<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0">
  <channel>
    <title>SecureWorld News</title>
    <link>https://www.secureworld.io/industry-news</link>
    <description>SecureWorld News is your trusted source for the valuable cybersecurity information you depend on. Our coverage spans the InfoSec industry, with content ranging from breaking news and original articles to exclusive research and expert interviews.</description>
    <language>en-us</language>
    <pubDate>Fri, 15 May 2026 17:52:27 GMT</pubDate>
    <dc:date>2026-05-15T17:52:27Z</dc:date>
    <dc:language>en-us</dc:language>
    <item>
      <title>Navigating Chinese-Nexus Threats Amidst High-Level Summits</title>
      <link>https://www.secureworld.io/industry-news/navigating-chinese-nexus-threats-summits</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/navigating-chinese-nexus-threats-summits" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/China%20-%20computer%20%20laptop%20server%20room%20---%20dark-network-room-background-2025-03-08-04-24-52-utc.jpg" alt="China stars pattern on laptop" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p style="font-weight: normal;"&gt;While President Donald Trump and President Xi Jinping meet in China this week for high-stakes diplomatic talks, the digital front remains a theater of persistent conflict.&lt;/p&gt;</description>
      <content:encoded>&lt;p style="font-weight: normal;"&gt;While President Donald Trump and President Xi Jinping meet in China this week for high-stakes diplomatic talks, the digital front remains a theater of persistent conflict.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;Two recent research breakthroughs from Darktrace—the discovery of an updated FDMTP backdoor and the comprehensive Crimson Echo report—reveal a sobering truth: regardless of the diplomatic optics, Chinese-nexus cyber tradecraft is becoming more sophisticated, automated, and deeply embedded in our critical infrastructure.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;For cybersecurity professionals, these reports serve as a reminder that "cyber peace" is not a product of summits&amp;nbsp;but a result of architectural resilience and behavioral detection.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;Let's break it all down.&lt;/p&gt; 
&lt;h2&gt;&lt;strong&gt;1. The FDMTP backdoor: sophistication in the 'shadows'&lt;/strong&gt;&lt;/h2&gt; 
&lt;p&gt;&lt;a href="https://www.darktrace.com/blog/chinese-apt-campaign-targets-entities-with-updated-fdmtp-backdoor"&gt;Darktrace's latest findings&lt;/a&gt; on the updated FDMTP (File Download and Message Transmission Protocol) backdoor highlight a significant evolution in malware design. This is not a "smash-and-grab" tool; it is a surgical instrument for long-term persistence.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Advanced evasion:&lt;/span&gt; The updated backdoor uses highly customized communication protocols to bypass standard signature-based detection. It mimics legitimate traffic, effectively hiding within the "noise" of a standard enterprise network.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Targeted environmental logic:&lt;/span&gt; Much like the &lt;a href="https://www.secureworld.io/industry-news/zionsiphon-ot-warfare"&gt;ZionSiphon malware&lt;/a&gt; analyzed earlier this year, the FDMTP backdoor performs environment checks to ensure it has reached a high-value target before fully activating its payload.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Living-off-the-land (LotL):&lt;/span&gt; The campaign relies heavily on LotL techniques, using legitimate administrative tools already present on the system to move laterally, making it nearly invisible to traditional antivirus solutions.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2&gt;&lt;strong&gt;2. Crimson Echo: the 'low and slow' strategy&lt;/strong&gt;&lt;/h2&gt; 
&lt;p style="font-weight: normal;"&gt;The &lt;a href="https://cdn.prod.website-files.com/626ff19cdd07d1258d49238d/69c144c22a786a2c1309026d_CrimsonEchoFinalReportPDF.pdf"&gt;Crimson Echo report&lt;/a&gt; provides the broader context for these individual attacks. Through behavioral analysis, Darktrace has mapped the core "DNA" of Chinese-nexus tradecraft, characterized by a "low and slow" approach.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Long-term persistence:&lt;/span&gt; Unlike financially motivated cybercriminals who want a quick payout, Chinese state-sponsored threat actors often maintain access to networks for months or even years. Their objective is intelligence gathering and "pre-positioning" for future disruptions.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Exploiting the edge:&lt;/span&gt; There is a sustained focus on internet-facing device exploitation. By targeting the "logical perimeter"—VPNs, routers, and firewalls—attackers gain a foothold that allows them to bypass internal security layers.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Critical infrastructure targeting:&lt;/span&gt; The report identifies a consistent interest in sectors like energy, water, and manufacturing. This matches the trends seen in &lt;a href="https://www.secureworld.io/industry-news/cisa-critical-infrastructure-fortify-initiative"&gt;CISA's CI Fortify initiative&lt;/a&gt;, where the goal is to establish "sleeper cells" within the systems that sustain public life.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2&gt;&lt;strong&gt;3. What this means for U.S. enterprises and the public&lt;/strong&gt;&lt;/h2&gt; 
&lt;p style="font-weight: normal;"&gt;The disconnect between the high-level diplomacy in Beijing and the active campaigns in the SOC creates a "maturity mirage." U.S. enterprises must realize that diplomatic de-escalation does not equal a reduction in cyber risk.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;For enterprises:&lt;/span&gt; Strategic patience is the adversary's greatest weapon. You must assume that pre-positioning&amp;nbsp;has already occurred. This requires a shift from perimeter defense to runtime-first visibility, where the most trusted signal is the behavior of the software and identities already inside your network.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;For the public:&lt;/span&gt; The "invisible front" of this geopolitical tension directly impacts the reliability of essential services. The public should be aware that the security of their data and infrastructure is a permanent component of national security, regardless of the current diplomatic climate.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2&gt;&lt;strong&gt;4. Strategic mandates for cybersecurity professionals&lt;/strong&gt;&lt;/h2&gt; 
&lt;p style="font-weight: normal;"&gt;Darktrace's research dictates a shift in how we manage the "convergence crunch" of high-velocity threats and human-led defense.&lt;/p&gt; 
&lt;ol&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Prioritize behavioral anomaly detection:&lt;/span&gt; Since FDMTP and LotL techniques bypass signatures, you must monitor for deviations in "normal" behavior. If a legitimate admin tool starts scanning a subnet for ICS protocols (like Modbus or S7), it must trigger an immediate response.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Hardening the "workforce identity gap":&lt;/span&gt; Attackers are &lt;a href="https://www.secureworld.io/industry-news/skeleton-key-era-attackers-logging-in"&gt;&lt;/a&gt;logging in, not breaking in.&amp;nbsp;Move toward Forensic Identity Verification for all remote access and administrative workflows to ensure that a compromised credential doesn't lead to a path to privilege.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Audit fourth-party risk:&lt;/span&gt; As organizations consolidate their stacks, they often increase their reliance on a few large platforms. The Crimson Echo report suggests that these central hubs&amp;nbsp;are becoming primary targets for nation-state actors seeking a cascading impact.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Assume the "ghost in the machine":&lt;/span&gt; With the rise of AI-specific packages in production, security teams must treat AI agents and service accounts with the same Zero Trust rigor applied to human users.&lt;/p&gt; &lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;We asked a few experts from solution providers for their take on the reports.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;&lt;a href="https://www.linkedin.com/in/shane-barney-69026528/"&gt;Shane Barney&lt;/a&gt;, CISO at Keeper Security, said:&amp;nbsp;&lt;/span&gt;&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;"What stands out in this campaign is the attackers'&amp;nbsp;ability to maintain access over an extended period while adapting techniques and infrastructure along the way. This kind of activity reflects how modern threat campaigns are designed to operate over time, rather than rely on a single point of entry. In today's threat landscape, organizations must account for both initial compromise and ongoing activity within their environment. Attackers are increasingly using legitimate processes and modular tooling, which can make malicious behavior more difficult to distinguish from normal operations."&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;"This is where detection strategies need to evolve. Indicator-based approaches still play a role, but they are not sufficient on their own against campaigns that can quickly change artifacts. Behavioral monitoring, particularly around process execution, network activity, and privileged access, provides stronger signals when something is not operating as expected. Privileged access also remains a key area of focus. Managing how access is granted, monitored, and validated over time helps reduce the likelihood of prolonged, undetected activity and limits the scope of what can be accessed if a system is compromised."&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;"Ultimately, this type of campaign reinforces the need for continuous visibility and control across the environment. The goal is not just to prevent access&amp;nbsp;but to detect and contain it quickly if it occurs."&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: bold;"&gt;&lt;a href="https://www.linkedin.com/in/heath-renfrow-245187124/"&gt;Heath Renfrow&lt;/a&gt;, Co-Founder and CISO at Fenix24, said:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;"The most important takeaway from this research is that modern nation-state cyber operations are no longer built around a single malware strain or a single point of compromise. What we are seeing from China-linked actors like Mustang Panda is highly modular, adaptive tradecraft designed to survive disruption, evade signature-based detection, and maintain persistence through constantly evolving infrastructure and tooling."&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;"The use of legitimate executables, DLL sideloading, CDN impersonation, and plugin-based remote access frameworks highlights how sophisticated actors are increasingly blending into normal enterprise operations rather than relying on overtly malicious behavior. Organizations should understand that traditional IOC-driven security models are becoming less effective against these types of campaigns."&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;"Security teams need to shift focus from purely prevention-based thinking toward operational resilience and behavioral detection. The critical questions are no longer just 'Can we stop the intrusion?' but also 'Can we rapidly detect abnormal behavior, contain lateral movement, validate identity trust, and recover critical business functions quickly if compromise occurs?'"&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;"This research also reinforces the growing importance of continuous validation of identity systems, endpoint visibility, backup integrity, and dependency mapping. Nation-state actors are designing campaigns to adapt in real time, meaning defenders must build environments that are equally adaptive and resilient."&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;"As AI capabilities continue to accelerate globally, both offensive and defensive cyber operations will become faster, more automated, and more difficult to distinguish from legitimate activity. Organizations that rely solely on static defenses or periodic assessments will increasingly struggle against these evolving threats."&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: normal;"&gt;Summits provide headlines, but tradecraft provides the reality. As President Trump and President Xi discuss trade and global stability, the digital front remains a contest of persistence versus detection.&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fnavigating-chinese-nexus-threats-summits&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>Critical Infrastructure</category>
      <category>Original Content</category>
      <category>Malware</category>
      <category>China</category>
      <category>Geopolitics</category>
      <category>Diplomacy</category>
      <pubDate>Fri, 15 May 2026 14:19:00 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/navigating-chinese-nexus-threats-summits</guid>
      <dc:date>2026-05-15T14:19:00Z</dc:date>
    </item>
    <item>
      <title>Hardening Large-Scale Events Against Deepfake Disruptions</title>
      <link>https://www.secureworld.io/industry-news/hardening-events-deepfake-disruptions</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/hardening-events-deepfake-disruptions" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/blog-image-uploads/gdansk-83358_1280.jpg" alt="crowd at a boxing match" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p style="font-weight: normal;"&gt;As the world moves into the heavy event season of 2026—anchored by the FIFA World Cup—the digital battlefield&amp;nbsp;has expanded into the physical arena. A new whitepaper from the Center for Internet Security (CIS), &lt;a href="https://www.secureworld.io/hubfs/documents/Deepfakes%20and%20Synthetic%20Media%20-%20Threat%20to%20Large-Scale%20Public%20Gatherings%20-%20Emerging%20Risks%20Whitepaper%20-%20CIS%20-%20May%202026.pdf"&gt;"Deepfakes and Synthetic Media: The Emerging Threat to Large-Scale Public Gatherings,"&lt;/a&gt; issues a stark warning: AI-generated content is no longer just a disinformation problem, it is a Tier 1 operational and public safety risk.&lt;/p&gt;</description>
      <content:encoded>&lt;p style="font-weight: normal;"&gt;As the world moves into the heavy event season of 2026—anchored by the FIFA World Cup—the digital battlefield&amp;nbsp;has expanded into the physical arena. A new whitepaper from the Center for Internet Security (CIS), &lt;a href="https://www.secureworld.io/hubfs/documents/Deepfakes%20and%20Synthetic%20Media%20-%20Threat%20to%20Large-Scale%20Public%20Gatherings%20-%20Emerging%20Risks%20Whitepaper%20-%20CIS%20-%20May%202026.pdf"&gt;"Deepfakes and Synthetic Media: The Emerging Threat to Large-Scale Public Gatherings,"&lt;/a&gt; issues a stark warning: AI-generated content is no longer just a disinformation problem, it is a Tier 1 operational and public safety risk.&lt;/p&gt;  
&lt;p&gt;For cybersecurity professionals, this marks the end of the maturity mirage&amp;nbsp;where deepfakes were viewed as a future concern. The tools for creating highly persuasive, fabricated audio and video are now widely accessible, lowering the barrier for sophisticated influence operations that can trigger real-world chaos.&lt;/p&gt; 
&lt;p&gt;Large-scale gatherings—concerts, festivals, political conventions, and sporting events—create unique vulnerabilities. They concentrate large, emotionally charged audiences within compressed timeframes. In these environments, a single 15-second deepfake video can shift public perception faster than official channels can respond. CIS identifies a few key threat actor motivations:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Operational disruption:&lt;/span&gt; Using synthetic media to trigger false evacuations, misdirect crowds, or disrupt transit logistics&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Psychological impact:&lt;/span&gt; Creating "synthetic panic" by spoofing emergency alerts or official voices (e.g., local police or event organizers) to report non-existent threats&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Reputational sabotage:&lt;/span&gt; Attacking the integrity of event sponsors, athletes, or political figures to cause long-term brand damage&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: normal;"&gt;The CIS whitepaper dictates a shift from traditional network security to Information Integrity Management. If you are charged with securing a large-scale event, you must be aware of three emerging frontiers:&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;1. The workforce identity gap at scale&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;Attackers are using deepfake audio to target event help desks and volunteer onboarding. By impersonating staff or high-ranking officials, they can gain unauthorized physical or digital access.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;The action: Move beyond "vocal recognition" as a trust signal. Implement Forensic Identity Verification and "out-of-band" authentication for all high-risk requests, especially those involving facility access or credential recovery.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;2. Synthetic phishing and "vibe-coded" social engineering&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;Standard phishing filters often fail to catch hyper-personalized, AI-generated content. For an event like the World Cup, attackers can use deepfake imagery to create perfectly forged "urgent" policy updates or security alerts sent to thousands of staff members simultaneously.&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;3. The "detection vs. correction" lag&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;The whitepaper highlights that while AI can help detect deepfakes, the "correction lag"—the time it takes to debunk a viral lie—is the attacker's greatest asset.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;The action: Establish a "single source of truth" protocol before the event begins. This involves pre-verifying official communication channels and using digital signatures or watermarking for all public-facing emergency announcements.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;The CIS report offers a practical roadmap for hardening the human perimeter:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Establish a crisis communication vault:&lt;/span&gt; Pre-record "all clear" and emergency messages with verified watermarks to ensure the public can distinguish between synthetic and legitimate instructions.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Monitor "alternative" information channels: &lt;/span&gt;Threat actors often test deepfakes on niche platforms before pushing them to mainstream social media. Real-time monitoring of these "canary" channels is essential for early detection.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Integrate cyber and physical response: &lt;/span&gt;If a deepfake triggers a crowd surge, it is no longer just an "IT incident." Security planners must treat synthetic media as a potential trigger for kinetic emergencies, requiring a unified response from the SOC and physical security teams.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: normal;"&gt;The 2026 threat landscape is defined by the convergence crunch of AI speed and physical reality. As the CIS whitepaper concludes, cybersecurity professionals can no longer rely on "seeing is believing." To protect the public in the age of synthetic media, cybersecurity professionals must move from being data defenders to truth architects.&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fhardening-events-deepfake-disruptions&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>Original Content</category>
      <category>Physical Security</category>
      <category>Deepfake</category>
      <category>AI</category>
      <pubDate>Thu, 14 May 2026 12:33:01 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/hardening-events-deepfake-disruptions</guid>
      <dc:date>2026-05-14T12:33:01Z</dc:date>
    </item>
    <item>
      <title>The Dual-Front War: Navigating AI as Both Engine and Target</title>
      <link>https://www.secureworld.io/industry-news/dual-front-war-ai-engine-target</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/dual-front-war-ai-engine-target" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/AI_SOC_Secret%20service_2025-03-09-14-53-27-utc.jpg" alt="AI on monitors in Security Operations Center" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p style="font-weight: normal;"&gt;The traditional cybersecurity perimeter has shifted. According to the latest research from Google Threat Intelligence, the world is&amp;nbsp;now operating in a dual-front threat environment: one where artificial intelligence is being weaponized as a high-velocity engine for adversary operations, and another where the AI models themselves have become high-value targets.&lt;/p&gt;</description>
      <content:encoded>&lt;p style="font-weight: normal;"&gt;The traditional cybersecurity perimeter has shifted. According to the latest research from Google Threat Intelligence, the world is&amp;nbsp;now operating in a dual-front threat environment: one where artificial intelligence is being weaponized as a high-velocity engine for adversary operations, and another where the AI models themselves have become high-value targets.&lt;/p&gt;  
&lt;p&gt;Building on its &lt;a href="https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use"&gt;February 2026 findings&lt;/a&gt; regarding the "Distillation, Experimentation, and Integration" phase of adversarial AI, &lt;a href="https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access"&gt;Google's latest report&lt;/a&gt; clarifies a critical pivot. We are moving past the era of "AI hype" and into a period of functional exploitation.&lt;/p&gt; 
&lt;p&gt;The most significant trend identified is the use of AI to bridge the initial access&amp;nbsp;gap. Adversaries are no longer manually hunting for entry points; they are using AI to commoditize vulnerability exploitation.&lt;/p&gt; 
&lt;p&gt;Threat actors are using LLMs to scan massive datasets of public code and configurations to identify "vibe coding" errors—logical flaws like Insecure Direct Object References (IDOR) that AI-assisted developers often overlook. It's automated reconnaissance at scale.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;The report highlights a surge in AI-generated social engineering that bypasses legacy "don't click the link" training—hyper-personalized phishing. By using synthetic audio and hyper-personalized context, attackers are successfully targeting the workforce identity gap at the help desk to bypass MFA.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;The time between the disclosure of a vulnerability and the appearance of an AI-generated exploit has shrunk to minutes. As seen in recent analysis of discovery models like Mythos, the remediation gap&amp;nbsp;is now the primary metric of risk.&lt;/p&gt; 
&lt;p&gt;As enterprises integrate AI into their core business logic, the models, data pipelines, and agentic&amp;nbsp;workflows have become the primary targets for nation-state and financially motivated actors.&lt;/p&gt; 
&lt;p&gt;Attackers are moving beyond simple data theft to logic corruption. By injecting malicious instructions into an LLM's data stream, they can "defang" defensive agents or force an AI to leak sensitive corporate telemetry.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;The report tracks a 25x growth in AI-specific packages in production environments. This explosion has created a massive Non-Human Identity (NHI) problem, where over-privileged service accounts tied to AI agents provide an unmonitored path to privilege. Call it the "Ghost in the Machine."&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;Employees uploading sensitive code or PII into unmanaged AI tools remains a top-tier risk, creating a "maturity mirage" where an organization believes it is secure while its most valuable data is being used to train external models. It's data leakage via shadow AI.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;Google's report makes it clear: the "hustle hard" era of manual defense cannot survive this velocity. Security professionals must pivot to a runtime-first, identity-centric architecture.&lt;/p&gt; 
&lt;p&gt;Legacy IAM is too static for ephemeral AI workloads. Identity management must evolve into automated enforcement that can revoke a compromised AI agent's permissions in milliseconds.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;Don't get buried in AI-generated vulnerability lists. Use automated attack path validation to focus remediation on the flaws that actually lead to your most critical AI assets. Validate the attack path, not just the bug.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;Since AI makes impersonation easier, move toward Forensic Identity Verification for high-risk interactions like account recovery and remote onboarding. Defenders must harden the help desk.&lt;/p&gt; 
&lt;p&gt;Treat your AI models like critical infrastructure. Implement Secure-by-Design&amp;nbsp;principles for your data pipelines and use runtime monitoring (like Falco) to detect anomalies in how your models are interacting with the network.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;The 2026 threat landscape is defined by the "convergence crunch." Cybersecurity professionals are defending against machine-speed adversaries while protecting the very machines we use to defend ourselves. In this environment, resilience isn't found in a longer list of tools; it is found in the architectural simplification that allows a SOC to see, understand, and stop an AI-driven threat before it reaches a path to privilege.&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fdual-front-war-ai-engine-target&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>Original Content</category>
      <category>Threat Intel</category>
      <category>AI</category>
      <pubDate>Wed, 13 May 2026 13:08:00 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/dual-front-war-ai-engine-target</guid>
      <dc:date>2026-05-13T13:08:00Z</dc:date>
    </item>
    <item>
      <title>Agent Observability Shouldn't Just Be About Vulnerabilities</title>
      <link>https://www.secureworld.io/industry-news/agent-observability-not-just-about-vulnerabilities</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/agent-observability-not-just-about-vulnerabilities" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/image-png-May-11-2026-08-27-45-3484-PM.png" alt="infographic showing business value from AI agents" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;Business leadership and boards are pushing for the use of AI and expecting to see ROI. CISOs are looking at agent monitoring tools that tell them about vulnerabilities, not business value.&lt;/span&gt;&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;Business leadership and boards are pushing for the use of AI and expecting to see ROI. CISOs are looking at agent monitoring tools that tell them about vulnerabilities, not business value.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;I've talked to well more than a dozen startups over the last year who are focusing on AI agent security—from discovering what risks they have, evaluating attack surface, determining the accounts agents use and data they access, and even observing chain of thought to determine drift. While these are important for risk management, briefing this information to the leadership or board is not helping the AI rollout goals.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;What leadership wants to know is how are agents being used? What business process are they supporting? Are we seeing productivity gains; do we see ROI toward our business goals? What are successful uses that we can operationalize and scale? They need this information to help them make decisions, not just give them metrics on use or vulnerabilities. &lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;Most organizations are looking for fast AI adoption, but don't have strategy or governance, so they can't evaluate what's working. They are accepting the AI risks in the meantime. They expect the CISO to manage these risks as they evolve, without hampering experimentation or slowing the rollout. &lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;And this isn't trivial. Enumerating what agents are running in an organization is not deterministic like the way we normally look for file names, app versions, or hashes. It is done through observing API traffic or API logs, triggers, code repos, account use, tool access, and data access. Developers are spinning up MCP servers, business units are connecting SaaS-embedded agents, and end-users are running desktop assistants. And these are the legitimate cases where the users are using sanctioned tools. Not to mention agents interacting with platforms not purchased or licensed by IT. &lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;Building a real inventory of AI agents across the enterprise requires methodology, tooling, and persistent effort. The security teams are building something that didn't exist before: a live map of where autonomous processes are running inside the business.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;That map is exactly what leadership needs—and the security team is the only function positioned to provide it. If we're already doing the hard work of finding agents, characterizing their behavior, and understanding what data and accounts they touch, we can also describe their business function and observed outcomes. This requires CISOs to work with business stakeholders to categorize what they're seeing to gain context for the agent's purpose and behavior. CISOs can choose to stop at "here are the risks" or go further and say, "here is what the business is actually doing with AI, and here is where it appears to be working." &lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;&lt;img src="https://www.secureworld.io/hs-fs/hubfs/image-png-May-11-2026-08-27-45-3484-PM.png?width=600&amp;amp;height=317&amp;amp;name=image-png-May-11-2026-08-27-45-3484-PM.png" width="600" height="317" style="margin-left: auto; margin-right: auto; display: block; width: 600px; height: auto; max-width: 100%;"&gt;&lt;/span&gt;&lt;/p&gt; 
&lt;p style="text-align: center;"&gt;&lt;em&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;Image prompted by Rick Doten and generated by Gemini&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;My suggestion is not to just brief the leadership and board on how many agents are running, what accounts they use, or the types of data they touch. Use that telemetry to show what categories of projects or tasks are being automated. Are most of the agents used by end-users on their desktops for personal assistance: filtering email, managing calendars, summarizing news, or creating presentations? Are some used by business analytics to collect and analyze data and generate reports? Are others used by IT to automate tasks, clean up logs, create tickets, and collect data for reports? Agents used by security might be for log analysis, evidence collection, data correlation, or vulnerability prioritization. How many are used by software development for code generation, code review, and testing? And what other agents exist that are used by Marketing, HR, Finance, Sales, and the Service desk?&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;That is what leadership wants to know: &lt;i&gt;what&lt;/i&gt; is being automated, and what is &lt;i&gt;working&lt;/i&gt;. This is important since many organizations don't have a clear AI strategy and plan. They need to know what different departments are doing with AI, and what positive outcomes they are seeing. &lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;With this information, leaders can ask questions about the effectiveness, cost, and reliability of these outcomes, and they can decide which areas to invest more in or whether to adjust their goals. &lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;Each leader will have different goals. The CISO might choose to increase the focus on agents used for report generation, which helps with compliance, or on their use in security operations for evidence collection and incident isolation, or might want to increase use in vulnerability remediation to close more tickets faster. The CIO might want to grow use in development.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;When business leaders see where agents are deployed and what outcomes they're producing, they can make real resource decisions. Here are examples of what is possible when security-sourced observability gets paired with business context:&lt;/span&gt;&lt;/p&gt; 
&lt;ul style="list-style-type: disc;"&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;Sales gets better analysis of pipeline prioritization and improved close rates through follow-up consistency. &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;Finance teams are using agents to run "what-if" simulations for capital allocation, reducing capital expenditure and improving revenue forecasting. &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;Manufacturing and supply chain agents can analyze demand signals and logistics constraints to reroute orders, preventing stockouts and reducing inventory carrying costs.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;Customer service agents now have permissions to access databases, process refunds, and update accounts end-to-end. They can resolve issues instead of just recording them to solve customer problems faster, increasing first contact resolution rates. &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;Healthcare organizations are using agents trained on denial patterns to identify coding mismatches and documentation gaps before submission to reduce denials.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span style="line-height: 115%; color: #444746;"&gt;This is an exciting transformation of the business. With the visibility they gain from tracking agent assets to make sure they are secure, CISOs are uniquely positioned to also help discover where AI is actually creating value. Being seen as a driver of business success is what we've been working toward for years. We can choose to just report on the risks that agents bring, or we can give leadership key insights that show their business value, along with the insight to appropriately secure those workloads. &lt;/span&gt;&lt;/p&gt;  
</content:encoded>
      <category>Featured</category>
      <category>Risk Management</category>
      <category>Security Leadership</category>
      <category>Featured Author</category>
      <category>Agentic AI</category>
      <category>Observability</category>
      <pubDate>Tue, 12 May 2026 11:49:00 GMT</pubDate>
      <guid>https://www.secureworld.io/industry-news/agent-observability-not-just-about-vulnerabilities</guid>
      <dc:date>2026-05-12T11:49:00Z</dc:date>
      <dc:creator>Rick Doten</dc:creator>
    </item>
    <item>
      <title>The Shield and the Spear: Navigating CISA's 'CI Fortify' Initiative</title>
      <link>https://www.secureworld.io/industry-news/cisa-critical-infrastructure-fortify-initiative</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/cisa-critical-infrastructure-fortify-initiative" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Hosptials%20-%20shutterstock_797553427.jpg" alt="medical equipment in hospital room" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;In the landscape of modern warfare, the front line&amp;nbsp;is no longer a geographical border; it is the programmable logic controller (PLC) in a water plant, the imaging server in a hospital, and the automated switch in an energy grid.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;In the landscape of modern warfare, the front line&amp;nbsp;is no longer a geographical border; it is the programmable logic controller (PLC) in a water plant, the imaging server in a hospital, and the automated switch in an energy grid.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;U.S. CISA's newly-announced &lt;a href="https://www.cisa.gov/topics/industrial-control-systems/ci-fortify"&gt;CI&amp;nbsp;Fortify initiative&lt;/a&gt; represents a strategic pivot from general advisory to targeted, high-stakes defense. This initiative is a direct response to the increasing machine-speed threats posed by nation-state actors—most notably Volt Typhoon—who are no longer just looking to steal data&amp;nbsp;but are actively "pre-positioning" themselves to cause physical destruction.&lt;/p&gt; 
&lt;p&gt;CI Fortify is not just another best practices document; it is a mobilization effort designed to harden the &lt;a href="https://www.secureworld.io/industry-news/united-states-strategy-securing-critical-infrastructure"&gt;critical infrastructure sectors&lt;/a&gt; most vulnerable to cross-domain attacks.&lt;/p&gt; 
&lt;p&gt;The American Hospital Association (AHA) &lt;a href="https://www.aha.org/news/headline/2026-05-06-cisa-announces-initiative-bolster-critical-infrastructure-against-nation-state-cyberattacks"&gt;has highlighted&lt;/a&gt; that healthcare is increasingly in the crosshairs. For hospitals, CI Fortify means a shift in focus from HIPAA-centric data privacy to operational uptime. In a nation-state attack, the goal would be to disable care delivery, making "resilience" a life-safety metric.&lt;/p&gt; 
&lt;p&gt;CI Fortify underscores that being "too small to target" is a maturity mirage. As seen in the recent &lt;a href="https://www.secureworld.io/industry-news/perishable-security-food-agriculture"&gt;food and agriculture sector reports&lt;/a&gt;, attackers are targeting the mid-sized providers that form the backbone of the national supply chain. Call it the end of security by obscurity.&lt;/p&gt; 
&lt;p&gt;Following the trends seen in the &lt;a href="https://www.secureworld.io/industry-news/state-cio-ciso-report-2026"&gt;NASCIO-Deloitte study&lt;/a&gt;, CI Fortify encourages a unified defense where state and local entities share threat intelligence in real-time to prevent "cascading failures" across connected infrastructure. It's whole-of-state integration.&lt;/p&gt; 
&lt;p&gt;For the security practitioners on the ground, CI Fortify changes the rules of engagement.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;They can no longer secure the IT office while ignoring the OT floor. As identified in the ZionSiphon analysis, malware is now designed specifically for ICS protocols (Modbus, S7). Professionals must gain cross-visibility to detect "living off the land" (LotL) techniques where attackers use legitimate admin tools for malicious purposes.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;The security landscape has reached the human limit of manual vulnerability management. Professionals must pivot to automated attack path validation. It's no longer enough to know you have a vulnerability; CI Fortify demands you prove that a nation-state actor cannot use that flaw to reach a path to privilege.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;Nation-state bad actors &lt;a href="https://www.secureworld.io/industry-news/skeleton-key-era-attackers-logging-in"&gt;aren't breaking in; they are logging in&lt;/a&gt; using compromised credentials. Hardening the workforce identity gap&amp;nbsp;at the help desk and within remote-access workflows is now a Tier 1 defensive priority.&lt;/p&gt; 
&lt;h2&gt;&lt;strong&gt;What it means for the public&lt;/strong&gt;&lt;/h2&gt; 
&lt;p style="font-weight: normal;"&gt;For the general public, CI Fortify is a move toward digital public safety.&lt;/p&gt; 
&lt;p&gt;The initiative aims to ensure that when someone turns on the tap, dials 911, or walks&amp;nbsp;into an ER, the digital infrastructure behind those services is fortified against invisible interference.&lt;/p&gt; 
&lt;p&gt;Public safety is no longer just the job of the police or the military; it involves the cybersecurity professionals at your local utility and hospital. The public can support this by advocating for the modernization of legacy infrastructure that CI Fortify aims to protect.&lt;/p&gt;  
</content:encoded>
      <category>Featured</category>
      <category>Critical Infrastructure</category>
      <category>Original Content</category>
      <category>CISA</category>
      <pubDate>Mon, 11 May 2026 15:24:00 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/cisa-critical-infrastructure-fortify-initiative</guid>
      <dc:date>2026-05-11T15:24:00Z</dc:date>
    </item>
    <item>
      <title>ShinyHunters Hits Canvas Again: 275M Records at Risk Across 9K Schools</title>
      <link>https://www.secureworld.io/industry-news/shinyhunters-hits-canvas-records-risk-schools</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/shinyhunters-hits-canvas-records-risk-schools" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/high%20eduation%20-%20students-at-university-campus-2026-01-07-02-08-17-utc.jpg" alt="students on college campus" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;The criminal extortion group ShinyHunters has struck Instructure a second time in less than a year, claiming to have stolen records tied to 275 million users across nearly 9,000 schools worldwide. The targeted platform—Canvas, which supports course delivery, assignments, grades, and messaging for more than 30 million active users—went offline for stretches this week as the company scrambled to respond. The timing is particularly damaging: finals season is underway at institutions across the country.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;The criminal extortion group ShinyHunters has struck Instructure a second time in less than a year, claiming to have stolen records tied to 275 million users across nearly 9,000 schools worldwide. The targeted platform—Canvas, which supports course delivery, assignments, grades, and messaging for more than 30 million active users—went offline for stretches this week as the company scrambled to respond. The timing is particularly damaging: finals season is underway at institutions across the country.&lt;/p&gt;  
&lt;p&gt;Instructure &lt;a href="https://status.instructure.com"&gt;first disclosed a cybersecurity incident on May 1&lt;/a&gt;, initially describing it as contained. The company confirmed that names, email addresses, student ID numbers, and messages among users were likely accessed. In a &lt;a href="https://www.wcnc.com/article/news/nation-world/canvas-hack-shinyhunters-schools-students-teachers-data-exposed/507-0f3f5973-3d68-45af-b309-666561b2bd87"&gt;statement&lt;/a&gt;, Instructure said it found no evidence that passwords, dates of birth, government identifiers, or financial data were compromised. But the exposure of private messages—which on Canvas platforms frequently include disclosures of medical conditions, accommodation requests, and Title IX communications—raises the stakes considerably.&lt;/p&gt; 
&lt;p&gt;On May 7, ShinyHunters re-emerged, &lt;a href="https://techcrunch.com/2026/05/07/hackers-deface-school-login-pages-after-claiming-another-instructure-hack/"&gt;defacing login pages at multiple universities&lt;/a&gt; with an extortion message claiming Instructure had "done some security patches"&amp;nbsp;rather than negotiate. The group set a new deadline of May 12 to leak data unless contacted. Among the institutions where the ransom message appeared were Harvard, Princeton, Columbia, and Georgetown universities.&lt;/p&gt; 
&lt;h2&gt;&lt;strong&gt;The entry point: Free-For-Teacher accounts&lt;/strong&gt;&lt;/h2&gt; 
&lt;p&gt;Instructure identified the breach vector as its Free-For-Teacher accounts. In a &lt;a href="https://time.com/article/2026/05/08/canvas-cyber-attack-shinyhunters-hack-what-to-know/"&gt;statement on Friday&lt;/a&gt;, the company said it had "confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts"&amp;nbsp;and made the decision to shut down those accounts to restore confidence in the broader platform. Canvas is now reported to be fully operational for most users, though Canvas Beta and Canvas Test remain in maintenance mode.&lt;/p&gt; 
&lt;p&gt;This is the &lt;a href="https://www.thedp.com/article/2026/05/penn-cybercrime-shiny-hunters-canvas-hack-students"&gt;second confirmed breach of Instructure by ShinyHunters&lt;/a&gt;. In September 2025, the group exploited a social engineering attack against the company's Salesforce environment. That the same threat actor has now breached the same vendor twice—through different attack vectors—raises direct questions about whether the remediation following the first incident was sufficiently comprehensive.&lt;/p&gt; 
&lt;h3&gt;&lt;strong&gt;Who is ShinyHunters?&lt;/strong&gt;&lt;/h3&gt; 
&lt;p&gt;ShinyHunters is a black-hat criminal hacking and extortion collective believed to have formed in 2019, emerging publicly in May 2020 when it offered more than 200 million stolen user records on dark web forums within a two-week span. The group's name is derived from a Pokémon video game mechanic—a nod to its members'&amp;nbsp;apparent early online origins. Its operating model has remained consistent since the start: breach an organization, demand ransom, and leak or sell the data if payment is refused. The group describes this as "pay or leak."&lt;/p&gt; 
&lt;p&gt;The group has &lt;a href="https://en.wikipedia.org/wiki/ShinyHunters"&gt;claimed responsibility for more than 400 breaches&lt;/a&gt; across retail, finance, telecom, aviation, and education sectors. Notable confirmed incidents include the April 2024 breach of AT&amp;amp;T Wireless, which exposed data on more than 110 million customers and ended with AT&amp;amp;T paying a $370,000 ransom; a May 2024 breach of Santander affecting staff and customers across Spain, Chile, and Uruguay; a March 2026 intrusion into the European Commission that leaked more than 350GB of data including PII and sensitive documents; and a July 2025 breach of Qantas exposing data on approximately 5.7 million customers. In April 2026, the group breached Rockstar Games via a third-party analytics integration.&lt;/p&gt; 
&lt;p&gt;Tradecraft analysis from &lt;a href="https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft"&gt;Google's Threat Intelligence Group (GTIG)&lt;/a&gt;, which tracks related activity under clusters UNC6661 and UNC6240, describes the group's approach as identity- and SaaS-first: voice phishing and credential harvesting to obtain SSO tokens or MFA codes, followed by lateral movement through cloud applications to exfiltrate data at scale. The group does not typically exploit exotic vulnerabilities, focusing instead on access governance failures. OAuth token misuse, misconfigured third-party integrations, and compromised contractor accounts have all served as entry points. Once inside a valid SSO session, the group moves opportunistically through any SaaS platforms the session can access.&lt;/p&gt; 
&lt;p&gt;Attribution is complicated by the fact that multiple criminal clusters have adopted ShinyHunters branding, and the group itself appears to operate as a loose collective rather than a tightly-organized hierarchy. Threat intelligence analysts describe it as arguably the most consequential financially-motivated hacking collective currently active.&lt;/p&gt; 
&lt;p&gt;[RELATED: &lt;a href="https://www.secureworld.io/industry-news/saas-under-siege-shinyhunters-data-extortion"&gt;SaaS Under Siege: Breaking Down ShinyHunters' Data Extortion Campaign&lt;/a&gt;]&lt;/p&gt; 
&lt;h4&gt;&lt;strong&gt;A pattern, not an anomaly&lt;/strong&gt;&lt;/h4&gt; 
&lt;p&gt;Darren Guccione, CEO and Co-Founder at Keeper Security, placed this incident in the context of ShinyHunters' established methodology:&lt;/p&gt; 
&lt;p&gt;"ShinyHunters has previously targeted organizations including Google, AT&amp;amp;T, and Air France-KLM via Salesforce environments, and the group has demonstrated a sustained, systematic focus on cloud infrastructure and SaaS platforms rather than traditional network intrusion," Guccione said. "Whether the entry point is a misconfiguration, a social engineering interaction, or an exploited vulnerability, attackers are continuing to identify the weakest point in how access to cloud environments is governed, with the intention of moving quickly once inside."&lt;/p&gt; 
&lt;p&gt;Guccione stressed that the double-breach pattern demands more than reactive patching: "Two confirmed breaches by the same threat actor on the same platform suggest a pattern that demands scrutiny of whether remediation following the first incident went far enough. Every organization operating SaaS at scale must treat identity and access governance as a continuous discipline, not a post-incident checklist."&lt;/p&gt; 
&lt;p&gt;He highlighted Privileged Access Management (PAM) as critical to limiting blast radius when a breach occurs, emphasizing that "cloud environments require ongoing auditing of permissions, strict enforcement of least-privilege access, and robust controls over both human and non-human identities—including service accounts and third-party integrations that can quietly expand an attacker's access long after initial entry."&lt;/p&gt; 
&lt;h5&gt;&lt;strong&gt;Why education is consistently in the crosshairs&lt;/strong&gt;&lt;/h5&gt; 
&lt;p&gt;Nathaniel Jones, VP of Security &amp;amp; AI Strategy and Field CISO at Darktrace, pointed to structural vulnerabilities in the education sector that make platforms like Canvas high-value targets.&lt;/p&gt; 
&lt;p&gt;"The education sector is a particularly attractive target given the high volumes of sensitive student data, limited security resources, and the critical role platforms like Canvas play in the operations of thousands of schools," Jones said. "When one platform goes down, so do its 9,000+ customers."&lt;/p&gt; 
&lt;p&gt;That concentration risk is the through-line of this incident. Canvas &lt;a href="https://www.bleepingcomputer.com/news/security/instructure-hacker-claims-data-theft-from-8-800-schools-universities/"&gt;holds a 41% share of higher education LMS deployments in North America&lt;/a&gt;. A single vendor compromise cascades instantly across the entire customer base—an architecture of shared dependency that amplifies the impact of any successful breach.&lt;/p&gt; 
&lt;p&gt;Tony Jarvis, VP and Field CISO at Darktrace, extended the point to the operational security posture organizations must maintain. "Visibility of the security posture of your entire supply chain and how they interact with your own systems is critical in today's world," Jarvis said. "If you don't have that visibility, then the risk to your own systems because of one of your supplier's vulnerabilities is incredibly heightened."&lt;/p&gt; 
&lt;p&gt;Jarvis also flagged the role that AI tools are playing in lowering the bar for attackers: "AI tools similar to Mythos are only going to make this easier for criminals." He added that organizations must operate under the assumption of compromise: "What we can safely assume as defenders is that systems will have vulnerabilities that we aren't aware of, and we need to assume that we've already been compromised."&lt;/p&gt; 
&lt;h6&gt;&lt;strong&gt;What affected users should do now&lt;/strong&gt;&lt;/h6&gt; 
&lt;p&gt;For students and educators at affected institutions, the immediate steps are straightforward: change your Canvas password, enable multi-factor authentication where available, and stay alert for phishing attempts referencing Canvas or Instructure. Given that the exposed data include names, email addresses, and student ID numbers, targeted spear-phishing campaigns are a credible near-term risk.&lt;/p&gt; 
&lt;p&gt;Several institutions have already &lt;a href="https://time.com/article/2026/05/08/canvas-cyber-attack-shinyhunters-hack-what-to-know/"&gt;taken protective action&lt;/a&gt;. The University of California ordered all campuses to block or redirect access to Canvas pending a security review. The University of Michigan advised users to log out immediately. Georgetown issued alerts urging vigilance against unsolicited messages appearing to come from Canvas.&lt;/p&gt; 
&lt;p&gt;The May 12 deadline ShinyHunters has set remains active. Whether Instructure engages or not, the data, if ShinyHunters' claims hold, have already left the institution's hands. The question now is how broadly they get distributed.&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;SecureWorld News&lt;/em&gt; will continue to monitor developments as the deadline approaches.&lt;/p&gt;  
</content:encoded>
      <category>Featured</category>
      <category>Education</category>
      <category>Ransomware</category>
      <category>Third-Party Vendors</category>
      <category>Original Content</category>
      <category>Data Breach</category>
      <pubDate>Fri, 08 May 2026 18:46:12 GMT</pubDate>
      <author>drewt@secureworld.io (Drew Todd)</author>
      <guid>https://www.secureworld.io/industry-news/shinyhunters-hits-canvas-records-risk-schools</guid>
      <dc:date>2026-05-08T18:46:12Z</dc:date>
    </item>
    <item>
      <title>Oil and Gas Sector's Confidence in OT Detection Masks Dangerous Visibility Gap</title>
      <link>https://www.secureworld.io/industry-news/oil-gas-ot-detection-visibility-gap</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/oil-gas-ot-detection-visibility-gap" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Critical%20Infrastructure%20petrochemical-oil-refinery-in-bangkok-city-thaila-2026-03-10-03-59-30-utc.jpg" alt="oil refinery" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;A new survey commissioned by Tosi, an OT security monitoring vendor, released following Operation Epic Fury reveals that U.S. oil and gas operators may be dangerously overestimating their ability to detect cyberattacks against operational technology (OT) systems—and security experts say the problem runs deeper than monitoring tools can fix.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;A new survey commissioned by Tosi, an OT security monitoring vendor, released following Operation Epic Fury reveals that U.S. oil and gas operators may be dangerously overestimating their ability to detect cyberattacks against operational technology (OT) systems—and security experts say the problem runs deeper than monitoring tools can fix.&lt;/p&gt; 
&lt;h2&gt;&lt;strong&gt;The confidence gap by the numbers&lt;/strong&gt;&lt;/h2&gt; 
&lt;p&gt;The Tosi survey—fielded in April 2026 across 100 OT decision-makers at U.S. upstream and midstream operators—found that 87% of respondents were confident they could identify an OT breach within 24 hours. But the confidence may not be warranted: more than half of those same operators said they rely primarily on traditional IT security tools, which provide limited visibility into OT environments. Only 16% reported using continuous OT monitoring as their primary detection method. (Readers should note that Tosi sells OT monitoring solutions, which gives the company a commercial interest in the findings.)&lt;/p&gt; 
&lt;p&gt;The disconnect has a name. Damon Small, a board member at Xcape, Inc., calls it a "confidence gap"—and says it stems directly from the mismatch between tool capability and environment.&lt;/p&gt; 
&lt;p&gt;"The fallout from Operation Epic Fury has exposed a massive 'confidence gap' in the oil and gas sector: 87% of operators believe they can detect a breach in 24 hours, yet only 16% have the OT-native monitoring required to actually do it," Small said. "This overconfidence stems from a reliance on IT-centric tools that are blind to the industrial protocols and physical process anomalies of a sophisticated attack."&lt;/p&gt; 
&lt;h3&gt;&lt;strong&gt;Operation Epic Fury triggers spending surge&lt;/strong&gt;&lt;/h3&gt; 
&lt;p&gt;Operation Epic Fury, which began on February 28, appears to have been a significant forcing function for the sector. Nearly all surveyed operators said they had approved or were reviewing unplanned OT security investments, and 95% expect cybersecurity budgets to grow over the next year.&lt;/p&gt; 
&lt;p&gt;Operators cited three main drivers behind the urgency: increased threats from state-sponsored actors, deeper IT/OT integration creating larger attack surfaces, and growing dependence on remote access technologies.&lt;/p&gt; 
&lt;p&gt;Small framed the IT/OT convergence shift in stark terms: "Prior to this convergence, an adversary would have to jump over a fence and be met by a guard with a gun and a dog. Now, our enemies don't even have to be in the same time zone."&lt;/p&gt; 
&lt;h4&gt;&lt;strong&gt;Spending alone won't close the gap&lt;span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/h4&gt; 
&lt;p&gt;Despite the budget surge, Tosi's research found that structural and organizational challenges are slowing progress. Respondents pointed to the divide between IT and OT teams as the single biggest barrier to improving security posture—a split that attackers have learned to exploit.&lt;/p&gt; 
&lt;p&gt;"Operation Epic Fury proved that an attacker doesn't need to break your encryption if they can just walk through the cultural gap between your IT and OT teams," Small said.&lt;/p&gt; 
&lt;p&gt;But Dahvid Schloss, COO of Suzu Labs, argues the industry is still treating a symptom rather than the disease. Continuous monitoring, he says, only alerts operators after exposure has already occurred—and the real vulnerability lies in the OT device ecosystem itself.&lt;/p&gt; 
&lt;p&gt;"The 87% confidence level isn't surprising, but it is a bit concerning and showcases dangerous thinking," Schloss said. "Not because being paranoid is good, but because of what I believe to be a massive visibility gap, where organizations think they're safe because they have bolted traditional IT monitoring tools onto OT environments that weren't ever built to handle that in the first place."&lt;/p&gt; 
&lt;h5&gt;&lt;strong&gt;The device fragility problem&lt;span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/h5&gt; 
&lt;p&gt;Schloss pointed to a compounding issue: many OT and ICS devices were manufactured without modern resilience standards, making them brittle under abnormal traffic conditions. Security teams are frequently reluctant to test these networks aggressively because a single malformed packet can trigger real-world physical failure.&lt;/p&gt; 
&lt;p&gt;"Because of this, often these devices are fragile," Schloss said. "Security testing teams are often extremely restricted or afraid to even test these networks. Because one malformed packet could cause true real-world kinetic failure." That caution, he noted, leads to watered-down security audits that miss the most critical gaps.&lt;/p&gt; 
&lt;p&gt;His bottom line: monitoring is insufficient if the underlying devices are indefensible.&lt;/p&gt; 
&lt;p&gt;"It's like putting a Do Not Trespass sign in an open field," Schloss said. "It's only good after you catch someone breaking it, but it doesn't prevent the action. Before monitoring becomes the answer, we need to do the basics and at least put up the fence."&lt;/p&gt; 
&lt;h6&gt;&lt;strong&gt;What security practitioners should take away&lt;span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/h6&gt; 
&lt;p&gt;Tosi's findings point to a sector that is spending more without necessarily spending smarter. True OT resilience, according to both experts, requires a different approach than what most operators currently have in place:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;Continuous, non-intrusive OT-native monitoring that can detect threats before they cross from network anomaly to physical disruption&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Bridging the cultural and operational divide between IT and OT security teams&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Pushing OT and ICS device manufacturers to embed modern security and resilience standards into hardware and software—not just bolt-on detection after the fact&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;As critical infrastructure operators absorb the lessons of Operation Epic Fury, Tosi's data suggest the hardest work isn't budgetary—it's architectural and organizational.&lt;/p&gt; 
</content:encoded>
      <category>Featured</category>
      <category>Critical Infrastructure</category>
      <category>Original Content</category>
      <category>Threat Intel</category>
      <category>Operational Technology</category>
      <category>Oil &amp; Gas</category>
      <category>OT Security</category>
      <pubDate>Thu, 07 May 2026 23:08:57 GMT</pubDate>
      <author>drewt@secureworld.io (Drew Todd)</author>
      <guid>https://www.secureworld.io/industry-news/oil-gas-ot-detection-visibility-gap</guid>
      <dc:date>2026-05-07T23:08:57Z</dc:date>
    </item>
    <item>
      <title>Major U.S. AI Labs Now Subject to Pre-Release Government Security Reviews</title>
      <link>https://www.secureworld.io/industry-news/us-ai-labs-government-security-reviews</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/us-ai-labs-government-security-reviews" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Govt%20Security%20shutterstock_2514619401.jpg" alt="man with USA flag in background" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;The U.S. government has quietly secured something the AI industry has resisted for years: a seat at the table before models ship. The Commerce Department's Center for AI Standards and Innovation (CAISI) &lt;a href="https://www.nist.gov/news-events/news/2026/05/caisi-signs-agreements-regarding-frontier-ai-national-security-testing"&gt;announced Tuesday&lt;/a&gt; that Google DeepMind, Microsoft, and Elon Musk's xAI have agreed to provide access to unreleased versions of their AI models for pre-deployment security and capability evaluations, &lt;a href="https://www.reuters.com/legal/litigation/microsoft-xai-google-will-share-ai-models-with-us-govt-security-reviews-2026-05-05/"&gt;Reuters &lt;/a&gt;and &lt;a href="https://www.bloomberg.com/news/articles/2026-05-05/ai-firms-agree-to-give-us-early-access-to-evaluate-their-models"&gt;Bloomberg &lt;/a&gt;first reported. Combined with existing—and recently renegotiated—agreements from Anthropic and OpenAI, every major U.S. frontier AI lab now participates in voluntary pre-release government evaluations.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;The U.S. government has quietly secured something the AI industry has resisted for years: a seat at the table before models ship. The Commerce Department's Center for AI Standards and Innovation (CAISI) &lt;a href="https://www.nist.gov/news-events/news/2026/05/caisi-signs-agreements-regarding-frontier-ai-national-security-testing"&gt;announced Tuesday&lt;/a&gt; that Google DeepMind, Microsoft, and Elon Musk's xAI have agreed to provide access to unreleased versions of their AI models for pre-deployment security and capability evaluations, &lt;a href="https://www.reuters.com/legal/litigation/microsoft-xai-google-will-share-ai-models-with-us-govt-security-reviews-2026-05-05/"&gt;Reuters &lt;/a&gt;and &lt;a href="https://www.bloomberg.com/news/articles/2026-05-05/ai-firms-agree-to-give-us-early-access-to-evaluate-their-models"&gt;Bloomberg &lt;/a&gt;first reported. Combined with existing—and recently renegotiated—agreements from Anthropic and OpenAI, every major U.S. frontier AI lab now participates in voluntary pre-release government evaluations.&lt;/p&gt; 
&lt;p&gt;CAISI has completed more than 40 model assessments to date, including evaluations of unreleased state-of-the-art systems. Notably, developers sometimes hand over versions of their models with safety guardrails reduced specifically so the Center can probe for national security risks. The announcements arrived one day after &lt;a href="https://www.nytimes.com/2026/05/04/opinion/ai-national-security-risk-politics.html"&gt;The New York Times&lt;/a&gt; first reported that the Trump Administration was weighing a separate mandatory pre-release review process via Executive Order—with Anthropic's Mythos model cited as the catalyst. The voluntary agreements and any mandatory framework would run in parallel, though their interaction remains undefined.&lt;/p&gt; 
