Direct answer: The Huntress incident exposes a structural weakness in cybersecurity firms: the threat hunters trusted to defend clients become liabilities when they engage adversaries without oversight.

Key data point: Former Huntress analyst Ben Folland alleges that a current employee forwarded FBI communications, including agent names, to Devman, a Russia-based ransomware operator using a modified DragonForce build derived from leaked Conti source code.

Why it matters: For enterprise security buyers, this breach of trust strikes at the core value proposition of managed detection and response (MDR), which depends on giving the vendor deep visibility into the client's environment. If a vendor's own staff cannot be trusted with sensitive law enforcement intelligence, client data and the privileged network access an MDR provider holds may also be at risk.

Background: The Huntress Incident Unfolds

On June 30, 2026, Huntress CEO Kyle Hanslovan acknowledged in a blog post that a current threat hunter had engaged in "questionable, long-term threat actor communications" with a cybercriminal known as Devman. In one exchange, the employee told Devman that law enforcement had contacted them about him. Hanslovan characterized this as "poor judgment" but said it was neither illegal nor indicative of insider activity.

However, former Huntress security operations analyst Ben Folland, who left the company in February 2026, publicly contradicted this assessment. Folland claimed that the employee, who remains at Huntress, "immediately forwarded the exact FBI communications to the threat actor, including screenshots containing FBI agent names." According to Folland, the FBI notified him of this incident, and the employee refused to cooperate with investigators because they "wanted Devman."

Devman is a ransomware operator believed to be based in Russia, deploying modified DragonForce ransomware built on leaked Conti source code. The FBI had approached the Huntress employee for intelligence on Devman; according to Folland, instead of cooperating, the employee tipped off the criminal.

Strategic Analysis: The Insider Threat Dilemma

Who Gains?

Competing MDR providers: Rivals such as CrowdStrike, SentinelOne, and Palo Alto Networks can position themselves as more trustworthy alternatives by highlighting their own insider threat programs and strict policies on analyst contact with adversaries.

Regulators and law enforcement: The incident underscores the need for stricter oversight of cybersecurity firms' interactions with criminals. It may accelerate regulatory frameworks requiring mandatory reporting of threat actor communications and insider threat controls.


Who Loses?

Huntress: The company faces severe reputational damage. Clients may question whether their sensitive data and network access are safe with a vendor that cannot control its own analysts. Potential customer churn and difficulty attracting top talent are likely.

Ben Folland: The former analyst who blew the whistle may face backlash from industry peers and potential legal exposure if his allegations are not fully substantiated.

The current Huntress analyst: Still employed at Huntress, the analyst faces potential legal consequences if the FBI or Department of Justice pursues obstruction of justice or unauthorized disclosure of law enforcement information.

Market Impact

The cybersecurity industry will likely tighten protocols for threat hunter contact with adversaries: mandatory logging of every exchange, approval workflows before an analyst engages a threat actor, and real-time monitoring of those interactions. These measures reduce operational flexibility, but they are necessary to restore trust. Compliance costs will rise and may be passed on as higher MDR service prices.

Outlook & Next Steps

Over the next 30 days, watch for:

  • Huntress client announcements: Any major customer departures or public statements of concern will signal the depth of the trust erosion.
  • FBI actions: If the Department of Justice charges the analyst, it would set a precedent for criminal liability in such cases.
  • Industry responses: Competitors may release white papers or policy updates emphasizing their own insider threat controls.
  • Regulatory signals: Look for proposed rules from CISA or other agencies requiring cybersecurity firms to report threat actor communications.

For enterprise security leaders, this incident is a wake-up call. When evaluating MDR providers, insist on transparency about their insider threat programs, their policies for analyst contact with adversaries, and their incident response protocols for cases where an analyst's own conduct is the incident. Switching vendors is costly, but a compromised insider at a vendor with privileged access to your network costs far more.

Source: The Register

Intelligence FAQ

The employee allegedly forwarded FBI communications, including agent names, to a ransomware operator, warning him of the investigation. Huntress CEO called it "poor judgment"; a former analyst calls it an insider threat.

Review your MDR provider's insider threat controls, demand transparency on analyst communication policies, and consider diversifying vendors to reduce concentration risk.