securityboulevard.com

How OTP Authentication Streamlines Service Delivery for HVAC Companies

None
Published date: 2026-03-21 00:00:00

None

<img decoding="async" src="https://cdn.pseo.one/67b62b766899109fe72fb789/687e6cccf6fe799d28851ea0/69be69575148ee4f7d63bbfe/content-image/aa7b6967-63fc-446d-9374-4879a2d281ca.webp" alt="aa7b6967-63fc-446d-9374-4879a2d281ca">Photo courtesy of <a href="https://www.freepik.com/free-photo/male-plumber-working-with-client-fix-kitchen-problems_94957515.htm">Freepik</a>As HVAC businesses grow and expand into new areas, they need to find ways to manage more customers and staff. One of the biggest challenges is making sure that service delivery and payments are secure and efficient, especially when working with new customers in different locations.A simple solution to this problem is one-time password (OTP) authentication. OTP authentication makes it easy to verify customers and payments quickly and securely that helps HVAC companies improve their overall service process.In this article, we’ll explore how OTP authentication helps HVAC companies streamline service delivery by improving customer verification, appointment scheduling, payments, and service completion, all while keeping things secure and simple.<h2>1. Simplified Customer Verification</h2>OTP (One-Time Password) authentication replaces <a href="https://mojoauth.com/ciam-101/authentication-server">traditional login methods</a> by sending a unique code to a customer’s phone or email, which they use to verify their identity instantly. For HVAC service appointments, customers can receive an OTP to confirm their identity, eliminating the need for passwords or lengthy forms.<h2>2. Enhanced Service Appointment Scheduling</h2>OTP authentication helps verify and confirm HVAC service appointments, ensuring both the customer and service provider are clear on the timing and details. When a customer schedules a service, they receive an OTP confirmation, which confirms the appointment and reduces the risk of any misunderstandings. This process ensures that appointments are tracked accurately, leading to fewer scheduling errors and improved customer satisfaction. As you invest in marketing or <a href="https://www.wearetg.com/industry/hvac-seo-company/">HVAC SEO services</a> to generate more leads, it’s essential to have a reliable system for booking appointments to avoid confusion and ensure a smooth customer experience.<h2>3. Improved Payment and Transaction Security</h2>OTP authentication adds a layer of security to payments and transactions, protecting HVAC businesses and their customers. When a payment is made, an OTP is sent to the customer's phone or email to verify the transaction, ensuring it’s legitimate. This reduces the risk of fraud or unauthorized charges. Additionally, OTP can prevent fraud from service vendors by confirming that payments are processed correctly and only authorized transactions are completed. This enhances security, builds trust, and ensures a reliable payment system for HVAC companies and their clients.<h2>4. Streamlined Service Completion Confirmation</h2>OTP authentication simplifies service completion verification. After an HVAC service is completed, an OTP is sent to the customer’s phone or email to confirm the work was done. This ensures clear communication and prevents any disputes about the service, making the process quicker and more reliable.<h2>5. Seamless Communication for Customer Support</h2>OTP authentication streamlines customer support by ensuring secure communication. When a customer contacts the HVAC company for assistance, they can verify their identity through OTP, <a href="https://www.fraud.com/post/account-verification">confirming they are the account holder</a>. This prevents unauthorized access to support channels and ensures that customer queries are handled by the right team.<h2>Endnote</h2>OTP authentication enhances security and simplifies key processes for HVAC businesses. By streamlining customer verification, service confirmations, and payments, it improves efficiency and builds trust. Adopting OTP ensures smoother operations, better customer experience, and strengthens the company's competitive edge in a growing market. It’s a valuable investment for long-term success.<div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/how-otp-authentication-streamlines-service-delivery-for-hvac-companies/" data-a2a-title="How OTP Authentication Streamlines Service Delivery for HVAC Companies"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fhow-otp-authentication-streamlines-service-delivery-for-hvac-companies%2F&linkname=How%20OTP%20Authentication%20Streamlines%20Service%20Delivery%20for%20HVAC%20Companies" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fhow-otp-authentication-streamlines-service-delivery-for-hvac-companies%2F&linkname=How%20OTP%20Authentication%20Streamlines%20Service%20Delivery%20for%20HVAC%20Companies" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fhow-otp-authentication-streamlines-service-delivery-for-hvac-companies%2F&linkname=How%20OTP%20Authentication%20Streamlines%20Service%20Delivery%20for%20HVAC%20Companies" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fhow-otp-authentication-streamlines-service-delivery-for-hvac-companies%2F&linkname=How%20OTP%20Authentication%20Streamlines%20Service%20Delivery%20for%20HVAC%20Companies" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fhow-otp-authentication-streamlines-service-delivery-for-hvac-companies%2F&linkname=How%20OTP%20Authentication%20Streamlines%20Service%20Delivery%20for%20HVAC%20Companies" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>*** This is a Security Bloggers Network syndicated blog from <a href="https://mojoauth.com/blog">MojoAuth Blog - Passwordless Authentication &amp; Identity Solutions</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by MojoAuth Blog - Passwordless Authentication & Identity Solutions">MojoAuth Blog - Passwordless Authentication & Identity Solutions</a>. Read the original post at: <a href="https://mojoauth.com/blog/otp-authentication-for-hvac-services">https://mojoauth.com/blog/otp-authentication-for-hvac-services</a>

Freethoughtblogs.com

This is Not Big News

Marcus Ranum
Published date: 2026-03-20 05:07:34

Apparently the Iranians managed to tag an F-35. As I mentioned in 2019, [stderr] stealth aircraft typically are mostly “stealthy” from the front, and some of them are quite un-stealthy from some angles, or if they have weapons bays open. It appears that the C…

Apparently the Iranians managed to tag an F-35. As I mentioned in 2019, [stderr] stealth aircraft typically are mostly stealthy from the front, and some of them are quite un-stealthy from some angl… [+8990 chars]

New York Post

French aircraft carrier’s location leaked by sailor using Strava on the ship deck

Anna Young
Published date: 2026-03-20 00:03:46

Strava, which is used by 120 million people around the world, allows runners and cyclists to log and share their workouts online.

A French seaman’s public fitness app revealed the exact location of a French aircraft carrier in the Mediterranean a shocking security blunder amid rising tensions in the Middle East, a report found.… [+2428 chars]

securityboulevard.com

Could your face change what you pay? NYC wants limits on biometric tracking

None
Published date: 2026-03-20 00:00:00

None

New York City lawmakers are pushing to ban private businesses from using biometric tools like voice and facial recognition software to track the public.While the desire to use surveillance technology in stores to fight shoplifting is understandable, <a href="https://www.nyclu.org/commentary/new-york-grocery-stores-are-scanning-your-face-lawmakers-can-stop-it" rel="noreferrer noopener nofollow">lawmakers</a> and <a href="https://www.politico.com/newsletters/digital-future-daily/2026/03/16/the-facial-recognition-grocery-fight-00830499" rel="noreferrer noopener nofollow">privacy advocates</a> are worried that the data could be repurposed to profile customers.The New York City Council has held a <a href="https://legistar.council.nyc.gov/MeetingDetail.aspx?ID=1390774&GUID=79F32E76-264B-40AD-81A8-81CE9AF71294&Options=info%7C&Search=" rel="noreferrer noopener nofollow">hearing</a> over two bills that would ban city landlords and businesses from using facial recognition technology.<ul class="wp-block-list"> <li>One proposal would make it illegal for any public place to use biometric recognition technology to identify or verify a customer.</li> <li>The other would prohibit landlords from installing, activating, or using any biometric recognition technology that identifies tenants or their guests.</li> </ul>In this article we want to focus on some of the reasons behind these proposals.For context, it’s good to know that in New York City, businesses that collect biometric data are already <a href="https://www.nyclu.org/resources/policy/testimonies/testimony-implementation-local-law-3-2021" rel="noreferrer noopener nofollow">required</a> to post standardized signs letting people know.Let’s look at what happens when your face becomes your ID, and every movement in a store can be turned into another data point.<h2 class="wp-block-heading" id="h-why-gathering-biometric-data-is-considered-bad">Why gathering biometric data is considered bad</h2>Collecting biometric data raises several objections. The most pressing ones are:<ul class="wp-block-list"> <li>Unique but hard-to-erase identifiers. While you can reset a password, your face is harder to change. This means data leaks or abuse of facial templates, gait, or voiceprints can create permanent risks and be linked across databases.</li> <li>Accuracy and bias concerns. <a href="https://www.aclu-mn.org/news/biased-technology-automated-discrimination-facial-recognition/" rel="noreferrer noopener nofollow">Studies</a> and civil liberties groups have found that facial recognition system can be <a href="https://www.scientificamerican.com/article/police-facial-recognition-technology-cant-tell-black-people-apart/" rel="noreferrer noopener nofollow">error-prone and biased</a> across different groups.</li> <li>Lack of meaningful consent. In practice, supermarkets and landlords using facial recognition are giving people a mere theoretical choice. People can submit their biometrics or forego basic services. Critics argue that this undermines genuine consent.</li> <li>Chilling effect. The feeling of constantly being watched everywhere you go is an uncomfortable one, and can discourage people from engaging in everyday, legitimate activities.</li> <li>Surveillance pricing. This deserves some more explanation, which we’ll cover next.</li> </ul><h2 class="wp-block-heading" id="h-what-is-surveillance-pricing">What is surveillance pricing?</h2>It’s essentially how your face becomes an unerasable loyalty card.Imagine you go into a local supermarket and notice that different people pay different prices for the same item. Would that feel fair?Surveillance pricing refers to the use of detailed consumer data and behavioral signals to dynamically adjust prices.Some characterize it as retailers using big‑data profiles to segment customers into increasingly narrow groups, down to the level of potentially charging each person the maximum the model thinks they are willing to pay.We already see versions of this online. When you’re <a href="https://www.theguardian.com/lifeandstyle/2025/may/21/booking-flights-online-dynamic-pricing-ticket-is-it-legal-australia" rel="noreferrer noopener nofollow">looking for airline tickets</a>, for example, prices can change based on various signals. But it can be hard to notice, and companies <a href="https://news.delta.com/delta-responds-misinformation-around-ai-pricing" rel="noreferrer noopener nofollow">tell us it’s not personal</a>. But imagine that same logic quietly following you into the supermarket.How this works online is relatively straightforward: websites track clicks, time on page, cart activity, and past spending to estimate how sensitive you are to price changes. In physical stores it’s more complex, but not impossible. Data from in-store security systems that also collect biometrics and facial recognition can be combined with loyalty programs, apps, and in‑store Wi‑Fi analytics could, in theory, be combined to build similar profiles. Electronic shelf labels (ESL) can already allow retailers to change shelf prices instantly across a store or specific sections.This could lead to situations where wealthier or more brand-loyal customers are quietly charged more. Or vulnerable groups could be targeted with manipulative discounts for higher‑margin or even less healthy products.<h2 class="wp-block-heading" id="h-what-to-do">What to do?</h2>Unfortunately, there’s no simple way to privacy‑hack your way out of a system that can turn your body into a tracking ID. The most effective fix is boring but powerful: laws with teeth, regulators that actually enforce them, and stores that don’t hide what they’re doing.You could:<ul class="wp-block-list"> <li>Avoid stores that openly advertise biometric scanning when there are alternatives.</li> <li> Support local and national efforts to regulate biometric tracking and related practices, such as the proposals from the New York City Council.</li> </ul>We shouldn’t have to trade access to food, housing, or basic services for the ability to move through a city without our bodies being mined for data. If we don’t draw that line now, practices like surveillance pricing could quietly bake inequality and discrimination into something as mundane as buying groceries.<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide">We don’t just report on privacy—we offer you the option to use it.Privacy risks should never spread beyond a headline. Keep your online privacy yours by using <a href="https://www.malwarebytes.com/vpn">Malwarebytes Privacy VPN</a>.<div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/could-your-face-change-what-you-pay-nyc-wants-limits-on-biometric-tracking/" data-a2a-title="Could your face change what you pay? NYC wants limits on biometric tracking"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcould-your-face-change-what-you-pay-nyc-wants-limits-on-biometric-tracking%2F&linkname=Could%20your%20face%20change%20what%20you%20pay%3F%20NYC%20wants%20limits%20on%20biometric%20tracking" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcould-your-face-change-what-you-pay-nyc-wants-limits-on-biometric-tracking%2F&linkname=Could%20your%20face%20change%20what%20you%20pay%3F%20NYC%20wants%20limits%20on%20biometric%20tracking" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcould-your-face-change-what-you-pay-nyc-wants-limits-on-biometric-tracking%2F&linkname=Could%20your%20face%20change%20what%20you%20pay%3F%20NYC%20wants%20limits%20on%20biometric%20tracking" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcould-your-face-change-what-you-pay-nyc-wants-limits-on-biometric-tracking%2F&linkname=Could%20your%20face%20change%20what%20you%20pay%3F%20NYC%20wants%20limits%20on%20biometric%20tracking" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcould-your-face-change-what-you-pay-nyc-wants-limits-on-biometric-tracking%2F&linkname=Could%20your%20face%20change%20what%20you%20pay%3F%20NYC%20wants%20limits%20on%20biometric%20tracking" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>*** This is a Security Bloggers Network syndicated blog from <a href="https://www.malwarebytes.com/">Malwarebytes</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Malwarebytes">Malwarebytes</a>. Read the original post at: <a href="https://www.malwarebytes.com/blog/news/2026/03/could-your-face-change-what-you-pay-nyc-wants-limits-on-biometric-tracking">https://www.malwarebytes.com/blog/news/2026/03/could-your-face-change-what-you-pay-nyc-wants-limits-on-biometric-tracking</a>

securityboulevard.com

Randall Munroe’s XKCD ‘Plums’

None
Published date: 2026-03-20 00:00:00

None

<figure class=" sqs-block-image-figure intrinsic "> <a class=" sqs-block-image-link " href="https://xkcd.com/3209/"></a> <img data-stretch="false" data-image="https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/0cb29db4-14a2-445e-9457-1e4cc4398d4a/plums.png" data-image-dimensions="251x409" data-image-focal-point="0.5,0.5" alt="" data-load="false" elementtiming="system-image-block" src="https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/0cb29db4-14a2-445e-9457-1e4cc4398d4a/plums.png?format=1000w" width="251" height="409" sizes="auto, (max-width: 640px) 100vw, (max-width: 767px) 100vw, 100vw" onload='this.classList.add("loaded")' srcset="https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/0cb29db4-14a2-445e-9457-1e4cc4398d4a/plums.png?format=100w 100w, https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/0cb29db4-14a2-445e-9457-1e4cc4398d4a/plums.png?format=300w 300w, https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/0cb29db4-14a2-445e-9457-1e4cc4398d4a/plums.png?format=500w 500w, https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/0cb29db4-14a2-445e-9457-1e4cc4398d4a/plums.png?format=750w 750w, https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/0cb29db4-14a2-445e-9457-1e4cc4398d4a/plums.png?format=1000w 1000w, https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/0cb29db4-14a2-445e-9457-1e4cc4398d4a/plums.png?format=1500w 1500w, https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/0cb29db4-14a2-445e-9457-1e4cc4398d4a/plums.png?format=2500w 2500w" loading="lazy" decoding="async" data-loader="sqs"> <figcaption class="image-caption-wrapper"> via the comic artistry and dry wit of Randall Munroe, creator of XKCD </figcaption></figure><a href="https://www.infosecurity.us/blog/2026/3/20/randall-munroes-xkcd-plums">Permalink</a> <div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/randall-munroes-xkcd-plums/" data-a2a-title="Randall Munroe’s XKCD ‘Plums’"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Frandall-munroes-xkcd-plums%2F&linkname=Randall%20Munroe%E2%80%99s%20XKCD%20%E2%80%98Plums%E2%80%99" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Frandall-munroes-xkcd-plums%2F&linkname=Randall%20Munroe%E2%80%99s%20XKCD%20%E2%80%98Plums%E2%80%99" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Frandall-munroes-xkcd-plums%2F&linkname=Randall%20Munroe%E2%80%99s%20XKCD%20%E2%80%98Plums%E2%80%99" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Frandall-munroes-xkcd-plums%2F&linkname=Randall%20Munroe%E2%80%99s%20XKCD%20%E2%80%98Plums%E2%80%99" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Frandall-munroes-xkcd-plums%2F&linkname=Randall%20Munroe%E2%80%99s%20XKCD%20%E2%80%98Plums%E2%80%99" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>*** This is a Security Bloggers Network syndicated blog from <a href="https://www.infosecurity.us/">Infosecurity.US</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Marc Handelman">Marc Handelman</a>. Read the original post at: <a href="https://xkcd.com/3209/">https://xkcd.com/3209/</a>

securityboulevard.com

Your Lateral Movement Detection Tools Are Missing 90% of Attacks. Here’s Why.

