The emergence of large language models (LLMs) has transformed software development. What began as code completion and documentation assistance has evolved into a new development paradigm often described as vibe coding: a workflow in which developers express intent in natural language and allow AI systems to generate, modify, test, and sometimes deploy software on their behalf.

In cybersecurity, vibe coding presents both opportunities and risks. Security professionals increasingly use AI-assisted development to automate repetitive engineering tasks, generate proof-of-concept tooling, create detection rules, build integrations, and accelerate vulnerability research. At the same time, AI-generated code can introduce vulnerabilities, propagate insecure patterns, and create new attack surfaces if not properly governed.

Three scanners. Three verdicts. One CVE. JupiterOne UVM unifies every scanner, dedupes by asset, and tells you who owns it.

See what to fix first

For cybersecurity practitioners, the question is therefore not whether AI-assisted development will become part of the workflow. It already has. The more important question is which open source tools can support secure and transparent vibe coding practices while maintaining the visibility and control required in security-sensitive environments.

Understanding Vibe Coding in a Security Context

The term “vibe coding” typically refers to software development where developers describe desired outcomes rather than manually implementing every component. Instead of writing hundreds of lines of code, a practitioner might prompt an AI agent: “Create a Python utility that parses Suricata logs, extracts suspicious IP addresses, enriches them with threat intelligence data, and exports the results to Elasticsearch.”

The AI generates the implementation, while the human reviews and validates the output. In cybersecurity, this model is particularly attractive because practitioners often work across multiple programming languages and infrastructure platforms. Security engineers may need to switch between Python, PowerShell, Go, JavaScript, YAML, Terraform, Sigma, KQL, and Splunk SPL within a single project.

AI-assisted development reduces the cognitive overhead associated with these transitions. However, cybersecurity environments impose stricter requirements than general software development. Generated code must be evaluated for:

• Secure coding practices

• Supply-chain risks

• Data leakage

• Prompt injection vulnerabilities

• Privilege escalation opportunities

• Regulatory compliance

Research continues to highlight these concerns. Studies examining developer perceptions of AI coding assistants identify recurring concerns regarding insecure code generation, data leakage, licensing issues, and adversarial attacks such as prompt injection.

Similarly, NIST’s guidance on generative AI development emphasises that AI-enabled software workflows must be integrated into established secure software development practices rather than treated as independent systems. Consequently, open source tooling becomes especially attractive because organisations can inspect, audit, modify, and self-host these systems.

Sometimes, you’ve just got to build stuff. So why not join William Collins and John Capobianco for their upcoming talk on Engineering Agentic Network Operations? As a one of our lovely subscribers, you can also get a tasty discount as a thank you for your continued support - so make sure to make the most of the offer!

Don't miss out!

Why Open Source Matters for Cybersecurity Teams

Many popular AI coding environments are proprietary. While these tools may offer excellent developer experiences, they often introduce concerns regarding source code exposure, model transparency, and governance.

Cybersecurity organisations frequently operate under constraints that include:

• Sensitive intellectual property

• Regulated environments

• Classified infrastructure

• Customer confidentiality requirements

• Internal security review processes

Open source AI tooling provides several advantages.

First, the codebase itself can be audited. Security teams can review how prompts are handled, how data is transmitted, and how permissions are enforced. Second, self-hosting becomes possible. Rather than transmitting source code to third-party services, organisations can operate AI systems within their own environments. Third, open source ecosystems typically integrate more naturally with existing security controls such as identity management, logging pipelines, container security platforms, and software composition analysis tools.

As a result, many cybersecurity teams are prioritising open architectures for AI-assisted development.

OpenHands: The Leading Open Source Coding Agent

Among current open source projects, one of the most significant developments is OpenHands.

OpenHands is an autonomous software engineering platform that allows AI agents to write code, execute commands, browse documentation, interact with repositories, and perform multi-step development tasks. Unlike traditional autocomplete systems, OpenHands functions as an agent capable of planning and executing complex workflows.

For cybersecurity professionals, this capability is particularly valuable. Consider the process of creating a new detection engineering pipeline. Rather than manually implementing every component, an analyst could instruct OpenHands to:

• Build a log ingestion framework

• Create Sigma rules

• Generate test datasets

• Implement validation scripts

• Produce documentation

The agent can execute commands within controlled environments and iterate on failures until objectives are achieved. The academic literature surrounding OpenHands is notable because it emphasises several features directly relevant to security operations:

• Sandboxed execution environments

• Tool integration

• Multi-agent coordination

• Benchmark-driven evaluation

• Extensibility for custom workflows

These characteristics make OpenHands one of the strongest foundations currently available for cybersecurity-focused vibe coding.

Continue.dev and AI-Enhanced IDE Workflows

While autonomous agents are valuable, many security practitioners prefer a more controlled development experience. This is where the open source project Continue.dev has gained traction. Continue operates inside familiar development environments such as VS Code and JetBrains IDEs while allowing developers to connect local or hosted LLMs.

Rather than delegating entire projects to an autonomous agent, Continue functions as a collaborative assistant. Users can:

• Generate code

• Refactor existing implementations

• Explain unfamiliar codebases

• Create tests

• Review security-sensitive functions

This model aligns well with security engineering because it keeps humans directly involved in implementation decisions. For example, a detection engineer developing a SIEM integration can request code suggestions while retaining complete control over repository modifications.

Continue also integrates effectively with locally hosted models, reducing concerns around source code exposure. For organisations operating under strict governance requirements, this hybrid approach often represents a practical first step toward AI-assisted development.

Aider and Terminal-Centric Security Development

Many cybersecurity professionals spend substantial portions of their day in terminals rather than graphical IDEs. For these users, Aider has emerged as one of the most effective open source tools.

Aider operates directly from the command line and allows developers to use AI models to modify existing repositories. Unlike traditional chat interfaces, Aider understands repository structure and applies changes directly to tracked files. Several characteristics make Aider particularly useful in cybersecurity environments:

• First, it integrates naturally with Git workflows.

• Second, it preserves visibility into every modification.

• Third, it supports iterative review processes that align with secure development methodologies.

A penetration tester, for example, might use Aider to extend an internal reconnaissance tool, generate additional protocol parsers, or automate repetitive data processing tasks.

Because all changes remain visible through conventional version-control workflows, security review processes remain intact. This transparency is critical when generated code may eventually interact with production systems.

Open Interpreter and Security Automation

Another important open source project is Open Interpreter. Open Interpreter enables natural-language interaction with local computing environments. Instead of merely generating code, it can execute commands and perform actions on behalf of the user.

For cybersecurity teams, this capability enables rapid automation. An analyst might issue instructions such as:

• Parse all firewall logs from the previous week.

• Extract unique source addresses.

• Perform threat intelligence enrichment.

• Generate a CSV report.

The system can coordinate these activities without requiring the user to manually construct every script. This capability moves vibe coding beyond software development and into operational security workflows.

However, because Open Interpreter interacts directly with system resources, organisations must carefully implement permission boundaries, sandboxing mechanisms, and audit logging.

Local Model Infrastructure with Ollama

Open source vibe coding becomes significantly more attractive when paired with locally hosted models. Among available solutions, Ollama has become one of the most widely adopted.

Ollama provides a straightforward mechanism for running large language models on local hardware. Rather than sending code to external providers, organisations can deploy models internally and connect them to other tools.

This architecture provides several cybersecurity advantages:

• Sensitive repositories remain within organisational boundaries.

• Prompt data remains under local control.

• Audit and monitoring requirements become easier to satisfy.

For highly regulated sectors such as defence, healthcare, and financial services, local model deployment often represents the most realistic path toward enterprise adoption of vibe coding practices.

Agent Frameworks for Security Engineering

As organisations mature their AI development capabilities, individual coding assistants often evolve into agent ecosystems. Several open source frameworks support this transition. Notable examples include:

• AutoGen

• LangGraph

• CrewAI

These frameworks enable developers to create specialised agents with distinct responsibilities. Within a cybersecurity context, organisations may create:

• Vulnerability analysis agents

• Secure code review agents

• Threat intelligence agents

• Compliance validation agents

• Infrastructure hardening agents

Rather than relying on a single monolithic assistant, teams can orchestrate multiple agents performing specialised functions. This approach aligns closely with modern security operations, where workflows already involve numerous specialised tools and analysts.

Security Risks Associated with Vibe Coding

The benefits of AI-assisted development should not obscure the risks. Research consistently demonstrates that AI-generated code may contain vulnerabilities. Recent studies have found that a substantial proportion of generated code includes security weaknesses, even when produced by advanced models.

More concerningly, researchers have identified vulnerabilities affecting AI-enabled development environments themselves. Investigations into AI-assisted IDEs uncovered numerous security issues, including prompt injection pathways, data leakage opportunities, and remote code execution scenarios. These findings suggest that AI development environments must be evaluated as part of an organization’s attack surface.

For cybersecurity practitioners, this means AI-generated code cannot bypass established review processes. Generated code should be subjected to:

• Static application security testing

• Dynamic analysis

• Dependency scanning

• Manual review

• Threat modeling

Vibe coding accelerates implementation, but it does not eliminate the need for security engineering.

Integrating Open Source Vibe Coding into Secure Development Lifecycles

The most effective cybersecurity teams are treating AI-assisted development as an enhancement to existing secure development practices rather than a replacement. A mature workflow typically follows several stages:

• An AI assistant generates initial implementations.

• Developers review architectural decisions.

• Automated security scanning evaluates the output.

• Peer review validates security assumptions.

• Continuous integration pipelines enforce policy requirements.

• Deployment proceeds only after conventional validation processes are completed.

This approach aligns closely with NIST guidance regarding secure software development for AI-enabled systems.

In practice, organisations that successfully adopt vibe coding rarely eliminate human oversight. Instead, they are shifting human effort away from repetitive implementation tasks and toward validation, architecture, and risk management.

Ready to start?

Vibe coding is becoming a significant component of modern cybersecurity engineering. The ability to express intent in natural language and rapidly generate software creates substantial productivity gains for security analysts, detection engineers, penetration testers, and DevSecOps teams.

Among open source options, OpenHands currently represents the most capable autonomous coding platform, while Continue.dev and Aider provide strong human-in-the-loop alternatives. Open Interpreter expands AI assistance into operational automation, and Ollama enables local deployment strategies that satisfy stringent security requirements. Agent frameworks such as AutoGen, LangGraph, and CrewAI further extend these capabilities into complex security workflows.

The key challenge is not whether these tools can generate code. They clearly can. The challenge is ensuring that the generated code meets the standards expected in security-critical environments. Organisations that combine open source AI tooling with established secure development practices, rigorous code review, automated security testing, and strong governance controls will be best positioned to benefit from vibe coding while minimising its associated risks.

References and Further Reading

• NIST. Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile (2024)

• Wang et al. OpenHands: An Open Platform for AI Software Developers as Generalist Agents (2024)

• Wang et al. The OpenHands Software Agent SDK (2025)

• Alwageed & Khan. The Role of Generative AI in Strengthening Secure Software Coding Practices (2025)

• Díaz Ferreyra et al. Security Concerns in Generative AI Coding Assistants (2026)

  ---

This issue was brought to you by JupiterOne.

Get CYBER_AI

OAuth governance was built for fixed-purpose SaaS apps. AI agents break that model.
When a user authorizes AI to Google Workspace, the grant event is indistinguishable from any other OAuth connection: same log format, same risk signals. But the behavior isn’t the same. A traditional app acts within predictable scope. An AI agent’s behavior is decided at inference time, driven by prompts your security team never sees.

Your SSPM sees the grant. It doesn’t see what happens after.

Material‘s OAuth Remediation Agent monitors real-time activity post-grant, classifies risk by observed API behavior, and auto-revokes tokens the moment something deviates, without blocking legitimate AI adoption.

See how it works

Artificial intelligence has transformed software development at a remarkable pace. Tasks that once required experienced developers, months of planning, and significant financial investment can now be completed by individuals with little or no formal programming background. By describing a desired outcome in natural language, users can generate websites, databases, internal tools, and customer-facing applications in a matter of hours.

This phenomenon, often referred to as “vibe coding”, has lowered the barriers to software creation more dramatically than any previous technological shift. Entrepreneurs can test ideas without hiring development teams. Internal business units can build their own solutions rather than waiting for IT departments. Hobbyists can experiment with concepts that would previously have remained little more than sketches on paper.

Yet while AI has made software development more accessible, it has not eliminated the challenges that accompany software deployment. Security remains one of the most significant of those challenges. During the recent “Hack Before You Launch” workshop, cybersecurity researcher Dr. Katie Paxton-Fear explored the growing disconnect between building applications and securing them, demonstrating how AI-generated software can quickly accumulate vulnerabilities despite appearing fully functional. Readers interested in the workshop itself can view the original event description and learning objectives here: Hack Before You Launch event page

The workshop’s central message was not that AI-generated code is inherently dangerous. Rather, it was that functionality and security are fundamentally different objectives: an application can successfully perform every task it was designed to accomplish while still exposing sensitive data, permitting unauthorised access, or creating opportunities for attackers. These categories of weakness align closely with the industry-standard OWASP Top 10 Web Application Security Risks, which remains one of the most widely used frameworks for evaluating application security.

Hear from Anthropic CISO, Jason Clinton, on why AI changed cybersecurity forever

Register for Forward, June 9-11, for a once-in-a-lifetime conversation with Anthropic CISO, Jason Clinton, about why cyber resilience isn’t just a best practice anymore. It’s survival.

Plus, hear from AWS, Microsoft, CrowdStrike, Cognizant, Alaska Airlines, The Home Depot, Piper Sandler, and dozens more. Then John Cena takes the mainstage with his personal blueprint for overcoming the impossible.

100+ speakers. 50+ sessions. Zero reasons to miss.

Save your virtual seat

This distinction is particularly important because AI development tools are often evaluated on their ability to produce visible results. Users judge success by whether a feature works, whether a page loads correctly, or whether a workflow behaves as expected. Attackers evaluate software differently. They are interested not in intended behaviour but in unintended behaviour. Their goal is to discover what an application permits beyond its design specifications.

Leave a comment

To illustrate this challenge, the workshop examined the development of a simple AI-generated application. The initial requirements were straightforward: create a fantasy-themed shop for a tabletop role-playing game, generate stock lists and pricing, and provide functionality that would allow users to share the information with players. The resulting application successfully fulfilled its requirements. However, once security testing began, vulnerabilities quickly emerged. For organisations deploying AI systems, the OWASP Top 10 for LLM Applications 2025 provides a useful framework for understanding these emerging threats.

This outcome should not be surprising. Modern applications depend upon layers of libraries, frameworks, APIs, authentication services, and cloud infrastructure. Even experienced developers can struggle to maintain visibility over every component in a growing system. For users relying heavily on AI-generated code, that visibility may be even more limited. The application behaves as expected, but the underlying architecture often remains largely opaque to the person who created it.

Dr. Paxton-Fear noted that security issues multiplied as the demonstration project became more complex. Early vulnerabilities were addressed through software updates and dependency management, but additional weaknesses emerged in areas such as authorisation controls, business logic, and object-level access controls. As features were added and the AI system lost awareness of the broader context of the application, new risks continued to appear.

Share

This reflects a broader challenge facing AI-assisted development. Large language models excel at producing code that satisfies immediate requirements. This challenge becomes particularly relevant as applications incorporate AI agents, external tools, APIs, and autonomous workflows, all of which expand the potential attack surface. OWASP GenAI Security Project. They are considerably less effective at maintaining a holistic understanding of an evolving application over time. Security weaknesses frequently arise not because the AI intentionally creates them, but because the complexity of the project exceeds the context available to the model at any given moment.

One of the most striking observations from the workshop was that many vulnerabilities are effectively invisible to the people building these applications. Traditional software developers generally possess at least a conceptual understanding of the technologies supporting their applications. They know which libraries are installed, which services communicate with one another, and where critical security decisions are made. Vibe coders often interact primarily with prompts and outputs. Their focus is on solving a business problem rather than understanding the architecture required to deliver the solution.

