01
Emerging Threats
Expertise in zero-day exploitation and edge device security, including high-profile campaigns targeting Ivanti and Citrix infrastructure.
Threat Intelligence
Tyler McLellan
Principal Threat Analyst | Emerging Threats • Automation • AI-Driven Defense
Analyzing high-impact threats at scale. Expert in major incident response, software supply chain integrity, and the intersection of AI and Cyber Threat Intelligence (CTI).
Core Specialties
Operational depth across the modern threat landscape.
Research designed to move quickly from investigation into defender action, with emphasis on high-impact intrusions and scalable analysis systems.
02
Automation & AI
Building scalable systems to detect, analyze, and disrupt global threat actor infrastructure with faster and more consistent defensive workflows.
03
Supply Chain Security
Identifying malicious NPM and PyPI packages, tracing upstream compromise, and surfacing abuse before it cascades across the software ecosystem.
04
Major Incidents
Technical lead for globally significant intrusions involving APT44, Turla, and Sandworm, with emphasis on fast-moving operational response.
Open Source
Malicious document analysis tooling since 2008.
Open-source frameworks for decoding, scoring, and extracting malicious document streams — built when maldocs were routinely missed by commercial AV. QuickSand is the current analysis framework; Cryptam and PDFExaminer are its predecessors.
QuickSand
Python analysis framework for Office documents, PDFs, MIME/email, and more. Decodes streams, scans with Yara, and scores risk for faster triage.
QuickSand overview GitHubscan.tylabs.com
Try QuickSand without installing anything. Upload a suspected document and get stream extraction, Yara matches, and a risk score.
Open scannerCryptam & PDFExaminer
Original web scanners from 2009 for embedded executables and PDF exploit analysis. Both evolved into QuickSand.
Read the storyFeatured Reports
A front page for recent investigations and flagship reporting.
Selected work spanning supply chain compromise, major incidents, and state-backed intrusion activity.
ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
Featured from the current archive as a recent high-impact publication.
Read featured reportSeeking Counsel: Ongoing Targeted Campaign Against US Law Firms
Open reportWelcome to BlackFile: Inside a Vishing Extortion Operation
Open reportResearch Archive
Selected reports, investigations, and whitepapers.
Showing 13 reports
Date
Title
ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
Category
Emerging Threats
Date
Title
Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms
Category
Major Incident
Date
Title
Welcome to BlackFile: Inside a Vishing Extortion Operation
Category
Major Incident
Date
Title
North Korea-Nexus Threat Actor Compromises Axios NPM Package
Category
Supply Chain
Date
Title
Widespread Data Theft Targets Salesforce via Salesloft Drift
Category
Major Incident
Date
Title
APT44: Unearthing Sandworm
Category
APT / Infrastructure
Date
Title
Investigating Ivanti Connect Secure VPN Zero-Day
Category
Emerging Threats
Date
Title
Sandworm Disrupts Power in Ukraine
Category
Major Incident / OT
Date
Title
ALPHV Ransomware Affiliate UNC4466 Analysis
Category
Ransomware
Date
Title
Turla: A Galaxy of Opportunity
Category
Infrastructure
Date
Title
Cloud Metadata Abuse by UNC2903
Category
Cloud Security
Date
Title
UNC2596 and Cuba Ransomware
Category
Ransomware
Date
Title
DARKSIDE Affiliate Supply Chain Compromise
Category
Supply Chain
No reports match the current filter.
Connect
Follow ongoing research and threat intelligence work.
LinkedIn is the primary channel for professional conversation and current updates.
Visit LinkedIn