CSOonline

Everything posted by CSOonline

  1. Business resilience starts at the endpoint. Between March and December 2025, the N-able SOC processed over 900,000 alerts, and 18% of them originated from network and perimeter exploits that endpoint-only security never saw. Attackers constantly shift tactics, and endpoints remain an exposed attack surface. The good news: the right proactive strategies put you in control, stopping threats before they ripple across your business. Here is our concise, field-tested playbook for operationalizing resilient endpoint security and avoiding the single-layer fallacy that leaves half your risks unseen.

     1. Start with full endpoint visibility: no blind spots allowed

     You can't protect what you don't know about. As our State of the SOC report notes, network and perimeter threats flew under the radar for organizations lacking unified visibility. These were not minor threats; many were the initial stages of attacks that would have become full breaches without multi-layer visibility.

     • Inventory all devices continuously. Go beyond manual tracking. Automated discovery tools can identify each device, from remote laptops to IoT assets, as soon as it joins your network.
     • Mitigate shadow IT risk. Unmanaged devices are a favorite entry point for attackers. Every asset must be accounted for and brought under management. No exceptions.

     Learn more about automating discovery and reducing blind spots in your endpoint management strategy with N-able.

     2. Standardize secure configurations (don't fall for the "good enough" trap)

     Uniform security policies are your first solid defense. The data is clear: attackers exploit inconsistencies, and misconfigured endpoints are easy targets.

     • Enforce least privilege. Remove local admin rights unless absolutely necessary, so that malware that does land runs with limited rights and has less room to spread.
     • Apply strict allow-listing. Application control blocks unauthorized installations, cutting off common threat vectors.
     • Leverage policy automation. Templates make it easy to deploy secure configurations at scale across Windows, macOS, and Linux environments.

     Failing to standardize? You are inadvertently creating opportunities for lateral movement and targeted exploits.

     3. Automate patching and remediation: manual processes are a liability

     Waiting on manual patch cycles is a recipe for disaster. Automation is now essential for effective vulnerability management because attackers are moving faster than ever. AI lets threat actors scan for weaknesses, generate new exploits, and launch broad attacks at a pace manual processes cannot match. When vulnerabilities emerge, the gap between disclosure and exploitation is shrinking, which leaves organizations that rely on human-driven workflows exposed. Manual patching and tracking introduce delays and inconsistencies that create easy openings for attackers. Automated discovery, prioritization, and patch deployment close these gaps by removing human bottlenecks and ensuring critical fixes are applied quickly and consistently. In a world where AI accelerates both the volume and speed of attacks, automation is the only sustainable way to reduce risk and maintain a strong security posture.

     • Prioritize based on real risk. Focus on vulnerabilities under active attack or critical to business continuity.
     • Automate across OS and third-party software. Don't let browsers or document tools become overlooked gateways.
     • Measure what matters. Track metrics like "percentage of devices patched" and "average remediation time" for continuous improvement.

     Explore N-able's automated patch management for fast, scalable response.

     4. Add EDR to detect what endpoint antivirus misses

     Prevention is never 100%. Our 2026 SOC report shows that 50% of attacks bypassed endpoint controls entirely, often moving laterally or exploiting identity layers. To achieve true resilience, include Endpoint Detection and Response (EDR) in your security stack.

     • Behavioral threat detection: AI-driven, behavior-based EDR can catch zero-day and fileless attacks that signature-based tools miss.
     • Automated response: compromised endpoints are isolated automatically, containing threats before they spread.
     • Forensic insight: EDR gives you visibility into attack paths, enabling rapid remediation and long-term learning.

     Leverage N-able EDR to transform your endpoint monitoring and response.

     5. Connect endpoints to backup and recovery: plan for when (not if) something gets through

     Even with layers of defense, you can't eliminate risk. How fast you bounce back determines your business resilience. In environments with integrated endpoint and backup management, the N-able SOC observed faster incident recovery and reduced downtime.

     • Ensure every critical device is covered. Regular checks confirm that backup policies include your entire asset inventory.
     • Prioritize rapid recovery. Restore the systems that matter most first to maintain operational uptime.
     • Unify workflows. Centralized platforms streamline both detection and restoration, cutting downtime.

     Lessons from the front lines

     • Don't rely on "magic bullet" solutions. The SOC's 2026 alert data shows that defense-in-depth is essential: relying on endpoint protection alone means missing critical network and perimeter threats.
     • Automate and correlate across layers. Human-driven response can't keep up. In 2026, 90% of investigation steps could be automated, and multi-layer correlation stopped ransomware in under 10 minutes during real-world attacks.
     • Measure and report. Regular status updates on patch levels, detection rates, and recovery speed keep your team, and your leadership, aligned and ready.

     Embedding resilience: why N-able customers succeed

     We recognize the weight IT security teams carry. Managing inventory, patching, EDR, and backup across hybrid workforces isn't just complex; it's mission critical. N-able brings unified monitoring, orchestration, and rapid response under one platform, helping internal IT teams and MSPs operationalize resilience, reduce downtime, and drive business continuity. See how N-able is delivering business resilience in 2026.
  2. Silos are the enemy of business resilience. As IT leaders, we've all felt the pain: the backup administrator, SOC analyst, and endpoint engineer operating in separate worlds, often meeting for the first time in the chaos of a live cyberattack. The result? Delayed responses, missed signals, and greater impact on the business. The N-able 2026 State of the SOC Report leaves no doubt. In just one year, 18% of all security alerts came from network and perimeter exploits, risks many endpoint-only teams never saw coming. Even scarier: 50% of attacks completely bypassed endpoint controls. You can't afford to be siloed. Here is where most organizations go wrong, and the six crucial steps you need to take to align your teams, tools, and processes for true business resilience.

     Mistake 1: Unclear roles and responsibilities

     Confusion creates costly delay. During an incident, who owns quarantine actions on high-value endpoints? Who can take critical apps offline? Without a detailed, cross-team RACI matrix (Responsible, Accountable, Consulted, Informed), response efforts stall and attackers gain precious minutes.

     Fix: Build a unified RACI for incident response and disaster recovery. Everyone from endpoint to SOC to backup should know their duties in a crisis. Learn how different personalities affect cyber crisis response in this Guide to Managing Strong Personalities During a Cybercrisis.

     Mistake 2: Fragmented asset and risk views

     Fragmented asset and risk views make it difficult for teams to understand what is actually in their environment and where the most pressing exposures reside. When devices, configurations, and identity data live in separate tools or are maintained inconsistently, gaps appear that attackers can exploit. The lack of a unified perspective slows decision making, complicates prioritization, and obscures the relationships that matter most during an investigation or response.

     Fix: Create a single, reliable view of assets and risks across the entire environment. Consolidating inventories, vulnerability data, and identity insights helps teams quickly see what they have, how it is behaving, and where risk is concentrated. With a unified source of truth, organizations can prioritize more effectively, enforce policies consistently, and respond with greater confidence.

     Mistake 3: Policies and playbooks that don't talk to each other

     Our State of the SOC report found that 18% of alerts now originate from the network edge, a significant shift from previous years. If the SOC keeps logs for 90 days but IT rotates them every 30, the evidence of those attacks may be lost forever. Gaps like this lead to missed detection and slow recovery.

     Fix: Align policies, retention schedules, and playbooks across security and IT. Establishing unified standards for log retention, data sources, and workflow handoffs ensures that every team is operating from the same information and timeframes, so alerts can be fully investigated. When policies are coordinated and playbooks are connected, organizations can detect edge-based attacks more reliably and accelerate recovery with complete, consistent evidence.

     Mistake 4: Disconnected tools prevent timely action

     The best-intentioned teams are blocked when they operate in silos. Our research shows a 5x year-over-year jump in automated response actions (SOAR), but unless EDR, backup, and SOC tools integrate, you can't leverage this automation at scale.

     Fix: Invest in integrating toolsets and automating workflows. For example:
     • EDR detects ransomware and triggers automated isolation.
     • Backup systems auto-scan restore points for malware before allowing recovery.
     • Failed backup alerts create tickets in both security and endpoint queues.
     By breaking down the data silos, you move from reaction to prevention. Looking for ways to automate at scale? This Playbook for Smarter Automation offers practical steps and scripts to take your IT security team to the next level.

     Mistake 5: No cross-team drills or incident simulations

     A playbook only works if everyone has practiced it. Too often, organizations run isolated tests (file restores here, pen tests there) but rarely rehearse the full detection-through-recovery scenario.

     Fix: Schedule regular tabletop exercises involving endpoint, SOC, and backup teams. Scenarios pulled from the State of the SOC Report, like holiday-weekend ransomware, are essential for exposing process gaps before real attackers do. Planning and preparation are key. Here are some best practices for planning a tabletop exercise.

     Mistake 6: Measuring success in silos

     If the backup team meets its targets but recovery takes three days because detection lagged, the business still suffers. The SOC's speed means little if the restored data is compromised.

     Fix: Track success with unified, resilience-focused KPIs. For example:
     • Mean time to recover (MTTR; the same acronym is widely used for mean time to respond, so define which one you are reporting): how quickly can we restore critical systems after an attack?
     • Patching SLA compliance: not just an IT metric, but key to threat prevention.
     • Successful recovery testing: are we validating backups or just assuming they work?

     N-able: Your partner in business resilience

     We've learned, sometimes the hard way, that business resilience depends on breaking down silos. That's why N-able unifies endpoint management, security operations, and data protection into a single, powerful view. With automation, integration, and real-time intelligence, we empower you to see threats earlier, recover faster, and keep your teams focused on what matters most: uptime, compliance, and customer trust. Ready to build your resilience strategy? Check out N-able's unified end-to-end cybersecurity and IT solutions.
  3. If you're in IT, you know: what we don't measure puts business resilience at risk. In the face of rising threat volumes, scaling complexity, and board-level scrutiny, tracking the right operational metrics isn't just about visibility; it is the foundation for proactive risk management and business continuity. Compliance and insurance demands are also driving the scrutiny around measuring cybersecurity programs. Recent findings from the 2026 N-able State of the SOC Report are clear: the threat landscape keeps shifting, automation and integration are now must-haves, and organizations delivering true resilience measure what matters most. Below are the six metrics we use to move the needle from firefighting to futureproofing.

     1. Mean time to detect (MTTD): The speed of awareness

     Attackers are faster and stealthier than ever. In 2025 alone, N-able's SOC processed more than 900,000 alerts, with attackers exploiting both endpoints and network perimeters, which are once again a primary target. Our own data shows that rapid detection is non-negotiable: every extra minute a threat goes unseen increases the likelihood of a business-impacting event. If your MTTD is measured in hours, not minutes, you are exposing your organization to avoidable risk. Automated threat detection, AI-driven analytics, and streamlined alert management significantly reduce dwell time.

     Key stat: The N-able SOC now averages 2 alerts per minute, an alert velocity that demands automated detection, not just human monitoring.

     2. Mean time to respond (MTTR): From triage to containment

     It's not enough to spot threats; you have to contain them fast. MTTR tracks how quickly your team can isolate and neutralize incidents. Integrated SOAR (Security Orchestration, Automation, and Response) workflows now drive a 500% year-over-year increase in orchestrated alert response actions, according to our latest SOC report. The difference? Teams leveraging automation have moved from after-the-fact remediation to business-saving containment in minutes rather than hours.

     3. Time to recover: The business resilience reality check

     A single outage can mean hours or days of operational downtime. That's why recovery time is a core resilience metric. It's not just about restoring data; it's about rebuilding trust and revenue streams. In 2025, we saw the top-performing organizations combine automated backup and disaster recovery solutions, rapid failover, and regular recovery testing to drive down time to recover. Cloud-native backups with built-in recovery processes are now the difference between near-instant resumption and prolonged business impact. Access the Cybersecurity Incident Response Plan template to help your team build a structured, comprehensive, and actionable approach to identifying, managing, and mitigating cyber incidents.

     4. Endpoint patch compliance: Closing the doors

     Vulnerability exploits remain a constant threat, and unpatched endpoints often provide the easiest entry points. Maintaining a high percentage of fully patched endpoints reduces these paths of attack and strengthens your overall security posture. With centralized patch management, resilient teams can automate updates, track compliance, and remove the guesswork from keeping environments secure. This reduces risk surface area even as your operations grow.

     5. Asset and identity coverage: Eliminate blind spots

     You can't protect what you don't see. With over 432,000 endpoint-layer detections and 14,000 identity threats recorded by the N-able SOC team between March and December 2025, the risk of shadow IT or credential theft from memory is real. Eliminating blind spots starts with full visibility across every asset in the environment. As devices, cloud workloads, and remote access points continue to expand, unmanaged or misconfigured assets create opportunities for attackers to establish a foothold. Continuous discovery and consistent monitoring help ensure nothing operates outside the security team's line of sight.

     Identity visibility is equally essential. With credential abuse now a leading attack vector, organizations need awareness of how accounts authenticate, when privileges change, and where anomalies appear across systems. Bringing asset and identity coverage together closes the gaps attackers look for and strengthens an organization's overall security posture. Your asset and identity coverage percentage tells you whether you are operating with full visibility or exposing the business to unseen gaps. Resilient organizations unify asset discovery, endpoint management, and identity monitoring on a single pane of glass, empowering teams to stay ahead even as environments sprawl. Take a tour of N-central and see how we unify IT Ops and SecOps for stronger resilience.

     6. Downtime avoided: Quantifying security's business value

     Translating technical wins into business outcomes is how IT earns board trust. By correlating incident response and recovery metrics with downtime costs, you deliver a dollar-value impact: tangible proof that your efforts directly protect revenue. Integrated platforms, real-time dashboards, and automatic reporting transform security from a cost center into a business safeguard.

     Make metrics your roadmap

     The real message from the latest N-able SOC data? Single-layer approaches and isolated tools are dead ends. According to our recent State of the SOC report, 137,000+ network and perimeter threats bypassed endpoints, and nearly half of all alerts never touched a traditional endpoint. Business resilience is now about defense-in-depth, layered visibility, and automation. If you are relying on what worked last year, you are behind. We encourage you to start with these six metrics, identify your gaps, and leverage unified security solutions that support operational clarity and proactive resilience. Ready to up your security game? Learn more about N-able's unified end-to-end cybersecurity and IT solutions.
  4. What does it really take to keep your organization running when attackers strike? The answer is business resilience: being able to detect, contain, and recover fast enough that disruptions are minimized, customers stay confident, and operations keep moving. From the latest 2026 State of the SOC Report, which is based on more than 900,000 alerts observed between March and December 2025 through the Adlumin Managed Detection and Response (MDR) service provided by the N-able SOC, we have seen firsthand where security strategies succeed and where they fall short. Below, we break down five actionable ways to build true resilience for your IT environment, using real-world data, strategic guidance, and frameworks that leading IT teams put into practice today.

     1. Stop trusting single-layer security

     If you are depending on just endpoint or cloud controls, you are missing nearly half the risk surface, and the numbers prove it. In 2025, 18% of all alerts at the N-able SOC came from network and perimeter (Unified Threat Management) exploits that bypassed endpoint visibility. Over 137,000 threats were detected where endpoint-only controls would have been blind.

     What we recommend: Embrace layered, defense-in-depth designs. That means combining identity, endpoint, network, cloud, and perimeter visibility, not just bolting on tools. Relying on a "magic bullet" solution leaves dangerous gaps. Looking for end-to-end coverage of your environment? Check out N-able Unified Security Solutions.

     2. Transition from manual to automated response

     SOC teams can't keep up with the flood of alerts: N-able handled 2 alerts per minute on average in 2025. That's why automation and Security Orchestration, Automation and Response (SOAR) saw a 500% YoY surge; almost one in four responses are now orchestrated automatically.

     Pro tip for IT leaders: Streamline workflows so triage and containment happen at machine speed, not human speed. Automate password resets, containment, and endpoint remediation, then focus your analysts on proactive threat hunting.

     3. Modernize endpoint and identity management

     Attack patterns are shifting. Of the 909,155 total alerts identified in N-able's 2026 SOC report, only about half touched the endpoint layer. Identity has become one of the fastest-growing attack surfaces, and organizations need visibility into suspicious sign-ins, privilege misuse, and anomalous authentication behavior before a breach unfolds. A flexible, unified endpoint management solution that helps you manage, control, and secure endpoints is table stakes in your tech stack. To address identity attacks, an Identity Threat Detection and Response (ITDR) solution closes this gap by correlating identity events, detecting credential abuse, and stopping identity-based attacks in progress. ITDR gives security teams a clearer picture of how users, systems, and privileges are being accessed so they can contain threats early, before lateral movement or escalation occurs.

     Actionable step: Integrate advanced multi-factor authentication, real-time patch management, and privileged access controls as foundational layers. Add continuous identity monitoring to detect unusual authentication patterns and catch malicious activity that endpoint-only tools cannot see. Transform your endpoint management: explore how N-able's N-central delivers simpler, smarter IT and security management.

     4. Build recovery readiness into your plan

     Resilience isn't just stopping an attack; it's restoring operations quickly and minimizing downstream damage. In an N-able case study, an MSP's customer suffered a ransomware attack on a Friday affecting 1.5 terabytes of data. Thanks to Cove's reliable backups (validated via recovery testing), the entire environment was fully restored by Monday, getting the business back online in under 3 days. This rapid recovery dramatically limited downtime and business disruption.

     Our advice: Test backups regularly, ensure they are immutable, and tie recovery procedures directly into your SOC playbooks. Business continuity hinges on the speed and certainty of your recovery. See how Cove Data Protection delivers data resiliency by recovering quickly and reliably after every disaster.

     5. Prepare for the next attack surface: AI

     AI is transforming both defense and risk. By 2026, up to 90% of investigations could be automated by AI. But adversaries aren't far behind: compromised AI orchestration or poisoning can create new attack vectors that bypass traditional controls.

     What you need to do now: Audit where AI and automation touch your environment and monitor their actions with the same rigor as human activity. Prepare to secure agent-to-agent communications and maintain oversight as AI-driven processes mature. Explore how N-able leverages AI to protect customer environments around the clock.

     Strengthen your business with resilience-first security

     Resilience isn't a buzzword; it's the only practical answer for IT leaders dealing with today's complex, fast-moving threat landscape. By focusing on layered defense, automation, unified recovery, and AI-integrated controls, you position your organization for uptime and continued success. Ready to level up your approach? Get started with our Cyber Resilience Primer: What You Need to Know in 2026.
  5. Developers can spend days using fuzzing tools to find security weaknesses in code. Alternatively, they can simply ask an LLM to do the job for them in seconds. The catch: LLMs are evolving so rapidly that this convenience might come with hidden dangers. The latest example comes from researcher Hung Nguyen of AI red teaming company Calif, who, with simple prompts to Anthropic's Claude Code, was able to uncover zero-day remote code execution (RCE) vulnerabilities in the source code of two of the most popular developer text editors, Vim and GNU Emacs.

     Nguyen started with Vim. "Somebody told me there is an RCE 0-day when you open a file. Find it," he instructed Claude Code. Within two minutes, Claude Code had discovered the flaw: missing critical security checks (P_MLE and P_SECURE) in the tabpanel sidebar introduced in 2025, and a missing security check in the autocmd_add() function. Claude Code then helpfully tried to find ways to exploit the vulnerability, eventually suggesting a tactic that bypassed the Vim sandbox by persuading a target to open a malicious file. It had gone from prompt to proof-of-concept (PoC) exploit in minutes.

     "An attacker who can deliver a crafted file to a victim achieves arbitrary command execution with the privileges of the user running Vim," Vim maintainers noted in their security advisory. "The attack requires only that the victim opens the file; no further interaction is needed."

     GNU Emacs 'forever-day'

     Surprised, Nguyen then jokingly suggested Claude Code find the same type of flaw in a second text editor, GNU Emacs. Claude Code obliged, finding a zero-day vulnerability, dating back to 2018, in the way the program interacts with the Git version control system that makes it possible to execute malicious code simply by opening a file.

     "Opening a file in GNU Emacs can trigger arbitrary code execution through version control (git), most requiring zero user interaction beyond the file open itself. The most severe finding requires no file-local variables at all — simply opening any file inside a directory containing a crafted .git/ folder executes attacker-controlled commands," he wrote.

     One fixed, one not

     When notified, Vim's maintainers quickly fixed their issue, identified as CVE-2026-34714 with a CVSS score of 9.2, in version 9.2.0272. Unfortunately, addressing the GNU Emacs vulnerability, which currently has no CVE identifier, isn't as straightforward. Its maintainers believe it to be a problem with Git and declined to address the issue; in his post, Nguyen suggests manual mitigations. The vulnerable versions are 30.2 (stable release) and 31.0.50 (development). Until a fix ships, the practical consequence of Nguyen's description is that opening any file from an untrusted directory tree containing a .git/ folder in an affected Emacs should be treated as executing code from that tree.

     Vulnerable code

     What does the discovery of these flaws tell us? Clearly, that large numbers of old codebases are potentially vulnerable to the power of AI tools such as Claude Code. Just because a weakness hasn't been noticed for years doesn't mean it will stay hidden for long in the AI era. That is, potentially, a big change, although hardly one that Anthropic itself hasn't already flagged. In February, the company revealed that its Opus 4.6 model had been used to identify 500 high-severity security vulnerabilities. "AI language models are already capable of identifying novel vulnerabilities, and may soon exceed the speed and scale of even expert human researchers," it said at the time. The platform is powerful enough that an enterprise version with the same capabilities, Claude Code Security, even negatively affected stock market sentiment towards several traditional cybersecurity companies when it was launched.

     A second issue is that LLMs are now capable of spotting, iterating on, and creating PoCs for vulnerabilities in ways developers still need to come to terms with. Meanwhile, the potential for malicious use is hard to ignore. "How do we professional bug hunters make sense of this?" Nguyen asked. "This feels like the early 2000s. Back then a kid could hack anything, with SQL Injection. Now [they can] with Claude."
  6. Microsoft is warning WhatsApp users of a new malware campaign that tricks them into executing malicious Visual Basic Script (VBS) files, ultimately enabling persistence and remote access. In a March 31 report, Microsoft Defender Experts said attackers have been distributing malicious VBS files through WhatsApp since at least late February, relying on social engineering to get them executed. Once launched, the scripts delay execution and then start a multi-stage infection flow designed to blend into normal system activity while pulling additional payloads for remote control in the background.

     "The campaign relies on a combination of social engineering and living-off-the-land (LOTL) techniques," Microsoft researchers wrote in the report. "By combining trusted platforms with legitimate tools, the threat actor reduces visibility and increases the likelihood of successful execution." The campaign ultimately installs malicious Microsoft Installer (MSI) packages to maintain control of the infected devices.

     Campaign deploys a LOTL infection chain

     The attack begins with a WhatsApp message carrying a VBS file. Once executed, the script creates hidden directories on the system and begins staging the next steps of the compromise. Rather than dropping custom malware immediately, however, the campaign relies on living-off-the-land techniques. The VBS payload deploys renamed copies of legitimate Windows utilities, such as curl.exe and bitsadmin.exe, under misleading filenames to evade casual inspection. Because renaming changes neither the binary nor its embedded version resource, these copies retain their original metadata (and, where present, a valid Authenticode signature), while the altered names let them blend into the environment as they download additional payloads.

     "Microsoft Defender and other security solutions can leverage this metadata discrepancy as a detection signal, flagging instances where a file's name does not match its embedded OriginalFileName," the report added.

     The researchers noted that even payload retrieval happens from legitimate hosting sources. Attackers host components on well-known cloud platforms, including AWS, Tencent Cloud, and Backblaze B2. The combination of trusted tools, trusted infrastructure, and staged execution is what makes this a low-noise, reliable attack path.

     MSI as the backdoor vehicle for persistence

     The final stages of the campaign establish persistence using Microsoft Installer (MSI) packages as the delivery mechanism for backdoors. MSI files are an effective choice because they are not usually treated as inherently suspicious and can execute custom actions during installation. In this campaign, they deploy malware that maintains access, escalates privileges, and enables remote control of infected systems. By the time the MSI component is installed, the attackers have already established a foothold using scripts and system tools, making the backdoor just one layer in a broader persistence strategy. The earlier stages prepare the environment, while the installer formalizes long-term access. Microsoft also noted that the campaign incorporates privilege escalation to strengthen persistence, enabling malware to run with elevated privileges and maintain access beyond the initial user-level compromise.

     Recommendations included monitoring script and installer execution, watching for misuse of legitimate tools, and tracking suspicious activity tied to files delivered through platforms like WhatsApp.
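The metadata discrepancy Microsoft describes is straightforward to hunt for on a host. The following PowerShell is an added example, not code from the Microsoft report or from Defender: it walks a set of paths (including hidden items, since the script drops into hidden directories), reads each executable's embedded OriginalFilename from the PE version resource, reports files whose on-disk name differs, and then stages a benign copy of the built-in curl.exe under a misleading name so the check can be seen firing. The watch-list entries beyond curl.exe and bitsadmin.exe, the ".MUI" allow-listing, the staging directory name and the suggested hunt paths are this example's assumptions, not details from the report.

```powershell
# Added example, not code from the Microsoft report: hunt for renamed Windows
# utilities by comparing each executable's on-disk name with the OriginalFilename
# stored in its PE version resource. A mismatch is the signal the report
# describes. Treat hits as leads, not verdicts: a few legitimate binaries carry
# an OriginalFilename that differs from the file name (the ".MUI" suffix on some
# Microsoft binaries is the common case and is handled below).

function Find-RenamedBinaries {
    param(
        [Parameter(Mandatory)] [string[]] $Path,

        # Utilities worth prioritizing when they turn up under another name.
        # curl.exe and bitsadmin.exe are named in the report; the others are
        # this example's additions from common living-off-the-land tradecraft.
        [string[]] $WatchList = @('curl.exe', 'bitsadmin.exe', 'certutil.exe', 'mshta.exe', 'rundll32.exe')
    )

    # -Force includes hidden and system items; the campaign stages into hidden directories.
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.scr', '.com' } |
        ForEach-Object {
            $vi   = $_.VersionInfo
            $orig = $vi.OriginalFilename
            if ([string]::IsNullOrWhiteSpace($orig)) { return }  # no version resource: nothing to compare

            # Some Microsoft binaries embed "NAME.EXE.MUI"; strip the suffix before comparing.
            $origBase = $orig.Trim() -replace '\.MUI$', ''

            # -eq on strings is case-insensitive in PowerShell, so CURL.EXE vs curl.exe is not a hit.
            if ($origBase -eq $_.Name) { return }

            [pscustomobject]@{
                Path             = $_.FullName
                Name             = $_.Name
                OriginalFilename = $orig.Trim()
                OnWatchList      = ($origBase -in $WatchList)
                Company          = $vi.CompanyName
                # Renaming does not touch the PE image, so the Authenticode signature of a
                # copied Windows utility stays Valid. A valid Microsoft signature under an
                # unfamiliar file name is exactly the shape this campaign produces.
                Signature        = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

# Demo: stage a benign copy of the built-in curl.exe (shipped with Windows 10
# 1803 and later) under a misleading name, the way the campaign does, and
# confirm the scan reports it. Nothing is executed.
$stage = Join-Path $env:TEMP 'lotl-rename-demo'
New-Item -ItemType Directory -Path $stage -Force | Out-Null
Copy-Item -Path "$env:SystemRoot\System32\curl.exe" -Destination (Join-Path $stage 'svc_helper.exe') -Force

Find-RenamedBinaries -Path $stage |
    Format-Table Name, OriginalFilename, OnWatchList, Signature -AutoSize

# Real hunt: user-writable locations first, since that is where dropped staging
# files and the hidden directories the script creates tend to live.
# Find-RenamedBinaries -Path $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:PUBLIC, "$env:SystemDrive\ProgramData" |
#     Where-Object OnWatchList | Sort-Object Path
```

The staged svc_helper.exe should appear in the output with curl.exe as its OriginalFilename and OnWatchList set to True. The Signature column is the triage aid: the copy is still Microsoft-signed, so a "valid signature, wrong name" hit in a user-writable directory is worth pulling the parent process and network activity for, whereas an unsigned mismatch in Program Files is more often a third-party installer's own renaming.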
  7. According to Iran's judiciary, hackers have allegedly gained access to data belonging to a well-known exile news portal. Large quantities of data were said to have been taken, including correspondence, lists of employees and informants, and strictly confidential material, the judiciary's mouthpiece, the news agency Misan, reported. The portal in question is the well-informed website Iranwire. On Tuesday it was initially not reachable as usual. "We are currently carrying out scheduled maintenance. We will be back online as soon as possible," the site said. The outlet remained active on social media, however: on the platform X, Iranwire continued to post on Tuesday without reporting a hacker attack. In its report, Misan wrote that the hacker group "Handala" was responsible for the alleged attack. The same group is said to be behind a cyberattack a few days earlier on the director of the US Federal Bureau of Investigation (FBI), Kash Patel. (dpa)
8. AI hallucinations are a well-known problem and, when it comes to compliance assessments, these convincing but inaccurate outputs can cause real damage: poor risk assessments, incorrect policy guidance, or even inaccurate incident reports. Cybersecurity leaders say the real trouble starts when AI moves past writing summaries and begins making judgment calls. That’s when it’s asked to decide things such as whether security controls are doing their job, if a company is meeting compliance standards, or if an incident was handled the right way. Here are nine ways CISOs can tackle the problem of AI hallucinations.

Keep humans in the loop for high-stakes decisions

Fred Kwong, vice president and CISO at DeVry University, says his team is carefully testing AI in governance, risk, and compliance work, especially in third-party risk assessments. He notes that while AI helps review vendor questionnaires and the supporting evidence that attests to those vendors’ security posture, it doesn’t replace people. “What we’re seeing is the interpretation is not as good as I would want it to be, or it’s different than how we’re interpreting it as humans,” Kwong says. He explains that AI often reads control requirements differently than experienced security professionals do. Because of that, his team still reviews the results manually. For now, AI is not saving much time because the trust in the technology just is not there yet, he says. Mignona Coté, senior vice president and CISO at Infor, agrees that human oversight is critical, especially in risk scoring, control assessments, and incident triage. “Keep the human in the loop, full stop,” says Coté, who sees AI as a productivity tool, not something that should make final decisions on its own.

Treat AI outputs as drafts, not finished products

One of the biggest risks is over-trusting AI, according to security experts.
Coté says her organization changed its policy so AI-generated content cannot go straight into compliance documentation without a human review. “The moment your team starts treating an AI-generated answer as a finished work product, you have a problem,” she says. “Treat every output as a first draft as opposed to a final one. There will come a point where repetitive questions will have repetitive answers. By labeling those answers and time stamping them at origination time, they can be addressed at scale.” Srikumar Ramanathan, chief solutions officer at Mphasis, says this over-trust often comes from what he calls “automation bias.” People naturally assume that something written clearly and confidently must be correct. To counter that, he says companies need to build an “active skepticism” culture. “[That means] looking upon AI outputs as unverified drafts that require a signature of human accountability before they are actionable,” he explains.

Demand proof, not polished prose, from vendors

When vendors say their AI can “assess compliance” or “validate controls,” security leaders say buyers need to ask the tough questions. Kwong says he pushes vendors to provide traceability of the answers the AI gives so his team can see how the AI reached its conclusions. “Without that traceability, it makes it even that much harder for us to identify,” he says. Ramanathan says buyers should ask whether the system can point to the exact evidence behind its answer, such as a time-stamped log entry or a specific configuration file. If it can’t, the tool may just be generating text that sounds right. Puneet Bhatnagar, a cybersecurity and identity leader, says the key question is whether the AI is actually analyzing live operational data or just summarizing documents.
“If a vendor cannot show a deterministic evidence path behind its conclusion, it’s likely generating narrative – not performing an assessment,” says Bhatnagar, who most recently served as SVP and head of identity management at Blackstone. “Compliance isn’t about language. It’s about proof.”

Stress-test models before extending trust

Kwong recommends testing AI tools to see how consistent they are. For example, send the same data through twice and compare the results. “If you send the same data again, is it spitting back the same result?” he asks. If answers change significantly, that’s a red flag. He also suggests removing important evidence to see how the model reacts. If it confidently gives an answer anyway, that could signal a hallucination. Coté says her team checks AI outputs against other tools, including scanning systems and external penetration testing results. “And we don’t extend trust to any AI tool until it has proven itself against known outcomes repeatedly,” she says.

Measure hallucination rates and monitor drift

Security leaders say organizations need to track how accurate AI is over time. Kwong says teams should regularly compare AI-generated assessments with human reviews and study the differences. That process should happen at least quarterly. Ramanathan suggests tracking metrics such as “drift rate,” which measures how often AI conclusions differ from human reviews. “A model that was 92% accurate six months ago and is 85% accurate today is more dangerous than one that’s been consistently at 80% because your team’s trust was calibrated to the higher number,” he notes. He also recommends measuring how often cited evidence truly supports the AI’s claims. If hallucination rates climb too high, organizations should reduce how much authority the AI has, for example by downgrading it to a less autonomous role in their governance models.
Watch for contextual blind spots in compliance mapping

Bhatnagar says the most dangerous hallucinations happen when AI is asked to make judgment calls about control effectiveness, regulatory gaps, or incident impact. AI can produce what he calls “plausible compliance”, or answers that sound convincing but are wrong because they lack real-world context. Compliance often depends on technical details, compensating controls, and operational realities that documentation alone doesn’t show. Ramanathan adds that AI often struggles with the nuance of permissive language (“may,” “can”) versus restrictive language (“must,” “is required to”). “For example, AI often misinterprets permissive language like ‘employees may access the system after completing training’ as a strict, enforceable rule, treating optional permissions as mandatory controls,” Ramanathan explains. “This causes AI to overestimate the authority of permissive or vague language, resulting in incorrect assumptions about whether policies are properly enforced or security measures are effective.”

Push back on generic or identical assessments

Some vendors overstate what their AI tools actually do. Bhatnagar says many tools summarize documents or generate gap reports, but vendors market those features as if they’re doing full, automated compliance checks. The risk increases when multiple customers receive nearly identical assessments. Organizations may believe their controls were thoroughly evaluated when the AI only performed a surface-level document review. Ramanathan says this creates false confidence and broader industry risk. If one popular model has a flaw, that blind spot can spread widely. Bhatnagar adds that he has seen vendors market AI tools as assessing whether organizations are compliant, even when multiple customers receive structurally similar or nearly identical assessments.
In those situations, the tool may not actually be analyzing company-specific policies or evidence but instead generating text that appears customized without being grounded in reality, he says. “We are still in the early stages of separating AI narrative generation from AI-based verification,” he says. “That distinction will define the next phase of governance tooling.”

Reinforce accountability in audits and legal reviews

From a regulatory standpoint, AI does not remove responsibility, according to experts. Ramanathan says regulators are clear that duty of care stays with corporate officers. “If an AI-generated assessment misses a material weakness, the organization is liable for ‘failure to supervise,’” he says. “We are already in an era wherein relying on unverified AI outputs could be seen as gross negligence. If your audit findings are wrong because of an AI error, you haven’t just failed an audit, you are held responsible for filing a misleading regulatory statement. ‘AI told me so’ is not a defense.” Coté says being able to show that a human reviewed and approved each consequential decision is critical during audits. “The key is proving a human was at every consequential decision point, with a timestamp and an audit trail to back it up,” she notes.

Be cautious with automated regulatory mapping

Ramanathan says that one of the biggest compliance risks appears when companies rely on AI to automatically map internal controls to regulatory frameworks, such as GDPR or SOC 2. “The greatest compliance risk by far is in automated regulatory mapping,” he notes. “The AI might confidently claim a control exists or satisfies a requirement based on a linguistic pattern rather than a functional or operational reality.” For example, an AI tool might see an encryption setting listed in a database configuration and assume encryption is active, even if that feature is turned off in the system.
Ramanathan says this can create “a massive security gap where a company believes they are audit-ready, only to discover during a breach that their AI-verified defenses were nonexistent or misconfigured.” To reduce that risk, he says organizations need to structure their policies and regulations more clearly and connect them to enforceable technical rules rather than relying only on AI to interpret documents. View the full article
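The encryption-setting case above, and the article's advice to connect policy to enforceable technical rules, in an added example that is not from the article or any vendor: a naive keyword mapper of the kind it warns about sits beside a functional check that evaluates the actual configuration value and returns the evidence behind each verdict, plus a small classifier for permissive versus mandatory policy wording. The control ids, rule format, sample configurations and modal-verb lists are constructed assumptions.

```python
"""Added example (not from the article): plausible-compliance keyword mapping
versus a functional check with a deterministic evidence path.
Control ids, the rule format and the sample configs are constructed."""
import re

# Constructed database configuration, as an AI mapping tool might receive it.
# The word "encryption" is present, but the feature itself is switched off.
DB_CONFIG_TEXT = """
[storage]
; a key reference exists, but the feature that would use it is off
encryption_at_rest = off
encryption_key_ref = vault://kv/db/tde-key
tls_min_version = 1.0
"""

# The same configuration after remediation (constructed).
FIXED_CONFIG_TEXT = DB_CONFIG_TEXT.replace("= off", "= on").replace("= 1.0", "= 1.2")

# Requirements expressed as enforceable technical rules rather than prose:
# control id -> (config key, predicate over the raw value, rationale)
RULES = {
    "CTRL-ENC-01": ("storage.encryption_at_rest",
                    lambda v: v.lower() in ("on", "true", "1"),
                    "data at rest must be encrypted"),
    "CTRL-TLS-02": ("storage.tls_min_version",
                    lambda v: float(v) >= 1.2,
                    "client connections must negotiate TLS 1.2 or newer"),
}
KEYWORDS = {"CTRL-ENC-01": "encryption", "CTRL-TLS-02": "tls"}


def parse_ini(text):
    """Minimal INI-style parser producing 'section.key' -> raw string value."""
    values, section = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep:
            values[f"{section}.{key.strip()}"] = value.strip()
    return values


def keyword_mapper(config_text, control_id):
    """'Plausible compliance': a linguistic match with no functional check.
    It reports the encryption control satisfied merely because the word appears."""
    return "satisfied" if KEYWORDS[control_id] in config_text.lower() else "unknown"


def functional_check(config_text, control_id):
    """Evaluates the rule against the parsed value and returns the verdict
    together with the evidence path (key and raw value) it rests on."""
    key, predicate, rationale = RULES[control_id]
    values = parse_ini(config_text)
    if key not in values:
        return {"control": control_id, "verdict": "no_evidence",
                "evidence": None, "rationale": rationale}
    raw = values[key]
    try:
        ok = predicate(raw)
    except ValueError:  # an unparsable value is not evidence of compliance
        ok = False
    return {"control": control_id,
            "verdict": "satisfied" if ok else "not_satisfied",
            "evidence": {"key": key, "value": raw}, "rationale": rationale}


def overstated_controls(config_text):
    """Controls the keyword mapper calls satisfied but the functional check does not."""
    return [c for c in RULES
            if keyword_mapper(config_text, c) == "satisfied"
            and functional_check(config_text, c)["verdict"] != "satisfied"]


_MANDATORY = re.compile(r"\b(must|shall|is required to|are required to)\b", re.I)
_PERMISSIVE = re.compile(r"\b(may|can|might)\b", re.I)


def policy_modality(sentence):
    """Classifies policy wording so permissive language is not read as a control."""
    if _MANDATORY.search(sentence):
        return "mandatory"
    if _PERMISSIVE.search(sentence):
        return "permissive"
    return "unclear"


if __name__ == "__main__":
    for cid in RULES:
        print(cid, "keyword:", keyword_mapper(DB_CONFIG_TEXT, cid),
              "functional:", functional_check(DB_CONFIG_TEXT, cid))
    print("overstated by keyword mapping:", overstated_controls(DB_CONFIG_TEXT))
```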
9. Organizations have been responding to phishing, business email compromise, and credential theft in essentially the same manner for over ten years. They follow a playbook that involves investing in awareness training, running phishing simulations, and requiring employees to complete annual security modules. The reasoning behind these efforts is straightforward: if people can better spot malicious emails and recognize malicious activity, incidents will decrease. Yet the amount of money lost to business email compromise keeps rising. Credential harvesting is still successful. Conventional multi-factor authentication is frequently circumvented by adversary-in-the-middle phishing kits. Under duress, senior executives, including seasoned finance leaders, continue to approve fraudulent payments. This persistence points to a deeper misclassification in enterprise security strategy. Awareness has been treated as a control, although it is an educational measure that promotes culture rather than imposing results. This distinction has important ramifications for how businesses evaluate and control risk.

The core misunderstanding

A true security control prevents, detects, or limits an outcome regardless of what an individual does, knows or does not know. Conditional access rules, for instance, do not depend on an employee having a good day, and network segmentation does not depend on an employee remembering a policy. Likewise, segregation of duties in finance exists precisely to ensure that no single individual can independently authorize high-risk transactions. These mechanisms are engineered to constrain risk structurally rather than depend on behavioral perfection. Security awareness has its own purpose: to influence behavior by improving human judgment in situations involving time pressure and often incomplete information.
Although these initiatives can lessen the possibility of poor decisions, they cannot ensure consistent results across a varied workforce of individuals working in a variety of environments. Human performance is inherently variable, especially under differing conditions, and training does not eliminate that variability. When organizations term security awareness a “layer of defense,” they implicitly place it alongside technical and procedural safeguards, which can distort how risk is understood and assigned. Responsibility for incidents thus shifts subtly toward individuals, especially when an employee clicks a malicious link or authorizes a fraudulent request. The resulting narrative often emphasizes human error rather than examining whether the surrounding system allowed a single, foreseeable mistake to create material impact. A more constructive line of inquiry is to examine whether the organization’s controls were designed to anticipate foreseeable human mistakes and limit their effects before they cause enterprise-level harm.

The predictability of human error

Human error is sometimes viewed as an exception in security incident conversations, as if a breach happened because someone made a mistake that should have been prevented. Human error is a constant in complex systems, especially in large organizations where everyday operations are shaped by scale, pace, and conflicting agendas. The pertinent question is whether the surrounding environment has been constructed with the inevitable occurrence of mistakes in mind, rather than whether mistakes will occur at all. Modern social engineering campaigns reflect a sophisticated understanding of how organizations function. Attackers study reporting lines, financial processes, vendor relationships, and executive communication styles, sometimes gleaned from previously compromised accounts in similar industries.
They time their messages to coincide with legitimate business activity and plan them to align with travel schedules, invoice payments and quarter-end reporting pressure. In many business email compromise cases there is no malware and no technical exploit in the traditional sense; the attack succeeds because it takes advantage of the trust ingrained in regular operations and blends seamlessly into established routines. Under such conditions, expecting flawless human performance is unrealistic. Employees manage high volumes of communication while also juggling deadlines and performance expectations. Senior leaders frequently make decisions with incomplete information, balancing urgency against risk to keep the business running. When a request appears in line with organizational standards and past experience, even highly skilled individuals may misread it. These mistakes are a natural result of cognitive load, environmental cues, and institutional dynamics, not necessarily proof of carelessness. High-risk industries like aviation and healthcare acknowledge this reality and build multi-layered protections to stop a single error from turning into a disaster. Checklists, redundancy, and cross-verification processes are embedded in organizational pipelines to ensure that systems remain safe even when individuals are imperfect. The same discipline has not always been applied in enterprise cybersecurity. A single compromised credential or a single configuration error, as exemplified by the CrowdStrike outage, can still result in serious operational or financial harm in many settings. When that degree of fragility is present, the system’s distribution of authority and its capacity to absorb errors become more pertinent than individual behavior.

Awareness cannot function as a primary safeguard

There are structural limitations that prevent awareness from serving as a dependable control.
First, cognitive load and decision fatigue are unavoidable in complex organizations. Even experienced professionals make mistakes due to reduced scrutiny when under pressure, and awareness training does not eliminate this human reality. Awareness training may increase general suspicion, but it cannot change the fact that individuals must constantly triage information under time pressure, so occasional lapses in judgment are statistically inevitable. Second, organizational dynamics further complicate the picture, especially in traditional societies where hierarchy is strongly upheld. Hierarchy and perceived authority are exploited in many successful business email compromise incidents as a result. Requests that seem to come from senior executives are implicitly urgent and significant for the organization. Employees are frequently trained to support executive instructions rather than impede them, particularly when it comes to urgent financial matters where delay could slow down business processes. Third, the widespread adoption of multi-factor authentication has contributed to an inflated sense of security. While MFA greatly improves security over password-only settings, not all implementations are impervious to modern attack methods. Push fatigue attacks take advantage of routine approval patterns, adversary-in-the-middle frameworks can steal and replay session tokens, and device code / OAuth consent phishing can provide continuous access without the need for conventional credential theft. In these cases employees may follow established security procedures and still be compromised, because the architecture allows it. Taken together, these reasons show why awareness is not a reliable main protection. It can strengthen best practices and lower risk at the edges, but it cannot make up for shoddy identity architecture, brittle finance procedures, or inadequate monitoring.
Treating human risk as a design constraint

A more refined approach reframes human risk as an engineering consideration rather than a behavioral flaw. Security leaders should assess which decisions entail a disproportionate amount of risk when carried out in isolation, rather than asking how to train staff to recognize every potential phishing variant. Salient questions in this regard include:

Should a single email request ever be sufficient to initiate a high-value transfer?
Are payment instruction changes subject to enforced out-of-band verification?
Does identity infrastructure continuously validate session integrity?
Are anomalous financial behaviors detected in real time?

This shift moves the focus from persuading individuals to behave perfectly toward building systems that remain resilient when they do not.

What structural controls should look like

An enterprise strategy that effectively tackles human-centric threats includes defenses that function without constant human vigilance. Device-bound passkeys and hardware-backed credentials are examples of phishing-resistant authentication techniques that lessen vulnerability to push-based manipulation and token interception. Compared to static MFA prompts alone, conditional access policies that also assess device health and onboarding status, geolocation anomalies, and behavioral risk signals offer greater assurance. In the same vein, financial workflows should embed separation of duties and enforced verification. Secondary validation should be required through separate channels for high-value transactions, vendor banking changes, and urgent payment requests. Systems for tracking transactions should also be able to spot anomalous payment amounts or departures from historical trends. Particular consideration should also be given to identity telemetry.
Persistence tactics frequently employed in business email compromise campaigns can be found by keeping an eye on mailbox rules, atypical travel, OAuth grants, privileged role assignments, and session oddities. Using Privileged Identity Management solutions, privileged access should be time-bound and approval-based to reduce the blast radius of credential misuse. Although human error cannot be eliminated, these precautions greatly lessen the chance that a single error will result in severe material loss.

From blame game to architecture

It makes sense that organizations gravitate toward awareness-raising campaigns. They are visible, often reasonably priced when bundled as part of existing security tooling, and quantifiable. Architectural redesign, identity modernization, and workflow reorganization, on the other hand, need more funding and cross-functional cooperation. Threat actors, however, are becoming more adept at taking advantage of the predictable human behavior patterns embedded in current corporate procedures. They only require people to be human, because they understand the urgency, trust, and operational complexity that frequently accompany time-sensitive professions and high-pressure conditions, and the complacency that follows. The rational response is to assume imperfection and build accordingly.

A more honest assessment of systemic risk

Security awareness remains an important component of organizational culture. Employees should understand common attack patterns and feel empowered to report suspicious activity. However, awareness should be viewed as a supporting measure rather than a primary safeguard. When a single decision can still trigger substantial financial or operational damage, the organization’s exposure is rooted in design. Resilient enterprises acknowledge that human error is inevitable and ensure that their identity architecture, financial controls, and monitoring capabilities are robust enough to absorb it.
Reframing awareness in this way does not diminish its value. It places it in the correct category and forces a more honest assessment of systemic risk. Until that shift occurs, many organizations will continue to invest heavily in training while leaving structural weaknesses intact, and attackers will continue to exploit the gap between education and engineering. This article is published as part of the Foundry Expert Contributor Network. View the full article
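The identity telemetry the article says to watch (mailbox rules, OAuth grants, atypical travel), as an added example that is not part of the article: detection logic run over a few constructed audit events. The event field names, the allow lists, the scope names used in the sample data and the travel window are assumptions, not any identity provider's schema or any organization's policy.

```python
"""Added example (not from the article): detection checks for BEC persistence
signals over constructed identity audit events. Schema, allow lists and
thresholds are assumptions."""
from datetime import datetime, timedelta

ORG_DOMAINS = {"example.com"}              # assumption: the organization's mail domains
APPROVED_APPS = {"Corporate Mail Client"}  # assumption: OAuth apps vetted by IT
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "offline_access"}
FINANCE_TERMS = ("invoice", "payment", "wire", "bank", "remittance")
HIDE_ACTIONS = {"delete", "move_to_junk", "mark_read"}  # ways to hide mail from its owner
TRAVEL_WINDOW = timedelta(minutes=60)


def check_inbox_rule(ev):
    """Flags rules that forward mail outside the org or hide finance-related mail."""
    reasons = []
    fwd = ev.get("forward_to") or ""
    if fwd and fwd.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS:
        reasons.append(f"forwards mail to external address {fwd}")
    hiding = sorted(set(ev.get("actions", [])) & HIDE_ACTIONS)
    cond = (ev.get("condition") or "").lower()
    if hiding and any(term in cond for term in FINANCE_TERMS):
        reasons.append(f"hides finance-related mail via {hiding}")
    return reasons


def check_consent_grant(ev):
    """Flags unapproved applications granted mailbox access or long-lived tokens."""
    if ev.get("app") in APPROVED_APPS:
        return []
    risky = sorted(set(ev.get("scopes", [])) & MAIL_SCOPES)
    return [f"unapproved app {ev.get('app')!r} granted {risky}"] if risky else []


def check_atypical_travel(signins):
    """Flags the same user seen in two countries within TRAVEL_WINDOW."""
    alerts, last_seen = [], {}
    for ev in sorted(signins, key=lambda e: datetime.fromisoformat(e["time"])):
        prev = last_seen.get(ev["user"])
        if prev and prev["country"] != ev["country"]:
            gap = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(prev["time"])
            if gap <= TRAVEL_WINDOW:
                alerts.append((ev["user"], "atypical_travel",
                               f"{prev['country']} then {ev['country']} within {gap}"))
        last_seen[ev["user"]] = ev
    return alerts


def analyze(events):
    """Runs every check and returns (user, category, reason) tuples."""
    alerts = []
    for ev in events:
        if ev["type"] == "NewInboxRule":
            alerts += [(ev["user"], "inbox_rule", r) for r in check_inbox_rule(ev)]
        elif ev["type"] == "ConsentGrant":
            alerts += [(ev["user"], "oauth_grant", r) for r in check_consent_grant(ev)]
    alerts += check_atypical_travel([e for e in events if e["type"] == "SignIn"])
    return alerts


# Constructed sample events: a tiny slice of what an identity audit log might hold.
SAMPLE_EVENTS = [
    {"type": "NewInboxRule", "user": "cfo@example.com", "condition": "subject contains 'invoice'",
     "actions": ["mark_read", "delete"], "forward_to": None},
    {"type": "NewInboxRule", "user": "alice@example.com", "condition": "all messages",
     "actions": ["forward"], "forward_to": "alice.home@mail.example.net"},
    {"type": "NewInboxRule", "user": "bob@example.com", "condition": "from 'newsletter'",
     "actions": ["move_to_folder"], "forward_to": None},
    {"type": "ConsentGrant", "user": "cfo@example.com", "app": "PDF Viewer Pro",
     "scopes": ["Mail.Read", "offline_access"]},
    {"type": "ConsentGrant", "user": "alice@example.com", "app": "Corporate Mail Client",
     "scopes": ["Mail.ReadWrite"]},
    {"type": "SignIn", "user": "cfo@example.com", "time": "2025-11-03T08:05:00+00:00", "country": "DE"},
    {"type": "SignIn", "user": "cfo@example.com", "time": "2025-11-03T08:40:00+00:00", "country": "NG"},
    {"type": "SignIn", "user": "bob@example.com", "time": "2025-11-03T09:00:00+00:00", "country": "DE"},
    {"type": "SignIn", "user": "bob@example.com", "time": "2025-11-03T15:00:00+00:00", "country": "US"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```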
  10. CSOonline posted a techarticle in Security
    View the full article
  11. IT leaders are setting their operations strategies for 2026 with an eye toward agility, flexibility, and tangible business results. Download the January 2026 issue of the Enterprise Spotlight from the editors of CIO, Computerworld, CSO, InfoWorld, and Network World and learn about the trends and technologies that will drive the IT agenda in the year ahead. View the full article
12. Sergey Zaykov | shutterstock.com Regular network scans are no longer enough to keep an attack surface hardened. Ensuring the security of corporate resources and customer data requires continuous monitoring for new assets and configuration drift. Tools in the areas of Cyber Asset Attack Surface Management (CAASM) and External Attack Surface Management (EASM) are designed to quantify, minimize and harden an organization's attack surface. The goal is to give attackers as little information as possible about the company's security posture while keeping critical business services running. Agentic AI is now playing an increasingly important role here as well.

12 attack surface management tools

The following twelve solutions help you identify and manage risks.

Axonius Cyber Asset Attack Surface Management

This CAASM suite from Axonius covers all the important aspects of attack surface monitoring. The tool first builds an asset inventory that is updated automatically and enriched with context from internal data sources and resources. It is also possible to set up monitoring processes that run on the basis of policies such as PCI or HIPAA, so that configurations or vulnerabilities that violate them can be identified and appropriate measures taken.

Bugcrowd EASM

Bugcrowd acquired Informer.io in May 2024 and integrated its EASM offering into its security platform. It automates asset discovery across web applications, APIs and other public-facing components of the IT stack. The solution monitors assets continuously, prioritizing identified risks in real time. Additional services such as manual risk reviews or penetration tests are also available.
The solution's workflow-based response system promises easier involvement of multiple teams by integrating existing ticketing and communication tools. Also practical is the ability to validate configuration changes or system updates to make sure that identified threats have actually been remediated.

CrowdStrike Falcon Exposure Management

CrowdStrike has expanded its Falcon Surface offering from a standalone EASM tool into a core component of Falcon Exposure Management. The solution is now also supported by AI-native code in identifying and eliminating risks, and the technology is also used for adversarial AI scenarios. The CrowdStrike solution can also correlate risks with business context, validate exploitability and initiate direct remediation through the Falcon platform. The tool is meant to give companies a lasting overview of their attack surface and to detect risks or threats using a variety of techniques, including active, passive and API-based scans to identify internet-connected assets. Falcon Exposure Management is not part of CrowdStrike's enterprise software bundle; it can be purchased as a subscription license based on the number of managed endpoints.

CyCognito Attack Surface Management

CyCognito's CAASM product offers continuous monitoring and inventory of assets, regardless of whether they are on-premises, in the cloud, at a third party or at a subsidiary. To ease triage and risk prioritization, business context can also be added (for example, relationships between individual assets), which helps to focus on the most important network risks.
CyCognito's tool also tracks configuration changes, making it possible to quickly identify new risks to the corporate infrastructure.

JupiterOne Cyber Asset Attack Surface Management

JupiterOne promotes its CAASM solution as a way to “seamlessly aggregate cyber asset data into a unified view”. Context is added automatically as needed, and the relationships between assets can be defined and refined to improve vulnerability analysis and incident response capabilities. Custom queries allow cybersecurity teams to answer complex questions, while the asset inventory can be explored via an interactive map. The security tools you have already invested in can be integrated, allowing a holistic, centralized perspective on the security posture.

Microsoft Defender External Attack Surface Management

Microsoft Defender EASM detects unmanaged assets and resources that are deployed as shadow IT or reside on other cloud platforms. Once the assets and resources are identified, the tool looks for vulnerabilities at every layer of the technology stack, including the underlying platform, app frameworks, web applications, components and the core code. Defender EASM enables IT professionals to remediate vulnerabilities in newly discovered resources quickly by categorizing and prioritizing them in real time upon discovery. Naturally, Defender EASM integrates tightly with other Microsoft solutions such as Security Copilot.

Outpost24 EASM

In 2023 the Swedish vendor Outpost24 acquired the Belgian EASM provider Sweepatic and integrated its tool into its collection of modules for threat intelligence, data leakage and pentesting.
This EASM solution is available both standalone and as a managed service, and can collect data either passively via DNS and other TCP/IP details or through direct connections to cloud providers such as AWS and Azure and to the solutions of major software vendors (for example ServiceNow, Slack or Atlassian).

Palo Alto Networks Cortex Xpanse

Xpanse is part of Palo Alto's XSIAM product suite but can also be purchased separately; the standalone product has a somewhat smaller feature set. The Palo Alto tool also supports integration with third-party tools such as Qualys, Jira and ServiceNow. In addition, the product has an impressive selection of prebuilt detection rules, widgets for building queries and discovery routines, and customizable data dashboards.

Rapid7 Surface Command

Surface Command is just one of numerous modules Rapid7 offers (others include vulnerability and incident management as well as cloud-native security). The tool brings threat exposure, detection and response together and promises a continuous “bird's-eye view” of all vulnerabilities, from the endpoint to the cloud. The Rapid7 tool is designed to uncover blind spots in security and to accelerate response and remediation; for the latter, agent-based AI functions are also included.

RiskProfiler EASM

The RiskProfiler platform is used to manage all external threats. For example, the tool enables dark web monitoring and digital monitoring, as well as tracking hacking campaigns, vulnerabilities and supply chain attacks. The threat intelligence gained from this is condensed by AI agents into a unified corpus. The tool also includes more than 13,000 preinstalled rules that combine both open source and its own proprietary algorithms. Third-party risk assessments are also analyzed.
A customizable management dashboard visualizes the data in various views.

SOCRadar AttackMapper

With AttackMapper (part of its tool suite for SOC teams), SOCRadar aims to give users the attacker's view of their assets. The tool uses agentic AI to monitor assets dynamically in real time, identifies new or changed ones and analyzes them for potential vulnerabilities. The results are correlated with known attack methods to support decision-making and triage. AttackMapper monitors not only endpoints and software vulnerabilities but also SSL weaknesses, expired certificates, DNS records and configurations. The tool even detects website defacement attacks, which can be crucial for protecting brand reputation.

Tenable Attack Surface Management

Tenable has offered tools for finding vulnerabilities for several years, and its current tool suite meets modern IT security requirements. Tenable Attack Surface Management is the company's EASM module, integrated into its “One” exposure management platform. It provides context and details on assets and vulnerabilities, not only from a technical perspective but also at the business level, which is needed for comprehensive prioritization of remediation.

7 questions before investing in ASM

You should ask yourself and potential vendors of attack surface management solutions the following questions before signing a contract.

Does our company need an EASM or a CAASM solution? The answer depends on whether you are looking for internal or external attackers, and on how large the share of your on-premises infrastructure is.

How extensively, and how effectively, is the tool automated?
Does it reliably detect all vulnerable resources, including digital certificates, exposed credentials and internet-connected servers and services? What metadata and other details does the solution provide?

How does the solution remediate vulnerabilities when it finds them? Is this automated, or is manual intervention required?

Does the tool support continuous monitoring? And if so, how are changes tracked?

Which vulnerabilities are shared or integrated with other SOC tools, and how?

Are there different dashboards for management and other purposes? Put differently: how can the tool be adapted to different user groups?

What does your pricing look like in detail? Make sure you really understand the pricing structure of the vendor of your choice. In most cases you will be confronted with complex, usage-based billing models. (fm) View the full article
13. An Anthropic employee accidentally exposed the entire proprietary source code for its AI programming tool, Claude Code, by including a source map file in a version of the tool posted on Anthropic’s open npm registry account, a risky mistake, says an AI expert.

“A compromised source map is a security risk,” said US-based cybersecurity and AI expert Joseph Steinberg. “A hacker can use a source map to reconstruct the original source code and [see] how it works. Any secrets within that code – if someone coded in an API key, for example – are at risk, as is all of the logic. And any vulnerabilities found in the logic could become clear to the hacker who can then exploit the vulnerabilities.”

However, an Anthropic spokesperson told CSO, “no sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We’re rolling out measures to prevent this from happening again.”

But it wasn’t the first time this had happened; according to Fortune and other news sources, the same thing happened last month.

Don’t expose .map files

Map files shouldn’t be left in the final version of code published on open source registries, where anyone can download a package; they can be sources of useful information for hackers.

According to developer Kuber Mehta, who published a blog on the latest incident, when someone publishes a JavaScript/TypeScript package to npm, the build toolchain often generates source map files (.map files). These files are a bridge between the minified/bundled production code and the original source; they exist so that when something crashes in production, the stack trace can point to the actual line of code in the original file, not to some unintelligible reference.

What’s available in these files? “Every file. Every comment. Every internal constant. Every system prompt. All of it, sitting right there in a JSON file that npm happily serves to anyone who runs npm pack or even just browses the package contents,” said Mehta.

“The mistake is almost always the same: someone forgets to add *.map to their .npmignore or doesn’t configure their bundler to skip source map generation for production builds,” Mehta said. “With Bun’s bundler (which Claude Code uses), source maps are generated by default unless you explicitly turn them off.”

Think of a source map as a file that maps sections of minified code, which humans cannot easily read, back to the human-readable source code they were built from, said Steinberg. For example, he said, it may indicate that the code in a specific portion of the executable is performing the instructions that appear in a specific snippet of source code. A source map can help with debugging, he added. Without it, he said, many errors would be identified as coming from a larger portion of code, rather than showing exactly where the errors occur.

The world learned of this incident when security researcher Chaofan Shou posted this message early Tuesday on X: “Claude code source code has been leaked via a map file in their npm registry!”, along with a link to the file.

A common error

Leaving source map files in a package “is an incredibly common mistake developers make quite often,” said secure coding trainer Tanya Janca. “In this specific situation, it is more serious than it would be somewhere else, mostly because of the incredibly high value of the intellectual property involved, and because now malicious actors can analyze the source code directly for vulnerabilities instead of having to reverse engineer it, which adds time, cost, and complexity.”

Ideally, Janca said, developers should harden their build environment so they don’t ship debug information or features with production. She offered these tips to developers: disable source maps in the build/bundler tool; add .map files to .npmignore or exclude them via the package.json files field, so they are explicitly left out even if the build generated them by accident; exclude .map files from the list of published artifacts in the continuous integration/continuous deployment environment; carefully separate debug builds from production builds if there are differences; and remember that even the comments could be incredibly sensitive.

A critical layer

Any exposure of source code or system-level logic is significant, because it shows how controls are implemented, commented Dan Schiappa, president of technology and services at Arctic Wolf. With this information exposed, the number of people who now understand how the model enforces behavior, manages access, and handles edge cases increases, he said.

“In AI systems, that layer is especially critical,” he added. “The orchestration, prompts, and workflows effectively define how the system operates. If those are exposed, it can make it easier to identify weaknesses or manipulate outcomes. Knowing that attackers are still discovering the most optimal ways to leverage AI means that in any instance where a tool could be compromised, there are likely cybercriminals waiting in the wings.”

This article originally appeared on InfoWorld.
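The packaging gap Mehta and Janca describe, as an added example that is not Anthropic's, Bun's or npm's code: a pre-publish check that lists the source maps an npm tarball would contain, using a simplified version of npm's "files"/.npmignore rules. The sample file list, package.json objects and .npmignore contents are constructed.

```javascript
// Added example, not Anthropic's, Bun's or npm's code: a pre-publish check that
// lists the source maps that would be packed into an npm tarball. npm's packing
// rules are approximated: a "files" allow-list in package.json wins when present
// (root .npmignore rules do not remove files it includes); otherwise everything
// not matched by .npmignore is published. Only simple gitignore-style patterns
// ("*", "**", "?", a leading or trailing "/") are supported.

// Turn one ignore/allow pattern into a RegExp over slash-separated paths.
function globToRegExp(pattern) {
  let p = pattern.trim().replace(/\/$/, "");     // "dist/" means the directory
  const anchored = p.startsWith("/");            // leading "/" pins it to the root
  if (anchored) p = p.slice(1);
  let re = "";
  for (let i = 0; i < p.length; i++) {
    const c = p[i];
    if (c === "*" && p[i + 1] === "*") { re += ".*"; i++; }
    else if (c === "*") re += "[^/]*";
    else if (c === "?") re += "[^/]";
    else re += c.replace(/[.+^${}()|[\]\\]/, "\\$&");
  }
  // A pattern without a slash matches at any depth; a match on a directory
  // name covers everything underneath it.
  const prefix = anchored || p.includes("/") ? "^" : "(^|.*/)";
  return new RegExp(`${prefix}${re}(/.*)?$`);
}

function parsePatterns(text) {
  return text.split(/\r?\n/)
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith("#"))
    .map(globToRegExp);
}

// Files npm always includes, whatever the ignore rules say.
const ALWAYS_PUBLISHED = /^(package\.json|README(\..*)?|LICEN[CS]E(\..*)?)$/i;

// Return the subset of `files` (paths relative to the package root) that
// would end up in the tarball.
function publishedFiles(files, pkgJson, npmignoreText = "") {
  if (Array.isArray(pkgJson.files)) {
    // Allow-list mode: a directory entry such as "dist" pulls in everything
    // below it, including any .map the bundler dropped next to the bundle.
    const allow = pkgJson.files.map(globToRegExp);
    return files.filter((f) => ALWAYS_PUBLISHED.test(f) || allow.some((r) => r.test(f)));
  }
  const deny = parsePatterns(npmignoreText);
  return files.filter((f) => ALWAYS_PUBLISHED.test(f) || !deny.some((r) => r.test(f)));
}

// The CI gate to run before `npm publish`: every source map in the tarball is
// a finding, because it lets anyone rebuild the original sources.
function findLeakedSourceMaps(files, pkgJson, npmignoreText = "") {
  return publishedFiles(files, pkgJson, npmignoreText).filter((f) => f.endsWith(".map"));
}

// Constructed sample layout of a bundled CLI package (not a real package).
const SAMPLE_FILES = [
  "package.json", "README.md",
  "dist/cli.js", "dist/cli.js.map",   // the bundler emitted the map by default
  "src/index.ts", "src/prompts.ts",
];

// "files": ["dist"] keeps src/ out but still ships the map.
const leakedViaFilesField = findLeakedSourceMaps(SAMPLE_FILES, { files: ["dist"] });
// .npmignore that excludes src/ but forgot *.map: the map still ships.
const leakedViaIgnore = findLeakedSourceMaps(SAMPLE_FILES, {}, "src/\n");
// .npmignore with *.map added: nothing leaks.
const fixedViaIgnore = findLeakedSourceMaps(SAMPLE_FILES, {}, "# build output only\nsrc/\n*.map\n");
```

Turning map generation off in the bundler remains the primary fix; a check like this is the safety net that catches a map emitted by default.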
14. Attackers compromised the npm account of the lead maintainer of Axios, a widely used JavaScript HTTP client library, and used it to publish malicious versions of the package that deployed a cross-platform remote access trojan on developer machines. The incident represents the highest-impact npm supply chain attack on record given Axios’ approximately 100 million weekly downloads and its presence in frontend frameworks, backend services, and countless enterprise applications.

Luckily, the trojanized versions, [email protected] and [email protected], were detected by multiple security companies monitoring the npm registry within minutes of publication, triggering a rapid response that saw the malicious packages removed by the npm team two to three hours later. That said, given the high download activity this project sees, the short time window was enough to impact a significant number of developer environments.

According to cloud security firm Wiz, Axios is used in 80% of cloud and code environments; the company observed execution of the malware in roughly 3% of impacted environments. Researchers with security firm Snyk noted that “even a two-hour malicious window represents an enormous potential blast radius” given the library’s popularity. Almost 175,000 other projects on npm list Axios as a dependency, meaning this had a huge cascade effect through the ecosystem.

The attack follows a series of supply chain attacks that impacted multiple open-source projects across different package repositories over the past several weeks, most of them attributed to a group known as TeamPCP. However, the Google Threat Intelligence Group (GTIG) has attributed the Axios attack to a North Korean threat actor it tracks as UNC1069.

“North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency,” said John Hultquist, chief analyst with GTIG. “The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts.”

In their analysis, Snyk researchers also noted the sophistication of the techniques involved in the attack. “The attacker also showed meaningful operational sophistication, pre-staging the malicious dependency, using a ‘clean’ version history, double-obfuscating the dropper, building platform-specific RATs, and implementing anti-forensic self-deletion,” the Snyk researchers said in their report. “This was not opportunistic.”

How the attack unfolded

Attackers began preparing the Axios attack roughly 18 hours earlier, when an account named nrwise published a package called [email protected]. This was a clean decoy designed to establish registry history and legitimacy. The malicious payload arrived later the same day in [email protected], which contained a postinstall hook that would execute a dropper script when it was pulled in by a different package as a dependency.

Shortly after midnight UTC on March 31, a new version of the Axios package, [email protected], was published on npm, followed by [email protected] 39 minutes later. Both listed [email protected] as a dependency in their package.json files, but the rest of the components remained unchanged. A package that appears in the manifest but has zero usage or imports in the codebase is called a phantom dependency and is a high-confidence indicator of compromise, according to researchers at StepSecurity.

Another indicator was that these versions appeared only on npm and not in the project’s GitHub repo as tagged releases. Axios’ legitimate 1.x releases were configured to use npm’s OIDC Trusted Publisher mechanism bound to GitHub Actions, but the 1.14.1 release was published manually via a stolen token with no corresponding commit or tag in the repository.

In comments on GitHub, the project’s principal maintainer Jason Saayman acknowledged that while v1.x had trusted publishing configured, the v0.x branch still relied on a legacy long-lived token. A community member further pointed out that the v1.x publish workflow still passed NODE_AUTH_TOKEN to npm, which takes precedence over OIDC when both are present, meaning the long-lived token was also being used for v1.x rather than the intended trusted publishing mechanism.

Cross-platform malware

The obfuscated and encrypted postinstall script contacted a command-and-control (C2) server on a domain registered the day before by the attackers and downloaded platform-specific second-stage RAT payloads.

On macOS, the binary is written to /Library/Caches/com.apple.act.mond and can self-sign injected payloads via codesign --force --deep --sign, bypassing macOS Gatekeeper protections. The malware fingerprints the system, collects hostname, username, macOS version, boot and install times, CPU architecture, and running processes, and then reaches out to the C2 server every 60 seconds.

On Windows machines the payload is a PowerShell script copied to %PROGRAMDATA%\wt.exe, masquerading as Windows Terminal. The malware establishes persistence through a registry Run key named “MicrosoftUpdate” and a re-download batch file. Meanwhile, Linux systems receive a Python script stored as /tmp/ld.py that gets executed via nohup python3.

The RAT supports four commands: peinject for deploying additional binaries, runscript for executing shell or AppleScript code, rundir for directory enumeration, and kill for self-termination.

According to researchers from security firm Socket, after execution the malware attempts to erase its tracks by deleting setup.js, removing the malicious package.json that contained the postinstall hook and replacing it with a clean copy that reports version 4.2.0 instead of 4.2.1. This means users running npm list in an affected project directory will see [email protected], potentially misleading them into believing the installed version predates the attack.

Detection and maintainer response

Security firms monitoring npm flagged [email protected] within minutes after it was published, triggering a series of responses, including by the npm registry team, which removed the packages. However, the Axios project itself had difficulty containing the issue because the incident happened during the lead maintainer’s nighttime.

A core collaborator of the project responded to the community-reported issue on GitHub, also within minutes, but his permissions were lower than those of the maintainer whose token was compromised. This underscores a potential incident response gap open-source projects might face: even if project contributors notice a breach immediately, the attacker could hold higher privileges than them through a stolen token and could slow down attempts at damage control. In the recent Trivy compromise, attackers flooded the GitHub issue with spam comments from bots to make it harder for maintainers to respond and communicate with the community.

Prepare for more compromises

The cascade effect of the Axios incident became visible as dependency scanning tools flagged hundreds of downstream projects that had pulled the malicious versions. One user posted warnings to more than 50 repositories after detecting plain-crypto-js in their lockfiles, while another identified dozens more, from personal blogs to enterprise apps. This demonstrates how quickly the compromise of a popular npm package propagates through the ecosystem, even if the breach is detected within a few hours.

Organizations should audit lockfiles and installed dependencies for the malicious versions immediately. If the malicious versions were installed, assume the development environments are fully compromised. Security teams should isolate affected systems and rotate all credentials present on them, such as npm tokens, cloud provider keys, SSH private keys, CI/CD secrets, etc. “Do not rotate in place; revoke and reissue,” the Snyk researchers advised. “Do not attempt to clean compromised systems. Rebuild from a known-clean snapshot.”

In the long term, organizations should enforce npm ci --ignore-scripts in CI/CD pipelines to prevent postinstall hooks from executing during automated builds and consider package age policies such as npm’s minimumReleaseAge setting. This gives development teams the ability to block the installation of packages that don’t have a minimum age, which would have blocked this attack since “plain-crypto-js” existed for less than 24 hours before being pulled into Axios’ dependency tree.

The use of AI tools like Claude Code or OpenAI Codex in enterprise environments via their respective desktop apps extends the impact past developer environments. These tools are increasingly being used by non-developers in their workflows, and LLMs tend to rely heavily on the npm and PyPI ecosystems for CLI tools.
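The lockfile audit recommended above, as an added example that is not code from the Axios project, npm or any of the firms quoted: it flags the versions the article names, packages that declare install hooks, phantom dependencies, and the on-disk version rewrite. The lockfile, manifests and source text are constructed samples, and example-util is a placeholder dependency.

```javascript
// Added example, not code from the Axios project, npm or the firms quoted above:
// an offline audit of an npm lockfile (lockfileVersion 3) for the three traces
// this incident left behind. The package names and versions flagged come from
// the article; the lockfile, manifests and source text are constructed samples.

// Versions the article identifies as malicious.
const KNOWN_BAD = {
  "axios": new Set(["1.14.1"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};

// lockfileVersion 3 keys every package by its node_modules path; "" is the root.
function nameFromLockPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// Signal 1: a known-bad version, plus any package that declares install hooks
// (npm records that as hasInstallScript), since a postinstall hook on a
// freshly added dependency is what ran the dropper.
function auditLockfile(lock, knownBad = KNOWN_BAD) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(lockPath);
    if (!name) continue;
    if (knownBad[name] && knownBad[name].has(meta.version)) {
      findings.push({ type: "known-bad", name, version: meta.version });
    }
    if (meta.hasInstallScript) {
      findings.push({ type: "install-script", name, version: meta.version });
    }
  }
  return findings;
}

// Signal 2: a phantom dependency, declared in package.json but never imported.
function phantomDependencies(pkgJson, sourceTexts) {
  const imported = new Set();
  const importRe = /(?:require\(|from\s+)["']([^"'./][^"']*)["']/g;
  for (const text of sourceTexts) {
    for (const m of text.matchAll(importRe)) {
      // Keep the package name ("@scope/name" or "name"); drop any subpath.
      const parts = m[1].split("/");
      imported.add(m[1].startsWith("@") ? parts.slice(0, 2).join("/") : parts[0]);
    }
  }
  return Object.keys(pkgJson.dependencies || {}).filter((d) => !imported.has(d));
}

// Signal 3: the on-disk package.json disagrees with the lockfile, which is what
// the self-cleanup step produces when it rewrites the manifest to 4.2.0.
function versionMismatches(lock, installedManifests) {
  const out = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(lockPath);
    const onDisk = installedManifests[lockPath];
    if (name && onDisk && onDisk.version !== meta.version) {
      out.push({ name, lockfile: meta.version, installed: onDisk.version });
    }
  }
  return out;
}

// Constructed sample: a project that resolved the trojanized axios release.
// "example-util" and all version ranges are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      dependencies: { "plain-crypto-js": "4.2.1", "example-util": "^2.0.0" },
    },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/example-util": { version: "2.0.3" },
  },
};
// What each node_modules/<pkg>/package.json reports after the cleanup step.
const SAMPLE_INSTALLED = {
  "node_modules/axios": { version: "1.14.1" },
  "node_modules/plain-crypto-js": { version: "4.2.0" },
  "node_modules/example-util": { version: "2.0.3" },
};
// Constructed stand-ins for the published axios manifest and one of its files.
const SAMPLE_MANIFEST = {
  dependencies: { "plain-crypto-js": "4.2.1", "example-util": "^2.0.0" },
};
const SAMPLE_SOURCE = ['import util from "example-util";\nexport default util;\n'];
```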
15. A vulnerability misclassified five months ago as a denial-of-service issue in F5 BIG-IP Access Policy Manager (APM) turned out to be a critical pre-authentication remote code execution flaw that is now under active exploitation. Hackers are using it to deploy a persistent malware program that runs with root privileges.

The CVE-2025-53521 vulnerability was first disclosed in October 2025 as a DoS issue with a CVSS severity score of 7.5. F5 updated the advisory Friday, reclassifying it as remote code execution and raising its score to CVSS 9.8 in light of “new information” it has received. The same day, CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and the Netherlands Cyber Security Centre reported seeing active exploitation.

BIG-IP APM is F5’s secure access solution that allows enterprises, service providers, and government agencies to control authentication, authorization, and VPN access across remote, mobile, and cloud environments. The Shadowserver Foundation currently tracks over 240,000 F5 BIG-IP instances on the internet, but it’s not clear how many run vulnerable versions.

“When F5 CVE-2025-53521 first emerged last year as a denial-of-service issue, it didn’t immediately signal urgency, and many system administrators likely prioritized it accordingly,” Benjamin Harris, CEO of offensive security firm watchTowr, told CSO. “Fast-forward to today’s big ‘yikes’ moment: The situation has changed significantly. What we’re observing now is pre-auth remote code execution and evidence of in-the-wild exploitation, with a CISA KEV listing to back it up. That’s a very different risk profile than what was initially communicated.”

Patching is only part of the equation, and the immediate focus for security teams should be on determining whether the flaw has already been exploited in their environments, Harris noted.

The vulnerability affects BIG-IP APM versions 17.1.0 to 17.1.2, 17.5.0 to 17.5.1, 16.1.0 to 16.1.6, and 15.1.0 to 15.1.10. F5 released patches in versions 17.1.3, 17.5.1.3, 16.1.6.1, and 15.1.10.8. The company also published a knowledge base article with indicators of compromise, attacker TTPs, and hardening guidance against the observed malware.

How the attack works

BIG-IP APM is only affected when configured on a virtual server, which is a limiting factor for the attacks but is not an unusual deployment. Successful exploitation grants attackers root-level access and full control of the underlying operating system.

The company tracks the deployed malware program as “c05d5254” and notes that it creates files at /run/bigtlog.pipe and /run/bigstart.ltm and makes changes to system binaries, including /usr/bin/umount and /usr/sbin/httpd. Attackers have also been observed modifying the sys-eicheck utility, which relies on RPM integrity checks to verify on-disk executables.

Log analysis can reveal patterns related to the attack. The user “f5hubblelcdadmin” accessing the iControl REST API from localhost, SELinux disable commands in auditd logs, and Base64-encoded data written to files followed by execution of /run/bigstart.ltm all indicate successful intrusion. F5 also observed threat actors using HTTP 201 response codes with CSS content-type headers to disguise malicious traffic.

Mitigation

Organizations that applied the October 2025 updates are already protected, as the original patches also address the RCE vector, but systems running vulnerable versions require immediate patching and compromise assessment. Organizations should not assume their systems are clean based solely on patching, because UCS backup files from compromised systems can contain copies of the malware. F5 recommends rebuilding configurations from scratch rather than restoring from backup if the compromise timeframe is uncertain. The sys-eicheck utility can identify integrity failures in /usr/bin/umount and /usr/sbin/httpd, though attackers have targeted the components this tool relies on.
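The log indicators listed above, as an added example that is not F5's code or its published guidance: a correlator that scores each indicator per host and gives extra weight to a Base64 write followed by execution of /run/bigstart.ltm on the same host. The log line layout and every sample line are constructed for the demo, not real BIG-IP or auditd output.

```javascript
// Added example, not F5's code or its published detection content: a small
// correlator that applies the indicators named above to log lines. The line
// layout (timestamp, host, then key=value fields) is constructed for the demo;
// real BIG-IP, restjavad and auditd records look different and need their own
// parsing, but the rules and the sequencing logic carry over.

const LINE = /^(\S+)\s+(\S+)\s+(.*)$/;   // timestamp, host, message

// Each rule scores a hit; "stage" remembers that a line was seen on a host,
// and "requires" adds a bonus when a later line follows that stage.
const RULES = [
  { id: "hubble-rest-from-localhost",
    re: /\buser=f5hubblelcdadmin\b.*\bsrc=(127\.0\.0\.1|::1|localhost)\b/, score: 3 },
  { id: "selinux-disabled-in-auditd",
    re: /^audit\b.*\bsetenforce 0\b/, score: 3 },
  { id: "base64-written-to-file",
    re: /\bbase64\b.*>\s*\/\S+/, score: 1, stage: "staged" },
  { id: "bigstart-ltm-executed",
    re: /\bexecve?\b.*\/run\/bigstart\.ltm\b/, score: 2, requires: "staged", bonus: 3 },
  { id: "http-201-with-css-type",
    re: /\bstatus=201\b.*\bcontent-type=text\/css\b/i, score: 2 },
];

// Walk the lines in order and build a per-host score and hit list.
function assessHosts(lines, threshold = 5) {
  const hosts = new Map();
  for (const line of lines) {
    const m = LINE.exec(line);
    if (!m) continue;
    const [, , host, msg] = m;
    if (!hosts.has(host)) hosts.set(host, { score: 0, hits: [], staged: false });
    const h = hosts.get(host);
    for (const rule of RULES) {
      if (!rule.re.test(msg)) continue;
      let score = rule.score;
      // A base64 write followed by execution of /run/bigstart.ltm on the same
      // host is the sequence the advisory describes, so it scores higher.
      if (rule.requires && h[rule.requires]) score += rule.bonus;
      h.score += score;
      h.hits.push(rule.id);
      if (rule.stage) h[rule.stage] = true;
    }
  }
  const result = {};
  for (const [host, h] of hosts) {
    result[host] = {
      score: h.score,
      hits: h.hits,
      verdict: h.score >= threshold ? "likely compromised" : h.score > 0 ? "review" : "clean",
    };
  }
  return result;
}

// Constructed sample lines (not captured from a real device).
const SAMPLE_LOG = [
  "2026-04-12T02:14:03Z bigip1 restjavad: user=f5hubblelcdadmin src=127.0.0.1 method=POST path=/mgmt/tm/sys",
  "2026-04-12T02:14:05Z bigip1 audit: proctitle=setenforce 0 uid=0",
  "2026-04-12T02:14:09Z bigip1 shell: cmd=\"echo <base64 blob> | base64 -d > /run/bigstart.ltm\"",
  "2026-04-12T02:14:10Z bigip1 audit: syscall=execve exe=/run/bigstart.ltm uid=0",
  "2026-04-12T02:15:00Z bigip2 restjavad: user=admin src=10.0.0.5 method=GET path=/mgmt/tm/sys",
  "2026-04-12T02:15:30Z bigip2 httpd: method=GET status=201 content-type=text/css bytes=4096",
  "2026-04-12T02:16:00Z bigip3 restjavad: user=admin src=10.0.0.7 method=GET path=/mgmt/tm/sys",
];
```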
16. OpenAI has fixed two flaws in its AI stack that could allow AI agents to move sensitive data in unintended ways. The issues, disclosed by researchers at BeyondTrust and Check Point Research, affect the OpenAI Codex coding agent and ChatGPT’s code execution environment, respectively. One enabled GitHub token theft through command injection, while the other exposed a hidden channel for silently leaking user data.

Both bugs have now been patched, but researchers warn that giving AI tools autonomy to execute code and interact with external systems creates a long-term risk, allowing attackers to carry out malicious actions without ever breaking the model itself.

Codex command injection turns branch names into backdoors

Researchers at BeyondTrust found that Codex, OpenAI’s coding agent that executes tasks in cloud containers, was vulnerable to a command injection bug in the GitHub branch name parameter. When Codex attempts a task, it clones a repository and authenticates using a short-lived GitHub token. The issue stemmed from how it handled user-controlled input during this setup phase.

Specifically, the branch name parameter was not properly sanitized, allowing attackers to inject arbitrary shell commands into the environment. A maliciously crafted branch name could execute code inside the container, exposing the very token Codex used to access the repository. Researchers demonstrated that the token could then be exfiltrated via task output or external network requests.

This effectively turns a routine developer workflow into a potential credential theft vector. GitHub tokens often grant broad access to private repositories, making them highly valuable in supply chain attacks.

According to a BeyondTrust blog post, the issue was disclosed to OpenAI, which acted quickly to address it by tightening input validation around the vulnerable parameter and hardening how commands are constructed in the execution environment. The fix was rolled out before public disclosure, with no evidence of active exploitation reported, the post added. Input validation failures appear to be becoming more common in AI workflows, and they lead to classic command injection vulnerabilities.

ChatGPT’s hidden outbound channel leaks user data

OpenAI has reportedly fixed a parallel bug in ChatGPT that goes beyond credential theft. Check Point researchers uncovered a hidden outbound communication path in ChatGPT’s code execution runtime that could be triggered with a single malicious prompt. This channel bypassed the platform’s expected safeguards around external data sharing. Instead of requiring explicit user approval, the runtime could transmit data, such as chat messages, uploaded files, or generated outputs, to an external server without any visible alerts.

Check Point researchers demonstrated crafting a prompt that leverages this behavior, allowing the runtime to package and transmit private chat data to an external server. Basically, a normal-looking conversation could be turned into a covert data exfiltration pipeline.

The same mechanism could also be abused by a backdoored or malicious custom GPT, allowing it to siphon off sensitive information without user awareness, the researchers said, adding that the channel could potentially be used to establish remote shell access within the execution environment. While no active exploitation has been reported, the researchers note significant implications.

OpenAI fixed the issue around the same time as the Codex flaw by tightening controls around outbound communication in the code execution environment. OpenAI did not immediately respond to CSO’s request for comment on either of the flaws.
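The branch-name injection class behind the Codex finding, as an added example that is not OpenAI's or BeyondTrust's code: a shell-string clone command beside a hardened builder that validates against git's ref-name rules and returns an argv array to run without a shell. The STRICT_BRANCH allow-list and the sample branch names are constructed, and the point the test makes is that a name git accepts can still carry shell syntax, so validation alone is not the fix.

```javascript
// Added example, not OpenAI's or BeyondTrust's code: the bug class behind the
// Codex finding. The clone step below builds a git command from a
// user-supplied branch name. The first builder splices it into a shell string;
// the second validates it against git's ref-name rules, rejects names that
// would parse as options, and returns an argv array to run without a shell.

// DO NOT USE: anything /bin/sh treats specially in the branch name (; | & $( )
// and backticks) runs as a command, even though git accepts those characters.
function buildCloneShellCommand(repoUrl, branch, dir) {
  return `git clone --depth 1 -b ${branch} ${repoUrl} ${dir}`;
}

// git check-ref-format rules for a branch name, as documented by git.
function isValidGitBranchName(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 255) return false;
  if (name.startsWith("-")) return false;                     // looks like an option
  if (/[\x00-\x20\x7f~^:?*[\\]/.test(name)) return false;     // control chars, space, ~ ^ : ? * [ \
  if (name.includes("..") || name.includes("@{") || name === "@") return false;
  if (name.startsWith("/") || name.endsWith("/") || name.includes("//")) return false;
  if (name.endsWith(".")) return false;
  return name.split("/").every((c) => !c.startsWith(".") && !c.endsWith(".lock"));
}

// Characters that are legal in a git ref but meaningful to a POSIX shell.
const SHELL_META = /[;&|$`(){}<>!'"\\\n]/;

function containsShellMetacharacters(name) {
  return SHELL_META.test(name);
}

// Hardened builder: validate, then keep the branch as one argv element and put
// "--" before the positional arguments so nothing after it is read as a flag.
// An allow-list tighter than git's own rules is reasonable for an agent that
// only ever needs ordinary branch names (constructed policy, not OpenAI's).
const STRICT_BRANCH = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,254}$/;

function buildCloneArgv(repoUrl, branch, dir, { strict = true } = {}) {
  if (!isValidGitBranchName(branch)) throw new Error("invalid git branch name");
  if (strict && !STRICT_BRANCH.test(branch)) throw new Error("branch name outside allow-list");
  return ["git", "clone", "--depth", "1", "--branch", branch, "--", repoUrl, dir];
}

// To run it: execFileSync(argv[0], argv.slice(1)) from node:child_process,
// which hands the array straight to git with no shell in between.

// Constructed inputs: a normal branch and one that git accepts but a shell
// would split into two commands.
const NORMAL_BRANCH = "feature/retry-logic";
const SHELL_BRANCH = "main;ls";
const REPO_URL = "https://example.invalid/org/repo.git";   // placeholder URL
```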
17. As every CISO knows, maintaining a strong cybersecurity posture is costly. What’s not so well known is that there are many ways cybersecurity can be enhanced with the help of relatively trivial investments. Simply by thinking creatively, a security leader can substantially boost enterprise protection at a minimal cost.

Could your organization benefit from some extra low-cost protection? If so, here are eight ways to improve enterprise cybersecurity without seriously denting your budget.

1. Enforce MFA better

Risk mitigation should start with fundamentals, says Trevor Horwitz, CISO at compliance technology services firm TrustNet. “MFA directly supports confidentiality and access control, which are core security objectives,” he states. “In almost every breach we analyze, compromised credentials are involved.” Most organizations already have access to this capability. Turn it on, especially for privileged access, Horwitz advises.

Randy Gross, CISO at certification firm CompTIA, agrees. “Begin by clearly defining the crown jewels and the next tier of important systems, then enforce MFA and least privilege across those environments,” he recommends. “Next, establish time-bound remediation expectations for the meaningful vulnerabilities in those systems before expanding attention to the broader environment.”

2. Take full advantage of your existing tools

A practical way to strengthen enterprise security without incurring significant additional spend is to ensure you’re fully leveraging the capabilities of solutions already present within your organization, says Gary Brickhouse, CISO at security services firm GuidePoint Security. “Most organizations have invested heavily in security solutions, yet most are only using a portion of what those tools can do,” he explains. “By optimizing and operationalizing existing technologies, organizations can realize a reduction in cybersecurity risk with little spend.”

Brickhouse says this approach is highly effective because it focuses on improving operational maturity rather than adding more technology solutions. “This tactic also increases ROI by helping to ensure organizations are getting the most value from solutions they already own,” he says.

3. Conduct tabletop exercises

Don’t underestimate the power of tabletop exercises, advises Ryan Davis, CISO at IT services provider New Charter Technologies. “They almost guarantee a positive action, and the only cost is in time,” he says. A tabletop exercise requires participants to view scenarios from an execution perspective rather than a theoretical position.

“Practicing for unexpected scenarios enables teams to exercise muscles they wouldn’t normally use,” Davis says. “It allows team members to ask questions they may not typically ask in everyday scenarios because there isn’t time or an obvious need to do so.” He adds that the approach also quickly highlights strengths that don’t need further attention, as well as gaps that need to be closed.

4. Utilize the application layer

An effective way to bolster coverage and reduce overall risk is to include the application layer in your cybersecurity strategy, says Bill Oliver, managing director at cybersecurity platform provider SecurityBridge. He notes that ERP systems sit at the core of your company’s operations and have been targeted by bad actors for years.

“Monitoring your ERP systems for missing security patches, bad security configurations, real-time security events, and so on can give you great cybersecurity protection at a relatively low cost as compared to other cybersecurity initiatives,” he says. “Understanding what security events are happening in real time will greatly bolster your company’s cybersecurity program and correct a weakness that has been there since day one.”

5. Implement passkeys

Passkeys eliminate the single biggest attack vector most organizations face: stolen or phished credentials, says John Coursen, CISO at Fortify Cyber, a firm that helps regulated industries secure their infrastructure. “They remove the human element from authentication,” he explains. Coursen notes that passwords tend to get reused, phished, and stuffed into credential databases. “Passkeys can’t be phished, because there’s no shared secret to steal.”

Coursen observes that most modern identity providers, such as Azure AD and Okta, already support passkeys. “The tech isn’t hard to implement — it’s the behavior change and getting users to adopt it.” Start with your highest-risk users, Coursen advises, including executives, finance teams, and anyone with access to sensitive client data or wire transfer authority.

6. Aim for the heart

Target what attackers actually exploit, suggests Mike Wilkes, CISO at security technology provider Aikido Security. “Set up redundant DNS providers — they’re low-cost, high-impact, and massively underused,” he says. “Put Cloudflare’s free plan in front of your public-facing apps, and you get DDoS mitigation and a WAF layer instantly.” Turn on SPF, DMARC, and DKIM, since email is still the No. 1 initial access vector and these DNS controls take just an afternoon to implement. “Enable MFA everywhere using the free Google Authenticator,” Wilkes says, while also recommending checking DNS records and auditing MFA for gaps.

7. Consider human risk management

At a time when the vast majority of cyberattacks involve people, human risk management is a critical and cost-effective way to keep the enterprise safe, says Matt Lindley, chief innovation and security officer at cybersecurity awareness training firm NINJIO. Human risk management works because it addresses the most urgent cyberthreat most enterprises face by establishing a culture of cybersecurity at every level of the organization, Lindley says.

“Instead of treating employees as the weak links in an organization’s cybersecurity posture, they should be regarded as its greatest security assets,” he states. “When employees are empowered to identify, report, and thwart cyberattacks, the enterprise now has a distributed and adaptive layer of cybersecurity.”

Effective human risk management requires security leaders to provide engaging, actionable, and personalized security awareness training, Lindley says. It also demands a high degree of accountability. He notes that security leaders should be able to determine whether behavioral interventions are actually working by using benchmarks beyond vanity metrics such as completion rates. “This means providing data on phish reporting and other real-world improvements to the organization’s cybersecurity posture, all of which will generate buy-in across the C-suite,” he says.

8. Double down on cybersecurity fundamentals

One of the most effective low-cost security strategies is to double down on fundamentals such as identity protection, patching, visibility, and user awareness, says Jeff Foresman, vice president of cybersecurity at technology services firm Resultant. Most organizations already have the tools they need through platforms like Microsoft and Google, as well as their endpoint and email security stacks, Foresman says. The real opportunity, he notes, lies in better configuration and disciplined execution, such as enforcing MFA everywhere, reducing unnecessary admin access, patching Internet-facing systems quickly, and improving phishing reporting and response. “Those steps alone significantly reduce real-world risk,” Foresman says.

Foresman notes that a fundamentals-first approach works by targeting how attackers actually gain access. The majority of breaches still begin with compromised credentials, phishing, exposed systems, or misconfigurations, not advanced zero-day exploits, he explains. By focusing on identity, email, and attack surface reduction, organizations can address the most common entry points. “It’s practical, measurable, and tied to the breach patterns we see every day, rather than theoretical controls,” Foresman says.

See also:
How MFA gets hacked — and strategies to prevent it
Redefining multifactor authentication: Why we need passkeys
Human risk management: CISOs’ solution to the security awareness training paradox
CISOs must rethink the tabletop, as 57% of incidents have never been rehearsed
Phishing training needs a new hook — here’s how to rethink your approach
18. Over the last four years, I’ve watched organizations get blindsided by threats that originated in a third-party network. More than 35% of data breaches are caused by a compromised vendor or partner, not by any failure in the organization’s controls.

While many organizations know that the biggest threats to their security come from forces entirely outside their control, that risk is accelerating this year. Some of those forces come from beyond their network and even far beyond their region. International conflict is influencing attacker behavior in ways that are showing up far from conflict zones. AI-driven automation is reducing the effort required to exploit systems and people. Third-party risk continues to be the most common reason well-defended organizations still suffer serious incidents. These three factors are creating an environment that is heightening cybersecurity risk.

I work with organizations that invest in security, quantify risk and take resilience seriously. Yet when something truly disruptive happens, it is rarely because a basic control was missing. Security is only as strong as the weakest link in a chain that extends far beyond an organization’s firewall — and those weak links are multiplying.

Geopolitics amplify cyber risk, particularly for OT networks

For a long time, geopolitical conflicts felt like a separate category of risk. If you did not operate in or near a conflict zone, it was easy to assume it posed little risk to your organization or your security posture. In my experience, that assumption no longer holds. In my previous position, we had an office in Israel, so I was always alert and aware of tensions and conflicts in that area.

What I see consistently is that techniques used in active geopolitical conflicts do not stay contained to that geographic area or digital environment. The techniques and tactics are tested, refined and then used by criminal groups and other threat actors. Eventually, they surface in environments that have nothing to do with the original conflict.

The 2026 WEF Global Cybersecurity Outlook reflects this shift, identifying geopolitical instability as a primary driver of cyber risk, and how those tensions have translated into repeated cyber and kinetic disruptions to various sectors like energy, telecom and water. While it is much less likely that the U.S. will be hit with a kinetic attack, we are and have been getting hit with battle-tested cyberattacks. The network that is often targeted by these kinds of attacks is the Operational Technology (OT) network and IoT devices. The report correctly ties this to real safety and continuity impacts, not just data loss, which matches my experience.

As a leader, you need to expect some kind of spillover from active warzones to your environment and plan accordingly. Defense in depth is more than a slogan; it’s a way to avoid, mitigate or transfer this kind of risk. What I have seen forward-looking organizations do is elevate OT security to the board level so that OT risk is added to the Risk Register under board oversight. Organizations that I work with, where life and health concerns are top of mind, have segmented their network to reduce the blast radius of an attack. The best defense is to implement a ransomware-resilient backup solution that has immutable backups with a 3-2-1-1 strategy, where that extra 1 is an immutable copy. Once the board has been made aware of the risk, the budget typically follows.

AI is accelerating both the attackers and your defenses, but governance is often missing

What I see generative AI doing in cybersecurity is accelerating what attackers can do and lowering the cost of entry for new criminal gangs. Cyberattacks are more potent because the technology makes it easier to target victims, create deepfake videos or explicit and lewd pictures or fake their voices. Cyber defense tools are getting better, but make no mistake, we are in an arms race with the attackers, criminals and nation-states.

At the same time, organizations are expanding their attack surface by leaps and bounds through internal AI adoption. Chatbots, AI assistants, GPT models and internal AI tools are all new vectors for attack. Agentic AI tools are very easy to build, but are often given more access and privileges than needed. Agents that can read and compose emails, and create and delete appointments and contacts, can provide significant benefits while also creating havoc if there isn’t a human in the loop or proper governance in place. Many organizations are deploying AI faster than they can secure it.

In practice, organizations often follow two paths. The first is a big splashy AI project that usually costs millions of dollars, but often doesn’t have a clear goal, clean data, or appropriate governance in place before the project starts. In this case, the project stalls as policies and decisions are made. Budgets are blown, timelines slip, project dates get extended, or not, and then the project is either abandoned or brought in-house now that internal staff have learned enough from the consultants.

The second path is slower, smaller and often internally driven. This smaller project is more organic and often focused on a particular project or need of the organization. The budget for this smaller project is minimal until the proof of concept is viable and it can demonstrate an ROI. Because the smaller project is slower, policy and governance can be developed alongside it.

Leaders should assume that AI models can be manipulated and exploited. AI models will have data leakage issues without robust data governance policies and controls. Also, prompt-injection attacks cannot totally be prevented; you need strong guardrails and to evaluate the data model and guardrails on a regular basis.

What I have seen successful companies do to address the governance issue is create an AI Risk Council that has the CISO, CAIO, CTO, Legal and Risk, and the Council, at a minimum, has veto power for model release and is given time to do AI pentesting. Organizations with strong risk programs have tended to adopt the NIST risk management framework. It’s a great guide to get started on an AI governance program for any project.

Cyber inequity is a systemic business risk

Even if you do everything right, a partner that’s connected to your network can create a vulnerability. Vendors and partners might not operate with the same level of cyber maturity that you do. I have firsthand experience with four organizations that have suffered data breaches, even though their own security programs held. In each case, a vendor or partner was compromised first. The effect was the same every time. Company data was compromised, and the organization had to respond as if it had failed. Pointing the finger at the third party was not going to help customers who had data stolen or restore their trust.

Criminal gangs are opportunistic; they will attack the weakest link, and if your suppliers do not invest in the same level of controls that you do, or that you need, that is a risk to your business the moment systems are integrated. Many leaders still underestimate this exposure because it feels indirect, but cyber inequality is a systemic risk to your business.

I saw this become more visible during the pandemic, when supply chain disruptions forced organizations to examine dependencies that they had not fully mapped. The lesson remains relevant now. As organizations rely more heavily on external partners, the gap between internal and external exposure continues to widen.

If these risks feel overwhelming, don’t panic. While this quickly evolving threat landscape is the new normal, cybersecurity professionals like this dynamic environment. We like change.
The organizations that respond best have realistic incident response and business continuity plans that assume a partner will eventually be compromised. They involve internal teams early and work closely with trusted partners so that when disruption occurs, response is coordinated rather than reactive. Organizations can’t eliminate these external pressures, but they can plan for them. The leaders I see succeed assume disruption, invest in resilience and prepare for failures that start outside their control. This article is published as part of the Foundry Expert Contributor Network. Want to join? View the full article
  19. Writing a conference preview is an act of professional speculation. You read the agenda, map the schedule session density, and make your personal best call about where the intellectual energy will concentrate. From my perspective going in, RSA Conference 2026 outlined a defining tension for CISOs today: how to enable AI adoption fast enough to stay competitive while securing the enterprise against a threat landscape AI itself is reshaping.

Now that RSAC 2026 has run its course, it’s worth holding pre-event predictions, such as my five key priorities for CISOs and their teams, against what actually emerged from the sessions, VC panels, and hallway conversations that tend to be more candid than anything on stage. The verdict: the frame held. In fact, there was very little conversation without AI being front and center. At the Moscone Center in San Francisco I kept hearing, ‘We live in unprecedented times’ — a cliché that I do believe is true. My own surprises were mostly matters of AI emphasis and velocity with stronger and perhaps sharper commercial edges than I expected.

The AI saturation hypothesis was confirmed

My RSAC 2026 preview argued that AI was no longer a track but had become the event itself, with approximately 40% of the agenda AI-weighted across every cyber domain. That certainly bore out on stage. Every panel, whether focused on investment, products, identity, or offensive capability, returned to AI. Yoav Leitersdorf of YL Ventures put this bluntly: “Everyone only wants to talk about AI, and if you aren’t doing AI, investors don’t want to talk to you.”

Kevin Mandia from Ballistic Ventures at the RSA Annual Executive Dinner noted that we have to take humans out of the loop, so that AI versus AI is the new paradigm. He explained that AI agents have been introduced into red teaming exercises and are capable of operating at scale and with speed. So, while AI compresses the attack cycle, AI can also “automate” existing teams to improve their response from 5 days to 5 minutes.

What my preview couldn’t fully anticipate was the degree to which the AI narrative forked into two distinct commercial pressures running simultaneously. Dave DeWalt of NightDragon captured both sides: AI as a tool for defense and offense, but also AI as a structural force flattening the competitive landscape between established vendors and startups. His observation that Series A funding is now looking to be $100 million — and that he’d never seen capital deploy this fast — landed with impact. RSAC 2026 felt less like a learning event and more like a deal-making environment with educational sessions attached.

Securing the AI stack: Yes, but the threat surface has grown

The first technical priority I offered for CISOs in my conference preview was securing the AI stack — RAG workflows, LLM data pipelines, vector databases, and model APIs — on the basis that prompt injection, training data poisoning, and model inversion attacks were no longer theoretical. The floor validated this but added dimensions my preview had underweighted. Mike Leland of Island framed the enterprise AI risk surface comprehensively: data leakage, shadow AI, prompt injection, copyright and IP infringement, hallucinations, and data residency. These aren’t sequential concerns — they arrive simultaneously the moment an organization allows AI tools into the environment.

The AI red teaming conversation surfaced with more commercial urgency than anticipated. Frontier Labs’ Brian Singer described environments where AI attackers operate at 1,000 times the speed of human adversaries, pushing the securing-the-stack conversation from defensive posture into something more active. While my preview was right about the topic, it underestimated the operational tempo.

On the conference floor I caught up with Singulr CEO Shiv Agarwal and Richard Bird, Singulr’s CSO and chief strategy officer, whose platform is attempting to solve this visibility problem at scale. Their starting point was blunt: “AI usage is going out of control at the enterprise. The CIO, the CSO, they need some level of control, but without stopping or slowing down innovation.”

What Singulr’s discovery work is revealing is more of an issue than most boards appreciate. Bird told me that across enterprise assessments, they consistently surface between 350 and 430 AI services and features in active use, the overwhelming majority of which were never formally sanctioned. The shadow AI problem isn’t theoretical. It’s already deployed. He offered a more nuanced risk framing than most vendors I encountered: context matters as much as the tool itself. “ChatGPT is a very well-contracted and approved AI service,” he said. “But if someone is using it with a personal account and model training has not been turned off, it brings the same risk as a service put up by two people in a garage.” Unfortunately, sanction alone doesn’t confer safety.

Non-human identity: The standout theme of the conference

My preview identified non-human identity (NHI) governance as rapidly becoming one of the most consequential operational gaps in enterprise security. This proved to be my most prescient call. It wasn’t just a track; it became a through-line across multiple panels. Ross Haleliuk noted bluntly that machine identities already outnumber human ones. Mark McClain, founder of SailPoint, reframed the entire identity management problem around agent intent and context: humans, we assumed, were at an office or working remotely, but do we understand the intention of an AI agent, and do we have guardrail policies capable of reasoning about that?

McClain’s framing felt the most intellectually honest moment of the conference on this topic. He acknowledged that new technology was coming that would put his own platform under pressure, while simultaneously arguing that anyone who believes you can master the agentic world in isolation without human oversight is being misled.

The infrastructure question was taken further in my conversation with Noam Issachar and Jake Turetsky of Jazz, whose platform is building what they describe as a control plane for the agentic layer. Their framing was architecturally provocative: “AI is the new infrastructure. An AI agent can conduct and take action for something that looks like data transformation and never go into the lower tiers of the technology stack.” In their view, the agent layer is becoming the new HTTP — a data transport and transformation tier that sits above traditional infrastructure but below application logic. What they found most troubling was the governance vacuum that currently exists in that space: “If AI is truly transformational, then why is there no transformation of processes, policies, and governance to reflect the fact that traffic management is already happening there?” It’s a fair challenge. The architecture has moved faster than the frameworks built to govern it.

AI governance: Present, but absorbed into broader conversations

The compliance priority in my preview centered on the EU AI Act and the need for CISOs to develop defensible licence-to-operate frameworks for AI deployment. This theme was present at RSAC but was somewhat absorbed into broader discussions about regulatory alignment rather than treated as a standalone priority. VP of Google Threat Intelligence Sandra Joyce’s exchange with Richard Horne of the NCSC touched on the tension between defenders and attackers both benefiting from AI — the NCSC providing framework standards that regulators then align to, a model of governance by reference rather than prescription.

Jay Bavisi, CEO of EC Council, offered the most direct governance framing I encountered across the entire week: “Our attitude as a community has been shoot first, ask questions later. But what we should be doing is ask questions first, shoot later.” The data behind that charge is harder to dismiss than the rhetoric. Bavisi cited that 84% of Fortune 500 companies reference AI implementation in their 10-K filings. He noted that the proportion that claims to have actual AI governance in place is just 18%. With 72 countries having already launched AI regulations or frameworks, the gap between disclosure and accountability is widening, not closing.

Singulr’s Bird reinforced this concern from an operational standpoint, noting that the governance conversation is still largely performative inside most enterprises — boards are discussing AI risk without the institutional mechanisms to actually manage it. In-Q-Tel’s Katie Gray offered the sharpest counterweight to the governance narrative: There has never been a better time to sell to the US government, and the DoD spends $5 billion on cyber annually. In that environment, governance conversations are less about compliance architecture and more about positioning to capture procurement.

Shadow AI: Validated and commercially urgent

My preview’s risk priority around shadow AI and vibe coding — unsanctioned AI tool usage largely invisible to security teams — was confirmed across multiple sessions. Leland’s readiness framework put it plainly: Do you have visibility of shadow AI tool usage across the enterprise? Can you identify and prevent inappropriate data usage with gen AI tools?

Singulr’s Agarwal added a dimension that most vendors are reluctant to name. The most commonly discovered unsanctioned AI application in enterprise assessments is Grammarly — not a rogue model or an exotic data exfiltration tool, a writing assistant that most employees assume is benign and most IT teams have never thought to classify as AI risk. His broader point about risk posture deserves to sit with board directors: “Your monthly board report is kind of useless in a way because your risk position today versus this morning is different.” A static governance snapshot of a dynamic and real-time threat surface is a category error, not a reporting format. Team8’s Amir Zilberstein flagged investment in a reimagined DLP category on exactly this basis: the old category was hated, but AI-driven classification changes what’s possible.

What my preview missed

Two things the pre-event article didn’t fully anticipate:

First, the capital concentration dynamic. Amir Zilberstein’s observation that more funding is going to fewer companies, combined with David DeWalt’s seed and Series A figures, describes a market consolidating at the top even as it fragments at the bottom. The 9,900 cyber companies DeWalt cited aren’t all going to survive contact with AI titans crossing over from the SaaS world.

Second, the workforce conversation. This was the thread I found most unresolved across every conversation I had on stage and off. Many speakers quoted Jensen Huang’s 1:2,000 agent-to-human ratio framing. Then I’d note Yoav Leitersdorf’s counsel to keep R&D flat and grow through AI, and Mark McClain’s observation that AI agents operate at a speed humans physically cannot match — these signals point to a structural workforce shift that cybersecurity leadership hasn’t fully internalized yet.

EC Council’s Bavisi was the most direct voice on this. He pushed back on the premise that CISOs should own AI wholesale: “CISOs are already suffering. A thousand things are already going on. It is one of the most short-lived jobs in the world. And you’re about to throw a behemoth to them.” He cited 4 million cybersecurity jobs unfilled today, with that figure likely to double as the agentic layer matures — not because demand shrinks, but because the skill profile required is fundamentally different.

Bavisi also landed what I’d call the most confronting statistic of the week — not about threat actors, but about the industry’s own readiness: “We are living in an era where AI agents already have a social media community of their own. We live in an era where humans are being threatened and blackmailed and we still haven’t figured out how we’re going to implement responsible AI governance and ethics,” he said.

Closing observation

While my preview was focused on what CISOs needed to learn at RSAC, what the floor revealed was that some of that may require them to rethink how their teams are built, how their governance is structured, and how they report to boards, which are asking AI governance questions but receiving answers designed for a different era. The intelligence is accumulating. The institutional response is lagging. That gap was the real story of RSAC 2026.
  20. Writing a conference preview is an act of professional speculation. You read the agenda, map the schedule session density, and make your personal best call about where the intellectual energy will concentrate. From my perspective going in, RSA Conference 2026 outlined a defining tension for CISOs today: how to enable AI adoption fast enough to stay competitive while securing the enterprise against a threat landscape AI itself is reshaping. Now that RSAC 2026 has run its course, it’s worth holding pre-event predictions, such as my five key priorities for CISOs and their teams, against what actually emerged from the sessions, VC panels, and hallway conversations that tend to be more candid than anything on stage. The verdict: the frame held. In fact, there was very little conversation without AI being front and center. At the Moscone Center in San Francisco I kept hearing, ‘We live in unprecedented times’ — a cliché that I do believe is true. My own surprises were mostly matters of AI emphasis and velocity with stronger and perhaps sharper commercial edges than I expected. The AI saturation hypothesis was confirmed My RSAC 2026 preview argued that AI was no longer a track but had become the event itself, with approximately 40% of the agenda AI-weighted across every cyber domain. That certainly bore out on stage. Every panel, whether focused on investment, products, identity, or offensive capability, returned to AI. Yoav Leitersdorf of YL Ventures put this bluntly: “Everyone only wants to talk about AI, and if you aren’t doing AI, investors don’t want to talk to you.” Kevin Mandia from Ballistic Ventures at the RSA Annual Executive Dinner noted that we have to take humans out of the loop, so that AI versus AI is the new paradigm. He explained that AI agents have been introduced into red teaming exercises and are capable of operating at scale and with speed. 
So, while AI compresses the attack cycle, AI can also “automate” existing teams to improve their response from 5 days to 5 minutes. What my preview couldn’t fully anticipate was the degree to which the AI narrative forked into two distinct commercial pressures running simultaneously. Dave DeWalt of NightDragon captured both sides: AI as a tool for defense and offense, but also AI as a structural force flattening the competitive landscape between established vendors and startups. His observation that Series A funding is now looking to be $100 million — and that he’d never seen capital deploy this fast — landed with impact. RSAC 2026 felt less like a learning event and more like a deal-making environment with educational sessions attached. Securing the AI stack: Yes, but the threat surface has grown The first technical priority I offered for CISOs in my conference preview was securing the AI stack — RAG workflows, LLM data pipelines, vector databases, and model APIs — on the basis that prompt injection, training data poisoning, and model inversion attacks were no longer theoretical. The floor validated this but added dimensions my preview had underweighted. Mike Leland of Island framed the enterprise AI risk surface comprehensively: data leakage, shadow AI, prompt injection, copyright and IP infringement, hallucinations, and data residency. These aren’t sequential concerns — they arrive simultaneously the moment an organization allows AI tools into the environment. The AI red teaming conversation surfaced with more commercial urgency than anticipated. Frontier Labs’ Brian Singer described environments where AI attackers operate at 1,000 times the speed of human adversaries, pushing the securing-the-stack conversation from defensive posture into something more active. While my preview was right about the topic, it underestimated the operational tempo. 
On the conference floor I caught up with Singulr AI CEO Shiv Agarwaland Richard Bird, Singulr AI’s CSO and chief strategyofficer,whose platform is attempting to solve this visibility problem at scale. Their starting point was blunt: “AI usage is going out of control at the enterprise. The CIO, the CSO, they need some level of control, but without stopping or slowing down innovation.” What Singulr AI’s discovery work is revealing is more of an issue than most boards appreciate. Bird told me that across enterprise assessments, they consistently surface between 350 and 430 AI services and features in active use, the overwhelming majority of which were never formally sanctioned. The shadow AI problem isn’t theoretical. It’s already deployed. He offered a more nuanced risk framing than most vendors I encountered: context matters as much as the tool itself. “ChatGPT is a very well-contracted and approved AI service,” he said. “But if someone is using it with a personal account and model training has not been turned off, it brings the same risk as a service put up by two people in a garage.” Unfortunately sanction alone doesn’t confer safety. Non-human identity: The standout theme of the conference My preview identified non-human identity (NHI) governance as rapidly becoming one of the most consequential operational gaps in enterprise security. This proved to be my most prescient call. It wasn’t just a track; it became a through-line across multiple panels. Ross Haleliuk noted bluntly that machine identities already outnumber human ones. Mark McClain, founder of SailPoint, reframed the entire identity management problem around agent intent and context: Humans we assumed were at an office or working remotely, but do we understand the intention of an AI agent, and do we have guardrail policies capable of reasoning about that? McClain’s framing felt the most intellectually honest moment of the conference on this topic. 
He acknowledged that new technology was coming that would put his own platform under pressure, while simultaneously arguing that anyone who believes you can master the agentic world in isolation without human oversight is being misled. The infrastructure question was taken further in my conversation with Noam Issachar and Jake Turetsky of Jazz, whose platform is building what they describe as a control plane for the agentic layer. Their framing was architecturally provocative: “AI is the new infrastructure. An AI agent can conduct and take action for something that looks like data transformation and never go into the lower tiers of the technology stack.” In their view, the agent layer is becoming the new HTTP — a data transport and transformation tier that sits above traditional infrastructure but below application logic. What they found most troubling was the governance vacuum that currently exists in that space: “If AI is truly transformational, then why is there no transformation of processes, policies, and governance to reflect the fact that traffic management is already happening there?” It’s a fair challenge. The architecture has moved faster than the frameworks built to govern it. AI governance: Present, but absorbed into broader conversations The compliance priority in my preview centered on the EU AI Act and the need for CISOs to develop defensible licence-to-operate frameworks for AI deployment. This theme was present at RSAC but was somewhat absorbed into broader discussions about regulatory alignment rather than treated as a standalone priority. VP of Google Threat Intelligence Sandra Joyce’s exchange with Richard Horne of the NCSC touched on the tension between defenders and attackers both benefiting from AI — the NCSC providing framework standards that regulators then align to, a model of governance by reference rather than prescription. 
Jay Bavisi, CEO of EC Council, offered the most direct governance framing I encountered across the entire week: “Our attitude as a community has been shoot first, ask questions later. But what we should be doing is ask questions first, shoot later.” The data behind that charge is harder to dismiss than the rhetoric. Bavisi cited that 84% of Fortune 500 companies reference AI implementation in their 10-K filings. He noted that the proportion that claims to have actual AI governance in place is just 18%. With 72 countries having already launched AI regulations or frameworks, the gap between disclosure and accountability is widening, not closing. Singulr AI’s Bird reinforced this concern from an operational standpoint, noting that the governance conversation is still largely performative inside most enterprises — boards are discussing AI risk without the institutional mechanisms to actually manage it. In-Q-Tel’s Katie Gray offered the sharpest counterweight to the governance narrative: There has never been a better time to sell to the US government, and the DoD spends $5 billion on cyber annually. In that environment, governance conversations are less about compliance architecture and more about positioning to capture procurement. Shadow AI: Validated and commercially urgent My preview’s risk priority around shadow AI and vibe coding — unsanctioned AI tool usage largely invisible to security teams — was confirmed across multiple sessions. Leland’s readiness framework put it plainly: Do you have visibility of shadow AI tool usage across the enterprise? Can you identify and prevent inappropriate data usage with gen AI tools? Singulr AI’s Agarwal added a dimension that most vendors are reluctant to name. The most commonly discovered unsanctioned AI application in enterprise assessments is Grammarly — not a rogue model or an exotic data exfiltration tool, a writing assistant that most employees assume is benign and most IT teams have never thought to classify as AI risk. 
His broader point about risk posture deserves to sit with board directors: “Your monthly board report is kind of useless in a way because your risk position today versus this morning is different.” A static governance snapshot of a dynamic and real-time threat surface is a category error, not a reporting format. Team8’s Amir Zilberstein flagged investment in a reimagined DLP category on exactly this basis, the old category was hated, but AI-driven classification changes what’s possible. What my preview missed Two things the pre-event article didn’t fully anticipate: First, the capital concentration dynamic. Amir Zilberstein’s observation that more funding is going to fewer companies, combined with David DeWalt’s seed and Series A figures, describes a market consolidating at the top even as it fragments at the bottom. The 9,900 cyber companies DeWalt cited aren’t all going to survive contact with AI titans crossing over from the SaaS world. Second, the workforce conversation. This was the thread I found most unresolved across every conversation I had on stage and off. Many speakers quoted Jensen Huang’s 1:2,000 agent-to-human ratio framing. Then I’d note Yoav Leitersdorf counsel to keep R&D flat and grow through AI, and Mark McClain’s observation that AI agents operate at a speed humans physically cannot match — these signals point to a structural workforce shift that cybersecurity leadership hasn’t fully internalized yet. EC Council’s Bavasi was the most direct voice on this. He pushed back on the premise that CISOs should own AI wholesale: “CISOs are already suffering. A thousand things are already going on. It is one of the most short-lived jobs in the world. And you’re about to throw a behemoth to them.” He cited 4 million cybersecurity jobs unfilled today, with that figure likely to double as the agentic layer matures — not because demand shrinks, but because the skill profile required is fundamentally different. 
Bavasi also landed what I’d call the most confronting statistic of the week — not about threat actors, but about the industry’s own readiness: “We are living in an era where AI agents already have a social media community of their own. We live in an era where humans are being threatened and blackmailed and we still haven’t figured out how we’re going to implement responsible AI governance and ethics,” he said. Closing observation While my preview was focused on what CISOs needed to learn at RSAC, what the floor revealed was that some of that may require them to rethink how their teams are built, how their governance is structured, and how they report to boards, which are asking AI governance questions but receiving answers designed for a different era. The intelligence is accumulating. The institutional response is lagging. That gap was the real story of RSAC 2026. View the full article
  21. Writing a conference preview is an act of professional speculation. You read the agenda, map the schedule session density, and make your personal best call about where the intellectual energy will concentrate. From my perspective going in, RSA Conference 2026 outlined a defining tension for CISOs today: how to enable AI adoption fast enough to stay competitive while securing the enterprise against a threat landscape AI itself is reshaping. Now that RSAC 2026 has run its course, it’s worth holding pre-event predictions, such as my five key priorities for CISOs and their teams, against what actually emerged from the sessions, VC panels, and hallway conversations that tend to be more candid than anything on stage. The verdict: the frame held. In fact, there was very little conversation without AI being front and center. At the Moscone Center in San Francisco I kept hearing, ‘We live in unprecedented times’ — a cliché that I do believe is true. My own surprises were mostly matters of AI emphasis and velocity with stronger and perhaps sharper commercial edges than I expected. The AI saturation hypothesis was confirmed My RSAC 2026 preview argued that AI was no longer a track but had become the event itself, with approximately 40% of the agenda AI-weighted across every cyber domain. That certainly bore out on stage. Every panel, whether focused on investment, products, identity, or offensive capability, returned to AI. Yoav Leitersdorf of YL Ventures put this bluntly: “Everyone only wants to talk about AI, and if you aren’t doing AI, investors don’t want to talk to you.” Kevin Mandia from Ballistic Ventures at the RSA Annual Executive Dinner noted that we have to take humans out of the loop, so that AI versus AI is the new paradigm. He explained that AI agents have been introduced into red teaming exercises and are capable of operating at scale and with speed. 
So, while AI compresses the attack cycle, AI can also “automate” existing teams to improve their response from 5 days to 5 minutes. What my preview couldn’t fully anticipate was the degree to which the AI narrative forked into two distinct commercial pressures running simultaneously. Dave DeWalt of NightDragon captured both sides: AI as a tool for defense and offense, but also AI as a structural force flattening the competitive landscape between established vendors and startups. His observation that Series A funding is now looking to be $100 million — and that he’d never seen capital deploy this fast — landed with impact. RSAC 2026 felt less like a learning event and more like a deal-making environment with educational sessions attached. Securing the AI stack: Yes, but the threat surface has grown The first technical priority I offered for CISOs in my conference preview was securing the AI stack — RAG workflows, LLM data pipelines, vector databases, and model APIs — on the basis that prompt injection, training data poisoning, and model inversion attacks were no longer theoretical. The floor validated this but added dimensions my preview had underweighted. Mike Leland of Island framed the enterprise AI risk surface comprehensively: data leakage, shadow AI, prompt injection, copyright and IP infringement, hallucinations, and data residency. These aren’t sequential concerns — they arrive simultaneously the moment an organization allows AI tools into the environment. The AI red teaming conversation surfaced with more commercial urgency than anticipated. Frontier Labs’ Brian Singer described environments where AI attackers operate at 1,000 times the speed of human adversaries, pushing the securing-the-stack conversation from defensive posture into something more active. While my preview was right about the topic, it underestimated the operational tempo. 
On the conference floor I caught up with Singulr AI CEO Shiv Agarwal and Richard Bird, Singulr AI’s CSO and chief strategy officer, whose platform is attempting to solve this visibility problem at scale. Their starting point was blunt: “AI usage is going out of control at the enterprise. The CIO, the CSO, they need some level of control, but without stopping or slowing down innovation.”

What Singulr AI’s discovery work is revealing is more of an issue than most boards appreciate. Bird told me that across enterprise assessments, they consistently surface between 350 and 430 AI services and features in active use, the overwhelming majority of which were never formally sanctioned. The shadow AI problem isn’t theoretical. It’s already deployed.

He offered a more nuanced risk framing than most vendors I encountered: context matters as much as the tool itself. “ChatGPT is a very well-contracted and approved AI service,” he said. “But if someone is using it with a personal account and model training has not been turned off, it brings the same risk as a service put up by two people in a garage.” Unfortunately, sanction alone doesn’t confer safety.

Non-human identity: The standout theme of the conference

My preview identified non-human identity (NHI) governance as rapidly becoming one of the most consequential operational gaps in enterprise security. This proved to be my most prescient call. It wasn’t just a track; it became a through-line across multiple panels. Ross Haleliuk noted bluntly that machine identities already outnumber human ones. Mark McClain, founder of SailPoint, reframed the entire identity management problem around agent intent and context: with humans, we assumed they were at an office or working remotely, but do we understand the intention of an AI agent, and do we have guardrail policies capable of reasoning about that? McClain’s framing felt like the most intellectually honest moment of the conference on this topic.
He acknowledged that new technology was coming that would put his own platform under pressure, while simultaneously arguing that anyone who believes you can master the agentic world in isolation, without human oversight, is being misled.

The infrastructure question was taken further in my conversation with Noam Issachar and Jake Turetsky of Jazz, who are building a new DLP for AI. Jazz, which won CrowdStrike’s 2026 Cybersecurity Startup Accelerator at the show, has developed an engine and an agentic investigator that collects rich context and uses it to drive investigations. Instead of relying on static rules, it understands behavior in context and evaluates it against your organization’s intent and policies.

AI governance: Present, but absorbed into broader conversations

The compliance priority in my preview centered on the EU AI Act and the need for CISOs to develop defensible licence-to-operate frameworks for AI deployment. This theme was present at RSAC but was somewhat absorbed into broader discussions about regulatory alignment rather than treated as a standalone priority. Sandra Joyce, VP of Google Threat Intelligence, in her exchange with Richard Horne of the NCSC, touched on the tension of defenders and attackers both benefiting from AI — the NCSC providing framework standards that regulators then align to, a model of governance by reference rather than prescription.

Jay Bavisi, CEO of EC Council, offered the most direct governance framing I encountered across the entire week: “Our attitude as a community has been shoot first, ask questions later. But what we should be doing is ask questions first, shoot later.” The data behind that charge is harder to dismiss than the rhetoric. Bavisi cited that 84% of Fortune 500 companies reference AI implementation in their 10-K filings. He noted that the proportion that claims to have actual AI governance in place is just 18%.
With 72 countries having already launched AI regulations or frameworks, the gap between disclosure and accountability is widening, not closing. Singulr AI’s Bird reinforced this concern from an operational standpoint, noting that the governance conversation is still largely performative inside most enterprises — boards are discussing AI risk without the institutional mechanisms to actually manage it.

In-Q-Tel’s Katie Gray offered the sharpest counterweight to the governance narrative: there has never been a better time to sell to the US government, and the DoD spends $5 billion on cyber annually. In that environment, governance conversations are less about compliance architecture and more about positioning to capture procurement.

Shadow AI: Validated and commercially urgent

My preview’s risk priority around shadow AI and vibe coding — unsanctioned AI tool usage largely invisible to security teams — was confirmed across multiple sessions. Leland’s readiness framework put it plainly: Do you have visibility of shadow AI tool usage across the enterprise? Can you identify and prevent inappropriate data usage with gen AI tools?

Singulr AI’s Agarwal added a dimension that most vendors are reluctant to name. The most commonly discovered unsanctioned AI application in enterprise assessments is Grammarly — not a rogue model or an exotic data exfiltration tool, but a writing assistant that most employees assume is benign and most IT teams have never thought to classify as AI risk. His broader point about risk posture deserves to sit with board directors: “Your monthly board report is kind of useless in a way because your risk position today versus this morning is different.” A static governance snapshot of a dynamic, real-time threat surface is a category error, not a reporting format.

Team8’s Amir Zilberstein flagged investment in a reimagined DLP category on exactly this basis: the old category was hated, but AI-driven classification changes what’s possible.
What my preview missed

Two things the pre-event article didn’t fully anticipate:

First, the capital concentration dynamic. Amir Zilberstein’s observation that more funding is going to fewer companies, combined with David DeWalt’s seed and Series A figures, describes a market consolidating at the top even as it fragments at the bottom. The 9,900 cyber companies DeWalt cited aren’t all going to survive contact with AI titans crossing over from the SaaS world.

Second, the workforce conversation. This was the thread I found most unresolved across every conversation I had, on stage and off. Many speakers quoted Jensen Huang’s 1:2,000 agent-to-human ratio framing. Set that beside Yoav Leitersdorf’s counsel to keep R&D flat and grow through AI, and Mark McClain’s observation that AI agents operate at a speed humans physically cannot match, and these signals point to a structural workforce shift that cybersecurity leadership hasn’t fully internalized yet.

EC Council’s Bavisi was the most direct voice on this. He pushed back on the premise that CISOs should own AI wholesale: “CISOs are already suffering. A thousand things are already going on. It is one of the most short-lived jobs in the world. And you’re about to throw a behemoth to them.” He cited 4 million cybersecurity jobs unfilled today, with that figure likely to double as the agentic layer matures — not because demand shrinks, but because the skill profile required is fundamentally different.

Bavisi also landed what I’d call the most confronting statistic of the week — not about threat actors, but about the industry’s own readiness: “We are living in an era where AI agents already have a social media community of their own. We live in an era where humans are being threatened and blackmailed and we still haven’t figured out how we’re going to implement responsible AI governance and ethics,” he said.
Closing observation

While my preview focused on what CISOs needed to learn at RSAC, what the floor revealed was that some of that may require them to rethink how their teams are built, how their governance is structured, and how they report to boards, which are asking AI governance questions but receiving answers designed for a different era. The intelligence is accumulating. The institutional response is lagging. That gap was the real story of RSAC 2026.

View the full article
  22. Tayler Derden | shutterstock.com

After years of cybercrime attacks on more than a hundred companies and institutions in Germany, investigators have identified two central suspects. One is the alleged head of two hacker groups, the other the alleged programmer of the malware used by these groups. This was announced by the Cybercrime Center established at the Generalstaatsanwaltschaft Karlsruhe (Karlsruhe Public Prosecutor General’s Office) and the Landeskriminalamt Baden-Württemberg (Baden-Württemberg State Criminal Police Office). A worldwide manhunt for the two wanted men has been launched.

According to the arrest warrants, the two men are alleged to have taken part, between 2019 and 2021, in attacks by the groups on a total of 130 companies and institutions in Germany. In 25 cases the demanded ransom was paid. The total ransom loss amounts to around 1.8 million euros.

Economic damage of around 35 million euros

According to the announcement, these attacks caused economic damage in Germany of around 35 million euros. A single company from Baden-Württemberg alone suffered damage of around 9 million euros.

In ransomware attacks, according to the Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security, BSI), cybercriminals encrypt the data on their victims’ servers and computers with highly complex malware. Decryption is offered only in return for payment of a ransom, usually in hard-to-trace Bitcoin. The perpetrators frequently also threaten to publish sensitive stolen data on so-called leak sites on the darknet to increase the pressure.

Back in January, a key member of one of the two hacker groups, the notorious “GandCrab”, had been sentenced to seven years in prison for computer sabotage and extortion using manipulated software.
As an alleged member of the group, he is said to have paralyzed the networks of 22 German companies and public institutions, including hospitals, clinics and the Württembergische Staatstheater (Württemberg State Theatres) in Stuttgart. (dpa/ad)

View the full article
  24. Yet another critical flaw in a Fortinet product has come to light as attackers continue to target the company, this time by actively exploiting a critical SQL injection vulnerability in the cybersecurity company’s management server.

The vulnerability (CVE-2026-21643) allows unauthenticated threat actors to execute arbitrary code on unpatched systems via specially crafted HTTP requests. These low-complexity attacks target the FortiClient Endpoint Management Server (EMS), a widely used cybersecurity tool.

The CVE was being abused as recently as four days ago, according to research from red-teaming company Defused Cyber, and reflects a concerning trend for the cybersecurity giant, which serves more than 900,000 customers.

“This is Fortinet’s seventh SQL CVE over the past 12 months, and that’s frankly seven too many,” said David Shipley of Beauceron Security.

Gives broad access to sensitive data

FortiClient EMS provides centralized management, deployment, and monitoring for FortiClient endpoint agents across numerous platforms. CVE-2026-21643 was discovered internally by Fortinet’s security team and published on February 6. It impacts FortiClient EMS version 7.4.4 when multi-tenant mode is enabled. Single-site deployments are not impacted. Enterprises should patch immediately, security experts warn, by upgrading to version 7.4.5 or later. As of publication time, Fortinet had not yet updated its security advisory to flag the active exploitation of the CVE.

The flaw is described as “an improper neutralization of special elements” used in a SQL command, i.e. a SQL injection vulnerability. This means that a single HTTP request with a crafted header value is sufficient to execute arbitrary SQL against the backing PostgreSQL database, according to a deep-dive report by pentesting company Bishop Fox. An attacker who can reach the EMS web interface over HTTPS “needs no credentials to exploit this,” it said.
“This gives attackers access to admin credentials, endpoint inventory data, security policies, and certificates for managed endpoints,” the researchers wrote. They pointed out that the endpoint returns database error messages and has no lockout protections, allowing attackers to quickly extract sensitive data.

The Shadowserver Foundation, a nonprofit security watchdog, is currently tracking more than 2,400 FortiClient EMS instances with web interfaces exposed to the internet, the majority of them in the US and Europe. And Shodan, a search engine for internet-connected devices, reported 1,000 publicly exposed instances of FortiClient EMS.

SQL injection a top app security issue

Beauceron’s Shipley underscored the dangers of SQL injection, pointing out that the vulnerability class was first on the OWASP Top 10 list of application security risks when the open source foundation was launched more than 20 years ago. The attack type has remained in the top spot for most of that time, “for good reason.”

“You don’t want these kinds of bugs to lead to remote code execution, [but] in multi-site setups of this service, that’s what you can get,” said Shipley.

Victor Okorie, advisory director in the security and privacy practice at Info-Tech Research Group, agreed with Shipley’s assessment that SQL injection vulnerabilities are particularly dangerous. Most existing controls do not catch flaws like this, he pointed out, allowing credential theft, enabling lateral movement due to the “implicit trust” placed in the EMS, and permitting manipulation and exfiltration of sensitive data. Attackers can execute unauthorized commands and bypass authentication completely, “which makes getting in a breeze.”

“The bad actor’s playbook consists of ‘get in,’ ‘take control,’ and ‘profit,’ and this is something we should always remember when reviewing vulnerabilities being exploited in the wild,” said Okorie.
Highlights importance of zero trust

Fortinet has been a prime target for threat actors of late, with attackers using AI to exploit weakly protected firewalls, launching zero-day attacks against customer devices, and stealing FortiGate firewall credentials. The company has also been criticized for “silent” patching after disclosing zero-day vulnerabilities in some of its equipment. All told, the US Cybersecurity and Infrastructure Security Agency (CISA) lists 24 Fortinet vulnerabilities as actively being exploited.

This highlights the importance of a zero-trust architecture, said Okorie. Organizations should check whether their EMS is internet-facing, he advised; if it is, they should remove it from direct exposure to the internet and place it behind a secure access gateway. Enterprises should also inspect HTTP traffic logs for anomalous SQL syntax embedded within the ‘Site’ header.

“Old dogs don’t really need new tricks, and that can be applicable here,” said Okorie. Because Fortinet vulnerabilities have been used in ransomware campaigns, “there is a sense of familiarity” for attackers, who continue to identify and exploit weaknesses.

Fortinet must be ‘more proactive’

“Fortinet seems to have an issue resolving entire bug classes,” added Beauceron’s Shipley. They seem to keep playing “bug whack-a-mole,” fixing the immediate problem but not taking the time to review codebases in depth to uncover the same flawed code in other areas. “Attackers, on the other hand, smell blood,” he noted. Once they find this kind of bug repeated, they will refine their hacking attempts to discover more instances of it.

With AI tools speeding up attackers’ work, Fortinet must be more proactive on bug hunts, said Shipley. That being said, he observed, the company’s revenue continued to grow in 2025 by more than 14%, “so the market isn’t exactly sending a strong signal that they should care [about this] more.”

View the full article
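One way to act on Okorie’s advice to inspect HTTP traffic logs for anomalous SQL syntax in the ‘Site’ header, as an added example that is not from the article, from Fortinet, or from any of the researchers quoted. It assumes a constructed request-log format in which the header value is recorded as site="..."; the allowed shape of a legitimate tenant name is likewise an assumption, not vendor documentation. The sample log lines and the header values in them are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample request log (not from the article, Fortinet, or any real deployment).
# Assumed format: one request per line, with the HTTP 'Site' header recorded as site="...".
SAMPLE_LOG = """\
2026-02-10T08:01:12Z src=10.0.4.21 method=GET path=/api/v1/status site="hq-site" status=200
2026-02-10T08:01:15Z src=10.0.4.22 method=GET path=/api/v1/status site="branch_02" status=200
2026-02-10T08:02:01Z src=203.0.113.7 method=GET path=/api/v1/status site="hq' OR '1'='1" status=500
2026-02-10T08:02:03Z src=203.0.113.7 method=GET path=/api/v1/status site="hq'; SELECT 1--" status=500
2026-02-10T08:03:40Z src=10.0.4.23 method=GET path=/api/v1/status site="New York" status=200
2026-02-10T08:04:02Z src=10.0.4.24 method=GET path=/login status=200
"""

SITE_RE = re.compile(r'\bsite="((?:[^"\\]|\\.)*)"')
SRC_RE = re.compile(r"\bsrc=(\S+)")
STATUS_RE = re.compile(r"\bstatus=(\d{3})")

# Assumption (not vendor documentation): legitimate tenant/site names are short identifiers.
# Anything outside this shape is worth a look even when no SQL syntax is present.
ALLOWED_SITE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Generic SQL syntax indicators: textbook metacharacters and keywords, not an exploit signature.
SQL_INDICATORS = [
    ("single_quote", re.compile(r"'")),
    ("comment", re.compile(r"--|/\*")),
    ("statement_separator", re.compile(r";")),
    ("sql_keyword", re.compile(r"\b(union|select|insert|update|delete|drop|pg_sleep|sleep)\b", re.I)),
    ("boolean_tautology", re.compile(r"""\b(or|and)\b\s*['"\d]""", re.I)),
]

@dataclass
class Finding:
    line_no: int
    src: str
    status: str
    site: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        sql_hits = [r for r in self.reasons if r != "not_in_allowed_shape"]
        if len(sql_hits) >= 2 or (sql_hits and self.status.startswith("5")):
            return "high"    # several SQL markers, or one plus a server error (the DB complained)
        if sql_hits:
            return "medium"
        return "low"         # unusual shape only, most likely a naming quirk

def assess_site_value(value: str) -> list:
    """Return the reasons a Site header value looks anomalous (empty list if it looks clean)."""
    reasons = []
    if not ALLOWED_SITE_RE.match(value):
        reasons.append("not_in_allowed_shape")
    for name, pattern in SQL_INDICATORS:
        if pattern.search(value):
            reasons.append(name)
    return reasons

def scan_log(text: str) -> list:
    """Scan a request log and return a Finding for every request whose Site header looks anomalous."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = SITE_RE.search(line)
        if not m:
            continue  # request carried no Site header
        reasons = assess_site_value(m.group(1))
        if not reasons:
            continue
        src = SRC_RE.search(line)
        status = STATUS_RE.search(line)
        findings.append(Finding(line_no, src.group(1) if src else "?",
                                status.group(1) if status else "?", m.group(1), reasons))
    return findings

def sources_to_review(findings) -> set:
    """Source addresses behind at least one high-severity finding, for triage or blocking review."""
    return {f.src for f in findings if f.severity == "high"}

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.severity:<6} src={f.src} status={f.status} site={f.site!r} {f.reasons}")
    print("sources to review:", sorted(sources_to_review(results)))
```

The allowed-shape check and the SQL indicators are kept separate so that a site name with a space in it is surfaced as low severity rather than lumped in with the high-severity lines; pairing a SQL marker with a 5xx response raises severity because the article notes that the endpoint returns database error messages, which makes a server error on such a request a strong corroborating signal.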
  25. Security researchers are warning that applications using AI frameworks without proper safeguards can expose sensitive information in basic, yet critical, non-AI ways. According to a recent Cyera analysis, the widely used AI orchestration tools LangChain and LangGraph are vulnerable to critical input validation flaws that could allow attackers to access sensitive enterprise data.

In a recent blog post, the cybersecurity company outlined how a newly discovered flaw in LangChain, along with two similarly themed, previously reported ones, can be exploited to retrieve different categories of data, including local files, API keys, and stored application state.

“The biggest threat to your enterprise AI data might not be as complex as you think,” Cyera researchers said in the post. The issues often hide in the “invisible, foundational plumbing” that connects AI to business workflows, the researchers argued, adding that all the flaws have now been fixed by the tools’ maintainers but that the fixes need to be applied immediately across integrations to avoid impact.

Path traversal becomes the latest in a series of input validation bugs

Cyera disclosed a new path traversal vulnerability and analyzed it alongside two previously reported flaws, showing how each maps to specific components in LangChain and LangGraph and enables access to a different class of data.

The path traversal issue, tracked as CVE-2026-34070, arises from how a LangChain feature resolves file paths when loading prompt templates or external resources. By supplying crafted input, an attacker can traverse directories and read arbitrary files from the host system, potentially exposing configuration files and credentials. The flaw received a severity rating of CVSS 7.5 out of 10.

One of the older flaws, an unsafe deserialization flaw identified as CVE-2025-68664, stemmed from the handling of serialized objects within the LangChain framework.
The issue lets an application process untrusted serialized data, allowing an attacker to inject malicious payloads that are interpreted as trusted objects, enabling access to sensitive runtime data such as API keys and environment variables. The flaw had received a critical 9.3/10.0 rating when it was disclosed in December 2025.

The other older flaw, an SQL injection vulnerability in LangGraph’s checkpointing mechanism, was found to allow manipulation of backend queries. Exploiting this flaw could grant access to stored application data, including conversation history and workflow state tied to AI agents. Tracked as CVE-2025-67644, the flaw was assigned a high-severity rating of CVSS 7.3 out of 10.

Together, Cyera researchers pointed out, the three flaws (along with others of the kind) highlight how widely used AI frameworks can expose different layers of enterprise data, effectively turning LangChain and LangGraph into a new attack surface.

Back to the basics

The exploit technique described in the report relies on insufficient input validation and unsafe handling of data across key integration points in AI pipelines. In each case, attacker-controlled input, whether through prompts, serialized payloads, or query parameters, can influence how the framework interacts with the filesystem or database.

For the most recent path traversal bug, the risk is driven by a lack of strict path validation and sandboxing. Mitigations include enforcing allowlists for file access and restricting directory boundaries. In the case of deserialization, the issue lies in treating external data as trusted. Cyera recommends avoiding unsafe deserialization methods and ensuring that only validated, expected data structures are processed. For SQL injection, the company recommended using parameterized queries and strengthening input sanitization. Across all three cases, the guidance aligned with established secure coding practices.

View the full article
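The three mitigations in the “Back to the basics” section, carried through in code as an added example. This is not LangChain’s or LangGraph’s own code, nor the maintainers’ actual fixes: it is a generic Python illustration of the same controls applied to the same kinds of integration points (a template loader, a state deserializer, a checkpoint lookup). The function names, the JSON state schema, and the use of sqlite3 as a stand-in for the real checkpoint backend are all assumptions of the example, and the files and rows it creates are constructed sample data.

```python
import json
import sqlite3
import tempfile
from pathlib import Path

# 1. Path traversal: resolve user-supplied names against a fixed directory and refuse escapes.
#    Names here (load_template_*, resolve_within) are this example's own, not LangChain's API.

class UnsafePathError(ValueError):
    pass

def load_template_unsafe(base_dir: Path, name: str) -> str:
    """The 'before' pattern: user input joined onto a base directory with no boundary check."""
    return (base_dir / name).read_text()

def resolve_within(base_dir: Path, name: str, allowed_suffixes=(".txt", ".tmpl")) -> Path:
    """Return the real path for `name` only if it stays inside base_dir and has an allowed suffix."""
    base = base_dir.resolve()
    candidate = (base / name).resolve()  # collapses '..' and follows symlinks before the check
    if candidate == base or not candidate.is_relative_to(base):
        raise UnsafePathError(f"refusing path outside template directory: {name!r}")
    if candidate.suffix not in allowed_suffixes:
        raise UnsafePathError(f"refusing non-template file: {name!r}")
    return candidate

def load_template_safe(base_dir: Path, name: str) -> str:
    return resolve_within(base_dir, name).read_text()

# 2. Deserialization: parse a data-only format and validate the shape; never let the payload
#    choose which classes get instantiated. The schema is an assumption of this example.

STATE_SCHEMA = {"thread_id": str, "step": int, "messages": list}

def load_state(payload: bytes) -> dict:
    """Decode JSON and check every field against STATE_SCHEMA before anything downstream uses it."""
    data = json.loads(payload)
    if not isinstance(data, dict) or set(data) != set(STATE_SCHEMA):
        raise ValueError("state payload has unexpected or missing keys")
    for key, expected in STATE_SCHEMA.items():
        if type(data[key]) is not expected:  # exact type: rejects bool-for-int, nested objects, etc.
            raise ValueError(f"field {key!r} must be {expected.__name__}")
    if not all(isinstance(m, str) for m in data["messages"]):
        raise ValueError("messages must be strings")
    return data

# 3. SQL: parameterized queries for the checkpoint store (sqlite3 stands in for the real backend).

def init_checkpoint_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, step INTEGER, state TEXT)")
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?, ?)", [  # constructed sample rows
        ("t-1", 1, '{"msg": "hello"}'),
        ("t-1", 2, '{"msg": "world"}'),
        ("t-2", 1, '{"msg": "other tenant"}'),
    ])
    return conn

def latest_checkpoint(conn: sqlite3.Connection, thread_id: str):
    """The placeholder keeps thread_id as a bound value; SQL syntax inside it is never parsed."""
    return conn.execute(
        "SELECT step, state FROM checkpoints WHERE thread_id = ? ORDER BY step DESC LIMIT 1",
        (thread_id,),
    ).fetchone()

def demo() -> dict:
    """Exercise all three controls on constructed inputs and report what each one did."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "templates"
        base.mkdir()
        (base / "greeting.txt").write_text("Hello, {name}")
        (Path(tmp) / "secrets.env").write_text("API_KEY=constructed-placeholder")  # outside base
        out["unsafe_read"] = load_template_unsafe(base, "../secrets.env")  # escapes the directory
        out["safe_read"] = load_template_safe(base, "greeting.txt")
        try:
            load_template_safe(base, "../secrets.env")
            out["traversal_blocked"] = False
        except UnsafePathError:
            out["traversal_blocked"] = True
    try:
        load_state(b'{"thread_id": "t-1", "step": 2, "messages": ["hi"], "__class__": "evil"}')
        out["bad_state_rejected"] = False
    except ValueError:
        out["bad_state_rejected"] = True
    conn = init_checkpoint_db()
    out["checkpoint"] = latest_checkpoint(conn, "t-1")
    out["injected_lookup"] = latest_checkpoint(conn, "t-1' OR '1'='1")  # bound as data: no row
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The path check resolves both the base directory and the candidate before comparing them, so `..` segments and symlinks are handled by the filesystem rather than by string matching; the suffix allowlist is the second layer the article mentions. The deserializer accepts a data-only format and compares exact types, which is what “only validated, expected data structures” amounts to in practice.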