&lt;p&gt;[RELATED: &lt;a href="https://www.secureworld.io/industry-news/anthropics-claude-mythos-signals-a-new-era-in-ai-powered-cybersecurity-and-a-race-no-one-is-ready-for"&gt;Anthropic's Claude Mythos Signals a New Era in AI-Powered Cybersecurity—and a Race No One Is Ready For&lt;/a&gt;]&lt;/p&gt; 
&lt;p&gt;The timing is deliberate, even if the policy mechanics are still being sorted. After years of self-regulation and voluntary safety commitments that lacked teeth, the U.S. government is establishing a consistent pre-deployment review process for the world's most powerful AI systems. Whether that's ultimately good for security—or primarily good for the companies being reviewed—depends heavily on what happens inside that process.&lt;/p&gt; 
&lt;h2&gt;&lt;strong&gt;A center with a complicated history&lt;span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/h2&gt; 
&lt;p&gt;Before assessing what CAISI's expanded agreements mean, it's worth understanding what CAISI actually is—and the turbulence surrounding it. The Center was originally established in 2023 under the Biden Administration as the AI Safety Institute. The Trump Administration renamed it last year, with Commerce Secretary Howard Lutnick framing the rebrand as a move away from what he called regulation "under the guise of national security."&lt;/p&gt; 
&lt;p&gt;The Center still lacks permanent legal standing. Its appointed director, Collin Burns—a former Anthropic and OpenAI researcher—was pushed out just four days into the job after White House officials raised concerns about his ties to Anthropic, given the administration's ongoing dispute with the company. (That dispute has its own edge: the Pentagon designated Anthropic a supply chain risk in March after the company refused to lower guardrails on autonomous weapons, though a federal judge later called that designation "Orwellian.") Burns had relocated across the country and given up Anthropic equity to take the position.&lt;/p&gt; 
&lt;p&gt;CAISI Director Chris Fall, who took over after Burns was ousted, said of the new agreements: "Independent, rigorous measurement science is essential to understanding frontier AI and its national security implications."&lt;/p&gt; 
&lt;p&gt;This context matters. An oversight body with an unstable leadership history, no permanent legal standing, and a complicated relationship with at least one of the companies it's evaluating is not a picture of institutional strength. That doesn't mean the work is without value. But it does set a bar for scrutiny that the framework's boosters should welcome, not deflect.&lt;/p&gt; 
&lt;h3&gt;&lt;strong&gt;The internet parallel nobody wants to repeat&lt;span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/h3&gt; 
&lt;p&gt;There's a well-worn cautionary tale embedded in the CAISI rationale: the early internet was engineered for resilience and openness, with almost no consideration for how its security gaps would eventually be weaponized. The result was decades of espionage, mass data exfiltration, and entrenched cybercrime ecosystems that security teams are still fighting today. The architects of the internet weren't reckless; they were building for a different threat model than the one that materialized.&lt;/p&gt; 
&lt;p&gt;AI carries a comparable risk profile. Frontier models are opaque, powerful, and being integrated into critical systems faster than the security community can assess them. CAISI represents a deliberate attempt not to make the same mistake twice—to subject transformative technology to security scrutiny while there is still time to act on what's found.&lt;/p&gt; 
&lt;p&gt;Ronald Lewis, Head of Cybersecurity Governance at Black Duck, put it directly: the initiative reflects "a hard‑won recognition of the national security risks that arise when transformative technologies are deployed before their implications are fully understood."&lt;/p&gt; 
&lt;p&gt;The question isn't whether that framing is correct; it almost certainly is. The question is whether the review process being built is substantive enough to match the risk.&lt;/p&gt; 
&lt;h4&gt;&lt;strong&gt;Pre-release review is sound security practice, if it's done right&lt;/strong&gt;&lt;/h4&gt; 
&lt;p&gt;The principle behind CAISI isn't new. Shifting security evaluation left—earlier in the development lifecycle, before vulnerabilities become embedded—is a foundational concept in cybersecurity. What's new is applying it to AI systems at this scale. &lt;em&gt;Reuters&lt;/em&gt; reporting confirms that evaluations include red-teaming exercises. Anthropic's earlier work with the Center, for example, revealed that techniques such as claiming human review had occurred or substituting characters could bypass safety mechanisms—vulnerabilities the company subsequently patched.&lt;/p&gt; 
&lt;p&gt;The challenge is that AI models present a different evaluation surface than traditional software. They're probabilistic, context-sensitive, and can behave unpredictably under adversarial conditions not anticipated during development. Meaningful assessment requires clear frameworks, not ad hoc testing.&lt;/p&gt; 
&lt;p&gt;Diana Kelley, CISO at Noma Security, noted that any effective review needs to be "grounded in clear, consistent frameworks, aligned with established guidance like &lt;a href="https://www.secureworld.io/industry-news/nist-ai-risk-management-framework"&gt;NIST's AI Risk Management Framework&lt;/a&gt; and &lt;a href="https://www.secureworld.io/industry-news/cisa-secure-by-design-uncertainty"&gt;secure-by-design principles from CISA&lt;/a&gt;"—and must "avoid becoming a bottleneck or a checkbox exercise." Kelley added, "The goal should be meaningful risk reduction, not just oversight for its own sake."&lt;/p&gt; 
&lt;p&gt;That distinction matters. A review process that results in a stamp of approval without surfacing actionable findings doesn't make AI systems safer—it just creates the appearance of oversight. The credibility of CAISI will ultimately be measured by whether its assessments change what gets released and how, not by how many models it has evaluated.&lt;/p&gt; 
&lt;h5&gt;&lt;strong&gt;OT integration is the risk few are talking about&lt;/strong&gt;&lt;/h5&gt; 
&lt;p&gt;The current CAISI framework is largely IT-focused: evaluating software-layer capabilities and risks in systems designed to process information. That's the right starting point, but it's not where the risk stops. As AI agents are increasingly integrated into operational technology (OT)—building automation, industrial control systems, physical security infrastructure—the attack surface expands in ways that software-centric evaluations don't capture.&lt;/p&gt; 
&lt;p&gt;John Gallagher, VP of Viakoo Labs at Viakoo, framed the emerging concern, stating that if an AI agent is managing a physical network, ensuring it hasn't been poisoned or manipulated to disable security protocols becomes a critical OT security problem, not just a software one. The integrity of the model itself becomes infrastructure-critical. Gallagher draws a direct parallel to European regulatory frameworks such as NIS2 and the Cyber Resilience Act, which have begun to hold hardware manufacturers to security-by-design standards. AI is now being pulled into that same compliance gravity.&lt;/p&gt; 
&lt;p&gt;For organizations managing large-scale physical infrastructure, the implication is concrete: the AI tools they deploy will increasingly need to demonstrate compliance with federal standards that are still being defined. Getting ahead of that requirement—rather than retrofitting compliance after the fact—is the more defensible posture.&lt;/p&gt; 
&lt;h6&gt;&lt;strong&gt;What's really driving voluntary participation&lt;/strong&gt;&lt;/h6&gt; 
&lt;p&gt;The voluntary nature of these agreements deserves scrutiny. Frontier AI companies aren't submitting their unreleased models to government review purely out of public-spiritedness or goodwill. The strategic calculus is more layered.&lt;/p&gt; 
&lt;p&gt;By engaging with CAISI, companies like Google, Microsoft, xAI, and Anthropic are doing more than satisfying an oversight requirement: they're helping define what "safe AI" looks like at the national security level. That framing has commercial downstream effects. When AI models are treated as systems requiring stress-testing like critical infrastructure, it elevates the perceived threat landscape across the board—and expands demand for AI-driven security solutions, audits, and assessments.&lt;/p&gt; 
&lt;p&gt;Ronald Lewis flagged this tension directly, noting that voluntary CAISI participation "serves a dual purpose: it signals responsibility and cooperation with government, while simultaneously stimulating demand in a security marketplace where fear, uncertainty, and complexity have always been powerful commercial drivers."&lt;/p&gt; 
&lt;p&gt;That isn't an argument against the framework. It's a reminder to evaluate it clearly. Voluntary processes, shaped in part by the entities being regulated, tend to reflect those entities' interests alongside the public interest. Practitioners and policymakers alike should hold CAISI's outputs to a high bar precisely because the incentives aren't purely altruistic.&lt;/p&gt; 
&lt;div&gt;
 &lt;strong&gt;Don't let frontier model hype obscure present-day risk&lt;/strong&gt;
&lt;/div&gt; 
&lt;p&gt;There's a final risk in the current moment: the attention directed at &lt;a href="https://www.secureworld.io/industry-news/anthropic-claude-mythos-finds-exploits-zero-days"&gt;Anthropic's Mythos, Project Glasswing&lt;/a&gt;, and other headline-grabbing frontier developments can create the impression that the most significant AI security threats are those on the horizon. They may not be.&lt;/p&gt; 
&lt;p&gt;Security researchers have demonstrated that lower-powered, widely-accessible language models are already capable of identifying software vulnerabilities with fidelity comparable to far more publicized systems. The adversaries targeting enterprise environments aren't waiting for frontier model access—they're using what's already available. Lewis put the priority plainly: "For business leaders, the priority must be addressing present-day risks and evolving defenses to match the AI capabilities that adversaries can already access—not the hypothetical ones still on the horizon."&lt;/p&gt; 
&lt;p&gt;The CAISI framework is a meaningful structural development, and if a mandatory review process follows, it will accelerate a shift that was already underway: frontier AI moving from a pure technology bet toward a regulated strategic industry. As Ram Varadarajan, CEO at Acalvio, put it: "Geopolitical alignment and national security clearances are going to become as critical to a frontier lab's valuation as its raw compute." For security practitioners, though, the more immediate obligation is simpler: don't let the frontier capture all the attention; the threats worth defending against today are already deployed.&lt;/p&gt; 
</content:encoded>
      <category>Featured</category>
      <category>Cybersecurity</category>
      <category>Critical Infrastructure</category>
      <category>Government</category>
      <category>Artificial Intelligence</category>
      <category>Policy</category>
      <category>Original Content</category>
      <pubDate>Wed, 06 May 2026 22:39:09 GMT</pubDate>
      <author>drewt@secureworld.io (Drew Todd)</author>
      <guid>https://www.secureworld.io/industry-news/us-ai-labs-government-security-reviews</guid>
      <dc:date>2026-05-06T22:39:09Z</dc:date>
    </item>
    <item>
      <title>The SOC Is Changing Fast: 6 Skills Security Analysts Need in the AI Era</title>
      <link>https://www.secureworld.io/industry-news/soc-changing-6-skills-security-analysts-need</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/soc-changing-6-skills-security-analysts-need" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/SOC%20-%20data-center-coworkers-doing-brainstorming-monitor-2026-01-11-10-54-31-utc.jpg" alt="security analysts working together" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;The cybersecurity workforce conversation has taken a wrong turn. Too many people frame &lt;a href="https://www.secureworld.io/industry-news/how-ai-reshaping-cyber-defense-offense"&gt;AI in security&lt;/a&gt; operations as "automation that handles the boring stuff so humans can focus on important and interesting work." That framing misses what's actually changing.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;The cybersecurity workforce conversation has taken a wrong turn. Too many people frame &lt;a href="https://www.secureworld.io/industry-news/how-ai-reshaping-cyber-defense-offense"&gt;AI in security&lt;/a&gt; operations as "automation that handles the boring stuff so humans can focus on important and interesting work." That framing misses what's actually changing.&lt;/p&gt; 
&lt;p&gt;The real shift isn't about who processes alerts faster; it's about eliminating the alert overload problem entirely.&lt;/p&gt; 
&lt;p&gt;The pattern that keeps emerging is organizations drowning in alerts, not because they lack speed, but because their tools lack context. When AI systems understand institutional knowledge, how your organization actually works, what “normal” looks like in your environment, and which signals matter given your specific risk profile, the flood of meaningless notifications disappears.&lt;/p&gt; 
&lt;p&gt;That changes what security careers look like. Here's how.&lt;/p&gt; 
&lt;h2 style="font-weight: normal;"&gt;The real problem isn't speed&lt;/h2&gt; 
&lt;p&gt;Think about an emergency room. Triage exists because patient volume exceeds capacity. Doctors quickly assess the most critical patients to allocate limited, overtaxed resources.&lt;/p&gt; 
&lt;p&gt;Most &lt;a href="https://www.secureworld.io/industry-news/build-or-buy-security-operations-center"&gt;SOCs operate&lt;/a&gt; the same way. Analysts face thousands of alerts and must rapidly decide which ones deserve investigation. The conventional wisdom says AI should make this sorting faster.&lt;/p&gt; 
&lt;p&gt;But faster sorting doesn't solve the underlying problem. You still have thousands of alerts competing for attention. You still have analysts burning out. You still have real threats hiding in the noise.&lt;/p&gt; 
&lt;p&gt;The better approach uses AI that understands your organization's institutional knowledge to surface only what actually matters. When AI knows your environment, your risk priorities, and your historical patterns, the alert volume problem begins to shrink. Analysts are no longer defined by how quickly they can sort signals, but by how well they can interpret, challenge, and refine the outcomes these systems produce—reflecting a shift toward a new SOC model centered on context rather than throughput.&lt;/p&gt; 
&lt;p&gt;This reframes what skills matter for security professionals.&lt;/p&gt; 
&lt;h3 style="font-weight: normal;"&gt;6 skills that will define the next generation of SOC analysts&lt;/h3&gt; 
&lt;p style="font-weight: bold;"&gt;1. Institutional knowledge development&lt;/p&gt; 
&lt;p&gt;The most valuable analysts will be the ones who can capture, document, and continuously refine institutional knowledge. This means understanding what makes your organization’s security environment unique and translating that understanding into formats AI systems can learn from.&lt;/p&gt; 
&lt;p&gt;Every organization has tribal knowledge: why specific alerts matter more than others, how escalation paths actually work, what normal looks like for particular systems or user populations. Analysts who can articulate this knowledge and build feedback loops that improve AI performance become irreplaceable. In an AI-assisted SOC, institutional knowledge becomes part of the detection and decision layer itself.&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;2. AI oversight and governance&lt;/p&gt; 
&lt;p&gt;As AI systems take on more responsibility, organizations need analysts who can ensure those systems behave correctly. This means understanding how AI arrives at decisions, recognizing when outputs reflect blind spots or overconfidence, and knowing when human judgment must override automated actions.&lt;/p&gt; 
&lt;p&gt;Effective oversight requires &lt;a href="https://www.ibm.com/think/topics/ai-guardrails"&gt;setting guardrails&lt;/a&gt;, defining escalation criteria, and communicating AI capabilities and limitations to stakeholders. It also requires building trust gradually, starting with constrained use cases and expanding autonomy as confidence grows.&lt;/p&gt; 
&lt;p&gt;If you have never evaluated how a machine learning model performs in production or documented the decision logic behind an automated workflow, start with small, real-world exercises. Use &lt;a href="https://makeheadway.com/blog/what-is-microlearning/"&gt;microlearning approaches&lt;/a&gt; that turn each short lesson into practice: reviewing outputs, testing edge cases, or explaining the evidence behind a decision. Oversight is becoming a core responsibility of analysts.&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;3. Complex investigation and threat hunting&lt;/p&gt; 
&lt;p&gt;The role of advanced threat hunting skills, sophisticated &lt;a href="https://www.secureworld.io/industry-news/3-keys-to-incident-response"&gt;incident response&lt;/a&gt;, and strategic assessment is expanding rapidly. These areas require connecting signals across multiple domains, understanding attacker behavior, and making judgment calls about situations that do not fit neatly into historical data.&lt;/p&gt; 
&lt;p&gt;AI can surface correlations, but humans still frame investigations. Analysts must decide what questions to ask, what evidence matters, and when incomplete data is meaningful in itself.&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;4. AI tool evaluation&lt;/p&gt; 
&lt;p&gt;Organizations face a steady stream of vendors claiming AI-powered capabilities. Analysts who can critically evaluate &lt;a href="https://www.aikido.dev/blog/best-ai-pentesting-tools"&gt;these tools&lt;/a&gt;, design realistic proof-of-concept tests, and assess whether a solution actually solves operational problems will be invaluable.&lt;/p&gt; 
&lt;p&gt;This requires understanding both security operations and AI behavior well enough to ask hard questions. Does the system actually learn from our environment, or does it simply process alerts faster? How is institutional knowledge incorporated? What happens when the system encounters behavior outside its training data?&lt;/p&gt; 
&lt;p&gt;These evaluation skills separate thoughtful security professionals from those who accept vendor claims at face value.&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;5. Cross-domain reasoning&lt;/p&gt; 
&lt;p&gt;Modern security incidents rarely stay confined to a single domain. Identity abuse, endpoint activity, cloud configuration changes, and ITSM records increasingly intersect.&lt;/p&gt; 
&lt;p&gt;AI can surface relationships between signals such as code analysis and runtime behavior anomalies, but analysts must decide which connections matter. The ability to reason across domains, understand cause and effect, and recognize when a benign signal becomes risky in a specific business context is becoming a defining skill.&lt;/p&gt; 
&lt;p&gt;Analysts who can synthesize across tooling silos provide clarity in environments where automation alone still lacks full situational awareness.&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;6. Decision quality and risk communication&lt;/p&gt; 
&lt;p&gt;As AI abstracts technical detail, the ability to explain decisions becomes more important. Analysts must be able to articulate why something matters, what decision is required, and what the consequences are if no action is taken.&lt;/p&gt; 
&lt;p&gt;This skill is not about reporting metrics or summarizing alerts. It is about framing uncertainty, tradeoffs, and impact in ways that support real decisions. Analysts who consistently improve decision quality, rather than simply reducing alert resolution time, remain central to SOC operations.&lt;/p&gt; 
&lt;p&gt;Those who can clearly explain risk to leadership and, in the &lt;a href="https://www.fortinet.com/resources/cyberglossary/what-is-mssp"&gt;case of MSSPs&lt;/a&gt;, to customers add value well beyond detection. The most effective analysts build this capability through investigations in which context matters more than pattern-matching and answers are not immediately obvious.&lt;/p&gt; 
&lt;h4 style="font-weight: normal;"&gt;Getting started&lt;/h4&gt; 
&lt;p&gt;If you're looking to future-proof your security analyst career, focus on these areas.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;Start by paying attention to why decisions are made. When an alert is ignored, escalated, or delayed, capture the reasoning. Over time, these explanations reveal patterns that can be formalized and reused, whether by humans or machines.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Spend time understanding where automation struggles. Notice cases where AI recommendations appear confident but are incomplete, where compliance data is missing, or where limited context constrains the quality of the output.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Seek out investigations that are uncomfortable. Cases with conflicting signals, partial visibility, or unclear impact build judgment far more effectively than routine alert handling. Volunteer for them.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Rather than skimming many tools, learn one AI-enabled system deeply. Understand what inputs it uses, how feedback is incorporated, how quickly it adapts, and how errors surface. Depth matters more than breadth.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Finally, practice explaining decisions clearly. After an investigation, articulate what mattered, what was noise, and what would change the outcome next time. If you can explain it simply, you understand it well enough to guide both people and machines.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;h5 style="font-weight: normal;"&gt;What this means for your career&amp;nbsp;&lt;/h5&gt; 
&lt;p&gt;The hundreds of thousands of open &lt;a href="https://www.secureworld.io/industry-news/start-career-cybersecurity-right-way"&gt;cybersecurity roles&lt;/a&gt; are not disappearing. They're evolving toward work that requires human judgment, institutional understanding, and strategic thinking.&amp;nbsp;&lt;/p&gt; 
&lt;p&gt;Analysts entering the field will benefit from working alongside AI systems that provide guidance and speed. The learning curve accelerates when AI can explain why certain signals matter and what historical patterns suggest.&amp;nbsp;&lt;/p&gt; 
&lt;p&gt;For experienced professionals, the path forward involves building expertise that AI systems can't replicate: deep organizational knowledge, sophisticated threat analysis, and the judgment to know when automated recommendations need human review.&amp;nbsp;&lt;/p&gt; 
&lt;p&gt;Next-generation defense environments should function as a control hub where humans and AI work together. Analysts who combine institutional knowledge, cross-functional risk alignment, and mature decision oversight with hands-on investigative experience will be the ones leading that evolution.&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fsoc-changing-6-skills-security-analysts-need&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>Career Development</category>
      <category>Featured Author</category>
      <category>Incident Response / SIEM</category>
      <category>SOC</category>
      <pubDate>Wed, 06 May 2026 13:24:00 GMT</pubDate>
      <author>office@alexvakulov.com (Alex Vakulov)</author>
      <guid>https://www.secureworld.io/industry-news/soc-changing-6-skills-security-analysts-need</guid>
      <dc:date>2026-05-06T13:24:00Z</dc:date>
    </item>
    <item>
      <title>Perishable Security: Unpacking the Food and Ag-ISAC 2025/2026 Reports</title>
      <link>https://www.secureworld.io/industry-news/perishable-security-food-agriculture</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/perishable-security-food-agriculture" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Food%20and%20Ag%20Industry%20-%20shutterstock_1791646856.jpg" alt="food factory workers" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p style="font-weight: normal;"&gt;In the cybersecurity field, there is&amp;nbsp;often talk about "critical infrastructure" through the lens of power grids and financial switches. However, two new reports from the Food and Agriculture Information Sharing and Analysis Center (Food and Ag-ISAC) shift the spotlight to a sector where the blast radius of a breach is measured in spoiled inventory and empty grocery shelves.&lt;/p&gt;</description>
      <content:encoded>&lt;p style="font-weight: normal;"&gt;In the cybersecurity field, there is&amp;nbsp;often talk about "critical infrastructure" through the lens of power grids and financial switches. However, two new reports from the Food and Agriculture Information Sharing and Analysis Center (Food and Ag-ISAC) shift the spotlight to a sector where the blast radius of a breach is measured in spoiled inventory and empty grocery shelves.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;The &lt;a href="https://473ff09f-1966-4407-8ab1-6542ff65f3b5.usrfiles.com/ugd/473ff0_97b1e31fee894fe083f3ef9ec08cdbcb.pdf"&gt;2025 Food and Agriculture Sector Cyber Threat Report&lt;/a&gt; and the &lt;a href="https://473ff09f-1966-4407-8ab1-6542ff65f3b5.usrfiles.com/ugd/473ff0_141d22c7702b422d8c11e1713cebd43e.pdf"&gt;2026 Cybersecurity Guide for SMBs&lt;/a&gt; provide a comprehensive look at an industry caught in a high-stakes transition. As agriculture embraces "vibe coding" and autonomous machinery, it has also caught the eye of more than 72 active threat actors.&lt;/p&gt; 
&lt;p&gt;Here is what these findings mean for the sector, the defenders, and the general public.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;The 2025 Threat Report, powered by the Predictive Adversary Scoring System (PASS), reveals that the food and ag industry is no longer a "niche" target; it is now a primary theater for both state-sponsored and financially motivated bad actors.&lt;/p&gt; 
&lt;p&gt;The sector is being probed by a diverse array of adversaries (72 and counting), ranging from ransomware syndicates to advanced persistent threats (APTs) interested in intellectual property and supply chain disruption.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;Many large organizations have invested in "check-box" compliance, but the PASS data suggest that adversaries are pivoting toward custom malware and AI-fueled social engineering that bypass&amp;nbsp;traditional signature-based defenses. It's a maturity mirage.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;The report emphasizes that the threat landscape is too complex for any single company to manage in isolation. The "Defend Together" mandate is now a structural necessity.&lt;/p&gt; 
&lt;p&gt;The 2026 SMB Guide addresses a critical vulnerability: the thousands of small and medium-sized businesses that form the backbone of the food supply chain.&lt;/p&gt; 
&lt;p&gt;Attacks don't stop at the source. A breach at a small feed provider or a mid-sized distributor can send ripple effects&amp;nbsp;across the entire sector. Call it supply chain pain.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;As SMBs adopt affordable AI tools to manage logistics, they are often shipping applications faster than they can secure them, leaving doors open for Insecure Direct Object References (IDOR) and broken access controls. It's vibe coding and technical debt.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;There is a notable rise in adversaries who don't "break down the door" as uninvited guests but slip in and maintain long-term persistence—waiting for the optimal moment to trigger a disruptive attack.&lt;/p&gt; 
&lt;p&gt;For the CISOs and security practitioners charged with protecting this "perishable" perimeter, the reports dictate a shift in tactical priorities.&lt;/p&gt; 
&lt;ol&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Prioritize "uptime-linked" controls:&lt;/span&gt; In food and agriculture, the primary risk isn't data theft—it's disruption. Incident response plans must treat operational continuity as the "North Star." If a breach stops 60 trucks, your data recovery plan has already failed.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Verify the human, not just the credential:&lt;/span&gt; Both reports highlight the "Workforce Identity Gap." Security teams must move toward Forensic Identity Verification at the help desk and during remote onboarding to stop impersonation attacks that bypass legacy MFA.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Test the restore, not just the backup:&lt;/span&gt; Practice #2 in the SMB guide is clear: backups are only as good as the last time you successfully restored them. In an industry with perishable goods, recovery time&amp;nbsp;is the only metric that matters.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Manage the shadow OT:&lt;/span&gt; Identify every networked thermometer, grain silo sensor, and automated feeder. These physical systems are now cyber assets and potential entry points for lateral movement.&lt;/p&gt; &lt;/li&gt; 
&lt;/ol&gt; 
&lt;p style="font-weight: normal;"&gt;For the public, these reports serve as a reminder that cybersecurity is now a component of food security.&lt;/p&gt; 
&lt;p&gt;Cyber-driven disruptions in the supply chain contribute to food inflation and localized shortages.&lt;/p&gt; 
&lt;p&gt;Adversaries targeting water treatment or food safety protocols (like altering chlorine levels, as seen in the ZionSiphon analysis) aim to undermine public trust in the basic safety of the food supply. The psychological impact can be very damaging.&lt;/p&gt; 
&lt;p&gt;The public can support resilience by being aware of "human-in-the-loop" social engineering. If a local food cooperative or grocer is breached, the risk to personal data (PII) is secondary to the risk of community service disruption.&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fperishable-security-food-agriculture&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>Critical Infrastructure</category>
      <category>Original Content</category>
      <category>Agriculture</category>
      <category>Food Safety</category>
      <pubDate>Tue, 05 May 2026 13:08:03 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/perishable-security-food-agriculture</guid>
      <dc:date>2026-05-05T13:08:03Z</dc:date>
    </item>
    <item>
      <title>UK Survey Shows Gap Between Perceived Security, Operational Resilience</title>
      <link>https://www.secureworld.io/industry-news/uk-survey-gap-security-resilience</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/uk-survey-gap-security-resilience" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/united-kingdom-on-political-map-with-pushpin-2026-03-26-11-36-57-utc.jpg" alt="closeup of map of United Kingdom" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p style="font-weight: normal;"&gt;The latest Cyber Security Breaches Survey, commissioned by the United Kingdom's Department for Science, Innovation and Technology (DSIT) and the Home Office, provides a comprehensive baseline for the UK's digital health. While the data reflects a UK-specific landscape, the trends identified—ranging from cyber hygiene fatigue&amp;nbsp;to the rising cost of recovery—serve as a global bellwether for cybersecurity professionals.&lt;/p&gt;</description>
      <content:encoded>&lt;p style="font-weight: normal;"&gt;The latest Cyber Security Breaches Survey, commissioned by the United Kingdom's Department for Science, Innovation and Technology (DSIT) and the Home Office, provides a comprehensive baseline for the UK's digital health. While the data reflects a UK-specific landscape, the trends identified—ranging from cyber hygiene fatigue&amp;nbsp;to the rising cost of recovery—serve as a global bellwether for cybersecurity professionals.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;&lt;a href="https://www.gov.uk/government/statistics/cyber-security-breaches-survey-20252026/cyber-security-breaches-survey-20252026"&gt;The report&lt;/a&gt; reveals a sobering reality: while awareness is at an all-time high, the gap between perceived security and operational resilience is widening.&amp;nbsp;&lt;/p&gt; 
&lt;p&gt;The survey highlights a significant "awareness paradox." A vast majority of UK businesses (more than 70%) now identify cybersecurity as a high priority for their senior management. However, this high-level support is not always translating into technical rigor.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Approaches to risk management:&lt;/span&gt; There is a growing reliance on "checkbox" compliance. While more firms are seeking certifications like Cyber Essentials, many are failing to implement continuous monitoring.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;The AI factor:&lt;/span&gt; Much like the trends seen in the recent &lt;a href="https://www.secureworld.io/industry-news/state-cio-ciso-report-2026"&gt;NASCIO&lt;/a&gt; and &lt;a href="https://www.secureworld.io/industry-news/cybersecurity-struggles-ai-speed-landscape"&gt;Fortinet&lt;/a&gt; reports, UK organizations are grappling with the dual nature of AI. Awareness of AI-driven phishing is high, but the implementation of AI-powered defensive tools is concentrated &lt;span style="font-weight: normal;"&gt;primarily in larger, high-revenue enterprises.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: normal;"&gt;The frequency of identified breaches has stabilized, but the impact per incident is rising.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;Phishing dominance:&lt;/span&gt; Phishing remains the most common entry point, accounting for more than 80% of identified breaches. However, the survey notes an increase in the sophistication of these attacks, moving toward hyper-personalized "vibe coding" and deepfake impersonation.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;The financial toll:&lt;/span&gt; The average cost of a breach has surged, driven not by the direct theft of funds&amp;nbsp;but by Business Interruption. In line with &lt;a href="https://www.secureworld.io/industry-news/cyber-insurance-paradox-risk"&gt;findings from Fenix24&lt;/a&gt;, the "tail" of a breach—rebuilding infrastructure and lost productivity—now represents the bulk of the financial burden.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Perhaps the most concerning trend in the DSIT report is the state of incident response (IR).&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;The plan versus the reality:&lt;/span&gt; While a higher percentage of businesses now claim to have an incident response plan, only a fraction actually test those plans through tabletop exercises or simulations.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Communication gaps: &lt;/span&gt;During an active breach, many UK firms still struggle with internal handoffs. As identified in the &lt;a href="https://www.secureworld.io/industry-news/cyber-physical-convergence-reality-manufacturing"&gt;Trackforce manufacturing report&lt;/a&gt;, convergence between technical teams and executive leadership remains a friction point, often delaying recovery by days.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;The survey notes a transition in the "identity" of cybercrime. We are moving away from opportunistic, broad-scale attacks toward targeted, politically or ideologically motivated campaigns.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Supply chain vulnerability: &lt;/span&gt;Attackers are increasingly targeting the "managed service provider" (MSP) layer to gain access to multiple downstream targets.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Identity as the perimeter: &lt;/span&gt;Mirroring recent &lt;a href="https://www.secureworld.io/industry-news/microsoft-vulnerabilities-report-2026"&gt;BeyondTrust&lt;/a&gt; and &lt;a href="https://www.secureworld.io/industry-news/cloud-scaled-beyond-human-limits"&gt;Sysdig&lt;/a&gt; reports, the DSIT data shows that "Elevation of Privilege" and "Identity Spoofing" are now the primary methods for lateral movement within UK networks.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;h2&gt;&lt;strong&gt;For cybersecurity professionals: focus on validation&lt;/strong&gt;&lt;/h2&gt; 
&lt;p style="font-weight: normal;"&gt;Stop reporting on "awareness" and start reporting on validation. If your organization has a response plan, test it under &lt;a href="https://www.secureworld.io/industry-news/anthropics-claude-mythos-signals-a-new-era-in-ai-powered-cybersecurity-and-a-race-no-one-is-ready-for"&gt;"Mythos-speed"&lt;/a&gt; conditions. Use automated attack path validation to prove that your controls actually stop an adversary from reaching a path to privilege.&lt;/p&gt; 
&lt;h3&gt;&lt;strong&gt;For businesses: resilience over insurance&lt;/strong&gt;&lt;/h3&gt; 
&lt;p&gt;As the cost of business interruption rises, insurance alone is no longer a viable strategy. Follow the &lt;a href="https://www.secureworld.io/industry-news/whole-of-state-cybersecurity-strategy"&gt;"whole-of-state" mindset&lt;/a&gt;: build resilience into your core operations so that a breach of your digital identity doesn't lead to a total physical shutdown.&lt;/p&gt; 
&lt;h4&gt;&lt;strong&gt;For governments: the 'cyber hygiene' floor&lt;/strong&gt;&lt;/h4&gt; 
&lt;p style="font-weight: normal;"&gt;The DSIT report confirms that government mandates (like Cyber Essentials) are working to raise the baseline, but they are not enough to stop sophisticated state-sponsored actors. Governments must continue to push for &lt;a href="https://www.secureworld.io/industry-news/cisa-secure-by-design-uncertainty"&gt;"Secure-by-Design" standards&lt;/a&gt; and provide more direct support for the "Workforce Identity Gap" in critical infrastructure.&lt;/p&gt; 
&lt;p&gt;Some snippets from the survey results:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="color: #0b0c0c; background-color: #ffffff;"&gt;Cybersecurity was considered a high priority for senior management in around seven in 10 businesses (72%) and six in 10&amp;nbsp;charities (60%). While this was broadly consistent with recent years for businesses, charities saw a significant decline compared with 2024/2025 (down from 68% to 60%), driven by low-income charities. Board-level responsibility for cybersecurity sat at 31% of businesses and 30% of charities and continued to be higher in larger businesses (68% of large businesses). Compared with 2024/2025, the proportion of businesses with board level responsibility for cybersecurity increased (from 27%), reversing the longer-term downward pattern seen earlier in the decade.&lt;/span&gt;&amp;nbsp;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Seeking external information or guidance was reported by 44% of businesses and 31% of charities. This was most common among medium businesses (71%) and small businesses (58%), compared with 41% of micro businesses. For charities, this also reflects a decline compared with 2024/2025, aligning with the wider picture of reduced prioritization in this wave mentioned above.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;The most common individual source of advice was external cybersecurity/IT consultants or providers (27% of businesses and 13% of charities). This was higher among medium (51%) and small businesses (39%) than micro businesses (24%).&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Awareness of government initiatives increased compared with last year, reversing the longer-term decline seen previously: Cyber Aware was recognized by 30% of businesses and 30% of charities, while awareness of 10 Steps was 17% (businesses) and 19% (charities), and Cyber Essentials was 17% (businesses) and 16% (charities).&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;The Cyber Governance Code of Practice (launched in April 2025) had been heard of by 16% of charities and businesses. Launched in May 2025, the Software Security Code of Practice was recognized by 22% of businesses and 19% of charities.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Internal reporting remained the most common response following a breach or attack. Around eight in 10&amp;nbsp;businesses (81%) and charities (84%) said they informed directors or trustees, and 62% of businesses and 73% of charities said they kept an internal record of the incident. External reporting was less common: among those identifying breaches or attacks, 40% of businesses and 36% of charities reported their most disruptive breach outside their organization.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fuk-survey-gap-security-resilience&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>United Kingdom</category>
      <category>Cybersecurity</category>
      <category>Original Content</category>
      <category>Survey</category>
      <category>Cyber Resilience</category>
      <pubDate>Mon, 04 May 2026 13:42:02 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/uk-survey-gap-security-resilience</guid>
      <dc:date>2026-05-04T13:42:02Z</dc:date>
    </item>
    <item>
      <title>Report: Cloud Environments Have Scaled Beyond Human Limits</title>
      <link>https://www.secureworld.io/industry-news/cloud-scaled-beyond-human-limits</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/cloud-scaled-beyond-human-limits" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/cyber%20attack%20-%20female-technician-using-laptop-to-analyze-server-2024-10-22-04-07-31-utc-2.jpg" alt="woman working in server room" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p style="font-weight: normal;"&gt;In the early days of cloud adoption, security was often a game of "hustle"—manual triage, endless patching cycles, and human-led investigation. But according to Sysdig's 2026 Cloud-Native Security and Usage Report, that era is officially over.&lt;/p&gt;</description>
      <content:encoded>&lt;p style="font-weight: normal;"&gt;In the early days of cloud adoption, security was often a game of "hustle"—manual triage, endless patching cycles, and human-led investigation. But according to Sysdig's 2026 Cloud-Native Security and Usage Report, that era is officially over.&lt;/p&gt;  
&lt;p style="font-weight: normal;"&gt;&lt;a href="https://sysdig.pathfactory.com/c/2026-report-cloud-native-security-and-usage?x=riXUYg"&gt;The report&lt;/a&gt;, titled "The Hustle Hard Era is Over," maintains that cloud environments have scaled beyond human limits. For cybersecurity professionals, the 2026 mandate is clear: to survive at cloud speed, we must pivot from manual intervention to agentic automation and runtime-first visibility.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;"We've hit an inflection point in cybersecurity: organizations are successfully reducing the most dangerous risks, but they're hitting a ceiling with human-led remediation," said &lt;span&gt;Crystal Morin, Sr. Cybersecurity Strategist at Sysdig. "&lt;/span&gt;Cloud security has evolved to a stage where human-driven efforts alone can’t keep pace with the speed and scale of an AI-assisted threat landscape. The 2026 Cloud-Native Security and Usage Report makes this abundantly clear and offers a path forward. The next phase of defense isn't about working harder, because we've already maxed out human capability. It's time to build trust in machine-driven security that enables teams to operate at cloud speed."&lt;/p&gt; 
&lt;p&gt;The report identifies a critical tipping point in vulnerability management. With the sheer volume of containers and the speed of CI/CD pipelines, humans can no longer triage the "backlog" of vulnerabilities effectively.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;The reality: &lt;/span&gt;We have reached the "human limit" of manual patching. The traditional "scan-and-fix" model is too slow to counter adversaries who move from initial entry to full compromise in minutes.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;What comes next:&lt;/span&gt; The report calls for Agentic AI Vulnerability Management. This isn't just basic automation; it's the use of autonomous agents that can analyze reachability, validate exploits, and even suggest (or apply) fixes in real-time, allowing security teams to focus on high-level orchestration rather than ticket management.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: normal;"&gt;As build-time security (Shift Left) matures, the report highlights a significant defensive shift: Runtime detection is now the most trusted signal in cloud security.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;The data:&lt;/span&gt; Organizations have successfully reduced "image bloat" by 50% and dropped the number of running vulnerable images with known exploits by 74%—nearly to zero.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;The "build discipline" payoff:&lt;/span&gt; Because build-time hygiene is improving, the "noise" in runtime environments has cleared. When a runtime alert fires today, it is much more likely to be a high-fidelity signal of an active threat rather than a false positive from a misconfigured package.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;The strategic shift:&lt;/span&gt; For 2026, the SOC must treat runtime signals (like those from Falco or other open-source tools) as the primary trigger for automated response.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: normal;"&gt;If 2024 was the year of AI experimentation, 2026 is the year of AI in Production. The report tracks a staggering 25x year-over-year growth in AI-specific packages within cloud environments.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;Secure surface areas:&lt;/span&gt; Interestingly, the report found that organizations are building a secure surface for these models; only 1.5% of machine learning (ML) assets are currently publicly exposed.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;The European lead:&lt;/span&gt; In a surprising trend, more than 50% of AI and ML packages now belong to European organizations, suggesting that regulations like the EU AI Act are accelerating, rather than stifling, secure adoption.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;The risk: &lt;/span&gt;The growth of Agentic AI&amp;nbsp;means that security teams now have to protect the &lt;i&gt;identities&lt;/i&gt; of the AI agents themselves, as these agents often have b&lt;/span&gt;road permissions to interact with sensitive data.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: normal;"&gt;The report reinforces a core 2026 truth: Identity is the cloud-native perimeter. However, traditional IAM is no longer enough.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;Continuous vs. static:&lt;/span&gt; Identity management must evolve into continuous, automated enforcement. In a world of short-lived containers and ephemeral workloads, a "permission" granted at 9:00 AM may be a liability by 9:05 AM.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;The non-human frontier:&lt;/span&gt; As the number of non-human identities (service accounts, AI agents, and bots) continues to outnumber human users, automated enforcement is the only way to manage the "privilege sprawl" that attackers exploit for lateral movement.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;"Runtime has become the most reliable source of truth in this new era, and it's driving measurable progress. As confidence in high-fidelity detections grows, teams are increasingly trusting automated responses to take the first action," Morin said. "That shift is fundamentally changing how quickly threats are identified and contained. It moves the needle from hours and days to minutes and seconds—and at cloud scale, against machine-speed attacks, seconds matter."&lt;/p&gt; 
&lt;p&gt;"At the same time, the move to AI-driven infrastructure isn't being slowed by regulation. If anything, it's being strengthened by it. The data shows that organizations with clear guardrails in place are not only moving faster, like those beholden to regulations like the EU AI Act, but are also building and scaling more securely."&lt;/p&gt; 
&lt;p&gt;One final thought from Morin: "People, dashboards, and prioritization got us this far, but security isn't getting easier. It's time to change the operating model."&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fcloud-scaled-beyond-human-limits&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>Cloud Security</category>
      <category>Human Factor</category>
      <category>Original Content</category>
      <category>Automation</category>
      <category>AI</category>
      <pubDate>Fri, 01 May 2026 12:36:00 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/cloud-scaled-beyond-human-limits</guid>
      <dc:date>2026-05-01T12:36:00Z</dc:date>
    </item>
    <item>
      <title>Report: Cybersecurity Struggles to Stay Relevant in AI-Speed Landscape</title>
      <link>https://www.secureworld.io/industry-news/cybersecurity-struggles-ai-speed-landscape</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/cybersecurity-struggles-ai-speed-landscape" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Risk%20-%20Hackers%20-%20shutterstock_680075221.jpg" alt="IT analyst working at computers" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p style="font-weight: normal;"&gt;The cybersecurity skills gap has been a persistent headline for years, but in 2026, the narrative has shifted from a simple shortage of talent&amp;nbsp;to a complex "convergence crunch."&lt;/p&gt;</description>
      <content:encoded>&lt;p style="font-weight: normal;"&gt;The cybersecurity skills gap has been a persistent headline for years, but in 2026, the narrative has shifted from a simple shortage of talent&amp;nbsp;to a complex "convergence crunch."&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;According to the Fortinet Training Institute's &lt;a href="https://www.fortinet.com/content/dam/fortinet/assets/reports/2026-cybersecurity-skills-gap-report.pdf"&gt;2026 Global Research Report&lt;/a&gt;, the rapid integration of artificial intelligence has not only raised the stakes for defenders but has fundamentally redefined the skills required to survive. For cybersecurity professionals and the leaders who hire them, the data reveal&amp;nbsp;a stark reality: we are no longer just fighting for talent; we are fighting to stay relevant in a machine-speed threat landscape.&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;span&gt;"Cybersecurity is not simply a technical issue but a strategic business risk," said&amp;nbsp;Carl Windsor, CISO at Fortinet. "This year's survey suggests that while boards generally recognize the importance of cybersecurity, more investment is needed to address key issues, such as rapidly accelerating AI risks and the ongoing cybersecurity skills shortage. Addressing these issues is critical to business resilience in an increasingly complex threat landscape."&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;Organizations are leaning into AI with a mix of desperation and hope. The report finds that 91% of organizations are already using or experimenting with AI-powered security solutions. While 84% believe these tools are making their teams more efficient, AI is simultaneously creating a new, specialized vacuum in the talent pool.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;The new talent hunt:&lt;/span&gt; 60% of leaders say their top recruiting challenge is no longer just finding "security people," but finding professionals with specific experience in AI.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;The trust leap:&lt;/span&gt; 42% of respondents would now trust AI to handle core security functions independently. This suggests a future where the &lt;a href="https://www.secureworld.io/industry-news/leadership-age-of-ai"&gt;CISO's role shifts from managing practitioners&lt;/a&gt; to governing autonomous agents.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: normal;"&gt;Despite the focus on AI, the "human factor" remains the most significant point of failure. The top cause of breaches cited by IT leaders is a lack of cybersecurity skills (56%), followed closely by a lack of security awareness (55%).&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;The consequences of this gap are becoming more personal for leadership:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;Million-dollar breaches:&lt;/span&gt; 52% of organizations report that breaches now cost them more than $1 million—a significant jump from 38% just five years ago.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;Executive accountability:&lt;/span&gt; 50% of leaders reported that board members or executives have faced direct penalties after a cyberattack. This shift toward personal liability is finally forcing a "maturity mirage" check at the highest levels of the enterprise.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: normal;"&gt;The report underscores that traditional hiring methods are failing to close the gap. This has led to a renewed focus on certifications and unconventional talent pools:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;Certification as currency:&lt;/span&gt; 91% of IT decision-makers prefer candidates with technology-focused certifications, and 92% are willing to pay for employees to obtain them.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;Broadening the net:&lt;/span&gt; 75% of organizations now have structured recruiting initiatives targeting women, and 71% have formal targets for underutilized talent pools. The message is clear: if you aren't diversifying your pipeline, you are intentionally leaving your perimeter unguarded.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;The 2026 report serves as a tactical roadmap for closing the "remediation gap":&lt;/p&gt; 
&lt;ol&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Prioritize AI governance roles:&lt;/span&gt; 63% of leaders expect a surge in need for AI oversight and governance roles. Don't just hire for "AI skills"; hire for the ability to &lt;i&gt;audit&lt;/i&gt; and &lt;i&gt;secure&lt;/i&gt; AI systems.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Upskill, don't just outsource:&lt;/span&gt; With 92% of organizations planning to invest in AI-related training in the next 12 months, the focus must be on elevating existing senior-level talent to handle the new complexity.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Bridge the boardroom disconnect:&lt;/span&gt; Only 59% of boards prioritize cybersecurity spending despite 73% calling it a "high priority." Use the data on executive penalties to turn "theoretical priority" into "budgetary reality."&lt;/p&gt; &lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;According to the report:&amp;nbsp;"&lt;span&gt;Board and executive-level investment in a layered approach to cybersecurity—one that blends people, processes, and technology—is essential. Organizations should continue tapping into underutilized talent pools, and investing in training and upskilling to build and retain the expertise they need. This requires a coordinated approach grounded in three key pillars: raising awareness and education, expanding access to targeted training and certification, and deploying advanced security technologies."&lt;/span&gt;&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fcybersecurity-struggles-ai-speed-landscape&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>Skills Gap</category>
      <category>Artificial Intelligence</category>
      <category>InfoSec Workforce</category>
      <category>Original Content</category>
      <category>Digital Transformation</category>
      <pubDate>Thu, 30 Apr 2026 12:23:01 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/cybersecurity-struggles-ai-speed-landscape</guid>
      <dc:date>2026-04-30T12:23:01Z</dc:date>
    </item>
    <item>
      <title>AppSec Didn't Need a Faster Way to Find Bugs</title>
      <link>https://www.secureworld.io/industry-news/appsec-faster-way-find-bugs</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/appsec-faster-way-find-bugs" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Vulnerability%20Report%20-%20hacking%20shutterstock_1090711193.jpg" alt="frustrated cybersecurity analyst" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;I seem to oscillate between extremes when it comes to AI's impact on technology and the future of humanity, but once in a while something is publicized that makes me wonder where we are heading. Anthropic's announcement of Mythos and the subsequent partnerships in Project Glasswing might be one of those moments. While Mythos shouldn't be a surprise as it feels like a natural progression of AppSec, it is important that we understand what it can and cannot do, and what it will ultimately do to the industry that we know today.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;I seem to oscillate between extremes when it comes to AI's impact on technology and the future of humanity, but once in a while something is publicized that makes me wonder where we are heading. Anthropic's announcement of Mythos and the subsequent partnerships in Project Glasswing might be one of those moments. While Mythos shouldn't be a surprise as it feels like a natural progression of AppSec, it is important that we understand what it can and cannot do, and what it will ultimately do to the industry that we know today.&lt;/p&gt; 
&lt;p&gt;For starters, in the AppSec space, we've not had much trouble in generating findings over the dozen or more years that I've been in it. We could fire up scanning tools and dump out hundreds or thousands (or hundreds of thousands) of vulnerabilities and throw them at developers. But that's what got us in trouble to begin with. Were those findings actually reachable, exploitable? Who really knew unless you thoroughly triaged the findings. We just knew that we could generate security findings in code at will, without much context, because writing software is complex. And with complexity comes insecurity.&lt;/p&gt; 
&lt;p&gt;The real problem with turning over rocks to see what's under there is the question of "what's next?"&amp;nbsp;Developers and defenders only have so much bandwidth to address the findings, and need to balance that against the feature requests that often take the higher priority.&lt;/p&gt; 
&lt;p&gt;[RELATED: &lt;a href="https://www.secureworld.io/industry-news/anthropics-claude-mythos-signals-a-new-era-in-ai-powered-cybersecurity-and-a-race-no-one-is-ready-for"&gt;Anthropic's Claude Mythos Signals a New Era in AI-Powered Cybersecurity—and a Race No One Is Ready For&lt;/a&gt;]&lt;/p&gt; 
&lt;h2 style="font-weight: normal;"&gt;What we know about Mythos&lt;/h2&gt; 
&lt;p&gt;While the details about Mythos will continue to become more clear over time, here is what is known today. Mythos is an agentic LLM that can autonomously plan, execute, and chain together complex multi-step tasks without human intervention. While originally built as a general-purpose AI, it excels specifically at cybersecurity, software engineering, and long-running agentic workflows. Perhaps most worrying, Mythos can be a zero-day generator capable of identifying and exploiting undiscovered vulnerabilities across major operating systems, web browsers, and critical software infrastructure. This is the reason that Anthropic partnered with more than 50 organizations such as AWS, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, and others in order to provide them with early access and the ability to patch vulnerabilities in some of the most critical and widely used systems we know.&lt;/p&gt; 
&lt;p&gt;But wait, there's more. While most scanners today produce vanilla remediation guidance, Mythos can provide working exploits that a defender (or attacker) can use to prove out the potential vulnerability. And it does so with a higher success rate than previous models. If you've ever reviewed the output from a scanning tool that identifies a SQL injection vulnerability, you'll likely see the remediation listed as "use parametrized queries"&amp;nbsp;or "sanitize your inputs." Those unhelpful messages would mean that developers were required to dig into the findings to identify the code path and formulate a custom remediation that would address the finding. It also likely meant sending a message to the AppSec team to ask for clarity on what the finding meant and help with the remediation. Essentially, a real "white-gloved"&amp;nbsp;(and time consuming) approach to a single vulnerability.&lt;/p&gt; 
&lt;p&gt;But Mythos provides the ability to uncover and exploit vulnerabilities in systems at speed and scale. And with exploit code in hand, we know that the particular findings are exploitable.&lt;/p&gt; 
&lt;h3 style="font-weight: normal;"&gt;Finding was never the hard part&lt;/h3&gt; 
&lt;p&gt;After more than a decade of integrating SAST, DAST, SCA, IAST, and all the other ASTs available, we are still no more secure than we were back then. Product creation means writing code. Writing code means creating vulnerabilities. Creating vulnerabilities means developing remediation. But the number of false positives, unreachable code, low risk systems, and no context to the findings meant that most teams spun their wheels on trying to fight fires in an empty field. In other words, spending time on tasks that posed little risk to the organization. And with each passing vulnerability that never became "the one"&amp;nbsp;(the front page news incident), the teams would trust the next finding just a little less.&lt;/p&gt; 
&lt;p&gt;So, with Mythos finding actionable vulnerabilities, do we have a reset opportunity? Well, no. We still have a bandwidth problem on the developers' side which is about to get exponentially worse. Now, instead of being flooded with findings that are of poor quality and likely never to be exploited, developers are about to be flooded with findings that are true positives that can be rapidly exploited. The known-but-unpatched surface area is now larger than the unknown surface area was six months ago. That's a new, higher&amp;nbsp;category of risk.&lt;/p&gt; 
&lt;p&gt;What this likely means today is that the days of adversaries stockpiling zero-days and defenders chasing CVEs are likely over, and we're entering an era where these start to become less meaningful in favor of a perpetual state of attack and defend.&lt;/p&gt; 
&lt;h4 style="font-weight: normal;"&gt;Who can patch the fastest&lt;/h4&gt; 
&lt;p&gt;If CVE burndown and stockpiling zero-days stop being the measure of successful attack/defense, then what does the future of a cyber program look like? Bottom line: patch fast and automate controls. With the April 14th announcement that &lt;a href="https://www.secureworld.io/industry-news/nist-nvd-course-correction"&gt;NIST will no longer enrich submitted CVEs to the NVD&lt;/a&gt;, due mostly to the surge in submissions, organizations will need to rely less on the structural and foundational methods of the past and move to a continuous patching posture. This shouldn't be a surprise as it's been preached by most AppSec folks over the years. The CVEs that have been released by the NVD are generic and are often not as actionable to an organization without context (i.e., a critical CVE identified today by the NVD may or may not be critical to your organization). So, while CVEs and the associated CVSS scores are a great starting point, they often don't match the reality of an organization's true posture.&lt;/p&gt; 
&lt;p&gt;What Mythos provides for organizations is the ability to identify the gaps in their current posture, at both scale and speed. Organizations should take the opportunity to establish their current baselines, leverage Mythos (once widely available) or other similar models to scan their environments for valid findings, and patch the findings most impactful to the overall risk of the organization. However, this is just a snapshot in time and doesn't do much for future ongoing attacks. Even if the organization identifies and fixes all vulnerabilities today, tomorrow their systems and code will change, exposing new vulnerabilities.&lt;/p&gt; 