This difference in perspective has important security implications. According to Dr. Paxton-Fear’s analysis, only a small subset of common vulnerabilities can be directly attributed to actions taken by the vibe coder. Issues such as authorisation failures and business logic flaws may result from requirements provided by the user. However, many other risks originate from decisions made by the AI itself. These include vulnerable dependencies, exposed secrets, insufficient rate limiting, information leakage through debugging features, and various forms of injection vulnerability.

Leave a comment

The challenge is compounded by the speed at which AI enables development. Rapid iteration allows applications to move from concept to deployment in record time, but security reviews do not always keep pace. The same tools that accelerate innovation can also accelerate the accumulation of technical and security debt. In many cases, vulnerabilities are not discovered until after an application has already been deployed or adopted by users.

For organisations considering the role of AI in software development, the lesson is not that these tools should be avoided. The productivity benefits are too significant to ignore, and the technology is already becoming deeply embedded within development workflows. Instead, organisations must recognise that AI changes who can build software without changing the underlying realities of software security.

A working application is not necessarily a secure application. Functionality demonstrates that software performs its intended task. Security requires a separate process of validation, testing, monitoring, and maintenance. Organisations looking to formalise that process may find the OWASP Top 10 Project and the broader OWASP GenAI Security Project useful starting points. As AI-generated applications become more common, understanding this distinction may prove to be one of the most important cybersecurity challenges facing businesses over the next decade.

Subscribe now

Share

Leave a comment

Key Takeaways

• AI has dramatically reduced the barriers to software development, allowing non-developers to create functional applications.

• Functionality and security are separate concerns; software can work exactly as intended while still being vulnerable.

• As AI-generated applications increase in complexity, security weaknesses often become more numerous and more difficult to identify.

• Many vulnerabilities originate not from deliberate user actions but from limitations in how AI systems manage context across large projects.

• Vibe coders frequently lack visibility into the underlying technologies that make up modern applications, creating security blind spots.

• Organisations should focus on building security processes around AI-assisted development rather than attempting to prevent its use entirely.

• Security testing must become a standard part of the development lifecycle for AI-generated applications.

  ---

Further Reading

• “Hack Before You Launch” workshop materials, Dr. Katie Paxton-Fear

• OWASP Top 10 Web Application Security Risks: The industry-standard list of common web application vulnerabilities.

• OWASP Top 10 for LLM Applications 2025: Security risks specific to AI-powered systems and generative AI applications.

• OWASP GenAI Security Project: Guidance, tools, and community resources focused on securing generative AI systems.

• OWASP Top 10 GitHub Repository: Source material and supporting documentation for the OWASP Top 10 project.

Don’t miss out on tomorrow’s session, hosted by yours truly. Get your 50% discount as a _secpro subscriber and plug in for Katie’s expertise.

Don't miss out!

Cybersecurity threats continue to increase in frequency, sophistication, and financial impact. Organisations now operate in an environment where cyberattacks are persistent, automated, and highly adaptive. Attackers no longer rely solely on simple malware or isolated phishing emails. Modern threat actors use ransomware, cloud exploitation, credential theft, AI-generated scams, supply chain attacks, and long-term infrastructure compromise to target businesses, governments, and critical services.

From the beginning of January 2026, several high-profile cyber incidents demonstrated how exposed many organisations remain. One major example involved the ransomware group RansomHub, which continued targeting healthcare providers, logistics companies, and public sector organisations across Europe and North America. The group used double-extortion techniques, encrypting systems while simultaneously threatening to leak stolen data publicly. These attacks highlighted how exposed organisations remain to credential theft, poor segmentation, and unpatched systems.

Another major concern involved the cybercriminal collective Scattered Spider, which became associated with social engineering attacks against telecommunications and cloud service providers. The group exploited helpdesk procedures by impersonating employees and convincing support staff to reset credentials or bypass multi-factor authentication protections. This showed that organisational exposure is not limited to technical systems; human processes can also create major security weaknesses.

Security agencies also continued warning about activity associated with the Chinese state-linked group Volt Typhoon. Investigations suggested the attackers maintained hidden access within critical infrastructure systems for extended periods. Rather than immediately disrupting services, the group appeared focused on persistence, reconnaissance, and positioning for future operations. This demonstrated how exposed critical infrastructure can become when visibility into networks and operational technology systems is limited.

The financial sector also experienced increasing attacks involving AI-generated phishing campaigns and voice impersonation scams. Criminal groups used generative artificial intelligence to create highly convincing emails, cloned voices, and fraudulent communications at scale. These attacks lowered the barrier for cybercrime and increased the effectiveness of social engineering operations.

Meanwhile, several retail and software organisations suffered supply chain breaches during the 2025 holiday period after attackers compromised third-party vendors and service providers. These incidents showed that organisations are exposed not only through their own infrastructure, but also through trusted external relationships.

These attacks reveal an important reality about modern cybersecurity: many organisations do not fully understand where they are exposed. Traditional cybersecurity strategies often focus on defending networks after systems are already deployed. However, modern attackers continuously search for weaknesses across cloud platforms, remote devices, APIs, third-party suppliers, identity systems, and internet-facing infrastructure.

As a result, cybersecurity has increasingly shifted toward a model known as continuous exposure management. Instead of relying on occasional assessments or static defences, organisations continuously identify, evaluate, prioritise, and reduce their exposure to cyber threats.

What Continuous Exposure Management Means

Continuous exposure management is a proactive cybersecurity strategy focused on identifying and reducing security weaknesses before attackers can exploit them.

Traditional cybersecurity programmes often relied on periodic audits, annual penetration testing, and compliance checklists. While these activities remain useful, they are no longer sufficient in environments where infrastructure changes daily and attackers move rapidly.

Continuous exposure management assumes that:

• Organisations are constantly changing

• New vulnerabilities appear continuously

• Attack surfaces expand over time

• Threat actors actively search for weaknesses

• Visibility gaps create security risks

The goal is therefore to continuously discover and manage exposures across the organisation rather than reacting only after incidents occur. ,An exposure is any weakness, misconfiguration, vulnerability, or access path that could allow attackers to compromise systems or data. Exposures may include:

• Unpatched software vulnerabilities

• Weak passwords

• Excessive access permissions

• Misconfigured cloud storage

• Insecure APIs

• Legacy systems

• Third-party supplier risks

• Poor network segmentation

• Exposed administrative interfaces

Modern organisations often have thousands of potential exposures at any given time. The challenge is not simply identifying vulnerabilities, but determining which exposures represent the greatest business risk.

This is why continuous exposure management focuses heavily on prioritisation. Security teams must understand:

• Which systems are most critical

• Which vulnerabilities are actively exploitable

• Which assets are internet-facing

• Which exposures attackers are most likely to target

• Which weaknesses could lead to major operational disruption

This approach is closely connected to the concept of an attack surface, which describes all the possible entry points available to attackers. The growth of cloud computing, remote work, mobile devices, and third-party integrations has dramatically expanded organisational attack surfaces over the past decade.

In many organisations, security teams no longer have complete visibility into all assets connected to the network. Shadow IT, unmanaged devices, forgotten cloud services, and legacy applications create unknown exposures that attackers may discover first.

Continuous exposure management attempts to solve this problem by treating cybersecurity as an ongoing process of visibility, assessment, validation, and remediation.

Tools and Practices for Continuous Exposure Management

Continuous exposure management depends on a combination of technologies, operational processes, and strategic planning. Organisations must continuously monitor their environments and reduce exposure in a structured manner.

Attack Surface Management (ASM)

Attack Surface Management is one of the most important components of continuous exposure management. ASM platforms continuously identify internet-facing assets such as servers, domains, cloud environments, APIs, and applications. These tools help organisations discover systems that may not be properly tracked internally.

For example, an ASM platform may identify:

• Forgotten development servers

• Publicly exposed databases

• Expired certificates

• Open administrative portals

• Shadow IT applications

This visibility is important because organisations cannot protect assets they do not know exist. ASM also helps organisations understand how attackers view their infrastructure from outside the network perimeter.

Several open source tools can help organisations identify and monitor externally exposed assets.

• OWASP Amass: A reconnaissance and attack surface mapping tool commonly used for external asset discovery, DNS enumeration, and subdomain mapping.

• Nmap: A network discovery and port scanning tool used to identify exposed services, hosts, and open network ports.

• theHarvester: An open source intelligence (OSINT) tool that gathers information such as domains, email addresses, and public infrastructure exposure from internet sources.

These tools help organisations discover internet-facing systems that may otherwise remain unmanaged or forgotten.

Vulnerability Management

Vulnerability management remains a central practice within exposure management.

Security teams continuously scan systems for known vulnerabilities and software weaknesses. However, modern vulnerability management is increasingly focused on prioritisation rather than volume alone.

Many organisations face thousands of vulnerability alerts each month. Attempting to patch every issue immediately is often unrealistic. Continuous exposure management therefore prioritises vulnerabilities based on:

• Exploit availability

• Internet exposure

• Asset criticality

• Privilege level

• Business impact

• Active attacker activity

This risk-based approach allows organisations to focus resources where they matter most.

Open source vulnerability management tools help organisations continuously identify weaknesses across systems and applications.

• OpenVAS (Greenbone Vulnerability Manager): A full-featured vulnerability scanning platform capable of identifying thousands of known vulnerabilities and configuration weaknesses.

• Nikto: A web server scanner designed to detect dangerous files, outdated software, and insecure configurations.

• Trivy: A vulnerability scanner for containers, cloud infrastructure, and software dependencies commonly used within DevSecOps environments.

These tools support proactive remediation by identifying exploitable weaknesses before attackers can use them.

Continuous Security Validation

Many organisations now use continuous validation techniques to test whether security controls are functioning correctly.

This may include:

• Automated penetration testing

• Breach and attack simulation

• Red team exercises

• Adversary emulation

Rather than assuming controls work properly, organisations actively validate defences against realistic attack techniques. For example, a breach simulation platform may attempt to imitate ransomware behaviour inside a controlled environment. Security teams can then evaluate whether monitoring tools successfully detect and block the activity.

Security validation tools allow organisations to test whether defensive controls are operating effectively under realistic attack conditions.

• MITRE Caldera: An automated adversary emulation platform based on real-world attacker techniques documented within the MITRE ATT&CK framework.

• Atomic Red Team: A collection of small, controlled attack simulations used to test security monitoring and detection capabilities.

• Infection Monkey: A breach and attack simulation tool that safely tests lateral movement, credential exposure, and segmentation weaknesses.

These tools help organisations validate security controls continuously rather than relying solely on theoretical assumptions.

Identity and Access Management (IAM)

Identity systems have become a major target for attackers. Compromised credentials often allow attackers to bypass perimeter security entirely. As a result, continuous exposure management places strong emphasis on identity security.

Important IAM practices include:

• Multi-factor authentication

• Least privilege access

• Privileged access management

• Continuous authentication

• Access reviews

• Credential monitoring

Reducing unnecessary permissions significantly limits attacker movement inside networks after initial compromise.

IAM-focused open source tools assist organisations in managing authentication, permissions, and access control.

• Keycloak: An identity and access management platform supporting single sign-on, multi-factor authentication, and federated identity management.

• FreeIPA: A Linux-based identity management solution providing centralised authentication, access control, and policy management.

• Authelia: An authentication and authorisation server designed to secure web applications using multi-factor authentication and access policies.

These tools help reduce identity-related exposure by strengthening authentication and limiting unnecessary access privileges.

Cloud Security Posture Management (CSPM)

As organisations increasingly migrate infrastructure to cloud environments, cloud misconfigurations have become a major source of exposure. CSPM platforms continuously monitor cloud infrastructure for security weaknesses such as:

• Publicly exposed storage buckets

• Excessive permissions

• Weak encryption settings

• Insecure API configurations

• Unprotected workloads

These tools help organisations maintain visibility across rapidly changing cloud environments.

Open source CSPM tools help organisations identify cloud misconfigurations and insecure cloud deployments.

• Prowler: A cloud security assessment tool focused primarily on AWS environments and aligned with security best practices.

• ScoutSuite: A multi-cloud auditing tool that analyses security posture across AWS, Azure, Google Cloud, and Oracle Cloud environments.

• CloudSploit: A cloud security monitoring tool used to identify insecure cloud configurations and compliance issues.

These tools improve visibility into cloud infrastructure and help reduce exposure caused by configuration weaknesses.

Threat Intelligence Integration

Threat intelligence helps organisations understand which exposures are most likely to be targeted by attackers.

For example, if threat intelligence sources report active exploitation of a newly discovered vulnerability, organisations can prioritise remediation efforts immediately.

Threat intelligence also improves contextual decision-making by identifying:

• Attacker techniques

• Common malware behaviour

• Industry-targeted campaigns

• Emerging exploit trends

This allows organisations to align exposure management with real-world threat activity rather than theoretical risk alone.

Threat intelligence tools collect, organise, and analyse information about attacker activity and emerging threats.

• MISP (Malware Information Sharing Platform): A threat intelligence sharing platform used to distribute indicators of compromise, malware intelligence, and attack data.

• OpenCTI: A cyber threat intelligence platform designed for analysing and correlating threat information from multiple sources.

• YARA: A pattern-matching tool commonly used to identify malware families and suspicious files using custom detection rules.

These tools help organisations prioritise exposures based on real-world attacker activity and emerging exploit trends.

Security Operations and Monitoring

Although continuous exposure management focuses heavily on prevention and reduction, monitoring remains essential.

Security Operations Centres (SOCs) use tools such as:

• Security Information and Event Management (SIEM)

• Endpoint Detection and Response (EDR)

• Extended Detection and Response (XDR)

These systems help organisations identify indicators of compromise quickly if exposures are successfully exploited. The goal is to minimise attacker dwell time and reduce operational impact.

Open source monitoring and detection tools support continuous visibility into organisational systems and suspicious activity.

• Wazuh: A security monitoring and threat detection platform combining SIEM functionality, endpoint monitoring, and intrusion detection.

• Suricata: A high-performance network intrusion detection and threat monitoring engine capable of deep packet inspection.

• Zeek: A network analysis and security monitoring framework used to detect suspicious behaviour and generate detailed traffic logs.

These tools improve visibility, accelerate detection, and support rapid response when exposures are exploited.

Creating a Culture of Continuous Exposure Management

Technology alone cannot create effective exposure management. Organisations must also change how they think about cybersecurity.

Many businesses still treat cybersecurity as a compliance requirement or technical responsibility belonging only to IT departments. Continuous exposure management requires a broader cultural shift where exposure reduction becomes an organisational objective.

Leadership Involvement

Executive leadership plays a critical role in cybersecurity culture. Senior leaders must understand that exposure management directly affects operational continuity, financial performance, legal compliance, and customer trust.

When leadership actively supports cybersecurity initiatives, organisations are more likely to allocate appropriate resources and prioritise long-term resilience over short-term convenience.

Importantly, cybersecurity discussions should focus on business risk rather than purely technical language.

Shared Organisational Responsibility

Exposure management requires participation across the entire organisation.

Employees influence cybersecurity through:

• Password practices

• Data handling

• Access management

• Software usage

• Reporting suspicious activity

Developers, procurement teams, human resources departments, and executives all contribute to organisational exposure in different ways. Organisations should therefore promote the idea that cybersecurity is a shared operational responsibility rather than solely an IT problem.

Continuous Improvement

Continuous exposure management depends on constant adaptation. Organisations should regularly:

• Reassess risks

• Review asset inventories

• Validate security controls

• Conduct training exercises

• Update policies

• Test incident response procedures

Threat landscapes change rapidly, meaning cybersecurity programmes must evolve continuously rather than remaining static.

Encouraging Transparency

Employees are often hesitant to report mistakes because they fear punishment. However, delayed reporting can significantly worsen security incidents. Organisations should encourage transparency and rapid communication regarding suspicious behaviour, accidental exposure, or potential vulnerabilities. A culture of openness improves detection speed and organisational resilience.

Measuring Exposure and Maturity

Continuous exposure management also requires measurable performance indicators. Organisations increasingly track:

• Vulnerability remediation times

• Internet-facing asset exposure

• Patch management performance

• Identity risk levels

• Security control effectiveness

• Mean time to detect threats

Measurement allows organisations to identify weaknesses, prioritise improvements, and demonstrate progress over time.