None
Published date: 2026-03-20 00:00:00

None

The average time to detect a breach used to be measured in months. Now it’s measured in minutes. And your <a href="https://d3security.com/glossary/">lateral movement detection tools</a> still can’t keep up.Here’s the uncomfortable truth: 90% of organizations experienced lateral movement in their last breach, and most detected it too late. The average eCrime attacker achieves a complete breakout in just 29 minutes, according to <a href="https://www.crowdstrike.com/global-threat-report/" rel="noreferrer noopener">CrowdStrike’s 2026 Global Threat Report</a>. Your detection tools are fighting a 70-minute alert investigation timeline with a 56-minute delay before a SOC analyst even begins to act. By then, the attacker is already pivoting.The problem is structural.<h2 class="wp-block-heading">The Blind Spot in Lateral Movement Detection Tools</h2><h3 class="wp-block-heading">Structural Gaps in Detection Coverage</h3>Traditional lateral movement detection tools work in silos. They monitor individual signals (network traffic, endpoint behavior, credentials used, privileged access) but they don’t see the story connecting them. They’re like security cameras in different rooms of a building that never share footage.An attacker exploits this structural gap daily. They move from the compromised finance analyst to a mid-tier file server. Your EDR flags the movement. Your SIEM flags the unusual login. Your NDR flags the unusual data transfer. But none of these tools talk to each other in real time. So you get three independent alerts, three separate investigations, three chances to miss the full scope of the compromise.This is why 67% of alerts go uninvestigated. Not because analysts are asleep. Because they can’t correlate disparate signals fast enough to understand what they’re looking at.<h3 class="wp-block-heading">Speed Limitations in Alert Investigation</h3>The second problem: stealth. Modern attacks don’t announce themselves. CrowdStrike’s 2026 data shows 82% of current detections are malware-free attacks: pure human-operated lateral movement using legitimate tools and stolen credentials. Your lateral movement detection tools are trained to spot malicious code, unusual process chains, and behavioral anomalies. But when an attacker uses your own admin credentials to move laterally, when they use RDP or PowerShell as you do every day, when they leverage legitimate tools, the signal disappears into the noise.Traditional lateral movement detection tools catch the obvious move. They miss the smart attacker.The third problem is scope. When lateral movement detection tools finally flag something suspicious, they show you an alert. Not a map. Not a timeline. Not what the attacker accessed. You get a data point, and from that point, your SOC team must manually follow the thread backward and forward to understand what happened. That’s why the average investigation takes 70 minutes, and that’s if the alert survives the investigation prioritization queue.<div style="display: flex; justify-content: center; align-items: center; width: 100%; min-height: auto;"> <object type="image/svg+xml" data="https://d3security.com/wp-content/uploads/2026/03/MorpheusAPD-3.svg" width="100%" height="auto" style="max-width: 800px;"></object> </div><h2 class="wp-block-heading">How Attack Path Discovery Changes the Equation</h2><a href="https://d3security.com/morpheus/investigation/">Attack Path Discovery</a> (APD) represents a fundamental shift in how you understand compromise.Instead of detecting individual lateral moves, APD correlates evidence across your entire security stack (endpoint, network, identity, cloud, data, applications) simultaneously. It doesn’t wait for a single tool to flag something suspicious. It maps the full logical journey an attacker took, showing you exactly which systems were accessed, which credentials were used, what data was touched, and which systems are now at risk.This matters because lateral movement is a sequence of connected events. Traditional tools see the tree. APD sees the forest.When an attacker moves from the compromised endpoint to a file server to a database, traditional lateral movement detection tools produce three separate alerts (or none, if the attacker was subtle). APD produces one clear narrative: the attack path. It shows the entry point, every hop, every privilege escalation, every sensitive data access. A complete picture of the compromise in one coherent story.This changes how fast your SOC can respond. It changes what they can actually prevent. <h2 class="wp-block-heading">How Morpheus AI Implements Attack Path Discovery</h2><a href="https://d3security.com/morpheus/">Morpheus AI</a> is purpose-built for this. It’s a cybersecurity-specific large language model trained for 24 months by 60 security specialists to understand attack paths as sequences, not isolated events. Rather than a lateral movement detection tool layered on top of a general-purpose platform, it represents a fundamental shift in attack understanding.Here’s what that means in practice:<h3 class="wp-block-heading">Multi-Dimensional Correlation</h3>Morpheus AI ingests data from 800+ security integrations, every tool in your stack. More importantly, it understands the relationships between those data sources. It knows that an unusual network connection + a new credential use + a data access event = a potential lateral movement sequence, even if each individual signal is subtle.<h3 class="wp-block-heading">Self-Healing Integrations and Contextual Playbooks</h3><a href="https://d3security.com/morpheus/self-healing-integrations/">Self-Healing Integrations</a>. APIs drift. Integrations break. When they do, most platforms stop collecting data. Morpheus AI’s self-healing integration layer detects API drift automatically and fixes it, so you don’t lose visibility during an attack because a Splunk connector drifted.Contextual Playbook Generation. You don’t have to choose between speed and accuracy. Morpheus AI generates response playbooks at runtime, based on the actual evidence it found. These are playbooks tailored to the specific attack path it discovered, not templated responses or generic runbooks. This means your SOC can start responding to the actual compromise, not a hypothetical one. This kind of <a href="https://d3security.com/morpheus/response/">security automation</a> is what separates reactive from proactive security operations.<h3 class="wp-block-heading">Sub-2-Minute Investigation</h3>While traditional lateral movement detection tools leave SOC analysts staring at an alert for 70 minutes trying to understand context, Morpheus AI delivers a complete attack path narrative in under 2 minutes. It answers the questions your team would spend an hour manually investigating: What was the entry point? Where did they move? What can they access now? What’s the blast radius?<h2 class="wp-block-heading">A Real-World Scenario: Why Lateral Movement Detection Tools Fail</h2>Consider a scenario from real SOC experience:A finance analyst clicks a phishing link. Their endpoint is compromised. They don’t know it yet.Hour 0:00 — The attacker lands on the compromised endpoint. Traditional lateral movement detection tools might flag unusual process activity, but the endpoint wasn’t running active threat hunting. The alert sits in a queue.Hour 0:15 — The attacker extracts the analyst’s cached credentials and uses them to RDP into a mid-tier file server. Traditional lateral movement detection tools might flag the RDP connection (unusual for this user, unusual time of day) but the organization has thousands of RDP connections daily. The alert is low-confidence. It goes to the bottom of the triage queue.Hour 0:22 — The attacker moves from the file server to a database server. They extract a list of customer accounts. Traditional lateral movement detection tools flag a data exfiltration event. But the database connection came from a known internal server, using cached credentials. Low-confidence. Queue.Hour 1:05 — A security analyst finally begins investigating one of these alerts. They spend 70 minutes correlating events from endpoint, network, and database logs to understand the full scope: entry point, lateral movement path, data accessed.Hour 2:15 — Response begins.With Morpheus AI’s <a href="https://d3security.com/morpheus/investigation/">Attack Path Discovery</a>:Hour 0:22 — Morpheus AI correlates the endpoint compromise, the credential extraction, the unusual RDP connection, the suspicious database access, and the data exfiltration into a single coherent narrative. It generates a playbook: isolate the compromised endpoint, revoke cached credentials, audit database access, lock down the affected servers.Hour 0:25 — The SOC analyst sees a complete attack path, not three separate alerts. Response begins immediately. The attacker has been active for 22 minutes. Your organization stops them at minute 25.The difference between lateral movement detection tools and Attack Path Discovery is fundamental. It’s the difference between seeing the attack and understanding it. Between spending 70 minutes investigating and 2 minutes responding.<h2 class="wp-block-heading">Why This Matters for Your Bottom Line</h2>The average breach involving lateral movement costs $4.88 million. A third of that cost comes from investigation and response time. Cutting investigation time by an order of magnitude (from 70 minutes to 2 minutes) is transformational.More importantly, it’s about what you can actually prevent. When your SOC team can see a complete attack path in 2 minutes instead of an hour, they can intervene during the attack. They can block the next lateral move. They can isolate systems before data is exfiltrated. They stop the attacker mid-sequence, not after full compromise.Traditional lateral movement detection tools react to what already happened. Attack Path Discovery prevents what’s about to happen.<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="960" height="540" src="https://d3security.com/wp-content/uploads/2025/03/morpheus-ai-whitepaper-cover-v2-1.png" alt="Cover art for the whitepaper titled: Morpheus AI-Driven Autonomous Investigation, Triage, and Response" class="wp-image-55641" srcset="https://d3security.com/wp-content/uploads/2025/03/morpheus-ai-whitepaper-cover-v2-1.png 960w, https://d3security.com/wp-content/uploads/2025/03/morpheus-ai-whitepaper-cover-v2-1-300x169.png 300w, https://d3security.com/wp-content/uploads/2025/03/morpheus-ai-whitepaper-cover-v2-1-768x432.png 768w" sizes="auto, (max-width: 960px) 100vw, 960px"></figure><h2 class="wp-block-heading">The Verdict: Why Lateral Movement Detection Tools Aren’t Enough</h2>Your lateral movement detection tools are working as designed. They’re catching individual lateral moves. But in an environment where the average attacker completes a full breakout in 29 minutes, individual detection isn’t enough. You need correlation. You need speed. You need the full attack path, not isolated alerts.That’s what separates Attack Path Discovery from lateral movement detection tools. It’s a fundamentally different model: one built on autonomous multi-dimensional correlation across your entire security stack, delivered in the time it takes to pour a cup of coffee.Morpheus AI brings this model to your organization without requiring you to rip out your existing tools. It integrates with 800+ platforms. It learns your specific environment. It generates playbooks that your team can execute immediately.Lateral movement detection tools have a place in your security program. What matters is whether you can afford to rely on them alone. You need correlation, speed, and the full attack path.<h2 class="wp-block-heading">See Attack Path Discovery in Action</h2><a href="https://d3security.com/demo/">Request a live demonstration</a> of <a href="https://d3security.com/morpheus/">Morpheus AI</a> tracing a complete attack path across your security stack in under 2 minutes.<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="1920" height="1080" src="https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-%E2%80%94-Attack-Path-Discovery-vs.-Lateral-Movement-Detection.jpg" alt="" class="wp-image-59260" srcset="https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Attack-Path-Discovery-vs.-Lateral-Movement-Detection.jpg 1920w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Attack-Path-Discovery-vs.-Lateral-Movement-Detection-300x169.jpg 300w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Attack-Path-Discovery-vs.-Lateral-Movement-Detection-1024x576.jpg 1024w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Attack-Path-Discovery-vs.-Lateral-Movement-Detection-768x432.jpg 768w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Attack-Path-Discovery-vs.-Lateral-Movement-Detection-1536x864.jpg 1536w" sizes="auto, (max-width: 1920px) 100vw, 1920px"></figure>Read the Full Resource: <a href="https://d3security.com/resources/attack-path-discovery-vs-lateral-movement/">Attack Path Discovery vs. Lateral Movement Detection: Why Detection Alone Falls Short</a>A detailed comparison of lateral movement detection tools vs. Attack Path Discovery, with real-world scenarios and timing analysis.Explore more cybersecurity terms and concepts in the <a href="https://d3security.com/glossary/">D3 Security Glossary</a>.<script type="application/ld+json"> { "@context": "https://schema.org", "@type": "FAQPage", "mainEntity": [ { "@type": "Question", "@id": "#q1", "name": "What are lateral movement detection tools and how do they work?", "acceptedAnswer": { "@type": "Answer", "text": "Lateral movement detection tools monitor network traffic, endpoint behavior, and user activity to identify when an attacker moves from one system to another within a compromised network. They analyze patterns like unusual login attempts, credential usage, and data access to flag suspicious movement between systems." } }, { "@type": "Question", "@id": "#q2", "name": "Why are traditional lateral movement detection tools not enough?", "acceptedAnswer": { "@type": "Answer", "text": "Traditional lateral movement detection tools operate in silos, monitoring individual signals without correlation. They generate separate alerts from endpoint, network, and identity tools that teams must manually correlate. This delays investigation by an average of 70 minutes, while attackers complete breakouts in 29 minutes." } }, { "@type": "Question", "@id": "#q3", "name": "What is Attack Path Discovery and how is it different?", "acceptedAnswer": { "@type": "Answer", "text": "Attack Path Discovery (APD) correlates evidence across your entire security stack—endpoint, network, identity, cloud, data, applications—simultaneously. Instead of generating multiple independent alerts, APD creates one coherent narrative showing the complete attack path, enabling sub-2-minute investigation versus 70+ minutes with traditional lateral movement detection tools." } }, { "@type": "Question", "@id": "#q4", "name": "Can I use Attack Path Discovery alongside my existing lateral movement detection tools?", "acceptedAnswer": { "@type": "Answer", "text": "Yes. Attack Path Discovery complements traditional lateral movement detection tools rather than replacing them. It ingests data from 800+ security integrations including EDR, SIEM, NDR, and identity platforms, creating unified attack narratives from signals your existing lateral movement detection tools generate." } }, { "@type": "Question", "@id": "#q5", "name": "What is the impact of faster lateral movement detection on breach costs?", "acceptedAnswer": { "@type": "Answer", "text": "Breaches involving lateral movement cost an average of $4.88 million, with one-third of that cost attributed to investigation and response time. Reducing investigation time from 70 minutes to 2 minutes can save millions in remediation costs and prevent attackers from reaching critical assets before detection." } } ] } </script>The post <a href="https://d3security.com/blog/attack-path-discovery-vs-lateral-movement/">Your Lateral Movement Detection Tools Are Missing 90% of Attacks. Here’s Why.</a> appeared first on <a href="https://d3security.com/">D3 Security</a>.<div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/your-lateral-movement-detection-tools-are-missing-90-of-attacks-heres-why/" data-a2a-title="Your Lateral Movement Detection Tools Are Missing 90% of Attacks. Here’s Why."><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fyour-lateral-movement-detection-tools-are-missing-90-of-attacks-heres-why%2F&linkname=Your%20Lateral%20Movement%20Detection%20Tools%20Are%20Missing%2090%25%20of%20Attacks.%20Here%E2%80%99s%20Why." title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fyour-lateral-movement-detection-tools-are-missing-90-of-attacks-heres-why%2F&linkname=Your%20Lateral%20Movement%20Detection%20Tools%20Are%20Missing%2090%25%20of%20Attacks.%20Here%E2%80%99s%20Why." title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fyour-lateral-movement-detection-tools-are-missing-90-of-attacks-heres-why%2F&linkname=Your%20Lateral%20Movement%20Detection%20Tools%20Are%20Missing%2090%25%20of%20Attacks.%20Here%E2%80%99s%20Why." title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fyour-lateral-movement-detection-tools-are-missing-90-of-attacks-heres-why%2F&linkname=Your%20Lateral%20Movement%20Detection%20Tools%20Are%20Missing%2090%25%20of%20Attacks.%20Here%E2%80%99s%20Why." title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fyour-lateral-movement-detection-tools-are-missing-90-of-attacks-heres-why%2F&linkname=Your%20Lateral%20Movement%20Detection%20Tools%20Are%20Missing%2090%25%20of%20Attacks.%20Here%E2%80%99s%20Why." title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>*** This is a Security Bloggers Network syndicated blog from <a href="https://d3security.com/">D3 Security</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Shriram Sharma">Shriram Sharma</a>. Read the original post at: <a href="https://d3security.com/blog/attack-path-discovery-vs-lateral-movement/">https://d3security.com/blog/attack-path-discovery-vs-lateral-movement/</a>

securityboulevard.com

Your SIEM Isn’t Broken. Your Investigation Layer Is Missing.

