Hardcoding Security into Every Commit: The Future of Snyk Secrets

In the modern software development lifecycle, the speed of innovation is often at odds with the security of our most sensitive data. As organizations embrace cloud-native development and AI-generated code, they face a phenomenon known as “secret sprawl”: the uncontrolled and widespread distribution of API keys, passwords, and tokens across repositories, CI/CD logs, and developer collaboration tools.

Emerging Threat: (CVE-2026-40372) ASP.NET Core Privilege Escalation via Signature Bypass

CVE-2026-40372 is an elevation of privilege vulnerability in ASP.NET Core caused by improper verification of cryptographic signatures in the Data Protection library. The flaw sits in the HMAC validation routine of the managed authenticated encryptor, where a defective comparison lets an attacker submit a forged payload that the application accepts as legitimately signed. The vulnerability carries a CVSS v3.1 base score of 8.1 (Important), as assigned by Microsoft in the official advisory.

Navigating Cyber Essentials v3.3: A Guide to Compliance

On 27 April 2026, the National Cyber Security Centre (NCSC) will officially implement Cyber Essentials v3.3, delivered through a new self-assessment question set known as Danzell, which replaces the previous Willow set. The foundational five technical controls remain the bedrock of the scheme, but this latest iteration tightens wording, scoping, and marking criteria in ways that have immediate consequences.

A Comprehensive Guide to OWASP Penetration Testing

OWASP Penetration Testing is a specialized type of security testing that focuses on the attack vectors and vulnerabilities listed in the OWASP Top 10. An organization’s security landscape is complex, so it is essential to test the organization’s security measures to ensure that they are working correctly. OWASP (the Open Web Application Security Project) compiles a list of the ten most critical attack categories, known as the OWASP Top 10, for multiple technologies such as web applications, cloud, and mobile security.

OWASP Defines AI Agent Risk. Behavioral Analytics Detects It

The OWASP Top 10 for Agentic Applications defines the most common AI agent risks, but real attacks unfold across multiple stages of behavior. Behavioral analytics detects those risks by modeling how users, AI agents, and their interactions change over time. By observing deviations across inputs, processing, and outputs, security operations teams can identify insider-driven and agent-driven threats that traditional, event-based detection misses.

You're Not Watching MCPs. Anthropic's Vulnerability Shows Why You Should Be.

Last week, researchers at OX Security published findings that should stop every security leader in their tracks. They discovered a critical vulnerability baked directly into Anthropic's Model Context Protocol SDK, affecting every supported language: Python, TypeScript, Java, and Rust. The result: remote code execution on any system running a vulnerable MCP implementation, with direct access to sensitive user data, internal databases, API keys, and chat histories, on over 7,000 publicly accessible servers.

How Internal Scanning works: Q&A with Detectify's product expert

Security doesn’t stop at the perimeter. The “inside” of your network often harbors many overlooked risks. To address this, earlier this year we launched Detectify Internal Scanning, designed to bring our world-class vulnerability research directly into your private ecosystems.