Setting Up for Continuous Threats

The modern cybersecurity landscape is defined by constant change, expanding attack surfaces, and increasingly sophisticated attackers. Recent incidents involving ransomware groups, social engineering campaigns, supply chain attacks, and state-sponsored actors demonstrate that organisations face continuous exposure to cyber risk.

Traditional security approaches based on periodic assessments and static defences are no longer sufficient. Organisations must instead adopt continuous exposure management strategies that focus on ongoing visibility, prioritisation, validation, and remediation.

Continuous exposure management helps organisations identify weaknesses before attackers exploit them. By continuously evaluating attack surfaces, monitoring vulnerabilities, securing identities, validating controls, and prioritising high-risk exposures, businesses can significantly improve resilience against modern threats.

However, technology alone is insufficient. Successful exposure management also requires cultural change. Leadership involvement, employee participation, continuous learning, and organisational transparency all contribute to stronger cybersecurity outcomes.

Ultimately, continuous exposure management is about reducing uncertainty. Organisations cannot eliminate all cyber risk, but they can continuously improve visibility, reduce exposure, and strengthen resilience against evolving threats.

Key conclusions include:

• Modern attack surfaces are larger and more complex than ever before

• Organisations must continuously identify and reduce exposures

• Visibility into assets and vulnerabilities is critical

• Risk prioritisation is essential because resources are limited

• Identity security and cloud security are major focus areas

• Organisational culture strongly influences cybersecurity effectiveness

• Cybersecurity should be integrated into overall business risk management

In the modern digital environment, continuous exposure management has become an essential part of organisational security strategy rather than an optional enhancement.

Further reading

Today, attackers can generate convincing voices, realistic videos, believable writing, and automated phishing campaigns in minutes. Deepfake technology and AI-enhanced scams are forcing organisations to rethink how trust operates in the digital world. Employees are no longer only defending against malicious software; they are defending against synthetic identities and manipulated reality.

This crisis has led many cybersecurity professionals to adopt new defensive models, particularly zero trust architecture. Instead of assuming that users or systems are trustworthy once they are inside a network, zero trust treats every request as potentially hostile until verified. The same principles are now being applied to artificial intelligence systems themselves.

At the same time, many organisations still struggle with one major weakness: human behaviour. Technical security tools can block many attacks, but employees without training remain vulnerable to manipulation. Non-specialist workers are increasingly becoming the primary targets of AI-powered attacks because they are often the easiest path into an organisation.

The future of cybersecurity will therefore depend on rebuilding trust carefully, verifying identity continuously, and teaching ordinary users how to recognise increasingly advanced threats.

Stay ahead of evolving threats: Get Dark Reading's expert cybersecurity intelligence delivered daily

Arm yourself with actionable threat intelligence, critical vulnerability alerts, and expert analysis delivered daily. Dark Reading’s award-winning team provides the insights you need to strengthen defenses and expand your cybersecurity expertise.

The Dark Reading daily newsletter covers:
• Real-world incident analysis and breach post-mortems with tactical takeaways
• Emerging attack techniques, exploit trends, and adversary TTPs
• Practical defense strategies for ransomware, supply chain attacks, and insider threats
• Strategic insights from security leaders on AI security, zero trust, and cloud-native protection
• Compliance updates and regulatory changes that impact your security program

Daily alert - signup

The Growing Crisis of Trust in Cybersecurity

Cybersecurity has traditionally relied on a layered approach to defence. Firewalls, antivirus software, password systems, and network monitoring tools were designed to protect systems from unauthorised access. Yet these tools often assumed that trusted users inside a network were safe.

This assumption became dangerous as cybercriminals developed methods to bypass technical barriers by targeting people instead. Social engineering attacks exploit human psychology rather than software vulnerabilities. Attackers manipulate emotions such as fear, urgency, authority, or curiosity to convince victims to reveal sensitive information.

Artificial intelligence has dramatically increased the effectiveness of these attacks. AI systems can now analyse public information from social media, company websites, and leaked data to craft highly personalised phishing messages. Unlike traditional spam emails filled with spelling mistakes, AI-generated messages can appear professional, accurate, and context-aware.

Cybersecurity experts increasingly warn that the internet is entering a “post-authenticity” era. In this environment, seeing or hearing something online is no longer reliable proof that it is real. AI-generated images, cloned voices, and manipulated videos can imitate trusted individuals with alarming accuracy.

This erosion of trust affects more than individual organisations. Public confidence in online communication, financial systems, journalism, and even democratic institutions may weaken if people can no longer reliably distinguish between authentic and synthetic information.

For businesses, the consequences are severe. A successful AI-enhanced phishing attack can lead to stolen funds, ransomware infections, data breaches, or reputational damage. Companies must therefore move away from trust based on assumptions and toward trust based on continuous verification.

How Hugging Face eliminated .env files and automated secret rotation

With 200+ engineers and infrastructure spanning Kubernetes, Terraform, and CI/CD, Hugging Face needed secrets management devs would actually use. They chose Infisical. See how they set up CLI injection for local dev, Kubernetes Operator for automatic redeployments, and self-serve workflows.

Get the details

Deepfakes and AI-Augmented Attacks

Deepfakes are synthetic media generated using artificial intelligence. These systems can create realistic audio, video, or images that imitate real people. Early deepfakes were often easy to identify because of unnatural movements or distorted facial expressions. Modern AI models, however, have improved rapidly.

Attackers now use deepfakes for fraud, impersonation, political manipulation, and corporate espionage. Voice cloning is especially dangerous because many organisations still rely on voice recognition or verbal confirmation for sensitive actions.

One of the most widely discussed cases occurred in 2024 when a finance employee at a multinational company in Hong Kong was tricked into transferring approximately 25 million US dollars after participating in a video conference call populated by AI-generated deepfakes of senior executives. The employee believed the meeting was genuine because the fake participants looked and sounded like real colleagues. In reality, cybercriminals had used publicly available footage and AI systems to imitate the organisation’s leadership team.

This incident demonstrated several important trends in modern cybercrime. First, attackers are increasingly combining traditional social engineering with advanced AI tools. Second, technical realism alone is enough to override human suspicion in many situations. Third, organisations that rely heavily on remote communication are particularly vulnerable.

Deepfakes are not limited to corporate fraud. Attackers have also used cloned voices to impersonate family members during emergency scams, convincing victims to transfer money quickly. Political deepfakes have spread misinformation during elections. Fake executive videos have manipulated stock markets and public opinion.

AI also enables large-scale automation of attacks. Cybercriminals can generate thousands of tailored phishing messages rapidly, adapting language and tone for different targets. AI chatbots can conduct fraudulent conversations in real time, increasing the sophistication of scams.

The barrier to entry has also fallen dramatically. Many deepfake and AI-generation tools are inexpensive or publicly available. Attackers no longer need advanced programming expertise to launch convincing campaigns.

This creates a dangerous imbalance. Defensive organisations often require extensive approval processes, training programmes, and infrastructure upgrades. Attackers, meanwhile, can experiment quickly with evolving AI tools.

The Shift Toward Zero Trust Architecture

In response to growing cyber threats, many organisations have adopted zero trust architecture. Zero trust is not a single product or software platform. Instead, it is a security philosophy built around the principle of “never trust, always verify.”

Traditional cybersecurity models assumed that users and devices inside a network perimeter could generally be trusted. Once an employee logged in successfully, they often received broad access to systems and data.

Zero trust rejects this assumption. Every user, device, application, and request must be verified continuously, regardless of location. Access is granted only to the specific resources required for a task.

The rise of remote work, cloud computing, and mobile devices accelerated the need for this approach. Modern organisations no longer operate within clearly defined network boundaries. Employees access systems from homes, cafés, airports, and personal devices.

A zero trust model usually includes several core principles:

• Identity Verification: Users must prove their identity using strong authentication methods. Multi-factor authentication is one of the most common examples. Instead of relying only on passwords, systems may require a mobile confirmation code, biometric scan, or hardware security key.

• Least Privilege Access: Employees receive access only to the information necessary for their role. This reduces the damage attackers can cause if they compromise an account.

• Continuous Monitoring: Zero trust systems monitor behaviour constantly. If a user suddenly downloads massive amounts of data or logs in from unusual locations, the system may trigger additional verification or block access.

• Device Security: The security status of devices is checked before access is granted. Unpatched or compromised devices may be isolated automatically.

• Microsegmentation: Networks are divided into smaller sections so that attackers cannot move freely across systems after gaining entry.

These principles are particularly important in defending against AI-enhanced attacks. If a deepfake convinces an employee to reveal credentials, layered verification and limited permissions can still reduce the attacker’s ability to cause damage.

For more on zero trust, see the following:

Applying Zero Trust to Artificial Intelligence

As organisations integrate AI systems into daily operations, cybersecurity experts are increasingly applying zero trust principles directly to AI technologies.

AI systems create new attack surfaces. Large language models, automated assistants, and machine learning systems often process enormous quantities of sensitive data. If compromised, they can expose confidential information or generate misleading outputs.

One growing concern is prompt injection attacks. In these attacks, malicious users manipulate AI systems by providing carefully designed instructions that override safety controls or extract hidden information. Another threat involves data poisoning, where attackers deliberately corrupt training data to influence how AI systems behave.

Applying zero trust to AI means treating AI systems as potentially vulnerable rather than inherently trustworthy.

This approach includes several important strategies.

• Verifying Data Sources: AI systems should only process data from trusted and validated sources. Organisations must monitor datasets carefully to detect tampering, corruption, or manipulation.

• Restricting AI Permissions: AI applications should not receive unrestricted access to internal systems. Limiting permissions reduces the risk of automated misuse.

• Monitoring AI Behaviour: Security teams should track how AI systems interact with users and networks. Unexpected outputs, unusual access requests, or abnormal decision patterns may indicate compromise.

• Human Oversight: Critical decisions involving finance, healthcare, legal matters, or infrastructure should not rely entirely on AI-generated outputs. Human review remains essential.

• Model Security Testing: Organisations increasingly conduct adversarial testing against AI systems to identify weaknesses before attackers exploit them.

Applying zero trust to AI is especially important because AI systems often appear authoritative. Employees may assume that machine-generated information is objective or reliable even when it is incorrect.

This creates a paradox. AI tools can strengthen cybersecurity by detecting anomalies and automating threat analysis, yet the same technology can also increase organisational risk if deployed carelessly.

Why Human Training Matters More Than Ever

Despite major advances in cybersecurity technology, humans remain one of the most common points of failure. Many cyberattacks succeed not because technical systems are weak, but because individuals are manipulated successfully. AI-enhanced attacks exploit human habits, emotions, and assumptions.

Traditional cybersecurity training often fails because it relies on long presentations, technical jargon, or infrequent compliance exercises. Non-specialist employees may view security training as confusing, irrelevant, or disconnected from their daily responsibilities.

Modern training programmes must therefore focus on practical behaviour rather than abstract theory. Employees do not need to become cybersecurity engineers. However, they do need enough awareness to recognise suspicious situations and respond safely. Training should begin with a clear explanation of how AI-enhanced attacks work. Employees should understand that emails, voices, videos, and online identities can now be fabricated convincingly.

For example, staff should know that:

• A phone call from a manager may not be genuine.

• A video conference participant could be a deepfake.

• A polished email with perfect grammar can still be malicious.

• AI chatbots may imitate customer support agents or colleagues.

The goal is not to create paranoia, but to encourage healthy verification habits.

Practical Cybersecurity Training for Non-Specialists

Effective cybersecurity training must be realistic, repeatable, and easy to apply under pressure. One of the most effective methods is scenario-based learning. Instead of memorising definitions, employees practise responding to simulated attacks. These exercises help workers build instinctive responses before real incidents occur.

For example, organisations may conduct simulated phishing campaigns to teach employees how to identify suspicious messages. Workers who click fake malicious links can receive immediate educational feedback.

Deepfake awareness training is becoming increasingly important as well. Employees should practise verifying unusual requests through secondary communication channels. If a senior executive requests an urgent financial transfer during a video call, staff should confirm the request independently using trusted procedures. Simple organisational habits can significantly reduce risk.

Clear escalation procedures are essential. Employees should know exactly who to contact if they suspect a cyberattack or fraudulent communication. Confusion during a crisis often benefits attackers.

Training should also emphasise emotional awareness. Many successful attacks rely on urgency or fear. Attackers pressure victims into acting quickly before they can think critically.

Workers should learn to pause and verify when encountering messages involving:

• Emergency financial requests

• Password resets

• Confidential data transfers

• Threats of punishment or account closure

• Requests for secrecy

Cybersecurity culture also matters. Employees are more likely to report suspicious incidents if organisations avoid blaming or humiliating staff who make mistakes.

A blame-focused culture encourages silence. Workers may hide accidental clicks or suspicious interactions because they fear punishment. This delays incident response and increases organisational damage.

Instead, organisations should encourage rapid reporting and treat cybersecurity as a shared responsibility. Short, regular training sessions are generally more effective than annual seminars. Threats evolve quickly, especially in AI-related environments. Continuous learning helps employees stay aware of changing attack techniques.

The Role of Leadership and Governance

Trust within cybersecurity is not only a technical issue. It is also a leadership challenge.

Executives must recognise that cybersecurity is now deeply connected to organisational reputation, operational stability, and public confidence. AI-enhanced attacks can damage customer trust rapidly if organisations appear unprepared.

Leadership teams should establish clear policies for AI usage, identity verification, and incident response. Employees need consistent guidance about when and how AI tools may be used.

Governance frameworks should also address ethical concerns. AI-generated content creates risks involving misinformation, privacy violations, and impersonation. Many organisations now require internal disclosure when employees use AI-generated material in official communication. Transparent usage policies help preserve accountability.

Investment in cybersecurity training must also come from leadership. Training programmes often fail because organisations treat them as secondary priorities. In reality, cybersecurity awareness is now a core business skill. Every department, including finance, human resources, marketing, and customer support, faces exposure to AI-enhanced attacks.

Rebuilding Digital Trust

The cybersecurity landscape is entering a period of profound change. Artificial intelligence is simultaneously strengthening and weakening digital trust.

On one hand, AI improves threat detection, automates security monitoring, and increases defensive capabilities. On the other hand, it enables cybercriminals to create highly convincing attacks at unprecedented speed and scale.

Deepfakes and AI-generated deception challenge long-standing assumptions about authenticity. Organisations can no longer rely on visual evidence, familiar voices, or polished communication as proof of legitimacy. In this environment, trust must become evidence-based rather than assumption-based.

Zero trust architecture represents one of the most important strategic responses to this challenge. By continuously verifying users, devices, and systems, organisations reduce their dependence on fragile assumptions.

Applying zero trust principles to AI systems themselves is equally important. AI tools must be monitored, restricted, and validated carefully to prevent misuse or compromise.

However, technology alone cannot solve the problem. Human behaviour remains central to cybersecurity resilience. Non-specialist employees are increasingly operating on the front line of digital defence. Practical training, clear verification procedures, and supportive organisational culture are essential in helping ordinary users recognise AI-enhanced threats.

The future of cybersecurity will depend on balancing innovation with caution. AI systems will continue to evolve rapidly, and attackers will continue adapting their methods. Trust is therefore no longer something organisations can grant automatically. It must be earned continuously through verification, transparency, education, and resilient security design.

In the years ahead, the organisations most capable of protecting themselves will not necessarily be those with the most advanced technology. They will be the ones that combine strong technical controls with informed, alert, and adaptable human decision-making.

Further reading

The FortiGate campaigns targeted internet-facing Fortinet firewall appliances. Firewalls are one of the most critical security devices in any organisation because they sit directly between internal infrastructure and the public internet. A successful compromise of a firewall can give attackers visibility into network traffic, remote access pathways, and authentication systems. In the 2026 campaigns, attackers exploited weakly protected or vulnerable FortiGate systems at scale. Security researchers observed that many of the affected devices had poor credential hygiene, exposed management interfaces, or delayed patching practices. The attackers were not necessarily highly skilled exploit developers. Instead, they used commercially available AI tools to accelerate and automate many stages of the attack lifecycle.

