Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

CISA recently published BOD 26-02, the latest Binding Operational Directive shaping how federal agencies manage cyber risk. While attention often gravitates toward highly visible directives like KEV, this one matters for a different reason: it raises the standard for how lifecycle risk must be tracked and sustained over time. BOD 26-02 is described as guidance on unsupported edge devices, which is accurate but incomplete.

If you've been paying attention to the AI agent space over the past few months, you've probably noticed a pattern: every week brings a new story about an AI agent doing something it absolutely should not have done: reading private emails, exfiltrating credentials, or executing shell commands that a human would have never approved. The OpenClaw saga alone gave us exposed databases, command injection vulnerabilities, and a $16 million scam token, all in the span of about five days.

Why don’t developers fix every AppSec vulnerability, every time, as soon as they’re found? The most common answer? Time. Modern security tools can surface thousands of vulnerabilities in a given codebase. Fixing them all would take up a development team’s entire capacity, often competing with feature development and other priorities.

For most engineering teams, AI feels like a breakthrough years in the making. Code gets written faster, reviews move quicker, and releases that once took weeks now happen in days—or even hours. But as more of the software lifecycle becomes automated, a less comfortable reality is setting in: application security hasn’t kept pace, and AI-native security practices are often missing. When AppSec foundations are immature, AI doesn’t reduce risk—it scales it.

In today's hyper-connected digital world, every file you touch could be more dangerous than it appears. A simple spreadsheet, an innocent-looking PDF, or a shared presentation can all hide malicious code beneath their surface. These files, often exchanged freely across devices, cloud and collaboration platforms, can act as ticking time bombs. When triggered, they lead to devastating cyberattacks, massive data breaches, and severe compliance violations.

Today, we announced our Series C funding. I want to start by saying thank you to Delta-v Capital and Arthur Ventures for their partnership and conviction in what we’re building. We’re grateful for their support and for the trust they’ve placed in our team. They didn’t invest because Nucleus tells a good story.

Maybe you’re an AI builder, or maybe you’re a CISO. You've just authorized the use of AI agents for your dev team. You know the risks, including data exfiltration, prompt injection, and unvetted code execution. So when your lead engineer comes to you and says, "Don't worry, we're using Skill Defender from ClawHub to scan every new Skill," you breathe a sigh of relief. You checked the box. But have you checked this Skills scanner?

LDAP is commonly used as a centralized authentication backend for VPN gateways. In a typical setup, users submit credentials to the VPN service, which forwards them to the LDAP server for validation. The VPN gateway then grants or denies access based on the response it receives. CVE-2026-22153 does not rely on malformed packets or memory corruption. Instead, it stems from flawed authentication logic, where certain LDAP response states can be misinterpreted under specific configurations.

A recently disclosed vulnerability, tracked as CVE-2026-1731, affects BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA). The flaw is rated critical, with a CVSS v4 score of 9.9 according to the National Vulnerability Database. BeyondTrust published advisory BT26-02 confirming that an unauthenticated remote attacker may be able to execute operating system commands by sending specially crafted client requests.