None
Published date: 2026-03-20 00:00:00

None

73% of security leaders are evaluating SIEM alternatives. Here’s why they’re asking the wrong question.The cybersecurity industry has a new consensus: SIEM is broken. Startups pitch AI SOC platforms as the replacement. Analysts warn of vendor lock-in. Conference keynotes declare the end of an era.They’re all wrong about the diagnosis.The SIEM isn’t broken. The investigation layer that should sit on top of it was never built. And that gap is what’s actually burning out SOC teams, letting attackers dwell for months, and driving the 73% of security leaders who told Sumo Logic they’re shopping for alternatives.<h2 class="wp-block-heading">The real numbers behind the frustration</h2>The frustration is justified. SANS found that analysts take an average of 56 minutes before acting on an alert and 70 minutes to fully investigate a single incident. Devo reports that 53% of all alerts are false positives. Up to 40% of alerts go completely uninvestigated. And 61% of SOC teams admit to ignoring alerts that later turned out to be genuine compromise.Those numbers aren’t a SIEM failure. They’re an investigation capacity failure. SIEMs detect and alert. They were never designed to investigate. When a SIEM fires an alert, a human analyst must manually query across endpoints, identity systems, cloud platforms, email gateways, and network sensors to figure out what actually happened. That manual process takes an hour. Organizations face thousands of alerts daily. The math doesn’t work.<h2 class="wp-block-heading">SIEMs still do things nothing else can</h2>Before ripping anything out, it’s worth acknowledging what SIEMs do well. They remain the authoritative system of record for compliance (SOC 2, HIPAA, PCI-DSS, NIS2, DORA). They handle log aggregation and normalization at enterprise scale. Their correlation rule engines represent years of detection engineering investment. And in May 2025, CISA and NSA published joint guidance explicitly recommending SIEM and SOAR implementation as foundational security infrastructure.The global SIEM market is projected to reach $13.55 billion by 2029 at 13.7% CAGR. SIEMs aren’t dying. They’re not going anywhere.<h2 class="wp-block-heading">The AI SOC market has a category problem</h2>Most AI SOC startups do one thing: they ingest alert feeds, score them with AI, and suppress false positives. That’s genuine noise reduction. True investigation requires cross-stack correlation.When SIEM vendors and industry analysts critique AI SOC companies, this L1 triage bot category is typically what they’re examining. Gartner placed AI SOC agents at the Peak of Inflated Expectations in their 2025 Hype Cycle, warning that claims still outpace sustained improvement.The critical buyer question: Does the AI investigate threats and correlate across your entire stack? Or does it help humans filter alerts faster while the same structural investigation gap remains?<h2 class="wp-block-heading">What investigation actually requires</h2>Real investigation means tracing attack paths across tool boundaries. When an attacker pivots from a compromised endpoint to a cloud identity provider to a SaaS application, the SIEM sees the individual logs. But no one is stitching them together into a coherent attack narrative in real time.D3 Security’s <a href="https://d3security.com/morpheus/">Morpheus AI</a> was built for exactly this. On every incoming alert, Morpheus AI queries the SIEM to pull correlated logs and context, then correlates across EDR, identity providers, cloud platforms, email gateways, and network sensors to build a unified attack timeline. It performs <a href="https://d3security.com/morpheus/investigation/">Attack Path Discovery</a> along two axes simultaneously: vertical deep inspection into the alert’s origin tool and horizontal correlation across the full security stack.<object data="https://d3security.com/wp-content/uploads/2026/03/MorpheusAPD-4.svg" type="image/svg+xml" width="100%" height="auto"></object>The result: L2-analyst-depth investigation on every alert, in under two minutes, 24/7. Full investigation with a contextual response playbook generated at runtime from the evidence.<h2 class="wp-block-heading">The SIEM becomes more valuable, not less</h2>This is the part most AI SOC vendors miss. Morpheus AI treats the SIEM as a critical data source, the investigation’s foundation. It complements rather than competes with your SIEM. Every SIEM log, every correlation rule, every enrichment feed contributes to a more complete investigation.The architecture is complementary: the SIEM detects and aggregates; Morpheus AI investigates and responds. Organizations keep their compliance system of record, their centralized log store, their correlation engine. They add the investigation intelligence that the SIEM was never designed to provide.<h2 class="wp-block-heading">What to ask your current vendors</h2>If you’re part of the 73% evaluating alternatives, these questions will separate real capability from marketing:<ol class="wp-block-list"> <li>Can your SIEM investigate the alerts it generates, or does it rely entirely on human analysts?</li> <li>Can any single tool in your stack correlate across endpoints, network, identity, email, and cloud simultaneously?</li> <li>Is your AI SOC platform a purpose-built cybersecurity LLM, or a general-purpose model with a security wrapper?</li> <li>Can the platform generate response playbooks contextually at runtime, or does it require static playbook authoring?</li> <li>What happens when one of your vendor’s APIs changes: silent failure, or autonomous <a href="https://d3security.com/morpheus/self-healing-integrations/">self-healing</a>?</li> <li>What is the measurable time from alert to complete investigation? Under 2 minutes, or over 60?</li> </ol><h2 class="wp-block-heading">See Morpheus AI Investigate a Real Alert</h2><a href="https://d3security.com/demo/">Request a live demonstration</a> of <a href="https://d3security.com/morpheus/">Morpheus AI</a> investigating a real alert from your stack in under 2 minutes.<figure class="wp-block-image aligncenter size-full"><a href="https://d3security.com/resources/beyond-siem-beside-siem/"><img fetchpriority="high" decoding="async" width="1920" height="1080" src="https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-%E2%80%94-Beyond-SIEM-Beside-SIEM.jpg" alt="Preview of the whitepaper: Beyond SIEM, Beside SIEM: How AI Closes the SIEM Investigation Gap" class="wp-image-59219" srcset="https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Beyond-SIEM-Beside-SIEM.jpg 1920w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Beyond-SIEM-Beside-SIEM-300x169.jpg 300w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Beyond-SIEM-Beside-SIEM-1024x576.jpg 1024w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Beyond-SIEM-Beside-SIEM-768x432.jpg 768w, https://d3security.com/wp-content/uploads/2026/03/D3-Morpheus-—-Beyond-SIEM-Beside-SIEM-1536x864.jpg 1536w" sizes="(max-width: 1920px) 100vw, 1920px"></a></figure>Read the Full Resource: <a href="https://d3security.com/resources/beyond-siem-beside-siem/">Beyond SIEM, Beside SIEM: How AI Closes the SIEM Investigation Gap</a>Why 73% of security leaders are evaluating SIEM alternatives, what the real gap is, and how Morpheus AI complements your SIEM investment.The post <a href="https://d3security.com/blog/siem-isnt-broken-investigation-layer-missing/">Your SIEM Isn’t Broken. Your Investigation Layer Is Missing.</a> appeared first on <a href="https://d3security.com/">D3 Security</a>.<div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/your-siem-isnt-broken-your-investigation-layer-is-missing/" data-a2a-title="Your SIEM Isn’t Broken. Your Investigation Layer Is Missing."><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fyour-siem-isnt-broken-your-investigation-layer-is-missing%2F&linkname=Your%20SIEM%20Isn%E2%80%99t%20Broken.%20Your%20Investigation%20Layer%20Is%20Missing." title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fyour-siem-isnt-broken-your-investigation-layer-is-missing%2F&linkname=Your%20SIEM%20Isn%E2%80%99t%20Broken.%20Your%20Investigation%20Layer%20Is%20Missing." title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fyour-siem-isnt-broken-your-investigation-layer-is-missing%2F&linkname=Your%20SIEM%20Isn%E2%80%99t%20Broken.%20Your%20Investigation%20Layer%20Is%20Missing." title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fyour-siem-isnt-broken-your-investigation-layer-is-missing%2F&linkname=Your%20SIEM%20Isn%E2%80%99t%20Broken.%20Your%20Investigation%20Layer%20Is%20Missing." title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fyour-siem-isnt-broken-your-investigation-layer-is-missing%2F&linkname=Your%20SIEM%20Isn%E2%80%99t%20Broken.%20Your%20Investigation%20Layer%20Is%20Missing." title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>*** This is a Security Bloggers Network syndicated blog from <a href="https://d3security.com/">D3 Security</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Shriram Sharma">Shriram Sharma</a>. Read the original post at: <a href="https://d3security.com/blog/siem-isnt-broken-investigation-layer-missing/">https://d3security.com/blog/siem-isnt-broken-investigation-layer-missing/</a>