Framing the Modern Problem of FortiGate

The use of AI changed the scale and speed of the campaign. Traditional cyberattacks often require significant manual reconnaissance. An attacker must identify targets, determine which systems are vulnerable, analyse responses from scans, and decide which exploitation path to attempt. AI systems dramatically reduced this workload. Large language models could interpret scan results, generate scripts for exploitation, suggest likely credential combinations, and even automate follow-up tasks after a successful compromise. Instead of slowly investigating individual targets, attackers could manage hundreds of systems simultaneously.

This represented a major shift in cybercrime economics. In earlier years, large intrusion campaigns generally required either advanced expertise or large criminal organisations with specialised operators. AI compressed those requirements. Threat actors with moderate technical ability could now behave like highly organised intrusion teams because AI handled much of the analytical and scripting burden. The attackers essentially used AI as an operational multiplier.

Scaling up with AI

The consequences of the FortiGate campaign extended beyond the individual compromised devices. Once attackers gained access to firewalls, they could pivot deeper into internal networks. Firewalls often contain VPN configurations, authentication tokens, administrative credentials, and network topology information. This allowed attackers to escalate privileges and expand their access. In some environments, compromised firewalls acted as silent persistence mechanisms because administrators failed to realise the devices themselves had been breached.

One of the most important lessons from the campaign was that many organisations struggled not because they lacked security products, but because they lacked coordinated incident response. Security alerts were often isolated inside separate tools. Indicators of compromise were not correlated quickly enough. Analysts became overwhelmed by the volume of alerts generated during the attack waves. In several cases, organisations treated individual intrusion attempts as isolated incidents rather than recognising they were part of a broader campaign targeting similar infrastructure globally.

Taking Preventive Measures

This is where TheHive could have significantly reduced operational failures. TheHive is an open-source security incident response platform designed to support Security Operations Centres (SOCs), Computer Security Incident Response Teams (CSIRTs), and threat intelligence teams. Unlike traditional antivirus or firewall products, TheHive is not primarily focused on detection. Instead, its purpose is to coordinate investigation, enrichment, collaboration, and response.

TheHive would have been particularly effective against the FortiGate campaigns because the attacks generated enormous numbers of observables and repetitive workflows. Observables are pieces of evidence such as IP addresses, domains, hashes, URLs, usernames, or email addresses that analysts investigate during an incident. In the FortiGate campaign, security teams were flooded with indicators from firewall logs, authentication attempts, scanning activity, and malicious infrastructure. Without a centralised case management platform, analysts often investigated these indicators separately, resulting in duplicated effort and delayed response times.

TheHive’s case-based architecture could have improved this process substantially. When integrated with SIEM systems and detection platforms, alerts relating to suspicious FortiGate behaviour could automatically create incidents inside TheHive. Analysts would then have a shared workspace where all related observables, tasks, notes, timelines, and indicators were collected together. Instead of manually copying data between spreadsheets, emails, and ticketing systems, the investigation would become centralised and collaborative.

The Strength of TheHive

A major advantage of TheHive is its integration with Cortex, an analysis and automation engine. Cortex allows analysts to run automated enrichment tasks against observables. For example, suspicious IP addresses associated with the FortiGate attacks could automatically be checked against threat intelligence databases, passive DNS systems, WHOIS services, and malware repositories such as VirusTotal. The system could automatically add context about whether the infrastructure was linked to known malicious activity. This reduces analyst workload and accelerates triage.

The importance of automation becomes especially clear when considering AI-assisted attacks. Because AI allows attackers to operate at greater scale, defenders cannot rely entirely on manual investigation processes. Human analysts simply cannot process thousands of repetitive alerts fast enough during a rapidly evolving intrusion campaign. TheHive addresses this problem by reducing repetitive labour. Analysts can focus on higher-level reasoning and containment decisions while automated systems handle enrichment and correlation.

Another major strength of TheHive is campaign correlation. During the FortiGate attacks, many organisations failed to recognise broader patterns. An individual failed login attempt or suspicious scan might appear insignificant on its own. However, when similar events occur across multiple devices and regions, they may indicate a coordinated intrusion campaign. TheHive allows analysts to link cases together through shared observables and attack patterns. This creates a more strategic understanding of the threat landscape.

For example, if multiple firewall incidents involved the same command-and-control server or scanning IP range, analysts could identify these relationships quickly inside TheHive. Over time, this produces a campaign-level view rather than isolated incident-level visibility. This distinction is extremely important in modern cybersecurity because attackers increasingly operate as distributed campaigns rather than single-target intrusions.

TheHive also supports integration with MITRE ATT&CK, a widely used framework for classifying adversary tactics and techniques. Mapping the FortiGate attacks to ATT&CK categories would have improved both analysis and reporting. Analysts could identify whether attackers were engaging in credential access, persistence, lateral movement, or privilege escalation. This structured approach improves communication between technical responders, management teams, and external organisations.

In addition, TheHive integrates with threat intelligence sharing platforms such as MISP. During global campaigns, intelligence sharing is essential. If one organisation identifies malicious infrastructure or novel attacker behaviour, other organisations can use that information to strengthen their defences. The FortiGate campaign demonstrated how rapidly attacks can spread when organisations operate in isolation. A shared intelligence ecosystem could have significantly reduced attacker effectiveness.

Positioning TheHive Positively

However, simply deploying TheHive is not enough. Many organisations fail because they treat incident response platforms as passive repositories rather than active operational systems. To avoid repeating the mistakes seen during the FortiGate campaigns, organisations must apply TheHive properly within a mature security workflow.

The first requirement is integration. TheHive should not exist separately from the wider SOC environment. It must integrate with SIEM systems, EDR platforms, firewall telemetry, identity providers, and threat intelligence feeds. If analysts must manually transfer data into TheHive, the platform loses much of its operational value. Automation pipelines are essential because AI-driven attacks operate too quickly for entirely manual processes.

Second, organisations must establish clear incident response playbooks. One of the major problems during the FortiGate campaigns was inconsistent response behaviour. Different analysts handled similar incidents differently, creating confusion and delays. TheHive supports task templates and workflow orchestration, allowing organisations to standardise their response procedures. For example, any alert involving suspicious FortiGate authentication activity could automatically trigger a predefined investigation workflow including credential review, IOC enrichment, log preservation, and device isolation procedures.

Third, organisations must prioritise observability and telemetry quality. TheHive depends on receiving useful data from surrounding systems. If firewall logs are incomplete, poorly configured, or not centralised, incident responders will struggle to reconstruct attacker behaviour. Modern cybersecurity increasingly depends on visibility rather than perimeter strength alone. Security teams need high-quality logging, centralised telemetry collection, and long-term retention policies to support meaningful investigations.

Fourth, organisations must train analysts to think in terms of campaigns rather than isolated alerts. AI-assisted attacks are often highly distributed and adaptive. Attackers may rotate infrastructure, vary payloads, or spread activity across many targets simultaneously. TheHive’s correlation features are most effective when analysts actively search for relationships between incidents. This requires a more intelligence-driven mindset than traditional reactive alert handling.

Fifth, organisations should use TheHive as part of a broader Zero Trust and identity-centric security strategy. The FortiGate attacks often succeeded because exposed management interfaces and weak credentials created unnecessary attack surfaces. Incident response alone cannot compensate for weak preventative controls. Strong MFA policies, restricted administrative exposure, network segmentation, and continuous identity monitoring remain essential. TheHive works best when combined with preventative security architecture rather than replacing it.

Finally, organisations must recognise that AI-driven attacks represent a structural change in cybersecurity rather than a temporary trend. Traditional incident response models assumed that attackers operated at roughly human speed. AI fundamentally changes this assumption. Threat actors can now automate reconnaissance, generate phishing content instantly, and adapt intrusion workflows dynamically. Defensive operations must therefore become more automated, collaborative, and intelligence-driven.

Transition in the Age of AI

Platforms such as TheHive represent part of this transition. They shift security operations away from fragmented alert handling and toward coordinated investigation ecosystems. This does not eliminate the threat of AI-assisted attacks, but it significantly improves organisational resilience. The key lesson from the FortiGate campaigns is not merely that attackers used AI. It is that many organisations were operationally unprepared for attacks occurring at AI scale.

The FortiGate intrusion campaigns demonstrated how artificial intelligence is transforming cybercrime from a specialist activity into a scalable industrial process. Attackers used AI to accelerate reconnaissance, automate exploitation workflows, and manage large-scale intrusion operations with relatively limited human expertise. The resulting overload exposed major weaknesses in incident response coordination, alert correlation, and intelligence sharing. TheHive could have mitigated many of these problems by centralising investigation workflows, automating enrichment, correlating observables, and supporting collaborative incident response. However, effective use of TheHive requires more than simple deployment. Organisations must integrate it deeply into their SOC infrastructure, standardise workflows, improve telemetry quality, and adopt a campaign-oriented security mindset. As AI-assisted cyberattacks continue to evolve, the organisations that succeed will not necessarily be those with the largest number of security tools, but those capable of coordinating intelligence, automation, and human expertise into a unified defensive system.

Further reading

• TheHive Project Overview (StrangeBee): Official overview of TheHive platform, including its incident response workflows, collaboration model, and integration capabilities for SOC and CSIRT environments.

• CSO Online – Russian Group Uses AI to Exploit Weakly Protected Fortinet Firewalls: A journalistic breakdown of the FortiGate intrusion campaign, explaining how attackers combined AI-assisted workflows with exposed infrastructure and weak credential practices.

• AWS Security Blog – AI-Augmented Threat Actor Accesses FortiGate Devices at Scale: Detailed technical commentary and timeline analysis of the attack campaign, including reconnaissance, exploitation methods, and attacker operational patterns.

• TheHive Case Management Platform Features: Detailed explanation of TheHive’s case correlation, workflow automation, observables management, and collaborative incident response features.

  ---

See Also

This post is our fourth entry in our ongoing series around various open-source tools that we think you should take a look at. You can find the others hereL

That fact is precisely why Suricata remains strategically relevant.

The Return of Network-Centric Detection

Suricata has evolved from a traditional intrusion detection system into a high-performance network security platform capable of intrusion detection (IDS), intrusion prevention (IPS), network security monitoring (NSM), protocol analysis, and threat hunting support. In contemporary environments, Suricata is no longer simply a packet inspection engine sitting passively on a SPAN port. Properly deployed, it functions as a real-time telemetry layer capable of exposing adversary behaviour long before ransomware deployment or public data leakage.

The 2025 cyberattack against Kido International illustrates exactly why this matters. The attack reportedly resulted in the theft of highly sensitive information relating to thousands of children and staff, including photographs, addresses, contact details, and safeguarding information. The attackers, identified in reporting as the Radiant ransomware group, allegedly used extortion tactics that included leaking sample profiles of children online.

Although the precise technical kill chain was never fully disclosed publicly, the incident reflected a pattern now common across ransomware operations: initial compromise, lateral movement, credential abuse, data staging, exfiltration, and extortion. Suricata is particularly effective against exactly this sequence of activity.

How Suricata Actually Works

At its core, Suricata is a multi-threaded packet processing engine designed to inspect network traffic in real time. Unlike older IDS platforms constrained by single-threaded performance limitations, Suricata was built to scale across modern multicore infrastructure. This matters operationally because contemporary enterprise traffic volumes routinely overwhelm legacy inspection architectures.

Suricata analyses packets at Layer 3 through Layer 7, reconstructing sessions and decoding application-layer protocols including HTTP, TLS, DNS, SMB, FTP, SSH, SMTP, and industrial protocols. Rather than relying purely on raw packet signatures, it can evaluate protocol behaviour, metadata, flow state, and content relationships.

In practice, Suricata operates through several complementary detection models.

Signature-based detection remains central. Rules written in the Suricata rule language identify known malicious patterns such as ransomware command-and-control traffic, exploit kit payloads, suspicious PowerShell downloads, credential harvesting behaviour, or malware beaconing intervals.

Protocol anomaly detection extends visibility further. Suricata can identify malformed requests, protocol misuse, suspicious JA3 TLS fingerprints, DNS tunnelling indicators, or irregular SMB activity that may indicate lateral movement. Its network security monitoring functionality is equally important. Even when no alert is generated, Suricata produces detailed metadata records through EVE JSON logging. These logs can be forwarded to platforms such as Elasticsearch, Logstash, Kibana, Splunk, or SIEM pipelines where analysts correlate behaviour over time.

That distinction is critical. Modern detection engineering increasingly depends not just on identifying known malware signatures but on exposing attacker tradecraft. A mature Suricata deployment, therefore, becomes less of a simple IDS and more of a network-centric detection fabric.

The Kido Attack Through a Suricata Lens

Public reporting on the Kido incident suggested that attackers gained access to sensitive records through systems associated with a third-party childcare software platform. The attackers subsequently exfiltrated personal information and used double-extortion tactics to pressure the organisation. Even without full forensic disclosure, the attack sequence aligns closely with contemporary ransomware operations.

A Suricata deployment positioned at internet ingress points, cloud transit gateways, and east-west network boundaries could have materially improved detection opportunities at multiple stages.

Initial Access Detection

Modern ransomware operators frequently exploit externally exposed applications, weak authentication workflows, VPN infrastructure vulnerabilities, or stolen credentials. Once an adversary establishes initial foothold access, command-and-control traffic typically begins almost immediately.

Suricata excels at identifying these patterns because it can inspect:

• suspicious HTTP user agents;

• outbound connections to known malicious infrastructure;

• unusual TLS fingerprints;

• exploit payload signatures;

• web shell traffic;

• suspicious authentication behaviour;

• anomalous DNS activity.

If the Kido intrusion involved exploitation of a web-facing service or cloud-connected application, Suricata could have detected exploit attempts or malicious callback traffic before large-scale data access occurred.

For example, Suricata rulesets from Emerging Threats and commercial threat intelligence feeds routinely include indicators for ransomware affiliate infrastructure, Cobalt Strike beacons, Sliver implants, remote administration frameworks, and known malware loaders. The value here is not theoretical. Many ransomware intrusions remain undetected for days or weeks because organisations focus heavily on endpoint encryption detection while underinvesting in network telemetry.

Lateral Movement and Privilege Escalation

Ransomware groups rarely execute attacks from their initial compromise point. Instead, they move laterally through the environment using administrative protocols and credential reuse.

This phase is where Suricata becomes especially valuable. Because the engine decodes SMB, RDP, Kerberos, LDAP, and other enterprise protocols, it can reveal behavioural indicators associated with privilege escalation and lateral movement:

• abnormal SMB share enumeration;

• excessive failed authentication attempts;

• suspicious remote service creation;

• PsExec-style execution patterns;

• remote PowerShell activity;

• unusual Kerberos ticket behaviour;

• large volumes of east-west traffic between systems.

In childcare and education environments such as Kido’s, flat network architecture and broad access privileges can significantly amplify attack impact. A properly segmented environment monitored by Suricata would likely have generated telemetry showing anomalous internal movement patterns well before mass exfiltration.

Importantly, Suricata also supports file extraction and file metadata logging. Analysts can identify suspicious executable transfers, archive creation, or staged payload movement across the network. That capability matters because ransomware operators commonly stage compressed archives prior to exfiltration.

Data Exfiltration: The Most Detectable Phase

The Kido attack became publicly visible once attackers began leaking stolen records and threatening further disclosures. By that point, the compromise had already progressed into a full extortion scenario. Ironically, data exfiltration is often one of the noisiest phases of a ransomware campaign.

Large outbound transfers, encrypted archive uploads, unusual cloud storage traffic, and abnormal DNS patterns create detectable network artefacts.

Suricata can identify these through:

• outbound transfer volume anomalies;

• suspicious HTTP POST requests;

• rare destination domains;

• cloud storage misuse;

• TOR traffic detection;

• DNS tunnelling signatures;

• encrypted archive transfers;

• command-and-control beacon intervals.

