A current Huntress threat hunter disclosed to a ransomware actor that law enforcement had reached out about him, and Huntress should treat the episode as a Huntress insider threat alarm, not a personnel footnote, according to The Register Security.

Huntress Insider Threat Alarm Puts Client Trust on Trial
XOOMAR Intelligence
Analyst Take
That is the hard center of this story. Huntress CEO Kyle Hanslovan says the disclosure “was not illegal” but “reflected poor judgment.” Former Huntress security operations analyst Ben Folland says it “meet[s] the definition of an insider threat.” The gap between those two phrases is where customer trust lives or dies.
“In one particular exchange, our current teammate disclosed to a threat actor that law enforcement had reached out to them about the threat actor,” Hanslovan said.
This is not a pile-on. It is a demand that a cybersecurity vendor apply the same severity to itself that it would demand from a client after sensitive information reached the wrong hands.
Huntress insider threat alarm is the right frame
Cybersecurity firms don’t sell software alone. They sell judgment under pressure. They sell discretion. They sell the promise that when their people sit near sensitive systems, attacker chatter, victim data, and law enforcement leads, those people won’t freelance with privileged information.
Hanslovan said he is aware of “questionable, long-term threat actor communications” between a Huntress threat hunter who remains employed at the firm and a cybercriminal. That alone should trigger an insider-risk lens inside any security company.
Intent matters legally. It matters for employment decisions. It matters for criminal liability. But customers care about something more immediate: whether someone with trusted access used sensitive knowledge in a way that could harm security.
That is the line Huntress risks blurring. A mistake inside a ticket queue is one thing. Warning a ransomware operator that law enforcement has reached out is different. It sits closer to access misuse than ordinary bad judgment.
A threat hunter contacting Devman crosses the core rule of defense
Threat hunters hold unusual power. They may see attacker infrastructure, victim environments, internal detections, sensitive escalations, and at times law enforcement coordination. Their work can require contact with hostile actors, but that contact cannot be casual, private, or self-directed when investigations are involved.
Devman, according to the source material, is a ransomware operator believed to be located in Russia who uses modified DragonForce code built on leaked Conti source code. Folland alleged that Devman was “actively and publicly targeting my family and me.”
The practical danger is obvious. Alerting a ransomware criminal about law enforcement interest can help that criminal change behavior, protect infrastructure, shift communications, or identify who may be cooperating. The source does not establish that any of that happened here. It does not need to. The risk is enough to demand severity.
Normal researcher contact with criminals has guardrails. There should be approvals, logging, purpose, documentation, and review. The moment law enforcement contact enters the picture, the threshold gets higher.
Recent XOOMAR coverage of Ransomware Crews Weaponize BlueHammer Vulnerability and AI Agent Turns Langflow Ransomware Attack Into Secret Hunt focused on attacker tactics. This case turns the lens inward. Defenders can become the weak point when internal controls fail to match the sensitivity of the work.
“Poor judgment” is too soft for the customer-risk signal
Hanslovan’s wording may be legally careful. It may be HR-safe. It may reflect what Huntress believes it can prove. But “poor judgment” lands badly when the alleged conduct involves passing law enforcement information to a ransomware actor.
Folland’s counterclaim is sharper. In a Tuesday LinkedIn post, he said the communications between the Huntress analyst and Devman “meet the definition of an insider threat.” He further claimed that when the FBI reached out to the Huntress employee for intel on Devman, “She immediately forwarded the exact FBI communications to the threat actor, including screenshots containing FBI agent names.”
The Register said it contacted the FBI for comment and did not receive a response. Huntress declined to comment further.
Here is the distinction customers will make:
| Huntress framing | Customer-risk framing |
|---|---|
| “Poor judgment” | A trusted employee disclosed sensitive law enforcement contact to a threat actor |
| No evidence found of illegal conduct | Legal intent is not the only security issue |
| No evidence found of insider activity | Access misuse can be an insider-risk event even without spy-movie sabotage |
| Stronger researcher policies implemented | Customers need to know what controls changed and why |
Analysis: Huntress may be correct that the known facts do not prove illegal conduct or formal insider activity. But an insider threat concern at Huntress does not require a cinematic mole selling secrets in a parking garage. It can be a trusted person using sensitive access or information in a way that undermines security.
Customers don’t just want a softer label. They want to know Huntress examined the incident through the harshest relevant lens.
Cybersecurity vendors need controls built for bad calls
Hanslovan wrote that, after the investigation, Huntress implemented stronger policies for researchers, coached teammates on engaging with threat actors, and took administrative actions. He also wrote: “While we haven't found evidence of illegal conduct, insider activity, or additional disclosures, we are continuing our investigation. Due to the privacy rights of our teammates, we will not comment further on the investigation.”