&lt;h5 style="font-weight: normal;"&gt;Fighting fire with fire&lt;/h5&gt; 
&lt;p&gt;Enter the "Agentic Defender." Yes, it sounds like marketing-speak, but the underlying idea is right. Attackers are being empowered with AI tools and models capable of creating novel attack chains in an hour. The agentic defender will have to move beyond looking for known-bad and start looking for "not normal" using the same tools and probing the same way attackers do. This type of continuous agentic red-teaming isn't a replacement for your annual pentest (another likely relic soon to disappear);&amp;nbsp;it's an acknowledgment that the annual pentest is now one afternoon of work for something like Mythos. The premise is simple: find the vulnerability before your adversary does.&lt;/p&gt; 
&lt;p&gt;Once vulnerabilities have been identified, the defenders, AppSec, and development teams need to leverage the same speed offered by AI in a defensive manner. Develop, test, and deploy remediations to establish a self-healing environment where the defender's AI anticipates attack paths based on the adversarial testing and automatically develops remediations to close vulnerabilities before they can be exploited. The upside of all this automation is that your human analysts finally get to do the work you hired them for. Triage volume, alert enrichment, routine investigation? These should be agent tasks now. Threat hunting, architecture decisions, and supervising the autonomous workflows themselves are the human tasks.&lt;/p&gt; 
&lt;p&gt;[RELATED: &lt;a href="https://www.secureworld.io/industry-news/leadership-age-of-ai"&gt;Leadership in the Age of AI&lt;/a&gt;]&lt;/p&gt; 
&lt;p&gt;However, if you're going to turn agents loose on your own infrastructure, you need governance that isn't optional. Use scope limits with explicit written authorization for every target. Testing should be confined to sandboxed environments, not production, no matter how much a tool or vendor assures you the agent is "safe."&amp;nbsp;Apply strict API and secret hygiene, because these agents will absolutely find the credentials you forgot you committed to a private repo. And create immutable audit trails for every action the agent takes, because when something goes sideways, you will need a record to reconstruct what happened.&lt;/p&gt; 
&lt;p&gt;Architecturally, organizations should be working with stateless environments that can handle nightly rebuilds. Patching can be slow when the environment must be carefully updated, with all the attendant anxiety about connection draining, session migration, in-flight transactions, and the one legacy database that nobody wants to touch. The fix is designing services that can be thrown away and rebuilt on a nightly cadence, where "patching" means the next build picks up the updated dependency and rolls out in the morning. Containers, immutable infrastructure, and externalized state become the prerequisite for eventual agentic patching.&lt;/p&gt; 
&lt;p&gt;The other architectural shift is retiring the idea that your vulnerability management program's job is to eliminate vulnerabilities. It isn't, and it never was. With Mythos, there will be too many, they ship faster than you can patch, and now they come with working exploits attached. The job is to ensure that when a vulnerability does get exploited, the attacker finds themselves in a small, boring corner of your environment with nothing of value. In other words, a reduced blast radius for a small window of time.&lt;/p&gt; 
&lt;h6 style="font-weight: normal;"&gt;The path forward&lt;/h6&gt; 
&lt;p&gt;The announcement of Mythos is headline grabbing, but the reality is that it only exposed what most of us have already known. We don't have a finding problem, we have a fixing problem. This is only accelerated and made worse by Mythos and future models. The programs that make it through the coming months, and into the future, are the ones that invest in the layers Mythos doesn't touch: prioritization, reachability, architecture for blast-radius containment, runtime protection, and deployment pipelines fast enough to make "patch now" mean something. We're entering a world of autonomous exploitation. Organizations that do not adopt Mythos-level patching speeds and agentic defensive tools are no longer just at risk; they are sitting ducks. The machine is here. The only question is whether your defense can keep pace with its speed.&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;This article was &lt;a href="https://securelybuilt.substack.com/p/appsec-didnt-need-a-faster-way-to"&gt;published originally here&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fappsec-faster-way-find-bugs&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>Vulnerabilities</category>
      <category>Application Security</category>
      <category>Featured Author</category>
      <category>AI</category>
      <category>Agentic AI</category>
      <pubDate>Wed, 29 Apr 2026 19:05:42 GMT</pubDate>
      <guid>https://www.secureworld.io/industry-news/appsec-faster-way-find-bugs</guid>
      <dc:date>2026-04-29T19:05:42Z</dc:date>
      <dc:creator>Derek Fisher</dc:creator>
    </item>
    <item>
      <title>Cybersecurity Community Gathers May 20 for 10th Annual SecureWorld Chicago</title>
      <link>https://www.secureworld.io/industry-news/secureworld-chicago-conference-2026</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/secureworld-chicago-conference-2026" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/SW26_Crowd_at_boston2026-031.jpg" alt="smiling conference attendee" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;The Greater Chicago cybersecurity community will gather for an impactful day of insights, networking, and collaboration at the 10th annual SecureWorld Chicago conference on May 20, 2026, led by three stellar keynote sessions.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;The Greater Chicago cybersecurity community will gather for an impactful day of insights, networking, and collaboration at the 10th annual SecureWorld Chicago conference on May 20, 2026, led by three stellar keynote sessions.&lt;/p&gt;  
&lt;p&gt;Good friends &lt;a href="https://events.secureworld.io/speakers/fred-kwong/"&gt;Fred Kwong&lt;/a&gt;, CISO at DeVry University, and &lt;a href="https://events.secureworld.io/speakers/ricardo-lafosse/"&gt;Ricardo Lafosse&lt;/a&gt;, CISO at The Kraft Heinz Company, will set their camaraderie aside to take on a fun and challenging&amp;nbsp;&lt;span style="background-color: #ffffff;"&gt;rapid-fire game show format. Fred and Ricardo, prompted by moderator &lt;a href="https://events.secureworld.io/speakers/arpine-long/"&gt;Arpi Long&lt;/a&gt;, Deputy CISO, Collective Health, will be presented with difficult "would you rather" choices ranging from ransomware negotiation dilemmas and crippling technical debt to extreme budget constraints and the secure-by-default&amp;nbsp;friction that can stall business innovation.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="background-color: #ffffff;"&gt;They won't just pick a side; they have to defend it against a panel of their peers—in this case, Arpi and the audience.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;a href="https://events.secureworld.io/agenda/chicago-il-2026/"&gt;SecureWorld Chicago&lt;/a&gt; is being held at the Donald E. Stephens Convention Center in Rosemont, IL. Earn 6 CPE credits for the day; and consider the SecureWorld PLUS course the day prior to earn an additional&amp;nbsp;6 CPE with &lt;a href="https://events.secureworld.io/speakers/rodney-beard/"&gt;Rodney Beard&lt;/a&gt;, Senior Cyber Risk Analyst, Cyber Risk Opportunities LLC,&amp;nbsp; teaching a 6-hour course on "Securing &amp;amp; Enabling AI: Transform Chaos into Competitive Advantage."&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;a href="https://events.secureworld.io/speakers/john-opala/"&gt;John Opala&lt;/a&gt;, Former VP of IT &amp;amp; Global CISO for HanesBrands Inc., and member of SecureWorld's Charlotte Advisory Committee, will present the lunch keynote on "The Changing Dynamics of the Role of the CISO in the Age of AI."&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="background-color: #ffffff;"&gt;John will talk about &lt;span style="background-color: #ffffff;"&gt;how CISOs and their teams can navigate the new age of cybersecurity, one that is continually evolving, including &lt;span style="background-color: #ffffff;"&gt;noticeable trends towards increased scrutiny on the decision-making processes of CISOs; e&lt;span style="background-color: #ffffff;"&gt;thical considerations in handling data breaches; p&lt;span style="background-color: #ffffff;"&gt;roactive cybersecurity measures; bu&lt;span style="background-color: #ffffff;"&gt;ilding a culture of transparency and accountability within CISO teams; and more.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;Closing out the day is our keynote panel, "Ask Us Anything! A Live Conversation with Security Leaders," featuring&amp;nbsp;&lt;a href="https://www.linkedin.com/in/pnigro/"&gt;Pam Nigro&lt;/a&gt;, VP of Security &amp;amp; Security Officer, Medecision; &lt;a href="https://events.secureworld.io/speakers/Shefali-Mookencherry/"&gt;Shefali Mookencherry&lt;/a&gt;, CISO, Chief Privacy Officer, University of Illinois at Chicago; &lt;a href="https://events.secureworld.io/speakers/mike-zachman/"&gt;Mike Zachman&lt;/a&gt;, CISO, Zebra Technologies; and moderator &lt;a href="https://events.secureworld.io/speakers/erik-hart-moderator/"&gt;Erik Hart&lt;/a&gt;, CISO, Cushman &amp;amp; Wakefield, taking any and all questions from the audience.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;Some featured breakout sessions throughout the day include:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;a href="https://events.secureworld.io/speakers/lori-kevin/"&gt;Lori Kevin&lt;/a&gt;, VP, Security &amp;amp; Compliance, IMO Health, speaking on "From Risk to Resilience: Engaging the Enterprise for Smarter Security."&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;A panel on managing mental well-being in a stressful profession, featuring &lt;a href="https://events.secureworld.io/speakers/bruce-coffing/"&gt;Bruce Coffing&lt;/a&gt;, CISO, City of Chicago; &lt;a href="https://events.secureworld.io/speakers/joe-mariscal/"&gt;Joe Mariscal&lt;/a&gt;, Senior Director, Cybersecurity, Rich's Products Corporation; &lt;a href="https://events.secureworld.io/speakers/troy-stairwalt/"&gt;Troy Stairwalt&lt;/a&gt;, Board Member, The Center for Critical Infrastructure Security; and moderated by &lt;a href="https://events.secureworld.io/speakers/lynn-dohm/"&gt;Lynn Dohm&lt;/a&gt;, Executive Director, Women in CyberSecurity (WiCyS).&amp;nbsp;&lt;span style="background-color: #ffffff;"&gt;In this candid, high-impact session, a group of senior cybersecurity leaders will step away from the dashboard to discuss the one metric they rarely report to the board: their own mental resilience.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;A panel of Business Information Security Officers, including &lt;a href="https://events.secureworld.io/speakers/Sarah-Buerger/"&gt;Sarah Buerger&lt;/a&gt;, BISO, The Kraft Heinz Company; &lt;a href="https://events.secureworld.io/speakers/Ed-Yousfi/"&gt;Ed Yousfi&lt;/a&gt;, BISO, Gallagher Bassett; &lt;a href="https://events.secureworld.io/speakers/Michael-Wichmann/"&gt;Michael Wichmann&lt;/a&gt;, Chief of Staff, SVP, Information Security, Corporate Security, Identity &amp;amp; Fraud, Wintrust Bank; and moderator &lt;a href="https://events.secureworld.io/speakers/frank-yanan-moderator/"&gt;Frank Yanan&lt;/a&gt;, SVP &amp;amp; GIS BISO, Bank of America, talking about the role of the BISO in modern security.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;a href="https://events.secureworld.io/speakers/Dan-Flaningan/"&gt;Dan Flaningan&lt;/a&gt;, Chief Transformation Officer, and &lt;a href="https://events.secureworld.io/speakers/Meredith-Winegar/"&gt;Meredith Winegar&lt;/a&gt;, Transformation Office Director, both from Old National Bank, present on "Building an AI-First Center of Excellence: From Legacy Transformation to Enterprise-Wide Capability."&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;&lt;span style="background-color: #ffffff;"&gt;See the &lt;a href="https://events.secureworld.io/agenda/chicago-il-2026/"&gt;full agenda and registration options&lt;/a&gt;, from the PLUS course with 12 CPEs; a Conference Pass with 6 CPEs and lunch; or an Open Sessions Pass to attend most of the sessions but not earn CPEs or have lunch.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fsecureworld-chicago-conference-2026&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>Career Development</category>
      <category>Cybersecurity</category>
      <category>Original Content</category>
      <category>Cybersecurity Conference</category>
      <category>Peer Networking</category>
      <pubDate>Tue, 28 Apr 2026 19:58:56 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/secureworld-chicago-conference-2026</guid>
      <dc:date>2026-04-28T19:58:56Z</dc:date>
    </item>
    <item>
      <title>State CIOs, CISOs Issue Distress Signal on AI, Limited Resources</title>
      <link>https://www.secureworld.io/industry-news/state-cio-ciso-report-2026</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/state-cio-ciso-report-2026" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/US%20States%20Distress%20-%20shutterstock_2627722957.jpg" alt="map of United States" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt;  
&lt;p style="width: 111px; height: 0px;"&gt;&lt;span style="background-color: #ffffff;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;  
&lt;div style="color: #1f1f1f; background-color: #ffffff;"&gt; 
 &lt;div style="line-height: 1.75rem; color: #1f1f1f;"&gt; 
  &lt;p&gt;For more than a decade, the biennial NASCIO-Deloitte Cybersecurity Study has served as the definitive pulse check for state-level security. But the ninth edition, released in 2026, reads less like a progress report and more like a distress signal.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/div&gt;</description>
      <content:encoded>&lt;p style="width: 111px; height: 0px;"&gt;&lt;span style="background-color: #ffffff;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;  
&lt;div style="color: #1f1f1f; background-color: #ffffff;"&gt; 
 &lt;div style="line-height: 1.75rem; color: #1f1f1f;"&gt; 
  &lt;p&gt;For more than a decade, the biennial NASCIO-Deloitte Cybersecurity Study has served as the definitive pulse check for state-level security. But the ninth edition, released in 2026, reads less like a progress report and more like a distress signal.&lt;/p&gt; 
  &lt;p&gt;The message from state Chief Information Security Officers (CISOs) is clear: the post-pandemic era of relative stability has been replaced by a "blistering pace" of AI-accelerated threats and a "dire" resource crunch. For cybersecurity professionals, this report is about more than just government tech; it's a warning about the fragility of the public-sector foundation we all rely on.&lt;/p&gt; 
  &lt;p&gt;The most jarring data point in the 2026 study is the collapse of executive confidence. In 2022, nearly half (48%) of state CISOs felt "extremely" or "very confident" in their ability to secure public data. By 2026, that number has plummeted to just 22%.&lt;/p&gt; 
  &lt;p&gt;This isn't just self-doubt; it is a rational response to an evolving battlefield. CISOs cite three primary barriers to success:&lt;/p&gt; 
  &lt;ol&gt; 
   &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Legacy infrastructure:&lt;/span&gt; The "technical debt" of aging systems that cannot be easily patched or modernized.&lt;/p&gt; &lt;/li&gt; 
   &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Increased sophistication of threats:&lt;/span&gt; Specifically, the weaponization of Agentic AI by foreign adversaries to probe for weaknesses at machine speed.&lt;/p&gt; &lt;/li&gt; 
   &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Insufficient funding:&lt;/span&gt; For the first time since 2024, CISOs are reporting budget &lt;em&gt;&lt;i&gt;reductions&lt;/i&gt;&lt;/em&gt;, with only 22% seeing any meaningful increase.&lt;/p&gt; &lt;/li&gt; 
  &lt;/ol&gt; 
  &lt;h2 style="line-height: 24px;"&gt;&lt;strong&gt;For CISOs and security teams: the 'whole-of-state' pivot&lt;/strong&gt;&lt;/h2&gt; 
  &lt;p style="font-weight: normal;"&gt;State CISOs are no longer just protecting the state capitol; they are being forced into a "whole-of-state" approach. Because confidence in local governments and higher education has hit an all-time low—with 63% of state CISOs expressing a lack of confidence in these entities—the state is becoming the "provider of last resort" for cybersecurity services.&lt;/p&gt; 
  &lt;ul style="list-style-type: disc;"&gt; 
   &lt;li&gt; &lt;p&gt;The Action: State teams must now architect for multi-tenancy, providing centralized security operations (SOC) and threat intelligence to resource-strapped municipalities and school districts.&lt;/p&gt; &lt;/li&gt; 
  &lt;/ul&gt; 
  &lt;p&gt;If you are a vendor or a business that interfaces with state government, the "maturity mirage" is over. As states adopt new AI guidelines (94% of CISOs are now actively involved in GenAI security policy), expect:&lt;/p&gt; 
  &lt;ul style="list-style-type: disc;"&gt; 
   &lt;li&gt; &lt;p&gt;Stricter procurement: States will likely mandate higher security standards for any software or service that touches public data, particularly around AI transparency.&lt;/p&gt; &lt;/li&gt; 
   &lt;li&gt; &lt;p&gt;Shared liability: With budgets tightening, states will be less willing to absorb the risk of a third-party breach.&lt;/p&gt; &lt;/li&gt; 
  &lt;/ul&gt; 
  &lt;p style="font-weight: normal;"&gt;The study reminds us that cybersecurity is a pillar of public safety. When state CISOs lose confidence, it impacts the reliability of everything from unemployment benefits to DMV services and water infrastructure.&lt;/p&gt; 
  &lt;ul style="list-style-type: disc;"&gt; 
   &lt;li&gt; &lt;p&gt;The takeaway: The public must move from being "users" to "aware stakeholders." Just as we demand road safety, we must support policies that prioritize the modernization of the digital infrastructure that holds our most sensitive personal information.&lt;/p&gt; &lt;/li&gt; 
  &lt;/ul&gt; 
  &lt;h3 style="line-height: 24px;"&gt;&lt;strong&gt;The AI paradox: defense vs. velocity&lt;/strong&gt;&lt;/h3&gt; 
  &lt;p&gt;While AI is the primary driver of the "blistering pace" of attacks, it is also the only tool that can keep up. State CISOs are in a race to adopt AI-driven defenses even as they struggle to maintain legacy systems. This creates a resource gap where teams are forced to choose between keeping the lights on for 20-year-old servers and investing in the AI tools needed to stop 2026-level threats.&lt;/p&gt; 
  &lt;p&gt;&lt;a href="https://www.deloitte.com/us/en/insights/industry/government-public-sector-services/2026-nascio-deloitte-cybersecurity-study.html"&gt;This year's study&lt;/a&gt; includes insights from the CISOs of all 50 states, the District of Columbia, and the U.S. Virgin Islands.&lt;/p&gt; 
  &lt;p style="line-height: 1.667; color: #1f1f1f;"&gt;&lt;a href="https://www.deloitte.com/us/en/insights/industry/government-public-sector-services/2026-nascio-deloitte-cybersecurity-study.html#about-the-study" style="color: #26890d; line-height: 28px;"&gt;&lt;/a&gt;Responses from the survey uncovered five themes:&lt;/p&gt; 
  &lt;ul style="color: #1f1f1f; list-style-type: disc;"&gt; 
   &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Facing an evolving threat landscape:&lt;/span&gt; Rapid advances in attack sophistication are challenging state CISOs, with AI viewed as both an emerging threat vector and a powerful tool for cyber defense.&lt;/p&gt; &lt;/li&gt; 
   &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Getting future-ready:&lt;/span&gt; CISOs are adopting new tools and regulatory frameworks to meet the evolving technology landscape.&lt;/p&gt; &lt;/li&gt; 
   &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Looking at whole-of-state cybersecurity:&lt;/span&gt; The survey points to a growing interest in centralized state support for the cybersecurity efforts of local governments, public education, and critical infrastructure.&lt;/p&gt; &lt;/li&gt; 
   &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;The expanding CISO role: &lt;/span&gt;The proliferation of AI and generative AI (GenAI), as well as a growing appreciation of the need to safeguard public data, is bringing new responsibilities to the CISO role.&lt;/p&gt; &lt;/li&gt; 
   &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Dealing with a resource crunch:&lt;/span&gt; Compared with recent survey cycles, CISOs tell us that their funding shortfalls are growing more dire, while continuing to face challenges around maintaining a cyber workforce with the needed skills.&lt;/p&gt; &lt;/li&gt; 
  &lt;/ul&gt; 
  &lt;p&gt;Some other key points within the report:&lt;/p&gt; 
  &lt;ul&gt; 
   &lt;li&gt; &lt;p&gt;&lt;span style="color: #1f1f1f;"&gt;CISOs expressed growing concerns regarding other parties that interact with their data, possibly based on the growing complexity of information networks, as third-party interactions may introduce risks to transparency, access and credentials, and other vulnerabilities.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
   &lt;li&gt; &lt;p&gt;&lt;span style="color: #1f1f1f;"&gt;"The state has published a statewide acceptable use policy to help steer our customer agencies in AI usage,"&amp;nbsp;one CISO remarked, "but vendors auto-enabling AI features in products already leveraged by our customers causes major concern for data protection, privacy and risk."&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
   &lt;li&gt; &lt;p&gt;&lt;span style="color: #1f1f1f;"&gt;Another CISO said: "GenAI is advancing faster than existing governance structures can adapt, creating growing uncertainty around security, privacy and ethical use. Vendors are increasingly embedding AI capabilities into products and services without sufficient transparency or state-level control, effectively inflicting AI on operational environments before comprehensive risk assessments or policy frameworks can be applied. This uncoordinated adoption has outpaced the development of formal security guidelines, governance models and ethical standards, leaving the state in a reactive position."&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
   &lt;li&gt; &lt;p&gt;&lt;span style="color: #1f1f1f;"&gt;&amp;nbsp;One major question is how CISOs expect their SOCs to evolve over the next two to four years to better support local government entities and public higher education. Survey respondents offered a range of answers, from "We expect to offer county, municipal, and K-12 SOC services within the next four years" to "Growing to provide fusion center-type intelligence sharing with municipalities, with a potential to offer SOC services in the future" to "We don't even have a SOC at the state level. We pay [vendors] to do that kind of work."&lt;/span&gt;&lt;/p&gt; &lt;span style="color: #1f1f1f;"&gt;&lt;/span&gt;&lt;/li&gt; 
  &lt;/ul&gt; 
  &lt;p&gt;The 2026 NASCIO-Deloitte study is a wake-up call for cyber resilience in the public sector. It confirms that the era of treating cybersecurity as merely an IT problem&amp;nbsp;is officially over. In a landscape where the "human-in-the-loop" is being outpaced by autonomous agents, the only path forward is a unified, whole-of-government approach backed by sustainable, long-term investment.&lt;/p&gt; 
 &lt;/div&gt; 
&lt;/div&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fstate-cio-ciso-report-2026&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>Government</category>
      <category>CISO / CSO</category>
      <category>CIO</category>
      <category>Original Content</category>
      <category>Whole-of-State</category>
      <pubDate>Tue, 28 Apr 2026 16:14:43 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/state-cio-ciso-report-2026</guid>
      <dc:date>2026-04-28T16:14:43Z</dc:date>
    </item>
    <item>
      <title>Your New AI Assistant Is a Master Key—and You Just Left It Under the Doormat</title>
      <link>https://www.secureworld.io/industry-news/ai-assistant-master-key-under-doormat</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/ai-assistant-master-key-under-doormat" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/AI%20vulerable%20storage-racks-aligned-in-a-computer-server-room-2025-04-03-04-20-54-utc%20copy-1.jpg" alt="data center racks in red light" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;It's a strange feeling when you realize the thing you trust the most with your work might be the one watching you the closest. No alarms go off. No ransom note shows up. Everything keeps working exactly as expected.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;It's a strange feeling when you realize the thing you trust the most with your work might be the one watching you the closest. No alarms go off. No ransom note shows up. Everything keeps working exactly as expected.&lt;/p&gt; 
&lt;p&gt;That's the point. The risk today doesn't look like a break-in. It looks like a dashboard, a browser extension, or &lt;a href="https://www.secureworld.io/industry-news/orgs-expose-sensitive-data-ai-tools"&gt;a tool you installed six months ago&lt;/a&gt; and never questioned again.&lt;/p&gt; 
&lt;p&gt;There's a quiet shift happening in how data moves, and it's happening in plain sight. The tools you rely on aren't just helping you work faster. They're learning how you work, what you click, who you talk to, and how your business runs. And they're doing it with your full permission.&lt;/p&gt; 
&lt;h2 style="font-weight: normal;"&gt;The new threat model doesn't need to break anything&lt;/h2&gt; 
&lt;p&gt;Unfortunately, traditional security thinking &lt;a href="https://www.secureworld.io/industry-news/data-breach-lessons-costs"&gt;still revolves around breaches&lt;/a&gt;. Someone gets in, something gets taken, and damage follows. That model feels clean and easy to understand. It also feels outdated the moment you look at how modern software behaves.&lt;/p&gt; 
&lt;p&gt;Today's AI tools don't need to break in because they're already inside. You gave them access, often through &lt;a href="https://www.acaglobal.com/industry-insights/when-too-much-access-becomes-a-risk-how-over-permissioning-can-lead-to-ai-data-leaks/"&gt;a single click that said "Allow."&lt;/a&gt; That access usually stretches further than expected, touching emails, files, analytics, CRM data, and sometimes internal conversations.&lt;/p&gt; 
&lt;p&gt;The real shift lies in how normalized this access has become. Teams install tools to solve immediate problems, not to map out long-term data exposure.&lt;/p&gt; 
&lt;p&gt;Over time, the stack grows, permissions overlap, and no one's really tracking who sees what anymore. You've got sales juggling three bookkeeping tools, while marketing &lt;a href="https://omniga.ai/blog/bookkeeping/solutions/ai-bookkeeping-automation"&gt;creates AI ads&lt;/a&gt; with all kinds of software. Something is bound to give, if it hasn't already.&lt;/p&gt; 
&lt;h3 style="font-weight: normal;"&gt;Your AI stack knows more about your business than your team does&lt;/h3&gt; 
&lt;p&gt;Every tool in your stack captures a slice of behavior. Analytics tools track user journeys. Communication platforms log conversations. CRM systems store relationships and deal flows. Individually, that feels manageable. Together, it forms a complete picture, and it's &lt;a href="https://blog.bettyblocks.com/why-im-firing-my-tech-stack-and-building-my-own"&gt;entirely in the hands of third parties.&lt;/a&gt;&lt;/p&gt; 
&lt;p&gt;What's unsettling is how easily that picture can be reconstructed outside your organization. Vendors aggregate usage patterns, metadata, and interaction flows to improve their products, but that &lt;a href="https://www.ncsc.gov.uk/collection/security-principles-protecting-most-sensitive-personal-information-in-datasets/principle-5-avoid-putting-too-much-sensitive-data-together"&gt;same data has immense strategic value.&lt;/a&gt; It reveals how companies operate, where they struggle, and how decisions get made.&lt;/p&gt; 
&lt;p&gt;There's also the issue of visibility. Most teams don't have a centralized way to audit what’s being collected across tools. You trust each platform to handle its own data responsibly, but there's no unified lens that shows the full scope of exposure.&lt;/p&gt; 
&lt;h4 style="font-weight: normal;"&gt;Consent doesn't mean awareness&lt;/h4&gt; 
&lt;p&gt;It's tempting to think everything's fine because access was granted deliberately. The checkbox was there. The terms were accepted. From a legal standpoint, that holds up. From an operational standpoint, it leaves gaps.&lt;/p&gt; 
&lt;p&gt;Consent in software rarely translates to understanding. Privacy policies stretch for pages, filled with language that obscures more than it clarifies. Teams move quickly, and no one's pausing a rollout to dissect data-sharing clauses.&lt;/p&gt; 
&lt;p&gt;What ends up happening is a layered permission model where each tool quietly expands its reach. One integration pulls in another, and &lt;a href="https://www.secureworld.io/industry-news/2025-supply-chain-threats-ai-api"&gt;APIs connect systems that were never meant to overlap.&lt;/a&gt; Over time, your data flows in ways you never explicitly designed.&lt;/p&gt; 
&lt;h5 style="font-weight: normal;"&gt;Data isn't just stored anymore, it's all about training&lt;/h5&gt; 
&lt;p&gt;The value of data today isn't in storage. It's in interpretation. Modern platforms don't just hold your information. They process it, learn from it, and use it to refine their own capabilities. Not to mention, &lt;a href="https://termly.io/resources/articles/ai-statistics/"&gt;many AI companies openly or secretly train their models&lt;/a&gt; on your data.&lt;/p&gt; 
&lt;p&gt;That creates a feedback loop where your business operations indirectly train external systems. Your workflows, your bottlenecks, and your customer behavior all contribute to powerful LLMs that extend beyond your environment.&lt;/p&gt; 
&lt;p&gt;There's also a competitive angle that rarely gets discussed. When multiple companies use the same tools, patterns start to converge. Insights drawn from aggregated data can influence product development, pricing strategies, and even market positioning.&lt;/p&gt; 
&lt;h6 style="font-weight: normal;"&gt;Convenience is the tradeoff no one questions enough&lt;/h6&gt; 
&lt;p&gt;Speed wins almost every decision inside a growing company. A new Claude wrapper promises faster reporting, better collaboration, or easier automation, and it gets adopted quickly. That momentum leaves little room for deeper evaluation.&lt;/p&gt; 
&lt;p&gt;The tradeoff sits in the background. More convenience usually means more access. More integrations mean more data sharing. The &lt;a href="https://moamin.com/from-friction-to-trust-rethinking-security-culture/"&gt;friction that gets removed from your workflow&lt;/a&gt; often gets transferred into your data layer.&lt;/p&gt; 
&lt;p&gt;It's not about avoiding tools or reverting to manual processes. It’s about recognizing that every shortcut has a cost. The issue is that the cost rarely shows up immediately, so it's easy to ignore.&lt;/p&gt; 
&lt;div style="font-size: 24px;"&gt;
 Final thoughts
&lt;/div&gt; 
&lt;p&gt;Nothing here suggests that tools are inherently unsafe or that every platform is misusing data. The reality sits in a more nuanced space. You're operating in an ecosystem where access is expansive, visibility is limited, and incentives don't always align with your interests.&lt;/p&gt; 
&lt;p&gt;That makes awareness the only real leverage you have. Understanding what's being collected, how it's used, and where it flows changes how you evaluate your stack. It shifts the conversation from blind trust to informed usage.&lt;/p&gt; 
&lt;p&gt;The idea of getting hacked still feels dramatic and urgent. Data harvesting feels quieter, almost harmless at first glance. That’s exactly why it deserves more attention.&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fai-assistant-master-key-under-doormat&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Vulnerabilities</category>
      <category>Data Security</category>
      <category>Featured Author</category>
      <category>Agentic AI</category>
      <pubDate>Mon, 27 Apr 2026 14:38:03 GMT</pubDate>
      <author>nahladavies@nahladavies.com (Nahla Davies)</author>
      <guid>https://www.secureworld.io/industry-news/ai-assistant-master-key-under-doormat</guid>
      <dc:date>2026-04-27T14:38:03Z</dc:date>
    </item>
    <item>
      <title>Why SMBs Are Cutting AI Spend—but Doubling Down on Automated Defense</title>
      <link>https://www.secureworld.io/industry-news/smb-ai-spend-automated-defense</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/smb-ai-spend-automated-defense" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/small%20business%20-%20couple-barista-coffee-shop-service-restaurant-conc-2026-01-07-23-36-01-utc.jpg" alt="group of small business employees" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p style="font-weight: normal;"&gt;In the cybersecurity world, we often assume that small and medium-sized businesses (SMBs) are the lagging indicators&amp;nbsp;of digital maturity. However, new research from Tech.co and Expert Market suggests that SMB leaders are becoming surprisingly surgical in their tech adoption.&lt;/p&gt;</description>
      <content:encoded>&lt;p style="font-weight: normal;"&gt;In the cybersecurity world, we often assume that small and medium-sized businesses (SMBs) are the lagging indicators&amp;nbsp;of digital maturity. However, new research from Tech.co and Expert Market suggests that SMB leaders are becoming surprisingly surgical in their tech adoption.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;The data reveal&amp;nbsp;a major pivot in 2026: while many organizations are pulling back on AI for general business tasks, automated cybersecurity remains a non-negotiable priority. As inflation pressures and tech regret drive a more selective investment strategy, automated defense is emerging as a primary pillar of SMB optimization.&lt;/p&gt; 
&lt;h2&gt;&lt;strong&gt;The 'selective AI' shift: cutting the fluff, keeping the shield&lt;/strong&gt;&lt;/h2&gt; 
&lt;p&gt;According to &lt;a href="https://tech.co/news/businesses-rework-time-survey"&gt;Tech.co's March 2026 survey&lt;/a&gt;, general automation usage is experiencing a significant cooldown. Across several key business functions, the "AI hype" seems to be receding:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;Data analysis automation fell by 8 percentage points.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Scheduling and calendar management dropped by 6 percent.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Design task automation saw a 5 percent decline.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: normal;"&gt;Yet, despite this broad pullback, automated cybersecurity adoption stayed nearly flat, dropping only a single percentage point month-over-month. Even with 9% of SMBs actively reevaluating their overall tech spend, one in five (19%) continue to automate their security posture.&lt;/p&gt; 
&lt;p&gt;Why is security surviving the budget axe when other AI tools are being cut? The answer is rooted in cold, hard math.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;AI-driven security can reduce the cost of a data breach by an average of $1.9 million. For an SMB, that isn't just a financial hit, it's an existential threat—call it a breach penalty.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;With 28% of SMBs citing inflation as their primary challenge, the cost of day-to-day operations&amp;nbsp;is skyrocketing. Automation allows for optimization (a strategic focus for 31% of SMBs), enabling greater efficiency and threat detection accuracy without the need for additional headcount.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;&lt;a href="https://www.expertmarket.com/small-business/switching-tech-fuels-smb-regret"&gt;A separate survey by Expert Market&lt;/a&gt; provides the "why" behind the shift toward selectivity: 45% of SMBs report regret over a technology shift in the past 12 months.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;This "tech regret" indicates that the era of rapid, broad-scale AI adoption is over. Leaders are moving toward results-driven investment strategies. They are no longer interested in "AI for AI's sake"; they are interested in tools that offer a clear ROI. In this environment, automated cybersecurity stands out because its value proposition—protecting digital assets and preventing catastrophic financial loss—is unambiguous.&lt;/p&gt; 
&lt;p&gt;For MSPs, CISOs, or consultants advising&amp;nbsp;the SMB market, this research dictates a shift in how you communicate:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Move beyond "features":&lt;/span&gt; SMB leaders are tired of broad automation promises. Frame your security solutions around Risk Management and Optimization.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Validate the ROI:&lt;/span&gt; Use the $1.9 million figure. Show them that automated security is a hedge against the volatility of inflation and a defense against the "accountability gap" that a major breach creates.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Address the regret:&lt;/span&gt; Acknowledge that the technology landscape is overwhelming. Position automated security not as "another tool to manage" but as a way to simplify the complex task of 24/7 vigilance.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;The Tech.co and Expert Market findings confirm that SMBs are getting smarter about their digital footprint. They are trimming the "ghost in the machine"—the underperforming AI tools that lead to tech regret—while hardening their "internal frontier."&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fsmb-ai-spend-automated-defense&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>Original Content</category>
      <category>IT/Security Budget</category>
      <category>SMB</category>
      <category>Automation</category>
      <category>AI</category>
      <pubDate>Fri, 24 Apr 2026 13:39:02 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/smb-ai-spend-automated-defense</guid>
      <dc:date>2026-04-24T13:39:02Z</dc:date>
    </item>
    <item>
      <title>The Working CISO's Guide to Secure AI Enterprise Governance and Implementations</title>
      <link>https://www.secureworld.io/industry-news/ciso-guide-secure-ai-enterprise</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/ciso-guide-secure-ai-enterprise" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/SOC%20-%20Data%20Breach%20-%20young-it-engineer-decoding-data-while-sitting-in-f-2025-03-13-13-05-01-utc%20copy.jpg" alt="IT analyst in operations center" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;I spent the first chapter of my career drinking from a literal firehose. As an analyst in the Canadian Armed Forces (CAF) during the peak of the Afghan war years, I often got thrown into a job or task and then formally trained up on it later. Operational needs always came first; they still do today. My job, crudely put, was to separate signal from noise and never blow the sources and methods that made the collection possible. Two decades later, I've gone from being an entry-level SOC analyst at an MSSP to CISO at a global commercial enterprise with millions of active users. The only thing that's really changed is the gauge of the pipe and the speed at which your newest analyst will wire it directly into their coffee cup if you don't give them a better alternative.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;I spent the first chapter of my career drinking from a literal firehose. As an analyst in the Canadian Armed Forces (CAF) during the peak of the Afghan war years, I often got thrown into a job or task and then formally trained up on it later. Operational needs always came first; they still do today. My job, crudely put, was to separate signal from noise and never blow the sources and methods that made the collection possible. Two decades later, I've gone from being an entry-level SOC analyst at an MSSP to CISO at a global commercial enterprise with millions of active users. The only thing that's really changed is the gauge of the pipe and the speed at which your newest analyst will wire it directly into their coffee cup if you don't give them a better alternative.&lt;/p&gt; 
&lt;p&gt;Enterprise AI governance isn't new. It's a sources-and-methods problem wearing a different uniform.&lt;/p&gt; 
&lt;p&gt;I'm writing this for the working CISO/CIO/CTO, the founder, and the board director currently staring at a 60-slide vendor deck trying to figure out how much of it is real. I don't have a STEM degree. I studied Political Science &amp;amp; Psychology at a military college, in case you were wondering. If you're reading this, you're probably more formally educated and qualified than me, if we're being honest. I'm saying this because I am coming at this from a humble place. My intent is that I care about helping people get this right, and sharing knowledge is how we do that. Most of what I know I picked up from things getting broken in prod, inheriting other people's incidents, and getting chewed out by superiors or—even worse—auditors who were, annoyingly, right. What follows is a six-month plan to a defensible V1.0, at large enterprise scale and at 30-person-startup scale, because the principles don't change when the budget does.&lt;/p&gt; 
&lt;p&gt;One rule before we start...&lt;/p&gt; 
&lt;p&gt;If your AI governance program is built on nice slides, third-party opinions, and zero internal friction, you don't have a program. You have a hallucination. The best security work I've ever seen came from people who'd personally lived through the scenario they were designing for. Everything else is theatre.&lt;/p&gt; 
&lt;h2 style="font-weight: normal;"&gt;Why most of these programs collapse&lt;/h2&gt; 
&lt;p&gt;I've reviewed, audited, competed against, and in a few cases cleaned up after a lot of governance programs over the last decade. The ones that fall apart all fail the same way. Somebody downloads a policy template from a standards body, runs a tabletop without a single technical operator in the room, declares victory at "we have a policy," and goes home. Then a product team quietly spins up a shadow Copilot tenant. Marketing pastes a customer list into ChatGPT to get campaign copy. An engineer wires an open source MCP server straight into production because it was easy. And the CISO finds out on a Tuesday morning in a Slack DM that opens with "hey so this might be bad."&lt;/p&gt; 
&lt;p&gt;The second failure mode is worse. I call it admiring the beauty of your own ideas. You build a framework, skip external red teaming, skip third-party audit, and tell your board you're covered. You're not. You're self-certified. Those aren't the same word. The hardest part of this job isn't writing the policy. It's being honest about what your policy actually prevents versus what it just documents.&lt;/p&gt; 
&lt;p&gt;The shops that get this right start from the same uncomfortable premise. Everything is denied until it's reviewed, registered, and owned by a human with a name. Every approved path has a kill switch somebody has actually tested, not drawn on a whiteboard. Every output is logged in a way a forensic investigator would respect, not a marketing lead. My gut test: if my board asked tomorrow what Gemini did for Sarah in Finance last Tuesday at 14:00 UTC, could I answer without calling a vendor? If no, we haven't landed yet.&lt;/p&gt; 
&lt;p&gt;Here's the plan.&lt;/p&gt; 
&lt;h3 style="font-weight: normal;"&gt;Months 1 and 2: Governance and Policy&lt;/h3&gt; 
&lt;p&gt;You can't secure what you haven't named, so the first sixty days are about getting your arms around what's actually happening inside your four walls, deciding what gets through the door going forward, and building a default posture that doesn't leak.&lt;/p&gt; 
&lt;p&gt;Deny by default is the single most important posture decision you'll make, and it's the one that gets the most pushback. Product leaders will tell you it kills innovation. It doesn't. It forces innovation to have an owner. Without a default-deny, your AI footprint is whatever your people felt like signing up for on a free trial last quarter, and it's bigger than you think. Run a DLP or SWG query against the top hundred AI domains. One of my peers found an entire customer service team had been routing tickets through an unapproved consumer chatbot for eight months. Nobody was malicious. Nobody asked.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;The guts of governance should live in three registries:&lt;/span&gt;&lt;/p&gt; 
&lt;ol&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Solution Registry&lt;/span&gt; serving as your list of every AI model, service, and provider reviewed and approved, with named owners and risk classifications.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Tooling Registry&lt;/span&gt; covering every MCP server, skill, plug-in, and integration that's been vetted.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Data Registry&lt;/span&gt; telling you every internal knowledge source AI is allowed to read, each one having passed a STRIDE threat model and a real backup and recovery check before the model gets near it. That last one is where most organizations cut corners and where they get bit. If a data source doesn't have a tested restore path, AI doesn't connect to it. That's a line I don't move.&lt;/p&gt; &lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;Risk classification turns governance from a shelf document into something useful. You can use something as simple as five tiers. R0 is pure internal productivity, no sensitive data, no user impact. R1 touches real workflows but doesn't decide anything user-facing. R2 is user-visible but reversible. R3 is user decisioning. R4 is identity, safety, legal, or irreversible. In other words, it's the tier where you can't afford to be cute. Your approval workflow runs in two lanes. Fast lane for R0 and R1 on pre-approved infrastructure, no new vendors, no write access, no confidential data, one to two weeks end to end. Slow lane for everything else, two to six weeks, full stakeholder review. If the slow lane gets bypassed for the CEO's pet project, you don't have a lane system, you have a suggestion box.&lt;/p&gt; 
&lt;p&gt;At large enterprise scale this lives inside ServiceNow or a Jira-plus-Confluence stack with workflow automation, a formal AI governance committee chaired by your CIO or CISO with quarterly Senior Leadership attestation, and probably two or three dedicated headcount split between Architecture and InfoSec. The HLD template has a mandatory AI declaration section that can't be skipped. Your architects will complain. Good. At SME scale none of that is realistic and you don't need it. A single shared spreadsheet with four tabs, a one-page policy your CEO actually signs, a monthly thirty-minute touchpoint with your senior engineer, product lead, and whoever runs IT, and a risk table that fits on a whiteboard. What you really need is one person empowered to say no and a CEO who will back them. The framework is easy. The backing is hard.&lt;/p&gt; 
&lt;p&gt;Either way, you need a written AI Governance Policy. Not an HLD. A policy. It covers what's approved and what isn't, what data can and can't go into a prompt, whether personal accounts are allowed (Pro Tip: they aren't), what human review is required, and a real enforcement path your HR team has blessed. A policy without HR teeth is a poster you put up for auditors.&lt;/p&gt; 
&lt;h4 style="font-weight: normal;"&gt;Months 2 and 3: Data Security and Privacy&lt;/h4&gt; 
&lt;p&gt;Here's where the real exposure lives, and it isn't the AI. It's the people pointed at it. Models don't accidentally leak data. People using models leak data. Retrieval pipelines pointed at poorly classified stores leak data. Vendors who didn't opt you out of training leak your data in ways you won't find out about until someone else's chatbot quotes your internal memo back at them. Make the leak physically difficult, culturally awkward, and technically auditable, in roughly that order.&lt;/p&gt; 
&lt;p&gt;The one rule I'll die on: no PII, no credentials, no API keys, no customer records, no strategic business information goes into a prompt unless that specific use case has been explicitly approved, the data is properly contracted for, and the model vendor has opted you out of training on your traffic in writing. If your vendor won't opt you out, they don't get your work. Full stop. I've walked away from demos with very smart vendors over this exact clause. Not negotiable, and honestly it's the single most effective control you'll put in place. Everything else is hygiene.&lt;/p&gt; 
&lt;p&gt;On the application side, input and output sanitization is the app's job, not the model's. The minute you trust the model to police its own output, you've lost the plot. The application fetches the data, decides what to pass in, and validates what comes back. The model is a clever parameter in between.&lt;/p&gt; 
&lt;p&gt;Provenance is the thing nobody wants to talk about until a regulator shows up. If AI is producing content that reaches a customer, makes a decision, or sits in your records for audit, you need to know which model made it, on what input, under which guardrail, when, and whether a human reviewed it. Prompt, response, model version, reviewer name, timestamp, confidence score if the model gives you one. That log has to survive a regulator, a plaintiff, and a breach investigator at the same time, because in my experience they show up as a package.&lt;/p&gt; 
&lt;p&gt;At large enterprise scale: a full DLP stack inspecting traffic to known AI endpoints, a data classification schema that actually propagates through bucket policies, column tags, and IAM roles, a clean room capability for vendor model interaction with regulated data, embedded cryptographic provenance on anything sensitive you generate, and a named data protection officer sitting in the AI approval flow. If you've got the scale, doing less is negligence.&lt;/p&gt; 
&lt;p&gt;At SME scale: a commodity secure web gateway with domain-level AI blocking turned on for anything not on your list, a one-page data input rulebook you can laminate and hand to every new hire, everybody onto company SSO, every public chatbot UI blocked at the browser. I've seen a startup do this for under fifteen hundred a month all-in and be genuinely defensible. The trick wasn't the tools. It was the founder who wouldn't grant exceptions.&lt;/p&gt; 
&lt;p&gt;A word on regulation, because everybody wants to ignore it until Q4. PIPEDA, GDPR, the EU AI Act, the Training Data Bill of Materials (TDBOM) framework I've been advocating for in Canadian federal procurement. They're all converging on one demand. Prove where your data came from. Prove where it went. Prove you had the right to use it. Start capturing that lineage now even if nobody's asked yet, because they will, and retrofitting provenance after the fact is a special kind of hell.&lt;/p&gt; 
&lt;h5 style="font-weight: normal;"&gt;Months 3 and 4: Infrastructure and Secure Deployment&lt;/h5&gt; 
&lt;p&gt;Here's the unpopular opinion I keep getting asked about on podcasts. Until somebody builds a large language model that can safely talk to the open internet without leaking, getting jailbroken, or quietly wandering off with your data, treat every AI deployment as if it will do all three. That doesn't mean don't deploy. It means deploy inside a blast radius you can actually contain.&lt;/p&gt; 
&lt;p&gt;Three architectural commitments make the rest of the program tractable.&lt;/p&gt; 
&lt;p&gt;First, enterprise-hosted services, company credentials, SSO, nothing else. A good example of this is if your shop uses AWS Bedrock with Google Gemini at the workspace tier and a code assistant under Bedrock for engineering. Anthropic's Claude and GitHub Copilot can be approved for use inside Bedrock for specific use cases with documented risk tables. Everything else gets an HLD or it doesn't run. Personal accounts are banned as policy and backed by technical controls. If a developer can't get an API key from IT, they don't get an API key. They'll complain. They complain about SSO too. They'll live.&lt;/p&gt; 
&lt;p&gt;Second, the principle I'll defend against anyone trying to sell me an agentic future: AI is a function call. In every end-user-facing app, AI takes controlled input and returns controlled output. Your code decides what to do with that output. AI doesn't query your databases. AI doesn't execute actions. AI doesn't spawn sub-agents that go find things to do on their own time. AI returns a risk score, a classification, or a string of text. Your code suspends the account, flags the transaction, renders the copy. This principle eats roughly eighty percent of the agentic attack surface and costs you nothing except some developer ego.&lt;/p&gt; 
&lt;p&gt;Third, parameterized writes only. Same principle we've used since 1999 to stop SQL injection. Hardcoded query, AI output dropped into a parameter slot, permitted types limited to strings, booleans, or an enum drawn from a fixed set you defined in advance. AI does not construct API calls. AI does not emit raw SQL. If a vendor is selling you an agent that can autonomously modify production state, send them my number, I'd love that conversation.&lt;/p&gt; 
&lt;p&gt;Kill switches are the thing most programs lie about, so every approved AI path needs a documented, tested kill switch a named owner can pull inside fifteen minutes. SSO group removal, tooling registry flag flip, feature flag, model disable at the Bedrock level, data rollback where it applies. If nobody's pulled the switch in a drill, the switch is imaginary. I had one at a previous shop that looked great on paper and failed the first time we ran it because the on-call rotation had shifted and nobody remembered the runbook. We fixed it, then drilled it every quarter.&lt;/p&gt; 
&lt;p&gt;Large enterprise translation: a centrally managed MCP gateway, BYOK or HSM integration on anything touching regulated data, isolated compute tenancies for the really sensitive workloads, configuration drift detection running continuously, and a standing red team with a specific remit to go break your AI stack. You'll spend real money on this and it's worth every dollar if you have the exposure.&lt;/p&gt; 
&lt;p&gt;The SME approach is almost defiantly simple (and, therefore, much easier to execute). Use the hyperscaler managed services. Don't self-host models unless you have a very specific reason and the talent to match. Flat allowlist of approved AI domains at your SWG. One feature flag per AI path that somebody on DevOps can flip from their phone. One annual external pen test scoped to include AI. If the pen test vendor can't tell you off the top of their head what indirect prompt injection is or how retrieval poisoning works, get a different vendor. I mean that.&lt;/p&gt; 
&lt;h6 style="font-weight: normal;"&gt;Months 4 and 5: Monitoring and Operational Resilience&lt;/h6&gt; 
&lt;p&gt;This is the stage where I can tell within five minutes whether a CISO is actually running a program or just managing optics. Monitoring is where governance meets reality, and most organizations treat it as a box they ticked at go-live and haven't looked at since. Then the breach notification lands and everyone's shocked.&lt;/p&gt; 
&lt;p&gt;Your audit logs have to be real! Every AI invocation produces an entry with model ID, input, output, user, app context, timestamp, guardrail evaluations, and any write it triggered downstream. Centralized, retained against your longest regulatory clock, accessible to an investigator inside an hour, not a week. If your vendor doesn't expose the raw telemetry, pick a different vendor. I've killed procurement processes over this. Zero regrets.&lt;/p&gt; 
&lt;p&gt;Adversarial testing has to be scheduled, not one-off. Prompt injection, retrieval poisoning, jailbreak attempts, context overflow, output filter bypass. Models update. Prompts drift. Your guardrails age like produce, not wine. If you're not paying for external testing, black box and gray box evaluation against your AI surfaces, you're flying blind, and grading your own homework doesn't count as passing the class. Your SOC runbooks also need AI scenarios in them. Model compromise. Training data exfiltration. Vendor breach involving your data. A successful prompt injection that reached production and did something. These aren't the same patterns as ransomware, and your analysts need to have walked through them in a tabletop before the real one hits. The first tabletop I ran on this was humbling. That's the point.&lt;/p&gt; 
&lt;p&gt;Data drift monitoring closes the loop. Model outputs degrade silently. A classifier that was ninety-four percent accurate in August can be seventy-two in February because the world shifted and nobody changed a line of code. Define the metric, pick the threshold, wire the alert. This is where product engineering and security have to actually work together instead of lobbing Jira tickets at each other.&lt;/p&gt; 
&lt;p&gt;For a large enterprise, this is dedicated AI SOC coverage tied into your managed security provider, SIEM rules purpose-built for AI telemetry, quarterly adversarial exercises, drift monitoring owned by a product manager with teeth, a crisis comms runbook for AI disclosure events, and SLT tabletops twice a year at minimum.&lt;/p&gt; 
&lt;p&gt;SMEs are dramatically simpler and I'd argue more defensible because of it. Forward your vendor audit logs into whatever SIEM or log aggregator you already have. Write five AI-specific detection rules. Run one external AI-focused red team engagement a year, even a small one. Book a ninety-minute tabletop annually where your engineering lead, your legal advisor, and your CEO walk through a mock AI incident. That's the bar. Most companies, at any size, aren't meeting it.&lt;/p&gt; 
&lt;div style="font-size: 24px;"&gt;
 Months 5 and 6: Talent and Culture
&lt;/div&gt; 
&lt;p&gt;I'll say this bluntly because I've said it on record before: The technical skills are the easiest part of this job. Those you can hire for. What's hard is building a team where people will say no to the CEO when the CEO is wrong, where a junior analyst is comfortable escalating a bad AI output to a principal engineer without getting their head bitten off, where everybody understands that shipping fast is nothing compared to shipping right, and that we can always re-ship.&lt;/p&gt; 
&lt;p&gt;Hire operators over theorists, every time. The best AI security people I've worked with were SOC analysts first, or pen testers first, or platform engineers first, or occasionally intelligence operators who grok the sources-and-methods problem at a cellular level because they've lived it. Book knowledge is useful. Scar tissue is irreplaceable, and you can't fake it. I can tell inside five minutes of a technical conversation whether someone's done the thing or read about it. Most of us can.&lt;/p&gt; 
&lt;p&gt;Train everyone, not just the nerds. Every employee is an AI attack surface because every employee can paste a customer record into a public chatbot without thinking. I'm partial to the policy assistant approach, where staff can ask a governed internal AI tool what's approved and get a real answer. Short and frequent beats long and annual. Nobody remembers the thirty-minute mandatory compliance video. They do remember the Tuesday five-minute refresher that said "don't paste PII into Gemini, here's why."&lt;/p&gt; 
&lt;p&gt;Human-in-the-loop has to be a cultural default, not a checkbox. PR reviews stay mandatory. AI-generated legal goes through Legal. AI-drafted marketing copy goes through Marketing review. AI code follows the exact same bar as human code, and if it doesn't compile, doesn't lint, doesn't pass tests, it doesn't merge. I don't care that an AI wrote it. Your name is still on the commit.&lt;/p&gt; 
&lt;p&gt;Promote the people who protect the company. This is where culture lives or dies. If your organization rewards the person who cut corners to ship over the person who held the line on data governance, your program erodes inside a year no matter how good the documents look. I've watched good CISOs leave because the culture quietly told them their caution was unwelcome. The first meeting where somebody important gets told no is where your culture gets set. Make sure that meeting goes well.&lt;/p&gt; 
&lt;p&gt;Large enterprises need a role-based training matrix, an AI Ethics Committee with representation from outside security, dedicated learning paths, a named AI security lead, and biannual tabletops that include the board risk committee. SMEs can acceptably work with a monthly lunch and learn, a written AI best-practices guide short enough to read, one AI champion on the engineering team with real authority and air cover, and a crystal clear CEO statement that the rules apply to everybody, founders included. That's the whole play at small scale, and it outperforms a lot of the big-enterprise programs I've seen.&lt;/p&gt; 
&lt;div style="font-size: 24px;"&gt;
 What V1.0 actually means
&lt;/div&gt; 
&lt;p&gt;V1.0 isn't perfection, it's just a start. Anyone promising you perfection is selling you something. V1.0 is a defensible starting line. At the end of six months, if your board asks what AI is running in your enterprise, under what controls, touching what data, reviewed by whom, with what kill switch, you should be able to answer in a single meeting without calling a vendor. That's the bar. Everything past that is V1.1 onward, and you'll iterate every quarter for the rest of your career, because the tech will.&lt;/p&gt; 
&lt;p&gt;The biggest professional lesson from my army days that applies to all of this is that intelligence operators work by disciplines that don't change regardless of the collection platform. You validate the sterile environment before you collect. You protect the sources and methods. You never forget that some actions are irreversible once taken. Those map directly onto what we're doing with AI right now. Your sterile environment is your data classification and your approved ecosystem. Your sources and methods are the proprietary data, prompts, and fine-tuning that give your AI its edge over whoever's trying to knock you off. Your irreversibility is what happens when an autonomous agent makes a write your audit log can't reconstruct. The muscle memory I built in a uniform turns out to be exactly the muscle memory this moment is asking for, which I find darkly funny and quietly reassuring.&lt;/p&gt; 
&lt;p&gt;Two last things...&lt;/p&gt; 
&lt;p&gt;You don't need every shiny AI tool that launches on a Tuesday even if it promises the exact miracle that you somehow need in that very moment. You need the ones that serve your business and can be governed. Vendors push you toward complexity because complexity sells seats. Push back. Simpler architecture is more defensible architecture, and more defensible architecture sleeps better at night.&lt;/p&gt; 
&lt;p&gt;Respect operators over vendors. I'll listen all day to an engineer who's actually shipped what they're telling me about. I'll listen politely, for a much shorter window, to an analyst who read a Gartner report. If you're a CISO/CIO/CTO&amp;nbsp;or a founder reading this, build your circle out of operators. They'll tell you the truth even when it's inconvenient, which it usually is.&lt;/p&gt; 
&lt;p&gt;If you disagree with any of this, come find me. I'll probably still be wrong about something, and I'd rather hear it from you now than from my auditors next cycle.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-style: italic;"&gt;This article appeared originally &lt;/span&gt;&lt;a href="https://www.linkedin.com/pulse/working-cisos-guide-secure-ai-enterprise-governance-lessons-al-koura-lki9e/" style="font-style: italic;"&gt;on LinkedIn here&lt;/a&gt;&lt;span style="font-style: italic;"&gt;.&lt;/span&gt;&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fciso-guide-secure-ai-enterprise&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>CISO / CSO</category>