securityboulevard.com

Cloud Security Posture Management in 2026

Johnbosco Ejiofor
Published date: 2026-03-20 00:00:00

None

Cloud security posture management (CSPM) <a href="https://securityboulevard.com/2025/02/7-cspm-tools-to-secure-your-cloud-infrastructure/" target="_blank" rel="noopener">is now a critical protection for businesses</a> in multi-cloud security environments. As of 2026, most businesses manage a hybrid and multi-cloud strategy and architecture for their AWS, Azure, Google Cloud Platform (GCP) and private clouds, which makes it unrealistic to attempt to monitor these environments manually. CSPM continuously monitors for cloud misconfigurations, non-compliance issues and changes in configurations, which in turn deliver automated policies and rules for the cloud services in use. CSPM can also be viewed as a combination of cloud operations, security engineering and compliance teams all in one, which is capable of helping companies scale despite limited teams. In this way, CSPM offers the awareness required to manage cloud risks through the detection of accessible storage, accessible ports and unsafe IAM policies. Market adoption also illustrates this shift, as the CSPM market is estimated to rise from <a href="https://www.grandviewresearch.com/industry-analysis/cloud-security-posture-management-market-report#:~:text=The%20services%20segment%20is%20projected,to%20enhance%20cloud%20security%20posture." target="_blank" rel="noopener">$5.25 billion in 2025 to over $10 billion by 2030</a>, according to analysts. The evolution of modern CSPM solutions has meant that, in addition to compliance, identity governance, information protection and automation of remediation have been centralized. Furthermore, these new tools allow CSPM to integrate with DevOps pipelines through policy as code and IaC scans, as well as threat intelligence and SIEM/SOAR tools, as seen in the case of <a href="https://www.group-ib.com/products/cloud-security-posture-management/" target="_blank" rel="noopener">Group-IB’s</a> CSPM, which monitors misconfigurations in the CI/CD pipeline to detect vulnerabilities before they reach production. CSPM is no longer just an emerging concept; it is now a mature form of cloud-native security that offers unified discovery, prioritization and remediation while reducing operational overhead. <h3 aria-level="1">Evolution of CSPM </h3>The first CSPMs, which appeared in the 2010s, were basic auditors for single clouds, raising awareness of glaring issues such as S3 buckets in public clouds or disabled encryption features. Yet as the use of the cloud increased, CSPM also evolved rapidly. In the late 2010s, the second generation of CSPMs emerged, capable of handling multiple clouds (AWS, Azure, GCP) by utilizing an agentless approach with API probes for scalability reasons. Now, CSPMs are context-aware, with built-in support for threat intelligence, CIEM and scanning of containers and Kubernetes clusters, while KSPM identifies <a href="https://www.picussecurity.com/resource/blog/the-ten-most-common-kubernetes-security-misconfigurations-how-to-address-them" target="_blank" rel="noopener">misconfigurations in clusters</a>, and DSPM helps with data security. The vice president of <a href="http://spin.ai/" target="_blank" rel="noopener">Spin.AI</a> describes the new generation of CSPMs as follows: “Modern CSPMs are much more independent and able to fix an increasing number of mistakes on their own.” Each generation of CSPM has been characterized by addressing new cloud security issues, evolving from static approaches to AI-based, real-time management of cloud posture. Some of the key trends within the industry include greater DevOps penetration as well as AI-based automation. By 2026, the leading CSPMs have broadly integrate into the category of cloud-native application protection platforms (CNAPPs). This is because they offer integrated assessments for vulnerabilities, workloads and postures, ensuring that the application of CSPMs is proactive within the CI/CD life cycle and addresses any potential misconfigurations. AI-based technology is increasingly being used to improve the detection of potential policy violators as well as anomalous behavior. Modern CSPM systems are capable of addressing situations independently and of escalating potentially critical threats to security teams, which is a very different approach from earlier CSPM scanners. <h3 aria-level="1">Core Functions and Use Cases </h3>By 2026, CSPM has become fully integrated throughout the cloud life cycle, effectively managing risk in dynamic environments. The primary objective of CSPM is continuous compliance and governance, which entails benchmarking against CIS Benchmarks, PCI DSS, HIPAA and GDPR, among other requirements. The platforms provide automated compliance across AWS, Azure and GCP, culminating in consolidated and audit-ready dashboards. Doing this manually is challenging, which is the main reason that nearly 89% of organizations have adopted CSPM, primarily for compliance, as stated by Flexera. CSPM also offers features such as automated asset discovery and the tracking of VMs, containers, databases, serverless workloads and SaaS integrations across accounts and regions. CSPM provides real-time visibility and prevents unmanaged assets by monitoring and sending alerts for changes and drifts. Once assets are mapped, CSPM moves on to risk assessment and prioritization. CSPM accomplishes this by using a combination of configuration checks and threat intelligence. Current CSPMs have evolved into remediation and guardrail areas, including automated remediations, one-click remediations and integrations using orchestration or ticket systems, with security scores directly linked to remediation through automation rules. Such capabilities are of utmost importance for regulated environments such as <a href="https://www.fedramp.gov/" target="_blank" rel="noopener">FedRAMP </a>and the U.S. Civilian Government. Today, CSPM is vital for organizations that manage multiple accounts, as it supports audit readiness, reduces risks and enables operational control of the environment. <h3 aria-level="1">Integration, Automation and AI </h3>CSPM has moved very strongly left, specifically into <a href="https://www.splunk.com/en_us/blog/learn/ci-cd-devops-pipeline.html">DevOps workflows and CI/CD pipelines</a>. CSPM scans code, specifically infrastructure as code, such as Terraform and AWS CloudFormation, before deployments. Through the implementation of security as code and the provision of intrinsic guardrails, configuration errors are identified before they enter the production environment. According to Group-IB, CSPM has moved into the monitoring of misconfigurations, specifically within CI/CD pipelines. Sophisticated CSPMs can also correlate posture findings with external threat intelligence. This helps identify which vulnerabilities have a higher probability of being exploited by an adversary, since it correlates posture findings with attack data. This outside-in perspective helps prioritize vulnerabilities according to their attack relevance. AI and analytics are playing an ever-increasing role in these capabilities. Machine learning algorithms operate on configuration and telemetry data to find anomalies and unknown risk patterns, whereas AI-driven virtual assistants, such as<a href="https://www.paloaltonetworks.com/blog/cloud-security/ai-powered-security-copilot/"> Prisma Cloud Copilot</a> from Palo Alto, speed up the overall investigation process. The literature on CSPM solutions identifies AI as a key enabler for CSPM solution development and notes that it is improving accuracy. However, other CSPMs go beyond detection to encompass orchestration and remediation. Advanced CSPMs now integrate with SOAR technology and ticketing systems, as well as cloud-native technology. CSPM now utilizes automation to remediate vulnerabilities, a feature that is essential in modern compliance as it assists in the enforcement of security policies in a multi-cloud infrastructure without human intervention. One of the distinguishing factors of CSPM in 2026 is its high level of integration and automation. CSPM solutions in 2026 are not standalone tools, as they were in 2020; they have developed into components of the broader security and DevOps ecosystem. <h3 aria-level="1">Mitigating Key Cloud Risks </h3>CSPM directly tackles risks specifically related to the cloud: <ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"134224900":false,"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="1" data-aria-level="1">Cloud Misconfigurations and Drift: The most prevalent cloud security risks are misconfigurations, which can cause security breaches due to misconfigured IAM policy, networking settings or storage permissions, leading to data leaks or security breaches. CSPM continuously monitors such security risks and alerts users to misconfigurations like public buckets or insecure S3 policy configurations. As security experts observe, attackers often exploit these misconfigurations in increasingly sophisticated ways. </li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"134224900":false,"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="2" data-aria-level="1">Identity and Access Threats: Excessive or insufficient privileges are other prominent identity and access threats. According to<a href="https://fedtechmagazine.com/article/2024/10/solving-multicloud-security-puzzle-with-cspm-perfcon" target="_blank" rel="noopener"> Sai Balabhadrapatruni</a>, a staff engineer at Palo Alto, identity-based attackers often leverage weak authentication processes and credentials obtained through theft. Current-generation CSPMs incorporate <a href="https://securityboulevard.com/2023/08/how-ciem-offers-a-clear-path-to-cloud-security/?__hstc=82239177.d58973e620b4621f680e52287e00bfc4.1761264000266.1761264000267.1761264000268.1&__hssc=82239177.1.1761264000269&__hsfp=1412292518" target="_blank" rel="noopener">IAM analytics and CIEM solutions</a> that detect overprivileged accounts. </li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"134224900":false,"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="3" data-aria-level="1">Vulnerable and Unpatched Resources: Many modern CSPMs also scan the cloud environment to identify known vulnerabilities, enabling the inclusion of CVE data in the asset inventory list. In this way, outdated and unpatched containers or images do not put the environment at risk. A unified view of misconfiguration and vulnerability alerts is offered in the new breed of CNAPP products. </li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"134224900":false,"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="4" data-aria-level="1">Data Exposure and Compliance Risks: CSPM identifies exposed data in unencrypted databases, incorrectly configured logging and disabled encryption. Rod Wallace of Amazon identifies common data exposures, such as publicly exposed storage buckets. CSPM’s continuous monitoring approach ensures data governance, validating encryption at rest and secure access controls are in place for all accounts. </li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"134224900":false,"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="5" data-aria-level="1">Cloud-Native Containers and Kubernetes: By 2026, most CSPM solutions include capabilities such as Kubernetes security posture management (KSPM), where containers and configurations such as pods, namespace policies and registry settings are monitored, along with alerts for misconfigured registries, insecure Helm charts and misconfigured pod security policies. </li></ul><h3 aria-level="1">Leading CSPM Solutions in 2026 </h3>What sets apart the top CSPMs of 2026, however, is their depth, their intelligence and their unification. As noted earlier, leading CSPMs have now outgrown the provision of simple scanning and have evolved into context-rich platforms integrated into CNAPPs, such as <a href="https://orca.security/">Orca Security</a>. What sets them apart, subsequently, is that they offer a unified and integrated version of CSPM, combined with workload security, identity security and data security. Examples of such vendors are Wiz and Microsoft Defender for cloud. Ease of use and automation are important differentiators. Top-tier CSPMs also come with comprehensive rule sets, automated compliance templates and remediation playbooks as part of their offering. This means that a number of issues can indeed be solved automatically or through the use of native cloud controls. On the other hand, generative AI assistants can assist teams with the automation of tasks and the addressing of security talent gaps. Top platforms also specialize in context-aware risk prioritization. This means that they do not treat all issues equally; instead, they correlate misconfigurations directly to asset criticality, exposure and threat intelligence data. Group-IB, for instance, now incorporates attack surface and threat intelligence data to inform posture-related findings and prioritize remediation efforts according to their relevance to adversaries. Similarly, this type of correlation is also done to support alert prioritization features offered by other platforms like SentinelOne. In short, seamless coordination between multiple clouds is now a requirement. Leading CSPMs now promise a single pane of glass approach to AWS, Azure and GCP clouds, normalizing policy and compliance views to reduce noise and friction. Last but not least, state-of-the-art solutions now integrate with GRC and audit solutions to provide role-based reporting, dashboards for executives and risk-based metrics. CSPM has evolved from a standalone control to a fundamental security and governance building block in enterprise architecture in 2026. <h3 aria-level="1">Conclusion </h3>What was once seen as a compliance-oriented product, albeit in a very narrow sense, has grown into something entirely different: AI-powered products at the heart of cloud security. CSPM in 2026 is no longer optional in any cloud deployment; it is the first line of defense. By its very nature of offering automation, visibility and prioritization of compliance and risk in ever-changing environments, CSPM solutions provide security teams with their best shot. CSPM, when integrated with external threat visibility solutions, allows users to have full clarity regarding cloud risks from code to production. While the cloud space continues to see tremendous innovation, the future of CSPM remains exciting, as does its purpose: To completely eradicate risks and complexities so that the cloud can be utilized for safe innovation. <div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/cloud-security-posture-management-in-2026/" data-a2a-title="Cloud Security Posture Management in 2026 "><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcloud-security-posture-management-in-2026%2F&linkname=Cloud%20Security%20Posture%20Management%20in%202026%C2%A0" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcloud-security-posture-management-in-2026%2F&linkname=Cloud%20Security%20Posture%20Management%20in%202026%C2%A0" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcloud-security-posture-management-in-2026%2F&linkname=Cloud%20Security%20Posture%20Management%20in%202026%C2%A0" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcloud-security-posture-management-in-2026%2F&linkname=Cloud%20Security%20Posture%20Management%20in%202026%C2%A0" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcloud-security-posture-management-in-2026%2F&linkname=Cloud%20Security%20Posture%20Management%20in%202026%C2%A0" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>

securityboulevard.com

Why MCP Gateways are a Bad Idea (and What to Do Instead)

Lidan Hazout
Published date: 2026-03-20 00:00:00

None

We all love MCP. <a href="https://securityboulevard.com/2026/03/introducing-the-mcp-security-gateway-the-next-generation-of-agentic-security/" target="_blank" rel="noopener">Model Context Protocol is open, simple, and powerful</a>, making it much easier to plug tools into AI agents in a consistent way. It has quickly become a core building block for many agentic architectures. We all understand the risks. When you give an agent access to powerful tools, you also give them the power to break things, leak data, or generate unexpected costs. So naturally, the industry started thinking: “We need a way to control MCP usage.” That is where MCP Gateways come in. The idea is attractive: Put a gateway in front of all MCP servers, and you can monitor tool calls, approve or deny specific actions, and enforce policies at a central control point. It sounds good at first. In practice, MCP Gateways are the wrong abstraction for securing modern agents. Let’s look at why. <h3 aria-level="2">Why MCP Gateways are a Bad Idea </h3>The instinct to put a gateway in front of MCP servers is understandable. It’s the same thinking that gave us firewalls, DMZs, and perimeter security. Put everything behind a checkpoint, monitor what flows through, and enforce policies from one central place. We know how that story ends. Perimeter security creates a hard shell with a soft center. Once you’re past the gate, you’re trusted. And in modern systems with APIs, microservices, and distributed agents, there are too many ways past the gate. MCP Gateways repeat this mistake at the protocol level. They try to solve a runtime problem with a network control, and that mismatch creates more issues than it solves. Here’s why they fall short: 1. They only cover MCP, not everything your agent can do Gateways only see what goes through MCP. Most real-world agent systems use much more than that. They execute shell commands and scripts, call native SDKs and libraries, connect directly to databases, and use framework-specific connectors for tools like Slack, GitHub, Jira, or cloud providers. A risky or buggy workflow does not care whether it uses MCP, a shell, or a built-in connector. From a security perspective, shell access is often far more dangerous than a typical MCP tool. If your security model only protects MCP, you are left with big blind spots. You are securing one door while the windows, back door, and garage are wide open. 2. They introduce a new secret management risk To work, many gateways require you to route requests, and often credentials, through them. API keys, OAuth tokens, service accounts, and other sensitive secrets may now live in or pass through a third-party system. Instead of reducing risk, you have just increased the number of places where your secrets exist, the number of systems that could be compromised, and the number of new vendors or services in your threat model. You tried to solve one problem, uncontrolled tool use, and created another, centralized secret exposure. 3. They lack full agent context Security is all about context. To decide whether a tool call is safe, you need to know the user prompt, the agent goal, the session history, what other tools were called before, and whether this call is part of a larger workflow or just a strange one-off. A gateway usually sees something like “Call tool X with arguments Y from client Z.” That is useful but incomplete. Without full session context, advanced detection is almost impossible. You cannot reliably flag suspicious sequences of actions, distinguish benign calls from data exfiltration, or enforce nuanced, context-aware policies like “only allow this if the user is in group A and the data is tagged B.” You end up with either overly permissive rules or very basic, noisy ones. 4. They are a single point of failure Most MCP Gateways are built as proxies or reverse proxies. If the gateway is down, misconfigured, rate-limited, or suffering from network issues, your agents are effectively offline. Instead of building resilient systems, you centralize everything behind one piece of infrastructure that now has to be highly available, low-latency, secure, and correctly configured across all environments. That is a lot of operational overhead for something that is supposed to “just” add security. 5. They are hard to enforce across all clients Even with a perfect design, you still face a major practical problem. How do you force every client and every agent to use the gateway? Agents can run in local developer environments, CI pipelines, different services or microservices, IDEs and notebooks, and on machines you do not fully control. If a client can talk directly to an MCP server, it can bypass the gateway unless you apply strict network and configuration controls everywhere. In practice, this often results in some traffic passing through the gateway and some not. You think you have control, but you do not have full coverage. Partial security can be worse than no security because it creates a false sense of safety. The good news is that there’s a better approach, one that actually addresses these fundamental problems instead of working around them. If MCP Gateways are the wrong layer, what is the right one? <h3 aria-level="2">Runtime Hooks – Securing the Entire Layer, Not Just the Protocol </h3>The best place to secure agents is inside the agent runtime itself, not at the edge of a single protocol. That is where runtime hooks come in. Hooks are built into the agent framework and trigger whenever tools are used. Runtime hooks solve the core limitations with gateways as a security guardrail: <ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="1" data-aria-level="1">Full coverage across all tooling, not just MCP </li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="2" data-aria-level="1">No credential exposure to third parties </li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="3" data-aria-level="1">Access to full session and prompt context </li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="4" data-aria-level="1">No single point of failure </li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="5" data-aria-level="1">Easy configuration and rollout </li></ul>Because hooks live at the agent layer, they can see MCP tools, shell commands, native SDK calls, HTTP requests, and framework-specific connectors. If the agent invokes something, a hook can catch it. You are not limited to monitoring just one protocol while everything else runs unobserved. In addition, to avoid credential exposure, hooks run inside your environment and inside your agent code. They do not require you to send your secrets to a third party. Secrets remain in your existing systems, no extra proxy or gateway needs to store API keys, and you keep complete control over secret management. Hooks can inspect metadata and arguments without becoming a new storage location for credentials. Running inside your code and environment provides additional value, where hooks can see the full conversation history, the current prompt, the agent state or plan, and previous tool calls in the same session. Your security logic can be truly context-aware. You can write policies like “block this call if the user is external and the data is marked internal only” or “alert if the agent chains several export-style tools suspiciously.” This is extremely hard to do from a protocol-level gateway that only sees isolated tool call requests. Because hooks are typically implemented as part of the agent SDK or runtime, they avoid creating a single point of failure. If a hook fails, you can design it to fail safely, denying only the risky call, or to degrade gracefully while the agent continues to run. You are not routing all traffic through one central network bottleneck. You are adding behavioral controls inside each agent process. Finally, hooks are easier to deploy and manage. Instead of managing complex network paths and proxies, you enable hooks in your agent framework, configure policies in one place, and ship that configuration with your agents. This is far easier to standardize across teams and environments than enforcing gateways for every client. On top of that, no code changes are required if hooks are integrated at the framework or platform level. Teams can adopt security controls by configuration alone, without modifying each agent implementation. <h3 aria-level="3">MCP Registries: Control at the Source </h3>Runtime hooks secure how tools are used, but decades of security practice have taught us that good hygiene requires defense in depth. You need controls at multiple layers, and one of the most effective is controlling what exists in your environment in the first place. This is not a new or novel idea. We learned this lesson with package managers, container registries, and API gateways. Allowlists and approved registries prevent unauthorized code and tools from entering your systems, and the same principles should be applied to MCP servers. An MCP Registry lets you maintain an allowlist of approved MCP servers in your organization, define which tools are available to which teams or environments, and prevent agents from discovering or using unapproved MCPs. Combined with runtime hooks, this gives you a strong two-layer model. The registry controls what is allowed, which MCPs and tools exist in your environment, while the hooks control how those tools are used, including policies, context checks, and detections. This applies years of proven runtime security principles to a new attack surface, rather than trying to retrofit network-layer controls that were never designed for this problem. <h3 aria-level="2">Beyond MCP Security – Securing the Entire Agentic Attack Surface </h3>MCP is powerful and here to stay. It deserves a security model that actually matches how agents work in practice. MCP Gateways repeat the mistakes of perimeter security by focusing on a single protocol, while agents are not limited to a single use case. They employ shell commands, native SDKs, database connections, and framework-specific tools. This introduces secret management risks through centralized credential handling, a lack of the full agent and session context needed for effective policy decisions, and creates both a single point of failure and enforcement challenges across distributed environments. We do not need to reinvent security models to secure agentic systems in production. Decades of running complex, distributed systems have already taught us what works and which layers are most critical to secure. Runtime hooks combined with MCP registries. Hooks give you full coverage across all tooling, complete session context for policy decisions, no credential exposure to third parties, no central bottleneck, and easy rollout with no code changes when integrated at the framework level. This, combined with well-maintained registries give you governance and control over which MCPs exist in your environment in the first place. The agentic world is evolving too fast to bet on protocol-level controls – secure the agent where it actually runs, not just the protocol it happens to use today. <div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/why-mcp-gateways-are-a-bad-idea-and-what-to-do-instead/" data-a2a-title="Why MCP Gateways are a Bad Idea (and What to Do Instead) "><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fwhy-mcp-gateways-are-a-bad-idea-and-what-to-do-instead%2F&linkname=Why%20MCP%20Gateways%20are%20a%20Bad%20Idea%20%28and%20What%20to%20Do%20Instead%29%C2%A0%20%20%C2%A0" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fwhy-mcp-gateways-are-a-bad-idea-and-what-to-do-instead%2F&linkname=Why%20MCP%20Gateways%20are%20a%20Bad%20Idea%20%28and%20What%20to%20Do%20Instead%29%C2%A0%20%20%C2%A0" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fwhy-mcp-gateways-are-a-bad-idea-and-what-to-do-instead%2F&linkname=Why%20MCP%20Gateways%20are%20a%20Bad%20Idea%20%28and%20What%20to%20Do%20Instead%29%C2%A0%20%20%C2%A0" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fwhy-mcp-gateways-are-a-bad-idea-and-what-to-do-instead%2F&linkname=Why%20MCP%20Gateways%20are%20a%20Bad%20Idea%20%28and%20What%20to%20Do%20Instead%29%C2%A0%20%20%C2%A0" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fwhy-mcp-gateways-are-a-bad-idea-and-what-to-do-instead%2F&linkname=Why%20MCP%20Gateways%20are%20a%20Bad%20Idea%20%28and%20What%20to%20Do%20Instead%29%C2%A0%20%20%C2%A0" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>