That is not enough for a trust business.
Huntress does not need to publish private personnel details. It should publish the control categories it tightened. Customers should be able to understand, at a high level, whether the company now has:
- Need-to-know access: Limits on who can view law enforcement communications and sensitive investigation material.
- Logged external contact: Required records for threat actor communications tied to company work.
- Two-person approval: Mandatory review before sensitive information is shared outside the company.
- Law enforcement rules: Clear escalation steps when an agency contacts an employee about a threat actor.
- Researcher oversight: Review of long-running contact between employees and criminals.
Employee trust is not a control. Good security firms design systems for stress, ego, curiosity, loyalty conflicts, and bad calls. If a process only works when every employee makes the perfect decision, it is not a process. It is wishful thinking.
This matters more in managed security because vendors often sit inside the nervous system of their customers. Their analysts, tools, alerts, and integrations become part of the customer’s risk profile. Internal behavior at the vendor is not an internal-only issue.
Huntress may be avoiding a premature verdict, but that cannot mean soft accountability
The strongest counterargument deserves respect. Companies must be careful with employee allegations. Intent may be disputed. Authorization may be disputed. Legal exposure may be real. Defamation risk and labor obligations can shape every sentence an executive publishes.
Cybersecurity work also gets messy. Researchers may talk to criminals, victims, brokers, law enforcement, and other researchers. Context can decide whether a message is legitimate intelligence work or reckless disclosure.
Hanslovan may be choosing narrow language because the investigation is ongoing. He said Huntress had not found evidence of illegal conduct, insider activity, or further disclosures. That matters.
But caution in legal wording should not become softness in security accountability.
A company can avoid declaring an employee an insider threat while still saying the behavior triggered insider-risk controls. It can protect privacy while describing process failures. It can decline to litigate personnel facts in public while showing customers that the firm treated the event as severe.
That is the standard Huntress should meet.
Huntress can rebuild trust by publishing what changed
The path forward is not another vague statement. Huntress should disclose, at a high level, what changed after its threat hunter alerted the ransomware actor to the law enforcement probe.
Not names. Not private HR records. Not operational secrets that would help attackers. Customers need the structure: the policy changes, access restrictions, communication review process, and customer notification standards that now apply when employees interact with threat actors or law enforcement.
Security vendors tell customers to report suspicious activity, preserve evidence, and be transparent about material risks. They should accept the same discipline when the suspicious activity is inside their own walls.
The unresolved tension is simple. Huntress says it found poor judgment but not insider activity. Folland says the conduct meets the definition of an insider threat. The FBI has not commented, according to The Register. Huntress says the investigation continues.
Until more facts emerge, every security company should treat this case as a tabletop exercise. Ask who can see law enforcement communications. Ask who can talk to criminals. Ask whether those conversations are logged. Ask what happens when someone crosses the line.
In cybersecurity, trust is not protected by careful wording. It is protected by controls, candor, and consequences.
Impact Analysis
- Cybersecurity vendors rely on customer trust that employees will safeguard sensitive threat intelligence and law enforcement information.
- The incident raises questions about how Huntress handles insider-risk behavior within its own security operations.
- How the company responds may affect customer confidence in its judgment, transparency, and internal controls.
Competing Frames for the Huntress Disclosure
| Perspective | Characterization | Implication |
|---|---|---|
| Huntress CEO Kyle Hanslovan | Disclosure was “not illegal” but showed “poor judgment” | Frames the incident as a personnel or judgment issue |
| Former Huntress analyst Ben Folland | Says it “meet[s] the definition of an insider threat” | Frames the incident as a serious internal security risk |
Sources
- [1] The Register Security
- [2] Huntress CEO says threat hunter used ‘poor judgment’ in alerting ransomware crim about law enforcement probe – CyberSwissGuards
- [3] Huntress and FBI: Huntress CEO says threat hunter used 'poor judgment' in alerting ransomware crim about law enforcement probe
- [4] Huntress CEO says threat hunter used 'poor judgment' in alerting
Written by
XOOMAR Insights Team
Research and Editorial Desk
The XOOMAR Insights Team pairs automated research with human editorial judgment. We track hundreds of sources across technology, fintech, trading, SaaS, and cybersecurity, cross-check the facts, and explain what happened, why it matters, and what to watch next. We do not just rewrite headlines. Every article is fact-checked and scored for reliability before it goes live, and we link back to the original sources so you can verify anything yourself.