      <category>GRC</category>
      <category>Featured Author</category>
      <category>AI</category>
      <pubDate>Thu, 23 Apr 2026 17:50:42 GMT</pubDate>
      <guid>https://www.secureworld.io/industry-news/ciso-guide-secure-ai-enterprise</guid>
      <dc:date>2026-04-23T17:50:42Z</dc:date>
      <dc:creator>George Al-Koura</dc:creator>
    </item>
    <item>
      <title>Ransomware Negotiator Secretly Worked Both Sides—then Joined the Conspiracy</title>
      <link>https://www.secureworld.io/industry-news/ransomware-negotiator-secretly-worked-both-sides</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/ransomware-negotiator-secretly-worked-both-sides" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Vulnerability%20-%20Hacked%20-%20Ransomeware%20-%20Attack%20-%20shutterstock_2572994613.jpg" alt="man talking on phone at workstation" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;A Florida man who worked as a ransomware negotiator at a U.S. cyber incident response firm has &lt;a href="https://www.justice.gov/opa/pr/florida-man-working-ransomware-negotiator-pleads-guilty-conspiracy-deploy-ransomware-and"&gt;pleaded guilty&lt;/a&gt; to conspiring with the BlackCat/ALPHV ransomware group—feeding the attackers confidential information about his own clients while simultaneously negotiating on their behalf.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;A Florida man who worked as a ransomware negotiator at a U.S. cyber incident response firm has &lt;a href="https://www.justice.gov/opa/pr/florida-man-working-ransomware-negotiator-pleads-guilty-conspiracy-deploy-ransomware-and"&gt;pleaded guilty&lt;/a&gt; to conspiring with the BlackCat/ALPHV ransomware group—feeding the attackers confidential information about his own clients while simultaneously negotiating on their behalf.&lt;/p&gt; 
&lt;p&gt;Angelo Martino, 41, of Land O'Lakes, Florida, admitted to providing BlackCat operators with clients' insurance policy limits and internal negotiation strategies without his employer's or clients' knowledge. The operators paid Martino for the intelligence, which they used to maximize ransom demands against five victims. He was supposed to be helping those same victims reduce what they paid.&lt;/p&gt; 
&lt;h2&gt;&lt;strong&gt;From negotiator to affiliate&lt;/strong&gt;&lt;/h2&gt; 
&lt;p&gt;Martino's conduct went beyond leaking data. Beginning in April 2023, he conspired with Ryan Goldberg of Georgia and Kevin Martin of Texas to actively deploy BlackCat ransomware against U.S. targets. All three held cybersecurity industry roles—a fact the Department of Justice emphasized in its announcement.&lt;/p&gt; 
&lt;p&gt;After successfully extorting one victim for approximately $1.2 million in Bitcoin, the three men split their share of the ransom and laundered the proceeds through multiple channels. The conspiracy ran from April through November 2023.&lt;/p&gt; 
&lt;p&gt;To date, law enforcement has seized more than $10 million in assets from Martino, including digital currency, vehicles, a food truck, and a luxury fishing boat.&lt;/p&gt; 
&lt;p&gt;[RELATED: &lt;a href="https://www.secureworld.io/industry-news/ultimate-betrayal-cyber-negotiators"&gt;The Ultimate Betrayal: When Cyber Negotiators Became the Attackers&lt;/a&gt;]&lt;/p&gt; 
&lt;h3&gt;&lt;strong&gt;What officials said&lt;/strong&gt;&lt;/h3&gt; 
&lt;p&gt;Assistant Attorney General A. Tysen Duva of the DOJ's Criminal Division was direct about the nature of the betrayal, saying:&lt;/p&gt; 
&lt;p&gt;"Angelo Martino's clients trusted him to respond to ransomware threats and help thwart and remedy them on behalf of victims. Instead, he betrayed them and began launching ransomware attacks himself by assisting cyber criminals and harming victims, his own employer, and the cyber incident response industry itself."&lt;/p&gt; 
&lt;p&gt;U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida focused on the insider access angle and what the case signals to others, saying:&lt;/p&gt; 
&lt;p&gt;"Ransomware victims turned to this defendant for help, and he sold them out from the inside. He abused his position at a cyber incident response company to feed confidential information to BlackCat actors, helping them maximize ransom payments from American victims. He then went further, joining the conspiracy himself to deploy ransomware and profit from extortion."&lt;/p&gt; 
&lt;p&gt;FBI Cyber Division Assistant Director Brett Leatherman noted that the case reinforces a point the bureau has pushed for years: ransomware is not exclusively an offshore problem.&lt;/p&gt; 
&lt;p&gt;"His guilty plea demonstrates that, for all the international aspects of cybercrime, the threat is also here in the United States," Leatherman said, adding that Martino "abused the trust placed in him as a private sector negotiator by collaborating with ransomware criminals."&lt;/p&gt; 
&lt;h4&gt;&lt;strong&gt;Charges, co-conspirators, and sentencing&lt;/strong&gt;&lt;/h4&gt; 
&lt;p&gt;Martino pleaded guilty to one count of conspiracy to obstruct, delay, or affect commerce by extortion, and faces a maximum of 20 years in prison. Sentencing is scheduled for July 9.&lt;/p&gt; 
&lt;p&gt;Goldberg and Martin separately pleaded guilty to the same charge in December 2025. Both are scheduled to be sentenced on April 30, and each faces the same 20-year maximum.&lt;/p&gt; 
&lt;p&gt;The FBI's Miami field office is leading the investigation, with assistance from the U.S. Secret Service. Trial Attorneys Christen Gallagher and Jorge Gonzalez of the DOJ's Computer Crime and Intellectual Property Section (CCIPS), along with Assistant U.S. Attorneys Thomas Haggerty and Quinshawna Landon for the Southern District of Florida, are prosecuting the case.&lt;/p&gt; 
&lt;h5&gt;&lt;strong&gt;BlackCat context&lt;/strong&gt;&lt;/h5&gt; 
&lt;p&gt;The BlackCat/ALPHV group was one of the more prolific ransomware-as-a-service operations before law enforcement action in December 2023, when the &lt;a href="https://www.justice.gov/archives/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant"&gt;FBI disrupted the group's infrastructure&lt;/a&gt;, developed a decryption tool, and seized several BlackCat-operated websites. That decryption tool allowed field offices and international partners to help hundreds of victims recover their systems, saving an estimated $99 million in ransom payments.&lt;/p&gt; 
&lt;p&gt;Martino's case is a reminder that insider threats in the incident response (IR) industry pose the same risks as elsewhere in the enterprise—potentially worse, given the privileged access those responders have during an active crisis.&lt;/p&gt; 
&lt;p&gt;Organizations that engage third-party ransomware negotiators or IR firms should consider what contractual, technical, and operational controls govern how sensitive negotiation data is handled and who has access to it.&lt;/p&gt; 
&lt;p&gt;The full DOJ press release is &lt;a href="https://www.justice.gov/opa/pr/florida-man-working-ransomware-negotiator-pleads-guilty-conspiracy-deploy-ransomware-and"&gt;available here&lt;/a&gt;.&lt;/p&gt; 
</content:encoded>
      <category>Featured</category>
      <category>Ransomware</category>
      <category>Insider Threats</category>
      <category>Original Content</category>
      <category>DOJ</category>
      <category>Incident Response / SIEM</category>
      <category>Law Enforcement</category>
      <pubDate>Thu, 23 Apr 2026 12:16:00 GMT</pubDate>
      <author>drewt@secureworld.io (Drew Todd)</author>
      <guid>https://www.secureworld.io/industry-news/ransomware-negotiator-secretly-worked-both-sides</guid>
      <dc:date>2026-04-23T12:16:00Z</dc:date>
    </item>
    <item>
      <title>Do GE's ITAR Violations Expose a CMMC Blind Spot?</title>
      <link>https://www.secureworld.io/industry-news/itar-violations-cmmc-blind-spot</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/itar-violations-cmmc-blind-spot" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Identity%20-%20business_meeting_c-2026-01-05-23-12-19-utc.jpg" alt="business leaders in meeting room" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;From my trade compliance connections, I saw that &lt;a href="https://www.state.gov/releases/office-of-the-spokesperson/2026/04/u-s-department-of-state-concludes-36-million-settlement-resolving-export-violations-by-general-electric-company"&gt;GE Aerospace faces a $36 million ITAR fine.&lt;/a&gt; This arises from a voluntary self-disclosure (VSD)—which is something the U.S. Department of State encourages—of 116 ITAR violations within multiple categories. And China.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;From my trade compliance connections, I saw that &lt;a href="https://www.state.gov/releases/office-of-the-spokesperson/2026/04/u-s-department-of-state-concludes-36-million-settlement-resolving-export-violations-by-general-electric-company"&gt;GE Aerospace faces a $36 million ITAR fine.&lt;/a&gt; This arises from a voluntary self-disclosure (VSD)—which is something the U.S. Department of State encourages—of 116 ITAR violations within multiple categories. And China.&lt;/p&gt; 
&lt;p&gt;From the State Department's website:&lt;/p&gt; 
&lt;p style="padding-left: 40px;"&gt;"The administrative settlement between the Department of State and GE Aerospace, concluded pursuant to ITAR § 128.11, addresses multiple categories of ITAR violations, including GE Aerospace's unauthorized exports of technical data to the People's Republic of China; violations of terms, conditions, and provisos of several Directorate of Defense Trade Controls authorizations involving various countries; unauthorized exports of defense articles to two countries; and failure to report material changes to its ITAR registration.&lt;/p&gt; 
&lt;p style="padding-left: 40px;"&gt;GE Aerospace voluntarily disclosed all the alleged violations, a substantial portion of which predate 2023. GE Aerospace also fully cooperated with the Department's review of this matter and has implemented numerous improvements to its ITAR compliance program since the conduct at issue."&amp;nbsp;&lt;/p&gt; 
&lt;p&gt;$18,000,000 of this fine is suspended and to be channeled into improvement of GE Aerospace's ITAR program and controls. I'm going to posit that improvements are underway and led to the discovery and disclosure—so, GOOD.&lt;/p&gt; 
&lt;p&gt;GE Aerospace is a prime contractor in the defense industrial base. So...&lt;/p&gt; 
&lt;p&gt;Now, I know I'm fairly new to this CMMC space, but ITAR trade compliance controlled data feels a whole lot like chocolate to export controlled CUI's peanut butter. Yes, it's entirely possible that the two are parallel and never the twain shall meet in this instance, BUT... here are my (possibly meandering ranting) thoughts:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;CMMC doesn't really have a voluntary self-disclosure of "we're not doing the program right." The closest thing is the False Claims Act, which is scary, but they are not the same. With VSD, the company says "we broke this, we're fixing it," and gets acknowledgement that yes, there's a problem, but the company's doing the right thing. CMMC does require—like a trade compliance program—executive affirmation. So, yes, there's legal exposure under the False Claims Act, but there's no "safe" correction path.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;CMMC –&amp;nbsp;Yes, the organization must report breaches in 72 hours, but that's not the same thing.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;What external circumstances, if any, should trigger a review of a company's CMMC out of band? What if we had Level 3 CMMC already in place, and this ITAR information was CUI? Do the State Department and the Department of Defense/War even talk about these things? Again, CMMC has no defined "material compliance failure" trigger.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;This is a prime. Is it too big to fail? It can certainly absorb that fine. Risk can be managed with $$$ and lawyers ($$$$), and failure for the bigger companies isn't an existential threat. Smaller subs... much less wiggle room. A prime can tolerate hundreds of violations across years. But smaller subcontractors, individually, risk more in this space. The decision to enter it and play by the rules can't be by the default of having the contract now.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;ITAR technical data is often CUI—export-controlled CUI. Often, not always. Consider often a strong enough argument here: Are we requiring mere compliance and box checking for CMMC if it runs fully separate from ITAR when the data might overlap and an organization's sanctioned for one? (Do we really have peanut butter cups? Two ingredients in the same candy? Or are the commercial actors due to roam the planet alone?)&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;While a large number of CMMC NIST SP 800-171 controls (practices, requirements, oh my) are technical in nature, the time-consuming, drift-controlling sections require extensive time and management. Governance. They're not what come to mind when people say "cybersecurity," and yet they're clearly in NIST SP 800-171 just as sure as they're considered in something as simple as NIST CSF with its focus on maturity.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;You probably noticed that many of the 116 ITAR violations are from years ago. Yet, they must still be reported. CMMC cycles for certification are three years. CMMC sure does feel like certifying a moment in time (not the intent at all!) while ITAR is forever—like a diamond.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Here's what GE Aerospace says about CMMC on its page: "The CMMC is crucial for GE suppliers because it ensures the protection of sensitive information within the defense industrial base (DIB). The Department of Defense (DoD) developed CMMC to enhance the cybersecurity posture of companies in the supply chain, particularly those handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)."&lt;/p&gt; 
&lt;p&gt;So, what do you think? Am I ranting about things that are too separate to integrate (and we want to keep them that way because everything's working as intended), or are we looking at something that should be a system and isn't?&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-style: italic;"&gt;This post appeared originally &lt;/span&gt;&lt;a href="https://www.linkedin.com/pulse/cmmc-itar-two-towers-heather-noggle-csslp-zepwc/" style="font-style: italic;"&gt;on LinkedIn here&lt;/a&gt;&lt;span style="font-style: italic;"&gt;.&lt;/span&gt;&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fitar-violations-cmmc-blind-spot&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>GRC</category>
      <category>Featured Author</category>
      <category>Compliance</category>
      <category>CMMC</category>
      <category>Disclosure Rules</category>
      <pubDate>Wed, 22 Apr 2026 18:47:35 GMT</pubDate>
      <author>hnoggle@mccoe.org (Heather Noggle)</author>
      <guid>https://www.secureworld.io/industry-news/itar-violations-cmmc-blind-spot</guid>
      <dc:date>2026-04-22T18:47:35Z</dc:date>
    </item>
    <item>
      <title>Navigating the New Cyber-Physical Convergence Reality in Manufacturing</title>
      <link>https://www.secureworld.io/industry-news/cyber-physical-convergence-reality-manufacturing</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/cyber-physical-convergence-reality-manufacturing" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Manufacturing%20Industry%20-%20shutterstock_2297997001-4.jpg" alt="industrial workers" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p style="font-weight: normal;"&gt;In the manufacturing sector, the traditional boundary between "the network" and "the floor" has effectively dissolved. According to Trackforce's executive trends report, &lt;em&gt;Cyber-Physical Security Convergence in Manufacturing&lt;/em&gt;, the manufacturing world is&amp;nbsp;entering an era where operational uptime is inseparable from cybersecurity posture.&lt;/p&gt;</description>
      <content:encoded>&lt;p style="font-weight: normal;"&gt;In the manufacturing sector, the traditional boundary between "the network" and "the floor" has effectively dissolved. According to Trackforce's executive trends report, &lt;em&gt;Cyber-Physical Security Convergence in Manufacturing&lt;/em&gt;, the manufacturing world is&amp;nbsp;entering an era where operational uptime is inseparable from cybersecurity posture.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;For cybersecurity professionals, this shift means that protecting data is no longer the sole objective; the new mandate is protecting operational continuity. When a breach can stop 60 trucks or spoil millions of dollars in perishable inventory, security is no longer an IT cost center—it is a business continuity control.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://www.trackforce.com/wp-content/uploads/2026/03/Manufacturing-Trends-Report.pdf"&gt;The report&lt;/a&gt; highlights that the risks of convergence extend far beyond the four walls of a single factory.&lt;/p&gt; 
&lt;p&gt;The "maturity mirage" is a significant threat for pure manufacturers. While many have addressed "low-hanging fruit" like basic firewalls, 85% to 90% of organizations still operate in IT and OT silos. This lack of coordination creates a critical lag during incidents, when security teams may not understand the physical impact of a digital anomaly until production has already halted.&lt;/p&gt; 
&lt;p&gt;Your "invisible" attack surface is expanding. The report notes that identity discipline must now extend to third-party contractors and visitors who access your partners' facilities. If a third-party manufacturer lacks standardized incident reporting or patrol verification, your supply chain resilience is built on a foundation of guesswork.&lt;/p&gt; 
&lt;h2&gt;&lt;strong&gt;The five trends every CISO must watch through 2027&lt;/strong&gt;&lt;/h2&gt; 
&lt;p&gt;Trackforce identifies five predictive shifts that will define the next couple of years. Cybersecurity teams should be most mindful of these evolving "frontiers."&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;1. Segmentation as an uptime control:&lt;/span&gt; Network segmentation is moving from a technical recommendation to a business-linked control. The goal is no longer just "blocking traffic" but ensuring that a compromise in the corporate office cannot trigger a physical shutdown on the line.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;2. Identity discipline for the "extended" workforce:&lt;/span&gt; Identity is the new perimeter, and in manufacturing, that perimeter includes thousands of non-employees. CISOs must watch for the expansion of Identity Threat Detection and Response (ITDR) to cover contractors, maintenance technicians, and temporary visitors who represent high-risk entry points into OT environments.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;3. The "handoff" failure point:&lt;/span&gt; Convergence succeeds or fails at the handoffs between departments. Security teams should be mindful of the "ownership gap"; if a networked camera or an electronic gate fails, is it an IT problem, a physical security problem, or an operational maintenance issue?&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;4. Physical systems as cyber assets:&lt;/span&gt; Access control systems, video surveillance, and visitor management platforms are now networked cyber assets. Attackers are increasingly using these "physical" tools as entry points for lateral movement into the broader corporate network.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;5. Resilience via automated communications:&amp;nbsp;&lt;/span&gt;True resilience is defined by the ability to maintain continuity execution when normal communications fail. Watch for a shift toward automated, standardized reporting that provides "audit-ready" evidence for insurers and stakeholders during a crisis.&lt;/p&gt; 
&lt;p&gt;To stay ahead of these trends, manufacturing security teams must pivot and audit their physical "shadow IT": Identify every networked physical security device and treat it with the same vulnerability management rigor as a server.&amp;nbsp;&lt;/p&gt; 
&lt;p&gt;Underwriters are raising the bar for "operational evidence." Security teams must ensure their security program produces time-stamped, photo-backed activity logs that prove controls are working in practice, not just on paper.&lt;/p&gt; 
&lt;p&gt;Teams must bridge the silos and force coordination between IT and the floor managers. Resilience is built on understanding the physical consequence of a digital alert before it becomes a headline.&lt;/p&gt; 
&lt;p&gt;Notes from the report:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;Recent natural disasters and regional infrastructure outages reinforce that disruption often begins with communication breakdown, not malware. When employees are displaced or internet access is limited, plants struggle to confirm workforce availability, verify site status, and coordinate response across distributed facilities. Through 2027, manufacturers will invest more in degraded-mode procedures, crisis communications automation, and repeatable site-level process discipline.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Physical security systems continue to consolidate onto enterprise networks, which increases the importance of device posture, segmentation, and logging. As a result, platforms that standardize the human and facility layers and make them usable for investigations and response become a core input to resilience and safety outcomes rather than a side system.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: normal;"&gt;Manufacturing was the most targeted industry in 2024 for a reason: the stakes are physical. As Trackforce's report concludes, the organizations that weather the next three years will be those that treat cyber-physical convergence not as a technical hurdle&amp;nbsp;but as a strategic business advantage.&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fcyber-physical-convergence-reality-manufacturing&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>Original Content</category>
      <category>Manufacturing</category>
      <category>OT Security</category>
      <pubDate>Wed, 22 Apr 2026 11:23:00 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/cyber-physical-convergence-reality-manufacturing</guid>
      <dc:date>2026-04-22T11:23:00Z</dc:date>
    </item>
    <item>
      <title>2026 Microsoft Vulnerabilities Report: Why Less Actually Means More Risk</title>
      <link>https://www.secureworld.io/industry-news/microsoft-vulnerabilities-report-2026</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/microsoft-vulnerabilities-report-2026" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Cyber%20Risk%20-%20shutterstock_2637227873.jpg" alt="co-workers looking at computer screen" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p style="font-weight: normal;"&gt;In cybersecurity, we often look for comfort in the numbers. If total vulnerability counts are down, we assume the defense is winning. But the BeyondTrust 13th annual Microsoft Vulnerabilities Report just shattered that illusion.&lt;/p&gt;</description>
      <content:encoded>&lt;p style="font-weight: normal;"&gt;In cybersecurity, we often look for comfort in the numbers. If total vulnerability counts are down, we assume the defense is winning. But the BeyondTrust 13th annual Microsoft Vulnerabilities Report just shattered that illusion.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;The headline for 2026 is a classic "maturity mirage": while the total number of Microsoft vulnerabilities dropped by 6% (to 1,273), critical vulnerabilities doubled year-over-year. We are seeing a massive concentration of risk, where the flaws being discovered are significantly more severe and exploitable than in previous years.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;For cybersecurity teams, &lt;a href="https://www.beyondtrust.com/resources/whitepapers/microsoft-vulnerability-report"&gt;the report&lt;/a&gt; is a mandate to stop counting CVEs and start mapping paths to privilege.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;The most alarming data point in the report is the reversal of a multi-year downward trend in severity. Critical vulnerabilities jumped from 78 to 157 in just 12 months. Here's what's driving it:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;AI-accelerated discovery:&lt;/span&gt; Attackers are using generative AI to analyze patches and reverse-engineer exploits in hours. The "window of exposure" has practically vanished.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;The cloud explosion:&lt;/span&gt; Azure and Dynamics 365 saw a 9x increase in critical vulnerabilities. As enterprises move their "crown jewels" to the cloud, attackers are following the data.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Office as an entry point:&lt;/span&gt; Critical vulnerabilities in Microsoft Office surged 10x. Even as we harden the OS, the productivity tools we use every day remain a fertile ground for high-impact exploits.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: normal;"&gt;For the third year running, Elevation of Privilege (EoP) vulnerabilities dominated the landscape, accounting for 40% of all reported flaws. In the modern threat landscape, &lt;a href="https://www.secureworld.io/industry-news/skeleton-key-era-attackers-logging-in"&gt;"logging in" has replaced "breaking in."&lt;/a&gt; An attacker doesn't need a sophisticated zero-day if they can find a minor bug that allows them to escalate from a standard user to a Domain Admin. This reinforces that Identity is the new perimeter. If an attacker can reach a path to privilege, the game is over.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;The report introduces a critical warning about risks that don't always appear in a CVE count. We are now defending an "Agentic Enterprise" filled with AI agents, service accounts, and long-lived machine credentials.&lt;/p&gt; 
&lt;p&gt;Traditional vulnerability tracking is no longer capturing the full picture. An over-privileged AI agent or a misconfigured OAuth token carries as much risk as a critical buffer overflow, yet these identity vulnerabilities&amp;nbsp;often bypass the standard patching cycle.&lt;/p&gt; 
&lt;p&gt;The BeyondTrust report makes it clear that patching alone is a losing battle. To weather this concentration of risk, security leaders must pivot:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Shrink the blast radius with least privilege:&lt;/span&gt; Since 40% of flaws are EoP, removing administrative rights is the single most effective way to neutralize the impact of a vulnerability. If there is no path to privilege, the exploit hits a dead end.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Assume compromise, then detect:&lt;/span&gt; Patch faster, but operate under the assumption that an attacker is already trying to "log in." Implement behavioral analytics that can spot the "identity-first" attacks that CVE scanners miss.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Secure the non-human frontier:&lt;/span&gt; Apply the same Zero Trust principles to AI agents and service accounts that you apply to your human workforce.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Focus on "paths," not "points":&lt;/span&gt; Stop looking at vulnerabilities in isolation. Use the data to identify the common pathways—like over-privileged cloud identities—that attackers use to move laterally across your Microsoft estate.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: normal;"&gt;The 2026 Microsoft Vulnerabilities Report is a warning that adversaries are getting more surgical. They aren't looking for &lt;i&gt;more&lt;/i&gt; ways in; they are looking for the &lt;i&gt;best&lt;/i&gt; ways in. As James Maude, Field CTO at BeyondTrust, puts it: "Risk is not decreasing, it is concentrating."&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;Here are some further thoughts on the report's findings from other cybersecurity vendor experts.&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff; font-weight: bold;"&gt;&lt;a href="https://www.linkedin.com/in/mayureshdani/"&gt;Mayuresh Dani&lt;/a&gt;, Security Research Manager at Qualys:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li style="color: #242424; background-color: #ffffff;"&gt; &lt;p&gt;"Security researchers face a 90-day disclosure embargo, whereas nation-state sponsored threat actor groups are known to stockpile vulnerabilities indefinitely. Due to the speed with which vulnerabilities are being exploited, regression testing might be left incomplete yielding 'one-and-done'&amp;nbsp;fixes that threat actors often bypass. Hence, enterprises should require development teams to eliminate a vulnerability class rather than a single code path—reducing leading to repeat bypasses."&lt;/p&gt; &lt;/li&gt; 
 &lt;li style="color: #242424; background-color: #ffffff;"&gt; &lt;p&gt;&lt;span style="color: #242424;"&gt;"Organizations should focus on quality-first patching while providing a greater transparency on failure rates. There should be regulatory policy changes that bring some parity between public researchers and state actors. Companies should:&lt;/span&gt;&lt;/p&gt; 
  &lt;ul&gt; 
   &lt;li style="color: #242424; background-color: #ffffff;"&gt; &lt;p&gt;&lt;span style="color: #242424;"&gt;1. Treat every patch as potentially provisional to harden and monitor their complete environments.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
   &lt;li style="color: #242424; background-color: #ffffff;"&gt; &lt;p&gt;&lt;span style="color: #242424;"&gt;2. Apply layered mitigations—network and host based—even after patching."&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
  &lt;/ul&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="color: #242424; background-color: #ffffff; font-weight: bold;"&gt;&lt;a href="https://www.linkedin.com/in/markmcclainceo/"&gt;Mark McClain&lt;/a&gt;, CEO at SailPoint:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li style="color: #242424; background-color: #ffffff;"&gt; &lt;p&gt;"Identity is no longer about perimeter-based defense. The rise in AI-based agents, and the massively accelerating threat landscape, has rendered that approach inadequate, and prompted a shift towards identity as the critical element to enterprise security. There is now a need for real-time, intelligent, and dynamic identity security, built to govern and secure not just 'who,'&amp;nbsp;or in the case of AI agents, 'what,'&amp;nbsp;has access to the enterprise, but what data they can access and what they are able to do once inside."&lt;/p&gt; &lt;/li&gt; 
 &lt;li style="color: #242424; background-color: #ffffff;"&gt; &lt;p&gt;&lt;span style="color: #242424;"&gt;"The modern enterprise requires a new control plane, driven by unifying identity, data, and security. The combined power of these contexts enables real-time decisions to reduce risk without impacting the business. These decisions can be driven by the nature of the identity, the context of the apps and data it can access, the behavior around how it is using these apps&amp;nbsp;and data, and the security signals and risk warnings that may surround it."&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li style="color: #242424; background-color: #ffffff;"&gt; &lt;p&gt;&lt;span style="color: #242424;"&gt;&lt;/span&gt;&lt;span style="color: #242424;"&gt;"To combat this new era of threats, driven by the force multiplier of AI, we need to embrace a new approach of adaptive identity."&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="color: #242424; background-color: #ffffff; font-weight: bold;"&gt;&lt;a href="https://www.linkedin.com/in/treyford/"&gt;Trey Ford&lt;/a&gt;, Chief Strategy and Trust Officer at Bugcrowd:&lt;/p&gt; 
&lt;p&gt;"Cloud misconfigurations are so valuable to both attackers and defenders because they give us the ability to 'accidentally' arrive at a negative outcome—both globally and immediately. There is so much technology focused on detecting misconfigurations in the development and testing pipeline, as well as production monitoring. The question isn't 'can we find those misconfigurations' as much as 'how early and how quickly can we find and address these issues.' Adversarial testing is the ONLY objective way to know if our people, process, and technology are arriving at resilient outcomes."&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff; font-weight: bold;"&gt;&lt;a href="https://www.linkedin.com/in/amit-zimerman/"&gt;Amit Zimerman&lt;/a&gt;, Co-Founder and Chief Product Officer&amp;nbsp;at Oasis Security:&lt;/p&gt; 
&lt;p&gt;"While AI is highly efficient in automating and scaling tasks, human expertise is necessary to interpret complex results, make critical decisions, and apply context-specific reasoning. Humans are essential for ensuring that AI-driven tools are used responsibly and for validating the results of AI processes, especially when it comes to the nuances of certain vulnerabilities or threat landscapes. AI also plays a significant role in 'shift-left'&amp;nbsp;approaches by identifying security vulnerabilities earlier in the software development lifecycle. When integrated into offensive security measures, AI can detect and address issues before they make it into production, reducing the cost of remediation and improving the overall security posture of an organization."&lt;/p&gt;  
</content:encoded>
      <category>Featured</category>
      <category>Vulnerabilities</category>
      <category>Original Content</category>
      <category>Microsoft</category>
      <category>Cyber Risk</category>
      <pubDate>Tue, 21 Apr 2026 16:10:31 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/microsoft-vulnerabilities-report-2026</guid>
      <dc:date>2026-04-21T16:10:31Z</dc:date>
    </item>
    <item>
      <title>Leadership in the Age of AI</title>
      <link>https://www.secureworld.io/industry-news/leadership-age-of-ai</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/leadership-age-of-ai" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/SOC%20-%20data-center-coworkers-doing-brainstorming-monitor-2026-01-11-10-54-31-utc.jpg" alt="coworkers in tech field" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;Last week, I &lt;a href="https://www.linkedin.com/pulse/efficiency-trap-ai-making-work-faster-easier-makes-you-rick-doten-1y0be"&gt;posted an article&lt;/a&gt; about how AI makes us more efficient&amp;nbsp;but actually makes us work more.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;Last week, I &lt;a href="https://www.linkedin.com/pulse/efficiency-trap-ai-making-work-faster-easier-makes-you-rick-doten-1y0be"&gt;posted an article&lt;/a&gt; about how AI makes us more efficient&amp;nbsp;but actually makes us work more.&lt;/p&gt; 
&lt;p&gt;This week, I'm going to talk about how we as people leaders will need to evolve how we manage people and the AI agents that our employees oversee as agents become commonplace in work.&lt;/p&gt; 
&lt;p&gt;For millennia, human leadership has been about delegating tasks to people and orchestrating them towards a unified goal. Keeping them on task, on time, and accurate. This is now what our employees will be doing with agents. It's like everyone gets a promotion.&lt;/p&gt; 
&lt;p&gt;In Simon Sinek's book &lt;em&gt;Start with Why&lt;/em&gt;, he talks about leaders at the top needing to define the &lt;em&gt;Why&lt;/em&gt;, then managers below them determining the &lt;em&gt;What&lt;/em&gt;, and the workers executing the &lt;em&gt;How&lt;/em&gt;. We can use this in managing AI. The AI now takes care of the How; humans start with the What. And leaders keep the Why, as well as define intent, context, judgement, taste—all the things we need to provide AI to be effective.&lt;/p&gt; 
&lt;p&gt;New skills will emerge, including managing non-humans, and managing humans who manage non-humans.&lt;/p&gt; 
&lt;p&gt;And our vocabulary will evolve. We have employees, but what are agents? They are doing the work analysts, engineers, writers, and architects were doing before?&amp;nbsp;They aren't just tools? How do we categorize agents as a workforce?&lt;/p&gt; 
&lt;p&gt;Do we include them in the org charts now? What rights and responsibilities do they get? They have outcomes, use budget, we are dependent on their actions, they are dependent on our direction. They can bring success or risk depending on their actions.&lt;/p&gt; 
&lt;p&gt;Leaders will need judgment on which tasks to automate with agents. Some tasks are too sensitive, too organizationally political, or cultural staples that are not appropriate to automate in their company. Tasks related to human interactions, or specific regulatory tasks, might not be something to give to agents, even if they can do them.&lt;/p&gt; 
&lt;p&gt;We need to develop the guidelines of trustworthiness. Staff need to understand what or when output from AI is trustworthy, how to identify it, how to elicit more trustworthy output, and how to adjust it when it isn't.&lt;/p&gt; 
&lt;p&gt;They need guidance on when and where to spot-check, and when to throw out output that isn't useful. We will need to balance under-trusting agents, which could waste their capability, with over-trusting them, which might cause unexpected outcomes.&lt;/p&gt; 
&lt;p&gt;We need to educate staff that their new robot assistants will likely drift from their intended task, either to try to please them or to go around a roadblock or control to complete the task. They might develop an unexpected yet more efficient method to complete the task. Or, if not given guardrails, they might do something completely different that they assume you wanted achieved. Welcome to the non-deterministic world.&lt;/p&gt; 
&lt;p&gt;This changes measurements of success for individuals, expectations for performance, and what outcomes we can gauge success on. We shift from managing &lt;em&gt;output&lt;/em&gt; to managing &lt;em&gt;judgement&lt;/em&gt;. Can you decompose a goal into agent-addressable sub-tasks, chain them, handle failure modes, and know when the whole approach is wrong?&lt;/p&gt; 
&lt;p&gt;We start to evaluate &lt;em&gt;decisions&lt;/em&gt; the humans make instead of their &lt;em&gt;deliverables&lt;/em&gt;. We won't ask what they accomplished this week, but ask what their agents did: Was there any drift? Did you do any re-alignment? Did they do anything that surprised you? What trends and patterns are you seeing? What threshold of deviation from intended behavior or outcome triggers scope change or decommissioning?&lt;/p&gt; 
&lt;p&gt;The performance review shifts from "did you ship it?" to "did you make the right call about what to delegate, what to verify, and what to escalate?"&lt;/p&gt; 
&lt;p&gt;Did we define a threshold for alerting to inject human judgement? Do we have the telemetry to know when we approach it? Did we write a pre-defined consequence ladder? These need to be documented in the governance and operational model, and in the operational context for the agents (e.g., skills files).&lt;/p&gt; 
&lt;p&gt;Accountability is a huge discussion—and the area I get asked about the most. The items mentioned above, and others, need to be defined at the beginning of the project, not decided when something goes wrong.&lt;/p&gt; 
&lt;p&gt;I've used an analogy a lot the past year: if your dog bites someone, it's not the dog's fault, it's yours. You have stewardship of the animal, where you are both responsible for its actions&amp;nbsp;and for its care and wellbeing. Agents are the same.&lt;/p&gt;  
</content:encoded>
      <category>Featured</category>
      <category>Leadership</category>
      <category>Featured Author</category>
      <category>AI</category>
      <pubDate>Mon, 20 Apr 2026 20:48:41 GMT</pubDate>
      <guid>https://www.secureworld.io/industry-news/leadership-age-of-ai</guid>
      <dc:date>2026-04-20T20:48:41Z</dc:date>
      <dc:creator>Rick Doten</dc:creator>
    </item>
    <item>
      <title>The NVD Course Correction: Navigating NIST’s Strategic Pivot for 2026</title>
      <link>https://www.secureworld.io/industry-news/nist-nvd-course-correction</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/nist-nvd-course-correction" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Software_Dev_shutterstock_2466333519.jpg" alt="The NVD Course Correction: Navigating NIST’s Strategic Pivot for 2026" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;For the better part of the last two years, the cybersecurity community has watched the National Vulnerability Database (NVD) with a mix of concern and frustration. As the volume of Common Vulnerabilities and Exposures (CVEs) hit record highs, the "gold standard" of vulnerability enrichment seemed to be buckling under the weight of its own success.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;For the better part of the last two years, the cybersecurity community has watched the National Vulnerability Database (NVD) with a mix of concern and frustration. As the volume of Common Vulnerabilities and Exposures (CVEs) hit record highs, the "gold standard" of vulnerability enrichment seemed to be buckling under the weight of its own success.&lt;/p&gt;  
&lt;p&gt;NIST has now officially announced a major operational update to the NVD to address this growth. For cybersecurity professionals, this isn't just a change in government workflow—it is a fundamental shift in how we will manage the vulnerability lifecycle moving forward.&lt;/p&gt; 
&lt;p&gt;The numbers are staggering. As software complexity explodes—driven by the rapid integration of AI and the sprawling growth of the "Agentic Enterprise"—the sheer number of CVEs has outpaced the human-led enrichment process at NIST.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;This resulted in a significant enrichment gap,&amp;nbsp;where thousands of CVEs lacked critical metadata like CVSS scores, CWE mappings, and CPE identifiers. For the enterprise, this gap created a "Maturity Mirage," where security teams were aware of vulnerabilities but lacked the high-context data needed to prioritize them effectively.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;The update signals that NIST is moving toward a more collaborative, automated enrichment model. For practitioners, this means it is time to update their "Mental Risk Management Operating System."&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;The Shift: Practitioners can no longer wait for the NVD to provide the "final word" on a vulnerability before acting.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt;The Action: Teams must become more reliant on direct data from CVE Numbering Authorities (CNAs) and supplement NVD data with threat intelligence—such as CISA’s Known Exploited Vulnerabilities (KEV) catalog—to bridge the enrichment window.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;We asked &lt;a href="https://www.linkedin.com/in/kipboyle/"&gt;Kip Boyle&lt;/a&gt;, vCISO at Cyber Risk Opportunities LLC, for&amp;nbsp;his take on the changes:&lt;/p&gt; 
&lt;p&gt;"NIST just stopped pretending it could enrich every CVE. Most security teams should be relieved. Here is why this matters for boards and CFOs:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li style="color: #242424; background-color: #ffffff;"&gt;For years, vendors have sold "patch everything CVSS 7 and above" as if that were a strategy. It never was. Patch coverage on critical-severity vulnerabilities is a vanity metric. Most of those vulnerabilities will never be exploited in your environment.&lt;/li&gt; 
 &lt;li style="color: #242424; background-color: #ffffff;"&gt;The CVE volume that broke NIST is the same volume that breaks every internal vulnerability management program. NIST's response is the right one: focus on what is actually being exploited (CISA's Known Exploited Vulnerabilities Catalog), federal-use software, and critical software per Executive Order 14028. Everything else still gets listed, but does not get the severity-score halo."&lt;/li&gt; 
&lt;/ul&gt; 
&lt;div style="color: #242424; background-color: #ffffff;"&gt;Kip continued, "This forces a long-overdue conversation in mature programs:&lt;/div&gt; 
&lt;ol style="background-color: #ffffff; color: #333333;"&gt; 
 &lt;li&gt;KEV coverage is the better operational metric than CVSS coverage.&lt;/li&gt; 
 &lt;li&gt;CNA-provided severity scores are now the default. Trust the vendor closest to the code, then verify in your context.&lt;/li&gt; 
 &lt;li&gt;If your patching SLAs depend on someone else enriching CVEs for you, your program was never risk-based.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;p style="background-color: #ffffff; color: #333333; font-weight: normal;"&gt;He concluded, "The wizard's robes are off. Vulnerability management is a prioritization problem, not a scoring problem."&lt;/p&gt; 
&lt;p style="background-color: #ffffff; color: #333333; font-weight: normal;"&gt;Boyle will be teaching a PLUS Course on "Master the NIST Cybersecurity Framework v2.0 in Just Six Hours" at &lt;a href="https://events.secureworld.io/agenda/philadelphia-pa-2026/"&gt;SecureWorld Philadelphia&lt;/a&gt; May 6-7. Check the full agenda for his course details and the entire conference agenda. Earn 6 CPE for Boyle's course and 12 CPE for the 2-day conference for 18 total.&lt;/p&gt; 
&lt;p&gt;"To me, this change represents a welcome transition from a 'Universal Vulnerability Library' to a more refined 'Risk-Based Vulnerability Triage' model," said &lt;a href="https://www.linkedin.com/in/mayureshdani/"&gt;Mayuresh Dani&lt;/a&gt;, Security Research Manager at Qualys Threat Research Unit. "This change will significantly impact solutions; specifically hardcoded tools, that provide a verdict based on the NVD's Common Platform Enumeration (CPE) strings. This could lead to a situation where a critical CVE does not list the CPE information as it has not been enriched by the NVD and no alerts will be generated for such vulnerability."&lt;/p&gt; 
&lt;p&gt;He continued, "I also feel that this move will force the industry to move away from 'Patch Everything' toward 'Patch What Matters.' Just the burden of determining its severity and relevance now falls entirely on the individual organization. This can be offset when CNAs provide the additional metadata as they understand the architecture of their own products better than a NIST analyst. However, there might be situations where a vendor is downplaying a vulnerability in their product for PR purposes."&lt;/p&gt; 
&lt;p&gt;Dani concluded, "Overall, I will miss the loss of a neutral third-umpire since NIST acted as an unbiased third party up until now."&lt;/p&gt; 
&lt;p&gt;As NIST prioritizes automation and consortium-based enrichment, enterprises must ensure their own vulnerability management tools are capable of ingesting diverse, real-time data feeds.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Visibility is King: As seen in recent reports on SaaS and "Shadow AI" sprawl, your exposure is likely larger than your current scanner admits.&lt;/li&gt; 
 &lt;li&gt;Prioritization: Move away from "patch everything" toward risk-based prioritization. If the NVD metadata is delayed, use reachability analysis and business context to decide what gets patched first.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;NIST is leaning into a "Consortium" approach, so governments and vendors (industry partners) must distribute the enrichment workload.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Vendors: There is now a higher expectation for software producers to provide complete, accurate metadata at the time of CVE assignment.&lt;/li&gt; 
 &lt;li&gt;Governments: This move ensures that the NVD remains a viable public resource, but it also underscores the need for "Cyber Resilience"—the ability to maintain security posture even when centralized government resources are in transition.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;h3&gt;&lt;strong&gt;AI: The Help and the Hazard&lt;/strong&gt;&lt;/h3&gt; 
&lt;p style="font-weight: normal;"&gt;While NIST is exploring AI to help automate the categorization of vulnerabilities, the 2026 landscape reminds us that AI is a double-edged sword. As noted in other recent industry research, while AI can speed up defensive scanning, it also allows adversaries to reverse-engineer patches and weaponize N-day vulnerabilities in a fraction of the time. NIST's operational update is, in many ways, a defensive response to this "AI-driven velocity."&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;"We've seen a dramatic spike in AI-reported valid vulnerabilities. According to reports, last year alone, the number of reported vulnerabilities more than doubled," said &lt;a href="https://www.linkedin.com/in/vincenzoiozzo/"&gt;Vincenzo Iozzo&lt;/a&gt;, CEO and Co-founder at SlashID. "As a result, the new NIST policy is sensible and the categories still covered are the most critical ones. Further, LLMs are approaching the point where they are good enough to allow individual organizations to prioritize and contextualize vulnerabilities in their environment reducing the need for enriched CVEs."&lt;/p&gt; 
&lt;p&gt;NIST’s update to the NVD is a necessary evolution. By acknowledging that the old manual model is unsustainable, it is&amp;nbsp;paving the way for a more resilient, decentralized vulnerability ecosystem.&lt;/p&gt; 
&lt;p&gt;"What NIST is acknowledging is something the research community has understood for years: you cannot centralize vulnerability triage at this volume and expect it to hold," said &lt;a href="https://www.linkedin.com/in/treyford/"&gt;Trey Ford&lt;/a&gt;, Chief Strategy and Trust Officer at Bugcrowd. "The signal that actually drives remediation priority has always come from real-world exploitability, not database metadata, and that requires human researchers with adversarial instincts working continuously against live environments. The next generation of vulnerability programs will be built around that kind of active, distributed signal, not quarterly enrichment cycles."&lt;/p&gt; 
&lt;p&gt;For the cybersecurity community, the message is clear: the database is a tool, not a crutch. Success in 2026 will be defined by how quickly practitioners can turn a CVE "alert" into a high-context "action," regardless of how long it takes for the official metadata to catch up.&lt;/p&gt;  
</content:encoded>
      <category>Featured</category>
      <category>Vulnerabilities</category>
      <category>Original Content</category>
      <category>NIST</category>
      <pubDate>Fri, 17 Apr 2026 13:30:02 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/nist-nvd-course-correction</guid>
      <dc:date>2026-04-17T13:30:02Z</dc:date>
    </item>
    <item>
      <title>OpenAI Launches GPT-5.4-Cyber, Expands Trusted Access Program as AI Defense Race Heats Up</title>
      <link>https://www.secureworld.io/industry-news/openai-launches-gpt-5.4-cyber-expands-trusted-access-program-as-ai-defense-race-heats-up</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/openai-launches-gpt-5.4-cyber-expands-trusted-access-program-as-ai-defense-race-heats-up" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/openAI%20concentrated-afro-american-businessman-working-2026-01-08-05-37-26-utc.jpg" alt="OpenAI Launches GPT-5.4-Cyber, Expands Trusted Access Program as AI Defense Race Heats Up" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;One week after Anthropic unveiled its Mythos frontier model — deployed in a controlled manner through Project Glasswing — OpenAI has answered with GPT-5.4-Cyber, a variant of GPT-5.4 fine-tuned specifically for defensive cybersecurity use cases.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;One week after Anthropic unveiled its Mythos frontier model — deployed in a controlled manner through Project Glasswing — OpenAI has answered with GPT-5.4-Cyber, a variant of GPT-5.4 fine-tuned specifically for defensive cybersecurity use cases.&lt;/p&gt;  
&lt;p&gt;Alongside the model release, OpenAI announced it is scaling its &lt;a href="https://openai.com/index/scaling-trusted-access-for-cyber-defense/"&gt;Trusted Access for Cyber (TAC) program&lt;/a&gt; to thousands of authenticated individual defenders and hundreds of teams responsible for securing critical software. Access to GPT-5.4-Cyber is tiered: individuals can verify their identity at chatgpt.com/cyber, while enterprise teams apply through an OpenAI account representative.&lt;/p&gt; 
&lt;p&gt;"The progressive use of AI accelerates defenders — those responsible for keeping systems, data, and users safe — enabling them to find and fix problems faster in the digital infrastructure everyone relies on," OpenAI said.&lt;/p&gt; 
&lt;h2 style="font-weight: normal;"&gt;What GPT-5.4-Cyber Actually Does&lt;/h2&gt; 
&lt;p&gt;Unlike standard GPT-5.4, which applies blanket refusals to many dual-use security queries, GPT-5.4-Cyber is described by OpenAI as "cyber-permissive"—meaning it has a deliberately lower refusal threshold for prompts that serve a legitimate defensive purpose. That includes binary reverse engineering, enabling security professionals to analyze compiled software for potential malware, vulnerabilities, and security robustness without access to the source code.&lt;/p&gt; 
&lt;p&gt;The model also carries specific restrictions. Use in zero-data-retention environments is limited, given that OpenAI has less visibility into the user, environment, and intent in those configurations — a tradeoff the company frames as a necessary control surface in a tiered-access model.&lt;/p&gt; 
&lt;p&gt;OpenAI also pointed to progress with Codex Security, its AI-powered application security agent now in research preview, which has helped fix over 3,000 critical and high-severity vulnerabilities across codebases since launch.&lt;/p&gt; 
&lt;h3 style="font-weight: normal;"&gt;Two Philosophies, One Problem&lt;/h3&gt; 
&lt;p&gt;The rapid one-two punch of releases from Anthropic and OpenAI has sharpened a debate in the security community — not just about which model is more capable, but about which risk philosophy holds up when capabilities are this powerful.&lt;/p&gt; 
&lt;p&gt;Ronald Lewis, Head of Cybersecurity Governance at Black Duck, laid out the divergence plainly: OpenAI's TAC approach mirrors how advanced forensic platforms have historically been released — restricted to validated professionals, governed by contractual controls, designed to augment expert judgment. Anthropic, by contrast, placed greater emphasis on model alignment and internal self-restraint over individual-level access controls.&lt;/p&gt; 
&lt;p&gt;"This represents a deliberate departure from the conventional 'dangerous tool → trusted operator' paradigm," Lewis said, noting that Anthropic's strategy reflects a different theory of risk management — that sufficiently aligned models combined with institutional governance can enable broad, high-capability use without strict individual gatekeeping.&lt;/p&gt; 
&lt;p&gt;Lewis characterized OpenAI's posture as&amp;nbsp;more conservative: "It treats advanced cyber capabilities as regulated instruments, suitable for controlled deployment within professional workflows, much like forensic and investigative tooling, rather than as broadly accessible general-purpose systems."&lt;/p&gt; 
&lt;h4 style="font-weight: normal;"&gt;The Remediation Gap Nobody's Solving&lt;/h4&gt; 
&lt;p&gt;Security practitioners will find the sharpest analysis in what several experts say these announcements are failing to address: the widening gap between discovery speed and remediation capacity.&lt;/p&gt; 
&lt;p&gt;Marcus Fowler, CEO of Darktrace Federal, welcomed the expanded access but cautioned against confusing faster analysis with faster risk reduction. "Some of the greatest challenges in cybersecurity today are not the identification or analysis of weak code," Fowler said. "Most organizations are still constrained by the realities of remediation once an issue is discovered: patch development, testing, deployment, uptime requirements, and resource limitations."&lt;/p&gt; 
&lt;p&gt;Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, put the distinction bluntly: "Finding bugs is very different from fixing bugs."&lt;/p&gt; 
&lt;p&gt;Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, was more pointed. The bottleneck, he argued, has never been the model — it's the program architecture that determines which findings get verified, which get triaged, and which actually get fixed before an attacker reverse-engineers the same patch.&lt;/p&gt; 
&lt;p&gt;&lt;i&gt;"What OpenAI's TAC expansion and Anthropic's Glasswing both tell us is that AI-discovered vulnerabilities are outpacing the coordinated infrastructure built to remediate them. The next generation of security programs won't be judged on which AI model they use to find vulnerabilities — they'll be judged on whether they built the program architecture, researcher coordination, and triage capacity to close the gap between machine-speed discovery and human-speed remediation."&lt;/i&gt;&lt;/p&gt; 
&lt;p&gt;— Trey Ford, Chief Strategy and Trust Officer, Bugcrowd&lt;/p&gt; 
&lt;p&gt;Ford's bottom line for CISOs: "The question every CISO should be asking isn't which model they can access — it's whether their program was designed to act on what those models find."&lt;/p&gt; 
&lt;h5 style="font-weight: normal;"&gt;The Access Control Problem AI Can't Gate Its Way Out of&lt;/h5&gt; 
&lt;p&gt;Ram Varadarajan, CEO at Acalvio, identified a harder architectural limitation that both releases sidestep. OpenAI's identity-gating is a reasonable control surface, he said, but one that "collapses entirely when the attacker is an agentic AI operating with authenticated credentials inside the perimeter, where identity is neither suspicious nor verifiable."&lt;/p&gt; 
&lt;p&gt;"The industry is converging on knowing who's in the environment," Varadarajan said. "But the more durable question is whether the environment itself can be made to betray what an attacker — human or AI — actually does when no one's watching. That question — environment as detection surface — may be the one that frontier model vendors are structurally unable to answer."&lt;/p&gt; 
&lt;h6 style="font-weight: normal;"&gt;What Comes Next&lt;/h6&gt; 
&lt;p&gt;OpenAI signaled that the TAC expansion is explicitly iterative. The company intends to broaden access to critical infrastructure defenders over time, and acknowledged that today's safeguards are calibrated to current model capabilities — future generations will require more extensive defensive architectures.&lt;/p&gt; 
&lt;p&gt;Notably, GPT-5.4-Cyber is not currently available to U.S. government agencies, though OpenAI told reporters it is in ongoing discussions and will evaluate access through internal governance and safety review processes.&lt;/p&gt; 
&lt;p&gt;Whether the AI-for-defense race ultimately benefits practitioners will depend less on which company's release philosophy wins out and more on whether the security organizations receiving these tools have the program infrastructure to act on what the models find.&lt;/p&gt; 
</content:encoded>
      <category>Featured</category>
      <category>Vulnerabilities</category>
      <category>Artificial Intelligence</category>
      <category>Original Content</category>
      <category>Threat Intel</category>
      <category>Coding</category>
      <pubDate>Thu, 16 Apr 2026 21:23:05 GMT</pubDate>
      <author>drewt@secureworld.io (Drew Todd)</author>
      <guid>https://www.secureworld.io/industry-news/openai-launches-gpt-5.4-cyber-expands-trusted-access-program-as-ai-defense-race-heats-up</guid>
      <dc:date>2026-04-16T21:23:05Z</dc:date>
    </item>
    <item>
      <title>Anthropic's Claude Mythos Signals a New Era in AI-Powered Cybersecurity—and a Race No One Is Ready For</title>
      <link>https://www.secureworld.io/industry-news/anthropics-claude-mythos-signals-a-new-era-in-ai-powered-cybersecurity-and-a-race-no-one-is-ready-for</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/anthropics-claude-mythos-signals-a-new-era-in-ai-powered-cybersecurity-and-a-race-no-one-is-ready-for" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/AI%20-%20modern-interior-of-database-center-with-a-lot-of-h-2026-03-20-00-20-59-utc%20copy-2.jpg" alt="data center racks" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;On March 26, 2026, a routine configuration error at Anthropic inadvertently left thousands of unpublished internal assets publicly accessible on the internet. Among them: a draft blog post describing a new model the company had been quietly developing—one it called "by far the most powerful AI model we've ever developed,"&amp;nbsp;and which it warned could "presage an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders."&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;On March 26, 2026, a routine configuration error at Anthropic inadvertently left thousands of unpublished internal assets publicly accessible on the internet. Among them: a draft blog post describing a new model the company had been quietly developing—one it called "by far the most powerful AI model we've ever developed,"&amp;nbsp;and which it warned could "presage an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders."&lt;/p&gt;  
&lt;p&gt;Eleven days later, on April 7, Anthropic made it official. &lt;a href="https://red.anthropic.com/2026/mythos-preview/"&gt;Claude Mythos Preview&lt;/a&gt; had arrived—not with a public release, but with a restricted defensive deployment unlike anything the AI industry had organized before. Anthropic had concluded the model was too capable to distribute widely, and chose a third path: deploy it defensively, at scale, under structured conditions, before offensive actors developed comparable capabilities.&lt;/p&gt; 
&lt;p&gt;What makes Mythos Preview different from every AI security tool that preceded it is not just what it can find; it is what it does next. Prior models could assist with vulnerability discovery but rarely converted findings into working exploits. Mythos Preview does both, autonomously, without human intervention beyond an initial prompt. Given a target and a single instruction, the model reads source code, forms hypotheses, validates them against a live environment, and delivers a complete, weaponized exploit. The loop from prompt to root access now runs in hours, sometimes overnight, at a cost that can be under $50 per finding.&lt;/p&gt; 
&lt;p&gt;That is the inflection point. And according to the security practitioners who have been watching this space closely, the industry's response has barely begun.&lt;/p&gt; 
&lt;h2 style="font-weight: normal;"&gt;What Project Glasswing actually is&lt;/h2&gt; 
&lt;p&gt;Project Glasswing brings together 12 founding partners—Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic itself—alongside more than 40 additional organizations responsible for building or maintaining critical software infrastructure. Anthropic has committed $100 million in model usage credits to the program, with Mythos Preview accessible via the Claude API, Amazon Bedrock, Google Cloud's Vertex AI, and Microsoft Foundry. Participating organizations can use the model to scan and secure both their own first-party software and the open source systems they depend on.&lt;/p&gt; 
&lt;p&gt;One week after Anthropic's announcement, OpenAI entered the same arena with &lt;a href="https://openai.com/index/scaling-trusted-access-for-cyber-defense/"&gt;GPT-5.4-Cyber&lt;/a&gt;, a fine-tuned variant of GPT-5.4 deployed to thousands of verified defenders through its Trusted Access for Cyber program. The two launches reflect a genuine strategic disagreement about how to handle models this capable.&lt;/p&gt; 
&lt;p&gt;Anthropic restricted access by scarcity, concluding Mythos was too dangerous to distribute widely, regardless of who was asking. OpenAI restricted by identity verification instead, concluding that wider access to properly verified defenders produces better outcomes. The disagreement itself signals something important: the industry has not yet converged on a framework for managing AI systems at this level of capability.&lt;/p&gt; 