securityboulevard.com

Securing Third-Party Procurement Platforms with Enterprise SSO

None
Published date: 2026-03-20 00:00:00

None

<h2>Introduction</h2>Procurement is no longer a back-office function handled through spreadsheets and manual approvals. Modern enterprise teams depend on a growing stack of third-party tools to manage vendor relationships, purchase orders, contract lifecycles, and spend analytics. As these platforms become more deeply integrated into daily operations, they also become high-value targets for unauthorized access and data exfiltration.Enterprise teams often rely on <a href="https://www.procureflow.ai/">software that supports procurement</a> to manage vendors, approvals, and spending workflows. Without centralized SSO and role-based access control, these systems can become a major internal risk surface. When each procurement tool maintains its own authentication silo, security teams lose visibility and control over who has access to what—and that’s precisely the gap that enterprise SSO is designed to close.<h2>Why Procurement Platforms Are a Security Blind Spot</h2>Most organizations focus their identity and access management (IAM) efforts on core systems like CRMs, ERPs, and collaboration tools. Procurement platforms, despite handling sensitive financial data and vendor contracts, frequently fall outside the scope of centralized security policies. This creates several risks:Credential sprawl: Every standalone procurement tool adds another set of credentials for employees to manage. Weak or reused passwords across these platforms significantly increase the attack surface.Orphaned accounts: When employees leave or change roles, their access to procurement platforms often persists because these tools aren’t integrated into the organization’s identity provider (IdP). This results in stale accounts that can be exploited.Lack of audit trails: Without SSO integration, it’s nearly impossible to maintain a unified audit log of who accessed procurement data, when, and what actions they performed. This is a compliance liability under frameworks like SOC 2, ISO 27001, and GDPR.Shadow procurement: Teams sometimes adopt procurement tools without IT or security approval, creating shadow IT scenarios where sensitive vendor and financial data flows through unsanctioned channels.<h2>The Role of Enterprise SSO in Procurement Security</h2>Enterprise Single Sign-On (SSO) addresses these vulnerabilities by centralizing authentication through a single identity provider. When procurement platforms are brought under the SSO umbrella, organizations gain several critical capabilities:<h3>Centralized Authentication and Lifecycle Management</h3>With SSO, employees authenticate once through the organization’s IdP (such as Okta, Azure AD, or Google Workspace) and gain access to all authorized procurement tools without separate logins. More importantly, when an employee is offboarded from the IdP, their access to every connected application—including procurement platforms—is revoked automatically. This eliminates the orphaned account problem entirely.<h3>Enforced Multi-Factor Authentication (MFA)</h3>SSO allows organizations to enforce MFA policies consistently across all connected applications. Instead of relying on each procurement vendor’s native MFA implementation (which may vary in strength or not exist at all), the IdP enforces a uniform authentication standard. This is particularly important for procurement platforms where a single compromised account could approve fraudulent purchase orders.<h3>Role-Based Access Control (RBAC) Through SCIM</h3>Enterprise SSO implementations often include SCIM (System for Cross-domain Identity Management) provisioning, which synchronizes user roles and permissions from the IdP to connected applications. In the procurement context, this means that a finance manager automatically receives approver-level access while a department requester gets view-and-submit permissions—without manual configuration in each tool.<h3>Unified Compliance and Audit Trails</h3>When all procurement platform access flows through a centralized IdP, security teams get a single pane of glass for monitoring authentication events. This unified audit trail simplifies compliance reporting and makes it easier to detect anomalous access patterns—like a user suddenly accessing procurement data outside normal business hours or from an unfamiliar location.<h2>Common SSO Standards for Procurement Integration</h2>Not all procurement platforms support SSO out of the box, and the standards they support can vary. Understanding the key protocols helps organizations evaluate procurement tools and plan their integration strategy:SAML 2.0: The most widely supported enterprise SSO standard. SAML-based authentication is XML-heavy but mature and well-understood by IdPs. Most enterprise-grade procurement platforms support SAML integration.OIDC (OpenID Connect): A modern, lightweight alternative to SAML built on OAuth 2.0. OIDC is increasingly adopted by SaaS procurement tools and offers easier implementation for developers.SCIM 2.0: While not an authentication protocol, SCIM is essential for automated user provisioning and de-provisioning. It ensures that role changes in the IdP are reflected in procurement platforms in near real-time.Organizations evaluating procurement platforms should prioritize those that support at least SAML 2.0 or OIDC, with SCIM provisioning as a strong differentiator for enterprise readiness.<h2>Implementation Best Practices for Securing Procurement Platforms with SSO</h2>1. Inventory all procurement tools. Before rolling out SSO, catalog every procurement-related application in use across the organization—including tools adopted by individual teams without IT oversight. This inventory is the foundation for a comprehensive integration plan.2. Prioritize by data sensitivity. Rank procurement platforms by the sensitivity of the data they handle. Tools that process vendor contracts, payment information, or compliance documentation should be integrated with SSO first.3. Enforce SSO-only access. Where possible, disable local authentication on procurement platforms after SSO integration. Allowing password-based fallback creates a bypass that undermines the security benefits of centralized authentication.4. Implement SCIM for automated provisioning. Manual user management in procurement tools is unsustainable at scale. SCIM provisioning ensures that access rights are always current, reducing administrative overhead and eliminating security gaps during role transitions.5. Set up conditional access policies. Leverage your IdP’s conditional access capabilities to add context-aware security layers. For example, require step-up MFA when accessing procurement platforms from outside the corporate network, or block access from non-compliant devices.6. Monitor and review access regularly. Even with SSO and SCIM in place, periodic access reviews are essential. Verify that user roles in procurement platforms align with current job functions, and remove access that is no longer justified.<h2>What to Look for in an SSO Provider for Procurement Use Cases</h2>Not all SSO solutions are built for the complexity of enterprise procurement environments. When evaluating providers, consider the following:Broad protocol support: The provider should support SAML 2.0, OIDC, and SCIM to cover the widest range of procurement platforms.Pre-built integrations: Look for providers that offer pre-configured connectors for popular procurement and spend management tools, reducing implementation time.Developer-friendly APIs: For procurement platforms that lack native SSO support, the provider should offer well-documented APIs and SDKs that enable custom integration.Compliance-ready: The SSO provider should support compliance frameworks relevant to procurement, including SOC 2 Type II, ISO 27001, and GDPR.Multi-tenant architecture: Enterprise teams managing procurement across multiple business units or subsidiaries need an SSO solution that supports multi-tenant configurations without sacrificing security isolation.SSOJet is purpose-built for these enterprise requirements, offering SAML and OIDC support, SCIM-based directory sync, and a developer-first API that makes it straightforward to bring even custom procurement platforms under centralized identity management.<h2>The Cost of Not Securing Procurement Platforms</h2>The financial and reputational risks of leaving procurement platforms outside the SSO perimeter are significant. A compromised procurement account can lead to fraudulent vendor payments, unauthorized contract modifications, or data breaches involving sensitive supplier information. Beyond direct financial losses, organizations face regulatory penalties if audit trails are incomplete or access controls are found lacking during compliance assessments.The 2023 Verizon Data Breach Investigations Report found that stolen credentials were involved in nearly 50% of all breaches. Procurement platforms, with their access to financial data and vendor ecosystems, represent exactly the kind of high-value target where credential-based attacks do the most damage.<h2>Conclusion</h2>Securing third-party procurement platforms with enterprise SSO isn’t a nice-to-have—it’s a critical component of modern security architecture. As procurement workflows become more distributed and tool stacks grow more complex, centralized identity management through SSO and SCIM provisioning is the most effective way to maintain control over access, enforce consistent security policies, and meet compliance obligations.Organizations that proactively integrate their procurement platforms with SSO reduce their attack surface, streamline user lifecycle management, and gain the visibility needed to detect and respond to threats before they escalate. The question isn’t whether to secure procurement platforms with SSO—it’s how quickly you can close the gap.Ready to secure your procurement stack? SSOJet makes it easy to integrate enterprise SSO across your entire SaaS portfolio—including procurement, spend management, and vendor tools. <a href="https://ssojet.com/">Get started with SSOJet</a> today.<div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/securing-third-party-procurement-platforms-with-enterprise-sso/" data-a2a-title="Securing Third-Party Procurement Platforms with Enterprise SSO"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fsecuring-third-party-procurement-platforms-with-enterprise-sso%2F&linkname=Securing%20Third-Party%20Procurement%20Platforms%20with%20Enterprise%20SSO" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fsecuring-third-party-procurement-platforms-with-enterprise-sso%2F&linkname=Securing%20Third-Party%20Procurement%20Platforms%20with%20Enterprise%20SSO" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fsecuring-third-party-procurement-platforms-with-enterprise-sso%2F&linkname=Securing%20Third-Party%20Procurement%20Platforms%20with%20Enterprise%20SSO" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fsecuring-third-party-procurement-platforms-with-enterprise-sso%2F&linkname=Securing%20Third-Party%20Procurement%20Platforms%20with%20Enterprise%20SSO" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fsecuring-third-party-procurement-platforms-with-enterprise-sso%2F&linkname=Securing%20Third-Party%20Procurement%20Platforms%20with%20Enterprise%20SSO" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>*** This is a Security Bloggers Network syndicated blog from <a href="https://ssojet.com/blog">SSOJet - Enterprise SSO &amp; Identity Solutions</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by SSOJet - Enterprise SSO & Identity Solutions">SSOJet - Enterprise SSO & Identity Solutions</a>. Read the original post at: <a href="https://ssojet.com/blog/secure-third-party-procurement-sso">https://ssojet.com/blog/secure-third-party-procurement-sso</a>

