
What to Look for in an Exposure Management Platform (And What Most of Them Get Wrong)
The article dissects exposure‑management platforms, outlining four architectural approaches—stitched portfolios, data aggregators, single‑domain specialists, and fully integrated solutions. It argues that only integrated platforms can correlate diverse exposure types, validate exploitability, and map realistic attack paths across on‑prem, cloud, and hybrid environments. Five evaluation questions—coverage depth, attack‑path mapping, exploitability validation, control awareness, and prioritization methodology—help security leaders differentiate true risk‑reduction tools from mere reporting solutions. Ultimately, an integrated platform enables teams to answer whether their organization is genuinely safer after a remediation cycle.

North Korean Hackers Are Duping Freelance Developers with Fake Interviews to Steal Cryptocurrency and Deliver Malware — Sophos Warns the...
North Korean state‑backed group Nickel Alley is luring freelance developers through fake job interviews on platforms like Upwork, Fiverr and LinkedIn. The scheme convinces victims to download malicious npm packages or clone compromised GitHub repositories, installing the PyLangGhost RAT that...

Checkmarx Confirms Data Stolen in Supply Chain Attack
Checkmarx confirmed that a supply‑chain attack on its open‑source KICS project resulted in the theft of source code, employee data, API keys and a 96 GB archive. The breach originated from the Trivy supply‑chain compromise on March 23, 2026, which allowed the...

Your Phone Notifications Reveal More Than You Realize. Here’s How to Lock Them Down
The FBI recently extracted incoming Signal messages from an iPhone by exploiting the iOS notification database, even after the Signal app and its encrypted chats were deleted. Apple’s iOS 26.4.2 update now automatically purges expired notification logs, closing the specific loophole...

Iranian Cyber Group Handala Targets US Troops in Bahrain
Iran‑linked cyber group Handala escalated its campaign by targeting U.S. service members stationed in Bahrain, sending WhatsApp messages that threatened drone and missile strikes. The group also published personal data of 2,379 Marine Corps personnel and claimed responsibility for the...

Attack Path Visibility Concerns Outstrip AI Among Security Leaders
A recent study of cyber‑security leaders reveals that ransomware threats and the need for clear attack‑path visibility outrank the adoption of artificial‑intelligence solutions. Executives overseeing more than $100 billion in annual IT spend prioritize tools that map lateral movement and expose...

CISA Orders Feds to Patch Windows Flaw Exploited as Zero-Day
CISA has added Windows vulnerability CVE‑2026‑32202 to its Known Exploited Vulnerabilities catalog and issued Binding Operational Directive 22‑01, requiring federal agencies to patch by May 12. The zero‑click NTLM hash‑leak flaw stems from an incomplete fix for CVE‑2026‑21510 and enables pass‑the‑hash attacks...

A Quarter of Healthcare Organizations Report Medical Device Cyber-Attacks
RunSafe Security’s 2026 Medical Device Cybersecurity Index found that 24% of healthcare organizations experienced cyber‑attacks on medical devices in the past year. In 80% of those incidents, the impact on patients was moderate or significant, ranging from delayed imaging to...

GitHub Rushed to Fix a Critical Vulnerability in Less than Six Hours
GitHub patched a critical remote code execution vulnerability in less than six hours after Wiz Research used AI to discover the flaw in its internal git infrastructure. The security team reproduced the bug within 40 minutes, deployed a fix to...

Somebody’s Watching Me: The Crackdown on Stalkerware
The podcast episode spotlights Eva Galperin’s fight against stalkerware, a hidden class of spyware used to monitor victims’ phones. After uncovering a colleague’s decades‑long abuse in 2018, Galperin founded the Coalition Against Stalkerware to coordinate researchers, advocates, and legal action....

Aviatrix Intros Platform For Agentic AI Security The ‘Containment Era’
Aviatrix has introduced AgentGuard, a platform designed to contain compromised AI agents rather than merely detect and remediate them. The solution discovers agents across VMs, Kubernetes clusters, and serverless functions, mapping their connections and enforcing zero‑trust communication governance. By limiting...

Your AI Agent Is Ready to Go. Is Your Infrastructure?
TransUnion has spent $145 million building the OneTru platform, a hybrid architecture that couples traditional expert systems with generative AI, and has already generated $200 million in cost savings. The platform powers the AI Analytics Orchestrator Agent, leveraging Google Gemini to let...