&lt;p&gt;Anthropic has also engaged in ongoing discussions with federal officials and has privately warned top government officials that Mythos makes large-scale cyberattacks significantly more likely this year. United States Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell have separately cautioned financial industry executives about the model's potential dangers.&lt;/p&gt; 
&lt;h3 style="font-weight: normal;"&gt;What the model actually found&lt;/h3&gt; 
&lt;p&gt;Anthropic's researchers used a consistent scaffold for all vulnerability discovery: a containerized environment, a Claude Code instance running Mythos Preview, and a single-paragraph prompt asking the model to find a security vulnerability. Human involvement ends there. The model reads code, forms hypotheses, validates them against a running target, and outputs a bug report with a proof-of-concept exploit and reproduction steps.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;A 27-year-old OpenBSD kernel crash.&lt;/span&gt; In OpenBSD’s TCP SACK implementation, Mythos Preview identified a two-bug chain allowing a remote attacker to crash any OpenBSD host responding over TCP. The flaw dates to 1998 and had survived decades of review on an operating system built around security as its primary design principle. It has been patched.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;A 16-year-old FFmpeg codec vulnerability.&lt;/span&gt; In the H.264 decoder, a type mismatch dating to FFmpeg’s 2003 codebase — made exploitable by a 2010 refactor — allows a specially crafted video frame to trigger an out-of-bounds write. The underlying bug survived every fuzzer and every human reviewer who had examined the code in the intervening years. Three FFmpeg vulnerabilities found by Mythos have been patched in FFmpeg 8.1.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;A 17-year-old FreeBSD RCE, fully exploited without human input.&lt;/span&gt; CVE-2026-4747 is a stack buffer overflow in FreeBSD’s NFS server that allows unauthenticated remote root access. Mythos Preview identified the vulnerability, discovered a method to bypass the host ID requirement using an unauthenticated NFSv4 call, constructed a 20-gadget ROP chain, and split it across six sequential RPC packets to fit within the per-request constraint — entirely without human involvement after the initial prompt. An independent research firm had previously demonstrated that Opus 4.6 could exploit the same flaw, but only with substantial human guidance.&lt;/p&gt; 
&lt;p&gt;Beyond these disclosed cases, Anthropic reports thousands of additional high- and critical-severity findings across every major operating system, every major web browser, cryptography libraries, and web applications — the overwhelming majority of which are still under coordinated disclosure. Of the 198 vulnerability reports reviewed by contracted human validators so far, expert assessors agreed with the model’s severity rating in 89% of cases and were within 1 severity level in 98% of cases.&lt;/p&gt; 
&lt;p&gt;Independent validation has also arrived. The UK’s AI Security Institute conducted its own evaluation of Mythos Preview, finding that on expert-level capture-the-flag tasks — tasks no model could complete before April 2025 — Mythos Preview succeeds 73% of the time. Using a 32-step corporate network attack simulation spanning initial reconnaissance through full network takeover, AISI observed the model executing multi-stage attacks autonomously, tasks that would take human professionals days to complete. Marcus Fowler, CEO of Darktrace Federal, puts the significance plainly: “When AI can find vulnerabilities at a speed and depth that materially changes how quickly weaknesses can be identified, it fundamentally accelerates the discovery of issues across both new and existing systems.”&lt;/p&gt; 
&lt;h4 style="font-weight: normal;"&gt;The signal leadership should actually hear&lt;/h4&gt; 
&lt;p&gt;There is a temptation to read Project Glasswing as good news—the cavalry arriving before the breach. Bradley Smith, SVP and Deputy CISO at BeyondTrust, pushes back directly on that framing.&lt;/p&gt; 
&lt;p&gt;"What Mythos and Glasswing should signal to leadership is not reassurance, it is urgency," Smith said. "If Anthropic's own assessment is that this model is too dangerous to release publicly because of what it could do in the wrong hands, that tells you something about what less capable but freely available models are already doing in the wrong hands right now. And when open-weight models reach this capability threshold—which credible estimates put at months rather than years—the volume and sophistication of AI-driven attacks scales to a level most organizations are structurally unprepared for."&lt;/p&gt; 
&lt;p&gt;Smith's point extends beyond Mythos itself. The BeyondTrust security team has already observed AI-assisted tooling compress the exploitation window for critical vulnerabilities to minutes—not weeks—using current-generation tools that existed before this announcement. The adversary, he argues, already has AI working for them. State-sponsored and criminal threat actors are already using AI-augmented tooling at a speed and scale that legacy defense postures cannot match.&lt;/p&gt; 
&lt;p&gt;The U.S. government's posture reinforces the urgency, with senior financial regulators escalating warnings to industry executives and Anthropic privately briefing federal officials on the threat.&lt;/p&gt; 
&lt;p&gt;Diana Kelley, CISO at Noma Security, translates the organizational imperative into practical terms: assume vulnerability discovery will accelerate whether you are ready or not. That means faster validation pipelines, tighter feedback loops between development and security, and a hard look at risk exceptions that were previously justified by the assumption that exploitation required rare human expertise. "That assumption,"&amp;nbsp;Kelley said, "is weakening."&lt;/p&gt; 
&lt;h5 style="font-weight: normal;"&gt;The OT/IoT blind spot Glasswing has not addressed&lt;/h5&gt; 
&lt;p&gt;Project Glasswing's partner list reads like a who's who of enterprise IT and cloud infrastructure. What it does not include is equally telling: no specialized expertise in OT, IoT, or industrial control systems security.&lt;/p&gt; 
&lt;p&gt;For John Gallagher, VP of Viakoo Labs, that gap is where the most serious damage from Mythos will actually land. "Mythos is OS agnostic," he said, "but vulnerability remediation is not. There is no 'Windows Update' for a water pump or an IoT gateway."&lt;/p&gt; 
&lt;p&gt;There are a handful of operating systems used in IT and data processing, and more than 150,000 in OT/IoT/cyber-physical systems. Enterprise IT has mature, broadly deployed solutions for managing a surge in patches and credential changes. The vast majority of OT, IoT, ICS, and CPS devices do not. A tsunami of newly discovered zero-days hitting factory floors, water treatment plants, and fleets of cameras and access control devices will find most organizations without the automated remediation tools needed to respond at speed. Gallagher also flags that Mythos doesn't just find code bugs; it identifies architectural flaws in how machine-to-machine communication occurs, meaning the fix isn't always a code patch but a total re-governance of a device's credentials.&lt;/p&gt; 
&lt;p&gt;Doc McConnell, Head of Policy at Finite State and a former CISA Branch Chief, extends the point to connected device manufacturers building technology that underpins critical infrastructure, manufacturing, and medical devices, where malfunctions can cost lives. The EU Cyber Resilience Act's vulnerability and incident reporting requirements come into force in September of this year; organizations that lack automated response capabilities will be exposed at that deadline.&lt;/p&gt; 
&lt;p&gt;"If you're waiting until a CVE drops to find out whether your product is affected, you’re already behind," McConnell said. "Binary analysis and software composition analysis need to happen continuously from the very first stages of design and development—not as a final check when the features are final and the release is scheduled. We have to assume that if Anthropic is doing this loudly and responsibly, someone else is doing it quietly—and they may not have any interest in disclosing what they find."&lt;span style="color: #444444;"&gt;&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;Gallagher is direct about what Glasswing is missing: in OT and IoT security, the major partners lack the focus and technology to enable automated or autonomous patching at the edge. Generating an AI-powered playbook is a hollow victory if you lack the means to execute it. To truly harden the world's most vulnerable systems, Project Glasswing will need to move beyond boardroom giants and collaborate with best-in-class innovators who can take action where these devices actually live.&lt;/p&gt; 
&lt;h6 style="font-weight: normal;"&gt;A skeptical read&lt;/h6&gt; 
&lt;p&gt;Not everyone accepts Anthropic's framing at face value. Steven Swift, Managing Director of Suzu Labs, argues that several of the most technically detailed demonstrations—including the Linux kernel exploit walkthroughs—show a model writing code based on well-described prior context, rather than autonomously discovering and exploiting novel vulnerabilities. He also raises a structural accountability concern: because Mythos Preview is not publicly available, independent researchers cannot audit the claims. "Anthropic knows what they're doing," Swift said. "They’re making big claims, because attention is good for their business model—providing just enough detail so that the claims look convincing at first glance."&lt;/p&gt; 
&lt;p&gt;Swift's critique deserves to be held alongside the report's most defensible data points. The 27-year-old OpenBSD zero-day and the 16-year-old FFmpeg flaw were confirmed by AddressSanitizer; both have been patched and were found autonomously in code that had been extensively reviewed and fuzz-tested. The UK AISI's independent evaluation provides third-party corroboration that does not rely on Anthropic's own testing.&lt;/p&gt; 
&lt;p&gt;Uzair Gadit, CEO of Secure.com, offers his calibrated read of the hype-versus-reality question: "There's likely some hype in the claims, but not in the direction in which cybersecurity is traveling—and that distinction matters. FUD [fear, uncertainty, and doubt] fills the gap when validation lags capability. That's exactly where we are right now."&lt;/p&gt; 
&lt;div style="font-weight: normal; font-size: 24px;"&gt;
 What defenders should do now
&lt;/div&gt; 
&lt;p&gt;The Cloud Security Alliance CISO Community, together with SANS, OWASP's Gen AI Security Project, and several CISOs, has published a strategy brief titled &lt;a href="https://labs.cloudsecurityalliance.org/mythos-ciso/"&gt;"The AI Vulnerability Storm: Building a Mythos-Ready Security Program"&lt;/a&gt; that offers operational guidance for organizations working through their response.&lt;/p&gt; 
&lt;p&gt;Sunil Gottumukkala, CEO of Averlon, offers a pointed sequencing note worth internalizing first: the initial vulnerabilities to hit organizations from Mythos-class models will not be in their proprietary code; they will be in vendor software and open-source&amp;nbsp;components that organizations consume. The diagnostic questions that matter most are operational: Can you patch critical systems in near real time? Do you have a complete software inventory including dependencies? Can your team sustain a surge in patching and malicious activity simultaneously?&lt;/p&gt; 
&lt;p&gt;With that sequencing in mind, practitioners across this space converge on several priorities:&lt;/p&gt; 
&lt;ul style="list-style-type: disc;"&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Deploy AI-assisted vulnerability discovery now, with current models.&lt;/span&gt; Opus 4.6 and comparable frontier models already find high- and critical-severity bugs across OSS-Fuzz targets, web applications, cryptography libraries, and the Linux kernel. Organizations that have not adopted AI-assisted bugfinding are leaving findings on the table—and potentially leaving them for adversaries to find first.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Compress patch cycles and revisit your legacy vulnerability backlog.&lt;/span&gt; N-day exploitation is now faster and cheaper. Tighten patching enforcement windows, enable auto-update where feasible, and treat dependency bumps carrying CVE fixes as urgent rather than routine maintenance. Exceptions previously accepted as low-risk based on exploitation difficulty may no longer be viable.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Plan for contractual and disclosure obligations at scale.&lt;/span&gt; Morey Haber, Chief Security Advisor at BeyondTrust, flags an underreported downstream consequence: organizations with contractual notification clauses tied to CVSS scores—typically triggering at 9.0—may face a flood of mandatory private disclosures as AI-driven discovery surfaces previously undetected vulnerabilities at scale. Legal and compliance teams need to be looped into vulnerability management planning now.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Implement Zero Trust and runtime attestation as a near-term mitigation.&lt;/span&gt; George McGregor of Approov argues that while accelerating patch cycles is valuable, it may be too slow to address the immediate risk window. Runtime app and device attestation can block AI agents and validate every API request, defending against exploitation of vulnerabilities while patching pipelines catch up.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Shift from visibility to decision speed.&lt;/span&gt; As Gadit frames it, the constraint for defenders has moved from finding issues to deciding what to fix—in what order, fast enough. "Security teams are about to be measured on response velocity, not just coverage,"&amp;nbsp;he said. Detection, prioritization, and action need to connect into a single automated loop, with humans in the loop rather than humans as the bottleneck.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Build continuous security into the product lifecycle.&lt;/span&gt; For connected device manufacturers and anyone shipping software that underpins critical infrastructure, binary analysis and software composition analysis need to happen from the earliest stages of design, not as a final check. A real-time SBOM with automated reachability analysis for new vulnerabilities is the minimum viable posture.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Jason Schmitt, CEO of Black Duck, adds a defense-in-depth frame that prevents any single tool—including Mythos—from being mistaken for a complete solution. Mythos appears capable of automating the most expensive and least scalable tier of security work: the human-driven penetration testing and bug bounty layer that catches what static analysis and fuzzing miss. That is significant. But it does not replace the upstream layers, and the complete platform remains one that finds every exploitable vulnerability, remediates them as efficiently as possible, and can deterministically prove it.&lt;/p&gt; 
&lt;div style="font-weight: normal; font-size: 24px;"&gt;
 The bot-on-bot future
&lt;/div&gt; 
&lt;p&gt;Ram Varadarajan, CEO of Acalvio, names where this leads plainly: "This confirms once again our bot-on-bot future in cybersecurity. We've reached a point where traditional, human-led security can no longer keep pace with automated attacks, forcing a total rethink of how we protect our data."&lt;/p&gt; 
&lt;p&gt;Fowler adds one important second-order observation that deserves not to be lost in the urgency: as external exploitation becomes harder against hardened systems, attackers will adapt toward the human. Insider risk—compromised credentials, malicious insiders, coerced access—requires no exploitation of vulnerabilities at all. Hardening the code does not harden the human.&lt;/p&gt; 
&lt;p&gt;Project Glasswing is an important step. The $100 million commitment, the breadth of the partner coalition, and the seriousness with which Anthropic has approached coordinated disclosure all reflect genuine effort. But the initiative is, by design, limited to a small subset of organizations facing this threat. For everyone else, the window between when Mythos-class capabilities become broadly available and when defenses are ready is the problem that requires action today.&lt;/p&gt; 
&lt;p&gt;"If your current vulnerability management strategy still involves a human clicking 'Approve'&amp;nbsp;on a Tuesday morning, you aren't defending a network. You are managing a museum," said &lt;span style="color: #444444;"&gt;Noelle Murata, Sr. Se&lt;/span&gt;&lt;span style="color: #444444;"&gt;curity Engineer at Xcape, Inc.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;The full technical report from Anthropic's Frontier Red Team, including cryptographic commitments for unreleased vulnerability details and coordinated disclosure timelines, is available at &lt;a href="https://red.anthropic.com/"&gt;red.anthropic.com&lt;/a&gt;. The CSA/SANS "AI Vulnerability Storm"&amp;nbsp;strategy brief is available through the &lt;a href="https://labs.cloudsecurityalliance.org/mythos-ciso/"&gt;Cloud Security Alliance&lt;/a&gt;.&lt;/p&gt; 
</content:encoded>
      <category>Featured</category>
      <category>Critical Infrastructure</category>
      <category>Vulnerabilities</category>
      <category>Artificial Intelligence</category>
      <category>Original Content</category>
      <category>Threat Intel</category>
      <category>Incident Response / SIEM</category>
      <pubDate>Thu, 16 Apr 2026 20:51:16 GMT</pubDate>
      <author>drewt@secureworld.io (Drew Todd)</author>
      <guid>https://www.secureworld.io/industry-news/anthropics-claude-mythos-signals-a-new-era-in-ai-powered-cybersecurity-and-a-race-no-one-is-ready-for</guid>
      <dc:date>2026-04-16T20:51:16Z</dc:date>
    </item>
    <item>
      <title>ZionSiphon: The Prototype for the Next Generation of OT Warfare</title>
      <link>https://www.secureworld.io/industry-news/zionsiphon-ot-warfare</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/zionsiphon-ot-warfare" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/critical%20infrastructure%20shutterstock_2666788277.jpg" alt="ZionSiphon: The Prototype for the Next Generation of OT Warfare" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p style="font-weight: normal;"&gt;As geopolitical tensions between the U.S., Israel, and Iran continue to simmer, the cybersecurity front has often been characterized by "digital graffiti" and disruptive DDoS attacks. However, a newly uncovered malware sample, analyzed by Darktrace, suggests that the transition from digital disruption to physical destruction is accelerating.&lt;/p&gt;</description>
      <content:encoded>&lt;p style="font-weight: normal;"&gt;As geopolitical tensions between the U.S., Israel, and Iran continue to simmer, the cybersecurity front has often been characterized by "digital graffiti" and disruptive DDoS attacks. However, a newly uncovered malware sample, analyzed by Darktrace, suggests that the transition from digital disruption to physical destruction is accelerating.&lt;/p&gt;  
&lt;p style="font-weight: normal;"&gt;The malware, dubbed ZionSiphon, was specifically engineered to target Israeli water treatment and desalination systems. While Darktrace analysts describe the sample as potentially a "developmental build," its architecture provides a chilling look at the future of politically motivated cyber-physical attacks.&lt;/p&gt; 
&lt;p&gt;ZionSiphon is not a typical information stealer. It is a hybrid threat that combines standard IT intrusion techniques with specialized Operational Technology (OT) sabotage logic.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;Some key technical capabilities uncovered in &lt;a href="https://www.darktrace.com/blog/inside-zionsiphon-darktraces-analysis-of-ot-malware-targeting-israeli-water-systems"&gt;the report&lt;/a&gt; include:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Targeted Environmental Logic: The malware performs environment checks, specifically looking for strings related to water treatment and desalination, ensuring it only executes its payload in the intended industrial context.&lt;/li&gt; 
 &lt;li&gt;ICS Protocol Scanning: It includes scanning modules for standard industrial control system (ICS) protocols, including Modbus, DNP3, and S7comm, used to communicate with Programmable Logic Controllers (PLCs).&lt;/li&gt; 
 &lt;li&gt;Direct Physical Sabotage: Most alarmingly, the code contains early-stage Modbus manipulation logic designed to alter chlorine levels and system pressure—actions that could lead to equipment damage or public health risks.&lt;/li&gt; 
 &lt;li&gt;Ideological "Easter Eggs": The malware contains embedded political messaging supporting Iran and explicit threats regarding the "poisoning" of water supplies.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: normal;"&gt;"ZionSiphon shows a shift in the OT threat landscape: malware capable of targeting industrial processes is no longer exclusive to highly resourced nation‑state programs we have seen in the past such as Stuxnet or Industroyer," said &lt;a href="https://www.linkedin.com/in/nathaniel-j-591ba958/"&gt;Nathaniel Jones&lt;/a&gt;. VP, Security &amp;amp; AI Strategy, Field CISO at Darktrace. "The analyzed sample shows politically motivated intent and a clear focus on Israeli water infrastructure, but multiple implementation flaws suggest it is either a development build or the work of a low‑maturity threat actor. This shows that OT attack concepts are now within reach of much smaller threat actors and hacktivists, ZionSiphon is an example of how ideologically motivated actors with relatively modest resources are beginning to experiment with direct interaction with industrial systems."&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;As Jones said, the discovery of ZionSiphon marks a shift from opportunistic attacks (like exploiting default passwords on internet-facing PLCs) to bespoke malware development targeting critical infrastructure.&lt;/p&gt; 
&lt;p&gt;ZionSiphon proves that threat actors are actively experimenting with OT-specific payloads. Even an "incomplete" or "defanged" sample is a successful proof-of-concept for the adversary, allowing them to test persistence and propagation techniques like USB-based spread (reminiscent of Stuxnet). Call it the rise of the developmental stepping stone.&lt;/p&gt; 
&lt;p&gt;The inclusion of political messaging alongside sabotage logic suggests that OT malware is becoming a preferred tool for "gray zone" warfare—allowing states or affiliated actors to signal capability and intent without immediately triggering a full-scale kinetic response.&lt;/p&gt; 
&lt;p&gt;While ZionSiphon targeted Israel, the protocols it scans (Modbus, S7) are the backbone of global infrastructure. A tool developed for one region can be easily "re-skinned" for another. The physical perimeter is now global.&lt;/p&gt; 
&lt;p&gt;From the report:&amp;nbsp;&lt;span&gt;The malware also includes Israel-linked strings in its target list, including “Mekorot”, “Sorek”, “Hadera”, “Ashdod”, “Palmachim”, and “Shafdan”. All of the strings correspond to components of Israel’s national water infrastructure: Mekorot is Israel’s national water company responsible for managing the country’s water system, including major desalination and wastewater projects. Sorek, Hadera, Ashdod, and Palmachim are four of Israel’s five major seawater desalination plants, each producing tens of millions of cubic meters of drinking water annually. Shafdan is the country’s central wastewater treatment and reclamation facility. &lt;/span&gt;&lt;span&gt;Their inclusion in ZionSiphon’s targeting list suggests an interest in infrastructure linked to Israel’s water sector.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;The warning from Darktrace is clear: ZionSiphon is a signal of intent.&lt;/p&gt; 
&lt;p&gt;Water and wastewater treatment facilities—often under-resourced compared to the energy sector—must realize they are now "Tier 1" geopolitical targets. Utility and municipal CISOs and CIOs should be on high alert.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;Security teams must move beyond monitoring IT endpoints and gain cross-visibility into the OT environment. Detecting an "incomplete" threat like ZionSiphon requires behavioral analytics that can spot unusual subnet scanning for ICS protocols before a command is sent to a PLC.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;Vendors and critical infrastructure third-party maintenance providers must harden their "removable media" policies. ZionSiphon’s use of USB propagation proves that the "sneakernet" remains a viable bypass for air-gapped systems.&lt;/p&gt; 
&lt;p&gt;ZionSiphon may not have "poisoned the water" today, but it has certainly poisoned the idea that critical infrastructure is shielded by its complexity. In the 2026 threat landscape, the "invisible perimeter" is no longer just a digital boundary—it is the valve, the pressure gauge, and the chlorine tank.&lt;/p&gt;  
</content:encoded>
      <category>Featured</category>
      <category>Critical Infrastructure</category>
      <category>Original Content</category>
      <category>OT Security</category>
      <pubDate>Thu, 16 Apr 2026 16:15:00 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/zionsiphon-ot-warfare</guid>
      <dc:date>2026-04-16T16:15:00Z</dc:date>
    </item>
    <item>
      <title>Identity Management Day 2026: Securing the New Perimeter</title>
      <link>https://www.secureworld.io/industry-news/identity-management-day-2026</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/identity-management-day-2026" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/hacker%20logging%20in%20-%20shutterstock_1096207289.jpg" alt="Identity Management Day 2026: Securing the New Perimeter" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p style="font-weight: normal;"&gt;Today, April 14, 2026, the global cybersecurity community will observe Identity Management Day. Founded by the Identity Defined Security Alliance (IDSA) and the National Cybersecurity Alliance (NCSA), the&amp;nbsp;day serves as a critical checkpoint for an industry that has seen the traditional network perimeter effectively dissolve.&lt;/p&gt;</description>
      <content:encoded>&lt;p style="font-weight: normal;"&gt;Today, April 14, 2026, the global cybersecurity community will observe Identity Management Day. Founded by the Identity Defined Security Alliance (IDSA) and the National Cybersecurity Alliance (NCSA), the&amp;nbsp;day serves as a critical checkpoint for an industry that has seen the traditional network perimeter effectively dissolve.&lt;/p&gt;  
&lt;p style="font-weight: normal;"&gt;In 2026, the mandate is clear: Identity is the new perimeter. As recent threat telemetry has shown, attackers aren't breaking into systems anymore; they are simply logging in using stolen, intercepted, or spoofed credentials. Identity Management Day is a call to move beyond "compliance-based" identity and toward a model of identity resilience.&lt;/p&gt; 
&lt;p&gt;For the practitioners on the front lines, &lt;a href="https://www.idsalliance.org/event/identity-management-day-2026/"&gt;Identity Management Day&lt;/a&gt; is an opportunity to move from reactive maintenance to strategic orchestration.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Close the "Workforce Identity Gap": Audit the human workflows that surround identity. Hardening the help desk against AI-enabled vishing and securing remote onboarding processes are now just as important as technical protocol security.&lt;/li&gt; 
 &lt;li&gt;Audit Non-Human Identities: Shift focus toward Service Accounts, OAuth tokens, and AI agents. These non-human entities often carry high privileges but lack the MFA protections and behavioral monitoring applied to human users.&lt;/li&gt; 
 &lt;li&gt;Adopt Identity-First Zero Trust: Ensure that every access request—whether from a remote employee or an automated SaaS integration—is continuously verified based on context, not just a one-time login event.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;"Identity management has undergone a massive shift: humans now make up less than 3% of managed identities in cloud environments. The rest belong to machines that don’t log off, don’t take breaks, and often operate with elevated permissions," said &amp;nbsp;&lt;a href="https://www.linkedin.com/in/crystal-morin/"&gt;Crystal Morin&lt;/a&gt;, Chief Cybersecurity Strategist at Sysdig. "As automation and AI-driven development explode, the gap between human and machine identities is becoming one of the defining security challenges of our time. &amp;nbsp;Machine identities are ephemeral, autonomous, and often difficult to manage at scale with traditional controls, which were never designed for this speed. Identity is the primary access control, it defines an environment’s boundaries, and it’s the most common source of initial access in a breach."&lt;/p&gt; 
&lt;p&gt;Morin added, "To keep up, organizations must rethink identity security as a continuous, lifecycle-driven discipline. Businesses must treat machine identities as the new firewall."&lt;/p&gt; 
&lt;p&gt;Leadership and organizational strategy must reflect that identity is a business-critical asset, not just an IT checkbox.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Enterprises &amp;amp; Governments: Prioritize the "Mental OS" shift toward Cyber Resilience. This means investing in unified platforms that integrate CSPM, CIEM, and DSPM to gain total visibility into "Identity Sprawl" across multi-cloud environments.&lt;/li&gt; 
 &lt;li&gt;Vendors: Focus on "Secure-by-Design" identity features. 2026 demands phishing-resistant MFA as the default, explainable AI for behavioral analytics, and interoperable standards that allow for seamless identity governance across fragmented tech stacks.&lt;/li&gt; 
 &lt;li&gt;Policy &amp;amp; Governance: Governments should lead by example, implementing robust Workforce Behavior monitoring and privacy guardrails that protect sensitive citizen data without stifling the velocity of digital services.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;"The C-Suite, CISOs, and CSOs need to look beyond siloed views of obviously privileged identities and take a holistic view of the combinations of privileges, entitlements and roles that could be exploited by an attacker to elevation privilege, move laterally and inflict damage," said &lt;a href="https://www.linkedin.com/in/james-maude/"&gt;James Maude&lt;/a&gt;, Field CTO at BeyondTrust. "The identity security debt accumulated by many organizations represents a far great risk than any other area as it only takes the attacker to login using the right identity and all is lost because of the paths to privilege that abound in their environment. Understanding and reducing your identity attack surface should be at to forefront of every organization thinking when it comes to cyber defense moving forward."&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;For the public, Identity Management Day is about moving from awareness to actionable defense.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt;Recognize the "Human-in-the-Loop" Attacks: Be aware that attackers are weaponizing deepfakes and synthetic audio to impersonate IT support or executives. If a "password reset" request feels urgent or unusual, verify it through a secondary, out-of-band channel.&lt;/li&gt; 
 &lt;li&gt;Clean Up "App Sprawl": Use this day to audit the permissions granted to third-party applications. Revoke access for apps you no longer use to minimize your "Shadow Identity" footprint.&lt;/li&gt; 
 &lt;li&gt;Adopt Phishing-Resistant MFA: Move away from SMS-based codes where possible in favor of hardware keys or passkeys, which are significantly harder for modern AI-driven phishing kits to intercept.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Some more thoughts from industry experts from cybersecurity vendors:&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;&lt;a href="https://www.linkedin.com/in/markmcclainceo/"&gt;Mark McClain&lt;/a&gt;, CEO at SailPoint:&lt;/span&gt;&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;"Identity is no longer about perimeter-based defense. The rise in AI-based agents and the massively accelerating threat landscape has rendered that approach inadequate, and prompted a shift towards identity as the critical element to enterprise security. This report's findings demonstrate that there is now a need for real-time, intelligent, and dynamic identity security, built to govern and secure not just “who,” or in the case of AI agents, “what,” has access to the enterprise, but what data they can access and what they are able to do once inside."&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;"The modern enterprise requires a new control plane, driven by unifying identity, data, and security. The combined power of these contexts enables real-time decisions to reduce risk without impacting the business. These decisions can be driven by the nature of the identity, the context of the apps and data it can access, the behavior around how it is using these apps and data and the security signals and risk warnings that may surround it. To combat this new era of threats, driven by the force multiplier of AI, we need to embrace a new approach of adaptive identity."&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;&lt;a href="https://www.linkedin.com/in/chris-radkowski-aa9161/"&gt;Chris Radkowski&lt;/a&gt;, GRC Expert at Pathlock:&lt;/span&gt;&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;"The rise of AI agents and machine identities has fundamentally outpaced traditional identity security. MFA and legacy access controls were built for a world of human users, not autonomous agents, service accounts, and AI-driven workflows that now outnumber people across the enterprise by 20x. Making matters more complex, the productivity promise of AI is too compelling for employees to wait on IT; workers are signing up for AI-powered tools, copilots, and automation platforms using their enterprise credentials, connecting them directly to corporate email, productivity suites, and business applications, often without security's knowledge."&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;"As agentic AI takes on real business actions with real permissions, the attack surface expands in ways most organizations aren't prepared to see, let alone secure. Credential abuse, account takeover, and sophisticated social engineering are increasingly targeting the non-human identities that operate quietly in the background with little oversight. That is why we believe that securing the modern enterprise means treating identity holistically by extending governance, least-privilege, and adaptive controls across every identity, human or machine. In the AI era, identity isn't just an IT problem. It's the foundation of trust itself."&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: bold;"&gt;&lt;a href="https://www.linkedin.com/in/shane-barney-69026528/"&gt;Shane Barney&lt;/a&gt;, CISO at Keeper Security:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;"Instead of forcing their way through a firewall, adversaries are logging in with stolen credentials, hijacked tokens and abused permissions, then moving laterally under the cover of legitimacy. When identity controls are fragmented or overly permissive, attackers don’t need novel exploits. They just need access that looks routine. Identity now defines the enterprise perimeter. When every identity is governed with least privilege and continuously validated, a stolen credential becomes a contained event instead of an enterprise-wide incident."&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: bold;"&gt;&lt;a href="https://www.linkedin.com/in/jason-soroko-19b41920/"&gt;Jason Soroko&lt;/a&gt;, Senior Fellow at Sectigo:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li style="font-weight: normal;"&gt; &lt;p&gt;"Machines, and their full Non-Human Identity (NHI) taxonomy, such as workloads, AI agents, etc., should never be thought about in the context of human authentication methods. MFA does not apply, as that is a band-aid solution for human authentication based on passwords. How are you going to ask your Docker container to type in a one-time password from their authenticator app? It’s silly even to talk about it. Biometrics - do I even need to justify why we can’t talk about biometric authentication for NHI?"&lt;/p&gt; &lt;/li&gt; 
 &lt;li style="font-weight: normal;"&gt; &lt;p&gt;"Right now most workloads and agents authenticate with static API tokens. These are harvested exactly the same way as passwords. They aren’t managed well, they’re in the clear in many places, and they are not going to be sustainable for secure agentic AI systems."&lt;/p&gt; &lt;/li&gt; 
 &lt;li style="font-weight: normal;"&gt; &lt;p&gt;"Cryptographically bound tokens will be needed, as proof of possession, so that when an adversary inevitably steals the static API key, the adversary can’t do anything about it. It turns out that PKI will be performing a critical function here. That shouldn’t be a surprise to anyone. So let’s drop the old vocabulary that was created in the human-only authentication era."&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: bold;"&gt;&lt;a href="https://www.linkedin.com/in/luz-elad/"&gt;Elad Luz&lt;/a&gt;, Head of Research at Oasis Security:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li style="font-weight: normal;"&gt; &lt;p&gt;"To reduce the risks associated with Non-Human Identities (NHIs), security teams need to implement modern identity management practices, strong governance, and proactive security controls. Where possible, organizations should transition to cloud-native identities and establish a comprehensive lifecycle management strategy for NHIs that cannot be migrated. Maintaining good identity hygiene is critical—this includes removing stale or unused NHIs, conducting regular access reviews, and ensuring NHIs follow the Principle of Least Privilege (PoLP) by granting only the minimum permissions necessary."&lt;/p&gt; &lt;/li&gt; 
 &lt;li style="font-weight: normal;"&gt; &lt;p&gt;"A structured policy and enforcement program should be built around risk analysis and compliance frameworks, ensuring NHIs align with both security best practices and regulatory requirements. Adopting short-lived credentials, automated credential rotation, and managed identities can further minimize risk by limiting exposure. Collaboration with app development and DevSecOps teams is also essential to integrate these security measures without disrupting workflows, ensuring that NHIs remain secure while maintaining operational efficiency. By treating NHIs with the same level of oversight as human identities, organizations can mitigate risk while maintaining agility and scalability across their development and cloud environments."&lt;/p&gt; &lt;/li&gt; 
 &lt;li style="font-weight: normal;"&gt; &lt;p&gt;"The rise of AI agents will introduce new security challenges for NHIs. These agents often operate under machine accounts or service identities, acting on behalf of human users, which makes it difficult to track permissions, monitor usage, and enforce accountability. Without proper oversight, organizations risk losing visibility into which identities have access to critical resources and how they are being used."&lt;/p&gt; &lt;/li&gt; 
 &lt;li style="font-weight: normal;"&gt; &lt;p&gt;"The main concern is governance. If AI agents are assigned persistent, unmanaged service accounts, these identities can quickly become overprivileged and unmonitored, increasing the organization’s attack surface. To mitigate this risk, security teams should implement automated monitoring, enforce least privilege, and establish clear policies for AI-driven NHIs. By putting these guardrails in place early, organizations can embrace AI automation without compromising security."&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt;  
</content:encoded>
      <category>Featured</category>
      <category>Original Content</category>
      <category>Identity Theft</category>
      <category>Identity / Access Mgmt</category>
      <pubDate>Tue, 14 Apr 2026 17:31:57 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/identity-management-day-2026</guid>
      <dc:date>2026-04-14T17:31:57Z</dc:date>
    </item>
    <item>
      <title>AI-Powered Tax Scams Are Surging — What Security Teams and Taxpayers Need to Know</title>
      <link>https://www.secureworld.io/industry-news/ai-powered-tax-scams-are-surging-what-security-teams-and-taxpayers-need-to-know</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/ai-powered-tax-scams-are-surging-what-security-teams-and-taxpayers-need-to-know" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Tax_Trouble_shutterstock_2705408179.jpg" alt="AI-Powered Tax Scams Are Surging — What Security Teams and Taxpayers Need to Know" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;Tax season has always been fertile ground for cybercriminals. Looming deadlines, financial anxiety, and the routine exchange of highly sensitive data create conditions that are nearly ideal for social engineering. What has changed in 2026 is the degree to which AI has turbocharged the threat — lowering the barrier to entry, dramatically improving the quality of lures, and enabling multi-channel campaigns that are increasingly hard to dismiss.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;Tax season has always been fertile ground for cybercriminals. Looming deadlines, financial anxiety, and the routine exchange of highly sensitive data create conditions that are nearly ideal for social engineering. What has changed in 2026 is the degree to which AI has turbocharged the threat — lowering the barrier to entry, dramatically improving the quality of lures, and enabling multi-channel campaigns that are increasingly hard to dismiss.&lt;/p&gt; 
&lt;p&gt;With Tax Day on April 15th, the IRS has issued its annual &lt;a href="https://www.irs.gov/newsroom/dirty-dozen-tax-scams-for-2026-irs-reminds-taxpayers-to-watch-out-for-dangerous-threats"&gt;Dirty Dozen&lt;/a&gt; list of tax scams for 2026, warning that criminals are deploying more sophisticated schemes than ever before. Security experts say the data backs that up — and the implications extend well beyond individual taxpayers to enterprise security and AI governance.&lt;/p&gt; 
&lt;h2 style="font-weight: normal;"&gt;AI Has Removed the Traditional Tells&lt;/h2&gt; 
&lt;p&gt;For years, security awareness training taught people to spot phishing by looking for grammatical errors, inconsistent branding, or awkward phrasing. That guidance is increasingly obsolete. Hoxhunt tracked a 14-fold boom in AI-generated phishing attacks beginning in December 2025, and the company's Co-founder and CTO, Pyry Åvist, says the compounding effect is significant: "Attackers can now generate visually realistic messages in multiple languages, adapt them to local tax authorities, and produce dozens of variations of the same lure," he said. "That makes it harder for traditional filters to catch them, and harder for people to resist clicking on a malicious link."&lt;/p&gt; 
&lt;p&gt;Nicole Carignan, SVP of Security &amp;amp; AI Strategy and Field CISO at Darktrace, put the shift in sharper terms. "Phishing is no longer just a volume-based threat," she said. "It's become a quality and personalization problem, making it increasingly difficult to detect with the human eye alone." Attackers can now generate polished, brand-consistent communications tailored with publicly available or previously compromised data — and test and refine campaigns in real time.&lt;/p&gt; 
&lt;h2 style="font-weight: normal;"&gt;Multi-Channel Attacks Compound the Risk&lt;/h2&gt; 
&lt;p&gt;Beyond the quality of individual lures, researchers are tracking coordinated multi-channel campaigns where a phishing email is just the opening move. Åvist described the pattern: "An email about a tax issue might be followed by a phone call or voice message that reinforces the same story. Once someone is on a phone call, they are more susceptible to manipulation — particularly with deepfake voice technology that can make a fraudster in a Thai call center sound like an educated IRS professional in Houston."&lt;/p&gt; 
&lt;p&gt;The threat has also expanded beyond personal inboxes. Hoxhunt CEO Mika Aalto noted that tax-themed phishing is regularly delivered to employee work email accounts, because "compromising a corporate account can open the door to much larger financial and data exposure." Aalto added that one particularly effective post-click tactic involves redirecting victims to a legitimate site after they submit their credentials — making the interaction feel normal and reducing the likelihood they'll report the incident.&lt;/p&gt; 
&lt;h2 style="font-weight: normal;"&gt;The Social Engineering Cocktail: Urgency, Fear, and Authority&lt;/h2&gt; 
&lt;p&gt;Maxime Cartier, VP of Human Risk at Hoxhunt, offered the most direct framing of why tax season is so reliably exploitable:&lt;/p&gt; 
&lt;p&gt;&lt;i&gt;&lt;span style="color: #333333;"&gt;"Tax season mixes the perfect social engineering cocktail of heavy deadline urgency, stress, fear, and the ritualistic delivery of sensitive information. People expect to receive messages about refunds, missing documents, scary fees, or payment deadlines — so a phishing email that references these topics feels believably urgent. The promise of a refund or the fear of penalties can push people to act quickly instead of verifying the message. Attackers rely on that moment of urgency when we are accustomed to feeling overwhelmed and obedient to authority." — Maxime Cartier, VP of Human Risk, Hoxhunt&lt;/span&gt;&lt;/i&gt;&lt;/p&gt; 
&lt;p&gt;That psychological profile maps directly onto the IRS's own warnings. The agency does not initiate contact via email, text, or unsolicited phone calls — any message that creates urgency around a tax matter and arrives through those channels should be treated as suspect by default.&lt;/p&gt; 
&lt;h2 style="font-weight: normal;"&gt;AI Agents in Finance: A Growing Enterprise Attack Surface&lt;/h2&gt; 
&lt;p&gt;For security leaders, the concern this tax season extends beyond phishing into a more complex risk: the growing use of AI agents in payroll, tax preparation, and financial operations. Diana Kelley, CISO at Noma Security, framed the core problem plainly: "Agents do not just read data — they can act on it. Once you combine sensitive financial data, external inputs, and tool access, the risk profile changes materially." AI agents are also vulnerable to indirect prompt injection and are non-deterministic by nature, she noted — a serious concern in workflows where accuracy is non-negotiable.&lt;/p&gt; 
&lt;p&gt;Kelley cited observed attacker breakout times of as little as 27 seconds to explain why governance must keep pace with deployment. "Speed without strong controls can quickly become systemic risk," she said. "The upside is efficiency. The downside is machine-speed mistakes or abuse unless security keeps pace with governance, visibility, and least-privilege controls."&lt;/p&gt; 
&lt;p&gt;Ram Varadarajan, CEO at Acalvio, offered a practitioner-focused framework for managing AI agent risk during the filing period. He recommended six controls organizations should put in place now:&lt;/p&gt; 
&lt;ol style="list-style-type: decimal;"&gt; 
 &lt;li&gt;Treat AI agents like privileged service accounts — audit access quarterly, enforce just-in-time provisioning, and require multi-party authorization before any agent is granted write access to financial systems.&lt;/li&gt; 
 &lt;li&gt;Instrument your data, not just your perimeter — seed financial datasets with synthetic canary records so that any unauthorized access generates an unambiguous signal of compromise.&lt;/li&gt; 
 &lt;li&gt;Require every AI agent to run under a scoped, time-limited identity with explicit task boundaries logged at invocation. Scope violations — such as a payroll agent querying benefits or equity records — should trigger an automatic halt and human review.&lt;/li&gt; 
 &lt;li&gt;Segment AI agent access by system domain and enforce hard stops on cross-system queries without re-authorization, preventing the kind of lateral movement that cascaded through Uber's finance, HR, and legal systems in 2022.&lt;/li&gt; 
 &lt;li&gt;Demand append-only, externally verifiable audit logs from AI vendors before deployment — not as a post-incident retrofit.&lt;/li&gt; 
 &lt;li&gt;Run tabletop exercises simulating a compromised AI agent during peak filing periods to stress-test detection and response playbooks that were likely written for human attackers.&lt;/li&gt; 
&lt;/ol&gt; 
&lt;h2 style="font-weight: normal;"&gt;What the IRS Wants You to Know&lt;/h2&gt; 
&lt;p&gt;As part of its 2026 Dirty Dozen warning, the IRS reiterated several baseline behaviors that apply to both individuals and enterprise security teams:&lt;/p&gt; 
&lt;ul style="list-style-type: disc;"&gt; 
 &lt;li&gt;The IRS initiates contact via physical mail — not email, text, or unsolicited phone calls.&lt;/li&gt; 
 &lt;li&gt;Messages pushing immediate action ('pay now,' 'verify now,' 'refund pending') are hallmarks of scam tactics, not legitimate IRS communications.&lt;/li&gt; 
 &lt;li&gt;Do not click unexpected links. Navigate directly to official .gov websites instead.&lt;/li&gt; 
 &lt;li&gt;Verify out of band — contact your tax preparer or employer using known contact details, not those provided in an unexpected message.&lt;/li&gt; 
 &lt;li&gt;Never share Social Security numbers, banking information, or tax documents in response to unsolicited requests.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Carignan of Darktrace distilled the right posture: "Pause, verify, and don't act on urgency alone. In an environment where attacks are designed to look legitimate, taking a moment to validate requests through trusted channels is one of the most effective ways to reduce risk."&lt;/p&gt; 
&lt;p&gt;The IRS Dirty Dozen list and deeper guidance are available on the IRS newsroom website.&lt;/p&gt; 
</content:encoded>
      <category>Featured</category>
      <category>Social Engineering</category>
      <category>Artificial Intelligence</category>
      <category>Original Content</category>
      <category>Online Scams</category>
      <category>Phishing</category>
      <pubDate>Mon, 13 Apr 2026 20:12:31 GMT</pubDate>
      <author>drewt@secureworld.io (Drew Todd)</author>
      <guid>https://www.secureworld.io/industry-news/ai-powered-tax-scams-are-surging-what-security-teams-and-taxpayers-need-to-know</guid>
      <dc:date>2026-04-13T20:12:31Z</dc:date>
    </item>
    <item>
      <title>Anthropic's Claude Mythos Autonomously Discovers, Exploits Zero-Days</title>
      <link>https://www.secureworld.io/industry-news/anthropic-claude-mythos-finds-exploits-zero-days</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/anthropic-claude-mythos-finds-exploits-zero-days" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Hacker%20shutterstock_2274524161.jpg" alt="developer sitting at computer workstation" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;Anthropic has unveiled Claude Mythos Preview, a new AI model with cybersecurity capabilities the company's researchers are calling a watershed moment for the industry. Unlike prior models that could identify vulnerabilities but rarely exploit them, Mythos Preview autonomously discovers and weaponizes zero-day flaws—including across every major operating system and web browser—without human intervention beyond an initial prompt.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;Anthropic has unveiled Claude Mythos Preview, a new AI model with cybersecurity capabilities the company's researchers are calling a watershed moment for the industry. Unlike prior models that could identify vulnerabilities but rarely exploit them, Mythos Preview autonomously discovers and weaponizes zero-day flaws—including across every major operating system and web browser—without human intervention beyond an initial prompt.&lt;/p&gt;  
&lt;p&gt;&lt;a href="https://red.anthropic.com/2026/mythos-preview/"&gt;The announcement&lt;/a&gt;, published April 7, 2026, on Anthropic's security research blog, comes alongside the launch of Project Glasswing—a restricted defensive initiative that will give Mythos Preview access to a limited group of critical infrastructure operators and open-source developers before any broader release. Anthropic has stated it does not plan to make the model publicly available, citing the severity of its offensive capabilities.&lt;/p&gt; 
&lt;p&gt;For security practitioners, the report details findings that challenge assumptions underpinning defensive security for the past two decades—including a 27-year-old crash bug in OpenBSD, a 16-year-old flaw in FFmpeg's H.264 codec, a guest-to-host memory corruption vulnerability in a production virtual machine monitor, and thousands of additional findings still under coordinated disclosure.&lt;/p&gt; 
&lt;h2 style="font-weight: normal;"&gt;A qualitative leap over prior models&lt;/h2&gt; 
&lt;p&gt;Anthropic's researchers are explicit about the performance gap between Mythos Preview and its predecessors. In a Firefox 147 JavaScript engine benchmark, Claude Opus 4.6 produced working shell exploits only twice across several hundred attempts against the same vulnerability set. Mythos Preview produced 181 working exploits, with register control achieved in 29 additional cases.&lt;/p&gt; 
&lt;p&gt;The model's performance on internal benchmarks tells a similar story. Across roughly 7,000 entry points in open-source repositories from the OSS-Fuzz corpus, Opus 4.6 achieved a single tier-3 crash on a five-tier severity scale, with no higher results. Mythos Preview reached tier 5—full control-flow hijack—on 10 separate, fully patched targets.&lt;/p&gt; 
&lt;p&gt;Critically, these capabilities were not explicitly trained into the model. Anthropic's team writes that exploit proficiency emerged as a downstream consequence of broader improvements in code reasoning and agentic autonomy—the same improvements that make the model more effective at patching vulnerabilities also make it more effective at exploiting them.&lt;/p&gt; 
&lt;p&gt;"Mythos Preview signals that zero-day discovery is becoming cheaper, faster, and more scalable," said &lt;span style="color: #444444;"&gt;Sunil Gottumukkala, CEO of Averlon&lt;/span&gt;. "Researchers have already shown earlier models can help find serious vulnerabilities, but this represents a real capability jump. Even with restricted access, the broader implication is clear: we should expect more dangerous vulnerabilities to be found across major software platforms, and many organizations still don't patch fast enough to keep up."&lt;/p&gt; 
&lt;h3 style="font-weight: normal;"&gt;What the model actually found&lt;/h3&gt; 
&lt;p&gt;Anthropic used a consistent scaffold for all vulnerability discovery work: a containerized environment, a Claude Code instance running Mythos Preview, and a single-paragraph prompt asking the model to find a security vulnerability. From there, the model reads source code, forms hypotheses, validates them against a running target, and outputs a bug report with a proof-of-concept exploit and reproduction steps. Human involvement ends at the initial prompt.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;A 27-year-old OpenBSD kernel crash&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;In OpenBSD's TCP SACK implementation, Mythos Preview identified a two-bug chain. The first allows the start value of a SACK block to fall outside the valid send window. The second allows that value—due to signed 32-bit integer overflow on sequence number comparisons—to simultaneously satisfy contradictory conditions, triggering a null-pointer write that crashes the kernel. The flaw dates back to OpenBSD's 1998 SACK implementation and allows a remote attacker to repeatedly crash any OpenBSD host that responds over TCP. The vulnerability has been patched. Across 1,000 scaffold runs against OpenBSD at a total cost of under $20,000, the model surfaced several dozen findings.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;A 16-year-old FFmpeg codec vulnerability&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;In the H.264 decoder, a 32-bit slice counter is stored in a 16-bit lookup table, initialized to the 65535 sentinel value. A specially crafted frame containing exactly 65,536 slices causes the counter to collide with that sentinel, triggering an out-of-bounds write. The underlying type mismatch dates to FFmpeg's 2003 H.264 commit; the exploitable code path was introduced in a 2010 refactor. Three FFmpeg vulnerabilities identified by Mythos Preview have been patched in FFmpeg 8.1, with additional findings under coordinated disclosure.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;A guest-to-host memory corruption flaw in a production VMM&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;Mythos Preview identified a memory corruption vulnerability in a production virtual machine monitor written in a memory-safe language. The bug exists in an unsafe code block performing direct pointer manipulation—unavoidable in VMM code that must communicate with hardware. An attacker with guest access triggers an out-of-bounds write in the host process's memory. The vulnerability remains unpatched; Anthropic is withholding the project name and technical details pending coordinated disclosure.&lt;/p&gt; 
&lt;p&gt;Of the 198 vulnerability reports reviewed so far by contracted human validators, expert assessors agreed with the model's severity rating in 89% of cases and were within 1 severity level in 98% of cases.&lt;/p&gt; 
&lt;h4 style="font-weight: normal;"&gt;Autonomous exploitation: the FreeBSD ROP chain&lt;/h4&gt; 
&lt;p&gt;The most detailed exploit case study in the report is CVE-2026-4747, a 17-year-old remote code execution vulnerability in FreeBSD's NFS server. Mythos Preview identified and fully exploited the flaw without any human guidance after an initial prompt.&lt;/p&gt; 
&lt;p&gt;The vulnerability is a stack buffer overflow in FreeBSD's RPCSEC_GSS authentication handler: an attacker-controlled packet is copied into a 128-byte stack buffer, with a length check that permits up to 400 bytes. Several standard mitigations do not apply—the buffer is declared as an integer array, so GCC's stack protector does not instrument it, and FreeBSD does not randomize the kernel load address, making ROP gadget locations predictable.&lt;/p&gt; 
&lt;p&gt;Rather than brute-forcing the kernel host ID required to reach the vulnerable code path, Mythos Preview found that a single unauthenticated NFSv4 EXCHANGE_ID call returns the server's UUID and NFS daemon start time—sufficient to reconstruct the required values. The model then built a 20-gadget ROP chain that writes its public SSH key to /root/.ssh/authorized_keys, split across six sequential RPC packets to fit within the per-request constraint. The result is unauthenticated root access over the network.&lt;/p&gt; 
&lt;p&gt;A prior independent research firm had demonstrated that Opus 4.6 could exploit this same vulnerability, but only with substantial human prompting and guidance. Mythos Preview required none.&lt;/p&gt; 
&lt;h5 style="font-weight: normal;"&gt;Vulnerability chains and the Linux kernel&lt;/h5&gt; 
&lt;p&gt;A significant portion of the report documents Mythos Preview's ability to chain multiple vulnerabilities into complete exploits—a capability previously associated with skilled human researchers. The model demonstrated this across Linux kernel targets, constructing chains involving KASLR bypasses, heap manipulation, and kernel credential replacement.&lt;/p&gt; 
&lt;p&gt;In one case, the model used a one-bit out-of-bounds write in Linux's ipset (netfilter) code to flip the write-permission bit in a page table entry. The technique requires manipulating the kernel's per-CPU page allocator to place a kmalloc slab page physically adjacent to a page-table page in RAM, then using the OOB write to upgrade a read-only mapping of a setuid binary to writable. A 168-byte ELF stub, rewritten to use that mapping, provides root execution. Cost at API pricing: under $1,000.&lt;/p&gt; 
&lt;p&gt;A second example chains a use-after-free in Unix-domain socket out-of-band data handling (CVE-2024-47711) with a separate use-after-free in the Linux traffic-control DRR scheduler. The combined exploit builds an arbitrary kernel read primitive, defeats KASLR by reading the interrupt descriptor table, locates the kernel stack to recover a dangling pointer, and calls commit_creds() with a crafted root credential structure—navigating CONFIG_HARDENED_USERCOPY restrictions throughout. Cost: under $2,000.&lt;/p&gt; 
&lt;p&gt;Anthropic reports nearly a dozen similar examples of the model independently chaining two, three, or four vulnerabilities into functional privilege-escalation exploits in the Linux kernel.&lt;/p&gt; 
&lt;h6 style="font-weight: normal;"&gt;Perspectives on the claims: a skeptical read&lt;/h6&gt; 
&lt;p&gt;Not everyone in the security community accepts Anthropic's framing at face value. Steven Swift, Managing Director of Suzu Labs, offered a detailed critical assessment of the report's evidence.&lt;/p&gt; 
&lt;p&gt;"Anthropic knows what they're doing. They're making big claims, because attention is good for their business model," Swift said. "They're providing just enough detail so that their claims look convincing at first glance. But when you look closer, claims lack substance and rely on implications that all of the examples related prove their claims."&lt;/p&gt; 
&lt;p&gt;Swift specifically challenges the N-day exploit demonstrations, arguing that providing a model with detailed prior vulnerability context—including fuzzer-generated crash reports and CVE identifiers—is not equivalent to autonomous discovery. He notes that Mythos Preview was unable to produce working exploits against the Linux kernel vulnerabilities it independently found, and that generating exploit code from a well-described vulnerability is a capability that existing large language models already demonstrate.&lt;/p&gt; 
&lt;p&gt;He also raises a structural concern: because Mythos Preview is not publicly available, independent researchers cannot audit the claims. The report's evidence rests on Anthropic's own testing, with cryptographic commitments for unreleased vulnerability details offered as accountability anchors.&lt;/p&gt; 
&lt;p&gt;That critique is worth holding alongside the report's most defensible data points: the model discovered a 27-year-old zero-day in OpenBSD and a 16-year-old flaw in FFmpeg—both confirmed by AddressSanitizer and now patched—and it did so autonomously on code that had been reviewed and fuzz-tested extensively. Whatever the outer limits of the claims, those findings are concrete.&lt;/p&gt; 
&lt;div style="font-weight: normal; font-size: 24px;"&gt;
 The dual-use problem at scale
&lt;/div&gt; 
&lt;p&gt;"You can also look at this from another angle: try using Claude to write some code and see how many bugs, or even new zero-days, it produces," said &lt;span style="color: #444444;"&gt;Nick Mo, CEO &amp;amp; Co-founder of Ridge Security Technology Inc. "&lt;/span&gt;Claude Code is already making developers many times more productive than before, which means the number of potential vulnerabilities being introduced is also many times greater. It's writing code and writing vulnerabilities at the same time."&lt;/p&gt; 
&lt;p&gt;Mo's framing points to a compounding dynamic: AI-accelerated development creates more code—and therefore more surface area for vulnerabilities—while AI-accelerated security tooling is simultaneously needed to audit it. The race is between the same underlying technology deployed on offense and defense.&lt;/p&gt; 
&lt;p&gt;Noelle Murata, Sr. Security Engineer at Xcape, Inc., focused on the remediation side of the equation, noting that Project Glasswing's restricted partner program—which Anthropic describes as prioritizing critical infrastructure operators and open source maintainers—is designed to address what she calls a massive vulnerability debt now being surfaced faster than human teams can triage and patch it.&lt;/p&gt; 