securityboulevard.com

That “job brief” on Google Forms could infect your device

None
Published date: 2026-03-20 00:00:00

None

We’ve identified a campaign using business-related lures, such as job interviews, project briefs, and financial document, to distribute malware, including the PureHVNC Remote Access Trojan (RAT).It’s not the malware that’s new, but how the attack starts.Instead of the usual phishing email or fake download page, attackers are using Google Forms to kick off the infection chain. The attack typically begins when a victim downloads a business-themed ZIP file linked from a Google Form. Inside is a malicious file that sets off a multi-stage infection process, eventually installing malware on the system.<h2 class="wp-block-heading" id="h-what-is-purehvnc">What is PureHVNC?</h2>PureHVNC is a modular .NET RAT from the “Pure” malware family. In simple terms, it gives attackers remote control over an infected device and lets them steal sensitive information. Once installed, it can:<ul class="wp-block-list"> <li>Take control of the system and run commands remotely.</li> <li>Collect information about the device, including operating system, hardware, security software, and info about the user and connected devices.</li> <li>Steal data from browsers, extensions and crypto wallets.</li> <li>Extract data from apps like Telegram and Foxmail.</li> <li>Install additional plugins.</li> <li>Achieve persistence in several ways (for example, via scheduled tasks).</li> </ul><h2 class="wp-block-heading" id="h-different-lures-same-goal-compromise-your-device">Different lures, same goal: compromise your device</h2>In our research, we found multiple Google Forms hosting links to malicious ZIP files that start the infection chain. These forms are convincing, impersonating real company names, logos and links. LinkedIn is one of the platforms used to send links to these malicious forms.<div class="wp-block-jetpack-slideshow aligncenter" data-effect="slide" style="--aspect-ratio:calc(711 / 730)"> <div class="wp-block-jetpack-slideshow_container swiper"> <ul class="wp-block-jetpack-slideshow_swiper-wrapper swiper-wrapper"> <li class="wp-block-jetpack-slideshow_slide swiper-slide"> <figure><img decoding="async" loading="lazy" width="711" height="730" alt="" class="wp-block-jetpack-slideshow_image wp-image-390399" data-id="390399" data-aspect-ratio="711 / 730" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/google-forms-lure-1.png?w=711"><figcaption class="wp-block-jetpack-slideshow_caption gallery-caption">Fake Google Forms that distribute malicious ZIPs.</figcaption></figure> </li> <li class="wp-block-jetpack-slideshow_slide swiper-slide"> <figure><img decoding="async" loading="lazy" width="716" height="866" alt="" class="wp-block-jetpack-slideshow_image wp-image-390400" data-id="390400" data-aspect-ratio="716 / 866" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/ad-partnership.png?w=716"><figcaption class="wp-block-jetpack-slideshow_caption gallery-caption">The attackers impersonate real companies</figcaption></figure> </li> <li class="wp-block-jetpack-slideshow_slide swiper-slide"> <figure><img decoding="async" loading="lazy" width="678" height="957" alt="" class="wp-block-jetpack-slideshow_image wp-image-390401" data-id="390401" data-aspect-ratio="678 / 957" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/project-details-lure.png?w=678"><figcaption class="wp-block-jetpack-slideshow_caption gallery-caption">Well-known brands are impersonated to lend credibility</figcaption></figure> </li> </ul> <a class="wp-block-jetpack-slideshow_button-prev swiper-button-prev swiper-button-white" role="button"></a><a class="wp-block-jetpack-slideshow_button-next swiper-button-next swiper-button-white" role="button"></a><a aria-label="Pause Slideshow" class="wp-block-jetpack-slideshow_button-pause" role="button"></a> <div class="wp-block-jetpack-slideshow_pagination swiper-pagination swiper-pagination-white"></div> </div> </div>The forms typically ask for professional information (experience, background, etc.), making them feel like part of a real recruitment or business process.<div class="wp-block-jetpack-slideshow aligncenter" data-effect="slide" style="--aspect-ratio:calc(820 / 868)"> <div class="wp-block-jetpack-slideshow_container swiper"> <ul class="wp-block-jetpack-slideshow_swiper-wrapper swiper-wrapper"> <li class="wp-block-jetpack-slideshow_slide swiper-slide"> <figure><img decoding="async" loading="lazy" width="820" height="868" alt="Information requested from the user to make the form appear legitimate." class="wp-block-jetpack-slideshow_image wp-image-390225" data-id="390225" data-aspect-ratio="820 / 868" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_82ca84.png?w=820"><figcaption class="wp-block-jetpack-slideshow_caption gallery-caption">Information requested from the user to make the form appear legitimate.</figcaption></figure> </li> <li class="wp-block-jetpack-slideshow_slide swiper-slide"> <figure><img decoding="async" loading="lazy" width="840" height="977" alt="Information requested from the user to make the form appear legitimate." class="wp-block-jetpack-slideshow_image wp-image-390224" data-id="390224" data-aspect-ratio="840 / 977" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_d751b9.png?w=840"><figcaption class="wp-block-jetpack-slideshow_caption gallery-caption">More information.</figcaption></figure> </li> </ul> <a class="wp-block-jetpack-slideshow_button-prev swiper-button-prev swiper-button-white" role="button"></a><a class="wp-block-jetpack-slideshow_button-next swiper-button-next swiper-button-white" role="button"></a><a aria-label="Pause Slideshow" class="wp-block-jetpack-slideshow_button-pause" role="button"></a> <div class="wp-block-jetpack-slideshow_pagination swiper-pagination swiper-pagination-white"></div> </div> </div>The forms link to ZIP files hosted on:<ul class="wp-block-list"> <li>File-sharing services such as Dropbox, filedn.com, and fshare.vn</li> <li>URL shorteners such as tr.ee and goo.su</li> <li>Google redirect links that obscure the final destination</li> </ul>The ZIP archives use various names and are tied to different business-related themes (marketing, interviews, projects, job offers, budgets, partnerships, benefits) to avoid suspicion, for example:<ul class="wp-block-list"> <li><code>{CompanyName}_GlobalLogistics_Ad_Strategy.zip</code></li> <li><code>Project_Information_Summary_2026.zip</code></li> <li><code>{CompanyName} Project 2026 Interview Materials.zip</code></li> <li><code>{CompanyName}_Company_and_Job_Overview.pdf.rar</code></li> <li><code>Collaboration Project with {CompanyName} Company 2026.zip</code></li> </ul>The lures use the names of well-known companies, particularly in the financial, logistic, technology, sustainability and energy sectors. Impersonating legitimate organizations add credibility to their campaign.<h2 class="wp-block-heading" id="h-what-happens-after-you-download-the-file">What happens after you download the file</h2>The ZIP archives usually contain legitimate files (such as PDFs of job descriptions) and an executable file along with a DLL, typically named <code>msimg32.dll</code>. The DLL is executed via DLL hijacking (tricking a legitimate program into loading malicious code), although the technique has undergone multiple modifications and upgrades over time.<figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="497" height="701" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/google-form-pdf-image-1.png" alt="Legitimate PDFs are present in some ZIP files, like this one pretending to be a job description from a real company." class="wp-image-390430"><figcaption class="wp-element-caption">Legitimate PDFs are present in some ZIP files, like this one masquerading as a real job description.</figcaption></figure><h2 class="wp-block-heading" id="h-analysis-of-the-malicious-campaign">Analysis of the malicious campaign</h2>We identified multiple variants of this campaign, each using different methods to extract the archive, distinct Python code, and varying folder structures. Across these variants, the campaign typically includes an executable file along with a DLL hidden in a separate folder. In some cases, attackers also include legitimate files related to the lure’s theme, enhancing the overall credibility of the attack.<figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="872" height="157" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_35cd55.png" alt="Example of files present in one of the archives analyzed." class="wp-image-390222"><figcaption class="wp-element-caption">Example of files present in one of the archives analyzed.</figcaption></figure>The malicious code is present in the DLL, and carries out various operations, including:<ul class="wp-block-list"> <li>Decrypting strings with a simple XOR, in this case with the “4B” key.</li> <li>Detecting debugging and sandboxing with <code>IsDebuggerPresent()</code> and <code>time64()</code>, and displaying the error “This software has expired or debugger detected” if triggered.</li> <li>Deleting itself, then dropping and launching a fake PDF.</li> <li>Achieving persistence via the registry key <code>CurrentVersion\Run\Miroupdate</code>.</li> <li>Extracting the “final.zip” archive and running it.</li> </ul>In this case, the PDF was started with the following command:<code>cmd.exe /c start "" "C:\Users\user\Desktop\Marketing Director Assessment Project\Marketing_Director_Assessment_Project.pdf"</code><figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="815" height="890" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_bbc624.png" alt="The PDF opened during the infection chain." class="wp-image-390231"><figcaption class="wp-element-caption">The PDF opened during the infection chain.</figcaption></figure>The archive <code>final.zip</code> is unzipped using different commands across the analyzed campaigns into a random folder under <code>ProgramData</code>. In this example, the <code>tar</code> command is used:<code>cmd.exe /c tar -xf "C:\ProgramData\{random folder}\{random folder \final.zip" -C "C:\ProgramData\{random folder \{random folder} " >nul 2>&1</code>The zip contains several files associated with Python and the next stage.<figure class="wp-block-image aligncenter size-large"><img decoding="async" loading="lazy" height="385" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_2bfbd9.png?w=1024" alt="Python files compressed into a random folder in ProgramData." class="wp-image-390233"><figcaption class="wp-element-caption">Python files compressed into a random folder in ProgramData.</figcaption></figure>Next, an obfuscated Python script called <code>config.log</code> is executed. It ultimately decodes and runs a Donut shellcode. This script appears under different names (e.g., <code>image.mp3</code>) and formats in the different chains analyzed.<code>"C:\ProgramData\{random folder}\{random folder}\pythonw.exe" "C:\ProgramData\{random folder}\{random folder}\config.log"</code><figure class="wp-block-image aligncenter size-large"><img decoding="async" loading="lazy" height="447" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_12924c.png?w=1024" alt="Obfuscated Python script that ultimately loads the Donut shellcode." class="wp-image-390226"><figcaption class="wp-element-caption">Obfuscated Python script that ultimately loads the Donut shellcode.</figcaption></figure>At the end of the infection chain, PureHVNC was injected into <code>SearchUI.exe</code>. The injected process may vary across the analyzed samples.PureHVNC executes the following WMI queries to gather information about the compromised device:<ul class="wp-block-list"> <li><code>SELECT * FROM AntiVirusProduct</code></li> <li><code>SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')</code></li> <li><code>SELECT Caption FROM Win32_OperatingSystem</code></li> </ul>For persistence, it creates a scheduled task using a base64-PowerShell command, with the flag <code>“-RunLevel Highest”</code> if the user has admin rights.<figure class="wp-block-image aligncenter size-large"><img decoding="async" loading="lazy" height="567" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/powershell-commnand-for-scheduled-task.png?w=1024" alt="" class="wp-image-390414"><figcaption class="wp-element-caption">PowerShell command for the Scheduled Task</figcaption></figure>PureHVNC performs enumeration to exfiltrate information related to various browsers, extensions, and cryptocurrency wallets.<figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="875" height="632" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_2a7963.png" alt="Methods related to wallet and browser data exfiltration." class="wp-image-390221"></figure><figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="988" height="647" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_a587b6.png" alt="Methods related to wallet and browser data exfiltration." class="wp-image-390230"><figcaption class="wp-element-caption">Methods related to wallet and browser data exfiltration.</figcaption></figure>The malware configuration is encoded with base64 and compressed with GZIP.In this case, the configuration includes:<ul class="wp-block-list"> <li>C2: <code>207.148.66.14</code></li> <li>C2 ports: <code>56001, 56002, 56003</code></li> <li>Campaign ID: <code>Default</code> </li> <li>Sleeping Flag: <code>0</code></li> <li>Persistence Path: <code>APPDATA</code></li> <li>Mutex Name: <code>Rluukgz</code> </li> </ul><h2 class="wp-block-heading" id="h-how-to-stay-safe">How to stay safe</h2>Using Google Forms is a highly effective method for distributing malware. Attackers are relying on trust in familiar tools like Google Forms, Dropbox, and LinkedIn, and impersonating legitimate companies to get past your guard.If you deal with job offers, partnerships, or project work online, this is worth paying attention to:<ul class="wp-block-list"> <li>Always check the origin of Google Forms, don’t enter sensitive information, and don’t download files unless you fully trust the source.</li> <li>Verify requests through official company channels before engaging.</li> <li>Be wary of links hidden behind URL shorteners or redirects.</li> </ul><h2 class="wp-block-heading" id="h-indicators-of-compromise-iocs">Indicators of Compromise (IOCs)</h2>IP<code>207.148.66.14</code>URL<code>https://goo[.]su/CmLknt7</code><code>https://www.fshare[.]vn/file/F57BN4BZPC8W</code><code>https://tr[.].ee/R9y0SK</code><code>https://dl.dropbox[.]com/scl/fi/52sgtk50j285hmde2ycry/Overview-of-the-MSI-Accounting-Project.rar?rlkey=9qmunvcp8oleeycld08gqwup9</code>HASH<code>ca6bd16a6185c3823603b1ce751915eaa60fb9dcef91f764bef6410d729d60b3</code><code>d6b7ab6e5e46cab2d58eae6b15d06af476e011a0ce8fcb03ba12c0f32b0e6386</code><code>e7b9f608a90bf0c1e477a28f41cb6bd2484b997990018b72a87268bf46708320</code><code>e221bb31e3539381d4753633443c1595bd28821ab6c4a89ad00ea03b2e98aa00</code><code>7f9225a752da4df4ee4066d7937fe169ca9f28ecddffd76aa5151fb72a57d54b</code><code>e0ced0ea7b097d000cb23c0234dc41e864d1008052c4ddaeaea85f81b712d07c</code><code>b18e0d1b1e59f6e61f0dcab62fecebd8bcf4eb6481ff187083ea5fe5e0183f66</code><code>85c07d2935d6626fb96915da177a71d41f3d3a35f7c4b55e5737f64541618d37</code><code>b78514cfd0ba49d3181033d78cb7b7bc54b958f242a4ebcd0a5b39269bdc8357</code><code>fe398eb8dcf40673ba27b21290b4179d63d51749bc20a605ca01c68ee0eaebbc</code><code>1d533963b9148b2671f71d3bee44d8332e429aa9c99eb20063ab9af90901bd4d</code><code>c149158f18321badd71d63409d08c8f4d953d9cd4a832a6baca0f22a2d6a3877</code><code>83ce196489a2b2d18a8b17cd36818f7538128ed08ca230a92d6ee688cf143a6c</code><code>ea4fb511279c1e1fac1829ec2acff7fe194ce887917b9158c3a4ea213abd513a</code><code>59362a21e8266e91f535a2c94f3501c33f97dce0be52c64237eb91150eee33e3</code><code>a92f553c2d430e2f4114cfadc8e3a468e78bdadc7d8fc5112841c0fdb2009b2a</code><code>4957b08665ddbb6a2d7f81bf1d96d252c4d8c1963de228567d6d4c73858803a4</code><code>481360f518d076fc0acb671dc10e954e2c3ae7286278dfe0518da39770484e62</code><code>8d6bc4e1d0c469022947575cbdb2c5dd22d69f092e696f0693a84bc7df5ae5e0</code><code>258adaed24ac6a25000c9c1240bf6834482ef62c22b413614856b8973e11a79f</code>Pro tip: This is only a partial list of malicious URLs. Download the <a href="https://www.malwarebytes.com/browserguard" rel="noreferrer noopener">Malwarebytes Browser Guard plugin</a> for full protection and to block the remaining malicious domains.<hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide">We don’t just report on threats—we remove themCybersecurity risks should never spread beyond a headline. Keep threats off your devices by <a href="https://www.malwarebytes.com/for-home">downloading Malwarebytes today</a>.<div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/that-job-brief-on-google-forms-could-infect-your-device/" data-a2a-title="That “job brief” on Google Forms could infect your device"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fthat-job-brief-on-google-forms-could-infect-your-device%2F&linkname=That%20%E2%80%9Cjob%20brief%E2%80%9D%20on%20Google%20Forms%20could%20infect%20your%20device" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fthat-job-brief-on-google-forms-could-infect-your-device%2F&linkname=That%20%E2%80%9Cjob%20brief%E2%80%9D%20on%20Google%20Forms%20could%20infect%20your%20device" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fthat-job-brief-on-google-forms-could-infect-your-device%2F&linkname=That%20%E2%80%9Cjob%20brief%E2%80%9D%20on%20Google%20Forms%20could%20infect%20your%20device" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fthat-job-brief-on-google-forms-could-infect-your-device%2F&linkname=That%20%E2%80%9Cjob%20brief%E2%80%9D%20on%20Google%20Forms%20could%20infect%20your%20device" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fthat-job-brief-on-google-forms-could-infect-your-device%2F&linkname=That%20%E2%80%9Cjob%20brief%E2%80%9D%20on%20Google%20Forms%20could%20infect%20your%20device" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>*** This is a Security Bloggers Network syndicated blog from <a href="https://www.malwarebytes.com/">Malwarebytes</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Malwarebytes">Malwarebytes</a>. Read the original post at: <a href="https://www.malwarebytes.com/blog/threat-intel/2026/03/that-job-brief-on-google-forms-could-infect-your-device">https://www.malwarebytes.com/blog/threat-intel/2026/03/that-job-brief-on-google-forms-could-infect-your-device</a>

TidBITS

When Face ID Helps iPhone Security—And When to Turn It Off

Adam Engst
Published date: 2026-03-19 21:42:27

Heading to a protest or crossing a border? Your iPhone’s Face ID—which is normally a boon with Stolen Device Protection—could become a liability. Learn when to disable biometrics and what other steps you can take to protect your privacy and data from compelle…

Ive been thinking a lot more about physical iPhone security recently. For a long time, weve encouraged biometric authentication over manually entering iPhone passcodes because of the very real threat… [+10107 chars]

The Times of India

Beyond passwords and firewalls: Why the age of AI agents demands a new security playbook

Spotlight Wire
Published date: 2026-03-19 10:00:36

India Business News: As artificial intelligence agents begin to take on more work inside companies, the foundations of digital security are undergoing dramatic shifts. For.