38 Vulnerabilities Found in OpenEMR Medical Software
A security audit by Aisle uncovered 38 vulnerabilities in OpenEMR, the open‑source electronic medical records platform used by more than 100,000 healthcare providers worldwide. The flaws include two critical SQL‑injection bugs (CVE‑2026‑24908 and CVE‑2026‑23627) and an authorization‑bypass issue (CVE‑2026‑24487) that...

Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately
cPanel has issued emergency security updates to fix a critical authentication bypass vulnerability (CVE‑2026‑41940) that scores 9.8 on the CVSS scale. The flaw affects all supported cPanel and WHM versions and can allow unauthenticated attackers to gain full administrative control...

Chrome 147, Firefox 150 Security Updates Rolling Out
Google and Mozilla released critical security updates for Chrome 147 and Firefox 150, addressing a total of 34 memory‑safety flaws. Chrome 147 includes 30 fixes, four of which are critical use‑after‑free bugs, while Firefox 150.0.1 patches four high‑severity vulnerabilities. Google...

AWS Leans on Prior Ingenuity to Face Future AI and Quantum Threats
AWS marks its 20‑year anniversary while confronting AI‑driven attacks and the looming quantum‑computing risk. The Nitro hardware platform gives AWS a “zero‑human” infrastructure, enabling isolated bare‑metal instances and protecting encryption keys. Early adoption of symmetric encryption means most data at...

Top AI-Powered Vendor Risk Management Platforms for SaaS Companies in 2026
Vendor risk breaches now account for roughly 30% of incidents, prompting regulators like Europe’s DORA and the SEC to tighten third‑party oversight. AI‑powered TPRM platforms promise continuous, machine‑speed visibility, turning multi‑page SOC 2 reports into concise insights and auto‑generating tickets in...

Microchip Launches PQC-Ready Root of Trust Controllers for Secure Platforms
Microchip Technology unveiled the TS1800 root‑of‑trust controller and the TS50x secure‑boot family, both engineered to run post‑quantum cryptography (PQC) algorithms. The TS1800 provides external root‑of‑trust functions with hardware acceleration for NIST‑standard PQC schemes such as ML‑DSA, LMS and ML‑KEM, while...

Met Police Federation Decries ‘Outrageous’ Palantir AI System
The Metropolitan Police Federation is threatening legal action over the force’s new Palantir AI system, which it says breaches officers’ privacy and GDPR rules. The pilot, launched last week, has already led to two arrests and two suspensions while hundreds...

CERT-In Warns of AI-Driven Cyber Threat Surge, MSMEs at Highest Risk
India’s cyber‑security agency CERT‑In warned that frontier AI is reshaping cyber threats, making attacks faster, more scalable and accessible to low‑skill actors. The advisory highlights that AI can scan code, spot zero‑day vulnerabilities and launch coordinated multi‑stage attacks in seconds....

Malaysian Indians Least Likely to Be Scammed as They Ask Too Many Questions: Police
Malaysians suffered an estimated 2.7 billion ringgit (about US $684 million) loss to online scams in 2024, a 76% jump from the prior year. The Penang Commercial Crime Department reported that only 7% of the 5,090 scam cases in the state involved Indian...

ClickUp Discloses Feature Flag Misconfiguration That Exposed 893 Customer Email Addresses and a Live API Token
ClickUp disclosed that a misconfigured feature‑flag setup exposed 893 customer email addresses and a live API token. The emails were embedded in Split.io flag targeting rules and became publicly queryable through the client‑side SDK key, which is intentionally exposed in...

Privacy Watchdog Clears Jollibee’s Christmas Ads
The National Privacy Commission (NPC) cleared Jollibee Foods Corp. and Rakuten Viber of violating the Philippines’ Data Privacy Act after a probe into the 2025 Holiday Gems Christmas campaign. The investigation found the stickers were delivered via on‑device keyword matching, with...

Router (Home Network): OWE Authentication Question
A home‑network user in NYC noticed their router reporting OWE (Opportunistic Wireless Encryption) instead of the expected WPA2. The moderator explained that when a router is set to WPA3/WPA2 mode it operates in an OWE transition mode, causing compatible devices...

BlueAPACHE Partners with NinjaOne to Strengthen Services Delivery
blueAPACHE announced a strategic partnership with NinjaOne, embedding the latter’s unified IT operations platform into its managed‑services framework. The integration will enable remote monitoring, automated patching, secure access and proactive remediation across client environments. blueAPACHE will first run NinjaOne‑enabled services...

