
SecPro

77 Articles
Austin Miller
29 May 2026

#246: Exposure Therapy for the Threat Landscape

Continuous Exposure Management in Cybersecurity

It's nearly here! Don't miss out on Katie's session tomorrow, hosted by yours truly.

Cybersecurity threats continue to increase in frequency, sophistication, and financial impact. Organisations now operate in an environment where cyberattacks are persistent, automated, and highly adaptive. Attackers no longer rely solely on simple malware or isolated phishing emails. Modern threat actors use ransomware, cloud exploitation, credential theft, AI-generated scams, supply chain attacks, and long-term infrastructure compromise to target businesses, governments, and critical services.

From the beginning of January 2026, several high-profile cyber incidents demonstrated how exposed many organisations remain. One major example involved the ransomware group RansomHub, which continued targeting healthcare providers, logistics companies, and public sector organisations across Europe and North America. The group used double-extortion techniques, encrypting systems while simultaneously threatening to leak stolen data publicly. These attacks highlighted how exposed organisations remain to credential theft, poor segmentation, and unpatched systems.

Another major concern involved the cybercriminal collective Scattered Spider, which became associated with social engineering attacks against telecommunications and cloud service providers. The group exploited helpdesk procedures by impersonating employees and convincing support staff to reset credentials or bypass multi-factor authentication protections. This showed that organisational exposure is not limited to technical systems; human processes can also create major security weaknesses.

Security agencies also continued warning about activity associated with the Chinese state-linked group Volt Typhoon.
Investigations suggested the attackers maintained hidden access within critical infrastructure systems for extended periods. Rather than immediately disrupting services, the group appeared focused on persistence, reconnaissance, and positioning for future operations. This demonstrated how exposed critical infrastructure can become when visibility into networks and operational technology systems is limited.

The financial sector also experienced increasing attacks involving AI-generated phishing campaigns and voice impersonation scams. Criminal groups used generative artificial intelligence to create highly convincing emails, cloned voices, and fraudulent communications at scale. These attacks lowered the barrier for cybercrime and increased the effectiveness of social engineering operations.

Meanwhile, several retail and software organisations suffered supply chain breaches during the 2025 holiday period after attackers compromised third-party vendors and service providers. These incidents showed that organisations are exposed not only through their own infrastructure, but also through trusted external relationships.

These attacks reveal an important reality about modern cybersecurity: many organisations do not fully understand where they are exposed. Traditional cybersecurity strategies often focus on defending networks after systems are already deployed. However, modern attackers continuously search for weaknesses across cloud platforms, remote devices, APIs, third-party suppliers, identity systems, and internet-facing infrastructure.

As a result, cybersecurity has increasingly shifted toward a model known as continuous exposure management. Instead of relying on occasional assessments or static defences, organisations continuously identify, evaluate, prioritise, and reduce their exposure to cyber threats.

What Continuous Exposure Management Means

Continuous exposure management is a proactive cybersecurity strategy focused on identifying and reducing security weaknesses before attackers can exploit them.

Traditional cybersecurity programmes often relied on periodic audits, annual penetration testing, and compliance checklists. While these activities remain useful, they are no longer sufficient in environments where infrastructure changes daily and attackers move rapidly.

Continuous exposure management assumes that:
• Organisations are constantly changing
• New vulnerabilities appear continuously
• Attack surfaces expand over time
• Threat actors actively search for weaknesses
• Visibility gaps create security risks

The goal is therefore to continuously discover and manage exposures across the organisation rather than reacting only after incidents occur.

An exposure is any weakness, misconfiguration, vulnerability, or access path that could allow attackers to compromise systems or data. Exposures may include:
• Unpatched software vulnerabilities
• Weak passwords
• Excessive access permissions
• Misconfigured cloud storage
• Insecure APIs
• Legacy systems
• Third-party supplier risks
• Poor network segmentation
• Exposed administrative interfaces

Modern organisations often have thousands of potential exposures at any given time. The challenge is not simply identifying vulnerabilities, but determining which exposures represent the greatest business risk.

This is why continuous exposure management focuses heavily on prioritisation.
Security teams must understand:
• Which systems are most critical
• Which vulnerabilities are actively exploitable
• Which assets are internet-facing
• Which exposures attackers are most likely to target
• Which weaknesses could lead to major operational disruption

This approach is closely connected to the concept of an attack surface, which describes all the possible entry points available to attackers. The growth of cloud computing, remote work, mobile devices, and third-party integrations has dramatically expanded organisational attack surfaces over the past decade.

In many organisations, security teams no longer have complete visibility into all assets connected to the network. Shadow IT, unmanaged devices, forgotten cloud services, and legacy applications create unknown exposures that attackers may discover first.

Continuous exposure management attempts to solve this problem by treating cybersecurity as an ongoing process of visibility, assessment, validation, and remediation.

Tools and Practices for Continuous Exposure Management

Continuous exposure management depends on a combination of technologies, operational processes, and strategic planning. Organisations must continuously monitor their environments and reduce exposure in a structured manner.

Attack Surface Management (ASM)

Attack Surface Management is one of the most important components of continuous exposure management. ASM platforms continuously identify internet-facing assets such as servers, domains, cloud environments, APIs, and applications. These tools help organisations discover systems that may not be properly tracked internally.

For example, an ASM platform may identify:
• Forgotten development servers
• Publicly exposed databases
• Expired certificates
• Open administrative portals
• Shadow IT applications

This visibility is important because organisations cannot protect assets they do not know exist.
ASM also helps organisations understand how attackers view their infrastructure from outside the network perimeter.

Several open source tools can help organisations identify and monitor externally exposed assets.

OWASP Amass: A reconnaissance and attack surface mapping tool commonly used for external asset discovery, DNS enumeration, and subdomain mapping.
Nmap: A network discovery and port scanning tool used to identify exposed services, hosts, and open network ports.
theHarvester: An open source intelligence (OSINT) tool that gathers information such as domains, email addresses, and public infrastructure exposure from internet sources.

These tools help organisations discover internet-facing systems that may otherwise remain unmanaged or forgotten.

Vulnerability Management

Vulnerability management remains a central practice within exposure management. Security teams continuously scan systems for known vulnerabilities and software weaknesses. However, modern vulnerability management is increasingly focused on prioritisation rather than volume alone.

Many organisations face thousands of vulnerability alerts each month. Attempting to patch every issue immediately is often unrealistic.
Continuous exposure management therefore prioritises vulnerabilities based on:
• Exploit availability
• Internet exposure
• Asset criticality
• Privilege level
• Business impact
• Active attacker activity

This risk-based approach allows organisations to focus resources where they matter most.

Open source vulnerability management tools help organisations continuously identify weaknesses across systems and applications.

OpenVAS (Greenbone Vulnerability Manager): A full-featured vulnerability scanning platform capable of identifying thousands of known vulnerabilities and configuration weaknesses.
Nikto: A web server scanner designed to detect dangerous files, outdated software, and insecure configurations.
Trivy: A vulnerability scanner for containers, cloud infrastructure, and software dependencies commonly used within DevSecOps environments.

These tools support proactive remediation by identifying exploitable weaknesses before attackers can use them.

Continuous Security Validation

Many organisations now use continuous validation techniques to test whether security controls are functioning correctly.

This may include:
• Automated penetration testing
• Breach and attack simulation
• Red team exercises
• Adversary emulation

Rather than assuming controls work properly, organisations actively validate defences against realistic attack techniques. For example, a breach simulation platform may attempt to imitate ransomware behaviour inside a controlled environment.
Security teams can then evaluate whether monitoring tools successfully detect and block the activity.

Security validation tools allow organisations to test whether defensive controls are operating effectively under realistic attack conditions.

MITRE Caldera: An automated adversary emulation platform based on real-world attacker techniques documented within the MITRE ATT&CK framework.
Atomic Red Team: A collection of small, controlled attack simulations used to test security monitoring and detection capabilities.
Infection Monkey: A breach and attack simulation tool that safely tests lateral movement, credential exposure, and segmentation weaknesses.

These tools help organisations validate security controls continuously rather than relying solely on theoretical assumptions.

Identity and Access Management (IAM)

Identity systems have become a major target for attackers. Compromised credentials often allow attackers to bypass perimeter security entirely. As a result, continuous exposure management places strong emphasis on identity security.

Important IAM practices include:
• Multi-factor authentication
• Least privilege access
• Privileged access management
• Continuous authentication
• Access reviews
• Credential monitoring

Reducing unnecessary permissions significantly limits attacker movement inside networks after initial compromise.

IAM-focused open source tools assist organisations in managing authentication, permissions, and access control.

Keycloak: An identity and access management platform supporting single sign-on, multi-factor authentication, and federated identity management.
FreeIPA: A Linux-based identity management solution providing centralised authentication, access control, and policy management.
Authelia: An authentication and authorisation server designed to secure web applications using multi-factor authentication and access policies.

These tools help reduce identity-related exposure by strengthening authentication and limiting unnecessary access privileges.

Cloud Security Posture Management (CSPM)

As organisations increasingly migrate infrastructure to cloud environments, cloud misconfigurations have become a major source of exposure. CSPM platforms continuously monitor cloud infrastructure for security weaknesses such as:
• Publicly exposed storage buckets
• Excessive permissions
• Weak encryption settings
• Insecure API configurations
• Unprotected workloads

These tools help organisations maintain visibility across rapidly changing cloud environments.

Open source CSPM tools help organisations identify cloud misconfigurations and insecure cloud deployments.

Prowler: A cloud security assessment tool focused primarily on AWS environments and aligned with security best practices.
ScoutSuite: A multi-cloud auditing tool that analyses security posture across AWS, Azure, Google Cloud, and Oracle Cloud environments.
CloudSploit: A cloud security monitoring tool used to identify insecure cloud configurations and compliance issues.

These tools improve visibility into cloud infrastructure and help reduce exposure caused by configuration weaknesses.

Threat Intelligence Integration

Threat intelligence helps organisations understand which exposures are most likely to be targeted by attackers.

For example, if threat intelligence sources report active exploitation of a newly discovered vulnerability, organisations can prioritise remediation efforts immediately.

Threat intelligence also improves contextual decision-making by identifying:
• Attacker techniques
• Common malware behaviour
• Industry-targeted campaigns
• Emerging exploit trends

This allows organisations to align exposure management with real-world threat activity rather than theoretical risk alone.

Threat intelligence tools collect, organise, and analyse information about attacker activity and emerging threats.

MISP (Malware Information Sharing Platform): A threat intelligence sharing platform used to distribute indicators of compromise, malware intelligence, and attack data.
OpenCTI: A cyber threat intelligence platform designed for analysing and correlating threat information from multiple sources.
YARA: A pattern-matching tool commonly used to identify malware families and suspicious files using custom detection rules.

These tools help organisations prioritise exposures based on real-world attacker activity and emerging exploit trends.

Security Operations and Monitoring

Although continuous exposure management focuses heavily on prevention and reduction, monitoring remains essential.

Security Operations Centres (SOCs) use tools such as:
• Security Information and Event Management (SIEM)
• Endpoint Detection and Response (EDR)
• Extended Detection and Response (XDR)

These systems help organisations identify indicators of compromise quickly if exposures are successfully exploited. The goal is to minimise attacker dwell time and reduce operational impact.

Open source monitoring and detection tools support continuous visibility into organisational systems and suspicious activity.

Wazuh: A security monitoring and threat detection platform combining SIEM functionality, endpoint monitoring, and intrusion detection.
Suricata: A high-performance network intrusion detection and threat monitoring engine capable of deep packet inspection.
Zeek: A network analysis and security monitoring framework used to detect suspicious behaviour and generate detailed traffic logs.

These tools improve visibility, accelerate detection, and support rapid response when exposures are exploited.

Creating a Culture of Continuous Exposure Management

Technology alone cannot create effective exposure management. Organisations must also change how they think about cybersecurity.

Many businesses still treat cybersecurity as a compliance requirement or technical responsibility belonging only to IT departments.
Continuous exposure management requires a broader cultural shift where exposure reduction becomes an organisational objective.

Leadership Involvement

Executive leadership plays a critical role in cybersecurity culture. Senior leaders must understand that exposure management directly affects operational continuity, financial performance, legal compliance, and customer trust.

When leadership actively supports cybersecurity initiatives, organisations are more likely to allocate appropriate resources and prioritise long-term resilience over short-term convenience.

Importantly, cybersecurity discussions should focus on business risk rather than purely technical language.

Shared Organisational Responsibility

Exposure management requires participation across the entire organisation.

Employees influence cybersecurity through:
• Password practices
• Data handling
• Access management
• Software usage
• Reporting suspicious activity

Developers, procurement teams, human resources departments, and executives all contribute to organisational exposure in different ways. Organisations should therefore promote the idea that cybersecurity is a shared operational responsibility rather than solely an IT problem.

Continuous Improvement

Continuous exposure management depends on constant adaptation. Organisations should regularly:
• Reassess risks
• Review asset inventories
• Validate security controls
• Conduct training exercises
• Update policies
• Test incident response procedures

Threat landscapes change rapidly, meaning cybersecurity programmes must evolve continuously rather than remaining static.

Encouraging Transparency

Employees are often hesitant to report mistakes because they fear punishment. However, delayed reporting can significantly worsen security incidents. Organisations should encourage transparency and rapid communication regarding suspicious behaviour, accidental exposure, or potential vulnerabilities.
A culture of openness improves detection speed and organisational resilience.

Measuring Exposure and Maturity

Continuous exposure management also requires measurable performance indicators. Organisations increasingly track:
• Vulnerability remediation times
• Internet-facing asset exposure
• Patch management performance
• Identity risk levels
• Security control effectiveness
• Mean time to detect threats

Measurement allows organisations to identify weaknesses, prioritise improvements, and demonstrate progress over time.

Setting Up for Continuous Threats

The modern cybersecurity landscape is defined by constant change, expanding attack surfaces, and increasingly sophisticated attackers. Recent incidents involving ransomware groups, social engineering campaigns, supply chain attacks, and state-sponsored actors demonstrate that organisations face continuous exposure to cyber risk.

Traditional security approaches based on periodic assessments and static defences are no longer sufficient. Organisations must instead adopt continuous exposure management strategies that focus on ongoing visibility, prioritisation, validation, and remediation.

Continuous exposure management helps organisations identify weaknesses before attackers exploit them. By continuously evaluating attack surfaces, monitoring vulnerabilities, securing identities, validating controls, and prioritising high-risk exposures, businesses can significantly improve resilience against modern threats.

However, technology alone is insufficient. Successful exposure management also requires cultural change. Leadership involvement, employee participation, continuous learning, and organisational transparency all contribute to stronger cybersecurity outcomes.

Ultimately, continuous exposure management is about reducing uncertainty.
Organisations cannot eliminate all cyber risk, but they can continuously improve visibility, reduce exposure, and strengthen resilience against evolving threats.

Key conclusions include:
• Modern attack surfaces are larger and more complex than ever before
• Organisations must continuously identify and reduce exposures
• Visibility into assets and vulnerabilities is critical
• Risk prioritisation is essential because resources are limited
• Identity security and cloud security are major focus areas
• Organisational culture strongly influences cybersecurity effectiveness
• Cybersecurity should be integrated into overall business risk management

In the modern digital environment, continuous exposure management has become an essential part of organisational security strategy rather than an optional enhancement.
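
The risk-based prioritisation described under Vulnerability Management, together with the remediation-time tracking listed under Measuring Exposure and Maturity, is worked through in code below. This is an added example, not code from the newsletter or from any tool it names; the weights, SLA bands, field names, dates and sample findings are assumptions constructed for illustration.

```python
"""Risk-based exposure prioritisation (added example, not from any named tool).

Weights, SLA bands and sample findings are assumptions made up for this
illustration; calibrate them against your own inventory and risk model.
"""
from dataclasses import dataclass
from datetime import date

# One weight per prioritisation factor named in the article (sums to 100).
WEIGHTS = {
    "exploit_available": 20,
    "internet_facing": 20,
    "asset_criticality": 15,
    "privilege_gained": 10,
    "business_impact": 15,
    "actively_exploited": 20,
}
PRIVILEGE = {"none": 0.0, "user": 0.5, "admin": 1.0}
# (minimum score, days allowed to remediate), checked from highest to lowest.
SLA_BANDS = [(70, 7), (40, 30), (0, 90)]


@dataclass(frozen=True)
class Exposure:
    asset: str
    issue: str
    cvss: float               # scanner severity only, 0-10
    exploit_available: bool
    internet_facing: bool
    asset_criticality: int    # 1 (low) to 5 (business critical)
    privilege_gained: str     # "none", "user" or "admin"
    business_impact: int      # 1 (minor) to 5 (major disruption)
    actively_exploited: bool  # e.g. flagged by a threat intelligence feed
    first_seen: date


def _scale(rating: int) -> float:
    """Map a 1-5 rating onto 0.0-1.0, rejecting out-of-range input."""
    if not 1 <= rating <= 5:
        raise ValueError(f"rating must be 1-5, got {rating}")
    return (rating - 1) / 4


def risk_score(e: Exposure) -> float:
    """Contextual score from 0 to 100; CVSS is deliberately not an input."""
    factors = {
        "exploit_available": float(e.exploit_available),
        "internet_facing": float(e.internet_facing),
        "asset_criticality": _scale(e.asset_criticality),
        "privilege_gained": PRIVILEGE[e.privilege_gained],
        "business_impact": _scale(e.business_impact),
        "actively_exploited": float(e.actively_exploited),
    }
    return sum(WEIGHTS[name] * factors[name] for name in WEIGHTS)


def sla_days(score: float) -> int:
    """Remediation deadline in days for the band the score falls into."""
    return next(days for floor, days in SLA_BANDS if score >= floor)


def prioritise(exposures):
    """Highest contextual risk first; ties broken by oldest finding."""
    return sorted(exposures, key=lambda e: (-risk_score(e), e.first_seen))


def overdue(exposures, today):
    """Exposures still open beyond the SLA of their risk band."""
    return [e for e in prioritise(exposures)
            if (today - e.first_seen).days > sla_days(risk_score(e))]


# Constructed sample findings and reporting date (not real data).
TODAY = date(2026, 5, 29)
SAMPLE = [
    Exposure("intranet-wiki", "outdated CMS plugin", 9.8,
             False, False, 2, "user", 2, False, date(2026, 5, 1)),
    Exposure("vpn-gateway", "authentication bypass", 7.5,
             True, True, 5, "admin", 5, True, date(2026, 5, 15)),
    Exposure("dev-db-01", "database reachable without auth", 6.5,
             True, True, 3, "user", 3, False, date(2026, 5, 10)),
    Exposure("hr-fileshare", "excessive access permissions", 4.0,
             False, False, 4, "admin", 4, False, date(2026, 2, 1)),
]

if __name__ == "__main__":
    print("By CVSS alone:", [e.asset for e in
                             sorted(SAMPLE, key=lambda e: -e.cvss)])
    for e in prioritise(SAMPLE):
        s = risk_score(e)
        print(f"{s:5.1f}  fix within {sla_days(s):>2}d  {e.asset}: {e.issue}")
    print("Past SLA:", [e.asset for e in overdue(SAMPLE, TODAY)])
```

On the sample data, the internal wiki tops a CVSS-only list but drops to last once exposure and business context are weighed, while the internet-facing VPN gateway moves to the front of the queue.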

Austin Miller
22 May 2026

#245: Trust Under Pressure

Cybersecurity, Deepfakes, and the New Human Firewall

Trust has always been one of the invisible foundations of cybersecurity. Every email opened, every password entered, and every file shared depends on a basic assumption that the system, person, or message involved is genuine. For decades, cybercriminals relied on simple deception techniques such as fake websites, phishing emails, and malware disguised as useful software. However, the rise of artificial intelligence has transformed the scale and sophistication of cyberattacks.

Today, attackers can generate convincing voices, realistic videos, believable writing, and automated phishing campaigns in minutes. Deepfake technology and AI-enhanced scams are forcing organisations to rethink how trust operates in the digital world. Employees are no longer only defending against malicious software; they are defending against synthetic identities and manipulated reality.

This crisis has led many cybersecurity professionals to adopt new defensive models, particularly zero trust architecture. Instead of assuming that users or systems are trustworthy once they are inside a network, zero trust treats every request as potentially hostile until verified. The same principles are now being applied to artificial intelligence systems themselves.

At the same time, many organisations still struggle with one major weakness: human behaviour. Technical security tools can block many attacks, but employees without training remain vulnerable to manipulation.
Non-specialist workers are increasingly becoming the primary targets of AI-powered attacks because they are often the easiest path into an organisation.

The future of cybersecurity will therefore depend on rebuilding trust carefully, verifying identity continuously, and teaching ordinary users how to recognise increasingly advanced threats.

The Growing Crisis of Trust in Cybersecurity

Cybersecurity has traditionally relied on a layered approach to defence. Firewalls, antivirus software, password systems, and network monitoring tools were designed to protect systems from unauthorised access. Yet these tools often assumed that trusted users inside a network were safe.

This assumption became dangerous as cybercriminals developed methods to bypass technical barriers by targeting people instead. Social engineering attacks exploit human psychology rather than software vulnerabilities. Attackers manipulate emotions such as fear, urgency, authority, or curiosity to convince victims to reveal sensitive information.

Artificial intelligence has dramatically increased the effectiveness of these attacks.
AI systems can now analyse public information from social media, company websites, and leaked data to craft highly personalised phishing messages. Unlike traditional spam emails filled with spelling mistakes, AI-generated messages can appear professional, accurate, and context-aware.

Cybersecurity experts increasingly warn that the internet is entering a “post-authenticity” era. In this environment, seeing or hearing something online is no longer reliable proof that it is real. AI-generated images, cloned voices, and manipulated videos can imitate trusted individuals with alarming accuracy.

This erosion of trust affects more than individual organisations. Public confidence in online communication, financial systems, journalism, and even democratic institutions may weaken if people can no longer reliably distinguish between authentic and synthetic information.

For businesses, the consequences are severe. A successful AI-enhanced phishing attack can lead to stolen funds, ransomware infections, data breaches, or reputational damage. Companies must therefore move away from trust based on assumptions and toward trust based on continuous verification.

Deepfakes and AI-Augmented Attacks

Deepfakes are synthetic media generated using artificial intelligence. These systems can create realistic audio, video, or images that imitate real people. Early deepfakes were often easy to identify because of unnatural movements or distorted facial expressions. Modern AI models, however, have improved rapidly.

Attackers now use deepfakes for fraud, impersonation, political manipulation, and corporate espionage.
Voice cloning is especially dangerous because many organisations still rely on voice recognition or verbal confirmation for sensitive actions.

One of the most widely discussed cases occurred in 2024 when a finance employee at a multinational company in Hong Kong was tricked into transferring approximately 25 million US dollars after participating in a video conference call populated by AI-generated deepfakes of senior executives. The employee believed the meeting was genuine because the fake participants looked and sounded like real colleagues. In reality, cybercriminals had used publicly available footage and AI systems to imitate the organisation’s leadership team.

This incident demonstrated several important trends in modern cybercrime. First, attackers are increasingly combining traditional social engineering with advanced AI tools. Second, technical realism alone is enough to override human suspicion in many situations. Third, organisations that rely heavily on remote communication are particularly vulnerable.

Deepfakes are not limited to corporate fraud. Attackers have also used cloned voices to impersonate family members during emergency scams, convincing victims to transfer money quickly. Political deepfakes have spread misinformation during elections. Fake executive videos have manipulated stock markets and public opinion.

AI also enables large-scale automation of attacks. Cybercriminals can generate thousands of tailored phishing messages rapidly, adapting language and tone for different targets. AI chatbots can conduct fraudulent conversations in real time, increasing the sophistication of scams.

The barrier to entry has also fallen dramatically. Many deepfake and AI-generation tools are inexpensive or publicly available. Attackers no longer need advanced programming expertise to launch convincing campaigns.

This creates a dangerous imbalance. Defensive organisations often require extensive approval processes, training programmes, and infrastructure upgrades.
Attackers, meanwhile, can experiment quickly with evolving AI tools.

The Shift Toward Zero Trust Architecture

In response to growing cyber threats, many organisations have adopted zero trust architecture. Zero trust is not a single product or software platform. Instead, it is a security philosophy built around the principle of “never trust, always verify.”

Traditional cybersecurity models assumed that users and devices inside a network perimeter could generally be trusted. Once an employee logged in successfully, they often received broad access to systems and data.

Zero trust rejects this assumption. Every user, device, application, and request must be verified continuously, regardless of location. Access is granted only to the specific resources required for a task.

The rise of remote work, cloud computing, and mobile devices accelerated the need for this approach. Modern organisations no longer operate within clearly defined network boundaries. Employees access systems from homes, cafés, airports, and personal devices.

A zero trust model usually includes several core principles:
• Identity Verification: Users must prove their identity using strong authentication methods. Multi-factor authentication is one of the most common examples. Instead of relying only on passwords, systems may require a mobile confirmation code, biometric scan, or hardware security key.
• Least Privilege Access: Employees receive access only to the information necessary for their role. This reduces the damage attackers can cause if they compromise an account.
• Continuous Monitoring: Zero trust systems monitor behaviour constantly. If a user suddenly downloads massive amounts of data or logs in from unusual locations, the system may trigger additional verification or block access.
• Device Security: The security status of devices is checked before access is granted.
Unpatched or compromised devices may be isolated automatically.
• Microsegmentation: Networks are divided into smaller sections so that attackers cannot move freely across systems after gaining entry.

These principles are particularly important in defending against AI-enhanced attacks. If a deepfake convinces an employee to reveal credentials, layered verification and limited permissions can still reduce the attacker’s ability to cause damage.

Applying Zero Trust to Artificial Intelligence

As organisations integrate AI systems into daily operations, cybersecurity experts are increasingly applying zero trust principles directly to AI technologies.

AI systems create new attack surfaces. Large language models, automated assistants, and machine learning systems often process enormous quantities of sensitive data. If compromised, they can expose confidential information or generate misleading outputs.

One growing concern is prompt injection attacks. In these attacks, malicious users manipulate AI systems by providing carefully designed instructions that override safety controls or extract hidden information. Another threat involves data poisoning, where attackers deliberately corrupt training data to influence how AI systems behave.

Applying zero trust to AI means treating AI systems as potentially vulnerable rather than inherently trustworthy.

This approach includes several important strategies.
• Verifying Data Sources: AI systems should only process data from trusted and validated sources. Organisations must monitor datasets carefully to detect tampering, corruption, or manipulation.
• Restricting AI Permissions: AI applications should not receive unrestricted access to internal systems. Limiting permissions reduces the risk of automated misuse.
• Monitoring AI Behaviour: Security teams should track how AI systems interact with users and networks.
Unexpected outputs, unusual access requests, or abnormal decision patterns may indicate compromise.
• Human Oversight: Critical decisions involving finance, healthcare, legal matters, or infrastructure should not rely entirely on AI-generated outputs. Human review remains essential.
• Model Security Testing: Organisations increasingly conduct adversarial testing against AI systems to identify weaknesses before attackers exploit them.

Applying zero trust to AI is especially important because AI systems often appear authoritative. Employees may assume that machine-generated information is objective or reliable even when it is incorrect.

This creates a paradox. AI tools can strengthen cybersecurity by detecting anomalies and automating threat analysis, yet the same technology can also increase organisational risk if deployed carelessly.

Why Human Training Matters More Than Ever

Despite major advances in cybersecurity technology, humans remain one of the most common points of failure. Many cyberattacks succeed not because technical systems are weak, but because individuals are manipulated successfully. AI-enhanced attacks exploit human habits, emotions, and assumptions.

Traditional cybersecurity training often fails because it relies on long presentations, technical jargon, or infrequent compliance exercises. Non-specialist employees may view security training as confusing, irrelevant, or disconnected from their daily responsibilities.

Modern training programmes must therefore focus on practical behaviour rather than abstract theory. Employees do not need to become cybersecurity engineers. However, they do need enough awareness to recognise suspicious situations and respond safely. Training should begin with a clear explanation of how AI-enhanced attacks work.
Employees should understand that emails, voices, videos, and online identities can now be fabricated convincingly.

For example, staff should know that:

• A phone call from a manager may not be genuine.
• A video conference participant could be a deepfake.
• A polished email with perfect grammar can still be malicious.
• AI chatbots may imitate customer support agents or colleagues.

The goal is not to create paranoia, but to encourage healthy verification habits.

Practical Cybersecurity Training for Non-Specialists

Effective cybersecurity training must be realistic, repeatable, and easy to apply under pressure. One of the most effective methods is scenario-based learning. Instead of memorising definitions, employees practise responding to simulated attacks. These exercises help workers build instinctive responses before real incidents occur.

For example, organisations may conduct simulated phishing campaigns to teach employees how to identify suspicious messages. Workers who click fake malicious links can receive immediate educational feedback.

Deepfake awareness training is becoming increasingly important as well. Employees should practise verifying unusual requests through secondary communication channels. If a senior executive requests an urgent financial transfer during a video call, staff should confirm the request independently using trusted procedures. Simple organisational habits can significantly reduce risk.

Clear escalation procedures are essential. Employees should know exactly who to contact if they suspect a cyberattack or fraudulent communication. Confusion during a crisis often benefits attackers.

Training should also emphasise emotional awareness. Many successful attacks rely on urgency or fear.
Attackers pressure victims into acting quickly before they can think critically.

Workers should learn to pause and verify when encountering messages involving:

• Emergency financial requests
• Password resets
• Confidential data transfers
• Threats of punishment or account closure
• Requests for secrecy

Cybersecurity culture also matters. Employees are more likely to report suspicious incidents if organisations avoid blaming or humiliating staff who make mistakes.

A blame-focused culture encourages silence. Workers may hide accidental clicks or suspicious interactions because they fear punishment. This delays incident response and increases organisational damage.

Instead, organisations should encourage rapid reporting and treat cybersecurity as a shared responsibility. Short, regular training sessions are generally more effective than annual seminars. Threats evolve quickly, especially in AI-related environments. Continuous learning helps employees stay aware of changing attack techniques.

The Role of Leadership and Governance

Trust within cybersecurity is not only a technical issue. It is also a leadership challenge.

Executives must recognise that cybersecurity is now deeply connected to organisational reputation, operational stability, and public confidence. AI-enhanced attacks can damage customer trust rapidly if organisations appear unprepared.

Leadership teams should establish clear policies for AI usage, identity verification, and incident response. Employees need consistent guidance about when and how AI tools may be used.

Governance frameworks should also address ethical concerns. AI-generated content creates risks involving misinformation, privacy violations, and impersonation. Many organisations now require internal disclosure when employees use AI-generated material in official communication. Transparent usage policies help preserve accountability.

Investment in cybersecurity training must also come from leadership.
Training programmes often fail because organisations treat them as secondary priorities. In reality, cybersecurity awareness is now a core business skill. Every department, including finance, human resources, marketing, and customer support, faces exposure to AI-enhanced attacks.

Rebuilding Digital Trust

The cybersecurity landscape is entering a period of profound change. Artificial intelligence is simultaneously strengthening and weakening digital trust.

On one hand, AI improves threat detection, automates security monitoring, and increases defensive capabilities. On the other hand, it enables cybercriminals to create highly convincing attacks at unprecedented speed and scale.

Deepfakes and AI-generated deception challenge long-standing assumptions about authenticity. Organisations can no longer rely on visual evidence, familiar voices, or polished communication as proof of legitimacy. In this environment, trust must become evidence-based rather than assumption-based.

Zero trust architecture represents one of the most important strategic responses to this challenge. By continuously verifying users, devices, and systems, organisations reduce their dependence on fragile assumptions.

Applying zero trust principles to AI systems themselves is equally important. AI tools must be monitored, restricted, and validated carefully to prevent misuse or compromise.

However, technology alone cannot solve the problem. Human behaviour remains central to cybersecurity resilience. Non-specialist employees are increasingly operating on the front line of digital defence. Practical training, clear verification procedures, and supportive organisational culture are essential in helping ordinary users recognise AI-enhanced threats.

The future of cybersecurity will depend on balancing innovation with caution. AI systems will continue to evolve rapidly, and attackers will continue adapting their methods. Trust is therefore no longer something organisations can grant automatically.
It must be earned continuously through verification, transparency, education, and resilient security design.

In the years ahead, the organisations most capable of protecting themselves will not necessarily be those with the most advanced technology. They will be the ones that combine strong technical controls with informed, alert, and adaptable human decision-making.

Further Reading

These topics are always complex and always in need of further expansion. For that reason, you should check out our Substack page that also includes our "Further Reading" section. Follow the link below to get access.

Austin Miller
08 May 2026

#243: Suricata in Modern Network Defence

More Lessons from the 2025 Kido Cyberattack

Over the last decade, endpoint telemetry, cloud-native security tooling, and identity-driven controls have dominated defensive strategy discussions. Yet the persistence of ransomware, data exfiltration campaigns, and hybrid intrusion operations has reinforced a familiar reality: attackers still have to move data across networks.

That fact is precisely why Suricata remains strategically relevant.

The Return of Network-Centric Detection

Suricata has evolved from a traditional intrusion detection system into a high-performance network security platform capable of intrusion detection (IDS), intrusion prevention (IPS), network security monitoring (NSM), protocol analysis, and threat hunting support. In contemporary environments, Suricata is no longer simply a packet inspection engine sitting passively on a SPAN port. Properly deployed, it functions as a real-time telemetry layer capable of exposing adversary behaviour long before ransomware deployment or public data leakage.

The 2025 cyberattack against Kido International illustrates exactly why this matters. The attack reportedly resulted in the theft of highly sensitive information relating to thousands of children and staff, including photographs, addresses, contact details, and safeguarding information. The attackers, identified in reporting as the Radiant ransomware group, allegedly used extortion tactics that included leaking sample profiles of children online.

Although the precise technical kill chain was never fully disclosed publicly, the incident reflected a pattern now common across ransomware operations: initial compromise, lateral movement, credential abuse, data staging, exfiltration, and extortion.
Suricata is particularly effective against exactly this sequence of activity.

How Suricata Actually Works

At its core, Suricata is a multi-threaded packet processing engine designed to inspect network traffic in real time. Unlike older IDS platforms constrained by single-threaded performance limitations, Suricata was built to scale across modern multicore infrastructure. This matters operationally because contemporary enterprise traffic volumes routinely overwhelm legacy inspection architectures.

Suricata analyses packets at Layer 3 through Layer 7, reconstructing sessions and decoding application-layer protocols including HTTP, TLS, DNS, SMB, FTP, SSH, SMTP, and industrial protocols. Rather than relying purely on raw packet signatures, it can evaluate protocol behaviour, metadata, flow state, and content relationships.

In practice, Suricata operates through several complementary detection models.

Signature-based detection remains central. Rules written in the Suricata rule language identify known malicious patterns such as ransomware command-and-control traffic, exploit kit payloads, suspicious PowerShell downloads, credential harvesting behaviour, or malware beaconing intervals.

Protocol anomaly detection extends visibility further. Suricata can identify malformed requests, protocol misuse, suspicious JA3 TLS fingerprints, DNS tunnelling indicators, or irregular SMB activity that may indicate lateral movement. Its network security monitoring functionality is equally important. Even when no alert is generated, Suricata produces detailed metadata records through EVE JSON logging. These logs can be forwarded to platforms such as Elasticsearch, Logstash, Kibana, Splunk, or SIEM pipelines where analysts correlate behaviour over time.

That distinction is critical. Modern detection engineering increasingly depends not just on identifying known malware signatures but on exposing attacker tradecraft.
A mature Suricata deployment, therefore, becomes less of a simple IDS and more of a network-centric detection fabric.

The Kido Attack Through a Suricata Lens

Public reporting on the Kido incident suggested that attackers gained access to sensitive records through systems associated with a third-party childcare software platform. The attackers subsequently exfiltrated personal information and used double-extortion tactics to pressure the organisation. Even without full forensic disclosure, the attack sequence aligns closely with contemporary ransomware operations.

A Suricata deployment positioned at internet ingress points, cloud transit gateways, and east-west network boundaries could have materially improved detection opportunities at multiple stages.

Initial Access Detection

Modern ransomware operators frequently exploit externally exposed applications, weak authentication workflows, VPN infrastructure vulnerabilities, or stolen credentials. Once an adversary establishes initial foothold access, command-and-control traffic typically begins almost immediately.

Suricata excels at identifying these patterns because it can inspect:

• suspicious HTTP user agents;
• outbound connections to known malicious infrastructure;
• unusual TLS fingerprints;
• exploit payload signatures;
• web shell traffic;
• suspicious authentication behaviour;
• anomalous DNS activity.

If the Kido intrusion involved exploitation of a web-facing service or cloud-connected application, Suricata could have detected exploit attempts or malicious callback traffic before large-scale data access occurred.

For example, Suricata rulesets from Emerging Threats and commercial threat intelligence feeds routinely include indicators for ransomware affiliate infrastructure, Cobalt Strike beacons, Sliver implants, remote administration frameworks, and known malware loaders. The value here is not theoretical.
Many ransomware intrusions remain undetected for days or weeks because organisations focus heavily on endpoint encryption detection while underinvesting in network telemetry.

Lateral Movement and Privilege Escalation

Ransomware groups rarely execute attacks from their initial compromise point. Instead, they move laterally through the environment using administrative protocols and credential reuse.

This phase is where Suricata becomes especially valuable. Because the engine decodes SMB, RDP, Kerberos, LDAP, and other enterprise protocols, it can reveal behavioural indicators associated with privilege escalation and lateral movement:

• abnormal SMB share enumeration;
• excessive failed authentication attempts;
• suspicious remote service creation;
• PsExec-style execution patterns;
• remote PowerShell activity;
• unusual Kerberos ticket behaviour;
• large volumes of east-west traffic between systems.

In childcare and education environments such as Kido’s, flat network architecture and broad access privileges can significantly amplify attack impact. A properly segmented environment monitored by Suricata would likely have generated telemetry showing anomalous internal movement patterns well before mass exfiltration.

Importantly, Suricata also supports file extraction and file metadata logging. Analysts can identify suspicious executable transfers, archive creation, or staged payload movement across the network. That capability matters because ransomware operators commonly stage compressed archives prior to exfiltration.

Data Exfiltration: The Most Detectable Phase

The Kido attack became publicly visible once attackers began leaking stolen records and threatening further disclosures. By that point, the compromise had already progressed into a full extortion scenario.
Ironically, data exfiltration is often one of the noisiest phases of a ransomware campaign.

Large outbound transfers, encrypted archive uploads, unusual cloud storage traffic, and abnormal DNS patterns create detectable network artefacts.

Suricata can identify these through:

• outbound transfer volume anomalies;
• suspicious HTTP POST requests;
• rare destination domains;
• cloud storage misuse;
• TOR traffic detection;
• DNS tunnelling signatures;
• encrypted archive transfers;
• command-and-control beacon intervals.

Even when payloads are encrypted, metadata analysis remains powerful. A childcare organisation does not normally transmit gigabytes of archived child records to obscure external infrastructure at unusual hours. Suricata’s flow analysis and protocol logging can expose these operational inconsistencies. Had continuous network monitoring and alert triage been aggressively implemented, defenders might have identified staging or exfiltration behaviour before public leakage occurred.

Why Suricata Matters More in 2026 Than It Did in 2016

The security landscape has changed substantially.

Ten years ago, IDS deployments were often treated as compliance exercises. Alerts flooded analysts with low-confidence signatures, encrypted traffic reduced inspection visibility, and many organisations lacked the staffing to operationalise network telemetry. That environment is, simply put, different today. Several factors have made Suricata considerably more valuable in contemporary defence architectures.

Encryption Has Increased the Importance of Metadata

TLS adoption initially appeared to weaken network detection. In reality, it shifted the focus toward behavioural analytics.
Suricata’s support for JA3 and JA4 fingerprinting, TLS metadata inspection, certificate analysis, and traffic pattern monitoring allows defenders to identify suspicious encrypted sessions without decrypting payload content.

Threat actors increasingly rely on legitimate cloud infrastructure, short-lived VPS hosts, and encrypted command channels. Behavioural network analysis has therefore become essential.

Ransomware Operations Have Industrialised

Modern ransomware groups operate more like mature enterprises than isolated criminal actors. They use initial access brokers to purchase footholds into corporate environments, malware-as-a-service ecosystems to distribute tooling, automated reconnaissance frameworks to map infrastructure, and dedicated exfiltration utilities to steal data before encryption begins.

This industrialisation changes the defensive equation. Attack methodologies become repeatable. Infrastructure patterns recur across campaigns. Beaconing intervals, TLS fingerprints, DNS behaviours, and command-and-control techniques often appear across multiple victims because affiliates reuse tooling supplied by central operators.

That operational consistency creates detection opportunities. Suricata benefits directly from rapidly updated threat intelligence ecosystems. Community and commercial rulesets can identify emerging ransomware infrastructure within hours, allowing defenders to detect known malicious behaviours before encryption stages begin.

Equally important, Suricata allows analysts to build organisation-specific detections tailored to their own traffic baselines. A ransomware operator using legitimate administrative tools may evade generic malware signatures, but unusual east-west SMB traffic, abnormal PowerShell downloads, or unexplained archive transfers remain detectable through behavioural analysis.

This is one of the reasons network telemetry has regained strategic importance in ransomware defence.
Attackers may rotate malware binaries constantly, but they still need to communicate, authenticate, enumerate, and exfiltrate.

And, obviously, those activities leave traces.

How could Kido have played out with Suricata in the ranks?

The 2025 Kido cyberattack demonstrated how modern extortion operations increasingly target organisations whose data carries significant emotional and reputational sensitivity. The reported exposure of information relating to children and families transformed the incident from a conventional breach into a wider safeguarding and trust crisis.

Incidents of this type reinforce an important reality for defenders: compromise prevention alone is no longer sufficient. Organisations must also focus on reducing attacker dwell time, identifying lateral movement quickly, and detecting exfiltration activity before public disclosure occurs.

This is where Suricata remains exceptionally relevant. Its ability to combine high-performance packet inspection with behavioural analysis, protocol decoding, and threat intelligence integration makes it one of the most effective open-source platforms for network-centric detection.

Suricata does not eliminate the need for endpoint protection, identity monitoring, or cloud security controls. Instead, it strengthens them by providing independent visibility into how attackers actually move through environments. In contemporary ransomware operations, that visibility can be decisive.

Whether the threat comes from commodity ransomware affiliates, cloud-focused intrusion groups, or sophisticated extortion campaigns, attackers ultimately depend on network communication to achieve their objectives. Suricata enables defenders to observe those interactions in real time, correlate them across systems, and intervene before operational disruption escalates into a full-scale crisis.

For cybersecurity specialists designing modern detection architectures, Suricata remains far more than a legacy IDS.
Properly deployed and operationalised, it is a critical component of contemporary threat detection and incident response strategy.

Cloud and Hybrid Environments Need Independent Visibility

Many organisations mistakenly assume endpoint agents alone provide sufficient visibility in cloud-centric environments. However, attackers increasingly disable logging, tamper with agents, or exploit unmanaged infrastructure.

Suricata deployed in cloud VPC mirroring architectures, Kubernetes ingress paths, or hybrid transit networks provides an independent telemetry source resistant to endpoint manipulation. That independence is operationally important during incident response.

Operationalising Suricata Properly

Suricata is not a magic appliance. Poorly tuned deployments can produce overwhelming alert volumes or miss meaningful behavioural indicators. The difference between ineffective and highly effective deployments usually comes down to engineering maturity.

Successful implementations typically include:

• aggressive rule tuning;
• environment-specific baselining;
• integration with SIEM and SOAR pipelines;
• automated enrichment workflows;
• threat hunting processes;
• segmentation-aware deployment architecture;
• continuous signature management;
• performance optimisation through AF_PACKET, DPDK, or PF_RING.

Equally important is log retention and correlation.

Suricata’s EVE JSON outputs become significantly more valuable when combined with identity telemetry, endpoint logs, firewall records, cloud audit trails, and authentication events.
In modern SOC operations, Suricata often acts as the connective tissue between infrastructure telemetry and adversary behaviour analysis.

Contemporary Attacks and Present-Day Relevance

The techniques observed in the Kido attack continue to appear across healthcare, education, retail, manufacturing, and local government sectors.

Attackers increasingly target organisations holding emotionally sensitive or operationally critical data because those organisations experience greater pressure to pay extortion demands. Suricata is particularly effective in these environments because it can expose the preparatory stages that occur before a catastrophic business impact.

In current attack campaigns, defenders regularly use Suricata to detect:

• infostealer malware communications;
• malicious OAuth token abuse;
• DNS tunnelling;
• encrypted malware beacons;
• ransomware affiliate reconnaissance;
• suspicious cloud API activity;
• exploit framework traffic;
• lateral movement over SMB and RDP;
• large-scale data staging operations.

Critically, modern security operations increasingly rely on layered visibility. No single control reliably stops sophisticated attackers. Endpoint detection can fail. Identity controls can be bypassed. Firewalls can be misconfigured.

Network telemetry remains difficult for attackers to avoid entirely. That is where Suricata retains enduring defensive value.

How would it help?

The 2025 Kido cyberattack demonstrated the reputational, operational, and human consequences of modern ransomware and extortion campaigns. The compromise reportedly exposed deeply sensitive information relating to children and families, underscoring how cyber incidents increasingly intersect with safeguarding, privacy, and public trust. Suricata would not necessarily have prevented the initial compromise. No serious security professional should claim that any single tool can do that.

What Suricata could have done, however, is significantly compress attacker dwell time.
By exposing exploit traffic, lateral movement, command-and-control communications, suspicious protocol behaviour, and exfiltration activity, Suricata provides defenders with the opportunity to detect ransomware operations before they escalate into full-scale extortion crises.

That capability is increasingly important in an era where attackers monetise not only system disruption, but also the public exposure of sensitive human data. For cybersecurity specialists building resilient detection architectures in 2026, Suricata remains one of the most operationally relevant open-source tools available.

Detection Engineering and the Shift Toward Behavioural Analysis

One of the most important developments in modern security operations is the transition away from purely signature-centric thinking. Traditional IDS deployments were frequently criticised because analysts associated them with noisy alerts and high false-positive rates. In many environments, teams deployed signatures indiscriminately without understanding normal traffic baselines or operational context.

Contemporary Suricata deployments are increasingly tied to detection engineering practices instead. Rather than asking whether a single alert proves compromise, analysts use Suricata telemetry to identify behavioural chains. A single suspicious DNS query may not matter in isolation. Combined with unusual SMB traversal, outbound encrypted archive uploads, and suspicious authentication activity, however, the telemetry becomes far more meaningful.

This analytical approach mirrors how sophisticated threat actors actually operate. Modern attacks rarely involve a single obvious malware execution event. Instead, adversaries blend legitimate tooling, compromised credentials, encrypted traffic, and cloud infrastructure into campaigns designed to appear operationally normal.

Suricata’s value therefore lies not only in identifying known malware but also in exposing inconsistencies in network behaviour.
That distinction is especially important in sectors handling sensitive personal data.

In the Kido incident, the reputational impact stemmed not simply from operational disruption but from the exposure of highly sensitive information relating to children and families. In similar attacks today, the exfiltration phase often creates the greatest long-term organisational damage.

Behavioural detection at the network layer provides one of the few opportunities to identify those activities before public disclosure occurs.

Suricata and Threat Hunting Operations

Another reason Suricata has retained relevance is its usefulness beyond real-time alerting. Many mature SOCs now use Suricata as a retrospective hunting platform. Because EVE JSON logging captures rich protocol metadata, analysts can search historical records for indicators discovered after an intrusion becomes known. If threat intelligence identifies a malicious JA3 fingerprint, a suspicious domain, or a particular malware communication pattern, investigators can pivot across historical telemetry to determine whether compromise activity occurred weeks earlier.

This capability substantially improves incident response. Ransomware operators frequently maintain persistence inside environments long before encryption or extortion stages begin. Retrospective network analysis allows defenders to reconstruct timelines, identify affected systems, and understand attacker movement patterns.

In practical terms, Suricata often becomes one of the primary forensic data sources during post-compromise investigations.

The Strategic Advantage of Open Source Security Tooling

Suricata’s open-source model is another reason it remains influential. Commercial network detection and response platforms can provide extensive capabilities, but they also introduce licensing costs, proprietary telemetry limitations, and vendor dependency.
Suricata offers a different operational model.

Security teams can:

• customise rulesets;
• integrate bespoke detections;
• deploy at cloud scale;
• inspect proprietary protocols;
• automate telemetry pipelines;
• tune performance for specialised environments.

For organisations with mature engineering capability, this flexibility is strategically valuable. The rapid pace of attacker adaptation means defensive tooling must evolve continuously. Open-source ecosystems frequently respond to emerging threats faster than slower commercial release cycles.

That responsiveness has become increasingly important as ransomware groups fragment into smaller affiliate networks using rapidly changing infrastructure.

Where Suricata Fits in a Modern Defensive Stack

Suricata should not be viewed as a replacement for endpoint detection, identity monitoring, or zero-trust architecture. Its strength lies in complementing those controls.

In mature environments, Suricata commonly operates alongside:

• endpoint detection and response platforms;
• cloud workload protection systems;
• identity threat detection tools;
• network segmentation controls;
• SOAR automation pipelines;
• deception infrastructure;
• threat intelligence platforms.

What makes Suricata uniquely valuable is its ability to observe the connective layer between systems.

Attackers ultimately have to communicate. Even sophisticated adversaries using encrypted channels, legitimate tooling, and stolen credentials generate network artefacts. Those artefacts may be subtle, but they remain observable when telemetry collection is sufficiently mature. This is precisely why network security monitoring continues to survive repeated predictions of its decline.

Final Assessment

The 2025 Kido cyberattack illustrated the evolving economics of cybercrime. Modern attackers increasingly target organisations whose data carries emotional, legal, or reputational leverage.
Childcare providers, schools, healthcare organisations, and local authorities therefore face disproportionate extortion pressure.

In these environments, reducing attacker dwell time is operationally critical. Suricata directly supports that objective. Its combination of high-performance packet inspection, protocol analysis, behavioural visibility, and threat intelligence integration enables defenders to identify adversary activity across multiple stages of an intrusion lifecycle.

Most importantly, Suricata provides visibility independent of endpoint state or attacker-controlled credentials. That independence becomes invaluable once adversaries establish persistence inside an environment. The broader lesson from incidents like Kido is not that organisations need a single perfect security product. Rather, they need layered visibility capable of exposing attacker behaviour before extortion operations mature into full business crises.

Suricata remains one of the most effective open-source platforms for achieving that visibility.

Further Reading

In the interest of openness, the _secpro team would like to say that we have no ongoing association with Suricata or the Suricata team. Our assessment above is merely an assessment of the use of the tool, how it might have worked in the past, and how it could help today.
To show that this isn’t a clever little marketing ploy, here are five other alternatives that can perform the same or a largely similar role to Suricata, and we would happily recommend them in its place as well:ArkimeSecurity OnionSnortWazuh (see our own assessment here: #242: Using Wazuh, Learning from 2025)Zeek*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;display:none;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}.social_block .social-table{display:inline-block!important}}

Austin Miller
01 May 2026

#242: Using Wazuh, Learning from 2025

Hack Before You Launch - and other ways to get ahead

Learning to use tools which can actually aid in overcoming the adversary is difficult. To begin with, there’s the difficulty of knowing what the adversary is going to do, why they’re going to do it, and the signs that they’re actually doing it now. Not an easy task whatsoever. However, there is also the matter of understanding what we can do, how we can do it, and when it is appropriate to do it—because, when we know that, we can start to get a step ahead.

And, of course, this kind of knowledge doesn’t come easily and is often hard-won. In fact, it is often hard-won and then quickly becomes out of date as the threat landscape changes. Because of that, understanding practical approaches to cybersecurity and being able to flex your practical chops when the pressure is on is at the heart of becoming a successful practitioner today.

And who better to ask about this than someone sitting on the frontlines?

Hack Before You Launch is a practical, live workshop designed for developers, indie hackers and fast-moving builders who are using AI tools like ChatGPT and Copilot or simply plugging in and vibe coding to build and ship products faster than ever. While AI can accelerate development, it can also introduce hidden security vulnerabilities that often go unnoticed until it’s too late. In this session, ethical hacker Dr. Katie Paxton-Fear will demonstrate exactly how AI-generated applications can be exploited in the real world—and, more importantly, how to fix those issues before attackers find them first.

This is not a theoretical webinar. Attendees will watch a real AI-built application being tested for authentication flaws, prompt injection risks, and insecure data handling. Katie will walk through how attackers think, how vulnerabilities are uncovered, and the practical steps developers can take to protect their apps before launch. By the end of the session, participants will leave with a clear pre-launch security checklist and a better understanding of whether their product is truly ready to ship.

What you need to know
• Learn how AI-generated applications can introduce hidden security vulnerabilities
• Watch a live demonstration of real-world exploits, including authentication flaws and prompt injection
• Understand how attackers identify and exploit weaknesses in applications
• Discover practical, lightweight methods for identifying and fixing security issues
• Leave with a simple pre-launch security checklist to use before deploying your app
• Ideal for developers, indie hackers, startup founders, and anyone building with AI-assisted code tools

Important event information
• Date: Saturday, 30 May
• Time: 10:00 AM – 11:30 AM
• Duration: 1 hour 30 minutes
• Speaker: Dr. Katie Paxton-Fear

Sign up to get ahead!

And while we’re waiting for that, maybe it’s time to think about a particular tool which could come in handy—perhaps something that we looked at in brief last week.

How Using Wazuh Gets You Ahead

1. Install Wazuh Agents Across Endpoints

The first step in using Wazuh is deploying Wazuh agents on all important endpoints, including staff laptops, servers, domain controllers, cloud systems, and databases. These lightweight agents continuously collect security logs and monitor system activity such as logins, file access, software installations, and system changes.

For example, in a school or healthcare environment, agents would be installed on systems containing safeguarding records or patient information. This ensures all activity involving sensitive data is monitored in real time.

The main benefit of Wazuh here is visibility. Many organisations only monitor firewalls or antivirus alerts, leaving endpoints largely unprotected. Wazuh closes this gap by providing direct insight into what is happening on every critical device, making hidden threats much easier to detect.

2. Configure Log Collection and Centralised Monitoring

Once agents are installed, Wazuh collects logs from across the environment and sends them to the central Wazuh manager. This includes Windows Event Logs, Linux authentication logs, cloud service logs, VPN access records, and third-party platform activity.

Instead of security teams checking multiple systems separately, everything is centralised into one dashboard. For example, if a user logs into Microsoft 365, accesses a local server, and downloads files from a cloud database, Wazuh can correlate these events together.

The benefit is efficiency and context. Attackers often move across multiple systems, and isolated logs may not appear suspicious on their own. Wazuh improves detection by connecting those events into a single security story.

3. Create Detection Rules for Suspicious Behaviour

Wazuh becomes most effective when custom detection rules are configured. These rules identify behaviours that suggest compromise, such as repeated failed login attempts, logins from unusual countries, privilege escalation, or mass file downloads.

For example, if a staff account logs in from another country at 2:00 AM and starts exporting hundreds of child protection records, Wazuh can immediately generate an alert. This is known as anomaly detection.

The benefit is early warning. Rather than discovering a breach after data is stolen, security teams can investigate while the attack is still in progress. This can prevent a minor incident from becoming a major public breach.

4. Monitor Privileged Accounts and Administrative Actions

One of the most important uses of Wazuh is monitoring administrator accounts and privileged users. Attackers frequently target these accounts because they provide access to the most sensitive systems.

Wazuh can detect suspicious administrative activity such as new account creation, privilege escalation, unauthorised password resets, disabling security tools, or attempts to delete audit logs.

In the Kido attack scenario, if attackers gained access through stolen credentials from a third-party supplier, Wazuh could have flagged unusual administrator behaviour long before large-scale data theft occurred.

The major benefit here is containment. Privileged account misuse causes the most damage during breaches, and Wazuh helps organisations identify abuse before attackers gain full control.

5. Use File Integrity Monitoring for Sensitive Data

Wazuh also includes File Integrity Monitoring (FIM), which tracks changes to important files, folders, and configurations. This is especially useful for organisations storing highly sensitive records such as safeguarding reports, HR files, or financial data.

For example, if confidential child records are copied, deleted, or altered unexpectedly, Wazuh can alert security staff immediately. It can also detect ransomware behaviour by identifying large numbers of file changes happening rapidly.

The benefit is direct protection of critical data. Instead of simply monitoring user behaviour, Wazuh watches the files themselves, helping prevent both insider threats and external attacks.

6. Investigate Alerts and Respond Quickly

The final step is using Wazuh dashboards and reports to investigate alerts and respond quickly. Alerts are prioritised by severity, allowing security teams to focus on the highest-risk activity first.

For example, repeated failed logins followed by a successful login from an unusual location may indicate credential theft. Security teams can then disable the account, isolate the affected system, and begin incident response before records are stolen.

This solves one of the biggest cybersecurity problems: delayed breach discovery. Many organisations only realise they were attacked after data appears online or regulators become involved.

The greatest benefit of Wazuh is proactive defence. It shifts security from reactive investigation to real-time prevention, reducing financial loss, reputational damage, and regulatory consequences.

Further Reading

• OWASP – Prompt Injection: A clear primer on one of the biggest risks in AI-assisted development: prompt injection. This explains how attackers manipulate LLM behaviour, why it matters for developers using tools like ChatGPT and Copilot, and how to test for it during development. Particularly useful ahead of Katie’s live exploit demonstrations.
• OWASP Top 10 for LLM Applications – LLM01: Prompt Injection: A more technical deep dive into why prompt injection remains the number one security risk for LLM-powered applications. Ideal for readers who want to move beyond basic awareness and understand why traditional security assumptions break down when building AI-driven products.
• Wazuh – File Integrity Monitoring: A practical guide to one of Wazuh’s most valuable defensive features. This resource explains how File Integrity Monitoring works, how checksums and baselines are used, and why monitoring sensitive files can help prevent ransomware, insider threats, and silent data theft.
• Wazuh – Real-Time Monitoring and FIM Configuration: For readers wanting to implement the steps discussed in the newsletter, this covers how to configure real-time monitoring, directory tracking, and alerting. It’s especially useful for security teams looking to move from reactive investigations to proactive detection.
• ITPro – Vibe Coding Security Risks and How to Mitigate Them: A strong overview of the risks introduced by “vibe coding” and AI-generated applications. It covers insecure code generation, poor authentication logic, weak dependency choices, and the importance of treating AI-generated code as untrusted until properly reviewed and tested.
• Microsoft Learn – Threat Modeling for Generative AI Applications: A strong resource for developers building AI-assisted products who need to think beyond code generation and into security architecture. It covers how to identify attack paths, trust boundaries, prompt injection risks, and unsafe tool access before deployment—perfect preparation for a “hack before launch” mindset.
• NIST AI Risk Management Framework (AI RMF): For readers who want the strategic layer behind practical security work, NIST’s AI RMF helps teams think about governance, risk ownership, security controls, and operational resilience for AI-enabled systems. Especially useful for startup founders and security leads trying to formalise lightweight security processes.
• Semgrep – Security Rulez: Should AppSec Engineers Still Learn AppSec?: Dr. Katie Paxton-Fear joins this discussion on how application security changes in the AI era. It explores whether security engineers should become orchestrators of AI agents rather than traditional tool users, and what modern AppSec teams should focus on as automation increases.
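Steps 3 and 6 above describe correlating failed logins, a successful login from an unusual location and bulk record exports into alerts ranked by severity. The Python below is an added example, not part of the newsletter and not Wazuh rule syntax or Wazuh code; the thresholds, the per-account country baseline, the event fields and the sample events are all assumptions constructed for illustration.

```python
"""Correlate constructed login and export events into prioritised alerts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values for this illustration (not Wazuh defaults).
FAIL_THRESHOLD = 3                      # failed logins that count as a burst
FAIL_WINDOW = timedelta(minutes=10)     # look-back window for the burst
EXPORT_THRESHOLD = 100                  # records exported within one session
EXPORT_WINDOW = timedelta(minutes=30)   # session window after a successful login
WORK_HOURS = range(7, 20)               # 07:00-19:59 treated as normal hours
SEVERITY = {"critical": 0, "high": 1, "medium": 2}

# Assumed baseline: countries each account normally signs in from.
BASELINE = {"j.smith": {"GB"}, "a.khan": {"GB"}, "m.jones": {"GB"}}

# Constructed sample events, not real logs. "ZZ" is a placeholder country code.
EVENTS = [
    {"ts": "2026-05-01T01:52:10", "user": "j.smith", "action": "login", "country": "ZZ", "outcome": "fail"},
    {"ts": "2026-05-01T01:54:30", "user": "j.smith", "action": "login", "country": "ZZ", "outcome": "fail"},
    {"ts": "2026-05-01T01:58:05", "user": "j.smith", "action": "login", "country": "ZZ", "outcome": "fail"},
    {"ts": "2026-05-01T02:00:00", "user": "j.smith", "action": "login", "country": "ZZ", "outcome": "success"},
    {"ts": "2026-05-01T02:03:00", "user": "j.smith", "action": "export", "records": 60},
    {"ts": "2026-05-01T02:05:00", "user": "j.smith", "action": "export", "records": 70},
    {"ts": "2026-05-01T09:14:00", "user": "a.khan", "action": "login", "country": "GB", "outcome": "fail"},
    {"ts": "2026-05-01T09:15:00", "user": "a.khan", "action": "login", "country": "GB", "outcome": "success"},
    {"ts": "2026-05-01T09:30:00", "user": "a.khan", "action": "export", "records": 20},
    {"ts": "2026-05-01T10:00:00", "user": "m.jones", "action": "login", "country": "GB", "outcome": "success"},
    {"ts": "2026-05-01T10:05:00", "user": "m.jones", "action": "export", "records": 150},
]


def correlate(events, baseline=BASELINE):
    """Return alerts in time order; each alert has ts, user, level and rule."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of failed logins
    sessions = {}                  # user -> state of the latest successful login

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]

        if ev["action"] == "login" and ev["outcome"] == "fail":
            failures[user].append(ts)

        elif ev["action"] == "login" and ev["outcome"] == "success":
            recent = sum(1 for t in failures[user] if ts - t <= FAIL_WINDOW)
            burst = recent >= FAIL_THRESHOLD
            failures[user].clear()
            unusual = ev["country"] not in baseline.get(user, set())
            off_hours = ts.hour not in WORK_HOURS
            suspicious = unusual and (burst or off_hours)
            if suspicious:
                alerts.append({
                    "ts": ev["ts"], "user": user,
                    "level": "high" if burst else "medium",
                    "rule": ("success after failed-login burst from unusual country"
                             if burst else "off-hours login from unusual country"),
                })
            sessions[user] = {"start": ts, "suspicious": suspicious,
                              "records": 0, "alerted": False}

        elif ev["action"] == "export":
            s = sessions.get(user)
            if s is None or ts - s["start"] > EXPORT_WINDOW:
                continue  # no recent login to attribute this export to
            s["records"] += ev["records"]
            if s["records"] >= EXPORT_THRESHOLD and not s["alerted"]:
                s["alerted"] = True  # one mass-export alert per session
                alerts.append({
                    "ts": ev["ts"], "user": user,
                    # The same export volume ranks higher after a suspicious login.
                    "level": "critical" if s["suspicious"] else "medium",
                    "rule": f"mass export ({s['records']} records) in one session",
                })
    return alerts


def triage(alerts):
    """Order alerts by severity first, then by time, as an analyst queue would."""
    return sorted(alerts, key=lambda a: (SEVERITY[a["level"]], a["ts"]))


if __name__ == "__main__":
    for alert in triage(correlate(EVENTS)):
        print(alert["level"].upper(), alert["ts"], alert["user"], "-", alert["rule"])
```

The same 100-plus record export produces a medium alert for m.jones and a critical one for j.smith, because only the latter follows a login that already looked like credential theft.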

Austin Miller
24 Apr 2026

#241: How Open-Source Cybersecurity Tools Could Have Helped Prevent the Kido International Cyberattack

"Resilience is everything"

Cybersecurity is no longer just a problem for large banks or government agencies. Today, schools, nurseries, hospitals, and small businesses are all targets for cybercriminals. Attackers know that organisations holding personal data—especially children’s data—can be pressured into paying quickly after a breach.

A strong example of this is the 2025 cyberattack against Kido International, a nursery and early-years education provider based in Greater London. The attack exposed sensitive personal information involving around 8,000 children and staff, including names, addresses, dates of birth, photographs, and parent contact details. Some of this information was reportedly posted on a dark web leak site, making the incident even more serious.

This attack showed how dangerous modern ransomware and data theft attacks can be. It also raised an important question: could stronger cybersecurity tools have helped prevent the damage?

The answer is yes.

Instead of focusing on expensive commercial security platforms, many organisations can improve protection using powerful open-source cybersecurity tools. Open-source tools are software programs whose code is publicly available, meaning organisations can use, inspect, and improve them without expensive licensing fees. While they still require skilled setup and management, they can provide excellent security when used correctly. Tools such as Wazuh, Suricata, TheHive, MISP, and Velociraptor could have helped reduce the impact of the Kido International attack—or possibly stopped it much earlier.

Understanding the Kido International Cyberattack

In 2025, Kido International suffered a serious cyberattack believed to involve ransomware and data theft. Attackers reportedly gained access to systems connected to a third-party platform used for storing and sharing children’s photos and developmental records with parents. This is known as a third-party compromise, where hackers target a connected supplier or service provider instead of attacking the main company directly.

The attackers were able to steal sensitive information, including children’s personal profiles. Some of that data was later posted online as part of what appears to be a double extortion ransomware attack. In double extortion, criminals not only encrypt files but also steal data and threaten to release it publicly unless payment is made.

This type of attack is especially harmful because the victims are children. Unlike passwords, personal identity information cannot simply be changed. Families may face privacy and safeguarding concerns for years. Because Kido handles highly sensitive personal data, the incident also created serious legal concerns under UK GDPR and child safeguarding responsibilities.

The main lesson from this breach is clear: early detection and fast response are critical. That is where open-source cybersecurity tools could have made a major difference.

Tool 1: Wazuh for Threat Detection and Monitoring

Wazuh is one of the most powerful open-source security monitoring platforms available today. It combines features of a SIEM (Security Information and Event Management) system with endpoint detection and response (EDR) capabilities. In simple terms, Wazuh collects logs and security events from computers, servers, cloud systems, and user accounts. It then looks for suspicious activity.

For example, if a staff account suddenly logs in from another country at 2:00 AM and starts downloading hundreds of child records, Wazuh can trigger an alert. This is called anomaly detection.

In the Kido attack, if the attackers used stolen credentials through a third-party platform, Wazuh could have detected:
• unusual login locations
• repeated failed login attempts
• privilege escalation
• large file exports
• suspicious administrative activity

Instead of discovering the breach after data was stolen, Kido’s security team could have investigated during the early stages of compromise. This early warning is often the difference between a minor security event and a major public breach.

Tool 2: Suricata for Network Intrusion Detection

Suricata is an open-source Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). Its job is to monitor network traffic and identify malicious behaviour. Think of it like a security guard watching every packet of data entering and leaving the network.

Suricata can detect:
• suspicious file transfers
• command-and-control traffic
• ransomware communication patterns
• known malicious IP addresses
• unusual outbound data transfers

In the Kido breach, attackers likely needed to move stolen data outside the network. This is called data exfiltration. Suricata could have identified unusual outbound traffic—such as large encrypted transfers to suspicious external servers—and alerted administrators immediately. If configured with prevention rules, it could even block some of that traffic automatically.

This would reduce the amount of stolen information and limit the attackers’ success.

Tool 3: TheHive for Faster Incident Response

Detecting an attack is only half the battle. The next challenge is responding quickly. TheHive is an open-source incident response platform designed for Security Operations Center (SOC) teams. It helps security analysts manage investigations, assign tasks, track incidents, and document every step of the response process.

When an alert appears, TheHive helps answer critical questions:
• What happened?
• Which systems are affected?
• Is the attacker still inside?
• What should be isolated first?

Without a structured incident response platform, teams often waste time checking multiple dashboards and sending emails. During the Kido attack, TheHive could have helped by:
• assigning urgent investigation tasks
• tracking compromised accounts
• managing containment steps
• documenting actions for legal and regulatory reporting

This improves Mean Time to Respond (MTTR), which is a key cybersecurity performance measurement. The faster the response, the less damage the attackers can cause.

Tool 4: MISP for Threat Intelligence Sharing

MISP stands for Malware Information Sharing Platform. It helps organisations collect and share information about cyber threats. For example, if another education provider had already seen the same attacker group, MISP could provide:
• malicious IP addresses
• phishing domains
• ransomware file hashes
• attacker techniques
• known indicators of compromise (IOCs)

This intelligence allows organisations to prepare before they are attacked. In Kido’s case, if the ransomware group had targeted similar education providers first, MISP could have helped identify the warning signs earlier. Threat intelligence is valuable because attackers often reuse infrastructure and techniques. Stopping a known attacker is much easier than discovering them from scratch.

Tool 5: Velociraptor for Digital Forensics

After a breach begins, investigators must understand exactly what happened. Velociraptor is an open-source digital forensics and endpoint investigation platform.

It helps analysts examine infected systems and answer questions such as:
• Which files were accessed?
• Which user account was compromised first?
• Did malware execute successfully?
• Is persistence still active?
• What data was stolen?

This is called digital forensics and incident response (DFIR). In the Kido breach, Velociraptor could have helped identify the attacker’s path through the environment and confirm whether the attackers still had access. This is critical because incomplete investigations often lead to repeat attacks. You cannot fully remove an attacker if you do not understand how they entered.

Why Open-Source Tools Matter

Many people assume good cybersecurity must be expensive. That is not always true.

Commercial platforms like CrowdStrike, Microsoft Defender, or Palo Alto Networks XDR are powerful, but they can be very costly for schools, nurseries, and smaller organisations. Open-source tools provide a strong alternative. Their advantages include:
• lower licensing costs
• flexibility and customization
• strong community support
• transparency in how they work
• integration with other platforms

However, they also require skilled staff to deploy and manage them properly. Open-source does not mean “easy.” Without proper configuration, even the best tools will fail. Security depends on people, processes, and technology working together.

Final Thoughts

The Kido International cyberattack was a serious reminder that cybercrime affects everyone, not just large corporations. When children’s personal data is exposed, the consequences are personal, emotional, and long-lasting. This breach likely involved third-party access, data theft, and ransomware-style extortion. It showed how attackers use weak points in trusted systems to cause major damage.

Open-source cybersecurity tools such as Wazuh, Suricata, TheHive, MISP, and Velociraptor could have helped by detecting suspicious behaviour earlier, monitoring network traffic, speeding up incident response, sharing threat intelligence, and improving forensic investigation.

No security tool can guarantee perfect protection. But stronger visibility, faster response, and better preparation can turn a major disaster into a manageable security incident. That is the real goal of cybersecurity: not just reacting after the breach, but preventing the breach from becoming tomorrow’s headline.

Open-Source Cybersecurity Tools Mentioned in the Article

1. Wazuh
Purpose: SIEM + Endpoint Detection and Response (EDR)
Best for: Log monitoring, threat detection, compliance monitoring, endpoint visibility
Key Uses:
• Detect unusual logins
• Monitor endpoints and servers
• File integrity monitoring
• Security alerts and compliance reporting

2. Suricata
Purpose: Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)
Best for: Network traffic monitoring and malicious traffic detection
Key Uses:
• Detect ransomware traffic
• Monitor suspicious outbound connections
• Identify malicious IP communication
• Detect data exfiltration attempts

3. TheHive
Purpose: Incident Response Platform / Case Management
Best for: Security Operations Center (SOC) workflows
Key Uses:
• Incident investigation
• Alert triage
• Task assignment
• Breach documentation
• Regulatory reporting support

4. MISP
Purpose: Threat Intelligence Sharing Platform
Best for: Indicators of Compromise (IOC) management
Key Uses:
• Threat intelligence sharing
• Malware indicators
• Known attacker infrastructure tracking
• Phishing domain detection

5. Velociraptor
Purpose: Digital Forensics and Incident Response (DFIR)
Best for: Endpoint investigation and breach analysis
Key Uses:
• Investigate compromised systems
• Detect attacker persistence
• Malware analysis support
• Incident timeline reconstruction

Alternative Open-Source Cybersecurity Tools

6. Security Onion
Purpose: Network Security Monitoring (NSM) Platform
Why Use It: Security Onion combines multiple tools like Suricata, Zeek, and Elasticsearch into one security monitoring platform.
Best for: Full network visibility and SOC operations

7. Zeek
Purpose: Network Analysis and Threat Detection
Why Use It: Zeek focuses on deep network visibility and protocol analysis rather than signature-only detection.
Best for: Advanced network investigations

8. OpenVAS
Purpose: Vulnerability Scanning
Why Use It: Helps identify unpatched systems, weak configurations, and known security vulnerabilities.
Best for: Preventing attacks before they happen

9. osquery
Purpose: Endpoint Monitoring Using SQL Queries
Why Use It: Allows security teams to query endpoints like databases for suspicious activity.
Best for: Threat hunting and endpoint visibility

10. YARA
Purpose: Malware Detection Rules Engine
Why Use It: Used to identify malware families and suspicious files based on known patterns.
Best for: Malware analysis and threat hunting

11. ClamAV
Purpose: Open-Source Antivirus Engine
Why Use It: Provides malware scanning for files, email attachments, and servers.
Best for: Basic malware detection

12. Fail2Ban
Purpose: Intrusion Prevention Tool
Why Use It: Blocks repeated failed login attempts and brute-force attacks automatically.
Best for: Server and SSH protection
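The Tool 2 section above says Suricata can surface large outbound transfers to external servers. The Python below is an added example, not code from the newsletter or the Suricata project, that applies that idea to Suricata's EVE JSON flow records; the HOME_NET ranges, the byte and ratio thresholds and every sample record are assumptions constructed for illustration.

```python
"""Flag large, upload-heavy transfers to external hosts from Suricata EVE flow records."""
import ipaddress
import json
from collections import defaultdict

# Assumed internal address space, playing the role of Suricata's HOME_NET.
HOME_NET = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _flow(src, dst, up, down, proto="tls"):
    """Build one constructed EVE 'flow' line (a subset of the fields Suricata writes)."""
    return json.dumps({
        "timestamp": "2026-04-24T02:10:00.000000+0000",
        "event_type": "flow",
        "src_ip": src, "dest_ip": dst, "proto": "TCP", "app_proto": proto,
        "flow": {"bytes_toserver": up, "bytes_toclient": down},
    })


# Constructed sample input, not captured traffic.
# External addresses come from the reserved documentation ranges.
EVE_LINES = [
    _flow("10.0.5.23", "203.0.113.50", 48_000_000, 900_000),
    _flow("10.0.5.23", "203.0.113.50", 37_000_000, 700_000),
    _flow("10.0.5.40", "198.51.100.7", 120_000, 95_000_000),     # large download, not an upload
    _flow("10.0.5.23", "10.0.1.10", 60_000_000, 50_000, "smb"),  # internal to internal
    json.dumps({"event_type": "dns", "src_ip": "10.0.5.23", "dest_ip": "10.0.1.53"}),
    '{"timestamp": "2026-04-24T02:11:0',                          # truncated line
]


def is_internal(ip):
    """True when ip parses and falls inside one of the HOME_NET ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in HOME_NET)


def outbound_totals(lines):
    """Sum bytes per (internal source, external destination) over flow events."""
    totals = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "flows": 0})
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupt lines instead of aborting the run
        if not isinstance(ev, dict) or ev.get("event_type") != "flow":
            continue
        src, dst = ev.get("src_ip"), ev.get("dest_ip")
        if not src or not dst or not is_internal(src) or is_internal(dst):
            continue  # keep only flows opened from inside to outside
        flow = ev.get("flow", {})
        entry = totals[(src, dst)]
        # For a flow opened by src_ip, "toserver" is the upload direction.
        entry["bytes_out"] += flow.get("bytes_toserver", 0)
        entry["bytes_in"] += flow.get("bytes_toclient", 0)
        entry["flows"] += 1
    return totals


def flag_exfil(lines, min_bytes=50_000_000, min_ratio=10.0):
    """Return host pairs whose aggregate upload is both large and upload-dominated."""
    findings = []
    for (src, dst), t in outbound_totals(lines).items():
        ratio = t["bytes_out"] / max(t["bytes_in"], 1)
        if t["bytes_out"] >= min_bytes and ratio >= min_ratio:
            findings.append({"src": src, "dst": dst, "bytes_out": t["bytes_out"],
                             "flows": t["flows"], "ratio": round(ratio, 1)})
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)


if __name__ == "__main__":
    for f in flag_exfil(EVE_LINES):
        print(f"{f['src']} -> {f['dst']}: {f['bytes_out']:,} bytes out "
              f"in {f['flows']} flows (out/in ratio {f['ratio']})")
```

Neither sample flow to 203.0.113.50 crosses the 50 MB threshold on its own; summing per host pair is what exposes a transfer split across several connections.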

Austin Miller
17 Apr 2026

#240: Learning More Lilith

A tentative second step of a difficult task

Welcome to another _secpro!

This week, we learn about how to use Lilith, get acquainted with the landscape in the context of the Iranian crisis, and take a look at the intriguing, possibly slightly terrifying world of quantum cybersecurity - don't miss out!

Join us on Substack!

Investigative Matters

Last week, we asked you - the audience - to give us a heads up on which tool you would like to learn about. After much deliberation, we have found out that our readers want to know a little bit more about Lilith.

Of course, this isn't a beginner-friendly tool (for that, you might want to look at Metasploit or other more mainstream, accessible tools), however it's always good to dip your toes into the water with more difficult tools. Take a look at our "beginner's guide" (but not really for beginners) and see if you can take this valuable and potentially dangerous tool out for a test drive.

Check it out!

News Byte

• APT28 Exploiting Routers for DNS Hijacking: Russian state-linked group APT28 is abusing vulnerable routers to perform DNS hijacking, enabling adversary-in-the-middle attacks that steal credentials and authentication tokens at scale.
• Iran-Linked Handala Wipes 80,000 Devices via Intune: A single compromised admin credential was used to issue mass remote wipes through Microsoft Intune, demonstrating the destructive potential of identity-centric attacks without malware.
• Paste-and-Run Attacks Dominate Initial Access: “ClickFix” social engineering—tricking users into executing clipboard-delivered commands—has become a leading initial access vector, bypassing traditional detection controls.
• Mac Infostealers Surge with New Obfuscation Techniques: Atomic Stealer and MacSync Stealer are rising sharply, using AppleScript obfuscation and fake Homebrew prompts to exfiltrate credentials, crypto wallets, and Keychain data.
• Vidar Infostealer Returns with Enhanced Evasion: The Vidar malware family has resurfaced with improved anti-analysis techniques and browser injection capabilities following disruption of competing stealers.
• SparkCat Malware Expands to Western Targets: A mobile infostealer leveraging OCR to extract crypto seed phrases from screenshots now targets English-speaking users and uses code virtualization for stealth.
• Axios Supply Chain Attack via Social Engineering: North Korean actors compromised a maintainer account using fake Teams/Slack interactions, publishing malicious npm packages affecting a widely used HTTP library.
• Claude Code Leak Weaponized with Malware: Attackers are distributing trojanized versions of leaked developer tooling, embedding infostealers into widely shared GitHub repositories.
• Rise of “Espionage Ecosystems”: Advanced persistent threats are evolving into coordinated ecosystems using AI, fileless malware, and behavioral mimicry for long-term stealth persistence in enterprise networks.
• Iran-Linked Cyber Operations Persist Despite Ceasefire: Threat actors continue targeting infrastructure and ICS environments, indicating sustained geopolitical cyber activity independent of kinetic conflict pauses.

Taking a look at the academy

• Quantum computers could crack cybersecurity systems before 2030 (Jacob Smith): Explores recent research indicating that advances in quantum computing may render current public-key cryptographic systems obsolete within this decade, forcing urgent migration toward post-quantum cryptography.
• AI Helped Spark a Quantum Breakthrough Impacting Encryption: Reports on newly published papers showing AI-assisted breakthroughs accelerating quantum capabilities, with direct implications for breaking modern encryption schemes earlier than expected.
• Agentic AI and Cybersecurity Risk Landscape: Examines how frontier AI systems may disproportionately empower attackers over defenders in the near term, reshaping threat models and requiring new defensive paradigms.
• Integrating AI-Blockchain Framework with Spider Monkey Optimization for IoMT Security (M. N. Alatawi et al.): Proposes a hybrid AI-blockchain architecture to secure Internet of Medical Things (IoMT) environments, improving resilience against data breaches and unauthorized access.
• Cybersecurity Governance under the Jordanian National Cyber Security Framework (JNCSF) (multiple authors, MDPI Journal of Cybersecurity and Privacy): Analyzes governance structures and policy effectiveness in national cybersecurity frameworks, highlighting implementation gaps and optimization strategies.
• Future Directions in Cyber Security: Trends, Threats, and Strategic Countermeasures (ResearchGate preprint, March–April 2026 circulation): Identifies emerging threats driven by cloud, AI, and digital transformation, proposing adaptive and layered defense strategies for modern enterprises.
• AI-Driven Cybersecurity: Offensive vs Defensive Advantage (Berkeley/industry collaborative research briefing): Argues that AI lowers barriers to entry for cyber attackers more than defenders, emphasizing the need for automated defense orchestration and policy reform.
• Cybersecurity Implications of Accelerated AI Adoption in Cloud Systems (PDF): Investigates how AI-driven cloud deployments introduce misconfiguration risks, identity vulnerabilities, and expanded attack surfaces requiring new security models.
• Post-Quantum Security Urgency: Cryptographic Transition Challenges: Reviews current academic work on transitioning to quantum-resistant cryptography, highlighting scalability, interoperability, and implementation barriers.

Austin Miller
10 Apr 2026

#239: Learning Lilith

#129: Learning Lilith
A tentative first step of a difficult task

Welcome to another _secpro!

This week, we learn about how to use Lilith, get acquainted with the landscape in the context of the Iranian crisis, and take a look at the intriguing, possibly slightly terrifying world of quantum cybersecurity - don't miss out!

Join us on Substack!

Investigative Matters

Last week, we asked you - the audience - to give us a heads up on which tool you would like to learn about. After much deliberation, we have found out that our readers want to know a little bit more about Lilith.

Of course, this isn't a beginner-friendly tool (for that, you might want to look at Metasploit or other more mainstream, accessible tools); however, it's always good to dip your toes into the water with more difficult tools. Take a look at our "beginner's guide" (but not really for beginners) and see if you can take this valuable and potentially dangerous tool out for a test drive.

Check it out!

News Byte

APT28 Exploiting Routers for DNS Hijacking: Russian state-linked group APT28 is abusing vulnerable routers to perform DNS hijacking, enabling adversary-in-the-middle attacks that steal credentials and authentication tokens at scale.
Iran-Linked Handala Wipes 80,000 Devices via Intune: A single compromised admin credential was used to issue mass remote wipes through Microsoft Intune, demonstrating the destructive potential of identity-centric attacks without malware.
Paste-and-Run Attacks Dominate Initial Access: “ClickFix” social engineering—tricking users into executing clipboard-delivered commands—has become a leading initial access vector, bypassing traditional detection controls.
Mac Infostealers Surge with New Obfuscation Techniques: Atomic Stealer and MacSync Stealer are rising sharply, using AppleScript obfuscation and fake Homebrew prompts to exfiltrate credentials, crypto wallets, and Keychain data.
Vidar Infostealer Returns with Enhanced Evasion: The Vidar malware family has resurfaced with improved anti-analysis techniques and browser injection capabilities following disruption of competing stealers.
SparkCat Malware Expands to Western Targets: A mobile infostealer leveraging OCR to extract crypto seed phrases from screenshots now targets English-speaking users and uses code virtualization for stealth.
Axios Supply Chain Attack via Social Engineering: North Korean actors compromised a maintainer account using fake Teams/Slack interactions, publishing malicious npm packages affecting a widely used HTTP library.
Claude Code Leak Weaponized with Malware: Attackers are distributing trojanized versions of leaked developer tooling, embedding infostealers into widely shared GitHub repositories.
Rise of “Espionage Ecosystems”: Advanced persistent threats are evolving into coordinated ecosystems using AI, fileless malware, and behavioral mimicry for long-term stealth persistence in enterprise networks.
Iran-Linked Cyber Operations Persist Despite Ceasefire: Threat actors continue targeting infrastructure and ICS environments, indicating sustained geopolitical cyber activity independent of kinetic conflict pauses.

Taking a look at the academy

Quantum computers could crack cybersecurity systems before 2030 (Jacob Smith): Explores recent research indicating that advances in quantum computing may render current public-key cryptographic systems obsolete within this decade, forcing urgent migration toward post-quantum cryptography.
AI Helped Spark a Quantum Breakthrough Impacting Encryption: Reports on newly published papers showing AI-assisted breakthroughs accelerating quantum capabilities, with direct implications for breaking modern encryption schemes earlier than expected.
Agentic AI and Cybersecurity Risk Landscape: Examines how frontier AI systems may disproportionately empower attackers over defenders in the near term, reshaping threat models and requiring new defensive paradigms.
Integrating AI-Blockchain Framework with Spider Monkey Optimization for IoMT Security (M. N. Alatawi et al.): Proposes a hybrid AI-blockchain architecture to secure Internet of Medical Things (IoMT) environments, improving resilience against data breaches and unauthorized access.
Cybersecurity Governance under the Jordanian National Cyber Security Framework (JNCSF) (multiple authors, MDPI Journal of Cybersecurity and Privacy): Analyzes governance structures and policy effectiveness in national cybersecurity frameworks, highlighting implementation gaps and optimization strategies.
Future Directions in Cyber Security: Trends, Threats, and Strategic Countermeasures (ResearchGate preprint, March–April 2026 circulation): Identifies emerging threats driven by cloud, AI, and digital transformation, proposing adaptive and layered defense strategies for modern enterprises.
AI-Driven Cybersecurity: Offensive vs Defensive Advantage (Berkeley/industry collaborative research briefing): Argues that AI lowers barriers to entry for cyber attackers more than defenders, emphasizing the need for automated defense orchestration and policy reform.
Cybersecurity Implications of Accelerated AI Adoption in Cloud Systems (PDF): Investigates how AI-driven cloud deployments introduce misconfiguration risks, identity vulnerabilities, and expanded attack surfaces requiring new security models.
Post-Quantum Security Urgency: Cryptographic Transition Challenges: Reviews current academic work on transitioning to quantum-resistant cryptography, highlighting scalability, interoperability, and implementation barriers.

Austin Miller
03 Apr 2026

Don't Miss The Cyber AI Red and Blue Conference!

Don't miss out on this offer!

As AI systems rapidly move into production, one critical question remains: how secure are they, really? The AI Red & Blue Teaming Summit is a hands-on, practitioner-focused virtual event designed to answer exactly that.

Taking place on April 17th and 18th, this two-day summit brings together security professionals, AI engineers, and risk leaders to explore how modern AI systems are attacked and how to defend them effectively.

Secure your discounted spot today!

Newsletter Reader Exclusive

As a newsletter reader, you can access an exclusive 40% discount on your ticket. Of course, this offer won't last forever - you've got just 48 hours to take advantage of this offer that puts you ahead of the game.

Get your 40% off and secure your spot today

This is a limited-time offer, ideal if you're looking to build or strengthen your AI security capabilities with practical, immediately applicable skills. If you're responsible for securing AI systems—or preparing for the risks they introduce—this is one of the most practical events you can attend this year.

The event is structured across two complementary tracks:

Day 1: Red Teaming
Simulate real-world attacks on AI systems, including prompt injection, jailbreaks, and agent-based exploitation. Join John Sotiropoulos, Katie Paxton-Fear, Tim Rains, and Will Thomas to take steps forward in the offensive game.

Day 2: Blue Teaming
Translate those attack insights into defensive strategies by building detection rules, incident response playbooks, and actionable security roadmaps. Join Yuri Diogenes, Mark Simos, Matthew Rosenquist, and David Okeyode to set up proper defenses and keep the adversary out.

Built around frameworks like OWASP’s LLM Top 10 and MITRE ATT&CK, the summit emphasizes hands-on labs, practical exercises, and real-world application, not just theory and not just water cooler talk-pieces.

Speaker Spotlight

Hear directly from leading voices in AI security and adversarial testing:

Yuri Diogenes – A globally recognized cybersecurity expert specializing in AI security, threat modeling, and zero trust architectures.
Katie Paxton-Fear – Security researcher and educator known for making complex offensive security concepts accessible and actionable.
Will Thomas – Practitioner focused on real-world AI system defense and operational security strategies.
John Sotiropoulos – Bringing deep expertise in enterprise security and applied AI risk management.
Matthew Rosenquist – Focused on how AI is reshaping the threat landscape and accelerating both attacker and defender capabilities.

Together, they represent a cross-section of offensive, defensive, and strategic perspectives on securing AI in production environments.

Secure your spot today

Austin Miller
27 Mar 2026

#238: Whose Tools? Which Application?

#238: Whose Tools? Which Application?
Introducing a new feature for the readership

Welcome to another _secpro!

As AI rapidly reshapes the cybersecurity landscape, security professionals are being pushed into unfamiliar territory—where models, data pipelines, and adversarial machine learning become part of the threat surface. This week’s edition is designed to help you navigate that shift.

We’re kicking things off with AI Security 101 (from our sister publication, cyber_ai), a structured series covering everything from the fundamentals of machine learning in security to emerging risks like adversarial attacks, AI-driven offensive techniques, and governance challenges. Whether you're just getting started or looking to operationalize AI securely, this provides a practical foundation.

Beyond that, we’re expanding The Library with curated tools, frameworks, and resources to accelerate your workflow, alongside News Bytes tracking a sharp rise in global cyber activity—from AI-driven threats to geopolitical escalation. Finally, we highlight key perspectives from across the blogosphere, including frameworks for AI risk scoring, chatbot security controls, and insights into the evolving cybersecurity market.

If you’re building, defending, or evaluating AI systems, this edition will give you both the context and the tools to stay ahead.

Check out _secpro premium

If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!

Cheers!
Austin Miller
Editor-in-Chief

Check out our AI Security 101 articles

AI Security is the new frontier that stands before many of us in this industry. It's hardly a surprise that cybersecurity has undergone a substantial change in light

1. What “Cybersecurity AI” Actually Means
2. Machine Learning 101 for Security Professionals
3. Threat Detection with AI: From Rules to Models
4. Adversarial Machine Learning Basics
5. What LLMs Can Do in Cybersecurity
6. Securing AI Models and Pipelines
7. AI-Enhanced Offensive Techniques
8. Privacy and Data Protection in AI Systems
9. AI Governance, Ethics, and Risk Management
10. Building a Security-Aware AI Workflow

The Library

You asked for tools and tutorials, so here are some tools and tutorials.

Each week, we’ll look at a selection of tools concerning AI and cybersecurity. Cast your vote for your favourite tool and we’ll share a quick tutorial on how to get started and how to get the most out of it the next week.

fr0gger/Awesome-GPT-Agents: A curated list of GPT agents for cybersecurity.
awesome-cybersecurity-blueteam: A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.
Anthropic-Cybersecurity-Skills: More than 730 structured cybersecurity skills for AI agents, covering MITRE ATT&CK, agentskills.io open standard, and works with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI & over 20 other platforms.
Lilith: A foundational reverse engineering resource for cybersecurity entrepreneurs in C++.
flowsint: A modern platform for visual, flexible, and extensible graph-based investigations. For cybersecurity analysts and investigators.
Dojo-101: "An offline cybersecurity knowledge base."

Head over to Substack to cast your vote

News Bytes

Iran-Linked Cyber Activity Escalates with Wiper Risk (Unit 42): Analysis shows a surge in destructive cyber operations tied to Middle East conflict, including thousands of phishing URLs, mobile malware delivery via fake alert apps, and increased likelihood of wiper attacks targeting high-value infrastructure.
Intelligence Report Highlights Raton RAT & INC Ransomware (CYFIRMA): Threat intel identifies active malware families leveraging phishing and social engineering for initial access, alongside espionage campaigns by Mustang Panda using DLL sideloading, credential dumping, and USB propagation.
Cyberattacks Spike 245% Following Iran Conflict (Black Arrow Cyber): Technical briefing notes a sharp rise in attacks targeting financial services and e-commerce, with adversaries increasingly using legitimate admin tools and stolen credentials to evade detection and enable large-scale disruption.
Teams Vishing & Cisco Exploitation (Kaseya): Incident roundup details ransomware causing municipal emergency declarations, active exploitation of Cisco firewall vulnerabilities, and a rise in Microsoft Teams vishing campaigns abusing enterprise collaboration platforms.
Email Threat Evasion Techniques (Hornetsecurity Security Lab): Analysis of M365 threats highlights adversaries bypassing detection via fuzzing and evasion, emphasizing email as a primary initial access vector in enterprise environments.
Law Enforcement Takedowns Are Training Cybercriminals (WSJ): Criminal groups are adapting rapidly to past disruptions, improving operational security and malware resilience after observing law enforcement techniques used in takedowns.
AI Expected to Drive Surge in Zero-Day Exploits (ITPro / RSAC Panel): Experts warn that AI could industrialize vulnerability discovery, potentially generating hundreds of zero-days weekly while also enhancing defensive capabilities.
Human Behavior Identified as Primary Security Weakness (TechRadar Pro): Security failures increasingly stem from user behavior, with attackers exploiting MFA fatigue and cognitive biases via social engineering and AI-assisted phishing.
Cyberattack on Polish Energy Sector Signals Escalation (AP News): A destructive attack linked to suspected Russian actors used wiper malware against energy infrastructure, marking a shift beyond financially motivated ransomware toward disruptive operations.

Into the blogosphere...

The Artificial Intelligence Risk Scoring System (AIRSS) – Part 1: Setting the Scope (Walter Haydock): This article introduces a structured methodology for quantifying AI-related cybersecurity risk. Haydock proposes a scoring system to evaluate exposure across data sensitivity, model behavior, and operational context. The piece is widely referenced within the newsletter’s series and generated strong engagement due to its practical framework for security teams adopting AI.
Chatbot Checklist: 5 Ways to Avoid AI-Powered Fails (Walter Haydock): A tactical guide focused on securing AI chatbots against misuse, data leakage, and reputational risk. It outlines five concrete controls—ranging from prompt constraints to monitoring pipelines—making it highly shareable among practitioners implementing LLM systems. Its actionable nature led to strong reader interaction and discussion.
Declaring a Truce on SaaS Security: This piece challenges the adversarial dynamic between vendors and enterprise security teams. Haydock argues for a cooperative model that reduces duplicated controls and improves overall risk posture. The contrarian framing sparked debate in comments and shares among SaaS security professionals.
How Cybersecurity Startups Win (and Why Most Don’t) (Ross Haleliuk): A strategic deep dive into the cybersecurity market, focusing on why many startups fail despite strong technology. It examines go-to-market misalignment, buyer psychology, and product-market fit in security.

Austin Miller
20 Mar 2026

#237: Taking Stock with Flashpoint

Have you heard about Cyber_AI?

In conjunction with _secpro, the Packt cyber_ai newsletter is our sister publication that gives you insights into deep research, cutting-edge developments, and controversial news in that confusing and still largely misunderstood overlap in cybersecurity and artificial intelligence. Every week, we publish a newsletter that helps you get down to the most important details in a sea of AI-generated, security-compromising noise.

Sound good? Join us by following the link below.

Don't miss out!

#237: Taking Stock with Flashpoint
A review for those with no time

Welcome to another _secpro!

The conflict surrounding Iran illustrates how contemporary cyber operations function as an extension of geopolitical competition rather than a separate domain of warfare. State-linked actors, proxy groups, and opportunistic cybercriminals all exploit the disruption and political polarization created by armed conflict to conduct espionage, influence operations, and disruptive attacks.

Techniques such as distributed denial-of-service campaigns, wiper malware, credential-harvesting phishing, and information manipulation are used not only to target military or government networks but also to pressure civilian infrastructure, financial institutions, and private companies that sit within the broader strategic ecosystem.

As the conflict evolves, these tactics demonstrate how cyber capabilities can be rapidly mobilized, scaled through proxy actors, and directed against a wide range of targets—creating a threat landscape in which the effects of war extend well beyond the battlefield and into the digital systems that underpin modern economies and societies.

Check out _secpro premium

If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!

Cheers!
Austin Miller
Editor-in-Chief

Your SOC is a queueing system. It behaves like one, too

Most SOC improvement work focuses on what happens after an investigation starts. Faster playbooks, better context, tighter workflows. All useful.

But for a lot of teams, the bigger problem is what happens before anyone even looks at the alert. Alerts come in. Analysts triage and escalate. When the arrival rate exceeds capacity, queues build and wait time spikes.

"The Queue is the Breach" – written by Jon Hencinski, Head of Security Operations at Prophet Security – walks through the operational math behind this: alert cycle time, wait time across severity levels, analyst utilization, and what those metrics actually reveal about whether your bottleneck is people, process, or the operating model itself.

Get your free eBook today

This week's articles

On Flashpoint's "2026 Global Threat Intelligence Report"

In early 2026, researchers from Group-IB published an analysis of a cyber-espionage campaign known as Operation Olalampo, attributed to the advanced persistent threat group MuddyWater. MuddyWater has long been associated with Iranian state-linked cyber activity and has historically targeted government agencies, telecommunications providers, and critical infrastructure organizations across the Middle East and surrounding regions. The Olalampo campaign demonstrates how state-aligned cyber actors continue to evolve their tactics and infrastructure while relying on proven techniques such as phishing and custom malware frameworks.

Check it out today

News Bytes

US Takes Down Record DDoS Botnets: A coordinated law enforcement operation dismantled multiple Mirai-derived botnets (Aisuru, Kimwolf, etc.) responsible for record-scale DDoS attacks, including a 31.4 Tbps burst; researchers note continued evolution toward decentralized C2 using blockchain-based DNS.
“Darksword” iOS Spyware Campaign: Researchers uncovered large-scale iOS exploitation chains targeting hundreds of millions of devices via Safari vulnerabilities, enabling rapid “hit-and-run” data exfiltration tied to suspected state-linked operators.
SocksEscort Proxy Botnet Takedown: A 15-year-old Linux malware-driven proxy network infecting ~369k IoT/SOHO devices was dismantled; operators monetized access for credential stuffing, fraud, and anonymized attack infrastructure.
Hacked Sites Deliver Vidar Infostealer: Compromised websites are being weaponized to distribute Vidar stealer via fake browser updates and drive-by downloads, emphasizing continued effectiveness of web-based initial access vectors.
AI & Browser Threat Trends in 2026 (Red Canary): Large-scale telemetry (~110k threats) indicates adversaries are both targeting browsers and leveraging AI tooling to improve phishing, malware staging, and post-exploitation automation.
Iran-Linked Cyber Escalation Threat Brief (Unit 42): Threat intelligence indicates increased cyber activity aligned with geopolitical tensions, including targeting of critical infrastructure and enterprise networks with coordinated campaigns.

Into the blogosphere...

Security for High Velocity Engineering (Jason Chan): This article explores how modern engineering organizations can embed security into rapid deployment pipelines without slowing innovation. It emphasizes threat-informed design, automation, and scaling security practices across large codebases, reflecting the shift toward DevSecOps in high-growth tech companies. (tl;dr sec)
Keep Hackers Out of Your Kubernetes Cluster with These 5 Simple Tricks! (Christophe Tafani-Dereeper): A practical, tactical guide focused on Kubernetes hardening, covering attack surfaces such as misconfigured RBAC, container escapes, and network exposure. The article provides actionable controls aligned with real-world attack paths, making it popular among cloud security engineers.
How to Securely Build Product Features Using AI APIs (Rami McCarthy): This piece analyzes security risks when integrating AI APIs (e.g., prompt injection, data leakage) and outlines defensive design patterns. It became especially relevant during the surge of generative AI adoption in 2023–2024.
AI and Machine Learning in Cybersecurity (Clint Gibler): A strategic overview of how AI/ML is used in both offensive and defensive cybersecurity, including malware detection, anomaly detection, and automated threat hunting. It also discusses limitations and future directions.
Gartner, Forrester and Cybersecurity: A Deep Dive (Ross Haleliuk): This article critically examines the role of industry analysts (Gartner, Forrester) in cybersecurity decision-making, including their influence on vendor selection and enterprise strategy. It blends market analysis with practitioner insight, making it popular among security leaders.
Austin Miller
06 Mar 2026

#235: Defending Against Olalampo

You're already thinking about compliance—is digital accessibility on your list?

If you work in or around regulated industries, here's something that may have slipped under your radar: a federal ADA deadline hits in less than two months. On April 24, state and local governments — and the vendors and partners who serve them — must meet WCAG 2.1 AA standards for digital accessibility or face real legal exposure.

Accessibility failures aren't just an HR or marketing problem. They're an organizational risk vector, and the lawsuit surge is real: Digital accessibility litigation jumped 15% nationwide in Q1 2025 alone.

Aspiritech's team of autistic and neurodivergent tech professionals helps organizations audit, test, and remediate digital products against WCAG and Section 508 standards, catching what automated scanners miss.

Read the full breakdown below!

The Top 5 Things Businesses Need to Know About Digital Accessibility Right Now

Want to know where your digital products stand? Book a free strategy session with Aspiritech's accessibility experts.

#235: Defending Against Olalampo
A take on a new threat from an old adversary

Welcome to another _secpro!

The conflict surrounding Iran illustrates how contemporary cyber operations function as an extension of geopolitical competition rather than a separate domain of warfare. State-linked actors, proxy groups, and opportunistic cybercriminals all exploit the disruption and political polarization created by armed conflict to conduct espionage, influence operations, and disruptive attacks.

Techniques such as distributed denial-of-service campaigns, wiper malware, credential-harvesting phishing, and information manipulation are used not only to target military or government networks but also to pressure civilian infrastructure, financial institutions, and private companies that sit within the broader strategic ecosystem.

As the conflict evolves, these tactics demonstrate how cyber capabilities can be rapidly mobilized, scaled through proxy actors, and directed against a wide range of targets—creating a threat landscape in which the effects of war extend well beyond the battlefield and into the digital systems that underpin modern economies and societies.

Check out _secpro premium

If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!

Cheers!
Austin Miller
Editor-in-Chief

It’s increasingly difficult to see through the hype of AI in cybersecurity in a sea of shiny vendor demos that fail to deliver in production.

We recently aired a discussion between Gourav Nagar (Head of Information Security and IT at Upwind) and Jon Hencinski (Head of Security Operations at Prophet Security, ex-Expel) that provides a practitioner's perspective on building comprehensive AI-driven cybersecurity programs.

Key topics they discussed include:
• Getting organizational buy-in (where leadership and practitioners are aligned)
• Improving alert detection, triage, and investigations
• Maturing your cybersecurity program (alert management is no longer a constraint)

Watch On-Demand!

This week's articles

Operation Olalampo: Indicators of Compromise, Mitigation Strategies, and Implications for the 2026 Threat Landscape

In early 2026, researchers from Group-IB published an analysis of a cyber-espionage campaign known as Operation Olalampo, attributed to the advanced persistent threat group MuddyWater. MuddyWater has long been associated with Iranian state-linked cyber activity and has historically targeted government agencies, telecommunications providers, and critical infrastructure organizations across the Middle East and surrounding regions. The Olalampo campaign demonstrates how state-aligned cyber actors continue to evolve their tactics and infrastructure while relying on proven techniques such as phishing and custom malware frameworks.

5 Key Learnings concerning the Iranian Crisis

Five quick and easy takes to get your brain juices flowing in a time of political turmoil. How do we expect we will be forced to respond as cybersecurity professionals? What will be the possible long term effects? Click on the link to get involved.

Check it out today

If you'd like to find out about our series on social engineering, start here: the adversary moves in the age of AI, then make sure to check out the articles link in this introduction: here, here, here, here, and here.

News Bytes

OAuth Redirection Abuse Enables Phishing and Malware Delivery (Microsoft Security Blog): Microsoft researchers documented campaigns abusing OAuth redirection mechanisms to deliver phishing pages and malware payloads. Attackers manipulate legitimate OAuth flows used by cloud services to redirect victims to malicious infrastructure, enabling credential harvesting and malware deployment while bypassing many security controls.
Threat Brief: Escalation of Iranian Cyber Activity (Unit 42): Researchers from Palo Alto Networks’ Unit 42 warn that geopolitical tensions are driving increased cyber operations linked to Iranian actors. Campaigns include vishing attacks impersonating government officials and credential harvesting aimed at organizations in the Middle East and allied countries.
SentinelOne Intelligence Brief: Iranian Cyber Activity Outlook (SentinelOne): SentinelOne analysts outline likely cyber responses from Iranian threat actors amid regional conflict, including disruptive attacks, espionage, and hacktivist operations conducted by proxy groups. The report emphasizes potential targeting of Western infrastructure and organizations tied to geopolitical developments.
What Defenders Need to Know About Iran’s Cyber Capabilities (Check Point Research): Check Point’s research team published an analysis of Iranian cyber capabilities, highlighting the country’s use of APT groups, influence operations, and destructive malware campaigns. The report provides a technical overview of known tools, operational patterns, and likely future tactics.
Cloudflare Threat Report: “Industrialization” of Cybercrime (Cloudflare): Cloudflare’s latest threat report describes how generative AI and automation are enabling cybercriminals to scale attacks dramatically. Researchers note AI-assisted reconnaissance, deepfake identity fraud, and massive DDoS attacks reaching record bandwidth levels.
State-Backed Hackers Weaponizing Enterprise Ecosystems (Cloudflare): A Cloudflare analysis finds that nation-state actors increasingly conduct “living-off-the-land” attacks using legitimate enterprise services such as cloud platforms and SaaS applications for command-and-control. The report also documents deepfake-enabled insider infiltration campaigns attributed to North Korean operators.
NCSC Warning on Increased Cyber Risk Amid Middle East Conflict (UK National Cyber Security Centre): The UK’s NCSC issued guidance advising organizations to strengthen cyber defenses due to heightened geopolitical tensions. The advisory warns that hacktivists and state-aligned actors may increase disruptive operations such as DDoS attacks and website defacements.
Russian-Aligned Hacktivists Continue Large-Scale DDoS Campaigns (ITPro): Security reporting indicates that groups like NoName057(16) are sustaining distributed denial-of-service campaigns against organizations in NATO countries. These attacks use volunteer-driven botnet tools and coordinated messaging platforms to overwhelm targeted services.
Sophos Advisory: Heightened Cyber Risk from Regional Escalation (Sophos X-Ops): Sophos researchers warn that geopolitical escalation involving Iran could trigger retaliatory cyber activity from affiliated threat groups. The advisory encourages organizations to adopt heightened monitoring and “Shields Up” defensive postures to mitigate potential intrusion and disruption attempts.

Into the blogosphere...

Run Cyber Like a Portfolio or Get Treated Like a Cost Center (Geoff Hancock): This article argues that cybersecurity programs should be managed like investment portfolios rather than tool collections. Instead of continually buying new security products, organizations should allocate cyber budgets strategically—balancing risk reduction, measurable outcomes, and alignment with business objectives. The author emphasizes governance, performance metrics, and executive-level financial justification for cyber investments.
CTO at NCSC Summary: Week Ending March 1st (Ollie Whitehouse): This weekly cybersecurity intelligence digest summarizes recent threat activity and defensive guidance. A key focus is a government advisory warning about exploitation of Cisco Catalyst SD-WAN infrastructure, encouraging organizations to investigate possible compromises and apply urgent patches. The article aggregates major security alerts, research findings, and operational lessons for defenders.
The Copilot Email Bug Is the Kraken (Gerry Kennedy): This article analyzes a security flaw in Microsoft Copilot, where the AI reportedly summarized emails that were labeled confidential. Kennedy argues that the issue highlights deeper risks when generative AI tools are embedded in enterprise communication systems. The piece frames the bug as a warning that AI assistants could inadvertently expose sensitive legal or corporate information if governance and security controls are weak.
Security Check-In: Quick Hits – Gaming Tool Malware, LexisNexis Data Breach, and Crypto Threats (Rod Trent): This rapid-analysis security roundup covers several emerging cyber incidents, including malware distributed through gaming utilities and ongoing data-breach concerns. The article warns that compromised tools and websites could lead to ransomware infections or data theft. It also advises users to rely on verified software sources and highlights the continuing trend of attackers targeting consumer platforms and developer ecosystems.
The Choices We Make (Michael Corn): Michael Corn reflects on leadership decisions in cybersecurity programs, using personal experience to illustrate how early choices in security assessments, risk prioritization, and organizational culture influence long-term resilience. The article emphasizes strategic thinking and accountability in security leadership, arguing that delayed or avoided decisions can create systemic security gaps.

Austin Miller
27 Feb 2026

#234: What is Olalampo?

A take on a new threat from an old adversary

It’s increasingly difficult to see through the hype of AI in cybersecurity in a sea of shiny vendor demos that fail to deliver in production.

We recently aired a discussion between Gourav Nagar (Head of Information Security and IT at Upwind) and Jon Hencinski (Head of Security Operations at Prophet Security, ex-Expel) that provides a practitioner's perspective on building comprehensive AI-driven cybersecurity programs.

Key topics they discussed include:
• Getting organizational buy-in (where leadership and practitioners are aligned)
• Improving alert detection, triage, and investigations
• Maturing your cybersecurity program (alert management is no longer a constraint)

Looking for some of the AI SOC best practices discussed?

1. Cover all the alerts you care about: You can feed in informational, low, and medium alerts so even these signals can be investigated while they’re early indicators, not after they’ve been aged into incidents.
2. Require deterministic consistency: Your Tier 1 analyst at 3:20am may not function like your Tier 2 at 12:00pm, but your AI SOC platform should absolutely enforce the same level of deterministic consistency and rigor in its reasoning and conclusions.
3. Unshackle your detection engineers: Stop suppressing rules because your team can’t handle the volume.
4. Keep humans in the loop for remediation: There is a distinction to be made between autonomous investigation and autonomous remediation, and the latter requires trust to be built amongst the practitioners on your team.
5. Verify the AI with a parallel run: It’s critical you run the AI alongside your SOC for a couple of weeks (or more) to build trust in its accuracy in your environment and team’s workflow.

Welcome to another _secpro!

Cybersecurity in 2026 is being shaped by a convergence of accelerating attack speeds, expanding digital ecosystems, and increasingly autonomous adversary capabilities. Recent threat intelligence points to a shift from manually orchestrated intrusions toward highly adaptive operations, including the emergence of agentic AI systems capable of planning and executing multi-stage attacks with minimal human oversight. These developments are enabling adversaries to scale campaigns and adjust tactics in real time, while AI-assisted reconnaissance and credential abuse continue to compress intrusion timelines. In some environments, attackers are now moving laterally within minutes of initial access, leaving little margin for delayed detection or response.

At the same time, threat actors are increasingly exploiting trusted access paths and identity-based weaknesses rather than relying solely on traditional malware. Credential compromise, third-party exposure, and cross-domain movement remain dominant techniques, reflecting the growing dependence of organizations on interconnected services and supply chains. Ransomware groups continue to prioritize sectors where operational disruption increases the likelihood of payment, while intelligence-driven campaigns such as recent MuddyWater activity demonstrate sustained investment in targeted espionage operations.

Despite the growing sophistication of adversaries, many successful intrusions still exploit familiar weaknesses, including poor credential hygiene and unpatched systems. The current threat landscape underscores a clear reality: as attack capabilities evolve, resilience depends not only on advanced defenses but also on disciplined execution of fundamental security controls.

Check out _secpro premium

If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!

Cheers!
Austin Miller
Editor-in-Chief

The MCP Maturity Model was created by Stacklok, who have built an MCP platform and are working with enterprises to put MCP into production. Their Applied AI Engineers work hands-on with leaders to curate trusted registries, deploy advanced security measures and light up AI agents. You can learn more about the company at stacklok.com, or just drop them an email at enterprise@stacklok.com to start a conversation.

This week's article

Operation Olalampo

Operation Olalampo is a cyber-espionage campaign attributed to the Iranian state-aligned Advanced Persistent Threat (APT) group MuddyWater. Identified by Group-IB threat intelligence researchers, the campaign represents a continuation of MuddyWater’s long-standing strategy of targeting organizations across geopolitically significant regions, particularly the Middle East and North Africa (MENA). First observed on 26 January 2026, Operation Olalampo demonstrates the group’s increasing technical sophistication and operational maturity, particularly through the deployment of custom malware families, the use of novel command-and-control (C2) channels, and evidence of artificial intelligence-assisted development practices.

If you'd like to find out about our series on social engineering, start here: the adversary moves in the age of AI, then make sure to check out the articles link in this introduction: here, here, here, here, and here.

News Bytes

Agentic AI: The 2026 Threat Multiplier Reshaping Cyberattacks (Barracuda): Barracuda researchers describe the emergence of agentic AI systems capable of autonomously planning and executing multi-stage cyberattacks. Unlike generative AI tools, these systems can coordinate actions, adapt to defenses, and persist without human oversight, significantly increasing attack speed and scalability.

CrowdStrike 2026 Global Threat Report Findings (Adam Meyers): CrowdStrike reported adversaries increasingly using trusted access paths and cross-domain movement to evade detection. AI-assisted intrusion techniques and malware-free attacks are becoming more common, with rapid lateral movement remaining a key threat.

GRIT 2026 Ransomware & Cyber Threat Report Industry Insights (GuidePoint Research): Analysis shows ransomware operators continue targeting sectors where operational disruption increases the likelihood of payment. Credential-based access and third-party compromise remain dominant initial access vectors.

Cyber Threat Landscape 2026 Update (Panorays Research): Recent analysis highlights increased reliance on third-party ecosystems and supply chains as attack surfaces. Organizations face growing risk from identity compromise and external partner exposure.

CrowdStrike Warns Attackers Move in Under 30 Minutes (TechRadar): CrowdStrike data shows attackers now move laterally in networks in an average of 29 minutes, with some compromises occurring in under a minute. AI-enabled reconnaissance and credential abuse are accelerating intrusion timelines.

IBM X-Force Threat Intelligence Index 2026 (IBM): IBM’s latest threat index reports increasing use of AI-assisted attacks alongside persistent exploitation of basic security weaknesses such as unpatched systems and poor credential management.

Operation Olalampo – MuddyWater Campaign (Group-IB): Researchers documented a new MuddyWater campaign using updated malware variants and Telegram-based command infrastructure. The operation targeted regional organizations with espionage-focused tooling.

Into the blogosphere...

Cybersecurity Predictions for 2026 (Frankly Speaking): This article outlines major cybersecurity predictions for 2026, including shrinking security budgets, consolidation of tools, and the increasing impact of AI automation. The author argues that specialized “tool babysitters” will decline as AI simplifies security operations and organizations move toward generalist security practitioners. The post also highlights how AI spending may divert resources away from traditional cybersecurity investments.

SACR Cybersecurity 2026 Outlook (SACR team): This industry-focused outlook reviews major cybersecurity developments and forecasts trends across security platforms, identity security, SecOps, mergers and acquisitions, and AI-driven defense technologies. The article analyzes how enterprise security architectures are evolving and where investment and innovation are concentrating in 2026.

Cybersecurity Trends for 2026 (Trust in Digital Life): This expert-panel article compiles practitioner predictions for cybersecurity in 2026, covering topics such as AI-driven attacks, evolving threat actors, regulatory pressures, and new enterprise security challenges. It emphasizes the increasing complexity of defending digital infrastructure as organizations expand cloud and AI deployments.

The 6 Security Shifts AI Teams Can’t Ignore in 2026 (Gradient Flow): This article examines how AI-native companies must rethink security strategies. It highlights the move from traditional static security models to systems designed for autonomous AI agents interacting directly with enterprise environments. Key issues include identity security, data integrity, governance risks, and expanded attack surfaces.

Austin Miller
20 Feb 2026

#233: Who's Who?

A look at this year's infamous players

More than 50% of enterprises are experimenting or building with the Model Context Protocol (MCP). They use MCP to connect their AI agents to data and systems behind their corporate firewall, providing agents with the context they need to deliver real value: better code, richer responses, deeper insights, etc. The technical leaders who help their companies deploy MCP in production will create huge competitive advantages.

So, how do you get out in front of MCP? Start with this MCP Maturity Model.

With this model in hand, you will know where you are today and how to take the next step. The model includes a simple process and technology indicators for every stage and best of all, there are no forms - it’s yours to freely access and share.

The MCP Maturity Model was created by Stacklok, who have built an MCP platform and are working with enterprises to put MCP into production. Their Applied AI Engineers work hands-on with leaders to curate trusted registries, deploy advanced security measures and light up AI agents. You can learn more about the company at stacklok.com, or just drop them an email at enterprise@stacklok.com to start a conversation.

Thinking about who we've seen and when we'll see them again

Welcome to another _secpro!

If the last week has felt unusually loud in cybersecurity, you’re not imagining it. The threat landscape rarely sits still, but the volume and velocity of activity over the past several days have been particularly notable — from fresh zero-day disclosures to the continued industrialization of ransomware operations.

Several incidents reinforced a now-familiar pattern: adversaries are moving faster between initial access and lateral movement, compressing dwell time and forcing defenders to detect and respond in near real time. We’ve seen renewed exploitation of edge devices and VPN infrastructure, alongside opportunistic abuse of newly published proof-of-concept code. Patch latency remains a decisive risk factor.

Ransomware groups, meanwhile, continue to evolve their business models. Double-extortion is table stakes; data theft without encryption is resurging as affiliates look to reduce operational friction while maintaining leverage. Law enforcement pressure has fragmented some major crews, but the ecosystem remains resilient — smaller operators are filling the gaps quickly.

Another theme this week: the expanding role of AI in offensive tradecraft. Security teams are tracking more convincing phishing pretexts, better-localized lures, and automated reconnaissance workflows. While not revolutionary on their own, these incremental gains are compounding attacker efficiency.

On the defensive side, there’s cautious optimism. Organizations accelerating identity hardening, network segmentation, and telemetry aggregation are seeing measurable gains in detection fidelity.

In this issue, we break down the most consequential events, extract the technical lessons that matter, and outline practical mitigation steps you can operationalize immediately. Let’s get into it.

Check out _secpro premium

If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!

Cheers!
Austin Miller
Editor-in-Chief

The Problem with One-Size-Fits-All Mobile App Security and How to Fix It

Is your team struggling to balance security requirements with user experience? Join us on February 24 at 4 PM CET / 10 AM ET for a webinar discussing how leading financial services teams are shifting to data-driven, risk-based mobile security for more precise responses.

This week's article

The 2026 Rogue's Gallery

In 2025, cybersecurity experts continued to track an evolving landscape of financially motivated and geopolitically aligned threat groups whose operations grew in scale, coordination, and technical sophistication. Among the most prevalent were Cl0p, known for large-scale data-extortion campaigns exploiting zero-day vulnerabilities in managed file transfer platforms, and Qilin, a ransomware-as-a-service operation that refined double-extortion and partner affiliate models.

If you'd like to find out about our series on social engineering, start here: the adversary moves in the age of AI, then make sure to check out the articles link in this introduction: here, here, here, here, and here.

News Bytes

Google Warns of Hackers Leveraging Gemini AI for All Stages of Cyberattacks (Google Threat Intelligence Group): State-backed and criminal actors are operationalizing Gemini for recon, payload development, phishing lure generation, and automation across intrusion lifecycles.

Palo Alto Soft-Pedals China Attribution in Global Espionage Campaign (Reuters – Christopher Bing et al.): Unit 42 reporting tied activity to a China-aligned cluster but public attribution was reportedly toned down due to geopolitical and business risk considerations.

GTIG Analysis Exposes Growing Cyber Threats to Military Infrastructure (Google Threat Intelligence Group): Defense industrial base entities face escalating intrusion attempts, with targeting focused on logistics, contractors, and operational support systems.

CrashFix Campaign Deploys ModeloRAT via Browser Extension Abuse (Cyware Threat Intelligence): ClickFix evolution uses malicious ad-blocker extensions to crash browsers, coercing victims into executing commands that deploy a remote-access trojan.

React2Shell Exploitation Surges Following Public Tooling Release (Cyware Research): CVE-2025-55182 exploitation exceeded 1.4 million attempts in a week, enabling unauthenticated RCE and deployment of reverse shells and XMRig miners.

GlassWorm Supply-Chain Malware Targets OpenVSX Extensions (Cyware / Threat Briefing): Attackers hijacked developer accounts to push trojanized updates using invisible Unicode obfuscation and persistent macOS backdoors.

OpenClaw AI “Skill” Ecosystem Weaponized for Credential Theft (Cyware / Jamieson O’Reilly research): Over 230 malicious skills delivered infostealers via fake tooling, harvesting API keys, wallets, and browser credentials.

BYOVD Intrusion Uses Revoked EnCase Driver to Kill EDR (Acumen Cyber / Huntress-linked research): Attackers leveraged a signed but revoked kernel driver for privilege escalation and direct termination of endpoint security controls.

European Commission MDM Platform Breach Disclosure (Acumen Cyber Threat Digest): Unauthorized access to centralized mobile device management infrastructure exposed staff contact metadata but not enrolled devices.

Into the blogosphere...

Security for AI-Native Companies: The 6 Shifts You Can’t Ignore (Gradient Flow): This article examines structural security changes required for organizations building AI-first products. It argues that perimeter security is obsolete and must be replaced with identity-centric controls governing humans and AI agents alike. The piece highlights risks such as model impersonation, agent privilege escalation, and dataset poisoning, emphasizing Zero Trust architectures adapted for autonomous systems.

LLMs + Coding Agents = Security Nightmare (Gary Marcus): Marcus explores how large language models integrated into coding agents introduce systemic vulnerabilities. He outlines risks including insecure code generation, exploit scaffolding, and accelerated malware development. The article frames LLMs as amplifiers of existing AppSec failures—particularly when deployed without human review or secure SDLC guardrails.

How Hackers Turned Claude Code Into a Semi-Autonomous Cyber Weapon (Ben Dickson): This piece analyzes adversarial misuse of AI coding systems. It documents how attackers decomposed malicious objectives into benign prompts, bypassing safety filters. The article details attack chaining, guardrail evasion, and autonomous exploit iteration—illustrating how generative AI can operationalize cyberattacks at machine speed.

Capital, Competition, and the Business of Cybersecurity (Ross Haleliuk): This article analyzes macro-economic and venture dynamics shaping the cybersecurity sector. It explores consolidation pressures, platformization of security tooling, and the funding gap between early-stage innovators and incumbents. The post is frequently cited in operator and VC circles for its market intelligence and strategic forecasting.

This week's academia

Federated Learning-Driven Cybersecurity Framework for IoT Networks with Privacy-Preserving and Real-Time Threat Detection Capabilities (Milad Rahmati): This paper proposes a decentralized cybersecurity architecture tailored to IoT ecosystems using federated learning. Instead of aggregating sensitive telemetry in a central repository, models are trained locally on edge devices and securely aggregated using homomorphic encryption. The framework leverages recurrent neural networks to detect anomalies such as DDoS attacks while preserving data privacy. Reported detection accuracy exceeds 98%, with improved energy efficiency relative to centralized approaches. The study addresses scalability, privacy preservation, and real-time detection—three persistent bottlenecks in IoT security.

Adaptive Cybersecurity: Dynamically Retrainable Firewalls for Real-Time Network Protection (Sina Ahmadi): This research introduces machine-learning firewalls capable of continual retraining in production environments. Unlike static rule-based systems, these firewalls adapt to emergent threat signatures using reinforcement and continual learning pipelines. The architecture supports distributed micro-services deployments, integrates with Zero Trust models, and optimizes latency and throughput. The work frames adaptive perimeter defense as essential given polymorphic malware and AI-assisted intrusion techniques.

Adversarial Defense in Cybersecurity: A Systematic Review of GANs for Threat Detection and Mitigation (Tharcisse Ndayipfukamiye; Jianguo Ding; Doreen Sebastian Sarwatt; Adamu Gaston Philipo; Huansheng Ning): This systematic review analyzes 185 peer-reviewed studies on the dual use of Generative Adversarial Networks in cyber offense and defense. It proposes a four-dimensional taxonomy covering GAN architectures, defensive roles, threat models, and cybersecurity domains. Findings show GANs improve intrusion detection, malware classification, and synthetic threat simulation but suffer from training instability, explainability deficits, and computational overhead. The paper outlines a research roadmap emphasizing hybrid GAN models and defenses against LLM-driven cyberattacks.

Algorithmic Segmentation and Behavioral Profiling for Ransomware Detection Using Temporal-Correlation Graphs (Ignatius Rollere; Caspian Hartsfield; Seraphina Courtenay; Lucian Fenwick; Aurelia Grunwald): This article presents a graph-analytics framework for ransomware detection based on temporal-correlation modeling of system behaviors. By mapping encryption activity, process lineage, and anomaly timing, the system distinguishes malicious from benign operations in real time. Experimental evaluations show superior precision and recall compared to signature-based and heuristic tools, particularly against polymorphic ransomware strains. The architecture is designed for enterprise scalability and modular SOC integration.

Generative AI Revolution in Cybersecurity: A Comprehensive Review of Threat Intelligence and Operations (Mueen Uddin; Muhammad Saad Irshad; Irfan Ali Kandhro; et al.): This review examines how generative AI is transforming cyber threat intelligence, SOC automation, and attack simulation. It surveys applications including automated phishing detection, malware generation analysis, vulnerability discovery, and incident response orchestration. The authors also evaluate risk externalities—such as AI-enabled social engineering and autonomous attack tooling—positioning generative models as both defensive accelerants and threat multipliers.

Keeping Up with the KEMs: Stronger Security Notions for KEMs and Automated Analysis of KEM-based Protocols (Cas Cremers; Alexander Dax; Niklas Medinger): Focused on post-quantum cryptography, this award-winning paper advances formal security models for Key Encapsulation Mechanisms (KEMs), a foundational primitive in hybrid and quantum-resistant encryption schemes. The authors introduce stronger security definitions and automated symbolic analysis techniques to validate KEM-based protocols. The work is highly relevant as governments and critical infrastructure sectors prepare for quantum decryption threats.
Austin Miller
06 Feb 2026

#232:

Webinar: How to Build Faster with AI Agents

Learn how full‑stack developers boost productivity by 50% with AI agents that automate layout, styling, and component generation through RAG and LLM pipelines. See how orchestration and spec‑driven workflows keep you in control of quality and consistency.

#232: Peering at the Rogue's Gallery...

Thinking about who we've seen and when we'll see them again

Welcome to another _secpro!

Over the past week, the cybersecurity and artificial intelligence landscapes have continued their rapid convergence, with developments underscoring both the transformative potential of AI and the expanding threat surface it creates. Organisations across sectors are accelerating AI deployment to enhance threat detection, automate incident response, and reduce analyst workload. At the same time, adversaries are operationalising many of the same capabilities, leveraging generative models to scale phishing campaigns, craft more convincing social engineering pretexts, and accelerate malware development cycles.

Regulatory and governance pressures are also intensifying. Policymakers are signalling stricter expectations around AI transparency, model security, and data provenance, particularly where systems intersect with critical infrastructure or sensitive personal data. This is driving renewed focus on secure model pipelines, third-party risk management, and auditability of training datasets. Boards and CISOs alike are being pushed to treat AI risk not as an experimental concern but as an enterprise security priority.

Notably, the past week has highlighted the growing importance of supply chain resilience in AI ecosystems. From model repositories to open-source frameworks, dependencies are becoming prime targets for compromise, reinforcing the need for code integrity verification and continuous monitoring.

Taken together, the signal is clear: AI is no longer an emerging variable in cybersecurity strategy; it is now a central pillar on both sides of the threat equation. The organisations best positioned to navigate this shift will be those that integrate AI governance, security engineering, and workforce readiness into a unified operating model—balancing innovation with control as the pace of change continues to accelerate.

Check out _secpro premium

If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!

Cheers!
Austin Miller
Editor-in-Chief

This week's article

The 2026 Rogue's Gallery

In 2025, cybersecurity experts continued to track an evolving landscape of financially motivated and geopolitically aligned threat groups whose operations grew in scale, coordination, and technical sophistication. Among the most prevalent were Cl0p, known for large-scale data-extortion campaigns exploiting zero-day vulnerabilities in managed file transfer platforms, and Qilin, a ransomware-as-a-service operation that refined double-extortion and partner affiliate models.

If you'd like to find out about our series on social engineering, start here: the adversary moves in the age of AI, then make sure to check out the articles link in this introduction: here, here, here, here, and here.

News Bytes

APT28 Uses Microsoft Office CVE-2026-21509 in Espionage Campaigns: Russia-linked APT28 exploited a newly disclosed Microsoft Office vulnerability to deliver espionage malware via weaponized documents, enabling code execution and persistent access on victim systems.

CISA: VMware ESXi Flaw Now Exploited in Ransomware Attacks: Ransomware operators began exploiting a high-severity ESXi sandbox-escape vulnerability for hypervisor-level compromise, enabling lateral movement and mass virtual machine encryption.

New “Fancy” QR Codes Are Making Quishing More Dangerous: Threat actors are leveraging visually stylized QR codes to evade user suspicion and deliver phishing payloads, increasing mobile credential-harvesting success rates.

Hugging Face Abused to Distribute Financial Malware: An Android campaign used dropper apps and Hugging Face repositories to host thousands of credential-stealing APK variants targeting financial services users.

KONNI Targets Blockchain Developers with AI-Generated PowerShell Backdoor: North Korean operators used Discord lures delivering LNK-triggered, AI-assisted PowerShell malware with persistence, UAC bypass, and C2 beaconing.

SectorD Spear-Phishing Campaign Deploys RustyWater Implant: A Middle East–focused operation delivered a Rust-based implant via weaponized Word docs, featuring anti-debugging, encrypted C2 comms, and registry persistence.

VoidLink Linux Malware Framework Targets Cloud Environments: A modular cloud-focused framework written in Zig/Go/C enables reconnaissance, credential harvesting, rootkit deployment, and Kubernetes/Docker-aware exploitation.

Fake NexShield Ad-Blocker Extension Drops ModeloRAT: Malicious browser extensions delivered via malvertising executed PowerShell downloaders, leading to RAT deployment and enterprise network compromise.

Into the blogosphere...

TCP #116: Starlink v. Iran, Agents Attack … (Darwin Salazar, Head of Growth at Monad): A weekly digest of the hottest security news covering global high-profile events such as satellite internet warfare, AI attack probes, malware leaks, and major cybersecurity M&A activity. This issue highlights geopolitical cyber interplay (Starlink vs Iran), high-volume AI infrastructure scanning by adversaries, leaked cybercrime data, and high-value acquisitions by CrowdStrike — offering broad industry impact context and emerging threat developments.

Resilient Cyber Newsletter #62: Netskope IPO, AI-Driven Attacks, Black Hat Takeaways (Chris Hughes): This weekly issue covers major industry signals including Netskope’s S-1 filing pointing toward an IPO, enterprise earnings calls, AI-driven attack activity and tooling trends, and critical insights from Black Hat. Highlights include identity threat detection playbooks and discussion around detection blind spots and proactive posture improvements.

Cyber Markets Brief #42: Google Unified Security, Forrester & Gartner on Exposure Management (Dane Disimino, i.e., Cyber PMM): A deep market-focused cyber brief highlighting Google’s unified security push, Forrester’s proactive security framing, and Gartner’s new classification of exposure management platforms. Includes vendor shifts (Deepwatch, identity security), open AI tool updates (GPT 5.1), and job/gig alerts relevant to the cybersecurity product ecosystem.

This week's academia

Red Teaming with Artificial Intelligence-Driven Cyberattacks: A Scoping Review (Mays Al-Azzawi; Dung Doan; Tuomo Sipola; Jari Hautamäki; Tero Kokkonen): This scoping review analyzes how artificial intelligence is being operationalized in offensive cybersecurity contexts, particularly red teaming. Screening 470 records, the authors identify AI-enabled attack vectors including automated penetration, data exfiltration, credential harvesting, and social engineering. The paper highlights how AI accelerates reconnaissance and exploitation phases while lowering attacker skill thresholds. It also frames AI-driven red teaming as a defensive necessity for simulating next-generation threats.

Securing the AI Frontier: Urgent Ethical and Regulatory Imperatives for AI-Driven Cybersecurity (Vikram Kulothungan): This article examines governance and regulatory tensions emerging from AI integration into cybersecurity systems. It surveys global regulatory frameworks (including EU risk-based models), then analyzes ethical risks such as algorithmic bias, privacy erosion, transparency deficits, and accountability gaps. The author argues for harmonized international policy and increased public AI literacy to ensure responsible deployment of AI-enabled cyber defense technologies.

Adversarial Defense in Cybersecurity: A Systematic Review of GANs for Threat Detection and Mitigation (Tharcisse Ndayipfukamiye; Jianguo Ding; Doreen Sebastian Sarwatt; Adamu Gaston Philipo; Huansheng Ning): This systematic review synthesizes 185 peer-reviewed studies on Generative Adversarial Networks (GANs) in cybersecurity. It proposes a taxonomy covering defensive functions, architectures, domains, and threat models. Findings show GANs improving intrusion detection, malware classification, and IoT security resilience. However, issues such as training instability, benchmarking gaps, computational cost, and explainability remain barriers to operational deployment.

Zero Trust Cybersecurity: Procedures and Considerations in Context (Brady D. Lund; Tae Hee Lee; Ziang Wang; Ting Wang; Nishith Reddy Mannuru): This paper evaluates Zero Trust Architecture (ZTA) as a response to increasingly sophisticated, AI-augmented threat landscapes. It details implementation principles such as continuous authentication, least-privilege access, and breach-assumption design. Case analysis focuses on high-information-exchange environments (e.g., libraries, educational institutions), illustrating how ZTA mitigates lateral movement and insider risk.

Advancing Cybersecurity Through Machine Learning: A Scientometric Analysis of Global Research Trends and Influential Contributions (Kamran Razzaq; Mahmood Shah): Using scientometric and bibliometric techniques, this study maps global research output at the intersection of machine learning and cybersecurity. It identifies publication growth, leading institutions, collaboration networks, and dominant subfields (e.g., intrusion detection, malware analytics). The authors highlight ML’s accelerating role in predictive defense and automated threat intelligence while noting concentration of influence among a small cluster of research hubs.

Integrating Artificial Intelligence into the Cybersecurity Curriculum in Higher Education: A Systematic Literature Review (Jing Tian): This systematic literature review examines how universities are embedding AI into cybersecurity education. It evaluates curriculum models, competency frameworks, lab environments, and interdisciplinary integration.
The paper concludes that AI literacy is becoming foundational for cyber workforce readiness, recommending expanded hands-on training in automated defense, adversarial ML, and AI risk governance.

Brought to you in cooperation with Telerik.

Austin Miller
16 Jan 2026

#229: Speak to Me, Oh Oracle!

The New Year Issue for a Year of New Issues

The Hidden Dangers of Mobile App Proliferation

Mobile apps have quietly become critical infrastructure for global commerce but security practices haven’t kept up.

This webinar exposes why traditional assumptions no longer hold, and what modern mobile defenses really require from device intelligence to RASP, attestation, and anti-tampering controls.

Join us on January 20th for a deep dive into the risks shaping the next era of mobile security.

Welcome to another _secpro!

Check out _secpro premium

If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!

Cheers!
Austin Miller
Editor-in-Chief

Visibility Builds Trust. Exposure Creates Risk.

Today’s executives are expected to be visible—on LinkedIn, in the press, at conferences, and across digital channels. That visibility fuels brand trust, investor confidence, and talent attraction. But it also creates a dangerous imbalance: as executive exposure increases, digital threats accelerate even faster.

This is the Visibility Paradox.

Most executive risk doesn’t start with sophisticated hacks. It starts with unmanaged digital exposure—home addresses, family details, travel patterns, and credentials scattered across the open and dark web. These gaps turn influence into liability.

Our latest thought leadership article introduces a modern framework for Safe Visibility, built on five critical pillars:
  • Public data elimination
  • Continuous monitoring and rapid removal
  • Secure communication protocols
  • Organization-wide security alignment
  • Integrated physical security

Each pillar matters. Miss one, and the entire protection strategy weakens. The ultimate metric? High executive visibility with zero digital or physical incidents.

VanishID is the category leader in executive digital-risk protection, delivering end-to-end coverage—from PII removal and dark web monitoring to real-time exposure dashboards and fully managed operations with zero lift for security teams.

This week's article

Clip, Clop!

Clop is a well-known cybercrime group that has operated since at least 2019. The group, sometimes spelled “Cl0p”, is characterised by highly organised ransomware and extortion operations that target large organisations globally.

Clop does not rely solely on traditional encryption of victim systems. Instead, it often focuses on data theft and extortion.

If you'd like to find out about our series on social engineering, start here: the adversary moves in the age of AI, then make sure to check out the articles linked in this introduction: here, here, here, here, and here.

News Bytes

Chinese-linked hackers target US entities with Venezuelan-themed malware: Researchers uncovered a cyberespionage campaign by “Mustang Panda” using Venezuela-themed phishing ZIPs to deliver malware designed for long-term data theft and persistence. Artifacts left behind helped analysts attribute the activity, though impact on targets remains unclear.

Oracle Hack Still Generating Ransom Demands: The Clop ransomware group’s mid-2025 breach of Oracle E-Business Suite continues to ripple out, with ransom extortion ongoing and sensitive data held at risk. Attackers used a zero-day to gain unauthenticated access, affecting hundreds of firms.

New Ransomware Variant Emerges Using Blockchain: DeadLock ransomware abuses Polygon smart contracts to distribute proxy info, sidestepping traditional discovery and allowing multiple variant generation. It deploys via remote tools, deletes backups, and marks files “.dlock”.

Investigating React2Shell Fake POC: A malicious “fake proof-of-concept CVE scanner” script is circulating, designed to target researchers by masquerading as legitimate vulnerability tools. Early analysis highlights poor obfuscation but warns of sandbox/AV-evasion triggers and delayed execution tactics.

‘VoidLink’ Malware Poses Advanced Threat to Linux Systems: Researchers revealed a modular, cloud-focused Linux malware framework with loaders, implants, rootkits, and plugin modules designed for stealthy persistent access in cloud/container environments.

Linux Malware “VoidLink” Analysis: Security researchers described VoidLink’s cloud-native capabilities, credential harvesting, and awareness of cloud platforms (AWS, Azure, GCP, containerization), emphasizing its potential future risk.

Into the blogosphere...

TCP #116: Starlink v. Iran, Agents Attack … (Darwin Salazar, Head of Growth at Monad): A weekly digest of the hottest security news covering global high-profile events such as satellite internet warfare, AI attack probes, malware leaks, and major cybersecurity M&A activity. This issue highlights geopolitical cyber interplay (Starlink vs Iran), high-volume AI infrastructure scanning by adversaries, leaked cybercrime data, and high-value acquisitions by CrowdStrike — offering broad industry impact context and emerging threat developments.

Resilient Cyber Newsletter #62: Netskope IPO, AI-Driven Attacks, Black Hat Takeaways (Chris Hughes): This weekly issue covers major industry signals including Netskope’s S-1 filing pointing toward an IPO, enterprise earnings calls, AI-driven attack activity and tooling trends, and critical insights from Black Hat. Highlights include identity threat detection playbooks and discussion around detection blind spots and proactive posture improvements.

Cyber Markets Brief #42: Google Unified Security, Forrester & Gartner on Exposure Management (Dane Disimino, i.e., Cyber PMM): A deep market-focused cyber brief highlighting Google’s unified security push, Forrester’s proactive security framing, and Gartner’s new classification of exposure management platforms. Includes vendor shifts (Deepwatch, identity security), open AI tool updates (GPT 5.1), and job/gig alerts relevant to the cybersecurity product ecosystem.

This week's academia

Inside Ransomware Groups: An Analysis of Their Origins, Structures, and Dynamics (Andrew Phipps & Jason R. C. Nurse from Computers & Security): This peer-reviewed study systematically analyses the criminal organisations behind major ransomware operations (e.g., Conti, LockBit, BlackCat/ALPHV). Using over 500 source materials — including leaked communications and industry reports — the authors develop a conceptual framework for understanding how ransomware groups are formed, organised, and sustain operations. It also discusses ransomware-as-a-service (RaaS), branding dynamics, and mitigation strategies based on group structures.

A Computational Model for Ransomware Detection Using Cross-Domain Entropy Signatures (Michael Mannon, Evan Statham, Quentin Featherstone, Sebastian Arkwright, Clive Fenwick, Gareth Willoughby): This article introduces an entropy-based detection model aimed at distinguishing ransomware behaviour from benign processes across multiple domains (file system, memory, and network). The mathematical framework quantifies entropy deviations over time, offering a way to detect malicious encryption activity even when signature-based methods fail. Their experimental results show promising accuracy and low false positives, suggesting this could enhance real-time defensive systems.

Unveiling Zero-Space Detection: A Novel Framework for Autonomous Ransomware Identification (Lafedi Svet, Arthur Brightwell, Augustus Wildflower, Cecily Marshwood): This research proposes Zero-Space Detection, an unsupervised multi-phase framework integrating clustering and ensemble learning to detect ransomware in high-velocity environments. It is specifically designed to overcome limitations of traditional signature and heuristic approaches, demonstrating high detection efficacy across diverse ransomware families (e.g., LockBit, Conti, REvil) while preserving real-time performance.

Federated Cyber Defense: Privacy-Preserving Ransomware Detection Across Distributed Systems (Daniel M. Jimenez-Gutierrez, Enrique Zuazua, Joaquin Del Rio, Oleksii Sliusarenko, Xabi Uribe-Etxebarria): Addressing the need for cross-organizational ransomware detection without compromising privacy, this paper applies federated learning to train collaborative models on distributed systems. The approach met or exceeded centralized training performance using the RanSAP dataset. It shows how networked defenders can share intelligence to improve malware detection while keeping sensitive data local — a key consideration for enterprise and regulatory environments.

Inside LockBit: Technical, Behavioral, and Financial Anatomy of a Ransomware Empire (Felipe Castaño, Constantinos Patsakis, Francesco Zola, Fran Casino): A detailed empirical reconstruction of the LockBit ransomware franchise, this study combines leaked management panel data, negotiation chat logs, and blockchain analysis to map technical artefacts, attacker behaviour, and ransom payment flows.
It situates LockBit’s evolution within MITRE ATT&CK tactics and reveals systemic financial patterns relevant to tracking and disrupting ransomware economies.

SAFARI: A Scalable Air-Gapped Framework for Automated Ransomware Investigation (Tommaso Compagnucci, Franco Callegati, Saverio Giallorenzo, Andrea Melis, Simone Melloni, Alessandro Vannini): SAFARI is an open-source air-gapped analysis framework that enables safe, reproducible investigation of ransomware samples. It uses automation, virtualization, and infrastructure-as-code to characterise malware behaviour across environments without risk of infection or propagation. Case studies analysing strains like WannaCry and LockBit illustrate its use in profiling encryption strategies and countermeasure effectiveness.