Skip to content
Chimera readability score 59 out of 100, Graduate reading level.

- Black Lotus is using AI to fight increasing threats from hackers that are also using AI
- Its AI and human teams are tracking about 2.3 million threats every day
- Black Lotus today announced a new product with Palo Alto Networks
Lumen Technologies has operated a threat intelligence group called Black Lotus Labs since 2019, and these days it’s got more work than ever due to increased threats from AI.
Michelle Lee, senior director of Threat Intelligence at Black Lotus Labs, said AI is helping the attackers. And her colleague Craig D’Abreo, VP of Product Management at Black Lotus, said AI is increasing the sophistication and speed of attacks.
But AI is also helping defenders such as Black Lotus because it can process a massive amount of alerts and events much more efficiently than humans. Agentic security operation center (SOC) agents can parse through data at the speed of computers and push the highest threats immediately to a human analyst.
“Previously, you would have a single SOC analyst that's looking at thousands of events and alerts,” said D’Abreo. “They can miss a lot of things. Those are the type of challenges that most of our customers are facing.”
Lumen offers 24/7 SOC operations with agentic capabilities, and it also offers the unique capability of providing visibility from its own global IP backbone network.
Lee said, “We leverage the global telemetry that occurs across the backbone to understand adversaries' networks. We can discover their points of presence around the world and block that criminal activity.”
When Black Lotus discovers security threats it then takes action to shut down that activity with help from law enforcement, its customers and even other service providers. Black Lotus takes in about 200 billion NetFlow sessions and DNS queries every day, which wouldn’t be possible without the assistance of AI.
“AI and analytics and the teams behind it are tracking about 2.3 million threats every single day,” said D’Abreo.
Lee said, “We've got human intelligence and we've got AI intelligence working together at tremendous scale to detect millions of threats a day automatically. We increasingly think about our AI assets as part of our scale.”
It’s a good thing that Black Lotus is using AI because threat actors are definitely using it, too.
Lee said that increasingly, ransomware actors are targeting edge devices, whether they be a VPN gateway, a mail server or a firewall. Once they gain access to an enterprise’s network via these entry points, they can steal data and use AI to accelerate threats.
In fact, one of the botnets that Black Lotus has been tracking recently takes advantage of Android-based malware. “They infect the Android device, and then they have a point of presence wherever that device goes,” said Lee.
What motivates threat actors?
It might seem as if the motivation for hackers and threat actors is obvious: money.
But Lee said there are several other motivations, as well. She said information stealing is a big motivation. “We’re seeing adversaries not only interested in encrypting a network and holding a company up for ransom, which definitely is alive and well, but we see actors increasingly trading in information on the underground ecosystem.”
Threat actors also like to compete against each other for status. Lee said a large DDoS attack dubbed “Kimwolf” took down gaming sites and other internet infrastructure “for what appears to be clout.”
There are also security threats from nations that want to infiltrate networks for long-term spying. They get a foothold into a network with a “zero-day” attack that exploits a software vulnerability, and no one at the enterprise knows they’re there. Then they can harvest information for years.
New product with Palo Alto Networks
Today, Lumen announced that it’s created a new product with Palo Alto Networks to combine Lumen's managed detection and response capabilities and threat intelligence from Black Lotus Labs with Palo Alto Networks’ software.
“This technology basically integrates all the different telemetry from customers' environments like logs, server information, endpoint information,” said D’Abreo. “We collect all of that, and then we pump in Black Lotus' data. The one thing that they don't get with other service providers is the Black Lotus Labs' threat intelligence, because we're taking all of that data from our network and then pumping it into the solution, so it enriches our analysts' events and alerts that they see for better detection and response.”
Black Lotus also works with security software from other companies such as Microsoft and AWS.
More about Black Lotus Labs:
A single telecom accounted for 20% of DDoS attacks in Q1, Lumen finds

Facts Only

* Black Lotus Labs operated a threat intelligence group since 2019.
* The group tracks about 2.3 million threats every day using AI and human teams.
* Agentic security operation center (SOC) agents process data quickly to push high threats to human analysts.
* Lumen offers 24/7 SOC operations with agentic capabilities and visibility from its global IP backbone network.
* Black Lotus processes about 200 billion NetFlow sessions and DNS queries daily with AI assistance.
* Threat actors use AI to increase the sophistication and speed of attacks.
* Ransomware actors target edge devices like VPN gateways, mail servers, or firewalls.
* One tracked botnet utilizes Android-based malware for establishing presence.
* Motivations for threat actors include information stealing, financial gain (ransom), and status competition through activities like DDoS attacks.
* A new product was announced combining Lumen's capabilities with Palo Alto Networks software.

Executive Summary

Black Lotus Labs, operating since 2019, tracks approximately 2.3 million threats daily by combining human intelligence and AI to manage security events. This team leverages agentic capabilities in a Security Operations Center (SOC) to process massive amounts of data efficiently, allowing for rapid threat detection. The organization utilizes global telemetry from its IP backbone network to map adversary networks and block criminal activity. Black Lotus recently announced a new product with Palo Alto Networks, integrating their threat intelligence with customer environmental telemetry and Black Lotus's unique threat intelligence to enrich detection and response capabilities. Furthermore, the threat actors themselves utilize AI to increase the sophistication and speed of attacks, targeting entry points like edge devices and exploiting information trading motivations alongside financial gain and status competition.

Full Take

The narrative highlights a critical pivot in cybersecurity defense: the arms race between AI-enabled offense and AI-enabled defense. The core tension lies in the asymmetry of processing power; defenders rely on AI to manage overwhelming data volumes, while attackers leverage it for increased velocity and stealth. The implication is that traditional human-centric analysis models are insufficient against current threat dynamics, forcing an evolution toward autonomous, massive-scale intelligence systems. The use of global backbone telemetry demonstrates a shift from perimeter defense to holistic network awareness, suggesting that control over the underlying infrastructure (the transport layer) provides a significant intelligence advantage. The motivations for threat actors—shifting from purely financial motives to information arbitrage and status seeking—suggest a maturation of adversarial strategy beyond simple extortion. The new product integration with Palo Alto Networks exemplifies an effort to operationalize this advanced intelligence by embedding external, deep context directly into response mechanisms. The ongoing battle involves not just blocking threats, but understanding the entire adversarial ecosystem, including the very technology being deployed for offense.
Lumen’s Black Lotus Labs counters network security threats with AI — Arc Codex