Smart Firms Treat Vendor Risk Like Their Own
Artificial intelligence is accelerating the discovery of third‑party software flaws, turning vendor risk into a frontline concern for enterprises. Microsoft’s April 14, 2026 patch cycle addressed 167 Windows vulnerabilities, illustrating how quickly weaknesses can surface. Mid‑market firms, heavily reliant on cloud and...

New Report From the MPA’s Content Security Initiative Links Control Failures to Content Security Incidents Across the Entertainment Industry
The Motion Picture Association’s Trusted Partner Network released the TPN STAR Report, the first industry‑wide study linking security‑assessment data to real‑world content‑security incidents. The report finds that while most studios have basic policies, inconsistent execution of technical controls—especially MFA, vulnerability management,...

Why Backing Up Your Microsoft 365 Data Is Only Half the Job
Microsoft 365 has transformed from a suite of web apps into the enterprise’s central control plane, intertwining identity, collaboration, security, and workflow. While Microsoft secures the underlying platform, customers now shoulder configuration, access delegation, and governance responsibilities. A breach at a...

Building Cyber Resilience Through Zero Trust in the Public Sector
Public sector agencies are prime cyber‑crime targets, prompting governments to replace perimeter defenses with identity‑led Zero Trust models. In Australia, Zero Trust is codified in the 2025 Protective Security Policy Framework and reinforced by state strategies such as NSW’s 2026‑2028...

U.S. Ends Investigation Into Claims WhatsApp Chats Aren’t Private
The U.S. Commerce Department abruptly ended a 10‑month investigation into allegations that Meta Platforms can access and store unencrypted WhatsApp messages. The probe, led by an export‑control agent who claimed Meta viewed all content, was shut down at senior agency...

CyberHeed Pushes Beyond Checkbox Compliance with SmartPrep
CyberHeed, a Melbourne startup, is expanding its SmartPrep platform to serve as a foundational "compliance brain" for organizations at any maturity level. The tool reuses up to 60% of work across different GRC frameworks, shifting focus from certificate‑driven compliance to...

Federal Drawdown of Election Support ‘Destroyed’ Ongoing Relationships, Experts Say
Federal efforts under President Trump to scale back the Cybersecurity and Infrastructure Security Agency (CISA) have stripped election‑security staff, halted disinformation teams and eliminated the agency’s election program in the FY 2027 budget proposal. State officials in Michigan and Georgia testified...

Always-On Defence Becomes Critical as AI Accelerates Cyber Threats: Infotrust
Cybersecurity leaders warn that AI‑driven automation is accelerating attack speed, forcing organisations to shift from periodic checks to an always‑on defence model. Infotrust CEO Simon McKay notes attackers now have access to the same AI tools used by defenders, enabling larger‑scale...

Exclusive: OpenAI, Anthropic Meet with House Homeland Security Behind Closed Doors on Cyber Threats
OpenAI and Anthropic briefed the House Homeland Security Committee staff in classified sessions about their new cyber‑capable AI models—OpenAI’s tiered‑release GPT‑5.4‑Cyber and Anthropic’s Mythos Preview, which remains unreleased due to exploit risks. Both firms are granting federal agencies direct access...

Broken VECT 2.0 Ransomware Acts as a Data Wiper for Large Files
Researchers have identified a critical flaw in the VECT 2.0 ransomware that causes it to act as a data wiper for files larger than 128 KB. The ransomware, promoted on BreachForums and linked to the TeamPCP threat group, targets victims of recent...

ClickUp Data Leak Exposes Enterprise Emails for Over a Year
The tech roundup highlights a surge in AI‑driven productivity tools, with OpenAI’s Dreaming V3 doubling storage for Plus users, Google DeepMind’s Gemma 4 12B running offline on 16 GB devices, and Microsoft’s Scout assistant embedded across Teams, Outlook, and Windows. Hardware collaborations...

Shift to SSI Could Preserve Security of India’s Digital Ecosystem at Scale
The Data Security Council of India and the Digi Yatra Foundation released a joint paper urging a shift to self‑sovereign identity (SSI) for India’s digital ecosystem. It argues that centralized identity systems like Aadhaar are straining under scale, privacy expectations,...

