Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The way software gets built has fundamentally shifted. AI coding agents are no longer just autocomplete on steroids; they’re resolving packages, configuring environments, selecting tools, and in some cases running the entire development lifecycle, with or without a human in the loop.

Every defense contractor preparing for CMMC has the same expensive surprise: the third-party engineering firm with VPN access into one file server just doubled the size of their assessment. CMMC, the Cybersecurity Maturity Model Certification that DoD will require on covered solicitations starting November 10, 2026, is scored against the systems that touch Controlled Unclassified Information, or CUI.

In the world of application security, vulnerabilities are always a moving target. As modern applications keep becoming increasingly API-driven, cloud-native, and dependent on third-party services, the attack surface has expanded dramatically. For years, the OWASP Top 10 has served as the North Star for security professionals, providing a consensus-based ranking of the most critical web application security risks.

On May 14, GitGuardian found a public GitHub repository called "Private-CISA" — 844 MB of plain-text passwords, AWS tokens, and Entra ID SAML certificates belonging to CISA, exposed since November 2025. Some credentials were still valid. CISA pulled it offline within 26 hours.

Security leaders know the threat is real. Getting finance to agree is a different problem. Brand protection ROI is calculable, but most teams never build the model, so the budget request dies in review. The core formula is straightforward: add avoided fraud losses, account takeover (ATO) remediation savings, churn prevention value, and analyst time recovered, then subtract software cost and edivide by that cost.

How do you navigate VMware Cloud Foundation (VCF) 9 terminology changes? The quick answer is that VCF 9 rebrands legacy products to unify the platform.

The ripple effects of a cyberattack rarely stay contained. Modern organizations rely on vast ecosystems of vendors, suppliers, SaaS providers, and partners. As those connections deepen, so does the potential blast radius of a third-party compromise. What begins as an exposed system or stolen credential inside a vendor environment can quickly cascade across the supply chain. Attackers understand this. Increasingly, they target trusted third parties as an indirect path into larger organizations.

The ink was barely dry on our coverage of the AntV Shai Hulud supply chain attack when a new compromise surfaced in the Python ecosystem. The target this time is durabletask, an open source Python package associated with Microsoft, used for building durable, fault-tolerant workflow orchestration on top of the Durable Task Framework. The latest safe version of durabletask is 1.4.0, and three known versions have been yanked from the PyPI registry.

81% of development teams knowingly ship code with vulnerabilities. That number gets quoted a lot. Usually to make a point about how developers don't take security seriously. Here's a different reading: most of those developers knew the vulnerability was there. They just couldn't do anything about it in time. That's not apathy. That's a system failure. Feature deadlines are usually less flexible than security work.

Attackers are abusing the storage and sharing features of Kuse, a free AI app, to assist in phishing campaigns, according to researchers at Trend Micro. Kuse is a legitimate agentic AI platform used by employees to streamline workflows. Users can share files with coworkers, which generates a link hosted by Kuse’s domain. In this case, attackers are abusing the share feature to generate legitimate-looking phishing links.