns perfectly with the need for scalable detection pipelines that can handle the dynamic nature of cloud environments.

♻️ Google DeepMind Releases AI Security Framework for Prompt Injection

Google DeepMind unveiled a new security framework for protecting models against indirect prompt injection—a threat where bad actors manipulate instructions given to an LLM. This takes on new consequences in an agentic world, where attackers could trick an AI agent into exfiltrating internal documents by embedding hidden instructions in seemingly normal emails or calendar invites.

Why This Matters: As organizations rapidly deploy AI agents with access to sensitive cloud resources, prompt injection represents a new attack vector for data exfiltration and privilege escalation. About 14% of data loss incidents so far in 2025 involved employees accidentally sharing sensitive corporate information with third-party generative AI tools, highlighting the urgent need for AI security controls in enterprise environments. This framework provides the first systematic approach to securing agentic AI deployments in cloud environments—yet another log source and detection use case that security teams must integrate into their pipelines.

CLOUD SECURITY TOPIC OF THE WEEK

Building Cloud Detection Pipelines - What Lime’s Security Lead Learned from Scratch! 

How do you build a comprehensive security detection and response capability when starting from zero in a distributed, multi-cloud environment?

This week's focus examines the practical realities of constructing effective SecOps pipelines that can scale across hundreds of AWS accounts, integrate diverse log sources, and provide actionable alerts without overwhelming small security teams.

Definitions and Core Concepts 📚

Before diving into our insights, let's clarify some key terms:

  • Detection and Response Pipeline: An end-to-end system for ingesting logs and events, identifying malicious or anomalous activity, and enabling security teams to respond effectively. In cloud environments, this includes API-driven log aggregation, automated alerting, and distributed notification systems.

  • SIEM (Security Information and Event Management): A platform that provides real-time analysis of security alerts generated by applications and network hardware, serving as the central aggregation point for security logs.

  • GuardDuty: AWS's threat detection service that uses machine learning to analyze CloudTrail logs, DNS logs, and VPC Flow Logs to identify malicious activity.

  • Sigma Rules: An open-source standard for writing detection rules in a vendor-agnostic format, allowing security teams to share and adapt detection logic across different SIEM platforms.

  • Alert Fatigue: The phenomenon where security analysts become overwhelmed by the volume of security alerts, leading to decreased responsiveness and potential oversight of genuine threats.

This week's issue is sponsored by Material Security

Protect Your Google Workspace with Purpose-Built Security

Your Google Workspace is the backbone of your business, yet most teams use security tools that weren’t designed to protect it.

Material Security changes that. Built specifically for Google Workspace, Material is a detection and response platform that protects Gmail, Google Drive, and accounts by proactively eliminating security gaps, stopping misconfigurations, and preventing shadow IT before they turn into costly problems.

With real-time monitoring and automatic fixes, Material keeps your workspace secure with minimal effort, reducing human error and freeing up your team to focus on work that matters.

💡Our Insights from this Practitioner 🔍

1 - The Reality of Starting from Scratch

Geet Pradhan's experience at Lime provides great insights into the practical challenges of building detection and response capabilities in modern cloud environments. As he explains: "Detection response, …, you need to be able to identify what is going wrong or anomalous or just something weird in your environment, and then responding to it. It is one of the cornerstones of security, in my opinion."

The complexity of implementation lies in the challenges, especially when dealing with cloud-native architectures that span multiple platforms and generate massive volumes of logs. Geet faced the common challenge of building comprehensive visibility without unlimited resources, a reality most security professionals will recognize.

2- The Critical Importance of Log Source Prioritization

One of the most valuable insights from Geet's experience is his approach to identifying which log sources to prioritize. Rather than following generic checklists, he advocates for a business-driven approach: "This is not a prescriptive solution. It is different for every company. Some companies who really need visibility into a particular thing. For example, we needed a lot of visibility into our administrative actions on our cloud."

