Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Mobile app risk rarely emerges from negligence. It emerges from fragmentation. In most enterprises, security is applied in stages: Each control works in isolation. None governs how risk evolves over time. Mobile applications are distributed, long-lived systems. Once deployed, they operate outside centralized infrastructure control, exposed to shifting SDK dependencies, evolving APIs, regulatory change, and adaptive adversaries. Security gaps rarely appear within a stage. They appear in the transitions.

Sending a work email to the wrong person – it’s something all of us have done at least once in our working lives. For some people, it’s a regular occurrence. But just how risky is it? Thinking back over your recent emails, you can probably pick out the ones that would have been worse to misdirect than others. In the best case it’s a non-issue or only slightly embarrassing.

There’s a moment every IT and security team recognises. You’ve done the hard work: rolled out SSO, tightened access policies, and moved sensitive tools behind stronger authentication. On paper, it looks like progress.

If you work in IT right now, your feed is probably split between AI hype, AI fear, and confused memes about both. Depending on who you ask, AI is either coming for your job, coming for everyone’s job, or going to “free you up to do more strategic work”—which somehow always looks like doing the same work, just faster, with fewer people. Some of that fear is legitimate.

Deterministic security tools, at this point, have become such a regular part of security that, for a long time, we weren’t questioning the alternatives. With AI becoming a core component of security with probabilistic models, it’s time to revisit determinism and get clear about what it’s needed for. Otherwise, why shouldn’t we just start replacing everything with AI?

Aikido Attack, our AI pentest product, found a WebSocket hijacking vulnerability in Storybook's dev server that can lead to persistent XSS, remote code execution, and, in the worst case, supply chain compromise. Storybook's WebSocket server has no authentication or access control, so if the dev server is publicly accessible, an attacker can exploit this without any user interaction at all. In the more common local setup, a developer just has to visit the wrong website while Storybook is running.

In Regex is (almost) All You Need, we learned that using a combination of regular expression patterns, entropy, and rule-based filters are an effective way to detect candidate secrets. Regex is used for casting a wide net to identify candidates. Entropy is used as a primary filter on the captured candidates and additional filters like presence of commonly used english words, or filtering on known “safe” files like go.sum are applied last.

The University of Hawaii Cancer Center is the only National Cancer Institute-designated cancer center in Hawaii. Located in Honolulu, the center employs over 300 faculty and staff conducting critical epidemiological research studying cancer risks across diverse populations. In August 2025, the Cancer Center fell victim to a ransomware attack that exposed Social Security numbers of up to 1.15 million people.

When Anthropic announced Claude Code Security on February 20th—a tool that scans codebases for vulnerabilities and suggests patches for human review—the reaction from markets was swift and brutal. Major cybersecurity names watched their stock prices fall by double digits within days. The implied thesis behind the selling: AI can now do what these companies do, so why pay for them? It's a compelling fear and an inaccurate conclusion at the same time. The DLP space is a clear example of why.

Microsoft is making a fundamental change to how outbound internet connectivity works for virtual machines within Azure Virtual Networks. From March 2026, default outbound access will be retired for new virtual networks, requiring organisations to explicitly design and configure outbound connectivity for their workloads.