Wednesday - June 24th, 2026
Apple News
Craig Taylor CEO and Co-Founder

Craig Taylor has been a Certified Information Systems Security Professional (CISSP) since 2001 and is a 30-year veteran of cybersecurity. In 2014 he co-founded a cybersecurity training company, CyberHoot, to help SMBs and MSPs learn cyber literacy. During his career, Craig has led cybersecurity organizations in web hosting (CSC), finance (JP Morgan Chase), and manufacturing (Vistaprint). Additionally, Craig leads a cybersecurity consultancy that has delivered virtual Chief Information Security Officer (vCISO) services to more than 50 companies (all sizes and industries). Craig is a Toastmaster (public speaking), a Rotarian (Portsmouth, NH), and a fundraiser for cancer research, having raised 150k riding in the Pan Mass Challenge for 11 years.

Recent Content

Hackers steal your cookies. Chrome may help stop Session Cookie Theft!

Google has built and released a new cookie protection measure that makes stolen session cookies useless on any other device for websites updated to support this approach. Here is what it does, who it helps, and what to do right now. The Short Version: Infostealer malware does not need your password or even your MFA codes. All it needs is the small file your browser stores after you log in, called a session cookie. For years, stealing that file alone was enough to impersonate you online, bypassing usernames, passwords, and even Multi-Factor Authentication (MFA). Chrome now ties that file to you…

AI Found Your Weaknesses. Let’s Fix Them First.

New benchmark data names MDASH and Claude Mythos Preview as the top AI agents finding zero-day vulnerabilities of 2026. They find software bugs better than any human can, in less time, with more proof than ever before. Here is what that means for your organization, and what you can do about it today. AI Vulnerability Automation Beyond Human Capabilities – a New Normal in Bug Hunting. The rules just changed: A few years ago, finding security holes in a network took a skilled human weeks of focused work. Today, AI systems do that same job in minutes, without breaks, withou…

Your Identity Is Not Only a Front-Door Problem, It is an Internal Risk Too

One Forgotten Password, Almost a Catastrophe: A single Windows machine at a retail store location had a cached AWS access key sitting on it. Nobody put it there on purpose. A user logged in, AWS stored the key automatically, and life moved on. No alarms, no policy violations, no red flags. Except that one key, sitting quietly on one machine, had a path to 98% of that company’s cloud environment. Almost every critical workload the business ran, one forgotten credential away from disaster. Security researchers found it before an attacker did. Most organizations would never know it was …

Why Your Clients’ Routers Are Now a National Security Conversation

You now have five important reasons to start a router security conversation with your small business clients this week, especially those with work-from-home staff members. One of them has Russian military intelligence in the headline. This is your overview, talking points, and action plan. Why router security is front and center right now: The FBI did not publish a warning and move on. They ran a court-authorized operation to take down a network of hijacked routers that Russia’s GRU Military Unit 26165, known as APT28 or Fancy Bear, was using for attacks. Routers in at least 23 U.S. sta…

Your Employees Connected 47 Apps to Google Last Year. Can You Name One of Them?

OAuth tokens don’t expire when employees leave, passwords change, or apps go rogue. Your security program needs to understand this risk and remove unneeded and abandoned entitlements asap. Picture a spare key. You handed it to a contractor six months ago so they could fix your HVAC. The job is done. The contractor moved on. But the key still works, and you never asked for it back. That is more or less what happens every time someone at your company connects a third-party app to Google Workspace or Microsoft 365 using OAuth. Digital keys are created by your employees. They don’t expire,…

Attackers Don’t Need a Key. They Already Have Yours.

Most breaches don’t start with a hacker in a hoodie cracking code at 3am. They start with your username and a password from a breach that happened three years ago at a site you forgot you signed up for. Picture a thief who skips picking the lock entirely because the key is sitting right there under the mat. That’s what most cyberattacks look like in 2026. Attackers aren’t writing exotic code to break into your systems. They’re logging in with credentials your employees already use, often credentials stolen from a completely different website years ago and sold for a few dollars onli…

Claude Mythos Opened Pandora’s Box. Project Glasswing Is Racing to Close It.

A Practical Brief for vCISOs. THE WARNING WE IGNORED OR COULD NOT UNDERSTAND: For years, the most credible voices in AI research have issued the same warning. Treat artificial intelligence with the same institutional seriousness the world applied to nuclear technology. Warren Buffett put it plainly at the 2024 Berkshire Hathaway shareholder meeting: “We let a genie out of the bottle when we developed nuclear weapons. AI is somewhat similar — it’s part way out of the bottle.” (Source: CNN Business, May 2024.) If you’re like me, given the gravitas of the people warning us (Stephen Hawkin…

When the “CEO” Calls and Asks You to Move Money Fast

A guide to spotting senior executive impersonation scams before the fake CEO gets a real wire transfer. It Starts With a Message That Feels Important: You get an email or a call. The name on the screen is your CEO or CFO. The tone is serious. There is a confidential deal happening, an acquisition, a regulatory matter, something big. And they need you to move fast, quietly, and without telling anyone else. It feels urgent. It feels real. And that is exactly the point. Senior executive impersonation scams are one of the most common forms of financial fraud targeting businesses today. …

When the Attack Looks Just Like You

Artificial Intelligence (or AI) is making phishing emails smarter, malware sneakier, and credential theft easier, putting each of us at increased risk of attack and compromise. Criminals are using AI to do something old-school security tools were never built to stop. They are making attacks look like normal, everyday activity. Not scary. Not obvious. Just plain Jane and normal stuff. This AI shift changes how your organization needs to think and prepare itself. AI Did Not Invent Cyberattacks. It Made Them Polished. Old phishing emails were easy to spot. Bad grammar, weird forma…

That DocuSign Email Probably Isn’t From DocuSign

Your inbox sees dozens of emails every day that look completely routine. A DocuSign notification fits right in. A document is waiting. Someone needs a signature. You know the drill. Attackers know the drill too, and they have built entire phishing campaigns around abusing your DocuSign trust. Why DocuSign Makes a Perfect Cover: DocuSign is everywhere in business. Contracts, HR forms, NDAs, vendor agreements. Documents move fast, and people are trained to keep up. When a DocuSign email lands, the instinct is to act, not to question. This is the 2-Minute efficiency hack David Allen writ…

PromptSpy: The Android Malware That Hired an AI Assistant

And yes, Google’s Gemini AI had no idea it was working for the bad guys. Malware has always followed a script. Literal, hardcoded, rigid instructions telling it exactly where to tap, what to steal, and how to hide. For years, that rigidity was also its weakness. Change the screen layout, update the operating system, or swap languages, and the malware broke. Attackers had to rewrite code for every variation. It was expensive, slow, and frankly, a little exhausting for them. Then someone had an idea. What if the malware stopped following a fixed script and started asking AI what to do…

Ransomware Entry Points are Changing. Here Is What to Do About It?

Ransomware groups are not breaking into organizations the same way they did five years ago. The entry methods have shifted, and understanding that shift is one of the most useful things you can do to protect your organization right now. Ryan Smith’s recent linked analysis, “Shifting the Front Door: How Ransomware Initial Access Has Changed,” captures this evolution quite well. When defenders strengthen one entry point, attackers adjust to the next weakest one. That pattern is worth paying attention to. From Mass Attacks to Precision Targeting: Historically, ransomware groups relied…
