On June 25, 2026, a former Huntress SOC analyst broke his silence on LinkedIn with a post alleging that an insider at the company passed communications from U.S. law enforcement to the DevMan ransomware group. Huntress, a threat intelligence vendor focused on small and mid-sized businesses, now finds itself under scrutiny over an allegation that strikes at a raw nerve in the cybersecurity industry: who guards the data of those who guard everyone else.
- Ben Folland, a former Huntress security operations analyst whose last day was February 19, 2026, says he discovered in December 2025 that a Huntress employee was passing communications from U.S. law enforcement to the DevMan ransomware gang.
- CEO Kyle Hanslovan acknowledges that an employee showed "poor judgment in communicating with a cybercriminal," but frames the episode as part of routine intelligence gathering and forcefully denies the insider narrative.
- Hanslovan cites "ongoing active coordination with law enforcement and legal proceedings" as the reason he cannot provide a full public account.
- Folland has promised to release documentary evidence — FBI communications, phone recordings, internal memos — within two weeks of June 25, 2026.
Folland's Allegations: From the FBI's Shadow to Pre-IPO Silence
According to The Register, Ben Folland launched his public campaign on LinkedIn with a Pinocchio GIF and clown emojis, then explained his reasons for resigning in a letter shared on the platform. The core allegation: in December 2025, Folland discovered that "another Huntress employee passed communications from US law enforcement to a cybercriminal, DevMan, who is actively and publicly targeting my family and me."
Folland asserts that the accused individual was identified by the FBI but continues to work for Huntress. The former analyst further alleges the company concealed the incident from December 2025 onward, prioritizing an imminent IPO over transparency: "With an IPO on the horizon, it appears their priority was not transparency, but keeping this away from the press."
"Since December 2025, I believe Huntress has been actively trying to conceal a serious security incident from its partners, customers, and employees involving an insider who is still employed at the company" — Ben Folland, former Huntress analyst, LinkedIn post
The Register contacted Folland but received no response. The dossier does not document whether the promised evidence has actually been published.
Huntress's Response: Poor Judgment, Not Betrayal
Kyle Hanslovan, Huntress CEO, responded through a spokesperson and directly on Reddit. He acknowledged that "a former employee raised concerns that a teammate exercised poor judgment in communicating with a cybercriminal," but immediately contextualized: "By nature of our work as security researchers, teammates occasionally need to communicate with possible cybercriminals to gather intel."
Hanslovan explicitly denied two pillars of Folland's narrative: the insider designation and the subordination of security to IPO interests. On Reddit he wrote: "We sure af didn't prioritize an IPO over the safety of our partners, customers, or team." He also cited "ongoing active coordination with law enforcement and legal proceedings" as the barrier to a full public accounting.
The dossier does not document the identity of the accused individual or the exact nature of the transmitted communications. It also does not establish whether the communications with DevMan were authorized by the company.
The Intelligence-Gathering Dilemma: Operational Boundary or Red Line
The episode raises a structural question for the cybersecurity sector. Threat intelligence companies operate in a permanent gray zone: contact with threat actors, including ransomware groups, is instrumental to collecting indicators of compromise, understanding TTPs, and protecting customers. The line between "controlled communication for defensive purposes" and "criminal contamination" — whether intentional or through negligence — is thin and poorly defined at the industry level.
The dossier does not specify Huntress's internal protocols for such interactions or any legal or compliance oversight. What emerges is a fundamental discrepancy: for Folland, the contact crossed the threshold into collaboration by passing law enforcement data; for Hanslovan, it was a judgment error during legitimate activity.
What to Do Now
For Huntress customers, the case raises concrete questions for which the company has provided no definitive answers. The immediate priority is to assess whether their threat intelligence provider has offered clear communication on the incident documented since December 2025.
Threat intelligence professionals should verify that their service contracts include notification clauses for unauthorized contact with threat actors. The absence of clear industry standards on intelligence-gathering boundaries makes this verification a customer responsibility.
For security analysts, the Folland case highlights the personal risk of reporting internal anomalies: Folland left the company over a "conflict of interest" and went public only after months of silence. Documenting the internal escalation path before going external is a relevant defensive practice.
The sector awaits the evidence Folland promised within two weeks of June 25, 2026. Its publication — or absence — will determine whether the allegations can be independently verified or remain, for now, a dispute between a former employee and his company.
Editor's Closing Note
The Huntress case remains, at time of writing, a collision of incompatible narratives: the intentional insider versus the judgment error, the pre-IPO cover-up versus transparency blocked by ongoing investigations. Both versions have documented weak points — Folland has not responded to comment requests or published evidence; Hanslovan has not explained why an employee with "poor judgment" remains in role if the FBI was actually involved.
The cybersecurity industry cannot afford to ignore the structural lesson: when a company that sells protection becomes the subject of allegations that undermine its integrity, independent verification is the only currency that matters. Until new developments, the verdict is suspended — but the questions the case raises about boundaries, accountability, and transparency in threat intelligence are not.
Information is based on the cited source and current as of publication.
Sources
- https://www.theregister.com/cyber-crime/2026/06/25/ex-huntress-analyst-claims-company-insider-fed-info-to-a-ransomware-crim-social-media-drama-ensues/5262538
- https://www.huntress.com/blog/klue-breach-investigation
- https://nvd.nist.gov/vuln/detail/CVE-2026-41940