EMI CalculatorDetermine the monthly installment amount for a loan

securityboulevard.com

Governing Tens of Thousands of AI Agents: Why Policy Chaining Matters

None
Published date: 2026-03-19 00:00:00

None

<img decoding="async" src="https://www.aryaka.com/wp-content/uploads/2026/03/Blog-Governing-Tens-of-Thousands-of-AI-Agents-Why-Policy-Blog-Banner.jpg" class="mb-2" loading="easy" alt="Governing Tens of Thousands of AI Agents: Why Policy Chaining Matters" style="border-radius:16px;"> A new architectural challenge is emerging as enterprises adopt AI agents at scale.It is no longer unusual for large organizations to plan for thousands or even tens of thousands of deployed agents across departments, applications, and workflows.These agents may assist employees, automate operations, analyze documents, interact with enterprise systems, and coordinate complex workflows.But once agents begin to proliferate across the enterprise, an important question arises:How do you govern and secure interactions with tens of thousands of agents without creating an unmanageable policy system?This challenge is often underestimated.<h2 class="f-size mt-4">Why Agent Governance Becomes Complex </h2>Even if many agents are built using the same underlying agent stack, they rarely behave the same way.Different agents require different runtime validation and governance.Consider a few examples. HR Agents An HR assistant interacting with employees may need to detect:<ul class="pl-5"> <li class="pb-1">employee PII. </li> <li class="pb-1"> compensation information. </li> <li class="pb-1"> social security numbers. </li> <li class="pb-1"> internal HR policies </li> </ul>Prompts or responses containing such information may need to be redacted or blocked. Developer Assistants A developer productivity agent may allow:<ul class="pl-5"> <li class="pb-1"> source code </li> <li class="pb-1"> snippets </li> <li class="pb-1"> stack traces </li> <li class="pb-1"> debugging discussions </li> </ul>But it must detect:<ul class="pl-5"> <li class="pb-1"> API keys. </li> <li class="pb-1"> internal repositories. </li> <li class="pb-1"> proprietary code leakage </li> </ul> Finance Agents Finance assistants may require strict checks for:<ul class="pl-5"> <li class="pb-1"> financial records</li> <li class="pb-1"> bank account numbers</li> <li class="pb-1"> tax identifiers</li> </ul>And may restrict external references entirely. Customer Support Agents Customer-facing assistants may require:<ul class="pl-5"> <li class="pb-1"> tone moderation</li> <li class="pb-1"> abuse detection</li> <li class="pb-1"> harassment filtering</li> </ul>Even if those checks are unnecessary for internal engineering assistants.<h2 class="f-size mt-4">The Combinatorial Explosion Problem </h2>Now consider a large enterprise environment.An organization may have:<ul class="pl-5"> <li class="pb-1"> 10,000 agent instances </li> <li class="pb-1"> 20 user groups</li> <li class="pb-1"> multiple agent types</li> <li class="pb-1"> multiple validation categories</li> </ul>Each interaction may require different combinations of:<ul class="pl-5"> <li class="pb-1"> content category restrictions</li> <li class="pb-1">content safety checks</li> <li class="pb-1">tone validation</li> <li class="pb-1">sensitive data detection</li> <li class="pb-1">code detection</li> <li class="pb-1">URL validation </li> </ul>Even if each agent only requires a few validation differences, the number of possible combinations quickly grows into tens of thousands of policy variations.Without the right policy model, this becomes extremely difficult to manage.<h2 class="f-size mt-4">AI>Secure: A Structured Runtime Governance Model </h2>AI>Secure addresses this challenge using three building blocks:<ol class="pl-5"> <li class="pb-1"> Validator Objects</li> <li class="pb-1">Inspection Objects</li> <li class="pb-1">Traffic Policies with Policy Chaining</li> </ol>This layered model allows enterprises to reuse validation logic while keeping runtime policies understandable.Validator ObjectsValidator objects represent individual validation capabilities.Examples include:<ul class="pl-5"> <li class="pb-1">content category filtering</li> <li class="pb-1">content safety checks</li> <li class="pb-1">tone validation</li> <li class="pb-1">sensitive material detection</li> <li class="pb-1">code detection</li> <li class="pb-1">URL classification</li> <li class="pb-1">prompt injection detection</li> </ul>Each validator can be tuned independently.For example:A Sensitive Data Validator for Finance may detect:<ul class="pl-5"> <li class="pb-1">bank account numbers</li> <li class="pb-1">tax identifiers</li> </ul>While a Sensitive Data Validator for Engineering may detect:<ul class="pl-5"> <li class="pb-1">source code</li> <li class="pb-1"> API keys</li> </ul>Validator objects allow enterprises to define reusable building blocks.Inspection ObjectsInspection objects combine multiple validators into reusable validation profiles.They define which validators run at each inspection point.Inspection points may include:<ul class="pl-5"> <li class="pb-1">user prompts </li> <li class="pb-1"> model responses</li> <li class="pb-1"> file uploads</li> <li class="pb-1"> tool requests</li> <li class="pb-1"> tool results</li> <li class="pb-1"> file downloads</li> </ul>For example:Finance Agent Inspection ObjectPrompt inspection:<ul class="pl-5"> <li class="pb-1"> financial data detection</li> <li class="pb-1"> prompt injection detection</li> <li class="pb-1">URL validation</li> </ul>Response inspection:<ul class="pl-5"> <li class="pb-1">financial leakage detection</li> <li class="pb-1">tone validation</li> </ul>Developer Agent Inspection ObjectPrompt inspection:<ul class="pl-5"> <li class="pb-1">code detection</li> <li class="pb-1">source code policy enforcement</li> </ul>Response inspection:<ul class="pl-5"> <li class="pb-1">API key detection</li> <li class="pb-1">URL validation</li> </ul>Inspection objects allow enterprises to define standard validation profiles that can be reused across many agents.Traffic PoliciesTraffic policies determine when each inspection object should be applied.Rules may match conditions such as:<ul class="pl-5"> <li class="pb-1">user identity</li> <li class="pb-1">user group</li> <li class="pb-1">department</li> <li class="pb-1">role</li> <li class="pb-1"> agent identity</li> <li class="pb-1">agent type</li> <li class="pb-1">device posture</li> <li class="pb-1">network location</li> </ul>Each rule performs one of three actions:<ul class="pl-5"> <li class="pb-1">ALLOW (with a specific inspection object)</li> <li class="pb-1"> DENY</li> <li class="pb-1">JUMP (delegate evaluation to another rulebase)</li> </ul>Rules are evaluated using first-match semantics.Policy ChainingInstead of forcing all policies into one massive rule list, AI>Secure supports policy chaining.Policy chaining allows one rulebase to delegate evaluation to another rulebase using a JUMP action.This allows enterprises to organize policies modularly.For example:Top-level policy:if user_group = Finance → JUMP finance-policyif user_group = HR → JUMP hr-policyelse → DENYFinance policy:if agent_type = expense → JUMP finance-expense-policyif agent_type = forecast → JUMP finance-forecast-policyelse → ALLOW finance-default-inspectionExpense policy:if role = contractor → ALLOW strict-finance-inspectionif role = manager → ALLOW finance-manager-inspectionIf a chained rulebase produces no match, evaluation returns to the parent rulebase.This allows fallback policies to apply naturally.Why Policy Chaining Works Well at ScalePolicy chaining provides several advantages for large enterprises.Modular Policy DesignPolicies can be organized by logical dimensions such as:<ul class="pl-5"> <li class="pb-1">department</li> <li class="pb-1">user group</li> <li class="pb-1">agent type</li> </ul>Instead of maintaining one giant rulebase.Reusable RulebasesRulebases can be reused across multiple parents.For example, a contractor restrictions policy can be reused across many departments.Deterministic EvaluationPolicies are evaluated along a single path using first-match semantics.There is no ambiguity about which policy applies.Easier DebuggingEach decision can be traced along the policy path:root-policy → finance-policy → expense-policy → ALLOWThis makes troubleshooting far easier.Why Not Use Hierarchical Policy Models?Some systems use hierarchical policy inheritance, where multiple policies are applied and merged.For example:global policy ↓ department policy ↓ application policy ↓ user policyAll policies contribute to the final decision.While this model can be powerful, it also introduces challenges:<ul class="pl-5"> <li class="pb-1">policies must be merged </li> <li class="pb-1">pconflict resolution becomes complex</li> <li class="pb-1">pdebugging becomes difficult</li> <li class="pb-1">ppolicy behavior becomes less predictable</li> </ul>When many policies interact simultaneously, understanding why a decision occurred can become extremely difficult.The Advantage of Policy ChainingAI>Secure avoids these complexities by using policy chaining instead of policy merging.With policy chaining:<ul class="pl-5"> <li class="pb-1">ppolicies are evaluated sequentially</li> <li class="pb-1">ponly one evaluation path is taken</li> <li class="pb-1">p decisions are deterministic</li> <li class="pb-1">p policy reuse remains possible through chained rulebases</li> </ul>This approach provides the flexibility enterprises need without introducing the complexity of hierarchical policy merging.<h2 class="f-size mt-4">Scaling Runtime Governance for AI Agents</h2>As enterprises deploy thousands of agents, runtime governance becomes a core architectural requirement.The challenge is not just detecting unsafe content.It is managing large-scale validation policies in a way that remains understandable and maintainable.AI>Secure addresses this through:<ul class="pl-5"> <li class="pb-1">p reusable validator objects</li> <li class="pb-1">p reusable inspection profiles</li> <li class="pb-1">p modular traffic policies</li> <li class="pb-1">p policy chaining for scalable rule organization</li> </ul>Together, these capabilities allow enterprises to govern AI interactions at scale while keeping policy systems manageable.The future of enterprise AI will not simply be about building agents.It will be about governing thousands of agent interactions safely and predictably.And doing that effectively requires the right runtime policy architecture.The post <a rel="nofollow" href="https://www.aryaka.com/blog/governing-tens-of-thousands-of-ai-agents-policy-chaining/">Governing Tens of Thousands of AI Agents: Why Policy Chaining Matters</a> appeared first on <a rel="nofollow" href="https://www.aryaka.com/">Aryaka</a>.<div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/governing-tens-of-thousands-of-ai-agents-why-policy-chaining-matters/" data-a2a-title="Governing Tens of Thousands of AI Agents: Why Policy Chaining Matters"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fgoverning-tens-of-thousands-of-ai-agents-why-policy-chaining-matters%2F&linkname=Governing%20Tens%20of%20Thousands%20of%20AI%20Agents%3A%20Why%20Policy%20Chaining%20Matters" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fgoverning-tens-of-thousands-of-ai-agents-why-policy-chaining-matters%2F&linkname=Governing%20Tens%20of%20Thousands%20of%20AI%20Agents%3A%20Why%20Policy%20Chaining%20Matters" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fgoverning-tens-of-thousands-of-ai-agents-why-policy-chaining-matters%2F&linkname=Governing%20Tens%20of%20Thousands%20of%20AI%20Agents%3A%20Why%20Policy%20Chaining%20Matters" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fgoverning-tens-of-thousands-of-ai-agents-why-policy-chaining-matters%2F&linkname=Governing%20Tens%20of%20Thousands%20of%20AI%20Agents%3A%20Why%20Policy%20Chaining%20Matters" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fgoverning-tens-of-thousands-of-ai-agents-why-policy-chaining-matters%2F&linkname=Governing%20Tens%20of%20Thousands%20of%20AI%20Agents%3A%20Why%20Policy%20Chaining%20Matters" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>*** This is a Security Bloggers Network syndicated blog from <a href="https://www.aryaka.com">Aryaka</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Srini Addepalli">Srini Addepalli</a>. Read the original post at: <a href="https://www.aryaka.com/blog/governing-tens-of-thousands-of-ai-agents-policy-chaining/">https://www.aryaka.com/blog/governing-tens-of-thousands-of-ai-agents-policy-chaining/</a>

securityboulevard.com

SIEM Is Not Dead. It Just Stopped Moving Fast Enough.