This strategic thinking becomes crucial when facing the overwhelming array of potential log sources in modern cloud environments. Geet recommends starting with compliance frameworks that already exist within organizations: "Most companies have some sort of compliance that's going on in the company... find the person who's doing this because they've already done the hard part for you, they've already identified the systems or the applications or the resources in scope."

This approach provides both technical guidance (which systems to monitor) and business justification (compliance requirements), making it easier to secure resources and prioritization from leadership.

3 - Solving the Remote Workforce Challenge

Traditional SIEM implementations assume security analysts are always at their desks with full access to security platforms. Geet discovered this assumption doesn't work for distributed, global organizations: "What I didn't like is, hey, I cannot always log into the SIEM and it's annoying sometimes... In a remote workforce, there's some trust, you have to have some trust."

Their solution of pushing alerts to messaging platforms like Slack represents more than just a convenience feature. It acknowledges the human reality of security operations and builds systems that work with, rather than against, how teams actually operate. This approach enables faster initial triage and reduces the friction in security response workflows.

4 - The Art of Building Security Culture

Perhaps the most challenging aspect of implementing detection and response capabilities isn't technical - it's cultural. Geet emphasizes the critical importance of building relationships across the organization: "One of the things which you also need to in security, which I always talk about is hey, you need to be friends with everyone. Because they're gonna think of you as the police. You need to change that."

This insight reflects a mature understanding of security's role in modern organizations. Rather than acting as gatekeepers, effective security teams become enablers who understand business needs and provide guardrails that allow innovation while maintaining security posture.

The practical application of this philosophy shows up in their "Yes, and..." approach to security requests: "We have a mindset of saying, hey, let's not say no. We'll say yes and... So you wanna do something? Yes, sure. We're not gonna say no. But if you wanna do it, here's guardrail 1, 2, 3, 4, 5."

5 - Scaling Detection Logic Without Overwhelming Teams

One of the practical challenges Geet addresses is the balance between comprehensive monitoring and manageable alert volumes. His team learned this lesson through experience: "If you alert too much, what are you gonna do? You're gonna, you're not gonna sleep. And if you don't alert, you're gonna be like, oh, the world is great as we're the most secure company and there's actually a breach going on."

This "Goldilocks principle" of alerting requires careful tuning and continuous refinement. Geet recommends starting with a very small set of critical applications rather than trying to monitor everything at once: "Identify your P zeros... tier one applications... don't make them a 35 applications list. Make them 1, 2, 5, and start with that."

6 - Leveraging Existing Teams and Infrastructure

Rather than building everything from scratch, Geet leveraged existing organizational capabilities: "Your SRE org, your infrastructure org deals with this exact problem every day... we're asking them, saying, hey, I'm concerned about my export webhook to my particular workflow or automation platform... How have you solved that?"

This approach recognizes that security teams don't need to become experts in every aspect of system design and operations. Instead, they can focus on the security-specific aspects while leveraging existing expertise for scalability, reliability, and operational concerns.

Practical Implementation Milestones

For security professionals looking to implement similar capabilities, Geet offers a clear progression of milestones:

  1. Identify log sources you want to ingest - Focus on business-critical applications first

  2. Figure out ingestion methods - Not all log sources have easy API integrations

  3. Implement initial detection rules - Start with community-developed rules from Sigma, Elastic, or Splunk libraries

  4. Establish notification workflows - Ensure alerts reach the right people through channels they actually monitor

  5. Develop response procedures - Know who can act on alerts and how to reach them

Crucially, Geet emphasizes that these milestones should progress in parallel rather than sequentially: "As a single person, doing all this in parallel... there's no point if you don't know how to respond. There's no point if you don't know the alerts."

Question for you? (Reply to this email)

What would you start first with when building Detection Pipelines i a Cloud Native Environment?

Next week, we'll explore another critical aspect of cloud security. Stay tuned!

We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe and Welcome to the new members in tis newsletter community💙

Peace!

Was this forwarded to you? You can Sign up here, to join our growing readership.

Want to sponsor the next newsletter edition! Lets make it happen

Have you joined our FREE Monthly Cloud Security Bootcamp yet?

checkout our sister podcast AI Security Podcast