Cisco Just Cut Talos. Six Shops Will Absorb Them in Three Weeks.
Cisco's May 14, 2026 RIF hit Talos. Here's the sourcing playbook for ex-Talos threat researchers before CrowdStrike, Mandiant, and MSTIC close offers.
On May 14, 2026, Cisco started notifying roughly 4,000 employees of layoffs, and the cuts reach inside Talos, the 350-person threat research org that the rest of the industry treats as pre-vetted talent. If you run a CTI team, a detection startup, or a federal CTI shop and you wait for these names to surface on LinkedIn, you will lose them to CrowdStrike, Mandiant, Unit 42, Microsoft MSTIC, Sophos X-Ops, or GreyNoise before your recruiter finishes a Boolean string.
This is a sourcing playbook for the next few weeks. Not a generic "how to hire security researchers" piece. The pool is small, the credential is narrow, and the buyer set is genuinely closed unless you move now.
Why Talos is different from a normal RIF cohort
Cisco posted about $15.8 billion in Q3 FY2026 revenue, up roughly 12% year-over-year. These are not distressed cuts. Cisco's internal memo, reported by Reuters, frames the reduction as reallocation toward AI, security, silicon, optics, and quantum networking. KORE1's reporting confirms that legacy switching, routing, and parts of Talos and Splunk security are the donor orgs funding that pivot.
That matters for two reasons.
First, the displaced Talos researchers are self-selected. Cisco is re-slotting some Talos heads into its new AI security org internally. The ones in market are the ones who did not get the internal landing pad. That is not automatically a red flag. In most cases it means they refused a worse role, refused to relocate, or were on a team whose charter just got vaporized. Interrogate it; do not assume it.
Second, Talos has a credential moat. The peer labs recognize each other's research output explicitly. When Microsoft, CrowdStrike, Palo Alto's Unit 42, and Google's Mandiant announced a shared threat-actor taxonomy effort, they were essentially publishing the membership list of the club. A Talos byline routes a resume to that list automatically. If you are not on the list, you are racing it.
The competitive set is six shops, and you probably aren't one of them
Name them out loud so you know who you are bidding against:
- CrowdStrike Counter Adversary Operations, run by Adam Meyers.
- Mandiant / Google Cloud Threat Intelligence, the post-acquisition home for a lot of the old FireEye reverse engineers.
- Palo Alto Networks Unit 42, where Michael Sikorski runs threat intel.
- Microsoft MSTIC, which processes 84 trillion threat signals daily and uses that scale as a recruiting pitch.
- Sophos X-Ops, the consolidated SophosLabs/SecOps/AI unit.
- GreyNoise, the smallest of the six but increasingly aggressive on senior reverse engineering hires.
If your seat is on that list, congratulations, you have leverage and probably an inbound channel already. If you are anyone else (a bank CTI team, a cyber insurance carrier, a Series B detection vendor, a cleared-talent SI prime), the contrarian point of this article is that your window is shorter, not longer. The Big Six will close offers in two to three weeks because they recognize the credential on sight. You do not have a quarter. You have until those offers print.
Where to actually find ex-Talos researchers
LinkedIn is the worst place to start, and it is where 90% of recruiters will start anyway. Talos researchers update LinkedIn months late, sometimes never. The high-signal surfaces are public and indexed, just not by recruiting tools.
1. Snort and ClamAV commit histories
Talos maintains Snort (the IPS) and ClamAV (the AV engine) as open-source projects. The GitHub orgs are the single best pre-vetted candidate list on the public internet. Pull the last 24 months of committers, filter out external contributors, and you have a ranked list of Talos engineers with their handles, frequently their personal email domains, and their areas of focus (rules engine vs. detection content vs. parser work).
2. blog.talosintelligence.com author archive
Every Talos blog post is bylined. The author archive page is a directory. Cross-reference bylines against the 2024 to 2026 publication cadence to identify who shipped what. Researchers who published on specific malware families (Qakbot, LockBit derivatives, Volt Typhoon-adjacent work) carry that beat into their next role. Match by topic, not by title.
3. CVE credit lines under TALOS-YYYY-####
Talos runs its own vulnerability disclosure program with TALOS-YYYY-#### identifiers. Pull the last two years of advisories. Each one credits the researcher. This is your senior vulnerability research bench, and it is fully public.
4. Conference programs
Talos researchers speak at CYBERWARCON, Virus Bulletin, LABScon, and BSides regional events. The programs are PDFs. Scrape them.
This is where describing the person in plain English beats Boolean by an order of magnitude. "Talos blog author who has published on Volt Typhoon and committed to Snort in the last 18 months" is not a LinkedIn search, but it is exactly the kind of query Refolk was built for: you describe the researcher and get a ranked shortlist pulled from GitHub, LinkedIn, and the open web in one pass.
The geography that nobody is pricing in
Talos is headquartered in Fulton, Maryland. Add the Sourcefire DC-corridor heritage (Sourcefire was acquired by Cisco in 2013, and a meaningful slice of senior Talos researchers trace back to it) and you get a disproportionate concentration of impacted researchers within commute range of Fort Meade, Cyber Command, Mandiant's Reston office, and the federal SI primes.
Cleared-talent buyers should be in this race and usually are not, because their recruiting pipelines are tuned for SF-86 forms, not for tech RIFs. If you run a CTI team at Booz, Leidos, ManTech, or a Defense Unicorns-style commercial-meets-DoD shop, the next 30 days are the cheapest senior threat research talent you will see this decade. Most of these researchers already hold or recently held clearances. You are not paying for the clearance pipeline. You are paying for the resume.