Even when payloads are encrypted, metadata analysis remains powerful. A childcare organisation does not normally transmit gigabytes of archived child records to obscure external infrastructure at unusual hours. Suricata’s flow analysis and protocol logging can expose these operational inconsistencies. Had continuous network monitoring and alert triage been aggressively implemented, defenders may have identified staging or exfiltration behaviour before public leakage occurred.

Why Suricata Matters More in 2026 Than It Did in 2016

The security landscape has changed substantially.

Ten years ago, IDS deployments were often treated as compliance exercises. Alerts flooded analysts with low-confidence signatures, encrypted traffic reduced inspection visibility, and many organisations lacked the staffing to operationalise network telemetry. That environment is, simply puy, different today. Several factors have made Suricata considerably more valuable in contemporary defence architectures.

Encryption Has Increased the Importance of Metadata

TLS adoption initially appeared to weaken network detection. In reality, it shifted the focus toward behavioural analytics. Suricata’s support for JA3 and JA4 fingerprinting, TLS metadata inspection, certificate analysis, and traffic pattern monitoring allows defenders to identify suspicious encrypted sessions without decrypting payload content.

Threat actors increasingly rely on legitimate cloud infrastructure, short-lived VPS hosts, and encrypted command channels. Behavioural network analysis has therefore become essential.

Ransomware Operations Have Industrialised

Modern ransomware groups operate more like mature enterprises than isolated criminal actors. They use initial access brokers to purchase footholds into corporate environments, malware-as-a-service ecosystems to distribute tooling, automated reconnaissance frameworks to map infrastructure, and dedicated exfiltration utilities to steal data before encryption begins.

This industrialisation changes the defensive equation. Attack methodologies become repeatable. Infrastructure patterns recur across campaigns. Beaconing intervals, TLS fingerprints, DNS behaviours, and command-and-control techniques often appear across multiple victims because affiliates reuse tooling supplied by central operators.

That operational consistency creates detection opportunities. Suricata benefits directly from rapidly updated threat intelligence ecosystems. Community and commercial rulesets can identify emerging ransomware infrastructure within hours, allowing defenders to detect known malicious behaviours before encryption stages begin.

Equally important, Suricata allows analysts to build organisation-specific detections tailored to their own traffic baselines. A ransomware operator using legitimate administrative tools may evade generic malware signatures, but unusual east-west SMB traffic, abnormal PowerShell downloads, or unexplained archive transfers remain detectable through behavioural analysis.

This is one of the reasons network telemetry has regained strategic importance in ransomware defence. Attackers may rotate malware binaries constantly, but they still need to communicate, authenticate, enumerate, and exfiltrate.

And, obviously, those activities leave traces.

How could Kido have played out with Suricata in the ranks?

The 2025 Kido cyberattack demonstrated how modern extortion operations increasingly target organisations whose data carries significant emotional and reputational sensitivity. The reported exposure of information relating to children and families transformed the incident from a conventional breach into a wider safeguarding and trust crisis.

Incidents of this type reinforce an important reality for defenders: compromise prevention alone is no longer sufficient. Organisations must also focus on reducing attacker dwell time, identifying lateral movement quickly, and detecting exfiltration activity before public disclosure occurs.

This is where Suricata remains exceptionally relevant. Its ability to combine high-performance packet inspection with behavioural analysis, protocol decoding, and threat intelligence integration makes it one of the most effective open-source platforms for network-centric detection.

Suricata does not eliminate the need for endpoint protection, identity monitoring, or cloud security controls. Instead, it strengthens them by providing independent visibility into how attackers actually move through environments. In contemporary ransomware operations, that visibility can be decisive.

Whether the threat comes from commodity ransomware affiliates, cloud-focused intrusion groups, or sophisticated extortion campaigns, attackers ultimately depend on network communication to achieve their objectives. Suricata enables defenders to observe those interactions in real time, correlate them across systems, and intervene before operational disruption escalates into a full-scale crisis.

For cybersecurity specialists designing modern detection architectures, Suricata remains far more than a legacy IDS. Properly deployed and operationalised, it is a critical component of contemporary threat detection and incident response strategy.

Cloud and Hybrid Environments Need Independent Visibility

Many organisations mistakenly assume endpoint agents alone provide sufficient visibility in cloud-centric environments. However, attackers increasingly disable logging, tamper with agents, or exploit unmanaged infrastructure.

Suricata deployed in cloud VPC mirroring architectures, Kubernetes ingress paths, or hybrid transit networks provides an independent telemetry source resistant to endpoint manipulation. That independence is operationally important during incident response.

Operationalising Suricata Properly

Suricata is not a magic appliance. Poorly tuned deployments can produce overwhelming alert volumes or miss meaningful behavioural indicators. The difference between ineffective and highly effective deployments usually comes down to engineering maturity.

Successful implementations typically include:

• aggressive rule tuning;

• environment-specific baselining;

• integration with SIEM and SOAR pipelines;

• automated enrichment workflows;

• threat hunting processes;

• segmentation-aware deployment architecture;

• continuous signature management;

• performance optimisation through AF_PACKET, DPDK, or PF_RING.

Equally important is log retention and correlation.

Suricata’s EVE JSON outputs become significantly more valuable when combined with identity telemetry, endpoint logs, firewall records, cloud audit trails, and authentication events. In modern SOC operations, Suricata often acts as the connective tissue between infrastructure telemetry and adversary behaviour analysis.

Contemporary Attacks and Present-Day Relevance

The techniques observed in the Kido attack continue to appear across healthcare, education, retail, manufacturing, and local government sectors.

Attackers increasingly target organisations holding emotionally sensitive or operationally critical data because those organisations experience greater pressure to pay extortion demands. Suricata is particularly effective in these environments because it can expose the preparatory stages that occur before a catastrophic business impact.

In current attack campaigns, defenders regularly use Suricata to detect:

• infostealer malware communications;

• malicious OAuth token abuse;

• DNS tunnelling;

• encrypted malware beacons;

• ransomware affiliate reconnaissance;

• suspicious cloud API activity;

• exploit framework traffic;

• lateral movement over SMB and RDP;

• large-scale data staging operations.

Critically, modern security operations increasingly rely on layered visibility. No single control reliably stops sophisticated attackers. Endpoint detection can fail. Identity controls can be bypassed. Firewalls can be misconfigured.

Network telemetry remains difficult for attackers to avoid entirely. That is where Suricata retains enduring defensive value.

Conclusion

The 2025 Kido cyberattack demonstrated the reputational, operational, and human consequences of modern ransomware and extortion campaigns. The compromise reportedly exposed deeply sensitive information relating to children and families, underscoring how cyber incidents increasingly intersect with safeguarding, privacy, and public trust. Suricata would not necessarily have prevented the initial compromise. No serious security professional should claim that any single tool can do that.

What Suricata could have done, however, is significantly compress attacker dwell time. By exposing exploit traffic, lateral movement, command-and-control communications, suspicious protocol behaviour, and exfiltration activity, Suricata provides defenders with the opportunity to detect ransomware operations before they escalate into full-scale extortion crises.

That capability is increasingly important in an era where attackers monetise not only system disruption, but also the public exposure of sensitive human data. For cybersecurity specialists building resilient detection architectures in 2026, Suricata remains one of the most operationally relevant open-source tools available.

Detection Engineering and the Shift Toward Behavioural Analysis

One of the most important developments in modern security operations is the transition away from purely signature-centric thinking. Traditional IDS deployments were frequently criticised because analysts associated them with noisy alerts and high false-positive rates. In many environments, teams deployed signatures indiscriminately without understanding normal traffic baselines or operational context.

Contemporary Suricata deployments are increasingly tied to detection engineering practices instead. Rather than asking whether a single alert proves compromise, analysts use Suricata telemetry to identify behavioural chains. A single suspicious DNS may not matter in isolation. Combined with unusual SMB traversal, outbound encrypted archive uploads, and suspicious authentication activity, however, the telemetry becomes far more meaningful.

This analytical approach mirrors how sophisticated threat actors actually operate. Modern attacks rarely involve a single obvious malware execution event. Instead, adversaries blend legitimate tooling, compromised credentials, encrypted traffic, and cloud infrastructure into campaigns designed to appear operationally normal.

Suricata’s value therefore lies not only in identifying known malware but also in exposing inconsistencies in network behaviour. That distinction is especially important in sectors handling sensitive personal data.

In the Kido incident, the reputational impact stemmed not simply from operational disruption but from the exposure of highly sensitive information relating to children and families. In similar attacks today, the exfiltration phase often creates the greatest long-term organisational damage.

Behavioural detection at the network layer provides one of the few opportunities to identify those activities before public disclosure occurs.

Suricata and Threat Hunting Operations

Another reason Suricata has retained relevance is its usefulness beyond real-time alerting. Many mature SOCs now use Suricata as a retrospective hunting platform. Because EVE JSON logging captures rich protocol metadata, analysts can search historical records for indicators discovered after an intrusion becomes known. If threat intelligence identifies a malicious JA3 fingerprint, a suspicious domain, or a particular malware communication pattern, investigators can pivot across historical telemetry to determine whether compromise activity occurred weeks earlier.

This capability substantially improves incident response. Ransomware operators frequently maintain persistence inside environments long before encryption or extortion stages begin. Retrospective network analysis allows defenders to reconstruct timelines, identify affected systems, and understand attacker movement patterns.

In practical terms, Suricata often becomes one of the primary forensic data sources during post-compromise investigations.

The Strategic Advantage of Open Source Security Tooling

Suricata’s open-source model is another reason it remains influential. Commercial network detection and response platforms can provide extensive capabilities, but they also introduce licensing costs, proprietary telemetry limitations, and vendor dependency. Suricata offers a different operational model.

Security teams can:

• customise rulesets;

• integrate bespoke detections;

• deploy at cloud scale;

• inspect proprietary protocols;

• automate telemetry pipelines;

• tune performance for specialised environments.

For organisations with mature engineering capability, this flexibility is strategically valuable. The rapid pace of attacker adaptation means defensive tooling must evolve continuously. Open-source ecosystems frequently respond to emerging threats faster than slower commercial release cycles.

That responsiveness has become increasingly important as ransomware groups fragment into smaller affiliate networks using rapidly changing infrastructure.

Where Suricata Fits in a Modern Defensive Stack

Suricata should not be viewed as a replacement for endpoint detection, identity monitoring, or zero-trust architecture. Its strength lies in complementing those controls.

In mature environments, Suricata commonly operates alongside:

• endpoint detection and response platforms;

• cloud workload protection systems;

• identity threat detection tools;

• network segmentation controls;

• SOAR automation pipelines;

• deception infrastructure;

• threat intelligence platforms.

What makes Suricata uniquely valuable is its ability to observe the connective layer between systems.

Attackers ultimately have to communicate. Even sophisticated adversaries using encrypted channels, legitimate tooling, and stolen credentials generate network artefacts. Those artefacts may be subtle, but they remain observable when telemetry collection is sufficiently mature. This is precisely why network security monitoring continues to survive repeated predictions of its decline.

Final Assessment

The 2025 Kido cyberattack illustrated the evolving economics of cybercrime. Modern attackers increasingly target organisations whose data carries emotional, legal, or reputational leverage. Childcare providers, schools, healthcare organisations, and local authorities therefore face disproportionate extortion pressure.

In these environments, reducing attacker dwell time is operationally critical. Suricata directly supports that objective. Its combination of high-performance packet inspection, protocol analysis, behavioural visibility, and threat intelligence integration enables defenders to identify adversary activity across multiple stages of an intrusion lifecycle.

Most importantly, Suricata provides visibility independent of endpoint state or attacker-controlled credentials. That independence becomes invaluable once adversaries establish persistence inside an environment. The broader lesson from incidents like Kido is not that organisations need a single perfect security product. Rather, they need layered visibility capable of exposing attacker behaviour before extortion operations mature into full business crises.

Suricata remains one of the most effective open-source platforms for achieving that visibility.

In the interest of openness, the _secpro team would like to say that we have no ongoing association with Suricata or the Suricata team. Our assessment above is merely an assessment of the use of the tool, how it might have worked in the past, and how it could help today. To show that this isn’t a clever little marketing ploy, here are five other alternatives that can perform the same or a largely similar role to Suricata, and we would happily recommend them in its place as well:

• Arkime

• Security Onion

• Snort

• Wazuh (see our own assessment below)

• Zeek

  ---

Further reading

And, of course, this kind of knowledge doesn’t come easily and is often hard-won. In fact, it is often hard-won and then quickly becomes out of date as the threat landscape changes. Because of that, understanding practical approaches to cybersecurity and being able to flex your practical chops when the pressure is on is at the heart of becoming a successful practitioner today.

And who better to ask about this than someone sitting on the frontlines?

Hack Before You Launch is a practical, live workshop designed for developers, indie hackers and fast-moving builders who are using AI tools like ChatGPT and Copilot or simply plugging in and vibe coding to build and ship products faster than ever. While AI can accelerate development, it can also introduce hidden security vulnerabilities that often go unnoticed until it’s too late. In this session, ethical hacker Dr. Katie Paxton-Fear will demonstrate exactly how AI-generated applications can be exploited in the real world—and, more importantly, how to fix those issues before attackers find them first.

This is not a theoretical webinar. Attendees will watch a real AI-built application being tested for authentication flaws, prompt injection risks, and insecure data handling. Katie will walk through how attackers think, how vulnerabilities are uncovered, and the practical steps developers can take to protect their apps before launch. By the end of the session, participants will leave with a clear pre-launch security checklist and a better understanding of whether their product is truly ready to ship.

What you need to know

• Learn how AI-generated applications can introduce hidden security vulnerabilities

• Watch a live demonstration of real-world exploits, including authentication flaws and prompt injection

• Understand how attackers identify and exploit weaknesses in applications

• Discover practical, lightweight methods for identifying and fixing security issues

• Leave with a simple pre-launch security checklist to use before deploying your app

• Ideal for developers, indie hackers, startup founders, and anyone building with AI-assisted code tools

Important event information

• Date: Saturday, 30 May

• Time: 10:00 AM – 11:30 AM

• Duration: 1 hour 30 minutes

• Speaker: Dr. Katie Paxton-Fear

Join us to get a step ahead

And while we’re waiting for that, maybe it’s time to think about a particular tool which could come in handy—perhaps something that we looked at in brief last week.

How Using Wazuh Gets You Ahead

1. Install Wazuh Agents Across Endpoints

The first step in using Wazuh is deploying Wazuh agents on all important endpoints, including staff laptops, servers, domain controllers, cloud systems, and databases. These lightweight agents continuously collect security logs and monitor system activity such as logins, file access, software installations, and system changes.

For example, in a school or healthcare environment, agents would be installed on systems containing safeguarding records or patient information. This ensures all activity involving sensitive data is monitored in real time.

The main benefit of Wazuh here is visibility. Many organisations only monitor firewalls or antivirus alerts, leaving endpoints largely unprotected. Wazuh closes this gap by providing direct insight into what is happening on every critical device, making hidden threats much easier to detect.

2. Configure Log Collection and Centralised Monitoring

Once agents are installed, Wazuh collects logs from across the environment and sends them to the central Wazuh manager. This includes Windows Event Logs, Linux authentication logs, cloud service logs, VPN access records, and third-party platform activity.

Instead of security teams checking multiple systems separately, everything is centralised into one dashboard. For example, if a user logs into Microsoft 365, accesses a local server, and downloads files from a cloud database, Wazuh can correlate these events together.

The benefit is efficiency and context. Attackers often move across multiple systems, and isolated logs may not appear suspicious on their own. Wazuh improves detection by connecting those events into a single security story.

3. Create Detection Rules for Suspicious Behaviour

Wazuh becomes most effective when custom detection rules are configured. These rules identify behaviours that suggest compromise, such as repeated failed login attempts, logins from unusual countries, privilege escalation, or mass file downloads.

For example, if a staff account logs in from another country at 2:00 AM and starts exporting hundreds of child protection records, Wazuh can immediately generate an alert. This is known as anomaly detection.

The benefit is early warning. Rather than discovering a breach after data is stolen, security teams can investigate while the attack is still in progress. This can prevent a minor incident from becoming a major public breach.