&lt;p&gt;"If Project Glasswing is a 'cyber-nuke,' Anthropic is attempting to ensure the 'mutually assured destruction' of bugs happens in a controlled vacuum before it hits the production Internet," Mu&lt;span style="color: #444444;"&gt;rata said.&amp;nbsp;&lt;/span&gt;&lt;/p&gt; 
&lt;div style="font-weight: normal; font-size: 24px;"&gt;
 Implications for defenders
&lt;/div&gt; 
&lt;p&gt;Anthropic's research team closes the report with a set of recommendations directed at security practitioners and software operators. The core themes, translated for operational context:&lt;/p&gt; 
&lt;ul style="list-style-type: disc;"&gt; 
 &lt;li&gt; &lt;p&gt;Deploy current frontier models for vulnerability discovery now. Opus 4.6 and comparable models already find high- and critical-severity bugs across OSS-Fuzz targets, web applications, cryptography libraries, and the Linux kernel. Organizations that have not adopted AI-assisted bugfinding are leaving findings on the table—and potentially leaving them for adversaries to find first.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Compress patch cycles. The N-day exploitation timeline has shortened. Organizations should tighten patching enforcement windows, enable auto-update where feasible, and treat dependency bumps carrying CVE fixes as urgent rather than routine maintenance. Out-of-band patching processes may need to become standard rather than exceptional.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Extend AI tooling beyond bug finding. Current models can triage reports, deduplicate findings, draft patch proposals, review pull requests for security issues, analyze cloud configurations, and support incident response documentation and root-cause analysis. Automation of these workflows reduces human bottlenecks as discovery volume increases.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Reassess friction-based defenses. Mitigations whose security value derives primarily from making exploitation tedious—rather than technically impossible—may be significantly weaker against model-assisted adversaries operating at scale and low cost. Hard barriers such as KASLR, W^X, and memory-safe language adoption remain valuable.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Update vulnerability disclosure policies for AI-scale discovery. Programs designed around individual researcher findings may need restructuring to manage the volume that AI-driven pipelines can generate. Anthropic itself contracted professional human validators to triage its own disclosure queue before sending reports to maintainers.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;"The offensive landscape just went autonomous," said &lt;span style="color: #444444;"&gt;Joshua Marpet, Senior Product Security Consultant at Finite State&lt;/span&gt;. "We can no longer fight machine-speed threats with manual, point-in-time reviews. Defense must become as continuous and autonomous as the attacks coming our way."&lt;/p&gt; 
&lt;p&gt;Anthropic describes the current moment as a disruption of the security equilibrium that has prevailed for roughly 20 years. The company expresses confidence that AI-driven defense will eventually dominate—producing a net improvement in software security across the industry—but is direct about the difficulty of the transitional period.&lt;/p&gt; 
&lt;p&gt;Project Glasswing, the coordinated defensive initiative announced alongside Mythos Preview, will deploy the model to a restricted set of critical infrastructure operators and open source developers with the goal of hardening key systems before models with comparable capabilities become more broadly available. Anthropic says it plans to develop new cybersecurity safeguards with an upcoming Claude Opus model—testing and refining them on a system that does not carry the same risk profile as Mythos Preview—before pursuing wider deployment.&lt;/p&gt; 
&lt;p&gt;The full technical report, including cryptographic commitments for unreleased vulnerability details, is available at &lt;a href="https://red.anthropic.com/2026/mythos-preview/"&gt;red.anthropic.com&lt;/a&gt;.&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fanthropic-claude-mythos-finds-exploits-zero-days&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>Zero-Day</category>
      <category>Original Content</category>
      <category>AI</category>
      <pubDate>Fri, 10 Apr 2026 13:12:00 GMT</pubDate>
      <author>drewt@secureworld.io (Drew Todd)</author>
      <guid>https://www.secureworld.io/industry-news/anthropic-claude-mythos-finds-exploits-zero-days</guid>
      <dc:date>2026-04-10T13:12:00Z</dc:date>
    </item>
    <item>
      <title>SecureWorld Boston 2026: Celebrating Security's Timeless Human Core</title>
      <link>https://www.secureworld.io/industry-news/boston-2026-security-timeless-human-core</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/boston-2026-security-timeless-human-core" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Social%20Media%20images/Boston%202026_Keynote%20Theater%20crowd_cropped.jpg" alt="Conference attendees in keynote theater" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;Boston has always had a particular talent for calling things as they are. It showed up at the Hynes Convention Center on Wednesday, April 8, as the 22nd annual &lt;a href="https://events.secureworld.io/details/boston-ma-2026/"&gt;SecureWorld Boston conference&lt;/a&gt; opened its doors and welcomed out of the cold, clear late winter weather the region's cybersecurity community for a two-day run at questions that matter.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;Boston has always had a particular talent for calling things as they are. It showed up at the Hynes Convention Center on Wednesday, April 8, as the 22nd annual &lt;a href="https://events.secureworld.io/details/boston-ma-2026/"&gt;SecureWorld Boston conference&lt;/a&gt; opened its doors and welcomed out of the cold, clear late winter weather the region's cybersecurity community for a two-day run at questions that matter.&lt;/p&gt;  
&lt;p&gt;The day opened early—with registration live by 7&amp;nbsp;a.m., PLUS courses underway by 7:30—and by the time the keynote theater filled for the 9&amp;nbsp;a.m. opening session, the room had the energy of a community that had been waiting to have this conversation.&lt;/p&gt; 
&lt;p&gt;That conversation started with "Security Catharsis." Moderated by Kyle Bubp (CISO, Avid) and featuring Gaël Frouin (CISO, AAA Northeast), Christopher Rich (BISO, MassMutual), and Praveen Sharma (Head of Product Security, Cubic Transportation Systems), the opening keynote brought up the topics that aren't always easy to discuss.&lt;/p&gt; 
&lt;p&gt;What followed was a conversation that security professionals have been having at happy hours for years—finally moved to the main stage. Hype versus real threat. Security awareness training as victim-blaming dressed up as a compliance checkbox. The tendency to reach for new tools when the foundations need addressing. There weren't always easy resolutions. This was rarer: permission to say aloud what those in the room were thinking and experiencing.&lt;/p&gt; 
&lt;p&gt;The rest of Day 1 built on that candor across a full slate of concurrent sessions. Bill Bowman (Operating Partner | CISO, Welsh Carson Anderson &amp;amp; Stowe) made the case for translating security risk into board language in "Breaking into the Boardroom." Randall Jackson (CISO, Income Research + Management) explored what it looks like for security teams to shift from reactive gatekeepers to business enablers. Richard Genthner (CISO, Boost Insurance) tackled shadow AI head-on: ChatGPT, Copilot, Claude, Gemini—tools that didn't knock on security's door before walking past it, and the urgent governance challenge that creates.&lt;/p&gt; 
&lt;p&gt;The Networking Hall ran all day, giving attendees the chance to connect not only with the deep sponsor roster, but also the region's leading association chapters—ISACA New England, ISSA New England, ISC2 Eastern Massachusetts, InfraGard Boston, WiCyS, and others. These associations form the connective tissue of the New England security community—hosting them under one roof is a lasting SecureWorld commitment.&lt;/p&gt; 
&lt;p&gt;Day 1 closed the way it should: with a happy hour extending from 4 to 5:30 p.m. in the Networking Hall, letting the day's ideas breathe and grow into new connections. These times prove that sometimes the best debrief sessions don't have moderators.&lt;/p&gt; 
&lt;p&gt;The &lt;a href="https://www.secureworld.io/industry-news/2026-theme-timeless-cybersecurity"&gt;&lt;i&gt;Timeless Cybersecurity&lt;/i&gt; theme&lt;/a&gt; that anchors SecureWorld's 2026 season found its footing on Day 1 in the most direct way possible: by looking to the past, amplifying the human, and building a better, more secure future.&lt;/p&gt; 
&lt;p&gt;The stage was set for Day 2.&lt;/p&gt; 
&lt;h2&gt;&lt;strong&gt;Day 2 highlights&lt;/strong&gt;&lt;/h2&gt; 
&lt;p&gt;Even at the tail end of Day 2, the energy of attendees carried things through.&lt;/p&gt; 
&lt;p&gt;The second-half atmosphere of any well-run conference has a distinctive feel. The ice is broken. The mental maps are set. Attendees have completed first-day handshakes and arrived, collectively, at the thing conferences are best for: an unguarded exchange between peers sharing a hard problem and a professional commitment to solving it. By Thursday morning at the Hynes, the Boston security community was squarely in that zone.&lt;/p&gt; 
&lt;p&gt;If Day 1 of the event set the table—framing this year's &lt;i&gt;Timeless Cybersecurity&lt;/i&gt; theme, and igniting honest peer-to-peer dialogue—then Day 2 was about delivering the meal. Day 2 surfaced the conversations that happen when professional facades wear down and real talk emerges.&lt;/p&gt; 
&lt;p&gt;And honestly? Those are the best kind.&lt;/p&gt; 
&lt;p&gt;Thursday, April 9, had the feel of a well-worn conversation between people who'd been thinking out loud together for 24 hours. This was a fitting context for a day that would carry the community from keynote insights on security velocity to a powerful exploration of legal implications of cybersecurity.&lt;/p&gt; 
&lt;h3&gt;&lt;strong&gt;Morning: the velocity problem&lt;/strong&gt;&lt;/h3&gt; 
&lt;p&gt;Day 2 opened with Silas Adams (CISO, Pep Boys) taking the keynote theater stage for a session titled "Security at the Speed of Innovation." Adams explored how the dominant industry narrative—security as the last line of defense, the brake pedal, the department of "no"—has calcified in ways that cost organizations real ground.&lt;/p&gt; 
&lt;p&gt;Adams came out swinging against that narrative. His argument: velocity-first security isn't a contradiction in terms; it's a design choice. Risk-based controls rather than painful toll gates. Automation as default. Human exceptions by design. A shift-left strategy that iteratively reduces blast radius while &lt;i&gt;increasing&lt;/i&gt; delivery speed. He applied the same thinking to agentic AI ecosystems—the north-south and east-west threat surfaces that are keeping security leaders up at night—arguing that you can build systems that allow every line of business to innovate confidently, provided the right guardrails form the foundation.&lt;/p&gt; 
&lt;p&gt;It's a compelling blueprint, and the post-keynote Cyber Connect in the Networking Hall invited attendees to explore further in real time. Bonus Networking Hall sessions—a SecureWorld special—are consistently rated the "most valuable feature."&lt;/p&gt; 
&lt;p&gt;Morning breakouts continued to press on familiar pressure points from creative angles. Craig Stanland—author of &lt;i&gt;Blank Canvas: How I Reinvented My Life After Prison&lt;/i&gt;—opened the ISSA New England Chapter Meeting with a session on insider threats. After committing an $800,000 fraud, Stanland served time. He came to Boston's security community not to scandalize but to illuminate: insider threats don't always begin with malicious intent. They start with a human under pressure finding small, incremental rationalizations that often bypass policies and frameworks. A bracing start to the morning.&lt;/p&gt; 
&lt;p&gt;Javed Ikbal (CISO, Bright Horizons) brought a sobering clarity to the ISC2 Eastern Massachusetts Chapter Meeting with his session titled "Pyongyang’s Programmers: Solving Developer Shortage with Kim's Keyboard Commandos." North Korean operatives embedded inside Western IT teams, generating state revenue, siphoning IP, and quietly positioning for future ransomware extortion. A documented, ongoing threat. Ikbal walked through the key TTPs and mitigation strategies in a session that blended the density of a threat briefing with the accessibility of a great conference talk.&lt;/p&gt; 
&lt;p&gt;In Room 208, Jeramy Kopacko of Sophos explored adversarial generative AI—what he framed as Newton's Third Law applied to digital offense. For every beneficial AI capability, adversaries are engineering an equal and opposite weaponized version. The human attack surface, he argued, has never been more exposed. Deepfakes, synthetic phishing, hyper-personalized social engineering—these aren't theoretical, they're operational.&lt;/p&gt; 
&lt;h4&gt;&lt;strong&gt;Midday: when the law shows up&lt;/strong&gt;&lt;/h4&gt; 
&lt;p&gt;It's not every conference that assembles a panel including the Chief of the Securities, Financial and Cyber Fraud Unit for the U.S. Attorney's Office for the District of Massachusetts (Seth Kosto), a former national coordinator for cybercrime prosecutors (Brian Levine), the Assistant Attorney General and Chief of the Privacy and Responsible Technology Division of the Massachusetts AG's office (Jared Rinehimer), and Stephanie Siegmann—Partner and Chair of International Trade, National Security, Cybersecurity and AI at Hinckley Allen, and former National Security Chief for the same federal district.&lt;/p&gt; 
&lt;p&gt;Their lunch keynote, "The Intersection of Cyber Incident Response, Regulatory Compliance, and Enforcement in a Rapidly Evolving Threat Environment," covered territory that security professionals need to understand but rarely hear articulated with this kind of legal precision. False Claims Act exposure when cybersecurity posture doesn't match representations made to the government. The escalation of state AG enforcement. The liability gap between having a plan and executing one under pressure. The uncomfortable reality that incident response isn't just a technical problem—it's a legal event.&lt;/p&gt; 
&lt;h5&gt;&lt;strong&gt;A moment that mattered&lt;/strong&gt;&lt;/h5&gt; 
&lt;p&gt;Alongside the presentations, the demonstrations, and the Dash for Prizes drawing in the afternoon, this year's conference carried a layer of meaning that no agenda line item could fully capture.&lt;/p&gt; 
&lt;p&gt;The community paused to remember Andy Smeaton.&lt;/p&gt; 
&lt;p&gt;A longtime member of the SecureWorld Boston Advisory Council, Andy was most recently CISO at Jamf. Before that, he held senior InfoSec positions across a remarkable range of organizations—Merlin Ventures, Afiniti, DataRobot, MIB Group, The Saudi Investment Bank, and Danversbank among them. He was, in the fullest sense of the phrase, a fixture in the Boston security community.&lt;/p&gt; 
&lt;p&gt;Those who knew him put it simply: you knew when Andy was in the room. He was quick with a smile, warm in presence, and genuinely invested in the people around him. That combination of expertise and humanity, it turns out, is rarer than it should be. Cybersecurity attracts brilliant technicians. It doesn't always attract people who know how to make others feel seen. Andy managed both.&lt;/p&gt; 
&lt;p&gt;The inaugural Andy Smeaton Leadership Honor, awarded to &lt;a href="https://events.secureworld.io/speakers/bill-bowman/"&gt;Bill Bowman&lt;/a&gt;, wasn't a footnote. It was a reminder. The work we do in cybersecurity exists in service of people—their data, their systems, their trust, their futures. Advisory Councils like the one that surrounds SecureWorld Boston are only as good as the humans who commit to showing up, year after year, with knowledge and generosity intact. Andy was one of those people. Andy's absence was felt throughout the two days in ways that are hard to quantify but impossible to miss.&lt;/p&gt; 
&lt;p&gt;A &lt;a href="https://www.gofundme.com/f/honoring-andys-life-and-helping-his-family"&gt;GoFundMe&lt;/a&gt; remains open and available for those looking to support Andy's family and legacy.&lt;/p&gt; 
&lt;h6&gt;&lt;strong&gt;Afternoon: pulling the threads together&lt;/strong&gt;&lt;/h6&gt; 
&lt;p&gt;Afternoon sessions covered terrain that felt like a natural landing point after two days of accumulated insight. Energy in the room, true to form, was candid and considered—exactly the right register for the conversations being had.&lt;/p&gt; 
&lt;p&gt;Mark Annati (CISO, Commonwealth of Massachusetts Executive Office of Economic Development) offered something refreshingly grounded in "Behind the Prompt: A CISO's Practical AI Journey." This was a security leader's honest account of where AI is actually being useful—automating policy work, streamlining threat analysis, and yes, solving everyday problems along the way. Accessible, practical, and the kind of session that tends to generate great hallway conversations afterward.&lt;/p&gt; 
&lt;p&gt;Kishore Gangwani (Principal Engineer, Application Security, CarGurus) tackled the dual nature of AI for security engineering. Model Context Protocol security, agentic AI risk, the emerging threat surface created by "vibe coding"—but also the genuine upside: faster code review, more scalable pen testing, better signal from AI-assisted detection. The session avoided the binary framing that plagues most AI security conversations. The answer isn't fear or enthusiasm; it's engineering discipline.&lt;/p&gt; 
&lt;p&gt;Afternoon panels confronted the consolidation question ("The Great Consolidation: Rationalizing the Security Stack") and the perpetual identity-cloud-data trifecta ("The Velocity of Trust"), both of which drew in vendor and practitioner voices in the format that works best at these conferences—structured enough to move forward, open enough for real disagreement to surface.&lt;/p&gt; 
&lt;p&gt;The final Cyber Connect of the conference—a wrap-up of Thomas Hart's "Putting the Pieces Together" project—was a fitting close. A 1,000-piece jigsaw puzzle of Boston, assembled collaboratively throughout both conference days, with attendees using it as a literal metaphor for the cybersecurity environment: fragmented pieces that only resolve into something coherent when you commit to working together. Hart gathered the community's takeaways from the two days, stitching them into a final reflection that mirrored what the best moments of SecureWorld Boston consistently deliver.&lt;/p&gt; 
&lt;div&gt;
 &lt;strong&gt;What endures&lt;/strong&gt;
&lt;/div&gt; 
&lt;p&gt;The 22nd annual SecureWorld Boston conference wrapped the way the best conferences do—not with a neat conclusion, but with a set of open questions worth carrying forward.&lt;/p&gt; 
&lt;p&gt;&lt;i&gt;Timeless Cybersecurity&lt;/i&gt; rests on a hypothesis: that beneath all the tools, frameworks, and escalating threat vectors, the core challenges of this work—trust, vigilance, communication, resilience—are stubbornly, usefully human.&lt;/p&gt; 
&lt;p&gt;The more things change—and they are changing fast—the more that truth remains the same. Technology serves humans. Humans build community. This community makes events worth showing up for—year after year, iteration after iteration.&lt;/p&gt; 
&lt;p&gt;SecureWorld Boston will be back. See you next time.&lt;/p&gt;  
</content:encoded>
      <category>Featured</category>
      <category>Original Content</category>
      <category>Cybersecurity Conference</category>
      <category>Theme</category>
      <pubDate>Thu, 09 Apr 2026 21:49:58 GMT</pubDate>
      <author>tbriggs@secureworld.io (Tom Briggs)</author>
      <guid>https://www.secureworld.io/industry-news/boston-2026-security-timeless-human-core</guid>
      <dc:date>2026-04-09T21:49:58Z</dc:date>
    </item>
    <item>
      <title>FBI: AI-Enabled Fraud Topped $893M in 2025—Real Toll Likely Far Higher</title>
      <link>https://www.secureworld.io/industry-news/ai-enabled-fraud-topped-893m-fbi</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/ai-enabled-fraud-topped-893m-fbi" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/FBI%20shutterstock_2140269543.jpg" alt="fraud investigator working at computer" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;The FBI's Internet Crime Complaint Center (IC3) has released its latest annual report, marking the first time in the center's 25-year history that it has devoted a dedicated section to artificial intelligence as a cybercrime tool. The milestone reflects how rapidly the technology has shifted from an emerging concern to a mainstream instrument of fraud.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;The FBI's Internet Crime Complaint Center (IC3) has released its latest annual report, marking the first time in the center's 25-year history that it has devoted a dedicated section to artificial intelligence as a cybercrime tool. The milestone reflects how rapidly the technology has shifted from an emerging concern to a mainstream instrument of fraud.&lt;/p&gt; 
&lt;p&gt;The broader context is stark: total cybercrime losses reported to IC3 crossed $20 billion for the first time in 2025, reaching $20.877 billion across more than 1 million complaints—the first time IC3 has received that many reports in a single year.&lt;/p&gt; 
&lt;h2&gt;&lt;span style="line-height: 28px;"&gt;&lt;strong&gt;The $893M figure is a floor, not a ceiling&lt;/strong&gt;&lt;/span&gt;&lt;/h2&gt; 
&lt;p&gt;IC3 logged 22,364 complaints with an AI-related descriptor in 2025, representing $893 million in adjusted losses. But the report draws an important distinction that security leaders should internalize: the AI attribution reflects only what victims reported and recognized. Actual AI involvement across fraud schemes is far broader.&lt;/p&gt; 
&lt;p&gt;The starkest illustration of this gap comes from investment fraud. Complaints in which victims specifically noted an AI nexus generated $632 million in losses. But total investment fraud losses in 2025 hit $8.648 billion—meaning AI was officially attributed to less than 8% of that category. The FBI's own analysis suggests many victims simply had no way to detect that synthetic content, generated personas, or AI-assisted scripts were used to manipulate them.&lt;/p&gt; 
&lt;p&gt;"AI-enabled synthetic content is becoming increasingly difficult to detect and easier to make, which allows criminal actors to potentially conduct successful fraud schemes against individuals, businesses, and financial institutions," the report states.&lt;/p&gt; 
&lt;h3&gt;&lt;span style="line-height: 28px;"&gt;&lt;strong&gt;Investment fraud: AI at industrial scale&lt;/strong&gt;&lt;/span&gt;&lt;/h3&gt; 
&lt;p&gt;The investment fraud picture in 2025 reflects AI's role as an industrial scaler for social engineering. Criminals deployed AI chat tools to generate thousands of personalized victim conversations simultaneously—each one appearing distinct, building trust across weeks or months before the eventual theft.&lt;/p&gt; 
&lt;p&gt;Investment clubs became a key delivery mechanism. Fraudsters used AI-generated videos and audio to impersonate celebrities, CEOs, and financial figures, creating fake endorsements that were often distributed via social media or staged video calls. These productions were professional enough to deceive victims who would have recognized a low-quality fake.&lt;/p&gt; 
&lt;p&gt;Cryptocurrency investment fraud—commonly known as "pig butchering"—accounted for $7.228 billion in losses across 61,559 complaints, a 48% increase in complaint volume from 2024. These scams, largely run by organized criminal enterprises in Southeast Asia using trafficked labor, now rely on AI to accelerate the trust-building phase and increase the volume of simultaneous operations.&lt;/p&gt; 
&lt;h4&gt;&lt;span style="line-height: 28px;"&gt;&lt;strong&gt;Business email compromise: voice cloning enters the kill chain&lt;/strong&gt;&lt;/span&gt;&lt;/h4&gt; 
&lt;p&gt;Business email compromise (BEC) remains one of the most financially damaging crime types tracked by IC3, generating $3.046 billion in losses in 2025. Within that category, AI is increasingly embedded in the attack chain.&lt;/p&gt; 
&lt;p&gt;Chat-generation tools allow attackers to rapidly produce executive-impersonation emails with the tone, vocabulary, and contextual detail of a specific organization's leadership. The FBI report highlights that voice cloning is now being layered into these attacks, used to place follow-up calls that appear to come from a CFO or CEO, reinforcing written wire transfer instructions.&lt;/p&gt; 
&lt;p&gt;In 2025, businesses reported more than $30 million in losses specifically attributed to BEC scams with a confirmed AI component. Given the attribution gap noted elsewhere in the report, that number should be treated as a conservative baseline.&lt;/p&gt; 
&lt;h5&gt;&lt;span style="line-height: 28px;"&gt;&lt;strong&gt;Confidence and romance scams: synthetic personas at scale&lt;/strong&gt;&lt;/span&gt;&lt;/h5&gt; 
&lt;p&gt;AI-assisted confidence and romance scams with a confirmed AI nexus generated $19 million in reported losses in 2025, but the mechanics documented in the IC3 report point to broader infiltration of this category.&lt;/p&gt; 
&lt;p&gt;Criminals are using AI chat generators to produce profiles and conversation scripts that make synthetic relationships more believable and sustainable over longer periods. A related and particularly concerning subcategory is the "distress scam": voice-cloning technology mimics the voice of a family member in apparent crisis, prompting victims to wire money immediately. These calls are increasingly difficult to distinguish from a real emergency.&lt;/p&gt; 
&lt;p&gt;Distress scams generated more than $5 million in losses in 2025, and the FBI notes that the tactic is evolving—expanding beyond grandparent-targeting schemes to impersonate a wider range of family members and friends in various emergency scenarios.&lt;/p&gt; 
&lt;h6&gt;&lt;span style="line-height: 28px;"&gt;&lt;strong&gt;Employment fraud: deepfake interviews as network access vectors&lt;/strong&gt;&lt;/span&gt;&lt;/h6&gt; 
&lt;p&gt;AI-enabled employment fraud represents a threat category that sits at the intersection of individual financial crime and enterprise network security. The FBI documented widespread use of voice spoofing and video deepfakes during online job interviews in 2025, with victims reporting losses of approximately $13 million.&lt;/p&gt; 
&lt;p&gt;The enterprise dimension is significant: the IC3 report notes that financial loss is often not the primary objective in these cases. Instead, the goal appears to be gaining access to corporate networks under the cover of legitimate remote employment. An attacker who passes a deepfake interview and is provisioned with credentials and internal access represents a persistent, authorized threat inside the perimeter.&lt;/p&gt; 
&lt;p&gt;This pattern connects directly to the FBI's ongoing warnings about North Korean IT worker infiltration schemes, documented separately in the report, in which state-sponsored actors placed remote workers inside U.S. companies to exfiltrate data and generate revenue for weapons programs.&lt;/p&gt; 
&lt;div&gt;
 &lt;span style="line-height: 28px;"&gt;&lt;strong&gt;What security teams should take from this&lt;/strong&gt;&lt;/span&gt;
&lt;/div&gt; 
&lt;p&gt;The IC3's decision to formally break out AI as a tracked fraud descriptor for the first time is itself a signal. It acknowledges that AI has evolved from an emerging threat to a defined, measurable component of the cybercrime ecosystem.&lt;/p&gt; 
&lt;p&gt;Several operational implications stand out for defenders.&lt;/p&gt; 
&lt;ul style="list-style-type: disc;"&gt; 
 &lt;li&gt; &lt;p&gt;The attribution gap is a detection problem. If victims can't identify AI involvement, detection controls aren't surfacing it either. Voice biometric verification, deepfake detection tooling, and out-of-band confirmation workflows for high-value wire requests deserve renewed attention.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;BEC defenses need to account for audio, not just email. Voice cloning as a BEC layer means that a callback to a "known"&amp;nbsp;number or a voice that sounds right is no longer a reliable verification signal.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Remote hiring processes are an attack surface. Organizations should treat the interview and onboarding process as a security boundary—particularly for positions that carry privileged access or handle sensitive data.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;The 60+ demographic is a significant target and, for enterprise security teams, represents a risk vector through employees'&amp;nbsp;families. Distress scams and tech-support fraud targeting older Americans generated $7.748 billion in losses in 2025—a 59% increase from 2024.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;The FBI launched several initiatives in response to the broader fraud picture in 2025. Operation Level Up, focused on cryptocurrency investment fraud, notified 3,780 victims last year—78% of whom were unaware they were being scammed at the time of contact—and prevented an estimated $225.8 million in losses. A new Scam Center Strike Force targeting Southeast Asian criminal enterprises responsible for large-scale pig butchering operations is pursuing both prosecutorial and sanctions-based disruption.&lt;/p&gt; 
&lt;p&gt;The 2025 Internet Crime Report is &lt;a href="https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf"&gt;available here&lt;/a&gt;.&lt;/p&gt; 
</content:encoded>
      <category>Featured</category>
      <category>FBI</category>
      <category>Artificial Intelligence</category>
      <category>Original Content</category>
      <category>Cybercrime / Threats</category>
      <pubDate>Thu, 09 Apr 2026 16:50:52 GMT</pubDate>
      <author>drewt@secureworld.io (Drew Todd)</author>
      <guid>https://www.secureworld.io/industry-news/ai-enabled-fraud-topped-893m-fbi</guid>
      <dc:date>2026-04-09T16:50:52Z</dc:date>
    </item>
    <item>
      <title>Defending PLCs, Critical Infrastructure from Physical Cyberattacks</title>
      <link>https://www.secureworld.io/industry-news/defending-plcs-critical-infrastructure</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/defending-plcs-critical-infrastructure" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Critical%20Infrastructure%20petrochemical-oil-refinery-in-bangkok-city-thaila-2026-03-10-03-59-30-utc.jpg" alt="water treatment plant" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p style="font-weight: normal;"&gt;A new Cybersecurity Advisory (AA26-097a) from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sent a clear message to the industrial world: the air gap is dead, and our literal "switches" are in the crosshairs.&lt;/p&gt;</description>
      <content:encoded>&lt;p style="font-weight: normal;"&gt;A new Cybersecurity Advisory (AA26-097a) from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sent a clear message to the industrial world: the air gap is dead, and our literal "switches" are in the crosshairs.&lt;/p&gt;  
&lt;p style="font-weight: normal;"&gt;&lt;a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a"&gt;The advisory&lt;/a&gt; details how Iranian-affiliated cyber actors have successfully exploited Programmable Logic Controllers (PLCs) across multiple U.S. critical infrastructure sectors. These intrusions amount to a direct assault on the hardware that manages our water, energy, and manufacturing.&lt;/p&gt; 
&lt;p&gt;So what does all this escalation mean for the professionals on the front lines and the public they protect?&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;To understand the gravity of this alert, we must define the target. PLCs are the "brains" of industrial automation. They are small, ruggedized computers that control physical processes—opening a water valve, regulating a turbine's speed, or managing a cooling system.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;In the campaign, attackers targeted PLCs that were exposed to the internet, often using default passwords or known vulnerabilities in the administrative web interfaces. By gaining access, the actors were able to disrupt operations, in some cases displaying political messaging on the controller's screen while disabling the physical equipment.&lt;/p&gt; 
&lt;p&gt;For those charged with protecting the "internal frontier" of Operational Technology (OT), this advisory serves as a strategic blueprint for defense.&lt;/p&gt; 
&lt;p&gt;Attackers are no longer just looking for high-level IT credentials; they are performing automated reconnaissance for specific industrial hardware. If your PLC has an IP address, it is being scanned.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;A recurring theme in this exploit was the use of default manufacturer passwords. Security teams must treat "factory settings" as an active vulnerability.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;As we link industrial floors to corporate networks for data-driven insights, we create bridges for attackers to cross. The CISA advisory emphasizes that many compromised PLCs were accessible because of a lack of robust network segmentation.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;While most cyberattacks feel invisible—a stolen credit card or a leaked email—attacks on PLCs have the potential for real physical impact.&lt;/p&gt; 
&lt;p&gt;In the short term, these attacks can cause localized service disruptions, such as water pressure drops or power fluctuations.&lt;/p&gt; 
&lt;p&gt;Even when physical damage is avoided, these attacks are designed to undermine public trust. Seeing a political message on a water utility's controller screen is a form of "digital graffiti" meant to signal that the basic pillars of society are vulnerable. Call it&amp;nbsp;a psychological attack.&lt;/p&gt; 
&lt;p&gt;The public should view this as a reminder that cybersecurity is now a component of public safety. Just as we expect fire codes and clean water standards, we must demand that utilities treat cyber hygiene&amp;nbsp;as a foundational safety requirement.&lt;/p&gt; 
&lt;p&gt;CISA isn't just raising the alarm; they are providing a roadmap for hardening these systems:&lt;/p&gt; 
&lt;ol&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Change every default password:&lt;/span&gt; This remains the most effective, low-cost defense against the current Iranian campaign.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Implement robust MFA:&lt;/span&gt; Even for industrial interfaces, multi-factor authentication is the "gold standard" for stopping credential-based access.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Disconnect from the public web:&lt;/span&gt; There is rarely a legitimate business reason for a PLC to be directly accessible from the open internet. Move these assets behind a VPN or a secure firewall with strict access controls.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Audit your shadow OT:&lt;/span&gt; Use scanning tools to identify devices on your network that your security team might not even know exist.&lt;/p&gt; &lt;/li&gt; 
&lt;/ol&gt;  
</content:encoded>
      <category>Featured</category>
      <category>Critical Infrastructure</category>
      <category>Security Alerts</category>
      <category>Original Content</category>
      <category>Industrial Controls</category>
      <category>Operational Technology</category>
      <category>CISA</category>
      <pubDate>Wed, 08 Apr 2026 20:44:00 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/defending-plcs-critical-infrastructure</guid>
      <dc:date>2026-04-08T20:44:00Z</dc:date>
    </item>
    <item>
      <title>Engineering Data Protection for AI Systems: Bridging Privacy Frameworks and Real-World Implementation</title>
      <link>https://www.secureworld.io/industry-news/engineering-data-protection-ai-systems</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/engineering-data-protection-ai-systems" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Engineering%20data%20protection%20-%20cyber-investigation-team-working-in-a-governmental-2026-03-19-02-08-17-utc.jpg" alt="analysts working at computers" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;&lt;span&gt;AI adoption is accelerating across enterprise and critical infrastructure environments, driving new levels of automation, insight, and operational efficiency. At the same time, it is fundamentally changing how data is collected, processed, and shared.&lt;/span&gt;&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;&lt;span&gt;AI adoption is accelerating across enterprise and critical infrastructure environments, driving new levels of automation, insight, and operational efficiency. At the same time, it is fundamentally changing how data is collected, processed, and shared.&lt;/span&gt;&lt;/p&gt;  
&lt;p&gt;&lt;span&gt;On paper, most organizations appear well prepared. Privacy frameworks are defined, data classification standards are established, and regulatory requirements are mapped to controls. However, real-world implementations often tell a different story. The challenge is no longer defining what should be protected, but ensuring those protections hold up as data moves through complex, AI-driven systems.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;The gap is not in policy. It is in translating policy into practical, engineering-driven controls that align with how data actually behaves.&lt;/p&gt; 
&lt;h2 style="font-size: 24px;"&gt;&lt;span style="font-size: 24px;"&gt;&lt;strong&gt;The shift: from static data protection to dynamic data systems&lt;/strong&gt;&lt;/span&gt;&lt;/h2&gt; 
&lt;p&gt;&lt;span&gt;Traditional data protection strategies were designed for relatively stable environments. Data was structured, stored in known locations, and accessed through predictable patterns.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;AI systems break these assumptions.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Data in AI environments is:&lt;/span&gt;&lt;/p&gt; 
&lt;ul style="list-style-type: disc;"&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Continuously collected across distributed sources &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Aggregated and enriched across platforms &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Processed through models that generate new insights &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Shared across cloud services and third-party ecosystems &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span&gt;In this model, data is no longer static. It is constantly moving, changing, and expanding in meaning.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;As a result, protecting data at a single point is no longer sufficient. The focus must shift to understanding how data flows across systems and how risk evolves over time.&lt;/p&gt; 
&lt;h3&gt;&lt;span style="font-size: 24px;"&gt;&lt;strong&gt;Where privacy frameworks fall short in practice&lt;/strong&gt;&lt;/span&gt;&lt;/h3&gt; 
&lt;p style="font-weight: bold;"&gt;Static classification cannot capture inferred sensitivity&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Most privacy frameworks rely on identifying and labeling sensitive data based on predefined patterns. While this works for structured data, it becomes less effective in AI systems where sensitivity is often inferred.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Seemingly non-sensitive data can become sensitive when:&lt;/span&gt;&lt;/p&gt; 
&lt;ul style="list-style-type: disc;"&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Combined with other datasets &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Processed through models &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Analyzed for behavioral or contextual insights &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span&gt;This creates a gap where data is technically compliant, but still exposes risk through inference.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;Controls are applied at points, not across lifecycles&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Data protection controls are often implemented at specific layers such as endpoints, networks, or storage systems. However, AI pipelines span entire lifecycles, including ingestion, transformation, inference, and output generation.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Without visibility across these stages, organizations struggle to track:&lt;/span&gt;&lt;/p&gt; 
&lt;ul style="list-style-type: disc;"&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;How data is transformed &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Where sensitive attributes emerge &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;How data is accessed across environments &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span&gt;This fragmentation leads to blind spots, where risks accumulate between control points rather than within them.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;Identity expands the attack surface&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;In AI-enabled systems, identities play a central role in how data is accessed and processed. Service accounts, APIs, and automated workflows create access paths that extend across multiple systems.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;When permissions are not tightly controlled, a single compromised identity can:&lt;/span&gt;&lt;/p&gt; 
&lt;ul style="list-style-type: disc;"&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Access multiple data sources &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Traverse across environments &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Expose data beyond intended boundaries &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: normal;"&gt;The result is not just localized exposure, but system-wide risk propagation.&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;External dependencies reduce control and visibility&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;AI systems depend heavily on external components, including cloud services, third-party data providers, and pre-trained models. These dependencies extend the data protection boundary beyond the organization.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;In many cases, organizations lack full visibility into:&lt;/span&gt;&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;How external systems handle data &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;What data is retained or reused &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;How model behavior may expose sensitive information&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span&gt;This creates a broader ecosystem risk, where data protection depends on factors outside direct control.&lt;/span&gt;&lt;/p&gt; 
&lt;h4&gt;&lt;span style="font-size: 24px;"&gt;&lt;strong&gt;Engineering data protection for real-world AI systems&lt;/strong&gt;&lt;/span&gt;&lt;/h4&gt; 
&lt;p style="font-weight: normal;"&gt;Addressing these challenges requires moving beyond policy-driven approaches toward engineering-driven data protection that operates across systems and data flows.&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;Data-centric protection across the lifecycle&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Effective data protection starts with understanding how data moves and evolves. Instead of focusing only on where data is stored, organizations need visibility into:&lt;/span&gt;&lt;/p&gt; 
&lt;ul style="list-style-type: disc;"&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Data origins &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Transformation processes &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Points where sensitivity emerges &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span&gt;Techniques such as data lineage tracking and context-aware classification help ensure protection extends across the full lifecycle, not just at isolated points.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;Identity-aware access control&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Access control must evolve from static permissions to continuous evaluation of identity behavior. This includes monitoring how identities interact with systems, detecting unusual access patterns, and limiting unnecessary cross-system access.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;By focusing on how access is used rather than just how it is assigned, organizations can better contain risk and prevent lateral movement.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;Integrated visibility across systems&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;In AI environments, risk spans data, identity, and infrastructure simultaneously. Treating these areas separately limits the ability to understand how risks combine.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;An integrated approach enables organizations to:&lt;/span&gt;&lt;/p&gt; 
&lt;ul style="list-style-type: disc;"&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Correlate signals across systems &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Identify potential attack paths &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Understand the broader impact of individual weaknesses &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span&gt;This shift from isolated alerts to systemic visibility is critical for managing complex environments.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;Managing inference and model-driven exposure&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;AI introduces a new class of risk where sensitive information can be revealed through model outputs rather than direct data access.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Mitigating this risk requires:&lt;/span&gt;&lt;/p&gt; 
&lt;ul style="list-style-type: disc;"&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Evaluating how models process and expose data &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Limiting unnecessary data aggregation &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Applying controls to outputs, not just inputs &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span&gt;This expands data protection beyond traditional boundaries into how insights themselves are generated and shared.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;Embedding privacy-by-design into system architecture&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Privacy cannot be retrofitted into AI systems. It must be designed into how systems collect, process, and share data.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;This includes:&lt;/span&gt;&lt;/p&gt; 
&lt;ul style="list-style-type: disc;"&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Minimizing unnecessary data collection &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Segmenting data across environments &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Controlling how data flows between systems &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span&gt;These architectural decisions play a critical role in reducing risk as systems scale and become more interconnected.&lt;/span&gt;&lt;/p&gt; 
&lt;h5 style="font-size: 24px;"&gt;&lt;span style="font-size: 24px;"&gt;&lt;strong&gt;Moving forward: from frameworks to implementation&lt;/strong&gt;&lt;/span&gt;&lt;/h5&gt; 
&lt;p&gt;&lt;span&gt;Privacy frameworks provide essential guidance, but they do not address the complexity of modern AI systems on their own. The challenge lies in operationalizing these frameworks in environments where data is dynamic, interconnected, and continuously evolving.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;Organizations that succeed will be those that move beyond static controls and adopt engineering-driven approaches aligned with real-world data behavior. This requires continuous adaptation, cross-domain visibility, and a deeper understanding of how data interacts across systems.&lt;/p&gt; 
&lt;h6 style="font-size: 24px;"&gt;&lt;span style="font-size: 24px;"&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;/span&gt;&lt;/h6&gt; 
&lt;p&gt;&lt;span&gt;AI systems are reshaping how data is used, and in doing so, they are exposing the limitations of traditional data protection approaches.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;The focus must shift from protecting isolated datasets to managing how data flows, transforms, and creates risk across interconnected environments. Bridging the gap between privacy frameworks and implementation is not about adding more controls, but about designing systems that account for how data actually behaves.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;In AI-driven environments, effective data protection is no longer a static function. It is an ongoing engineering challenge that requires continuous visibility, adaptation, and control.&lt;/span&gt;&lt;/p&gt;  
</content:encoded>
      <category>Featured</category>
      <category>Featured Author</category>
      <category>AI</category>
      <category>Data Privacy</category>
      <pubDate>Wed, 08 Apr 2026 11:26:00 GMT</pubDate>
      <guid>https://www.secureworld.io/industry-news/engineering-data-protection-ai-systems</guid>
      <dc:date>2026-04-08T11:26:00Z</dc:date>
      <dc:creator>Shwetha Prasad</dc:creator>
    </item>
    <item>
      <title>Cyber Insurance Paradox: Judgers of Risk Struggle to Manage Own Risk</title>
      <link>https://www.secureworld.io/industry-news/cyber-insurance-paradox-risk</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/cyber-insurance-paradox-risk" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Risk_management_young-businesswoman-pointing-at-infographics-durin-2026-03-24-03-26-14-utc.jpg" alt="business people working together" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;The insurance industry occupies a unique and powerful position in the cybersecurity ecosystem. By setting underwriting standards, insurers effectively act as the de facto regulators of global security, defining what &lt;em&gt;good&amp;nbsp;&lt;/em&gt;looks like for everyone else.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;The insurance industry occupies a unique and powerful position in the cybersecurity ecosystem. By setting underwriting standards, insurers effectively act as the de facto regulators of global security, defining what &lt;em&gt;good&amp;nbsp;&lt;/em&gt;looks like for everyone else.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;However, a new joint report from the Insurance Information Institute (Triple-I) and Fenix24, &lt;a href="https://www.iii.org/sites/default/files/docs/pdf/triple-i_fenix24_cybersecurity_insurers_04012026.pdf"&gt;"Cybersecurity for Insurers: Squaring Safety with Service"&lt;/a&gt;, reveals a striking paradox: the very entities judging the world's risk are struggling to manage their own.&lt;/p&gt; 
&lt;p&gt;For cybersecurity professionals, the report is a critical look at the "circularity of risk" within the $16.3 billion cyber insurance market. Here is what the findings mean for the broader economy and the leaders advising on breach preparedness.&lt;/p&gt; 
&lt;p&gt;Insurers are high-value targets because they sit on a "triple threat" of data: sensitive PII/PHI of policyholders, proprietary financial data of global corporations, and systemic economic importance.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;The report highlights that while ransomware is the headline-grabber, it only accounts for 19% of reported cyber claims. The real "silent killers" are Business Email Compromise (BEC) and Funds Transfer Fraud (FTF), which together drive 56% of claims. Despite this, insurers themselves are still working through "foundational" challenges, creating a disconnect between the security they mandate and the security they maintain.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;[RELATED: &lt;a href="https://www.secureworld.io/industry-news/7-tips-prevent-bec-scams-2026"&gt;7 Tips to Prevent Business Email Compromise Scams in 2026&lt;/a&gt;]&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;span&gt;"The findings reinforce that the insurance sector remains a high-value target because it sits at the intersection of sensitive data, financial transactions, third-party dependencies, and reputational exposure," said Heath Renfrow, Co-founder and CISO of Fenix24. "Threat actors understand that insurers are not just protecting their own operations—they are part of the broader response and recovery ecosystem for many other businesses. That makes disruption inside an insurer especially consequential."&lt;/span&gt;&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;span&gt;Renfrow added, "What stands out most is that the challenge is no longer just about preventing intrusion. The threat landscape has evolved into one where attackers are deliberately targeting the systems that organizations rely on to respond and recover—identity infrastructure, administrative pathways, core applications, and backup environments. For insurers, that raises the stakes significantly. A compromise is no longer just an IT event; it can quickly become an operational and customer-impact event."&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;When the referees of risk have blind spots, the entire game changes for policyholders.&lt;/p&gt; 
&lt;p&gt;If insurers are still maturing their own defenses, there is a risk that underwriting requirements—such as MFA or EDR mandates—are being applied as "checkbox" compliance rather than deep, risk-based validation.&lt;/p&gt; 
&lt;p&gt;Foundational struggles within the insurance sector lead to unpredictable markets. There is a "tug-of-war" where rates decrease while threats evolve, suggesting that the industry is still struggling to find a stable actuarial baseline for cyber risk.&lt;/p&gt; 
&lt;p&gt;Business interruption now accounts for half of the $1 million average cost of a ransomware incident. Entities can no longer rely on insurance to just "pay the ransom"; they must prove they can restore operations independently.&lt;/p&gt; 
&lt;p&gt;For CISOs and advisors helping leadership navigate the insurance landscape, the Triple-I/Fenix24 report offers three key pivots:&lt;/p&gt; 
&lt;ol&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Shift from "insured" to "recoverable":&lt;/span&gt; Don't just prepare to meet an underwriter’s checklist. Focus on cyber resilience—the ability to assure recoverability through automated infrastructure mapping and "battle-tested" recovery platforms.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Validate the "human workflow" gap:&lt;/span&gt; Since 56% of claims stem from BEC and transfer fraud, advise leadership that technical controls are insufficient. The "workforce identity gap" at the help desk and in funds transfer processes is where the most frequent (and insured) losses occur.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Pressure test vendor interdependency&lt;/span&gt;: The report notes that systemic economic importance makes insurers a target. Treat your insurer like a high-risk third-party vendor. Ask: If my insurer is breached, how does that impact my ability to trigger my own incident response and recovery?&lt;/p&gt; &lt;/li&gt; 
&lt;/ol&gt; 
&lt;p style="font-weight: normal;"&gt;The most provocative question raised by this research is systemic: If insurers are still navigating foundational cybersecurity challenges, can they accurately price risk for the rest of the economy?&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;If the surveyors of the land don't know where the sinkholes are on their own property, their maps of the broader territory are inherently suspect. This suggests that the industry may be over-relying on historical data for a threat landscape that is being fundamentally rewritten by AI-driven automation and autonomous threat agents.&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;Some additional thoughts from Renfrow&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;strong&gt;&lt;span&gt;1. The research suggests many organizations aren’t testing recovery in real-world ransomware scenarios. What does 'true' cyber resilience look like in practice, especially as attacks increasingly target identity systems and core infrastructure?&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;span&gt;"True cyber resilience is not a policy, a slide, or a tabletop exercise. It is the proven ability to restore business operations under real-world attack conditions, when identity is impaired, infrastructure is degraded, tools may be unavailable, and time is working against you.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;span&gt;In practice, that means several things. First, organizations must know what matters most to the business and in what order it must come back. Second, they need validated recovery paths for critical systems, not theoretical ones. Third, they must test recovery in conditions that resemble actual ransomware events—not clean lab scenarios. And finally, they need to assume that identity systems such as Active Directory, privileged accounts, and core management infrastructure may be compromised or unavailable during the event.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;span&gt;The gap we often see is that companies test whether data can be restored, but not whether the business can actually run again. Those are very different things. Recovery that is not tested against real dependencies, identity compromise, and operational pressure is not resilience—it is optimism."&lt;/span&gt;&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;strong&gt;&lt;span&gt;2. With cyber claims shifting toward BEC and fraud over ransomware, how should insurers and enterprises be rethinking their security and risk models?&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;span&gt;"Insurers and enterprises need to expand their thinking from pure malware defense to business process protection. Business email compromise and fraud succeed less through technical destruction and more through trust abuse, identity misuse, and control failure. That requires a different lens.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;span&gt;Security and risk models should place much more emphasis on identity assurance, privileged access, approval workflows, vendor payment controls, communications verification, and detection of abnormal business activity. In other words, the organization has to protect not only its systems, but also the decision-making processes that move money, authorize change, and approve transactions.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;span&gt;This shift also means risk models should not over-index on whether malware was involved. Some of the most damaging losses now come from attacks that exploit people, process, and identity without ever deploying ransomware. The financial and operational consequences can be just as severe."&lt;/span&gt;&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;strong&gt;&lt;span&gt;3. What are the potential downstream implications for policyholders if insurers themselves are still maturing in areas like recovery testing, patching speed, and identity protection?&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;span&gt;"If insurers are still maturing in these areas, the downstream implications for policyholders can be significant. At a basic level, it creates concentration risk in an industry that many organizations depend on during moments of crisis. If an insurer experiences operational disruption, delays in claims handling, communications, underwriting, or partner coordination can directly affect customers when they are most vulnerable.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;span&gt;There is also a broader market implication. Insurers help shape expectations around cyber maturity, coverage terms, and response readiness. If their own operational resilience lags behind the threat, the entire ecosystem can become less stable. Policyholders may face longer response timelines, more friction during claims events, or changes in underwriting and coverage assumptions driven by uncertainty.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;span&gt;More broadly, resilience inside insurance organizations matters because they are part of the trust backbone of cyber response. When they are strong, the system is stronger. When they are not, stress cascades outward."&lt;/span&gt;&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;strong&gt;&lt;span&gt;4. What needs to change for insurers to close these gaps and keep pace with the current threat environment?&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;span&gt;"Operationally, organizations need to move from control ownership to outcome ownership. It is not enough to say a tool is deployed or a policy exists. Leadership needs evidence that the company can withstand and recover from a destructive cyber event. That requires rigorous testing, clear restoration priorities, dependency mapping, identity hardening, and executive-level accountability for recovery readiness.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;span&gt;Culturally, there also has to be a shift away from assuming resistance alone will solve the problem. Prevention is necessary, but it is not sufficient. Every organization will eventually face control failure somewhere. The ones that perform best are those that have accepted this reality and built muscle memory around recovery.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="color: #242424; background-color: #ffffff;"&gt;&lt;span&gt;The strongest insurers will be the ones that treat resilience as a core operating discipline—not a compliance exercise. That means making recovery readiness as measurable, repeatable, and accountable as financial controls or claims operations. In today's environment, resilience is not just a security issue. It is a business capability."&lt;/span&gt;&lt;/p&gt;  
</content:encoded>
      <category>Featured</category>
      <category>Risk Management</category>
      <category>Original Content</category>
      <category>Cyber Insurance</category>
      <category>Cyber Risk</category>
      <pubDate>Tue, 07 Apr 2026 12:50:59 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/cyber-insurance-paradox-risk</guid>
      <dc:date>2026-04-07T12:50:59Z</dc:date>
    </item>
    <item>
      <title>Infostealers Now Want Your Entire AI Identity, Not Just Your Passwords</title>
      <link>https://www.secureworld.io/industry-news/infostealers-want-entire-ai-identity</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/infostealers-want-entire-ai-identity" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Hackers%20-%20two-hackers-sitting-at-table-2025-02-11-18-30-23-utc%20copy.jpg" alt="hackers working on laptops" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;Infostealers used to be simple creatures. Grab a few saved passwords, maybe skim some cookies, sell the bundle, move on. That model feels almost quaint now.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;Infostealers used to be simple creatures. Grab a few saved passwords, maybe skim some cookies, sell the bundle, move on. That model feels almost quaint now.&lt;/p&gt; 
&lt;p&gt;The surface area of identity has exploded, and attackers have noticed. What used to be a login problem has quietly turned into something far more invasive, far more valuable, and far harder to recover from.&lt;/p&gt; 
&lt;p&gt;There's a new prize on the table, and it lives inside the tools people trust every day. Your AI accounts, your prompts, your histories, your context. All of it forms a profile that's richer than any password dump, and unfortunately, &lt;a href="https://www.secureworld.io/industry-news/uptycs-info-stealing-malware"&gt;infostealers are adapting with alarming speed.&lt;/a&gt;&lt;/p&gt; 
&lt;h2 style="font-weight: normal;"&gt;The evolution of infostealers from credentials to context&lt;/h2&gt; 