The non-Big-Six destinations that will actually land hires
Not every ex-Talos researcher wants to go to Microsoft. Some are exhausted by the politics of a 350-person org and want a smaller seat. Realistic non-Big-Six destinations that historically pick off one or two per cycle:
- Huntress (managed detection, aggressive on senior detection engineering).
- Hunters.ai (detection content roles, lots of Talos-adjacent work).
- Dragos (OT-specific, recruits the same profile for ICS/OT pivot).
- Recorded Future's Insikt Group (closest analog to Talos in research culture).
- Red Canary (detection engineering, threat research).
If you are one of these companies, you do not need to outbid Microsoft. You need to be first in the inbox with a specific, named pitch ("we want you to own the next Volt Typhoon-equivalent campaign report end to end") before the Big Six get their second screening call on the calendar.
A tenure filter that actually works
Talos was formed by combining Sourcefire's Vulnerability Research Team, the Cisco Threat Research and Communications group, and the Cisco Secure Applications Group. The Sourcefire lineage is a useful sorting signal. Researchers with 10-plus years of tenure who came in through Sourcefire are the senior bench. Researchers who joined post-2018 from outside Cisco are typically the mid-level reverse engineering and detection content layer. Researchers from the Threat Research and Communications side skew toward the outreach, publication, and intel-product roles (think Nick Biasini, Head of Outreach, as the archetype).
Three buckets, three different hiring pitches. Do not send the same outreach message to all three.
Comp anchors
KORE1's reporting cites a Cisco senior principal CCIE base band of $185,000 to $240,000 per Levels.fyi, with RSUs that swung with the stock. Treat that as directional only. Senior security researcher bands at Cisco run higher than network engineering bands, and at the Big Six they run higher still. If you are competing against MSTIC or CrowdStrike for a senior reverse engineer, expect base offers in the mid-$200s with meaningful equity. If you are a Series B detection vendor, your only realistic lever is scope and ownership, not cash.
The 30-day claim, honestly
The "30 days" framing is an informed estimate, not a public statistic. The defensible version: prestige threat researchers historically clear the market in under a quarter, the credential set narrows the buyer pool, and the buyer pool moves fast because they recognize each other's targets. Compressed window. Probably four to six weeks for the senior bench, longer for mid-level researchers whose bylines are less public.
Plan as if you have three weeks of clean air before the prestige offers land, and another three weeks of overlap during which you can still win on scope, geography, or speed.
A concrete sourcing sequence
If you are a hiring manager reading this on the day it goes up:
- Today: pull Snort and ClamAV committer lists from GitHub. Cross-reference against the Talos blog author archive.
- This week: scrape TALOS-YYYY-#### CVE credits from the last 24 months.
- This week: identify the 30 to 50 names that appear on at least two of the three lists.
- Next week: reach out with a specific, beat-matched pitch. Not "we're hiring threat researchers." Something like "we want someone who can run the next campaign report on [specific actor cluster]."
- Throughout: monitor LinkedIn for delayed signal, but treat it as confirmation, not discovery.
Steps one through three are exactly the kind of multi-surface sourcing that breaks LinkedIn-only tools. This is where Refolk earns its keep on Talos alumni recruiting: one plain-English query crosses GitHub commit graphs, the Talos blog index, CVE credit lines, and LinkedIn employment status in a single ranked list, so you are not stitching four scrapers together by hand.
What to say in the first message
Two rules for the first outreach to an ex-Talos researcher.
First, name a specific piece of their work. Not "I saw your background." Cite a blog post, a CVE, or a commit. These are people who write under their own names for a reason. The recognition matters.
Second, be honest about the scope. If you cannot offer the platform reach of MSTIC or the budget of CrowdStrike, do not pretend to. Offer something they will not get at the Big Six: a single named beat they own end to end, a smaller team, a non-corporate publication cadence, a clearance-friendly schedule, equity that could actually matter. Threat intel sourcing in 2026 is not won on comp. It is won on specificity.
FAQ
How many Talos researchers are actually affected?
The public reporting confirms Talos exposure but not a precise headcount. Talos is roughly 350 people globally; Cisco's total cut is fewer than 4,000 across all orgs. A reasonable working estimate for impacted Talos researchers is in the low dozens to low hundreds, weighted toward roles Cisco is not re-slotting into its new AI security org. Treat any specific number you see this week as a guess.
Should I avoid candidates who were laid off rather than re-slotted internally?
No. Cisco is reallocating toward AI networking and silicon, which means re-slotting decisions are about charter fit, not researcher quality. Some of the strongest senior researchers will be in market specifically because they refused a worse role or did not want to pivot off threat research into AI security tooling. Interrogate the why; do not screen on the layoff alone.
Is GitHub really better than LinkedIn for sourcing Cisco Talos researchers?
For this specific cohort, yes. Snort and ClamAV are maintained on public GitHub orgs by Talos engineers under their real identities. Commit histories give you handles, focus areas, and tenure signals months before LinkedIn updates. For hiring security researchers in 2026, open-source committer history is the single highest-signal surface, and it is the one most recruiters skip.
What is the realistic timeline before the Big Six close offers?
Three to six weeks for the senior, publicly-bylined researchers. Longer for mid-level detection engineers whose work is less visible externally. If you are not CrowdStrike, Mandiant, Unit 42, MSTIC, Sophos X-Ops, or GreyNoise, plan your outreach sequence as if you have a three-week head start and a three-week overlap, not a full quarter.