4. Monitor Privileged Accounts and Administrative Actions

One of the most important uses of Wazuh is monitoring administrator accounts and privileged users. Attackers frequently target these accounts because they provide access to the most sensitive systems.

Wazuh can detect suspicious administrative activity such as new account creation, privilege escalation, unauthorised password resets, disabling security tools, or attempts to delete audit logs.

In the Kido attack scenario, if attackers gained access through stolen credentials from a third-party supplier, Wazuh could have flagged unusual administrator behaviour long before large-scale data theft occurred.

The major benefit here is containment. Privileged account misuse causes the most damage during breaches, and Wazuh helps organisations identify abuse before attackers gain full control.

5. Use File Integrity Monitoring for Sensitive Data

Wazuh also includes File Integrity Monitoring (FIM), which tracks changes to important files, folders, and configurations. This is especially useful for organisations storing highly sensitive records such as safeguarding reports, HR files, or financial data.

For example, if confidential child records are copied, deleted, or altered unexpectedly, Wazuh can alert security staff immediately. It can also detect ransomware behaviour by identifying large numbers of file changes happening rapidly.

The benefit is direct protection of critical data. Instead of simply monitoring user behaviour, Wazuh watches the files themselves, helping prevent both insider threats and external attacks.

6. Investigate Alerts and Respond Quickly

The final step is using Wazuh dashboards and reports to investigate alerts and respond quickly. Alerts are prioritised by severity, allowing security teams to focus on the highest-risk activity first.

For example, repeated failed logins followed by a successful login from an unusual location may indicate credential theft. Security teams can then disable the account, isolate the affected system, and begin incident response before records are stolen.

This solves one of the biggest cybersecurity problems: delayed breach discovery. Many organisations only realise they were attacked after data appears online or regulators become involved.

The greatest benefit of Wazuh is proactive defence. It shifts security from reactive investigation to real-time prevention, reducing financial loss, reputational damage, and regulatory consequences.

Don’t forget to sign up for our upcoming Hack Before You Launch event!

Further reading

1. OWASP – Prompt Injection
   A clear primer on one of the biggest risks in AI-assisted development: prompt injection. This explains how attackers manipulate LLM behaviour, why it matters for developers using tools like ChatGPT and Copilot, and how to test for it during development. Particularly useful ahead of Katie’s live exploit demonstrations.

2. OWASP Top 10 for LLM Applications – LLM01: Prompt Injection
   A more technical deep dive into why prompt injection remains the number one security risk for LLM-powered applications. Ideal for readers who want to move beyond basic awareness and understand why traditional security assumptions break down when building AI-driven products.

3. Wazuh – File Integrity Monitoring
   A practical guide to one of Wazuh’s most valuable defensive features. This resource explains how File Integrity Monitoring works, how checksums and baselines are used, and why monitoring sensitive files can help prevent ransomware, insider threats, and silent data theft.

4. Wazuh – Real-Time Monitoring and FIM Configuration
   For readers wanting to implement the steps discussed in the newsletter, this covers how to configure real-time monitoring, directory tracking, and alerting. It’s especially useful for security teams looking to move from reactive investigations to proactive detection.

5. ITPro – Vibe Coding Security Risks and How to Mitigate Them
   A strong overview of the risks introduced by “vibe coding” and AI-generated applications. It covers insecure code generation, poor authentication logic, weak dependency choices, and the importance of treating AI-generated code as untrusted until properly reviewed and tested.

6. Microsoft Learn – Threat Modeling for Generative AI Applications
   A strong resource for developers building AI-assisted products who need to think beyond code generation and into security architecture. It covers how to identify attack paths, trust boundaries, prompt injection risks, and unsafe tool access before deployment—perfect preparation for a “hack before launch” mindset.

7. NIST AI Risk Management Framework (AI RMF)
   For readers who want the strategic layer behind practical security work, NIST’s AI RMF helps teams think about governance, risk ownership, security controls, and operational resilience for AI-enabled systems. Especially useful for startup founders and security leads trying to formalise lightweight security processes.

8. Semgrep – Security Rulez: Should AppSec Engineers Still Learn AppSec?
   Dr. Katie Paxton-Fear joins this discussion on how application security changes in the AI era. It explores whether security engineers should become orchestrators of AI agents rather than traditional tool users, and what modern AppSec teams should focus on as automation increases.

A strong example of this is the 2025 cyberattack against Kido International, a nursery and early-years education provider based in Greater London. The attack exposed sensitive personal information involving around 8,000 children and staff, including names, addresses, dates of birth, photographs, and parent contact details. Some of this information was reportedly posted on a dark web leak site, making the incident even more serious.

This attack showed how dangerous modern ransomware and data theft attacks can be. It also raised an important question: could stronger cybersecurity tools have helped prevent the damage?

The answer is yes.

Instead of focusing on expensive commercial security platforms, many organisations can improve protection using powerful open-source cybersecurity tools. Open-source tools are software programs whose code is publicly available, meaning organisations can use, inspect, and improve them without expensive licensing fees. While they still require skilled setup and management, they can provide excellent security when used correctly. Tools such as Wazuh, Suricata, TheHive, MISP, and Velociraptor could have helped reduce the impact of the Kido International attack—or possibly stopped it much earlier.

And that’s important when it comes to development too, including faster tools like Hubspot’s Spotlight.

See what's new for the HubSpot Developer Platform! Ship faster with AI coding tools like Cursor, Claude Code, and Codex. Build MCP-powered AI connectors, run serverless functions with support for UI extensions, and use date-based versioning to streamline roadmap planning.

Take a peek today

Understanding the Kido International Cyberattack

In 2025, Kido International suffered a serious cyberattack believed to involve ransomware and data theft. Attackers reportedly gained access to systems connected to a third-party platform used for storing and sharing children’s photos and developmental records with parents. This is known as a third-party compromise, where hackers target a connected supplier or service provider instead of attacking the main company directly.

The attackers were able to steal sensitive information, including children’s personal profiles. Some of that data was later posted online as part of what appears to be a double extortion ransomware attack. In double extortion, criminals not only encrypt files but also steal data and threaten to release it publicly unless payment is made.

This type of attack is especially harmful because the victims are children. Unlike passwords, personal identity information cannot simply be changed. Families may face privacy and safeguarding concerns for years. Because Kido handles highly sensitive personal data, the incident also created serious legal concerns under UK GDPR and child safeguarding responsibilities.

The main lesson from this breach is clear: early detection and fast response are critical. That is where open-source cybersecurity tools could have made a major difference.

Tool 1: Wazuh for Threat Detection and Monitoring

Wazuh is one of the most powerful open-source security monitoring platforms available today. It combines features of a SIEM (Security Information and Event Management) system with endpoint detection and response (EDR) capabilities. In simple terms, Wazuh collects logs and security events from computers, servers, cloud systems, and user accounts. It then looks for suspicious activity.

For example, if a staff account suddenly logs in from another country at 2:00 AM and starts downloading hundreds of child records, Wazuh can trigger an alert. This is called anomaly detection.

In the Kido attack, if the attackers used stolen credentials through a third-party platform, Wazuh could have detected:

• unusual login locations

• repeated failed login attempts

• privilege escalation

• large file exports

• suspicious administrative activity

Instead of discovering the breach after data was stolen, Kido’s security team could have investigated during the early stages of compromise. This early warning is often the difference between a minor security event and a major public breach.

Tool 2: Suricata for Network Intrusion Detection

Suricata is an open-source Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). Its job is to monitor network traffic and identify malicious behaviour. Think of it like a security guard watching every packet of data entering and leaving the network.

Suricata can detect:

• suspicious file transfers

• command-and-control traffic

• ransomware communication patterns

• known malicious IP addresses

• unusual outbound data transfers

In the Kido breach, attackers likely needed to move stolen data outside the network. This is called data exfiltration. Suricata could have identified unusual outbound traffic—such as large encrypted transfers to suspicious external servers—and alerted administrators immediately. If configured with prevention rules, it could even block some of that traffic automatically.

This would reduce the amount of stolen information and limit the attackers’ success.

Tool 3: TheHive for Faster Incident Response

Detecting an attack is only half the battle. The next challenge is responding quickly. TheHive is an open-source incident response platform designed for Security Operations Center (SOC) teams. It helps security analysts manage investigations, assign tasks, track incidents, and document every step of the response process.

When an alert appears, TheHive helps answer critical questions:

• What happened?

• Which systems are affected?

• Is the attacker still inside?

• What should be isolated first?

Without a structured incident response platform, teams often waste time checking multiple dashboards and sending emails. During the Kido attack, TheHive could have helped by:

• assigning urgent investigation tasks

• tracking compromised accounts

• managing containment steps

• documenting actions for legal and regulatory reporting

This improves Mean Time to Respond (MTTR), which is a key cybersecurity performance measurement. The faster the response, the less damage the attackers can cause.

Tool 4: MISP for Threat Intelligence Sharing

MISP stands for Malware Information Sharing Platform. It helps organisations collect and share information about cyber threats. For example, if another education provider had already seen the same attacker group, MISP could provide:

• malicious IP addresses

• phishing domains

• ransomware file hashes

• attacker techniques

• known indicators of compromise (IOCs)

This intelligence allows organisations to prepare before they are attacked. In Kido’s case, if the ransomware group had targeted similar education providers first, MISP could have helped identify the warning signs earlier. Threat intelligence is valuable because attackers often reuse infrastructure and techniques. Stopping a known attacker is much easier than discovering them from scratch.

Tool 5: Velociraptor for Digital Forensics

After a breach begins, investigators must understand exactly what happened. Velociraptor is an open-source digital forensics and endpoint investigation platform.

It helps analysts examine infected systems and answer questions such as:

• Which files were accessed?

• Which user account was compromised first?

• Did malware execute successfully?

• Is persistence still active?

• What data was stolen?

This is called digital forensics and incident response (DFIR). In the Kido breach, Velociraptor could have helped identify the attacker’s path through the environment and confirm whether the attackers still had access. This is critical because incomplete investigations often lead to repeat attacks. You cannot fully remove an attacker if you do not understand how they entered.

Why Open-Source Tools Matter

Many people assume good cybersecurity must be expensive. That is not always true.

Commercial platforms like CrowdStrike, Microsoft Defender, or Palo Alto Networks XDR are powerful, but they can be very costly for schools, nurseries, and smaller organisations. Open-source tools provide a strong alternative. Their advantages include:

• lower licensing costs

• flexibility and customization

• strong community support

• transparency in how they work

• integration with other platforms

However, they also require skilled staff to deploy and manage them properly. Open-source does not mean “easy.” Without proper configuration, even the best tools will fail. Security depends on people, processes, and technology working together.

Final Thoughts

The Kido International cyberattack was a serious reminder that cybercrime affects everyone, not just large corporations. When children’s personal data is exposed, the consequences are personal, emotional, and long-lasting. This breach likely involved third-party access, data theft, and ransomware-style extortion. It showed how attackers use weak points in trusted systems to cause major damage.

Open-source cybersecurity tools such as Wazuh, Suricata, TheHive, MISP, and Velociraptor could have helped by detecting suspicious behaviour earlier, monitoring network traffic, speeding up incident response, sharing threat intelligence, and improving forensic investigation.

No security tool can guarantee perfect protection. But stronger visibility, faster response, and better preparation can turn a major disaster into a manageable security incident. That is the real goal of cybersecurity: not just reacting after the breach, but preventing the breach from becoming tomorrow’s headline.

Open-Source Cybersecurity Tools Mentioned in the Article

1. Wazuh

Purpose: SIEM + Endpoint Detection and Response (EDR)
Best for: Log monitoring, threat detection, compliance monitoring, endpoint visibility

Key Uses:

• Detect unusual logins

• Monitor endpoints and servers

• File integrity monitoring

• Security alerts and compliance reporting

2. Suricata

Purpose: Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)
Best for: Network traffic monitoring and malicious traffic detection

Key Uses:

• Detect ransomware traffic

• Monitor suspicious outbound connections

• Identify malicious IP communication

• Detect data exfiltration attempts

3. TheHive

Purpose: Incident Response Platform / Case Management
Best for: Security Operations Center (SOC) workflows

Key Uses:

• Incident investigation

• Alert triage

• Task assignment

• Breach documentation

• Regulatory reporting support

4. MISP

Purpose: Threat Intelligence Sharing Platform
Best for: Indicators of Compromise (IOC) management

Key Uses:

• Threat intelligence sharing

• Malware indicators

• Known attacker infrastructure tracking

• Phishing domain detection

5. Velociraptor

Purpose: Digital Forensics and Incident Response (DFIR)
Best for: Endpoint investigation and breach analysis

Key Uses:

• Investigate compromised systems

• Detect attacker persistence

• Malware analysis support

• Incident timeline reconstruction

Alternative Open-Source Cybersecurity Tools

6. Security Onion

Purpose: Network Security Monitoring (NSM) Platform

Why Use It: Security Onion combines multiple tools like Suricata, Zeek, and Elasticsearch into one security monitoring platform.

Best for: Full network visibility and SOC operations

7. Zeek

Purpose: Network Analysis and Threat Detection

Why Use It: Zeek focuses on deep network visibility and protocol analysis rather than signature-only detection.

Best for: Advanced network investigations

8. OpenVAS

Purpose: Vulnerability Scanning

Why Use It: Helps identify unpatched systems, weak configurations, and known security vulnerabilities.

Best for: Preventing attacks before they happen

9. OSQuery

Purpose: Endpoint Monitoring Using SQL Queries

Why Use It: Allows security teams to query endpoints like databases for suspicious activity.

Best for: Threat hunting and endpoint visibility

10. YARA

Purpose: Malware Detection Rules Engine

Why Use It: Used to identify malware families and suspicious files based on known patterns.

Best for: Malware analysis and threat hunting

11. ClamAV

Purpose: Open-Source Antivirus Engine

Why Use It: Provides malware scanning for files, email attachments, and servers.

Best for: Basic malware detection

12. Fail2Ban

Purpose: Intrusion Prevention Tool

Why Use It: Blocks repeated failed login attempts and brute-force attacks automatically.

Best for: Server and SSH protection

Infisical is an open-source secrets management platform that gives you one place to see every secret, who can access it, and when it was last rotated. No more chasing down answers. No more being the person who doesn’t know. Trusted by security teams at Hugging Face, Lucid Software, and more.

Start for Free Today

Welcome to another _secpro!

This week, we learn about how to use Lilith, get acquainted with the landscape in the context of the Iranian crisis, and take a look at the intriguing, possibly slightly terrifying world of quantum cybersecurity - don’t miss out!

Investigative Matters

Last week, we asked you - the audience - to give us a heads up on which tool you would like to learn about. After much deliberation, we have found out that our readers want to know a little bit more about Lilith.

Of course, this isn’t a beginner-friendly tool (for that, you might want to look at Metasploit or other more mainstream, accessible tools), however it’s always good to dip your toes into the water with more difficult tools. Take a look at our “beginner’s guide” (but not really for beginners) and see if you can take this valuable and potentially dangerous tool out for a test drive.

News Byte

APT28 Exploiting Routers for DNS Hijacking: Russian state-linked group APT28 is abusing vulnerable routers to perform DNS hijacking, enabling adversary-in-the-middle attacks that steal credentials and authentication tokens at scale.

Iran-Linked Handala Wipes 80,000 Devices via Intune: A single compromised admin credential was used to issue mass remote wipes through Microsoft Intune, demonstrating the destructive potential of identity-centric attacks without malware.

Paste-and-Run Attacks Dominate Initial Access: “ClickFix” social engineering—tricking users into executing clipboard-delivered commands—has become a leading initial access vector, bypassing traditional detection controls.

Mac Infostealers Surge with New Obfuscation Techniques: Atomic Stealer and MacSync Stealer are rising sharply, using AppleScript obfuscation and fake Homebrew prompts to exfiltrate credentials, crypto wallets, and Keychain data.

Vidar Infostealer Returns with Enhanced Evasion: The Vidar malware family has resurfaced with improved anti-analysis techniques and browser injection capabilities following disruption of competing stealers.