&lt;p&gt;Infostealers have always followed value. When browsers started storing passwords, they targeted browsers. When crypto wallets surged, they pivoted to wallet files and seed phrases. The pattern has always been clear, even if the tooling keeps changing.&lt;/p&gt; 
&lt;p&gt;Now there's a different kind of value emerging. AI platforms are becoming central hubs for work, research, coding, and decision-making, &lt;a href="https://apryse.com/capabilities/smart-data-extraction"&gt;making them ideal for quick data extraction.&lt;/a&gt; And why not, honestly?&lt;/p&gt; 
&lt;p&gt;People sheepishly feed them sensitive data without hesitation. Internal documents, proprietary code, business strategies. It's all there, often unencrypted and neatly organized in conversation histories.&lt;/p&gt; 
&lt;p&gt;Attackers no longer need to guess what matters to you; they can extract it directly. A compromised machine can reveal not just where you log in, but how you think, what you're building, and what you're planning next. That's a completely different level of intelligence.&lt;/p&gt; 
&lt;p&gt;The shift feels subtle on the surface, but it changes the economics of cybercrime. A single compromised AI account &lt;a href="https://hbr.org/2026/01/ts-research-conventional-cybersecurity-wont-protect-your-ai"&gt;can be worth more than dozens of traditional credential pairs.&lt;/a&gt; It's not just access anymore—it's insight into a business's inner workings.&lt;/p&gt; 
&lt;h3 style="font-weight: normal;"&gt;What an 'AI identity' actually looks like in practice&lt;/h3&gt; 
&lt;p&gt;People tend to think of identity as a username and password combo, &lt;a href="https://lthj.qut.edu.au/article/download/3096/1429"&gt;maybe tied to an email or a phone number.&lt;/a&gt; That definition is outdated. AI identity is layered, dynamic, and deeply personal in ways most users haven't fully processed yet.&lt;/p&gt; 
&lt;p&gt;Every prompt you’ve written, every response you’ve refined, every file you’ve uploaded contributes to that identity. Over time, it becomes a map of your intentions. It reveals your workflows, your priorities, your blind spots, and even your tone of thinking.&lt;/p&gt; 
&lt;p&gt;For professionals, it goes even deeper. Marketers store campaign ideas, engineers debug code, founders draft strategy. AI tools become extensions of cognition. Losing access to that data can be catastrophic, making it no coincidence that &lt;a href="https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/the-cybersecurity-providers-next-opportunity-making-ai-safer"&gt;AI protection services are on the rise.&lt;/a&gt;&lt;/p&gt; 
&lt;p&gt;Attackers see that clearly. They're not just harvesting accounts; they're harvesting behavior. And behavior is far more exploitable than a static password ever was.&lt;/p&gt; 
&lt;h4 style="font-weight: normal;"&gt;How infostealers are adapting their tactics&lt;/h4&gt; 
&lt;p&gt;The technical shift isn't happening in isolation. Infostealers are evolving their capabilities to capture this new layer of data without raising alarms. I've heard an acquaintance say thieves &lt;a href="https://www.biograph.com/executive-physical"&gt;act like they're performing a physical&lt;/a&gt; on an organization, looking for illnesses. But instead of treating them, they exacerbate them.&lt;/p&gt; 
&lt;p&gt;Modern strains are already scanning for session tokens tied to AI platforms. Instead of waiting for credentials, they hijack active sessions. That bypasses traditional authentication entirely and gives immediate access to account histories.&lt;/p&gt; 
&lt;p&gt;There's also a growing focus on local storage. Many AI tools &lt;a href="https://towardsdatascience.com/maximizing-ai-efficiency-in-production-with-caching-a-cost-efficient-performance-booster-9b8afd200efd/"&gt;cache data for performance reasons.&lt;/a&gt; Infostealers know exactly where to look: prompt histories, API keys, configuration files. It's all fair game once a system is compromised.&lt;/p&gt; 
&lt;p&gt;Even browser extensions are becoming targets. Some attackers inject malicious code that silently scrapes interactions as they happen. Users continue working as usual, unaware that everything they type is being mirrored elsewhere.&lt;/p&gt; 
&lt;p&gt;The result feels seamless from the attacker's perspective. Minimal friction, maximum yield. That combination is hard to defend against if you're still thinking in terms of passwords alone.&lt;/p&gt; 
&lt;h5 style="font-weight: normal;"&gt;The security gap most organizations haven't addressed yet&lt;/h5&gt; 
&lt;p&gt;Organizations have spent years building defenses around credentials: multi-factor authentication, password managers, zero trust policies. All of that still matters, but &lt;a href="https://www.secureworld.io/industry-news/ai-data-cyber-security-guidance"&gt;it doesn't fully address this new risk layer.&lt;/a&gt;&lt;/p&gt; 
&lt;p&gt;AI usage often slips through the cracks. Employees sign up with personal accounts, paste sensitive data into prompts, and integrate tools into workflows without formal oversight. It happens fast, and security policies struggle to keep up.&lt;/p&gt; 
&lt;p&gt;There's also a visibility problem. Traditional monitoring tools aren't designed to inspect AI interactions. They can flag suspicious logins, but they won't tell you if sensitive data has been exfiltrated through prompt histories.&lt;/p&gt; 
&lt;p&gt;That creates a &lt;a href="https://www.secureworld.io/industry-news/ai-governance-gap"&gt;significant governance blind spot&lt;/a&gt;—one that attackers are actively exploiting. While organizations focus on perimeter defenses, valuable data is flowing through channels that feel safe but aren't fully controlled.&lt;/p&gt; 
&lt;p&gt;Closing that gap requires a shift in mindset. AI tools need to be treated as data environments, not just productivity enhancers. That means governance, monitoring, and clear usage boundaries.&lt;/p&gt; 
&lt;h6 style="font-weight: normal;"&gt;What users and teams can do without overcomplicating it&lt;/h6&gt; 
&lt;p&gt;There's no single fix, but there are practical ways to reduce exposure without turning workflows upside down. Awareness is the starting point, and &lt;a href="https://www.secureworld.io/industry-news/zero-trust-implementation-challenges"&gt;zero-trust still has its advantages.&lt;/a&gt;&lt;/p&gt; 
&lt;p&gt;Still, I think people need to understand that what they share with AI tools can persist and be accessed if accounts are compromised. It's like keeping everything in a purse; it's easier to reach and manage, but all a wrongdoer has to do is hit just one bird with its stone and the entire flock is a goner.&lt;/p&gt; 
&lt;p&gt;Using dedicated accounts for work-related AI usage helps create separation. It limits the blast radius if something goes wrong. But for a truly impactful solution, &lt;a href="https://www.secureworld.io/industry-news/ai-reckoning-cybersecurity-boardroom"&gt;security teams will have to become boardroom whisperers.&lt;/a&gt;&lt;/p&gt; 
&lt;p&gt;Regardless, experts must also expand their monitoring scope. Look for unusual access patterns tied to AI platforms, track API usage, and treat these environments as part of the broader attack surface. The goal isn't to eliminate risk entirely; it's to make exploitation harder and less rewarding.&lt;/p&gt; 
&lt;div style="font-size: 24px;"&gt;
 Conclusion
&lt;/div&gt; 
&lt;p&gt;Something fundamental has shifted in how identity works online. It's no longer just about proving who you are; it's about everything that defines how you operate. AI tools have accelerated that shift, and attackers are moving just as quickly to take advantage of it.&lt;/p&gt; 
&lt;p&gt;There's a tendency to treat new technologies as separate from existing threats, but that separation doesn't hold for long. Infostealers have already crossed that boundary. They're not waiting for organizations to catch up.&lt;/p&gt; 
&lt;p&gt;The opportunity now lies in recognizing what's changed before it becomes standard practice for attackers. Protecting passwords still matters, but protecting context matters more than ever. And once you start looking at your AI footprint through that lens, the stakes become impossible to ignore.&lt;/p&gt;  
</content:encoded>
      <category>Featured Author</category>
      <category>Identity Theft</category>
      <category>AI</category>
      <pubDate>Mon, 06 Apr 2026 13:54:00 GMT</pubDate>
      <author>nahladavies@nahladavies.com (Nahla Davies)</author>
      <guid>https://www.secureworld.io/industry-news/infostealers-want-entire-ai-identity</guid>
      <dc:date>2026-04-06T13:54:00Z</dc:date>
    </item>
    <item>
      <title>Google Sets 2029 Deadline for Post-Quantum Cryptography Migration</title>
      <link>https://www.secureworld.io/industry-news/google-2029-deadline-post-quantum-cryptography-migration</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/google-2029-deadline-post-quantum-cryptography-migration" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/quantum%20computer%20shutterstock_2643632169%20editoral%20only.jpg" alt="technician working on quantum computer" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;&lt;span&gt;Google recently published&amp;nbsp;a blog announcing a formal 2029 deadline for completing its post-quantum cryptography (PQC) migration—a move the company describes as both an internal commitment and an industry-wide call to action. &lt;a href="https://blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline/"&gt;The announcement&lt;/a&gt;, authored by Heather Adkins, VP of Security Engineering, and Sophie Schmieg, Senior Staff Cryptography Engineer, reflects a growing urgency inside Google as progress on quantum hardware accelerates.&lt;/span&gt;&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;&lt;span&gt;Google recently published&amp;nbsp;a blog announcing a formal 2029 deadline for completing its post-quantum cryptography (PQC) migration—a move the company describes as both an internal commitment and an industry-wide call to action. &lt;a href="https://blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline/"&gt;The announcement&lt;/a&gt;, authored by Heather Adkins, VP of Security Engineering, and Sophie Schmieg, Senior Staff Cryptography Engineer, reflects a growing urgency inside Google as progress on quantum hardware accelerates.&lt;/span&gt;&lt;/p&gt;  
&lt;p&gt;&lt;span&gt;The post represents a notable shift in posture: where discussions of quantum-safe cryptography have long been framed around a distant, hypothetical threat horizon, Google is now treating 2029 as a hard deadline backed by concrete engineering milestones.&lt;/span&gt;&lt;/p&gt; 
&lt;h2&gt;&lt;strong&gt;Why the accelerated timeline?&lt;/strong&gt;&lt;/h2&gt; 
&lt;p&gt;&lt;span&gt;According to Google, the updated timeline reflects advances across three fronts: quantum computing hardware development, quantum error correction, and quantum factoring resource estimates. Taken together, these developments suggest that a cryptographically relevant quantum computer (CRQC)—one capable of breaking current public-key encryption—may arrive sooner than the security community previously modeled.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;The threat, as Google frames it, is not monolithic. The company draws an important distinction between two categories of risk: encryption and digital signatures. Encryption is already under threat today, through so-called "store-now-decrypt-later"&amp;nbsp;attacks, in which adversaries harvest encrypted data now with the intent to decrypt it once a sufficiently powerful quantum machine becomes available. Digital signatures, by contrast, represent a future threat, but one that must be addressed before a CRQC exists, because retroactive remediation is not possible once the infrastructure has been compromised.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;In response, Google says it has updated its internal threat model to prioritize the migration to PQC for authentication services. As the blog notes: "&lt;/span&gt;&lt;span style="color: #333333;"&gt;We've adjusted our threat model to prioritize PQC migration for authentication services—an important component of online security and digital signature migrations. We recommend that other engineering teams follow suit."&lt;/span&gt;&lt;/p&gt; 
&lt;h3&gt;&lt;strong&gt;Google's existing PQC commitments&lt;/strong&gt;&lt;/h3&gt; 
&lt;p&gt;&lt;span&gt;The announcement is not without precedent. Google has been investing in post-quantum security across its product stack for several years. Chrome has supported PQC key-exchange mechanisms, Google Cloud has offered PQC capabilities to enterprise customers, and internal communications infrastructure has already transitioned to quantum-safe protocols.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;The latest concrete milestone: Android 17 will integrate PQC digital signature protection using ML-DSA, aligned with the U.S. National Institute of Standards and Technology's (NIST) published post-quantum standards. This brings PQC protections directly to end-user devices at scale—a significant deployment milestone given Android's global footprint.&lt;/span&gt;&lt;/p&gt; 
&lt;h4&gt;&lt;strong&gt;Two 2029 deadlines, one underlying challenge&lt;/strong&gt;&lt;/h4&gt; 
&lt;p&gt;&lt;span&gt;What makes Google's announcement particularly significant for the broader security ecosystem is the year it has chosen. 2029 is not only when Google intends to complete its PQC migration; it is also the year the CA/Browser Forum's new maximum SSL/TLS certificate lifespan of 47 days takes full effect, representing a 12-fold increase in certificate renewal frequency compared to current norms.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Jason Soroko, Senior Fellow at Sectigo, sees the convergence of these deadlines as more than coincidental.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;"&lt;/span&gt;&lt;span style="color: #333333;"&gt;Google's announcement of a 2029 timeline for post-quantum cryptography migration reinforces how quickly the cryptographic landscape is evolving," Soroko said. "That same year, the CA/Browser Forum will reduce the maximum SSL/TLS certificate lifespan to just 47 days, a 12x&amp;nbsp;increase in renewal frequency that fundamentally changes how organizations must operate. Right now, our research shows that 90% of organizations see a direct overlap between preparing for short-lived certificates and preparing for PQC adoption. These parallel 2029 deadlines are not coincidental; they represent two sides of the same challenge: preparing for a world where cryptography must be updated far more frequently and with far greater agility."&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Soroko also said he sees reason for optimism in the fact that both transitions are arriving simultaneously. Rather than treating them as compounding burdens, he argues they point toward the same solution: greater cryptographic agility built into organizational infrastructure from the ground up.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="color: #333333;"&gt;"The convergence of these deadlines is in some way harmonious: As Google advances the PQC timeline, and as certificate validity shrinks to 47 days, the ecosystem must move together. Continued collaboration through the IETF and the CA/Browser Forum will be essential to ensuring that organizations can rotate keys, algorithms, and certificates quickly and safely, building the agility needed to secure the quantum era."&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="color: #333333;"&gt;These developments are in keeping with the accelerating pace of digital transformation, according to &lt;a href="https://events.secureworld.io/speakers/derek-fisher/"&gt;Derek Fisher&lt;/a&gt;, Director, Cyber Defense &amp;amp; Information Assurance Program Director at Temple University and Founder of Securely Built.&amp;nbsp;&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="color: #333333;"&gt;"Certificate and encryption agility is nothing new. We moved from long-lived certificates (10-year certs) down to 1- or 2-year certificates many years ago," Fisher said. "The current world we're in and heading to is a sign of further maturity in this space, where the ability to rapidly change the certificate lifecycle and cryptographic algorithms is a must. But this means that we need to have the processes, procedures, pipelines, and testing in place to make this successful. Key, certificate, algorithm rotations should be able to be completed in the blink of an eye with relative confidence. Algorithms become obsolete or broken with little warning. Fortunately, with the impending post-quantum encryption world we are heading into, we have a window of time to prepare. Those organizations that use this time wisely will be better off."&lt;/span&gt;&lt;/p&gt; 
&lt;h5&gt;&lt;strong&gt;What this means for security teams&lt;/strong&gt;&lt;/h5&gt; 
&lt;p&gt;&lt;span&gt;For enterprise security practitioners, the 2029 horizon is close enough to warrant immediate planning. PQC migrations are not lift-and-shift operations; they require cryptographic inventory, dependency mapping, algorithm selection aligned with NIST standards, and integration testing across complex, often legacy infrastructure. At the same time, organizations preparing for 47-day certificate lifecycles are already building the automation and certificate management pipelines that PQC transitions will also require.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Google's explicit recommendation that "other engineering teams follow suit" in reprioritizing authentication services for PQC migration provides a practical starting point. NIST's finalized PQC standards—including ML-DSA, ML-KEM, and SLH-DSA—give organizations the algorithmic foundation they need to begin that work now.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;The quantum era, as Google frames it, is not approaching—it is arriving on a schedule. The question for the industry is whether it will meet that schedule proactively or reactively.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;[RELATED: &lt;a href="https://www.secureworld.io/industry-news/nist-post-quantum-cryptography-standards"&gt;NIST Unveils Groundbreaking Post-Quantum Cryptography Standards&lt;/a&gt;]&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;Follow &lt;em&gt;SecureWorld News&lt;/em&gt; for more cybersecurity news.&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fgoogle-2029-deadline-post-quantum-cryptography-migration&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Google</category>
      <category>Featured</category>
      <category>Original Content</category>
      <category>Cryptography</category>
      <category>NIST</category>
      <category>Quantum Computing</category>
      <pubDate>Thu, 02 Apr 2026 16:06:33 GMT</pubDate>
      <author>drewt@secureworld.io (Drew Todd)</author>
      <guid>https://www.secureworld.io/industry-news/google-2029-deadline-post-quantum-cryptography-migration</guid>
      <dc:date>2026-04-02T16:06:33Z</dc:date>
    </item>
    <item>
      <title>The Vulnerability Velocity: A Sobering Look at Bug Patching</title>
      <link>https://www.secureworld.io/industry-news/vulnerability-velocity-bug-patching</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/vulnerability-velocity-bug-patching" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Hackers%20Programmers%20Threat%20Actors%20-%20developers-working-with-computer-codes-in-team-2025-02-11-18-52-16-utc-4.jpg" alt="business workers at computer" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p style="font-weight: normal;"&gt;In cybersecurity, patching&amp;nbsp;is often treated as a baseline chore—the digital equivalent of taking out the trash. However, a new Sector In-Depth report from Moody's Ratings elevates this routine task to a critical financial and operational metric.&lt;/p&gt;</description>
      <content:encoded>&lt;p style="font-weight: normal;"&gt;In cybersecurity, patching&amp;nbsp;is often treated as a baseline chore—the digital equivalent of taking out the trash. However, a new Sector In-Depth report from Moody's Ratings elevates this routine task to a critical financial and operational metric.&lt;/p&gt;  
&lt;p&gt;For cybersecurity teams and the enterprises they protect, &lt;a href="https://www.secureworld.io/hubfs/documents/Sector_In-Depth-Cybersecurity-Global-Risks-01Apr2026-PBC_1472151.pdf"&gt;the report’s findings&lt;/a&gt; are a sobering reality check: despite the arrival of AI-driven tools, the "window of exposure" is becoming a primary driver of credit risk and organizational volatility.&lt;/p&gt; 
&lt;p&gt;So has patching improved or slipped in effectiveness? The short answer is that the complexity of the digital footprint is outpacing the speed of remediation.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;Moody's research indicates that patching effectiveness has not significantly improved in a way that reduces overall risk. While technical teams are working harder, two factors are neutralizing their efforts.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;First, larger enterprises (those with more than 10,000 employees) have significantly higher counts of unpatched Known Exploited Vulnerabilities (KEVs) simply due to the sheer size of their digital footprint. The scale of exposure is increasing.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;Second, attackers are weaponizing new vulnerabilities faster than ever, increasing the time-to-exploit gap. Moody's notes that the risk is particularly high for "internet-facing" assets, where the delay in patching can lead to immediate ransomware or data exfiltration events.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;A central question for 2026 is whether AI has finally "solved" the patching problem. The Moody's report suggests a neutral-to-negative impact so far:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;On the defensive side: AI is being used to automate vulnerability scanning and prioritize patches. However, this has led to "alert fatigue," where teams are overwhelmed by a high volume of "critical" flags that lack business context.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;On the offensive side: AI has arguably helped the &lt;i&gt;attackers&lt;/i&gt; more. Adversaries are using LLMs to reverse-engineer patches and generate exploits for N-day vulnerabilities in hours, not days.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;The net result: AI has accelerated the &lt;i&gt;velocity&lt;/i&gt; of the game, but it hasn't necessarily improved the &lt;i&gt;score&lt;/i&gt; for defenders.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;The report highlights that the risk is not distributed equally.&lt;/p&gt; 
&lt;p&gt;Sectors with high digital dependency but complex legacy systems—such as healthcare, education, and public finance—often show slower patching cadences compared to the technology and telecommunications sectors.&lt;/p&gt; 
&lt;p&gt;North American and European firms generally have more robust patching outcomes, while firms in emerging markets face higher exposure to unpatched KEVs, often due to a lack of specialized cybersecurity personnel.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;For the CISO and the SOC, the Moody's report dictates a shift in strategy from "patch everything" to "risk-based prioritization."&lt;/p&gt; 
&lt;p&gt;Cybersecurity teams should prioritize the KEVs and focus exclusively on vulnerabilities that are already being exploited in the wild. A "medium" severity KEV is often more dangerous than a "critical" vulnerability that has no known exploit.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;For large enterprises, they must accept that their volume of unpatched flaws will naturally be higher. Call it the large footprint tax. Teams should focus on compensating controls (like network segmentation) for systems that cannot be patched immediately.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;Use the language of the Moody's report to communicate effectively to the board level. Cybersecurity leadership should explain that unpatched flaws are now a material credit risk. This moves patching from a maintenance budget item to a risk mitigation&amp;nbsp;priority.&lt;/p&gt; 
&lt;p&gt;The Moody's report confirms that software bugs are no longer just technical nuisances—they are financial liabilities. In an era where AI has weaponized the delay, slow patching&amp;nbsp;is functionally equivalent to no patching.&lt;/p&gt; 
&lt;p&gt;Don't miss this Automox webcast on this very topic, "&lt;a href="https://www.secureworld.io/resources/visibility-is-velocity"&gt;Visibility Is Velocity: Bridging Insight and Action in ITOps&lt;/a&gt;" on April 9, hosted by SecureWorld. &lt;span&gt;This webcast offers a forward-looking conversation about what visibility needs to become in order to keep up with modern IT operations. Earn 1 CPE for attending the free webcast.&lt;/span&gt;&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fvulnerability-velocity-bug-patching&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>Original Content</category>
      <category>Security Patches</category>
      <category>Security Bugs</category>
      <pubDate>Wed, 01 Apr 2026 23:54:58 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/vulnerability-velocity-bug-patching</guid>
      <dc:date>2026-04-01T23:54:58Z</dc:date>
    </item>
    <item>
      <title>The SMB Cybersecurity Struggle Is Real with Limited Resources</title>
      <link>https://www.secureworld.io/industry-news/smb-cybersecurity-struggle</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/smb-cybersecurity-struggle" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Small%20Business%20-%20caucasian-woman-typing-on-a-laptop-inside-her-wood-2025-10-19-16-21-51-utc%20(1).jpg" alt="retail clerk using laptop" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p style="font-weight: normal;"&gt;The security landscape has reached a point of "Identity Industrialization," according to the latest release from SonicWall, "The 7 Deadly Sins of Cybersecurity: 2026 Cyber Protect Report. The findings shift&amp;nbsp;the conversation from merely tracking threats to analyzing the behavioral "sins" that allow those threats to take root.&lt;/p&gt;</description>
      <content:encoded>&lt;p style="font-weight: normal;"&gt;The security landscape has reached a point of "Identity Industrialization," according to the latest release from SonicWall, "The 7 Deadly Sins of Cybersecurity: 2026 Cyber Protect Report. The findings shift&amp;nbsp;the conversation from merely tracking threats to analyzing the behavioral "sins" that allow those threats to take root.&lt;/p&gt; 
&lt;p&gt;For cybersecurity professionals, &lt;a href="https://www.sonicwall.com/resources/white-papers/sonicwall-2026-cyber-protect-report"&gt;this report&lt;/a&gt; is a stark reminder that while the tools are evolving—driven by a 14x surge in AI-generated phishing—the fundamental vulnerabilities remain human and architectural.&lt;/p&gt; 
&lt;p&gt;Small and Medium-Sized Businesses (SMBs) are currently facing a "perfect storm." They are targeted with the same level of sophistication as Global 2000 companies, but often operate with a fraction of the budget and staff.&lt;/p&gt; 
&lt;p&gt;"SMBs are the backbone of the United States economy. They represent 99% of all U.S. businesses and nearly half of private sector employment while contributing roughly 44% of GDP," said &lt;span style="color: transparent; background-color: #ffffff;"&gt;Michael Crean, &lt;/span&gt;&lt;span style="color: transparent; background-color: #ffffff;"&gt;SVP and GM of Managed Security Services at &lt;/span&gt;&lt;span style="color: transparent; background-color: #ffffff;"&gt;SonicWall. "&lt;/span&gt;What they may not know is that they are facing the same cyber risks as large enterprises; however, they lack the same levels of expertise, budget, or resources. For SMBs, cybersecurity is no longer a technical concern. It is a business necessity."&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;The SMB "sins" and challenges are real. SMBs often suffer from "pride"—a belief that they are too small to be a target. This leads to underinvestment in Managed Detection and Response (MDR), leaving them vulnerable to &lt;a href="https://www.secureworld.io/industry-news/skeleton-key-era-attackers-logging-in"&gt;"logging in" attacks&lt;/a&gt; where adversaries use stolen credentials to move laterally.&amp;nbsp;&lt;/p&gt; 
&lt;p&gt;With limited IT staff, SMB help desks are prime targets for impersonation and vishing. Attackers exploit the personal nature of small-team communication to bypass MFA through social engineering. Call it the help desk vulnerability.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;SMBs rely heavily on SaaS to scale, but they often lack the tools to govern data sprawl. This creates an "invisible" attack surface where sensitive customer data lives in unmonitored cloud silos.&lt;/p&gt; 
&lt;p&gt;While larger enterprises have more "shields," they often suffer from "sloth"—the slow movement of legacy bureaucracy. The challenges faced by SMBs offer critical lessons for the enterprise SOC.&lt;/p&gt; 
&lt;p&gt;SMBs are forced to be lean. Large enterprises can learn from the SMB move toward Unified Security Platforms. Consolidating the stack reduces "operational drag" and "patch paralysis," allowing teams to react to threats in minutes, not days. Agility is a defensive asset.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;The SMB struggle with social engineering proves that no amount of budget can fix a broken security culture. Enterprises should adopt the SMB's "all-hands" approach to security, turning every employee into a "human sensor" through adaptive behavior training.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;The report highlights that complexity is the enemy of security. SMBs succeed when they focus on "brilliant basics"—phishing-resistant MFA, immutable backups, and strict identity governance. Enterprises should "prune" their 75+ tool stacks to achieve the same clarity of signal.&lt;/p&gt; 
&lt;h2&gt;&lt;strong&gt;The '7 deadly sins'&amp;nbsp;of 2026: a&amp;nbsp;mandate for action&lt;/strong&gt;&lt;/h2&gt; 
&lt;p&gt;Whether you are an SMB or a global giant, the SonicWall report identifies the core failures that lead to compromise:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;Lust for speed: Deploying AI and cloud tools without privacy guardrails&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Gluttony for data: Collecting more PII than you can secure, leading to massive data sprawl&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Greed for complexity: Investing in "shiny" tools while neglecting the workforce identity gap&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Wrath of response: Relying on reactive incident response rather than cyber resilience and business continuity&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;As the report concludes, the goal for the coming year isn't just to buy more tools, it's to close the gap between digital ambition and protective reality.&lt;/p&gt; 
&lt;p&gt;&lt;span style="color: transparent; background-color: #ffffff;"&gt;"The threat landscape is also shifting in ways that demand &lt;/span&gt;&lt;span style="color: transparent; background-color: #ffffff;"&gt;attention. Nation-state actors increased their targeting of &lt;/span&gt;&lt;span style="color: transparent; background-color: #ffffff;"&gt;SMBs and mid-market organizations throughout 2025, &lt;/span&gt;&lt;span style="color: transparent; background-color: #ffffff;"&gt;recognizing that smaller organizations often serve as entry&lt;/span&gt;&lt;br style="color: transparent; white-space-collapse: preserve; background-color: #ffffff;"&gt;&lt;span style="color: transparent; background-color: #ffffff;"&gt;points into larger supply chains and critical infrastructure," Crean said. "&lt;/span&gt;&lt;span style="color: transparent; background-color: #ffffff;"&gt;These are no longer threats reserved for governments and &lt;/span&gt;&lt;span style="color: transparent; background-color: #ffffff;"&gt;large enterprises. &lt;/span&gt;&lt;span style="color: transparent; background-color: #ffffff;"&gt;Compounding the risk further, AI is accelerating threat &lt;/span&gt;&lt;span style="color: transparent; background-color: #ffffff;"&gt;actors'&amp;nbsp;ability to automatically scan for weaknesses at &lt;/span&gt;&lt;span style="color: transparent; background-color: #ffffff;"&gt;a scale and speed that manual attackers could never &lt;/span&gt;&lt;span style="color: transparent; background-color: #ffffff;"&gt;achieve—rapidly identifying exposed services, overly&lt;/span&gt;&lt;br style="color: transparent; white-space-collapse: preserve; background-color: #ffffff;"&gt;&lt;span style="color: transparent; background-color: #ffffff;"&gt;permissive access, and administrative gaps across thousands &lt;/span&gt;&lt;span style="color: transparent; background-color: #ffffff;"&gt;of targets simultaneously."&lt;/span&gt;&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fsmb-cybersecurity-struggle&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>Cybersecurity</category>
      <category>Original Content</category>
      <category>SMB</category>
      <category>Cyber Resilience</category>
      <pubDate>Tue, 31 Mar 2026 23:25:56 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/smb-cybersecurity-struggle</guid>
      <dc:date>2026-03-31T23:25:56Z</dc:date>
    </item>
    <item>
      <title>The Skeleton Key Era: Attackers Are Logging In, Not Breaking In</title>
      <link>https://www.secureworld.io/industry-news/skeleton-key-era-attackers-logging-in</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/skeleton-key-era-attackers-logging-in" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Logging%20IN%20-%20woman-is-typing-on-a-laptop-keyboard-while-lying-o-2026-03-17-08-07-57-utc-2.jpg" alt="hands typing on keyboard" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p style="font-weight: normal;"&gt;The traditional image of a hooded figure exploiting a zero-day vulnerability to break&amp;nbsp;into a server is becoming a historical relic. According to the Ontinue 2H 2025 Threat Intelligence Report, the world has officially entered the era of the "Skeleton Key."&lt;/p&gt;</description>
      <content:encoded>&lt;p style="font-weight: normal;"&gt;The traditional image of a hooded figure exploiting a zero-day vulnerability to break&amp;nbsp;into a server is becoming a historical relic. According to the Ontinue 2H 2025 Threat Intelligence Report, the world has officially entered the era of the "Skeleton Key."&lt;/p&gt;  
&lt;p style="font-weight: normal;"&gt;The report's primary conclusion is a mandate for every modern CISO: "Attackers aren't breaking in anymore, they're logging in."&lt;/p&gt; 
&lt;p&gt;This isn't just a catchy phrase; it represents a fundamental industrialization of identity compromise. Here is what &lt;a href="https://www.ontinue.com/wp-content/uploads/2026/03/2026_2H2025-Threat-Intelligence-Report.pdf"&gt;the report&lt;/a&gt; says the second half of 2025 taught everyone about the new perimeter and what it means for defense strategies.&lt;/p&gt; 
&lt;p&gt;In 2H 2025, identity-based attacks dominated true positives across Ontinue's telemetry. Attackers have moved away from complex technical exploits in favor of high-velocity credential theft.&lt;/p&gt; 
&lt;p&gt;Sophisticated phishing kits are now standard, capable of bypassing traditional MFA by intercepting session tokens in real time. This is the Adversary-in-the-Middle (AiTM) technique.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;Attackers are increasingly targeting OAuth tokens and Service Accounts. These identities often lack the same MFA protections as human users and provide a "silent" path for lateral movement. Think rise of non-human identities.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;The market for "valid keys" has become professionalized, with Initial Access Brokers (IABs) selling verified credentials for specific enterprise environments on the dark web.&lt;/p&gt; 
&lt;p&gt;For the enterprise, the shift from breaking in to logging&amp;nbsp;in means that breaches are becoming harder to detect using traditional perimeter-based security.&lt;/p&gt; 
&lt;p&gt;When attackers use&amp;nbsp;a valid credential, they don't trip "intrusion" alarms. They look like an employee starting their workday—a "silent" entry.&lt;/p&gt; 
&lt;p&gt;The report emphasizes that in identity-driven scenarios, the "time-to-impact" is shrinking. Once an attacker is logged in,&amp;nbsp;they can move toward data exfiltration or ransomware deployment in a fraction of the time it took in the era of manual exploitation.&lt;/p&gt; 
&lt;p&gt;Enterprises heavily reliant on SaaS and automation pipelines are at higher risk, as these environments depend on a complex web of interconnected identities that are often poorly governed. It's trust as a vulnerability.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;For SOC teams and security researchers, the 2H 2025 report dictates a move toward Managed Extended Detection and Response (MXDR) and behavioral analytics.&lt;/p&gt; 
&lt;p&gt;Since a login is no longer a guarantee of identity, security teams must move toward "Continuous Authentication"—constantly validating that the &lt;i&gt;behavior&lt;/i&gt; of the logged-in user matches their established profile.&lt;/p&gt; 
&lt;p&gt;Teams must focus on reducing the window between detection and response. Automated response playbooks that can "freeze" an identity upon the detection of an anomaly (like an unusual OAuth grant) are now essential.&lt;/p&gt; 
&lt;p&gt;Ontinue argues that while AI can speed up detection, expert oversight remains critical to navigating the nuances of identity-based attacks where a legitimate&amp;nbsp;tool is being used for a malicious purpose.&lt;/p&gt; 
&lt;p&gt;For the general public, the logging-in&amp;nbsp;trend means that the advice of "just use a strong password" is now dangerously incomplete.&lt;/p&gt; 
&lt;p&gt;While MFA remains a critical hurdle, the public must be educated on the risks of MFA fatigue (approving push notifications they didn't trigger) and sophisticated phishing that mimics legitimate login portals.&lt;/p&gt; 
&lt;p&gt;Just as enterprises must govern their identities, individuals must become more vigilant about the permissions&amp;nbsp;they grant to third-party apps via "Login with Google/Microsoft" buttons, which can be abused for OAuth token theft.&lt;/p&gt; 
&lt;p&gt;The Ontinue report is a clear signal that the perimeter hasn't just moved—it has dissolved into the identity layer. As attackers continue to automate and industrialize the theft of "keys," the only way to stay ahead is to build a defense that is as identity-focused and high-velocity as the adversary.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;As the report concludes: "In an era where attackers log in rather than break in, continuous validation... [is] no longer optional. [It is] essential."&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fskeleton-key-era-attackers-logging-in&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>Original Content</category>
      <category>Identity / Access Mgmt</category>
      <category>Non-Human Identities</category>
      <pubDate>Mon, 30 Mar 2026 19:08:20 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/skeleton-key-era-attackers-logging-in</guid>
      <dc:date>2026-03-30T19:08:20Z</dc:date>
    </item>
    <item>
      <title>Power, Control, and the Life You Lose Trying to Hold On</title>
      <link>https://www.secureworld.io/industry-news/power-control-life</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/power-control-life" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Thinking%20man%20-%20Predictions%20-%20pensive-arab-guy-in-casual-sitting-at-workdesk-th-2025-03-18-19-08-58-utc.jpg" alt="thinking man" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;One of my favorite &lt;a href="https://www.linkedin.com/in/steven-pressfield-0ab1449/"&gt;Steven Pressfield&lt;/a&gt; quotes doesn't come from some of his best-known works, "The War of Art" and "Turning Pro," which are two of my all-time favorites.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;One of my favorite &lt;a href="https://www.linkedin.com/in/steven-pressfield-0ab1449/"&gt;Steven Pressfield&lt;/a&gt; quotes doesn't come from some of his best-known works, "The War of Art" and "Turning Pro," which are two of my all-time favorites.&lt;/p&gt; 
&lt;p&gt;It comes from his book on Alexander the Great, "Virtues of War":&lt;/p&gt; 
&lt;p style="padding-left: 40px;"&gt;Alexander and his soldiers encounter an old man who stands in their way.&lt;/p&gt; 
&lt;p style="padding-left: 40px;"&gt;One of the soldiers demands that the old man move, saying to him:&lt;/p&gt; 
&lt;p style="padding-left: 40px;"&gt;&lt;em&gt;"This man has conquered the world! What have you done?"&lt;/em&gt;&lt;/p&gt; 
&lt;p style="padding-left: 40px;"&gt;The philosopher replied without an instant's hesitation,&lt;/p&gt; 
&lt;p style="padding-left: 40px;"&gt;&lt;em&gt;"I have conquered the need to conquer the world."&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;I used to want to conquer my old little world. And my conquering was through chasing externals to define who I am.&lt;/p&gt; 
&lt;p&gt;Because when identity is built on what’s outside of you, you're perpetually one outcome away from losing yourself.&lt;/p&gt; 
&lt;p&gt;It was a terrible way to live.&lt;/p&gt; 
&lt;p&gt;I look at what's going on in the world today, and I see people desperately trying to obtain as much power as they possibly can.&lt;/p&gt; 
&lt;p&gt;In my eyes, it's the greatest power grab I've seen in my 52 years.&lt;/p&gt; 
&lt;p&gt;Power is intoxicating, no doubt.&lt;/p&gt; 
&lt;p&gt;But it's also a self-fulfilling prison cell slowly built over time.&lt;/p&gt; 
&lt;p&gt;If power is your fuel, you're outsourcing your inner state to external approval and validation.&lt;/p&gt; 
&lt;p&gt;You're living on the top one inch of the ocean of life, completely missing the depth beneath you.&lt;/p&gt; 
&lt;p&gt;Because when you outsource your inner state to external validation, everything becomes a threat to what you need.&lt;/p&gt; 
&lt;p&gt;Life is lived in fear of losing what you have, even if the strategy appears to be acquiring more.&lt;/p&gt; 
&lt;p&gt;It's a strategy of defense disguised cleverly as offense.&lt;/p&gt; 
&lt;p&gt;Because what you have isn't enough, so you chase more, believing that when you reach a critical mass, you'll be untouchable, you won't lose what you have.&lt;/p&gt; 
&lt;p&gt;You'll be too big to fail.&lt;/p&gt; 
&lt;p&gt;But that's not true. Fear will still lurk around every corner, and you spend your life looking for what will take from you.&lt;/p&gt; 
&lt;p&gt;Because the life being built isn't coming from you, it's constantly being negotiated with the world around you.&lt;/p&gt; 
&lt;p&gt;Most of us aren't chasing power; we're chasing control over how we're perceived.&lt;/p&gt; 
&lt;p&gt;True power is created internally and requires no external validation.&lt;/p&gt; 
&lt;p&gt;But when you need to get drunk off of others' approval, fear, or validation, you will never understand this.&lt;/p&gt; 
&lt;p&gt;I want my life to be one of inner peace and emotional freedom, ease, and grace.&lt;/p&gt; 
&lt;p&gt;I don't chase these emotions "out there." I create them by coming back to,&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;"I have conquered the need to conquer the world."&amp;nbsp;&lt;/em&gt;&lt;/p&gt; 
&lt;p&gt;This article appeared originally &lt;a href="https://www.linkedin.com/pulse/power-control-life-you-lose-trying-hold-craig-stanland-ngire/"&gt;on LinkedIn here&lt;/a&gt;.&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fpower-control-life&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Leadership</category>
      <category>Career Development</category>
      <category>Featured Author</category>
      <pubDate>Sun, 29 Mar 2026 13:48:00 GMT</pubDate>
      <guid>https://www.secureworld.io/industry-news/power-control-life</guid>
      <dc:date>2026-03-29T13:48:00Z</dc:date>
      <dc:creator>Craig Stanland</dc:creator>
    </item>
    <item>
      <title>RSA Conference 2026 Recap: It's About Time for 'Power of Community'</title>
      <link>https://www.secureworld.io/industry-news/rsac-2026-recap-power-community</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/rsac-2026-recap-power-community" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/HEADER_RSA_blogger.jpg" alt="attendees at RSA Conference" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;Confession: While I've worked and attended tech events at the Moscone Center, when it comes to RSA Conference takes, I'm new. Since others are better equipped to deep dive into trends, news, and analysis, let's talk about time.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;Confession: While I've worked and attended tech events at the Moscone Center, when it comes to RSA Conference takes, I'm new. Since others are better equipped to deep dive into trends, news, and analysis, let's talk about time.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://www.secureworld.io/hs-fs/hubfs/When%20-%20Dan%20Pink.jpg?width=110&amp;amp;height=166&amp;amp;name=When%20-%20Dan%20Pink.jpg" width="110" height="166" alt="When - Dan Pink" style="height: auto; max-width: 100%; width: 110px; float: right; margin: 0px 0px 0px 5px;"&gt;In his book &lt;a href="https://www.danpink.com/books/when/"&gt;&lt;em&gt;When&lt;/em&gt;&lt;/a&gt;, Daniel Pink argues the case for matching the right task to the right part of the day. Decades of research spanning psychology, biology, economics, and medicine all reinforce that our daily human rhythms follow predictable patterns. Understanding and working with these can boost overall effectiveness and well-being. This collective flow of human energy was on center stage at the boisterous convergence of humanity and technology that was&amp;nbsp;RSA Conference 2026.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://www.secureworld.io/hs-fs/hubfs/2_stairs_lines_IMG_0310.jpg?width=4966&amp;amp;height=3344&amp;amp;name=2_stairs_lines_IMG_0310.jpg" width="4966" height="3344" alt="2_stairs_lines_IMG_0310" style="height: auto; max-width: 100%; width: 4966px; margin: 0px 0px 15px;"&gt;Stepping into Moscone Center South on Tuesday, March 24, was a hit of pure human energy. 2025 set a high-water mark of nearly 44,000 attendees. Final numbers are pending, but projections this year show another high.&lt;/p&gt; 
&lt;p&gt;Along with other "up-and-at-em" Day 1 achievers, I dived right into the check-in line during what in hindsight surely must have been peak morning rush. Snaking back and forth for around a quarter mile to the furthest corners of the lobby, this was "The Power of Community" (2026 theme) on blast. As a parent who's made the mandatory Disneyland pilgrimage, this was a &lt;em&gt;Star Wars: Rise of the Resistance&lt;/em&gt; during Spring Break-level line.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://www.secureworld.io/hs-fs/hubfs/3_Wrestling_IMG_0320%20copy.jpg?width=700&amp;amp;height=323&amp;amp;name=3_Wrestling_IMG_0320%20copy.jpg" width="700" height="323" alt="3_Wrestling_IMG_0320 copy" style="height: auto; max-width: 100%; width: 700px; margin: 0px auto 20px; display: block;"&gt;Regardless of preparation, shuttling that volume of humanity through any registration process is a herculean task. Fortunately, helpful line management paired with consistently positive RSAC staff kept the energy and excitement flowing. From security check to badge, the wait totaled around 40 minutes. Impressive.&lt;/p&gt; 
&lt;p&gt;Entering the main exhibition hall, morning energy was on full display. Booth representatives were caffeinated, demos had energy, and the talking points were flowing. This was a "get things done" type of energy. Media pass in hand, these were the best hours for optimistic "sky's the limit"&amp;nbsp;quotes, fact-finding, opinion gathering, and by-the-book insights.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://www.secureworld.io/hs-fs/hubfs/stage_IMG_0316%20copy.jpg?width=700&amp;amp;height=387&amp;amp;name=stage_IMG_0316%20copy.jpg" width="700" height="387" alt="stage_IMG_0316 copy" style="height: auto; max-width: 100%; width: 700px; margin: 0px auto 20px; display: block;"&gt;Balancing the initial five-alarm sensory overload that is the show floor, this was also prime time for a side quest up to the AI Village for a brief chat with founder &lt;a href="https://www.rsaconference.com/experts/sven-cattell"&gt;Sven Cattell&lt;/a&gt;. In this decidedly much more low-key and hands-on space, you could feel reflective, considered thought leadership flowing. This was a gathering of the brain trust with hands-on practitioners forging ahead to relentlessly fight the good fight. Not going to lie, chatting with a world-class expert PhD in Algebraic Topology who also has a postdoc in geometric machine learning on how humanity might better secure our future was a "smile and nod"&amp;nbsp;type experience. Highly recommended for those looking to get "rubber meets the road" insights. (Literally, the next keynote while I was there was "Securing Autonomous EV Mobility.") After a brief stopover in the well-furnished media room for a quick lunch, it was back into the post-lunch exhibition floor.&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://www.secureworld.io/hs-fs/hubfs/matrix_IMG_0312%20copy.jpg?width=700&amp;amp;height=429&amp;amp;name=matrix_IMG_0312%20copy.jpg" width="700" height="429" alt="matrix_IMG_0312 copy" style="height: auto; max-width: 100%; width: 700px; margin: 0px auto 20px; display: block;"&gt;In &lt;em&gt;When&lt;/em&gt;, Pink notes that this post-lunch period marks a "trough"—the low point of the daily energy cycle for most people. For those diligently working the full-contact arena of the exhibition floor, this is the tough period. The promise of evening happy hours is still hours away. I saw one or two whisper rooms repurposed for a power nap. (Pink would approve.)&lt;/p&gt; 
&lt;p&gt;That said, conversations from this point onward became more real. With the white-hot morning energy burned away, you couldn't help but feel the conversations getting tangibly more "real." Pink notes that at this point in the day, analytical thinking, focus, and careful judgment are at their weakest (a boon for intrepid reporters seeking out raw takes and quotes). While all rules are off when the bright show lights are on, in normal times, Pink cautions against scheduling important decisions, high-stakes meetings, or complex problem-solving during this window. Yeah, not gonna happen here—we're powering through.&lt;/p&gt; 
&lt;p&gt;Conversations during this time surfaced honest impressions, vulnerabilities about the challenges faced, and a refreshing wave of "we're all in this together." Those who went hard out of the gate on swag acquisition found both bags and bodies tested. (I saw more than one bulging bag being dragged by an attendee who likely found this window a bit more exhausting than most.)&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://www.secureworld.io/hs-fs/hubfs/crowds_IMG_0311.jpg?width=800&amp;amp;height=363&amp;amp;name=crowds_IMG_0311.jpg" width="800" height="363" alt="crowds_IMG_0311" style="height: auto; max-width: 100%; width: 800px; margin: 0px auto 20px; display: block;"&gt;Soon enough, the promise of after-hours events appeared on the horizon. With copious choices of more hosted food, drink, and entertainment throughout the SoMa neighborhood and beyond, a collective eagerness filled the atmosphere and the energy started to build. Clearly, we were collectively climbing out of the trough to the promise of evening energy. Good food, good drink, and a chance to bond with newfound friends will do that.&lt;/p&gt; 
&lt;p&gt;In the end, surfing the energetic tides of RSAC 2026 left a deeper appreciation for the ebb and flow of both personal and collective energy. Making your way through the Super Bowl + World Cup + Olympics of cybersecurity, you can't help but respect our industry. Speaking from the editorial side of a cybersecurity events organizer, it was heartening to see humans do what humans have done for thousands of years—gather. RSAC 2026 was "Power of Community" embodied—in all its forms.&lt;/p&gt; 
&lt;p&gt;Nice to know that for all the talk of the undeniably impressive silicon and software advances, all this impressive tech is in service of us, the humans. The responsibility falls on us to make our world a bit more secure.&lt;/p&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Frsac-2026-recap-power-community&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>RSAC</category>
      <category>Original Content</category>
      <category>Cybersecurity Conference</category>
      <pubDate>Fri, 27 Mar 2026 18:54:36 GMT</pubDate>
      <author>tbriggs@secureworld.io (Tom Briggs)</author>
      <guid>https://www.secureworld.io/industry-news/rsac-2026-recap-power-community</guid>
      <dc:date>2026-03-27T18:54:36Z</dc:date>
    </item>
    <item>
      <title>The Rise of the Agentic Enterprise: Navigating the Latest Cyber Risk</title>
      <link>https://www.secureworld.io/industry-news/agentic-enterprise-cyber-risk</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/agentic-enterprise-cyber-risk" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/AI%20Data%20Breach%20focused-female-cybersecurity-manager-in-enterprise-2025-03-11-08-22-56-utc_V2-1.jpg" alt="woman on phone at desk" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;The conversation around AI is shifting from "chatbots" to "agents." According to the recent McKinsey &amp;amp; Company analysis, "Securing the agentic enterprise: Opportunities for cybersecurity providers,"&amp;nbsp;cybersecurity is entering an era where AI doesn't just suggest actions, it executes them autonomously.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;The conversation around AI is shifting from "chatbots" to "agents." According to the recent McKinsey &amp;amp; Company analysis, "Securing the agentic enterprise: Opportunities for cybersecurity providers,"&amp;nbsp;cybersecurity is entering an era where AI doesn't just suggest actions, it executes them autonomously.&lt;/p&gt; 
&lt;p&gt;For security professionals, the&amp;nbsp;shift reported in &lt;a href="https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/securing-the-agentic-enterprise-opportunities-for-cybersecurity-providers#/"&gt;the article&lt;/a&gt; represents a fundamental change in the attack surface. CISOs and their teams are no longer just securing human users; they are securing a "chaotic web" of autonomous entities.&lt;/p&gt; 
&lt;p&gt;"&lt;span style="color: #242424; background-color: #ffffff;"&gt;What we're seeing isn't just an expansion of endpoints—it's an expansion of decision-makers," said &lt;a href="https://events.secureworld.io/speakers/matt-pour/"&gt;Matt Pour&lt;/a&gt;, Director of Solution Engineering at Island. "Every agent introduces its own logic path, and security teams now have to account for behavior, not just access."&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;The "Agentic Enterprise" is defined by AI agents that can browse the web, access internal APIs, and make independent decisions to achieve a goal. While this unlocks unprecedented productivity, it introduces three "double-edged" risks.&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;The expanded identity perimeter:&lt;/span&gt; Every autonomous agent is essentially a non-human identity. If an agent has the authority to move data or change configurations, it becomes a high-value target for "Agent Hijacking" or prompt injection.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;The "black box" execution risk:&lt;/span&gt; Unlike traditional automation with fixed logic, agentic AI can be unpredictable. An agent might find a "creative" way to solve a problem that inadvertently violates compliance or security policies.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Weaponized autonomy:&lt;/span&gt; Attackers are using the same agentic frameworks to conduct automated reconnaissance and multi-channel social engineering at a scale no human-led SOC can match.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: normal;"&gt;"&lt;span style="color: #242424; background-color: #ffffff;"&gt;The real risk isn't just that agents can act, it's that they can act in ways we didn't explicitly design," Pour said. "That gap between intention and execution is where governance has to step in, because that's where most of the new attack surface lives."&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;For solution and service providers, the "Agentic Era" is a massive market opportunity to move beyond simple tool resale and into AI Governance and Assurance.&lt;/p&gt; 
&lt;p&gt;Providers must evolve from managing SIEM alerts to orchestrating "Agentic Guardrails." This includes deploying real-time monitoring that can detect when an AI agent is deviating from its intended behavioral profile.&lt;/p&gt; 
&lt;p&gt;"Guardrails can't be static policies anymore," Pour added. "They need to operate at runtime, adapting to what an agent is trying to do in context—and in high-risk scenarios, that includes building in human approvals to ensure autonomy doesn’t outpace accountability."&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;There is a growing vacuum for startups to build tools specifically for LLM Security and Model Poisoning defense. Vendors that can offer "Secure-by-Design" agent frameworks will win the trust of risk-averse enterprises. Call it the rise of agentic security platforms.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;MSPs have an opportunity to offer "AI Stress Testing" as a service—using autonomous red-teaming agents to constantly probe an enterprise's defenses for AI-driven misconfigurations.&lt;/p&gt; 
&lt;p&gt;The McKinsey report suggests that the "arm's length" relationship between enterprises and their security partners is no longer sustainable.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: normal;"&gt;Just as the cloud created a shared responsibility model, the agentic enterprise requires a shared behavioral model. Enterprises must define the "intent," while vendors provide the technical "guardrails" to ensure that intent is executed safely.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;Security teams will demand "Explainable AI" from their vendors. If a security platform uses an autonomous agent to remediate a threat, the enterprise needs to know exactly &lt;i&gt;why&lt;/i&gt; that decision was made to maintain regulatory compliance.&lt;/p&gt; 
&lt;p&gt;The relationship will become more iterative. Enterprise security teams will need to work closer than ever with vendors to "fine tune" defensive agents against the specific business logic of their organization.&lt;/p&gt; 
&lt;h2&gt;&lt;strong&gt;What's next? The roadmap to agentic resilience&lt;/strong&gt;&lt;/h2&gt; 
&lt;p&gt;The McKinsey analysis makes it clear: the perimeter is no longer just invisible—it is active. To prepare, cybersecurity leaders should:&lt;/p&gt; 
&lt;ol&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Inventory non-human identities:&lt;/span&gt; Start treating every AI agent with the same level of governance as a privileged human user.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Establish "agentic guardrails":&lt;/span&gt; Implement runtime controls that can "kill-switch" an agent if it attempts to access unauthorized data or execute high-risk commands.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Update the mental OS:&lt;/span&gt; Move from a mindset of "preventing access" to "governing autonomy."&lt;/p&gt; &lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;We asked some additional experts from cybersecurity vendors for their thoughts on securing the new chaotic web.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;&lt;a href="https://www.linkedin.com/in/matt-hartman-38a59a2/"&gt;Matthew Hartman&lt;/a&gt;, Chief Strategy Officer at Merlin Group, said:&lt;/span&gt;&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;"Agentic AI and emerging technologies will change the tools defenders use, but the most valuable skills remain broadly human ones—curiosity, problem-solving, and the initiative to investigate anomalies and adapt quickly. Organizations across all industries are increasingly looking for workers who can combine strong technical fundamentals with deep AI-curiosity. Defenders who demonstrate the ability to think critically about how technology evolutions change risk and defense will be successful."&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: bold;"&gt;&amp;nbsp;&lt;a href="https://www.linkedin.com/in/amit-zimerman/"&gt;Amit Zimerman&lt;/a&gt;, Co-Founder &amp;amp; Chief Product Officer at Oasis Security, said:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;"Human oversight remains vital when using AI in offensive cybersecurity. While AI is highly efficient in automating and scaling tasks, human expertise is necessary to interpret complex results, make critical decisions, and apply context-specific reasoning. Humans are essential for ensuring that AI-driven tools are used responsibly and for validating the results of AI processes, especially when it comes to the nuances of certain vulnerabilities or threat landscapes."&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;"AI also plays a significant role in 'shift-left'&amp;nbsp;approaches by identifying security vulnerabilities earlier in the software development lifecycle. When integrated into offensive security measures, AI can detect and address issues before they make it into production, reducing the cost of remediation and improving the overall security posture of an organization."&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;"Agentic AI security is still a rapidly evolving space. Enterprise readiness is ultimately proven in practice, not just at launch."&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: bold;"&gt;&lt;a href="https://www.linkedin.com/in/dianakelleysecuritycurve/"&gt;Diana Kelley&lt;/a&gt;, CISO at Noma Security, said:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li style="font-weight: normal;"&gt; &lt;p&gt;"AI agents introduce a new dimension of supply chain risk because they're not just libraries or packages being pulled into the software development lifecycle by DevOps teams. They're software systems that use LLM outputs to determine next steps and execute actions across connected tools with the user’s delegated permissions. And they're being adopted by everyone from curious CEOs to highly-motivated new hires."&lt;/p&gt; &lt;/li&gt; 
 &lt;li style="font-weight: normal;"&gt; &lt;p&gt;"Traditional supply chain controls were built for static artifacts: signed code, scanned dependencies, and trusted repositories. When you review and scan code before deployment, you can generally understand its intended behavior, even if you can’t predict every possible outcome. Agents are different. Their behavior can be assembled dynamically at runtime, with LLM-generated outputs influencing what steps they take next."&lt;/p&gt; &lt;/li&gt; 
 &lt;li style="font-weight: normal;"&gt; &lt;p&gt;"An AI agent uses an LLM to read text and decide what to do next. The LLM generates the response, and the agent turns that response into actions using connected tools. So, if someone hides harmful instructions inside a document or tool, the LLM may interpret those instructions as something to follow, and the agent may act on them. The document isn't code, but it can still influence what the software does."&lt;/p&gt; &lt;/li&gt; 
 &lt;li style="font-weight: normal;"&gt; &lt;p&gt;"That level of dynamic behavior and connectivity can create a fast-moving path from an untrusted external component to real internal impact."&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: bold;"&gt;&lt;a href="https://www.linkedin.com/in/randolphbarr/"&gt;Randolph Barr&lt;/a&gt;, CISO at Cequence Security, said:&amp;nbsp;&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li style="font-weight: normal;"&gt; &lt;p&gt;"We're seeing AI rapidly evolve from simple automation to deeply personalized, context-aware assistance—and it's heading toward an Agentic AI future where tasks are orchestrated across domains with minimal human input."&lt;/p&gt; &lt;/li&gt; 
