Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The holiday season is traditionally a period of goodwill, gift giving, and time with loved ones, but if you are responsible for your enterprise’s cyber defenses it’s also a time when you should have a heightened awareness of cyber risk. Cybercriminals often treat this time of year as a prime opportunity to exploit the unprepared and unwary.

On December 11, 2025, Push Security published research detailing a newly observed browser-based phishing technique called ConsentFix. The name ConsentFix is derived from its similarity to the previously documented ClickFix technique using fake CAPTCHA pages. ConsentFix, enables threat actors to gain cloud account access without capturing passwords, multifactor authentication (MFA) codes, or other credentials by abusing legitimate OAuth authentication and consent flows.

A phishing campaign is targeting executives with phony offers for awards, according to researchers at Trustwave SpiderLabs. The attackers first dupe the victims into handing over their credentials, then use the ClickFix social engineering technique to trick them into installing malware. “The campaign uses a high-value executive recognition lure, ‘Cartier Recognition Program,’ to target executives,” the researchers write.

2025 began with experts warning about the dangers of agentic AI use—but that didn’t slow adoption. Our annual State of Trust Report shows that nearly 80% of organizations are either actively using or planning to use agentic AI. That acceleration is outpacing the governance required to keep these systems safe: ‍ ‍ A level of machine autonomy that would’ve been unthinkable just a few years ago is quickly becoming normalized.

At the recent Conversations Live with Stuart McNish panel on cybersecurity — part of the thoughtful public affairs dialogue series produced in partnership with the Vancouver Sun — industry leaders gathered to unpack the real-world risks shaping organizational resilience and national security. The event, held on Dec. 10, 2025, brought together experts from across the cybersecurity landscape to go beyond headlines and explore strategies for responding to evolving threats.

Earlier this year, FedRAMP RFC-0012 signaled a coming shift in how cloud service providers (CSPs) working with the U.S. federal government are expected to handle vulnerabilities. It outlined plans to move FedRAMP away from simple CVSS-score thresholds and toward continuous, context-aware, exploitability-driven, and automation-first vulnerability management.

Like any other global industry, financial services companies face tremendous challenges of scale and complexity when it comes to managing cyber risk across their digital supply chain. The financial services supply chain is composed of more than 1.6M third-party relationships across the industry ecosystem.

Modern engineering teams ship fast. Attackers move faster. CI/CD pipelines are no longer just build systems; they are a critical part of production infrastructure. A compromised pipeline can allow attackers to inject malicious code, poison dependencies, leak secrets, or deploy compromised builds directly to production. As Engineering Managers, we’re expected to maintain high delivery velocity while reducing security risks.

Applicability thresholds of state privacy laws often hinge on size or scale. TDPSA is different. It puts no revenue thresholds like CCPA or CPRA. So if your business operates in Texas or reaches the state’s residents, you’re most likely inside the scope already. The law took effect on July 1, 2024, and by January 2025, the universal opt-out obligations became fully enforceable. That transition is what moved TDPSA from a policy update to a website-level requirement.

From intelligent chatbots to autonomous agents, innovation has never moved faster thanks to GenAI. But with the rate of velocity comes a massive new challenge: a class of complex, non-deterministic security risks that traditional cybersecurity methods are simply not equipped to handle. AI-native applications are already running in production. Across industries, teams are deploying copilots, RAG systems, autonomous agents, and AI-powered workflows faster than traditional security processes can keep up.