While this could be true. We do have to be suspect that these security articles, unless very well detailed like what cloudfare publishes or many of the other great security services publish, could very well be fake news. Essentially this article gets 75% of its technical details wrong or embellishes on their details. We are then told, we can't disclose anything related to the hack beyond the fact that we saw a [insert] _____very well known type of hack performed___ on ___very large group of people___ and ____we've been investigating for awhile_____ and we know this because we saw the hackers get a password from ____one computer then hop to the next computer - then get the domain server!! jackpot______
Well, it's pretty much common practice in the business. In my own experience as an independent security researcher/bug hunter I've been in a few situations where I've been under NDAs for finding critical RCE vulnerabilities. Basically I got paid for finding them and to keep my mouth shut and I'm sure Cybereason in this case is in the same kind of situation but the scale is much bigger.
Cybereason doesn't need the marketing. Everyone in infosec knows who they are and if they say they found this I'd say it's legit.
If one is getting paid to find bugs for a company, they aren’t writing articles like this about that company. Also, I’ve been in infosec almost 20 years and have never heard of this company. Also, there is no such thing as a company that doesn’t need marketing.