 &lt;li style="font-weight: normal;"&gt; &lt;p&gt;"Before we even get to AI-specific risks, we have to get the fundamentals right. In the haste to bring AI to market quickly, engineering and product teams often cut corners to meet aggressive launch timelines. When that happens, basic security controls get skipped, and those shortcuts make their way into production. So, while organizations are absolutely starting to think about model protections, prompt injection, data leakage, and anomaly detection, those efforts mean little if you haven't locked down identity, access, and configuration at a foundational level."&lt;/p&gt; &lt;/li&gt; 
 &lt;li style="font-weight: normal;"&gt; &lt;p&gt;"Security needs to be part of the development lifecycle from the beginning."&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: bold;"&gt;&lt;a href="https://www.linkedin.com/in/kdshah/"&gt;Kamal Shah&lt;/a&gt;, CEO&amp;nbsp;at Prophet Security, said:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;"AI improves the quality and clarity of vulnerability reporting by the hacking community. Researchers are using AI to draft clear guidance based on their findings, while documenting impact for multiple audiences within an organization. Some hackers have built AI agents to capture and annotate screenshots and network requests automatically, providing the necessary evidence that enterprises need to validate their findings. For organizations, this means receiving standardized, professional reports that are easier to reproduce and fix, effectively reducing the expensive back-and-forth typical of manual triage."&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt;  
&lt;img src="https://track.hubspot.com/__ptq.gif?a=2221756&amp;amp;k=14&amp;amp;r=https%3A%2F%2Fwww.secureworld.io%2Findustry-news%2Fagentic-enterprise-cyber-risk&amp;amp;bu=https%253A%252F%252Fwww.secureworld.io%252Findustry-news&amp;amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "&gt;</content:encoded>
      <category>Featured</category>
      <category>Artificial Intelligence</category>
      <category>Original Content</category>
      <category>Enterprise Security</category>
      <category>Cyber Risk</category>
      <category>Agentic AI</category>
      <pubDate>Fri, 27 Mar 2026 11:36:00 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/agentic-enterprise-cyber-risk</guid>
      <dc:date>2026-03-27T11:36:00Z</dc:date>
    </item>
    <item>
      <title>Bridging the Governance Gap in the AI-Driven Enterprise</title>
      <link>https://www.secureworld.io/industry-news/ai-governance-gap</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/ai-governance-gap" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/AI%20Chaos%20-%20business-people-talking-in-corridor-2026-03-10-02-06-10-utc.jpg" alt="business people in motion" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p style="font-weight: normal;"&gt;The transition from "AI curiosity" to "AI dependency" has happened faster than almost any other technological shift in recent history. But according to Auvik's newly-released 2026 IT Trends Report, "Beyond the hype: The Real State of IT in 2026," enterprises are currently living through a dangerous "maturity mirage."&lt;/p&gt;</description>
      <content:encoded>&lt;p style="font-weight: normal;"&gt;The transition from "AI curiosity" to "AI dependency" has happened faster than almost any other technological shift in recent history. But according to Auvik's newly-released 2026 IT Trends Report, "Beyond the hype: The Real State of IT in 2026," enterprises are currently living through a dangerous "maturity mirage."&lt;/p&gt; 
&lt;p&gt;While organizations are rushing to integrate artificial intelligence into every facet of their workflows, a massive disconnect has emerged between IT ambition and cybersecurity reality. For the modern CISO and security practitioner, &lt;a href="https://www.auvik.com/wp-content/uploads/2026/03/IT-Trends-Report-2026.pdf"&gt;the&amp;nbsp;report&lt;/a&gt; serves as both a roadmap and a warning.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;The headline from the Auvik report is jarring: nearly 30% of organizations currently have no formal policy governing the use of AI, despite the fact that AI tools are already pervasive across their networks.&lt;/p&gt; 
&lt;p&gt;This "governance gap" creates a unique set of challenges. IT teams are now managing an average of three million SaaS applications across the Auvik ecosystem. Many of these are AI-driven tools adopted by employees without security oversight, leading to "shadow AI"—where sensitive corporate data is fed into public LLMs without privacy guardrails.&lt;/p&gt; 
&lt;p&gt;As the workforce becomes more distributed, the "perimeter" has effectively vanished. Security teams are struggling with a lack of visibility, with 51% of IT professionals citing "network visibility" as a top challenge in managing remote and hybrid endpoints.&lt;/p&gt; 
&lt;p&gt;"AI is everywhere in IT conversations right now, but our data shows that enthusiasm is running well ahead of readiness," said&amp;nbsp;&lt;a href="https://www.linkedin.com/in/douglas-murray-2324932/"&gt;Doug Murray&lt;/a&gt;, CEO of Auvik. "When three-quarters of IT leaders believe they have an AI policy but fewer than half of help desk staff say the same, that's an implementation problem versus a policy problem. Until governance is understood at every level of the organization, AI risks becoming just another source of Shadow IT rather than a solution to it."&lt;/p&gt; 
&lt;p&gt;The report identifies a "maturity mirage" where organizations believe they are more prepared for digital transformation than they actually are. For cybersecurity professionals, this translates into several critical hurdles.&lt;/p&gt; 
&lt;ol&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;The budget vs. time paradox:&lt;/span&gt; While budgets are shifting toward AI and automation, IT teams are still bogged down by "keep-the-lights-on" tasks. More than 40% of IT leaders spend the majority of their time on reactive troubleshooting rather than proactive security architecture.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;AI-driven misconfigurations:&lt;/span&gt; As AI accelerates the speed of deployment, it also accelerates the speed of error. Automated systems can create complex cloud misconfigurations in minutes, weaponizing an environment before a human analyst can even receive an alert.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;The identity crisis:&lt;/span&gt; With "logging in" replacing "breaking in" as the primary attack vector, the report underscores the urgent need for Workforce Identity Verification. Attackers are leveraging AI-enabled vishing and deepfakes to bypass legacy MFA, targeting the very help desks meant to protect the organization.&lt;/p&gt; &lt;/li&gt; 
&lt;/ol&gt; 
&lt;p&gt;[RELATED: &lt;a href="https://www.secureworld.io/industry-news/darktrace-threat-report-logging-in"&gt;Darktrace Threat Report: Logging In Is the New Breaking In&lt;/a&gt;]&lt;/p&gt; 
&lt;p&gt;Despite the risks, the Auvik report highlights significant opportunities for security teams to evolve from "department of no" to "strategic enablers."&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;Organizations that move toward unified detection and response platforms are seeing a reduction in "operational drag." By consolidating the security stack, teams can reclaim the time needed to focus on AI governance.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;Security teams can use the same AI-driven automation as attackers to perform continuous, real-time auditing of their SaaS and cloud sprawl.&lt;/p&gt; 
&lt;p&gt;The report suggests a need for IT leaders to update their "mental operating system." This means moving away from low-context metrics like CVSS and toward a context-aware risk management model that prioritizes business continuity.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;Auvik's findings suggest that the next 12 months will be defined by a shift from AI Hype to AI Governance. To stay ahead, cybersecurity professionals should:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li style="font-weight: normal;"&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Draft and enforce "Acceptable Use" for AI:&lt;/span&gt; Closing the 30% policy gap is the first priority. Security must define which data can be shared with LLMs and which must remain within air-gapped or private instances.&lt;/p&gt; &lt;/li&gt; 
 &lt;li style="font-weight: normal;"&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Audit the SaaS shadow:&lt;/span&gt; Use network management and SaaS discovery tools to identify exactly where Shadow AI&amp;nbsp;is operating.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;Invest in identity-first security:&lt;/span&gt; As the perimeter disappears, Identity is the new perimeter. Implementing Zero Trust for cloud and hardening help desk recovery workflows against AI-enabled impersonation is non-negotiable.&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt;  
</content:encoded>
      <category>Featured</category>
      <category>GRC</category>
      <category>Artificial Intelligence</category>
      <category>Original Content</category>
      <category>Identity / Access Mgmt</category>
      <pubDate>Thu, 26 Mar 2026 12:24:59 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/ai-governance-gap</guid>
      <dc:date>2026-03-26T12:24:59Z</dc:date>
    </item>
    <item>
      <title>'Security Through Obscurity' Days Are Over for Manufacturing Sector</title>
      <link>https://www.secureworld.io/industry-news/manufacturing-sector-cybersecurity</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/manufacturing-sector-cybersecurity" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/manufacturing%20-%20portrait-of-a-male-hispanic-american-executive-in-2026-01-09-09-41-04-utc.jpg" alt="man overlooking a factory setting" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p style="font-weight: normal;"&gt;For years, the manufacturing sector operated under the "security through obscurity" model—relying on air-gapped systems and proprietary protocols to stay off the radar of mainstream cybercriminals. According to the Huntress 2026 Cyber Threat Report, those days are officially over.&lt;/p&gt;</description>
      <content:encoded>&lt;p style="font-weight: normal;"&gt;For years, the manufacturing sector operated under the "security through obscurity" model—relying on air-gapped systems and proprietary protocols to stay off the radar of mainstream cybercriminals. According to the Huntress 2026 Cyber Threat Report, those days are officially over.&lt;/p&gt;  
&lt;p style="font-weight: normal;"&gt;Manufacturing has emerged as one of the most targeted industries, not necessarily because its data is the most valuable, but because its tolerance for downtime is the lowest. In an industry where "minutes equal millions," attackers are shifting their tactics from simple data theft to sophisticated operational paralysis.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;&lt;a href="https://www.huntress.com/viewer/a07a97085ed242dfa01c98aea2023db5"&gt;The report&lt;/a&gt; highlights a staggering shift: attackers have realized they don't need to find a zero-day exploit when they can simply steal a credential. In manufacturing, where remote access for vendors and technicians is a necessity, identity-based attacks have surged. And &lt;a href="https://www.huntress.com/blog/manufacturing-cybersecurity-trends"&gt;a recent blog post&lt;/a&gt; dives further into the woes manufacturers face from a cybersecurity standpoint.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;What it means: CISOs must move beyond traditional MFA. Attackers are now using MFA fatigue and token theft to bypass legacy defenses. For a manufacturing firm, a single compromised service account&amp;nbsp;used for equipment maintenance can provide an attacker with lateral access to the entire Production VLAN.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;One of the most unsettling trends in the 2026 report is the heavy abuse of Remote Monitoring and Management (RMM) tools. Attackers are "living off the land," using the very software your IT team uses to manage the environment to instead deploy ransomware or exfiltrate IP.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;What it means: Security teams can no longer assume that "authorized software" is performing "authorized actions." Detecting these threats requires behavioral analysis that can distinguish between a technician performing a routine update and an adversary using that same tool to disable security agents.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;Ransomware remains the apex predator for manufacturing. However, the report notes a shift toward exfiltration-only attacks and lock-and-leak tactics. Attackers are increasingly targeting the "crown jewels" of manufacturing: proprietary CAD files, sensitive formulas, and supply chain contracts.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;What it means: Even if your backups are "gold-plated" and you can restore systems in hours, the &lt;i&gt;threat of data exposure&lt;/i&gt; remains a powerful lever for extortion. Defense strategies must prioritize Data Loss Prevention (DLP) and egress filtering just as much as rapid recovery.&lt;/p&gt; 
&lt;p&gt;From the blog post: "Threat actors have figured out that while you might be able to live without your data for a few days, you can't survive with a dead assembly line. They're moving past the office network to disrupt the operational technology (OT) systems that keep your machines running.&lt;/p&gt; 
&lt;p&gt;While the exact cost changes based on what you're making, the ripple effects are the same across the board:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;Missed shipments: Late deliveries trigger contract penalties and upset your biggest partners.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Idle labor: You're still paying for staff and overhead, even if no one can do their job.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Restart pains: Getting an OT system back online safely takes much longer than a standard IT reboot.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Safety risks: Sudden shutdowns can damage sensitive equipment or create hazardous conditions for people on the floor or in the plants."&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p style="font-weight: normal;"&gt;The 2026 landscape demands a transition from "security as a cost center" to "resilience as a business continuity strategy," the researchers urge. Some tips from the report and blog post:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Audit "shadow" integrations:&lt;/span&gt; Manufacturers often have a sprawling web of SaaS and cloud-native integrations that create an invisible attack surface. Securing these "fragmented identities" is now the mandate for survival.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Bridge the IT/OT gap:&lt;/span&gt; As digital convergence accelerates, the air gap is a myth. Security teams need unified visibility that covers both the corporate office and the PLC (Programmable Logic Controller) on the floor.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Prepare for AI-speed social engineering: &lt;/span&gt;The report warns of a 14x increase in AI-generated phishing. Manufacturing help desks—often the primary point for password resets and vendor onboarding—must be trained to identify synthetic audio and hyper-personalized impersonation attempts.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;More from the blog post around control and governance:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;"Between government programs and directives like CMMC 2.0 and NIS2, and big customers demanding proof of security before they sign a contract, the pressure is on."&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;"Governance is about making sure that cybersecurity programs are fit-for-purpose, well-managed, and compliant, so that if a threat actor does find a way in, you have a practical plan to stop them. Regulators and partners want to see that you aren't just guessing—they want to see that you have a handle on who has access to your systems, apps, and data, and what's running on your floor."&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;As the blog points out, Zero Trust has finally hit the factory floor.&lt;/p&gt; 
&lt;p&gt;"Zero Trust architecture can feel like a lot to ask of an organization and its employees," said &lt;a href="https://www.linkedin.com/in/brianmilbier/"&gt;Brian Milbier&lt;/a&gt;, Senior Director of Security and IT and Deputy CISO at Huntress. "But, what it's really about is ensuring that every system at every level is protected and that no one is able to gain unauthorized access."&lt;/p&gt;  
</content:encoded>
      <category>Featured</category>
      <category>Original Content</category>
      <category>Manufacturing</category>
      <category>OT Security</category>
      <pubDate>Wed, 25 Mar 2026 17:10:46 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/manufacturing-sector-cybersecurity</guid>
      <dc:date>2026-03-25T17:10:46Z</dc:date>
    </item>
    <item>
      <title>U.S. FCC Adds All Foreign-Made Consumer Routers to Covered List</title>
      <link>https://www.secureworld.io/industry-news/fcc-foreign-consumer-routers-covered-list</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/fcc-foreign-consumer-routers-covered-list" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Router%20-%20network-cabling-infrastructure-in-modern-data-cent-2026-03-10-03-56-00-utc.jpg" alt="U.S. FCC Adds All Foreign-Made Consumer Routers to Covered List" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;The U.S. Federal Communications Commission took sweeping action on March 23, 2026, adding all consumer-grade routers produced outside the United States to its &lt;a href="https://www.fcc.gov/supplychain/coveredlist"&gt;Covered List&lt;/a&gt;—the agency's catalog of communications equipment deemed to pose unacceptable national security risks. The practical effect is a forward-looking prohibition: no new foreign-made router model can receive FCC equipment authorization, which is required for any device to be legally imported, marketed, or sold in the U.S.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;The U.S. Federal Communications Commission took sweeping action on March 23, 2026, adding all consumer-grade routers produced outside the United States to its &lt;a href="https://www.fcc.gov/supplychain/coveredlist"&gt;Covered List&lt;/a&gt;—the agency's catalog of communications equipment deemed to pose unacceptable national security risks. The practical effect is a forward-looking prohibition: no new foreign-made router model can receive FCC equipment authorization, which is required for any device to be legally imported, marketed, or sold in the U.S.&lt;/p&gt;  
&lt;p&gt;The move follows a determination by a White House-convened interagency body that foreign-produced routers introduce a supply chain vulnerability capable of disrupting critical infrastructure and national defense, and present a "severe cybersecurity risk" that could be leveraged to attack American households and networks. FCC Chairman Brendan Carr welcomed the determination in a statement released alongside the announcement.&lt;/p&gt; 
&lt;h2 style="font-weight: normal;"&gt;Typhoon campaigns cited as catalyst&lt;/h2&gt; 
&lt;p&gt;The FCC's action explicitly names three high-profile Chinese state-sponsored intrusion campaigns—&lt;a href="https://www.secureworld.io/industry-news/nsa-china-hackers-us-infrastructure"&gt;Volt Typhoon&lt;/a&gt;, Flax Typhoon, and &lt;a href="https://www.secureworld.io/industry-news/salt-typhoon-espionage-cisco-routers"&gt;Salt Typhoon&lt;/a&gt;—as evidence that foreign-manufactured SOHO routers have already been weaponized against U.S. infrastructure. Those campaigns, which drew significant attention from the intelligence community and federal agencies over the past two years, exploited vulnerabilities in small-office and home-office networking hardware to gain persistent footholds in American networks, including those of telecommunications providers and critical infrastructure operators.&lt;/p&gt; 
&lt;p&gt;The citation matters because it frames this ruling not as a precautionary measure&amp;nbsp;but as a response to documented, large-scale exploitation. It also signals that the FCC is extending the logic it applied to specific vendors—&lt;a href="https://www.secureworld.io/industry-news/fcc-designation-huawei-and-zte-are-national-security-risks"&gt;Huawei and ZTE were placed on the Covered List&lt;/a&gt; years ago—to an entire product category defined by manufacturing geography.&lt;/p&gt; 
&lt;h3 style="font-weight: normal;"&gt;Scope: what is and isn't affected&lt;/h3&gt; 
&lt;p&gt;The ruling applies exclusively to new device models seeking FCC equipment authorization. Routers already authorized and in use are not affected; consumers can continue using previously purchased devices, and retailers can continue selling existing authorized inventory. The restriction is structural and forward-looking, not a recall or a ban on current hardware.&lt;/p&gt; 
&lt;p&gt;The scope, however, is broad. China accounts for an estimated 60% or more of the U.S. home router market. But the FCC's FAQ is explicit that the manufacturer's nationality is irrelevant—the determining factor is where the device is produced. That sweeps in U.S.-headquartered companies with overseas manufacturing operations, including major brands that design domestically but contract production to facilities in Asia.&lt;/p&gt; 
&lt;p&gt;A limited exit ramp exists. Manufacturers can apply to the Department of Defense or the Department of Homeland Security for "Conditional Approval," which requires companies to disclose their full management structure, detail their supply chain, and submit a concrete plan to onshore manufacturing in the United States. There is no established timeline for approval, and early indicators from the analogous December 2025 drone ban—where four non-Chinese manufacturers received conditional approval while Chinese market leaders remain blocked—suggest the process will be selective.&lt;/p&gt; 
&lt;h4 style="font-weight: normal;"&gt;Industry impact: a supply chain squeeze&lt;/h4&gt; 
&lt;p&gt;The market implications are significant. Because virtually no consumer router currently on the market is manufactured entirely within the United States—even brands that design domestically use overseas contract manufacturers—the ruling puts enormous pressure on an industry that has operated on the assumption of globalized hardware supply chains.&lt;/p&gt; 
&lt;p&gt;For enterprise security and IT procurement teams, the more immediate concern is not an overnight disruption but a medium-term squeeze on available hardware options for remote worker kits, branch office deployments, and network refreshes. As eligible product lines narrow, prices are expected to rise and vendor choices to consolidate around manufacturers that can navigate the conditional approval pathway or invest in domestic production capacity.&lt;/p&gt; 
&lt;h5 style="font-weight: normal;"&gt;Expert perspectives&lt;/h5&gt; 
&lt;p&gt;Jacob Krell, Senior Director of Secure AI Solutions &amp;amp; Cybersecurity at Suzu Labs, said the ruling reflects a risk the security community has been raising for years:&lt;/p&gt; 
&lt;blockquote&gt; 
 &lt;p&gt;"Supply chain compromise is becoming one of the most serious threat vectors for nation state and advanced intrusion activity targeting critical infrastructure. The FCC's decision to add foreign manufactured consumer routers to its Covered List reflects a risk the security community has been warning about for years.&lt;/p&gt; 
 &lt;p&gt;As endpoint and product security have improved, adversaries have increasingly looked upstream toward manufacturing, firmware, and other supply chain dependencies where compromise can create durable access. The FCC's citation of Volt Typhoon, Flax Typhoon, and Salt Typhoon is consistent with that concern. Network devices are especially attractive targets because they sit in the path of every packet entering and leaving an environment, and predeployment compromise can be exceptionally difficult to detect and remediate.&lt;/p&gt; 
 &lt;p&gt;Security leaders should treat this as a procurement signal. If the federal government has concluded that foreign manufactured network hardware can present unacceptable supply chain risk, organizations should be reviewing whether their own vendor diligence, firmware assurance, and hardware sourcing practices reflect that same reality. Every router, switch, and access point in the environment came from a supply chain. Knowing where that hardware was manufactured, who wrote the firmware, and what visibility exists into that process is no longer a theoretical exercise."&lt;/p&gt; 
&lt;/blockquote&gt; 
&lt;p&gt;Damon Small, a board of directors member at Xcape, Inc., described the decision as a significant escalation of the government’s supply chain posture:&lt;/p&gt; 
&lt;blockquote&gt; 
 &lt;p&gt;"This is a massive expansion of U.S. tech protectionism, moving beyond specific Chinese entities like Huawei or ZTE to a blanket ban on all foreign-produced consumer routing hardware. By citing the weaponization of SOHO routers by groups like Volt Typhoon and Salt Typhoon, the FCC is treating the humble home router as a primary vector for national-scale pivot attacks against critical infrastructure.&lt;/p&gt; 
 &lt;p&gt;For security leaders, the immediate risk isn't an overnight 'dark start,' but a long-term supply chain squeeze; with more than 60% of the market currently dominated by foreign manufacturing, procurement for remote-worker kits and branch offices is about to become significantly more expensive and limited to a handful of 'trusted'&amp;nbsp;(likely domestic) vendors.&lt;/p&gt; 
 &lt;p&gt;Defenders should audit their current fleet of remote-access hardware and prioritize vendors moving toward U.S.-based manufacturing or those actively seeking DHS 'Conditional Approval.' While existing hardware is safe for now, expect insurance carriers and federal auditors to eventually move the goalposts from 'legal to use'&amp;nbsp;to 'compliant to keep.'"&lt;/p&gt; 
&lt;/blockquote&gt; 
&lt;h6 style="font-weight: normal;"&gt;What security leaders should do now&lt;/h6&gt; 
&lt;p&gt;Both experts emphasize that this ruling, even if challenged in court—as the December drone ban has been—signals a durable shift in how U.S. policymakers are treating network hardware supply chain risk.&lt;/p&gt; 
&lt;p&gt;This creates practical near-term takeaways for security and procurement teams:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;Audit existing remote access and branch hardware inventories, and document where each piece of equipment was manufactured.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Evaluate vendor roadmaps for conditional approval or domestic production investment. Incorporate hardware provenance into procurement criteria and third-party risk assessments, applying the same scrutiny to switches and access points as to routers.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Monitor the conditional approval process at the DoD and DHS, since that pipeline will define which products remain viable in the medium term.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;The FCC's action is the latest in a series of escalating supply chain interventions—from the Huawei and ZTE vendor bans to the December 2025 drone restrictions. Whether it survives legal challenge or not, it reflects a federal posture that treats the network hardware supply chain as a national security domain rather than a procurement commodity.&lt;/p&gt; 
</content:encoded>
      <category>Featured</category>
      <category>Supply Chains</category>
      <category>Critical Infrastructure</category>
      <category>Government</category>
      <category>Network Security</category>
      <category>Policy</category>
      <category>Original Content</category>
      <category>FCC</category>
      <pubDate>Tue, 24 Mar 2026 21:19:00 GMT</pubDate>
      <author>drewt@secureworld.io (Drew Todd)</author>
      <guid>https://www.secureworld.io/industry-news/fcc-foreign-consumer-routers-covered-list</guid>
      <dc:date>2026-03-24T21:19:00Z</dc:date>
    </item>
    <item>
      <title>The AI Asymmetry: Finding Bugs Faster Might Create Security Issues</title>
      <link>https://www.secureworld.io/industry-news/ai-asymmetry-finding-bug-fasters</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/ai-asymmetry-finding-bug-fasters" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/AI%20bugs%20-shutterstock_2670592671.jpg" alt="IT workers collaborating" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;In the arms race of modern cybersecurity, automated bug detection has been viewed by many as the holy grail. However, a recent sector in-depth report from Moody's Ratings suggests that the technological leap is creating a dangerous paradox.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;In the arms race of modern cybersecurity, automated bug detection has been viewed by many as the holy grail. However, a recent sector in-depth report from Moody's Ratings suggests that the technological leap is creating a dangerous paradox.&lt;/p&gt; 
&lt;p&gt;While AI is becoming a powerhouse for identifying code weaknesses, it is simultaneously widening the gap between vulnerability discovery and remediation, leaving many organizations more exposed than ever.&lt;/p&gt; 
&lt;p&gt;For cybersecurity professionals, &lt;a href="https://www.secureworld.io/hubfs/documents/Sector_In-Depth-Cybersecurity-Global-AI-is-18Mar2026-PBC_1475622.pdf"&gt;the report&lt;/a&gt; highlights a shifting landscape where the "speed of AI" is meeting the "friction of human operations." Here are the critical takeaways from the Moody's analysis.&lt;/p&gt; 
&lt;h2 style="font-weight: normal;"&gt;The growing 'vulnerability backlog'&lt;/h2&gt; 
&lt;p&gt;Software vulnerabilities remain the primary vector for unauthorized network access. Today's complex, reused codebases are rife with human errors that attackers can exploit at scale. Moody's notes that while minimizing these flaws is essential for reducing the severity of cyber incidents, the sheer volume of newly discovered bugs is outstripping the capacity of security teams to address them.&lt;/p&gt; 
&lt;h3 style="font-weight: normal;"&gt;AI: A double-edged sword for discovery&lt;/h3&gt; 
&lt;p&gt;AI tools are demonstrating remarkable promise, often uncovering previously unknown "zero-day" style bugs in software that has already undergone rigorous security testing. These tools are becoming increasingly autonomous, identifying flaws at a pace no human team could match.&lt;/p&gt; 
&lt;p&gt;However, this efficiency comes with a significant catch: quality control. A lack of human oversight in AI-generated reports is leading to a flood of low-quality software checks and false positives.&lt;/p&gt; 
&lt;p&gt;These inaccurate reports distract security teams from genuine, high-risk threats.&lt;/p&gt; 
&lt;p&gt;In response to this "noise," some companies are scaling back their &lt;a href="https://www.secureworld.io/industry-news/topic/bug-bounty"&gt;bug bounty programs&lt;/a&gt;. These programs are becoming "polluted" by low-quality, AI-generated submissions, which ultimately diminishes their effectiveness in finding real vulnerabilities.&lt;/p&gt; 
&lt;h4 style="font-weight: normal;"&gt;The widening patching gap&lt;/h4&gt; 
&lt;p&gt;The most alarming trend identified in the report is the widening asymmetry between exploitation and remediation.&lt;/p&gt; 
&lt;p&gt;Threat actors are leveraging AI and automation to exploit vulnerabilities more quickly than ever before. The sheer volume of disclosed vulnerabilities leaves many bugs unaddressed for extended periods.&lt;/p&gt; 
&lt;p&gt;According to Exhibit 6 in the report, patching speed varies significantly by sector. This variation suggests that while some industries are adapting their workflows, others remain dangerously slow, creating "windows of opportunity" that attackers are eager to exploit.&lt;/p&gt; 
&lt;h5 style="font-weight: normal;"&gt;The path forward&lt;/h5&gt; 
&lt;p style="font-weight: bold;"&gt;Moving 'left'&amp;nbsp;with AI&lt;/p&gt; 
&lt;p&gt;The report concludes that the only sustainable solution is a shift toward secure coding practices earlier in the software development lifecycle—often referred to as "shifting left."&lt;/p&gt; 
&lt;p&gt;By addressing security issues during the design and development phase, organizations can prevent vulnerabilities from ever reaching production. This reduces the "patching debt" and minimizes the surface area for cyberattacks. Ironically, the same AI-enabled tools causing the current backlog will be essential here, helping developers identify and fix security flaws in real-time as they write code.&lt;/p&gt;  
</content:encoded>
      <category>Featured</category>
      <category>Vulnerabilities</category>
      <category>Bug Bounty</category>
      <category>Original Content</category>
      <category>AI</category>
      <pubDate>Mon, 23 Mar 2026 13:42:00 GMT</pubDate>
      <author>CamS@secureworld.io (Cam Sivesind)</author>
      <guid>https://www.secureworld.io/industry-news/ai-asymmetry-finding-bug-fasters</guid>
      <dc:date>2026-03-23T13:42:00Z</dc:date>
    </item>
    <item>
      <title>7 Tips to Prevent Business Email Compromise Scams in 2026</title>
      <link>https://www.secureworld.io/industry-news/7-tips-prevent-bec-scams-2026</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/7-tips-prevent-bec-scams-2026" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/email%20scam%20-%20shutterstock_2494045751.jpg" alt="exasperated man at laptop" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;What would you do if your finance manager wired $57,800 to a "trusted vendor," only to realize the email request was fraudulent?&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;What would you do if your finance manager wired $57,800 to a "trusted vendor," only to realize the email request was fraudulent?&lt;/p&gt;  
&lt;p&gt;In this digital world, business email compromise (BEC) is growing. BEC scams involving wire transfers &lt;a href="https://zerothreat.ai/blog/social-engineering-attack-statistics"&gt;increased by 33%&lt;/a&gt; in the second quarter of 2025. This illustrates how attackers are targeting financial workflows and payments.&lt;/p&gt; 
&lt;p&gt;Malware is no longer the basis for such attacks. They depend on trust.&lt;br&gt;With the growth of AI-generated messages, it's becoming difficult to differentiate between a legitimate message and a fraudulent one.&lt;br&gt;This article discusses seven tips to prevent business email compromise scams in 2026.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;What is a BEC&amp;nbsp;scam?&amp;nbsp;&lt;br&gt;&lt;br&gt;&lt;a href="https://blog.checkpoint.com/security/how-companies-can-get-a-grip-on-business-email-compromise/"&gt;&lt;img src="https://www.secureworld.io/hs-fs/hubfs/Tray1.png?width=602&amp;amp;height=351&amp;amp;name=Tray1.png" width="602" height="351" alt="Tray1" style="height: auto; max-width: 100%; width: 602px; margin-left: auto; margin-right: auto; display: block;"&gt;&lt;/a&gt;&lt;br&gt;In a BEC scam, criminals use the identity of a partner, vendor, or executive. With this identity, they trick employees into sending sensitive information or money.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;Consider that you are a CFO. You receive a fraudulent message that looks like a legitimate message from the CEO. The message asks for an urgent international wire transfer.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;It was written in such a way that the tone sounds right. The signature matches. The timing feels believable. So, the transfer happens.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;But it's a message that the CEO never sent.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;BEC attacks use the power of urgency, authority, and familiarity. Their targets are finance teams, procurement departments, and HR—basically, anyone who handles payments or sensitive information.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;In 2026, attackers will be able to send emails based on executive travel schedules, imitate writing styles, and replicate conversation threads using AI. They are extremely dangerous because of this.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;The good news is that you can reduce your risk by implementing the right systems.&lt;/p&gt; 
&lt;h3 style="font-weight: normal;"&gt;7 tips to prevent BEC scams in 2026&lt;/h3&gt; 
&lt;p&gt;&lt;a href="https://keepnetlabs.com/blog/what-is-business-email-compromise-bec-how-to-prevent-it"&gt;&lt;img src="https://www.secureworld.io/hs-fs/hubfs/Tray2.png?width=602&amp;amp;height=547&amp;amp;name=Tray2.png" width="602" height="547" alt="Tray2" style="height: auto; max-width: 100%; width: 602px; margin: 0px auto 30px; display: block;"&gt;&lt;/a&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;1. Enforce multi-factor authentication (MFA) across all accounts&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;If there's one control that immediately reduces risk, it's MFA. Even if attackers steal credentials through a phishing attack campaign, they still can't access an account without the second factor.&lt;/p&gt; 
&lt;p&gt;Don't limit MFA to executives. Apply it across:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;Email accounts&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Financial platforms&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Cloud storage systems&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Vendor portals&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Use hardware keys or &lt;a href="https://www.apollotechnical.com/efficient-ways-to-securely-authorize-documents-on-your-devices/"&gt;authentication apps&lt;/a&gt; rather than SMS when possible. The reason is that SMS-based MFA can be bypassed through SIM swapping.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;Pro tip: &lt;/span&gt;Audit your MFA coverage quarterly. Many organizations think MFA is enabled,&amp;nbsp;but it's not enforced on legacy accounts.&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;2. &amp;nbsp;Implement SPF, DKIM, and DMARC email authentication&lt;/p&gt; 
&lt;p&gt;You can't prevent impersonation without technical controls.&lt;/p&gt; 
&lt;p&gt;SPF, DKIM, and DMARC work together to verify that emails actually come from authorized domains. Without them, attackers can spoof your domain and trick partners into trusting malicious messages.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://matchboxdesigngroup.com/blog/5-proven-ways-for-businesses-to-implement-email-data-security/"&gt;Enabling strong email authentication&lt;/a&gt; reduces spoofing significantly. The email authentication methods, like &lt;a href="https://www.clodura.ai/blog/mastering-email-authentication-step-by-step-guide-setting-up-spf-dkim-dmarc-mailchimp/"&gt;DMARC&lt;/a&gt;, help protect users from impersonation at scale.&lt;/p&gt; 
&lt;p&gt;Set your DMARC policy to "reject," not just "monitor." Many businesses stop at the monitoring mode and never move forward.&lt;/p&gt; 
&lt;p&gt;Also, make it a point to:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;Implement consistent &lt;a href="https://mailtrap.io/free-dmarc-record-checker/"&gt;DMARC&lt;/a&gt; monitoring to detect unauthorized domain usage&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Review DMARC reports weekly&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Remove unused domains&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Lock down lookalike domains&lt;br&gt;&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span&gt;Technical hygiene can prevent embarrassment and financial loss.&lt;br&gt;&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;3. &amp;nbsp;Establish a strict payment verification process&lt;/p&gt; 
&lt;p&gt;Here's where most companies fail: process discipline. No email alone should authorize a payment change.&lt;/p&gt; 
&lt;p&gt;Create a rule that any request involving money must be verified through a second channel. For example:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Call the vendor using a number already on file&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Use secure vendor portals&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Require two-person approval for large transfers &lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span&gt;Many organizations also manage vendor communication and payment history through a cloud-based CRM, which helps finance teams verify requests using centralized records instead of relying only on email conversations.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Think about how many companies receive fake booking emails requesting updated bank details. Without a verification step, finance teams may process them without questioning.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Build friction into financial workflows. Convenience should never outweigh security.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;&lt;span style="font-weight: bold;"&gt;Ask yourself:&lt;/span&gt; If a transfer request came in right now, how would your team verify it?&lt;br&gt;&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;4. &amp;nbsp;Train employees to recognize AI-powered social engineering&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;Technology alone won't save you. Employees must understand how modern scams look and feel. Today's attackers:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Mirror executive writing styles&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Reference recent meetings&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Use context pulled from LinkedIn&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Create urgency with realistic deadlines&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span&gt;Today's attackers don't just copy writing styles—they also replicate branding details such as logos, formatting, and signatures. In some advanced cases, attackers even use an AI voice generator to create convincing audio messages that impersonate executives, adding another layer of urgency and realism to fraudulent payment requests.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Establishing internal standards for how to make an email signature ensures consistency across the organization, making it easier for employees to detect subtle differences in fraudulent messages.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Run scenario-based training sessions. Instead of boring slide decks, simulate real attacks. Send controlled internal tests and debrief afterward. It also helps to train employees on how legitimate financial communication should look, including standardized invoice email templates used by your organization.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;For example, an employee receives a message referencing a recent earnings call, asking for an urgent document review before market close. &lt;span&gt;Would they question it?&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Education builds instinct. And instinct stops mistakes.&lt;br&gt;&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Encourage a culture where employees feel safe reporting suspicious emails. Fear of embarrassment often prevents early reporting.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;5. Monitor vendor and third-party email risks&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;&lt;span style="font-weight: normal;"&gt;Your organization might be secure, but have your vendors implemented security measures?&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;&lt;span style="font-weight: normal;"&gt;&lt;/span&gt;&lt;span style="font-weight: normal;"&gt;BEC attackers often compromise a supplier's mailbox and send legitimate-looking payment change requests from a real email thread.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;&lt;span style="font-weight: normal;"&gt;&lt;/span&gt;&lt;span style="font-weight: normal;"&gt;This is particularly dangerous because:&lt;/span&gt;&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p style="font-weight: normal;"&gt;The domain is authentic&lt;/p&gt; &lt;/li&gt; 
 &lt;li style="font-weight: bold;"&gt; &lt;p style="font-weight: normal;"&gt;The conversation history is real&lt;/p&gt; &lt;/li&gt; 
 &lt;li style="font-weight: bold;"&gt; &lt;p style="font-weight: normal;"&gt;The tone matches past communication&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Imagine receiving a seemingly genuine invoice update from a travel partner. It looks just like previous correspondence, but it's malicious.&lt;/p&gt; 
&lt;p&gt;You've probably seen &lt;a href="https://www.secureworld.io/industry-news/how-to-spot-fake-robinhood-email"&gt;fake Robinhood&lt;/a&gt; email campaigns circulating online. Attackers exploit brand familiarity. The same principle applies to vendors.&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;You can mitigate this by:&lt;/span&gt;&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Conducting vendor risk assessments annually&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;&amp;nbsp;&lt;span style="line-height: 115%;"&gt;Limiting financial update privileges&lt;/span&gt;&amp;nbsp;&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Setting vendor-specific payment verification rules&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span&gt;Your defense is only as strong as your weakest partner.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;6. Use AI-based email threat detection tools&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;If attackers use AI, so should you. Modern email security tools often analyze:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Behavioral anomalies&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Writing tone deviations&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Login location irregularities&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Unusual financial language&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span&gt;For example, if your CEO never directly requests wire transfers but suddenly sends one, behavioral AI can flag the anomaly.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Layered protection works best with:&lt;/span&gt;&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;&amp;nbsp;Secure email gateways&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt;&lt;span&gt;Behavioral analytics&lt;/span&gt;&lt;/li&gt; 
 &lt;li&gt;&lt;span&gt;Domain monitoring&lt;/span&gt;&lt;/li&gt; 
 &lt;li&gt;&lt;span&gt;Real-time threat intelligence&lt;/span&gt;&lt;br&gt;&lt;span&gt;&lt;/span&gt;&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span&gt;Don't rely solely on traditional spam filters. BEC emails don't often contain malware or suspicious links; they look clean and legitimate. Your &lt;a href="https://www.benchmarkemail.com/blog/navigating-email-threats/"&gt;detection strategy&lt;/a&gt; must go beyond keyword scanning. In addition to enterprise-grade email security tools, endpoint protection solutions can &lt;/span&gt;&lt;span&gt;provide an extra layer of defense by monitoring for malware and viruses, detecting data breaches, and enhancing device-level security.&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;While BEC attacks rely heavily on social engineering rather than malware, securing every endpoint reduces the overall attack surface and helps prevent credential theft that often fuels these scams.&lt;/span&gt;&lt;/p&gt; 
&lt;p style="font-weight: bold;"&gt;7. &amp;nbsp;Develop a rapid incident response plan&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;Even with strong defenses, assume that one of the attackers' attempts will succeed.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;What to do next? Every company needs:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;A documented process to solve attacks&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;A 24-hour response protocol&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Clear roles and responsibilities&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Bank contact procedures&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;Legal and compliance notification steps&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span&gt;Time matters. The faster you contact financial institutions, the higher the chance of reversing transfers. &lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Run tabletop exercises twice a year. Walk through scenarios, such as a fraudulent transfer sent 45 minutes ago. What will your team do next to handle it?&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;Clarity reduces chaos, and preparedness reduces damage.&lt;/span&gt;&lt;span&gt;&lt;/span&gt;&lt;/p&gt; 
&lt;h4 style="font-weight: normal;"&gt;Build a resilient defense against BEC&lt;/h4&gt; 
&lt;p&gt;BEC scams in 2026 are smarter, faster, and powered by AI. But implementing proper preventive measures can minimize the risk.&lt;/p&gt; 
&lt;p&gt;You can reduce your exposure through:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;&lt;span&gt;MFA&lt;/span&gt;&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt;&lt;span&gt;Securing email authentication &lt;/span&gt;&lt;/li&gt; 
 &lt;li&gt;&lt;span&gt;Verifying payments through &lt;span style="color: #00cccc;"&gt;&lt;a href="https://websitepromoter.co.uk/how-an-ssl-certificate-can-solve-technical-seo-issues/" style="color: #00cccc;"&gt;secondary channels&lt;/a&gt;&lt;/span&gt; &lt;/span&gt;&lt;/li&gt; 
 &lt;li&gt;&lt;span&gt;Training employees on modern social engineering&lt;/span&gt;&lt;/li&gt; 
 &lt;li&gt;&lt;span&gt;Monitoring vendor risks&lt;/span&gt;&lt;/li&gt; 
 &lt;li&gt;&lt;span&gt;Deploying AI-driven detection tools&lt;/span&gt;&lt;/li&gt; 
 &lt;li&gt;&lt;span&gt;Maintaining a clear incident response plan&lt;/span&gt;&lt;/li&gt; 
 &lt;li&gt;&lt;span&gt;Incorporating a reliable backup solution, like &lt;span style="color: #00cccc;"&gt;&lt;a href="http://www.nakivo.com/blog/backup-office-365-emails/" style="color: #00cccc;"&gt;Office 365 email backup&lt;/a&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;&lt;span&gt;&lt;span style="color: #00cccc;"&gt;This isn't about adding complexity. It's about building discipline into how your organization communicates and moves money.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span&gt;&lt;span style="color: #00cccc;"&gt;If you want to understand the evolving email threats and learn directly from &lt;a href="https://www.brandignity.com/2024/05/top-12-reasons-why-every-digital-marketer-should-understand-cybersecurity/"&gt;cybersecurity&lt;/a&gt; leaders, explore upcoming events by &lt;a href="https://www.secureworld.io/events"&gt;SecureWorld.&lt;/a&gt; Practical insights from experts can strengthen your defense before the next attack happens.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  
</content:encoded>
      <category>Cybersecurity</category>
      <category>BEC Scams</category>
      <category>Featured Author</category>
      <pubDate>Sun, 22 Mar 2026 14:22:00 GMT</pubDate>
      <author>trayalex812@gmail.com (Alex Tray)</author>
      <guid>https://www.secureworld.io/industry-news/7-tips-prevent-bec-scams-2026</guid>
      <dc:date>2026-03-22T14:22:00Z</dc:date>
    </item>
    <item>
      <title>Popular AI Sandbox Has a Backdoor—Since August</title>
      <link>https://www.secureworld.io/industry-news/popular-ai-sandbox-backdoor</link>
      <description>&lt;div class="hs-featured-image-wrapper"&gt; 
 &lt;a href="https://www.secureworld.io/industry-news/popular-ai-sandbox-backdoor" title="" class="hs-featured-image-link"&gt; &lt;img src="https://www.secureworld.io/hubfs/Bug%20Finding%20-%20shutterstock_2087017462.jpg" alt="person using computer at desk" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"&gt; &lt;/a&gt; 
&lt;/div&gt; 
&lt;p&gt;Those of us in cybersecurity should be familiar with sandbox environments where we can detonate and review malware in a minimal risk container. Similarly, a managed sandbox environment for AI allows you to run code, process data, and call tools all from a contained and controlled environment.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;Those of us in cybersecurity should be familiar with sandbox environments where we can detonate and review malware in a minimal risk container. Similarly, a managed sandbox environment for AI allows you to run code, process data, and call tools all from a contained and controlled environment.&lt;/p&gt;  
&lt;p&gt;A prime example of a use case is presenting a chatbot with data and asking it to evaluate the data and return some analysis. An LLM behind the chatbot will not likely respond accurately, but an AI agent can create and execute Python to analyze a CSV, query a database, or run statistical models and return the analysis. In one of these sandbox environments, they can do that without accessing your infrastructure.&lt;/p&gt; 
&lt;p&gt;Here are some of the other benefits of a managed sandbox environment.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;Containment of unintended side effects&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;AI agents, especially code-executing ones, can produce outputs that interact with the real world, like writing files, making network calls, and modifying state, but a sandbox draws a hard line around what the agent can touch. This means a bug in the generated code or a bad prompt doesn't cascade into your infrastructure.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;Isolation of untrusted code&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;When an AI agent generates and then executes code, that code is fundamentally untrusted. It was written by a model trained on the internet, possibly manipulated through prompt injection, and hasn't been audited by a human. Sandboxing treats it the same way you'd treat code from an unknown external source. You can run it, but you run it in a box.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;Reproducible, ephemeral execution&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;Managed sandboxes are typically ephemeral and short-lived. Each execution starts clean, which prevents one agent's session from contaminating another's and makes behavior more predictable and auditable.&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;Abstracting infrastructure responsibility&lt;/span&gt;&lt;/p&gt; 
&lt;p&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;The "managed"&amp;nbsp;part means the cloud provider handles the low-level mechanics of isolation such as the containerization, the resource limits, and the kernel boundaries. The customer gets a safe execution surface without having to build and maintain it themselves.&lt;/p&gt; 
&lt;p&gt;Bottom line:&amp;nbsp;AI execution in a managed sandbox means you reduce the ability for the AI to affect other systems. Well, in theory at least. More on that in a bit.&lt;/p&gt; 
&lt;h2 style="font-weight: normal;"&gt;Not every sandbox is open play&lt;/h2&gt; 
&lt;p&gt;One of these AI execution sandboxes is the AWS Bedrock AgentCore Code Interpreter, available since August of 2025. It is a fully-managed service that enables AI agents to securely execute code in isolated sandbox environments, designed so that agentic workloads cannot access external systems. It allows for three network modes: Sandbox, VPC, and Public. The promise of the Code Interpreter goes beyond data analysis and code execution. Take the instance of an LLM reviewing a dataset for anomalies. Using LLM inference means you'll likely get results that will be imprecise or even hallucinated. However, if an agent can create Python code to parse the data and return results, you're more likely to get better and more accurate results.&lt;/p&gt; 
&lt;p&gt;Engineering teams use AI agents in these sandboxes to run Python, JavaScript, and TypeScript, perform complex data analysis, generate visualizations, analyze financial and operational data, and execute mathematical computations without compromising system security.&lt;/p&gt; 
&lt;p&gt;This all sounds great, so what's the problem?&lt;/p&gt; 
&lt;p&gt;Well, from a security standpoint, the piece that matters most for teams is that Code Interpreter supports running AWS CLI commands directly within the sandbox using an SDK and API, using IAM-based access controls and fine-grained permissions. This is what makes it useful for engineering workflows but also why the default role permissions are so problematic.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://www.beyondtrust.com/blog/entry/pwning-aws-agentcore-code-interpreter"&gt;Research from BeyondTrust&lt;/a&gt; found that the AgentCore Starter Toolkit—AWS's open source quick start for getting Code Interpreter up and running—ships with a default IAM role that grants full S3 read access, full DynamoDB access, and unrestricted Secrets Manager access. That's not a misconfiguration a developer introduced; that's the out-of-the-box posture AWS documented and published (features that AWS stated are by design). The tyranny of the default strikes again!&lt;/p&gt; 
&lt;h3 style="font-weight: normal;"&gt;No internet access doesn't always mean none&lt;/h3&gt; 
&lt;p&gt;Getting the Code Interpreter to, you know, interpret code was not difficult for the BeyondTrust team. This meant getting a chatbot, and the agents it relies on, to execute code of the researcher's choosing through a prompt injection, supply-chain attack, or getting the chatbot to generate code that was influenced by the researcher. For example:&lt;/p&gt; 
&lt;p&gt;&lt;img src="https://www.secureworld.io/hs-fs/hubfs/fisherscreenshot.png?width=636&amp;amp;height=187&amp;amp;name=fisherscreenshot.png" width="636" height="187" alt="fisherscreenshot" style="height: auto; max-width: 100%; width: 636px; margin-left: auto; margin-right: auto; display: block;"&gt;&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;Once the code execution is achieved, the researchers move on to the next phase. And, stop me if you've heard this, but it's always DNS.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;What was found in the BeyondTrust research is that the Code Interpreter could be persuaded to interact with C2 (command and control) channels and exfiltrate data through S3 buckets all through DNS A and AAAA record queries. For the data exfiltration, base64 encoded data was embedded in DNS subdomain queries. The researchers showed that they could run AWS CLI commands using the Code Interpreter's attached IAM credentials. This allowed them to list S3 buckets, pull files containing customer PII, API credentials, or financial records, and send that data encoded into DNS subdomain lookups to a DNS server controlled by the researchers.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;While helpful, the researchers needed a method for controlling the Code Interpreter remotely. Enter the C2 ability through DNS. The researchers were able to send commands through DNS A record responses. The octets in each response carried base64-encoded command chunks, as explained in the BeyondTrust writeup:&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;&lt;img src="https://www.secureworld.io/hs-fs/hubfs/fisherquote.png?width=635&amp;amp;height=165&amp;amp;name=fisherquote.png" width="635" height="165" alt="fisherquote" style="height: auto; max-width: 100%; width: 635px; margin-left: auto; margin-right: auto; display: block;"&gt;&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;The Code Interpreter polls the attacker's DNS server for these chunked commands, reconstructs and executes them, then returns the output via DNS subdomain queries. Circle complete. There is now a fully bidirectional, persistent communication channel hidden entirely within traffic that looks like routine DNS traffic.&lt;/p&gt; 
&lt;p style="font-weight: normal;"&gt;These channels allow for the bypass of any network isolation through DNS, and make it difficult for defenders to block without crippling the operation of their sandboxed environment. Perhaps more frightening is the fact that more sophisticated DNS C2 implementations could establish a fully interactive shell, not just one-off commands.&lt;/p&gt; 
&lt;h4 style="font-weight: normal;"&gt;Defense-in-depth for DNS&lt;/h4&gt; 
&lt;p&gt;All is not lost, and there are practical steps that can be taken to limit the risk if you are using Code Interpreter. BeyondTrust recommends the following:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;Inventory your AgentCore Code Interpreter instances, their network modes, and their privileges.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;If you're using Sandbox Mode and assumed it provided complete network isolation, it does not. DNS resolution is enabled by design, which means DNS-based data exfiltration is possible. Migrate sensitive workloads to VPC only mode.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Scan code for prompt injection vulnerabilities to reduce risk of attackers manipulating code that is sent to the code interpreter.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Use Guardrails on the input as an additional safeguard.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Prefer newer models that have built-in safeguards to limit outright prompt injection.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;But it's worth noting that you can take your defensive posture a few steps further. Specifically for DNS, consider:&lt;/p&gt; 
&lt;ul&gt; 
 &lt;li&gt; &lt;p&gt;Deploying a Route53 Resolver DNS Firewall to configure an allow-list of known-good domains. This list should be short. Additionally, you can alert on high-frequency DNS queries to single domains.&lt;/p&gt; &lt;/li&gt; 
 &lt;li&gt; &lt;p&gt;Make sure you monitor DNS query volume and entropy. A query for aGVsbG8gd29ybGQ.attacker.com looks nothing like api.github.com. Look to baseline normal DNS query patterns and alert on deviations.&lt;/p&gt; &lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Lastly, harden the Code Interpreter. The default IAM role provided with Code Interpreter has full S3 read, full DynamoDB, and unrestricted Secrets Manager access, which means the blast radius is equal to the IAM role. That's a problem, and one that AWS says is working as intended.&lt;/p&gt; 
&lt;p&gt;For users of the Code Interpreter, take matters into your own hands and consider auditing and replacing the default Starter Toolkit IAM role with inline policies scoped to specific S3 paths and ARNs only. Enforce least privilege as a hard requirement, not a best practice. Also make sure to enable CloudTrail for all API calls made by the Code Interpreter's IAM role and alert on calls to services outside expected scope.&lt;/p&gt; 
&lt;h5 style="font-weight: normal;"&gt;The path forward&amp;nbsp;&lt;/h5&gt; 
&lt;p&gt;Like all things AI, we're on the cutting edge of a lot of this technology, and we're only in the early stages of understanding the attack surface AI technology presents. From prompt injection&amp;nbsp;to autonomous agents to poisoned models&amp;nbsp;to the insecure platforms AI operates in, there is no doubt that we are going to continue to see novel (and even not so novel) ways of pushing the boundaries of security with these new systems.&lt;/p&gt; 
&lt;p&gt;This appeared originally &lt;a href="https://securelybuilt.substack.com/p/a-popular-ai-sandbox-has-a-back-door" style="font-style: normal;"&gt;on Substack here&lt;/a&gt;.&lt;/p&gt;  
</content:encoded>
      <category>Featured</category>
      <category>Cybersecurity</category>
      <category>Vulnerabilities</category>
      <category>Backdoors</category>
      <category>Featured Author</category>
      <category>AI</category>
      <pubDate>Fri, 20 Mar 2026 13:23:00 GMT</pubDate>
      <guid>https://www.secureworld.io/industry-news/popular-ai-sandbox-backdoor</guid>
      <dc:date>2026-03-20T13:23:00Z</dc:date>
      <dc:creator>Derek Fisher</dc:creator>
    </item>
  </channel>
</rss>
