Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Kroll has recently seen a widespread installation of an application called Calendaromatic, that Kroll Threat Intelligence (TI) is currently classifying as a potentially unwanted program (adware) but displays some functionality that gives it the potential to conduct more malicious behaviors.

As Cybersecurity Awareness Month continues, we wanted to dive even deeper into the attack methods affecting APIs. We’ve already reviewed Broken Object Level Authentication (BOLA), injection attacks, and authentication flaws; this week, we’re exploring business logic abuse (BLA). Unlike technical flaws, business logic flaws exploit how an API is designed to behave.

Researchers at Bitdefender warn that scams are seeing a steady increase globally. Citing a recent report from the Global Anti-Scam Alliance (GASA), the researchers note that 57% of adults worldwide have reported encountering a scam in the past year, and 13% encounter a scam at least once per day. One in four adults lost money to a scam, and annual global scam losses now exceed $1 trillion.

It’s rare to find a security professional who enjoys the security information and event management (SIEM) migration process. Security teams are often diverted from actively defending their environment to tend to the long, manual, and error-prone migration process.

AI convenience rides on a river of data: text, clicks, images, voices, locations, and metadata you didn’t know existed. The core question is not whether AI uses data but how it collects it, what it infers, and whether people truly agree to that. In other words, the impact of AI on user consent and data collection is not academic. It decides whether your product earns trust or burns it.

Security reviews are changing. More buyers want live, verifiable proof of your security posture and not a static PDF that changes by dawn. Astra Trust Center helps teams answer due diligence questions upfront, cutting back-and-forth questionnaires and keeping deals moving. At the same time, attackers aren’t getting more creative, just more effective. The 2025 Verizon DBIR found that 88% of Basic Web Application Attacks involved stolen credentials.

This piece is part of a monthly series by Carisa Brockman and Bindu Sundaresan exploring the evolving world of AI governance, trust, and responsibility. Each month, we look at how organizations can use artificial intelligence safely, thoughtfully, and with lasting impact.

I’ve been spending a lot of time with teams and customers talking about AI. Not in terms of buzzwords or market predictions, but the real, in-the-trenches work of building software, serving customers, and securing identities and data. The mindset we’ve adopted around AI is simple: you can’t cut your way to great products or great customer experiences. AI isn’t about replacing people or chasing short-term efficiency gains.

Identity is now the most common entry point for attackers. In cloud-native environments, thousands of microservices, containers, and agents request credentials every day, and each one represents a potential weakness. The imbalance between human and non-human identities (NHIs) is growing, but many organizations still devote the bulk of their identity and access governance (IGA) efforts to the former.

In response to evolving digital risks and growing concerns about data misuse, Australia has introduced a substantial privacy reform via the Privacy and Other Legislation Amendment Act 2024 (POLA Act) passed on December 10, 2024 Designed to modernise the country’s privacy framework and better align it with international standards like the General Data Protection Regulation (GDPR), the POLA Act marks a pivotal shift in how personal information is defined, managed, and protected.