SparkCat Malware Expands to Western Targets: A mobile infostealer leveraging OCR to extract crypto seed phrases from screenshots now targets English-speaking users and uses code virtualization for stealth.

Axios Supply Chain Attack via Social Engineering: North Korean actors compromised a maintainer account using fake Teams/Slack interactions, publishing malicious npm packages affecting a widely used HTTP library.

Claude Code Leak Weaponized with Malware: Attackers are distributing trojanized versions of leaked developer tooling, embedding infostealers into widely shared GitHub repositories.

Rise of “Espionage Ecosystems”: Advanced persistent threats are evolving into coordinated ecosystems using AI, fileless malware, and behavioral mimicry for long-term stealth persistence in enterprise networks

Iran-Linked Cyber Operations Persist Despite Ceasefire: Threat actors continue targeting infrastructure and ICS environments, indicating sustained geopolitical cyber activity independent of kinetic conflict pauses.

Taking a look at the academy

Quantum computers could crack cybersecurity systems before 2030 (Jacob Smith):
Explores recent research indicating that advances in quantum computing may render current public-key cryptographic systems obsolete within this decade, forcing urgent migration toward post-quantum cryptography.

AI Helped Spark a Quantum Breakthrough Impacting Encryption: Reports on newly published papers showing AI-assisted breakthroughs accelerating quantum capabilities, with direct implications for breaking modern encryption schemes earlier than expected.

Agentic AI and Cybersecurity Risk Landscape: Examines how frontier AI systems may disproportionately empower attackers over defenders in the near term, reshaping threat models and requiring new defensive paradigms.

Integrating AI-Blockchain Framework with Spider Monkey Optimization for IoMT Security (M. N. Alatawi et al.): Proposes a hybrid AI-blockchain architecture to secure Internet of Medical Things (IoMT) environments, improving resilience against data breaches and unauthorized access.

Cybersecurity Governance under the Jordanian National Cyber Security Framework (JNCSF) (multiple authors, MDPI Journal of Cybersecurity and Privacy): Analyzes governance structures and policy effectiveness in national cybersecurity frameworks, highlighting implementation gaps and optimization strategies.

Future Directions in Cyber Security: Trends, Threats, and Strategic Countermeasures (ResearchGate preprint, March–April 2026 circulation): Identifies emerging threats driven by cloud, AI, and digital transformation, proposing adaptive and layered defense strategies for modern enterprises.

AI-Driven Cybersecurity: Offensive vs Defensive Advantage (Berkeley/industry collaborative research briefing): Argues that AI lowers barriers to entry for cyber attackers more than defenders, emphasizing the need for automated defense orchestration and policy reform.

Cybersecurity Implications of Accelerated AI Adoption in Cloud Systems (PDF): Investigates how AI-driven cloud deployments introduce misconfiguration risks, identity vulnerabilities, and expanded attack surfaces requiring new security models.

Post-Quantum Security Urgency: Cryptographic Transition Challenges: Reviews current academic work on transitioning to quantum-resistant cryptography, highlighting scalability, interoperability, and implementation barriers.

Lilith is a C++-based remote administration tool (RAT) that demonstrates how low-level system control and command-and-control (C2) mechanisms are implemented. It is not a consumer-ready framework but rather a developmental or educational codebase that exposes the mechanics behind remote access tooling.

From a cybersecurity perspective, tools like Lilith are studied because they mirror real-world attacker capabilities. Understanding how such tools operate—how they execute commands, persist on systems, and communicate over networks—enables defenders to recognise these behaviours in the wild. This knowledge directly supports threat detection, incident response, and the development of defensive controls.

What you need before using Lilith

To work effectively with Lilith, you need a working understanding of C++, operating system internals (particularly Windows), and networking concepts such as sockets and client-server communication. Without this foundation, the codebase will be difficult to interpret or modify.

A controlled lab environment is essential, typically consisting of one or more virtual machines. This isolates experimentation from production systems and prevents accidental exposure or security incidents. Using a virtualised lab also allows you to safely simulate attacker and defender scenarios, which is critical for building practical defensive skills.

Installing & building Lilith

Cloning and compiling the repository is the first step in interacting with the tool. This process forces you to engage directly with the source code rather than relying on precompiled binaries, which is important for both transparency and learning.

Compiling the project helps you understand dependencies, build configurations, and how the executable is structured. From a defensive standpoint, this process mirrors how analysts reconstruct malware from source or rebuild samples to study their behaviour, which is a common practice in malware analysis and reverse engineering.

Understanding the architecture

Lilith follows a standard RAT architecture consisting of a controller (operator) and a client (target system). The controller issues commands, and the client executes them and returns results. Communication typically occurs over a network socket, forming a basic command-and-control channel.

Understanding this architecture is fundamental to cybersecurity because many real-world threats use similar models. By studying how commands are transmitted, parsed, and executed, defenders can identify indicators such as unusual outbound connections, command patterns, or unauthorised process activity. This knowledge is essential for building detection rules and monitoring strategies.

Running Lilith

Running Lilith involves configuring a connection endpoint, launching a listener on the operator side, and executing the client on a target system. Once connected, the operator can issue commands remotely.

This workflow demonstrates how attackers establish footholds and maintain control over compromised systems. By replicating this process in a lab, you gain insight into how unauthorised access is initiated and sustained. This directly informs defensive practices such as network segmentation, endpoint monitoring, and intrusion detection, all of which are designed to disrupt or detect these workflows.

How to learn effectively with Lilith

Lilith is most valuable as a code analysis and experimentation platform. By tracing execution paths, inspecting how commands are handled, and modifying functionality, you gain a deeper understanding of how remote access tools are constructed.

This hands-on approach is critical for developing advanced defensive skills. Security professionals often need to analyse unfamiliar binaries or reverse engineer malicious tools. Practising with a known codebase like Lilith builds the analytical skills required to identify malicious logic, uncover hidden functionality, and anticipate attacker behaviour.

Defensive learning applications

Studying Lilith enables you to simulate attacker techniques and observe their artefacts on a system and network. This includes process creation, file changes, registry modifications, and network traffic patterns.

These observations are directly applicable to defensive operations. For example, you can create detection signatures, develop monitoring baselines, and test endpoint detection and response (EDR) tools. By understanding what malicious activity looks like at a technical level, you improve your ability to detect and respond to real threats, thereby strengthening the protection of organisational assets.

Risks and legal considerations

Lilith is a dual-use tool, meaning it can be used for both legitimate research and malicious activity. Operating such tools outside of a controlled and authorised environment can lead to legal consequences and security risks.

Adhering to strict ethical and legal boundaries ensures that your work contributes to security rather than undermines it. Responsible use—limited to personal labs or explicitly authorised environments—allows you to safely develop skills while maintaining compliance with laws and organisational policies. This discipline is a core requirement for any cybersecurity professional.

Key takeaway for beginners

Lilith is not designed as a beginner-friendly operational tool but as a learning resource for understanding how remote administration and command-and-control systems function at a low level. Its value lies in exposing implementation details rather than providing ease of use.

For asset protection, this depth of understanding is critical. High-level tools can obscure how attacks actually work, whereas studying a project like Lilith reveals the underlying mechanics. This enables you to move beyond surface-level defences and build more robust detection and mitigation strategies grounded in real attacker techniques.

This week, we learn about how to use Lilith, get acquainted with the landscape in the context of the Iranian crisis, and take a look at the intriguing, possibly slightly terrifying world of quantum cybersecurity - don’t miss out!

Investigative Matters

Last week, we asked you - the audience - to give us a heads up on which tool you would like to learn about. After much deliberation, we have found out that our readers want to know a little bit more about Lilith.

Of course, this isn’t a beginner-friendly tool (for that, you might want to look at Metasploit or other more mainstream, accessible tools), however it’s always good to dip your toes into the water with more difficult tools. Take a look at our “beginner’s guide” (but not really for beginners) and see if you can take this valuable and potentially dangerous tool out for a test drive.

Check it out!

News Byte

APT28 Exploiting Routers for DNS Hijacking: Russian state-linked group APT28 is abusing vulnerable routers to perform DNS hijacking, enabling adversary-in-the-middle attacks that steal credentials and authentication tokens at scale.

Iran-Linked Handala Wipes 80,000 Devices via Intune: A single compromised admin credential was used to issue mass remote wipes through Microsoft Intune, demonstrating the destructive potential of identity-centric attacks without malware.

Paste-and-Run Attacks Dominate Initial Access: “ClickFix” social engineering—tricking users into executing clipboard-delivered commands—has become a leading initial access vector, bypassing traditional detection controls.

Mac Infostealers Surge with New Obfuscation Techniques: Atomic Stealer and MacSync Stealer are rising sharply, using AppleScript obfuscation and fake Homebrew prompts to exfiltrate credentials, crypto wallets, and Keychain data.

Vidar Infostealer Returns with Enhanced Evasion: The Vidar malware family has resurfaced with improved anti-analysis techniques and browser injection capabilities following disruption of competing stealers.

SparkCat Malware Expands to Western Targets: A mobile infostealer leveraging OCR to extract crypto seed phrases from screenshots now targets English-speaking users and uses code virtualization for stealth.

Axios Supply Chain Attack via Social Engineering: North Korean actors compromised a maintainer account using fake Teams/Slack interactions, publishing malicious npm packages affecting a widely used HTTP library.

Claude Code Leak Weaponized with Malware: Attackers are distributing trojanized versions of leaked developer tooling, embedding infostealers into widely shared GitHub repositories.

Rise of “Espionage Ecosystems”: Advanced persistent threats are evolving into coordinated ecosystems using AI, fileless malware, and behavioral mimicry for long-term stealth persistence in enterprise networks

Iran-Linked Cyber Operations Persist Despite Ceasefire: Threat actors continue targeting infrastructure and ICS environments, indicating sustained geopolitical cyber activity independent of kinetic conflict pauses.

Taking a look at the academy

Quantum computers could crack cybersecurity systems before 2030 (Jacob Smith):
Explores recent research indicating that advances in quantum computing may render current public-key cryptographic systems obsolete within this decade, forcing urgent migration toward post-quantum cryptography.

AI Helped Spark a Quantum Breakthrough Impacting Encryption: Reports on newly published papers showing AI-assisted breakthroughs accelerating quantum capabilities, with direct implications for breaking modern encryption schemes earlier than expected.

Agentic AI and Cybersecurity Risk Landscape: Examines how frontier AI systems may disproportionately empower attackers over defenders in the near term, reshaping threat models and requiring new defensive paradigms.

Integrating AI-Blockchain Framework with Spider Monkey Optimization for IoMT Security (M. N. Alatawi et al.): Proposes a hybrid AI-blockchain architecture to secure Internet of Medical Things (IoMT) environments, improving resilience against data breaches and unauthorized access.

Cybersecurity Governance under the Jordanian National Cyber Security Framework (JNCSF) (multiple authors, MDPI Journal of Cybersecurity and Privacy): Analyzes governance structures and policy effectiveness in national cybersecurity frameworks, highlighting implementation gaps and optimization strategies.

Future Directions in Cyber Security: Trends, Threats, and Strategic Countermeasures (ResearchGate preprint, March–April 2026 circulation): Identifies emerging threats driven by cloud, AI, and digital transformation, proposing adaptive and layered defense strategies for modern enterprises.

AI-Driven Cybersecurity: Offensive vs Defensive Advantage (Berkeley/industry collaborative research briefing): Argues that AI lowers barriers to entry for cyber attackers more than defenders, emphasizing the need for automated defense orchestration and policy reform.

Cybersecurity Implications of Accelerated AI Adoption in Cloud Systems (PDF): Investigates how AI-driven cloud deployments introduce misconfiguration risks, identity vulnerabilities, and expanded attack surfaces requiring new security models.

Post-Quantum Security Urgency: Cryptographic Transition Challenges: Reviews current academic work on transitioning to quantum-resistant cryptography, highlighting scalability, interoperability, and implementation barriers.

As AI systems rapidly move into production, one critical question remains: how secure are they, really? The AI Red & Blue Teaming Summit is a hands-on, practitioner-focused virtual event designed to answer exactly that.

Taking place on April 17th and 18th, this two-day summit brings together security professionals, AI engineers, and risk leaders to explore how modern AI systems are attacked and how to defend them effectively.

Secure Your Spot Today!

Newsletter Reader Exclusive

As a newsletter reader, you can access an exclusive 40% discount on your ticket. Of course, this offer won’t last forward - you’ve got just 48 hours to take advantage of this offer that puts you ahead of the game.

Book Now and Get 40% Off!

This is a limited-time offer, ideal if you’re looking to build or strengthen your AI security capabilities with practical, immediately applicable skills. If you’re responsible for securing AI systems—or preparing for the risks they introduce—this is one of the most practical events you can attend this year.

The event is structured across two complementary tracks:

Day 1: Red Teaming

Simulate real-world attacks on AI systems, including prompt injection, jailbreaks, and agent-based exploitation. Join John Sotiropoulos, Katie Paxton-Fear, Tim Rains, and Will Thomas to take steps forward in the offensive game.

Day 2: Blue Teaming

Translate those attack insights into defensive strategies by building detection rules, incident response playbooks, and actionable security roadmaps. Join Yuri Diogenes, Mark Simos, Matthew Rosenquist, and David Okeyode to set up proper defenses and keep the adversary out.

Built around frameworks like OWASP’s LLM Top 10 and MITRE ATT&CK, the summit emphasizes hands-on labs, practical exercises, and real-world application, not just theory and not just water cooler talk-pieces.

Speaker Spotlight

Hear directly from leading voices in AI security and adversarial testing:

Yuri Diogenes – A globally recognized cybersecurity expert specializing in AI security, threat modeling, and zero trust architectures.

Katie Paxton-Fear – Security researcher and educator known for making complex offensive security concepts accessible and actionable.

Will Thomas – Practitioner focused on real-world AI system defense and operational security strategies.

John Sotiropoulos– Bringing deep expertise in enterprise security and applied AI risk management.

Matthew Rosenquist – Focused on how AI is reshaping the threat landscape and accelerating both attacker and defender capabilities.

Together, they represent a cross-section of offensive, defensive, and strategic perspectives on securing AI in production environments.

Secure Your Spot Today

As AI rapidly reshapes the cybersecurity landscape, security professionals are being pushed into unfamiliar territory—where models, data pipelines, and adversarial machine learning become part of the threat surface. This week’s edition is designed to help you navigate that shift.

We’re kicking things off with AI Security 101 (from our sister publication, cyber_ai), a structured series covering everything from the fundamentals of machine learning in security to emerging risks like adversarial attacks, AI-driven offensive techniques, and governance challenges. Whether you’re just getting started or looking to operationalize AI securely, this provides a practical foundation.

Beyond that, we’re expanding The Library with curated tools, frameworks, and resources to accelerate your workflow, alongside News Bytes tracking a sharp rise in global cyber activity—from AI-driven threats to geopolitical escalation. Finally, we highlight key perspectives from across the blogosphere, including frameworks for AI risk scoring, chatbot security controls, and insights into the evolving cybersecurity market.

If you’re building, defending, or evaluating AI systems, this edition will give you both the context and the tools to stay ahead.

Subscribe now

Share

Leave a comment

If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!

Cheers!
Austin Miller
Editor-in-Chief

Check out our AI Security 101 articles

AI Security is the new frontier that stands before many of us in this industry. It’s hardly a surprise that cybersecurity has undergone a substantial change in light

1. What “Cybersecurity AI” Actually Means

2. Machine Learning 101 for Security Professionals

3. Threat Detection with AI: From Rules to Models

4. Adversarial Machine Learning Basics

5. What LLMs Can Do in Cybersecurity

6. Securing AI Models and Pipelines

7. AI-Enhanced Offensive Techniques

8. Privacy and Data Protection in AI Systems

9. AI Governance, Ethics, and Risk Management

10. Building a Security-Aware AI Workflow

The Library

You asked for tools and tutorials, so here are some tools and tutorials.