Hackers Are Exploiting a Critical LiteLLM Pre-Auth SQLi Flaw
Researchers have identified a critical pre‑authentication SQL injection flaw (CVE‑2026‑42208) in the open‑source LiteLLM gateway, which routes LLM API calls. The vulnerability lets attackers send a crafted Authorization header to read or modify the proxy’s database, exposing stored API keys,...

Treasury Missed Security Controls in Giving DOGE System Access, GAO Finds
The Government Accountability Office (GAO) released a report revealing that the Treasury Department granted a Department of Government Efficiency (DOGE) associate access to its three payment systems without adhering to required security controls. The associate, identified by GAO as matching...

The Founder of Scholly Sold His Scholarship App to Sallie Mae. He Says They Fired Him for Asking Why They...
Sallie Mae bought scholarship‑matching app Scholly in 2023, gaining access to its five million users. Founder Christopher Gray has filed a Delaware lawsuit and an SEC whistleblower complaint, alleging he was fired after warning the acquirer about selling users' personal...

Google and Mastercard Contribute Agentic Commerce Standards to FIDO Alliance
The FIDO Alliance announced two new technical working groups to create open standards for AI‑agent authentication and commerce. Google donated its Agent Payments Protocol (AP2) and Mastercard contributed its Verifiable Intent framework to the Payments Working Group. The Agentic Authentication...

NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later
Former NSA Deputy Director Chris Inglis reflects on the 2013 Snowden disclosures, emphasizing that investigations found no illegal abuse of authority but that the fallout still damaged public trust. He argues Snowden bypassed internal reporting channels, highlighting systemic contractor‑management flaws...

One Year After CVE-2025-31324: Lessons for ERP Security Leaders
One year after SAP disclosed CVE-2025-31324, the flaw continues to be exploited long after the vendor released a patch. Onapsis reports the vulnerability ranked among the three most frequently abused weaknesses of 2025, alongside Oracle E‑Business Suite and Microsoft SharePoint....

Federal CIO Cautious on Anthropic’s Mythos Despite Planned Rollout
Federal CIO Greg Barbaccia said the government will proceed with a measured rollout of Anthropic’s Mythos AI model, noting its promise for bolstering cyber defenses while emphasizing lingering uncertainties about real‑world performance. He has only seen lab‑based evaluations and no...

Elsight’s Halo, Its BLOS (Beyond Line-of-Sight) Connectivity Platform, Is Now Certified on the U.S. DCMA Blue UAS List, Enabling Faster...
Elsight's Halo beyond‑line‑of‑sight (BLOS) connectivity platform has been certified on the U.S. Defense Contract Management Agency (DCMA) Blue UAS List, confirming it meets the department’s rigorous supply‑chain and cybersecurity standards. The certification lets U.S. military units procure Halo directly through...

US Bill Would Require Warrants for Digital Surveillance, Biometric Searches
The House introduced the Surveillance Accountability Act (H.R. 8470), a bipartisan bill that would require a warrant for virtually all government searches of digital and biometric data, including facial recognition, license‑plate readers, cloud storage, and data‑broker records. The legislation amends...

Vidar Rises to Top of Chaotic Infostealer Market
Credential‑stealing malware Vidar has surged to become the most used infostealer on the Russian Market, overtaking Lumma and Rhadamanthys after law‑enforcement takedowns in 2025. Intrinsec’s report attributes the rise to a major upgrade and expanded distribution network, including phishing, fake...

Cyber Insurance Data Gives CISOs New Ammo for Budget Talks
Resilience’s new cyber‑insurance analysis translates technical threats into monetary loss, giving CISOs a data‑driven script for board budget discussions. The study of manufacturing claims from March 2021‑February 2026 shows ransomware responsible for 90% of incurred loss while representing only 12% of claims....

ClickUp Data Leak Exposes Enterprise Emails for Over a Year
A hardcoded API key embedded in ClickUp’s public website allowed anyone to retrieve 959 corporate and government email addresses and 3,165 internal feature flags without authentication. The flaw, first reported in early 2025, remained active through April 2026, exposing sensitive...

Paragon Is Not Collaborating with Italian Authorities Probing Spyware Attacks, Report Says
Paragon Solutions, the Israeli‑American maker of Graphite spyware, has failed to answer a formal information request from Italian prosecutors investigating a 2024 hacking campaign that targeted journalists and activists. The company previously promised to assist the probe but instead cancelled...