When the world is a sea of risk, you need to know your business, your people and your intellectual property are safe.
We’re your Liferaft.
As social media platforms continue to evolve, security teams must adapt their monitoring and investigation strategies to account for emerging online communities. While mainstream platforms remain important sources of information, fringe networks are gaining traction and creating new opportunities, and new challenges, for threat analysts and investigators.
Bluesky has experienced significant growth and is attracting users seeking alternatives to traditional social media platforms. Understanding how the platform is being used, the types of content shared there, and the potential security implications can help organizations strengthen their monitoring and investigative workflows.
In this edition of the Liferaft Security Spotlight Session series, Jenn Turnbull sits down with Eric Distad to discuss Bluesky, the rise of fringe networks, and what security teams should know when incorporating these platforms into their monitoring and investigation efforts.
Listen now: Bluesky Insights for Security Teams
Bluesky is a decentralized social media platform built on the AT Protocol (Authenticated Transfer Protocol), an open-source framework designed for transparent, user-controlled social networking. Unlike traditional networks controlled by a single company, Bluesky's architecture lets users own their identity and data and move between different applications built on the same protocol without losing their followers or posts. The platform grew rapidly through 2024 and 2025 and surpassed 43 million users by early 2026, with the United States accounting for more than half of its traffic and Japan ranking among its largest markets.
In a security context, "fringe networks" are emerging or alternative social platforms that sit outside the established mainstream, networks that attract migrating users, niche communities, or audiences seeking less-moderated or differently governed spaces. They matter to analysts because relevant threat signals increasingly surface on these platforms before, or instead of, appearing on larger networks. Monitoring only mainstream sources leaves blind spots that adversaries and persons of interest can exploit.
Several characteristics make Bluesky distinct from a monitoring and OSINT perspective. The vast majority of posts on the network are public records, which makes content broadly accessible for open-source intelligence. Its decentralized design means moderation and governance work differently than on centralized platforms, and portable identity allows users to carry accounts and followers across the broader AT Protocol ecosystem. Handles are often tied to verified domains, which can aid attribution but also introduces platform-specific verification nuances. For security teams, the implication is clear: as audiences fragment across emerging networks, investigative workflows must expand to capture, contextualize, and act on signals wherever they appear.
Bluesky is decentralized and built on the open AT Protocol, giving users ownership of their identity and data and the ability to move across interoperable apps. Centralized platforms, by contrast, control account, data, and feed algorithms within a single company.
Most Bluesky content is public, the platform has grown to tens of millions of users, and threat-relevant conversations increasingly migrate to emerging networks. Including Bluesky in monitoring workflows reduces blind spots that arise from watching only mainstream platforms.
Decentralization changes how moderation, attribution, and identity verification work. Portable identities and domain-based handles can both support and complicate attribution, so analysts need platform-specific knowledge to interpret indicators accurately.
At Liferaft, we turn open-source threat signals into credible, actionable intelligence so teams can move quickly from awareness to confident action.