Each week, we’ll look at a selection of tools concerning AI and cybersecurity. Cast your vote for your favourite tool and we’ll share a quick tutorial on how to get started and how to get the most out of it the next week.

fr0gger/Awesome-GPT-Agents: A curated list of GPT agents for cybersecurity.

awesome-cybersecurity-blueteam: A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.

Anthropic-Cybersecurity-Skills: More than 730 structured cybersecurity skills for AI agents, covering MITRE ATT&CK, agentskills.io open standard, and works with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI & over 20 other platforms.

Lilith: A foundational reverse engineering resource for cybersecurity entrepreneurs in C++.

flowsint: A modern platform for visual, flexible, and extensible graph-based investigations. For cybersecurity analysts and investigators.

Dojo-101: “An offline cybersecurity knowledge base.”

News Bytes

Iran-Linked Cyber Activity Escalates with Wiper Risk (Unit 42): Analysis shows a surge in destructive cyber operations tied to Middle East conflict, including thousands of phishing URLs, mobile malware delivery via fake alert apps, and increased likelihood of wiper attacks targeting high-value infrastructure.

Intelligence Report Highlights Raton RAT & INC Ransomware (CYFIRMA): Threat intel identifies active malware families leveraging phishing and social engineering for initial access, alongside espionage campaigns by Mustang Panda using DLL sideloading, credential dumping, and USB propagation.

Cyberattacks Spike 245% Following Iran Conflict (Black Arrow Cyber): Technical briefing notes a sharp rise in attacks targeting financial services and e-commerce, with adversaries increasingly using legitimate admin tools and stolen credentials to evade detection and enable large-scale disruption.

Teams Vishing & Cisco Exploitation (Kaseya): Incident roundup details ransomware causing municipal emergency declarations, active exploitation of Cisco firewall vulnerabilities, and a rise in Microsoft Teams vishing campaigns abusing enterprise collaboration platforms.

Email Threat Evasion Techniques (Hornetsecurity Security Lab): Analysis of M365 threats highlights adversaries bypassing detection via fuzzing and evasion, emphasizing email as a primary initial access vector in enterprise environments.

Law Enforcement Takedowns Are Training Cybercriminals (WSJ): Criminal groups are adapting rapidly to past disruptions, improving operational security and malware resilience after observing law enforcement techniques used in takedowns.

AI Expected to Drive Surge in Zero-Day Exploits (ITPro / RSAC Panel): Experts warn that AI could industrialize vulnerability discovery, potentially generating hundreds of zero-days weekly while also enhancing defensive capabilities.

Human Behavior Identified as Primary Security Weakness (TechRadar Pro): Security failures increasingly stem from user behavior, with attackers exploiting MFA fatigue and cognitive biases via social engineering and AI-assisted phishing.

Cyberattack on Polish Energy Sector Signals Escalation (AP News): A destructive attack linked to suspected Russian actors used wiper malware against energy infrastructure, marking a shift beyond financially motivated ransomware toward disruptive operations.

Into the blogosphere...

The Artificial Intelligence Risk Scoring System (AIRSS) – Part 1: Setting the Scope (Walter Haydock): This article introduces a structured methodology for quantifying AI-related cybersecurity risk. Haydock proposes a scoring system to evaluate exposure across data sensitivity, model behavior, and operational context. The piece is widely referenced within the newsletter’s series and generated strong engagement due to its practical framework for security teams adopting AI.

Chatbot Checklist: 5 Ways to Avoid AI-Powered Fails (Walter Haydock): A tactical guide focused on securing AI chatbots against misuse, data leakage, and reputational risk. It outlines five concrete controls—ranging from prompt constraints to monitoring pipelines—making it highly shareable among practitioners implementing LLM systems. Its actionable nature led to strong reader interaction and discussion.

Declaring a Truce on SaaS Security: This piece challenges the adversarial dynamic between vendors and enterprise security teams. Haydock argues for a cooperative model that reduces duplicated controls and improves overall risk posture. The contrarian framing sparked debate in comments and shares among SaaS security professionals.

How Cybersecurity Startups Win (and Why Most Don’t) (Ross Haleliuk): A strategic deep dive into the cybersecurity market, focusing on why many startups fail despite strong technology. It examines go-to-market misalignment, buyer psychology, and product-market fit in security.

In conjunction with _secpro, the Packt cyber_ai newsletter is our sister publication that gives you insights into deep research, cutting-edge developments, and controversial news in that confusing and still largely misunderstood overlap in cybersecurity and artificial intelligence. Every week, we publish a newsletter that helps you get down to the most important details in a sea of AI-generated, security-compromising noise.

Sound good? Join us by following the link below.

Packt Cyber_AI

#10: Governance, Ethics, and the Age of AI

Welcome to CYBER_AI, a new newsletter from the Packt team focusing on—well, exactly what it says on the tin: cybersecurity in the age of AI…

Read more

3 months ago · Austin Miller

Welcome to another _secpro!

The conflict surrounding Iran illustrates how contemporary cyber operations function as an extension of geopolitical competition rather than a separate domain of warfare. State-linked actors, proxy groups, and opportunistic cybercriminals all exploit the disruption and political polarisation created by armed conflict to conduct espionage, influence operations, and disruptive attacks.

Techniques such as distributed denial-of-service campaigns, wiper malware, credential-harvesting phishing, and information manipulation are used not only to target military or government networks but also to pressure civilian infrastructure, financial institutions, and private companies that sit within the broader strategic ecosystem.

As the conflict evolves, these tactics demonstrate how cyber capabilities can be rapidly mobilized, scaled through proxy actors, and directed against a wide range of targets—creating a threat landscape in which the effects of war extend well beyond the battlefield and into the digital systems that underpin modern economies and societies.

Subscribe now

Leave a comment

If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!

Cheers!
Austin Miller
Editor-in-Chief

Your SOC is a queueing system. It behaves like one, too

Most SOC improvement work focuses on what happens after an investigation starts. Faster playbooks, better context, tighter workflows. All useful.

But for a lot of teams, the bigger problem is what happens before anyone even looks at the alert. Alerts come in. Analysts triage and escalate. When the arrival rate exceeds capacity, queues build and wait time spikes.

“The Queue is the Breach” – written by Jon Hencinski, Head of Security Operations at Prophet Security – walks through the operational math behind this: alert cycle time, wait time across severity levels, analyst utilization, and what those metrics actually reveal about whether your bottleneck is people, process, or the operating model itself.

Get your free eBook today

This week’s articles

On Flashpoint’s “2026 Global Threat Intelligence Report”

In early 2026, researchers from Group-IB published an analysis of a cyber-espionage campaign known as Operation Olalampo, attributed to the advanced persistent threat group MuddyWater. MuddyWater has long been associated with Iranian state-linked cyber activity and has historically targeted government agencies, telecommunications providers, and critical infrastructure organizations across the Middle East and surrounding regions. The Olalampo campaign demonstrates how state-aligned cyber actors continue to evolve their tactics and infrastructure while relying on proven techniques such as phishing and custom malware frameworks.

News Bytes

US Takes Down Record DDoS Botnets: A coordinated law enforcement operation dismantled multiple Mirai-derived botnets (Aisuru, Kimwolf, etc.) responsible for record-scale DDoS attacks, including a 31.4 Tbps burst; researchers note continued evolution toward decentralized C2 using blockchain-based DNS.

“Darksword” iOS Spyware Campaign: Researchers uncovered large-scale iOS exploitation chains targeting hundreds of millions of devices via Safari vulnerabilities, enabling rapid “hit-and-run” data exfiltration tied to suspected state-linked operators.

SocksEscort Proxy Botnet Takedown: A 15-year-old Linux malware-driven proxy network infecting ~369k IoT/SOHO devices was dismantled; operators monetized access for credential stuffing, fraud, and anonymized attack infrastructure.

Hacked Sites Deliver Vidar Infostealer: Compromised websites are being weaponized to distribute Vidar stealer via fake browser updates and drive-by downloads, emphasizing continued effectiveness of web-based initial access vectors.

AI & Browser Threat Trends in 2026 (Red Canary):
Large-scale telemetry (~110k threats) indicates adversaries are both targeting browsers and leveraging AI tooling to improve phishing, malware staging, and post-exploitation automation.

Iran-Linked Cyber Escalation Threat Brief (Unit 42):
Threat intelligence indicates increased cyber activity aligned with geopolitical tensions, including targeting of critical infrastructure and enterprise networks with coordinated campaigns.

Into the blogosphere...

Security for High Velocity Engineering (Jason Chan): This article explores how modern engineering organizations can embed security into rapid deployment pipelines without slowing innovation. It emphasizes threat-informed design, automation, and scaling security practices across large codebases, reflecting the shift toward DevSecOps in high-growth tech companies. (tl;dr sec)

Keep Hackers Out of Your Kubernetes Cluster with These 5 Simple Tricks! (Christophe Tafani-Dereeper): A practical, tactical guide focused on Kubernetes hardening, covering attack surfaces such as misconfigured RBAC, container escapes, and network exposure. The article provides actionable controls aligned with real-world attack paths, making it popular among cloud security engineers.

How to Securely Build Product Features Using AI APIs (Rami McCarthy): This piece analyzes security risks when integrating AI APIs (e.g., prompt injection, data leakage) and outlines defensive design patterns. It became especially relevant during the surge of generative AI adoption in 2023–2024.

AI and Machine Learning in Cybersecurity (Clint Gibler): A strategic overview of how AI/ML is used in both offensive and defensive cybersecurity, including malware detection, anomaly detection, and automated threat hunting. It also discusses limitations and future directions.

Gartner, Forrester and Cybersecurity: A Deep Dive (Ross Haleliuk): This article critically examines the role of industry analysts (Gartner, Forrester) in cybersecurity decision-making, including their influence on vendor selection and enterprise strategy. It blends market analysis with practitioner insight, making it popular among security leaders.

1. From Fragmented Threats to a Converged Attack Surface

Historically, defenders could think in categories: ransomware, phishing, vulnerabilities, and insider threats. The report argues that these distinctions are no longer operationally meaningful. Attackers now combine them fluidly, using whichever vector is most efficient at a given moment.

This convergence is driven by two forces:

• The availability of massive datasets (credentials, personal data, access tokens)

• The automation of attack workflows, increasingly orchestrated by AI

The result is what Flashpoint describes as a “high-velocity threat engine”, where attacks are continuous, adaptive, and multi-vector by design.

For a non-specialist, the key takeaway is simple: organisations are no longer being “hacked” in a single way. They are being systematically probed across all weak points at once, often by automated systems.

2. Agentic AI and the Rise of Machine-Speed Attacks

The most consequential shift identified in the report is the emergence of agentic AI—autonomous or semi-autonomous systems capable of executing full attack chains with minimal human oversight.

These systems can:

• Identify targets

• Generate phishing content

• Test stolen credentials

• Adapt tactics based on failure

• Rotate infrastructure to avoid detection

This represents a move from “human-in-the-loop” attacks to machine-speed operations, where iteration is cheap and scale is effectively unlimited.

One striking data point: AI-related illicit activity increased by roughly 1,500% in a single month in late 2025, signaling rapid adoption by threat actors. For defenders, this creates an asymmetry. Attackers can now run thousands of variations of an attack simultaneously, while defenders must still detect and respond with relatively slower processes. This fundamentally changes the economics of cyber conflict.

3. Identity as the Primary Attack Vector

Another core insight is that identity has replaced traditional exploitation as the dominant entry point. Instead of “breaking in,” attackers increasingly log in using stolen credentials. The scale is significant, as approximately 3.3 billion compromised credentials and tokens are circulating in criminal ecosystems today.

These credentials are harvested primarily via infostealer malware and then reused across services. Because many organizations rely on identity-based access (cloud services, SaaS, APIs), compromised credentials provide immediate and often undetected access.

This shift has several implications:

• Traditional perimeter defenses (firewalls, endpoint protection) are less effective

• Multi-factor authentication can be bypassed or undermined

• Insider threat models blur, as attackers operate with legitimate credentials

In practical terms, cybersecurity is becoming less about blocking intrusions and more about verifying trust continuously.

4. Industrialisation of Cybercrime

The report emphasises the professionalisation of cybercrime, describing it as an industrial ecosystem with supply chains, specialisation, and scalable business models. One example is the evolution of ransomware into a “franchise model”:

• Core groups develop tools and infrastructure

• Affiliates execute attacks

• Profits are shared

At the same time, ransomware itself is evolving. Instead of encrypting systems, attackers increasingly rely on:

• Data theft

• Credential compromise

• Extortion without encryption

Ransomware incidents increased by over 50% year-over-year, reflecting both growth in activity and diversification of tactics.

This industrialisation lowers barriers to entry. Less-skilled actors can now conduct sophisticated attacks by leveraging shared tools and services, much like legitimate cloud-based businesses.

5. The Collapse of the Vulnerability Window

Another important trend is the shrinking time between vulnerability disclosure and exploitation.

The report notes:

• A 12% increase in vulnerability disclosures, exceeding tens of thousands annually

• Exploitation now occurs within hours or days, rather than weeks or months

This is partly due to automation: AI systems can ingest newly disclosed vulnerabilities and immediately test them at scale.

For organisations, this eliminates the luxury of delayed patching cycles. Vulnerability management must become near real-time, or risk exposure to rapid exploitation.

6. Data as Fuel: Infostealers and Credential Economies

Underlying many of these trends is the explosion of infostealer malware, which harvests credentials, session cookies, and other sensitive data from infected devices.

The report links this to:

• Millions of infected endpoints

• Billions of harvested credentials

• A thriving marketplace for access data

This data fuels multiple attack types simultaneously:

• Account takeovers

• Business email compromise

• Fraud

• Ransomware entry points

In effect, stolen identity data has become a universal currency in cybercrime, enabling a wide range of downstream attacks.

7. Blending of Cyber, Physical, and Human Threats

Flashpoint also emphasises that cyber threats are increasingly intertwined with physical and human domains.

Examples include:

• Recruitment of insiders

• Use of social engineering enhanced by AI (e.g., deepfakes, personalised phishing)

• Targeting of physical infrastructure via digital access

This reflects a broader shift toward hybrid threats, where digital compromise can have real-world consequences, and vice versa. (The IT Nerd) For non-experts, this means cybersecurity is no longer just an IT issue, instead becoming an ever-present business risk and societal risk.

8. Implications for Defence

The report does not just describe threats; it outlines a strategic shift required for defence. The key recommendations can be summarised as follows:

1. Move to intelligence-led security: Organizations must rely on real-time threat intelligence, including data from adversary environments (e.g., dark web forums), rather than purely reactive defences.

2. Prioritise identity security: Protecting credentials, monitoring for leaks, and enforcing strong identity controls become central.

3. Automate defence to match attacker speed: Manual processes cannot keep pace with machine-speed attacks. Automation and AI-assisted defence are required.

4. Reduce exposure windows: Rapid patching, continuous monitoring, and proactive vulnerability management are essential.

5. Integrate security domains: Siloed teams (e.g., network, identity, fraud) must operate as a unified function, mirroring the convergence seen on the attacker side.

Worth reading? We’d say so

Flashpoint’s new report portrays a cybersecurity landscape defined by scale, speed, and integration. The combination of agentic AI, massive credential exposure, and industrialised cybercrime has created an environment where attacks are faster, cheaper, and more adaptive than ever before.

The most important conceptual shift is this: cyber threats are no longer discrete events but continuous, automated processes. Attackers iterate until they succeed, often using legitimate access rather than exploiting technical flaws. For organisations and individuals alike, the implication is clear. Security can no longer rely on static defences or delayed responses. It must become dynamic, intelligence-driven, and centred on identity and trust.

If you work in or around regulated industries, here’s something that may have slipped under your radar: a federal ADA deadline hits in less than two months. On April 24, state and local governments — and the vendors and partners who serve them — must meet WCAG 2.1 AA standard…

Read more

Read more

If you work in or around regulated industries, here’s something that may have slipped under your radar: a federal ADA deadline hits in less than two months. On April 24, state and local governments — and the vendors and partners who serve them — must meet WCAG 2.1 AA standard…

Read more

#…

Read more

Read more