None
Published date: 2026-03-19 00:00:00

None

<figure class="wp-block-image size-large"><a href="https://raffy.ch/blog/wp-content/uploads/2026/03/ChatGPT-Image-Mar-18-2026-01_54_57-PM.png"><img fetchpriority="high" decoding="async" width="1024" height="683" src="https://raffy.ch/blog/wp-content/uploads/2026/03/ChatGPT-Image-Mar-18-2026-01_54_57-PM-1024x683.png" alt="" class="wp-image-1637" srcset="https://raffy.ch/blog/wp-content/uploads/2026/03/ChatGPT-Image-Mar-18-2026-01_54_57-PM-1024x683.png 1024w, https://raffy.ch/blog/wp-content/uploads/2026/03/ChatGPT-Image-Mar-18-2026-01_54_57-PM-300x200.png 300w, https://raffy.ch/blog/wp-content/uploads/2026/03/ChatGPT-Image-Mar-18-2026-01_54_57-PM-768x512.png 768w, https://raffy.ch/blog/wp-content/uploads/2026/03/ChatGPT-Image-Mar-18-2026-01_54_57-PM.png 1536w" sizes="(max-width: 1024px) 100vw, 1024px"></a></figure>I recently joined <a href="https://www.linkedin.com/in/timothypeacock/">Tim Peacock</a> and <a href="https://www.linkedin.com/in/chuvakin/">Anton Chuvakin</a> on the <a href="https://cloud.withgoogle.com/cloudsecurity/podcast/ep267-ai-soc-or-ai-in-a-soc-cutting-through-hype-pricing-models-and-siem-detection-efficacy-with-raffy-marty/">Google Cloud Security Podcast</a> to talk about SIEM, AI SOC, pricing, federated architecture, detection engineering, and why network telemetry is quietly becoming important again.The short version is simple: SIEM is not dead. Calling it obsolete makes for good marketing, but it is not a serious thesis.<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> The new wave of AI SOC, SIEM, and pipeline vendors is not proving SIEM is dead. It is proving SIEM vendors left too many gaps open for too long. </blockquote>The recent wave of AI SOC startups, pipeline vendors, and new SIEM entrants is a response to real pain in the market. They are not replacing SIEM. They are capitalizing on the gaps incumbent vendors left open.<h2 class="wp-block-heading">TL;DR</h2><ul class="wp-block-list"> <li>SIEM is not dead. Vendors just left too many gaps open.</li> <li>AI SOC often exposes those gaps more than it replaces SIEM.</li> <li>Alert reduction alone will hide false negatives.</li> <li>The real fixes are better routing, detection, context, and workflows.</li> <li>Network telemetry still matters more than the market narrative suggests.</li> </ul><h2 class="wp-block-heading">The market is not replacing SIEM. It is rebuilding missing pieces.</h2>They say they will reduce alert volume, improve detections, make investigations faster, lower storage costs, and simplify operations. None of that is new. Those were always core parts of the SIEM vision.That is why so many of these new entrants exist. They found real gaps:<ul class="wp-block-list"> <li>Pricing that became too hard to justify</li> <li>Architectures that did not scale as well as they should</li> <li>Detection stacks that still require too much manual work</li> <li>Default content that creates too much noise</li> <li>Workflows that remain painful for analysts and service providers</li> </ul>This is why I do not buy the “SIEM is over” narrative. If incumbents fix these gaps, many point solutions lose their edge quickly.<h2 class="wp-block-heading">AI SOC is mostly a patch on downstream pain</h2>The strongest short-term value in the AI SOC market is obvious: too many teams, especially MSSPs and down-market security providers, are drowning in alerts. A lot of environments are running with default content, light tuning, and limited budget for customization. Large enterprises can afford deep implementation and constant refinement. Many managed providers cannot.<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> If a product makes the SOC quieter without improving coverage, you may not have solved the problem. You may have just converted visible false positives into invisible false negatives. </blockquote>If a startup is solving alert overload by learning that the same service-account misconfiguration fires every morning at 8am and can safely be deprioritized, that is useful. But it is still a patch on bad upstream logic, and it often hides a second problem: false negatives. Once teams see fewer alerts, they assume the system got smarter. Sometimes it did. Sometimes it just got quieter. The real fix belongs closer to the detection layer, the correlation logic, the content, and the configuration model.That is why I think a lot of the current AI SOC wave is temporary in its present form. Not temporary because the need goes away, but temporary because the best parts of that value will be absorbed elsewhere. Some of it should move back into the SIEM. Some of it should live in the detection engine. Some of it belongs in better onboarding, better rule tuning, better data handling, and better defaults.There is still room for new winners here. But “we reduce alerts by 80%” is not a durable thesis by itself.<h2 class="wp-block-heading">The architecture debate is not centralized versus federated. It is about access patterns.</h2>In theory, pushing compute to where the data sits is attractive. In practice, the answer depends on access patterns.Some data absolutely does not need to be centralized all the time. Endpoint system calls are a good example. You do not want to shovel every low-level signal into a central platform by default if you can process, summarize, or prioritize it earlier.But the moment an analyst, agent, or investigation workflow needs context, enrichment, and cross-correlation, some centralization comes back. You need to connect what happened on the endpoint with what happened on the firewall, identity plane, SaaS layer, email stack, and elsewhere.So the future is probably not pure centralized or pure federated. It is hybrid:<ul class="wp-block-list"> <li>Keep some data local or near-source</li> <li>Route and centralize the parts that matter</li> <li>Pull deeper context only when needed</li> <li>Optimize around how investigations actually happen</li> </ul>This is why I keep coming back to smart data routing. Most organizations do not need to send every piece of data to the same place forever. But they do need an architecture that knows when to summarize, when to correlate, and when to pull more detail back in.<h2 class="wp-block-heading">Data pipelines became the Trojan horse</h2>Vendors in this space positioned themselves as optimization and routing tools. Send your data here, normalize it, trim low-value volume, route it to the right storage tier, keep costs down, and retain optionality. In many environments, that solved a real problem.<a href="https://raffy.ch/blog/2025/12/03/the-trojan-horse-we-let-into-the-siem-kingdom/">But the strategic consequence is bigger than cost control.</a>Once a pipeline vendor owns your ingestion layer and your integrations, it becomes an abstraction layer between you and the SIEM. That makes the SIEM less sticky. At first the pipeline vendor only routes data. Then it adds search. Then it runs lightweight detections. Then it supports simple rules. At some point it starts to look suspiciously like a simple SIEM.If someone else owns the data path, they eventually get a shot at owning more of the security brain.<h2 class="wp-block-heading">Pricing remains one of the category’s hardest unsolved problems</h2>Almost everyone agrees that SIEM pricing has been a problem. Much fewer people agree on what the right answer is.The vendor reality is straightforward: data volume drives cost. The customer reality is equally straightforward: they hate unpredictability.That tension gets even worse in the service-provider world. MSSPs and MSPs often sell packaged services, per-user offerings, or per-device contracts. Their customers do not want a fluctuating bill because log volume spiked this month. So the thing that is economically clean for the vendor can be operationally ugly for the buyer.There is no perfect answer here. But the next generation of pricing models will need to do a better job of separating:<ul class="wp-block-list"> <li>Predictable commercial packaging</li> <li>Actual backend resource consumption</li> <li>Incentives for better data quality rather than more raw ingestion</li> </ul>The market has already started experimenting. Bring-your-own-storage, bring-your-own-compute, lower-cost data lakes, and more selective routing are all responses to the same pressure. Pricing is one of the core forces reshaping the market.<h2 class="wp-block-heading">Detection engineering still needs much more help from the platform</h2>Rules still need adaptation by environment. Thresholds differ. Data quality differs. Sources differ. Customer expectations differ. Generic content does not simply drop in and work.What is surprising is how much low-hanging product work still remains. A modern platform should do far more to help users answer basic but critical questions:<ul class="wp-block-list"> <li>Is the data required for this detection even present?</li> <li>Is it configured in a way that can ever make this rule fire?</li> <li>Are there obvious gaps or mistakes in the source configuration?</li> <li>Which detections are silent because they are poorly mapped to the environment?</li> </ul>The more interesting direction, in my view, is not just better standalone rules. It is better context. Call it a context graph, an entity graph, a risk graph, or something else. The naming matters less than the function.You want a living model of users, devices, applications, identities, behaviors, and risk signals. If the system knows that a user is coming from their normal IP, on a familiar device, through a known browser pattern, after strong authentication, that should shape how other events are interpreted. If all of those signals change at once, that should shape the response differently.That kind of context is where detection quality meaningfully improves.<h2 class="wp-block-heading">Network telemetry is not “back,” but it is still critical</h2>I do not think this automatically means a major standalone NDR renaissance. But I do think many teams went too far in treating network telemetry as secondary once endpoint and application visibility improved.An endpoint is still a single point of failure. If you lose visibility there, the network can still tell you a lot. It can help validate what else is happening. It can show you unmanaged systems, OT environments, choke points, and traffic patterns you will not otherwise see clearly.This matters even more now because some organizations are reassessing where systems and data live. In parts of Europe, I am seeing more discussion around data sovereignty, political trust, private clouds, and selective moves back toward local or regional infrastructure. As architectures spread and governance constraints tighten, network visibility becomes more important again.So no, I would not frame this as “throw away EDR and buy NDR.” That is the wrong lesson.<h2 class="wp-block-heading">What happens next</h2><blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> The real question is not whether SIEM survives. It is which vendors understand they are now selling data architecture, detection quality, analyst workflow, and decision support. </blockquote>The SIEM market is heading into another rebuild cycle. Some AI SOC and pipeline startups will disappear, some will be absorbed, and some incumbents will finally fix what they should have fixed years ago. But the core need is not going away: security teams still need a place where signals come together, context gets built, detections improve, and response decisions get made.That is still SIEM territory, even if the implementation looks very different from what we used to buy.? If you are building, buying, operating, or replacing SIEM, I’d love your input. I’m collecting market data at <a href="https://raffy.ch/SIEM">raffy.ch/SIEM</a>. Anyone can contribute, and everyone is welcome.<figure class="wp-block-image"><a href="https://cloud.withgoogle.com/cloudsecurity/podcast/ep267-ai-soc-or-ai-in-a-soc-cutting-through-hype-pricing-models-and-siem-detection-efficacy-with-raffy-marty/"><img decoding="async" src="https://media.licdn.com/dms/image/v2/D5622AQHA3qlrTGbRyw/feedshare-shrink_1280/B56Zz3RqhrKcAM-/0/1773675130004?e=1775692800&v=beta&t=1N_Xdf4Fc1_KCg0sd7rknMXXre9P8X9AUnm9fSc8YA0" alt=""></a></figure>The post <a href="https://raffy.ch/blog/2026/03/19/siem-is-not-dead-it-just-stopped-moving-fast-enough/">SIEM Is Not Dead. It Just Stopped Moving Fast Enough.</a> first appeared on <a href="https://raffy.ch/blog">Future of Tech and Security: Strategy & Innovation with Raffy</a>.<div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/siem-is-not-dead-it-just-stopped-moving-fast-enough/" data-a2a-title="SIEM Is Not Dead. It Just Stopped Moving Fast Enough."><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fsiem-is-not-dead-it-just-stopped-moving-fast-enough%2F&linkname=SIEM%20Is%20Not%20Dead.%20It%20Just%20Stopped%20Moving%20Fast%20Enough." title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fsiem-is-not-dead-it-just-stopped-moving-fast-enough%2F&linkname=SIEM%20Is%20Not%20Dead.%20It%20Just%20Stopped%20Moving%20Fast%20Enough." title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fsiem-is-not-dead-it-just-stopped-moving-fast-enough%2F&linkname=SIEM%20Is%20Not%20Dead.%20It%20Just%20Stopped%20Moving%20Fast%20Enough." title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fsiem-is-not-dead-it-just-stopped-moving-fast-enough%2F&linkname=SIEM%20Is%20Not%20Dead.%20It%20Just%20Stopped%20Moving%20Fast%20Enough." title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fsiem-is-not-dead-it-just-stopped-moving-fast-enough%2F&linkname=SIEM%20Is%20Not%20Dead.%20It%20Just%20Stopped%20Moving%20Fast%20Enough." title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>*** This is a Security Bloggers Network syndicated blog from <a href="https://raffy.ch/blog">Future of Tech and Security: Strategy &amp; Innovation with Raffy</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Raffael Marty">Raffael Marty</a>. Read the original post at: <a href="https://raffy.ch/blog/2026/03/19/siem-is-not-dead-it-just-stopped-moving-fast-enough/">https://raffy.ch/blog/2026/03/19/siem-is-not-dead-it-just-stopped-moving-fast-enough/</a>

securityboulevard.com

The Hidden Security Risks in Open-Source Dependencies Nobody Talks About

Oluwakorede Akinsete
Published date: 2026-03-19 00:00:00

None

Virtually every application in today’s software world is built upon a series of layers of open-source code. While it may appear to be a good thing, as it allows developers to develop code swiftly and utilise tested code, this can expose security risks lurking in the background. Big <a href="https://securityboulevard.com/2024/12/log4shell-vulnerability-why-it-still-exists-and-how-to-protect-yourself-contrast-security/" target="_blank" rel="noopener">incidents like Log4Shell</a> also demonstrated that a single vulnerable library can bring thousands of systems to a standstill. While they may not make the news, they continually pose a serious threat if overlooked. Learning about the larger threats facing the open-source world of software security will help ensure your organisation is not caught off guard by a Trojan Horse.<h3>The Ubiquity and Fragility of Open Source</h3>Open-source code is all around us; a <a href="https://www.securitymagazine.com/articles/101420-open-source-software-vulnerabilities-found-in-86-of-codebases">recent</a> <a href="https://www.securitymagazine.com/articles/101420-open-source-software-vulnerabilities-found-in-86-of-codebases" target="_blank" rel="noopener">survey</a> <a href="https://www.securitymagazine.com/articles/101420-open-source-software-vulnerabilities-found-in-86-of-codebases">of</a> <a href="https://www.securitymagazine.com/articles/101420-open-source-software-vulnerabilities-found-in-86-of-codebases">the</a> <a href="https://www.securitymagazine.com/articles/101420-open-source-software-vulnerabilities-found-in-86-of-codebases">industry</a> found that 86% of enterprise codebases had at least one vulnerable open-source software component. Modern applications rely on hundreds, or even thousands, of third-party libraries. A study found that the average application in 2024 had more than 16,000 open-source files, triple the number a few years ago.The reality is that most of the code that comprises the application was written by someone else, perhaps even a stranger on the internet. It’s like a dependency avalanche. As Mike McGuire from Snyk describes it, blind spots abound in open-source dependency management. 61% of dependencies are transitive, meaning they’re included indirectly by other libraries.It’s hard to know what is being delivered. The software supply chain is complicated and vulnerable. Most of us assume that if a library is popular, then it must be secure, as many eyes have seen the code. That’s not necessarily true. Open-source projects tend to be supported by volunteers. <a href="https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-open." target="_blank" rel="noopener">NIST</a> states that OSS projects tend to be diverse, numerous, and use a wide range of operating models.The integrity or maintenance of OSS is not well understood or easily discoverable. Thousands of applications rely on libraries that are no longer supported. A 2025 security report found that 90% of codebases used libraries more than four years old, and 79% used components that had not been updated in two years or more. These outdated libraries increase the attack surface. The reality is that when a project is abandoned, even a small bug will persist indefinitely, as no one is left to fix it.<h3>Hidden Vulnerability Chains and Unknown Code</h3>Most teams will use tools such as SCA tools to scan their dependencies against known issues. However, it’s worth noting that third-party risks are not limited to known issues. While it is true that if all known issues were fixed as soon as they were known, then many problems would be averted, there are still two major issues that would arise. The first is the problem of transitivity, and the second is the problem of potentially malicious code. This is because most modern applications will have hundreds of dependencies, and each of those dependencies will have dozens of dependencies of their own.You can always fix the direct ones you know of, but what about the ones you don’t? The <a href="http://v/">OWASP</a> Top 10 has noted that most problems arising from software supply chain issues arise from “vulnerabilities or malicious changes in third-party code, tools, or other dependencies.” This means the break could be from much further up the chain.For example, if your application uses Library A, which uses Library B, Library C, and so on, then if Library A is clean—no known problems—then if Library B has a problem, your application is still broken because of Library B. This is not a hypothetical scenario. The <a href="https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html" target="_blank" rel="noopener">Google</a> SLSA framework has documented dozens of real-world attacks from different places in the supply chain.In one case, dubbed “Event-Stream,” attackers modified an otherwise perfectly harmless dependency of an npm package, making it an attack vector for malware. There was no CVE, simply because this was not a bug, but rather an attack. SLSA suggests that end-to-end integrity checks might have prevented this attack. The bottom line is that any code that finds its way into your build path can become an attacker.Things are made worse by the attackers’ ingenuity at finding new ways to smuggle code into your project without your knowledge. For example, dependency confusion and typosquatting attacks have become particularly sophisticated. In 2021, <a href="https://www.aikido.dev/blog/software-supply-chain-security-vulnerabilities">Alex</a> <a href="https://www.aikido.dev/blog/software-supply-chain-security-vulnerabilities" target="_blank" rel="noopener">Birsan</a> showed that an attacker could publish code to both npm and PyPI under an organisation’s internal namespace, thereby tricking their own build systems into ingesting attacker-controlled code.Typosquatting is another notably pernicious attack. An attacker publishes code to a package manager under a namespace that is close to, but not quite, that of an existing, popular library, such as reactrouteer vs. react-router. These “impostor” packages often contain hidden payloads, such as a Trojan horse that executes during installation, exfiltrating credentials or corrupting code. A <a href="https://www.sonatype.com/press-releases/open-source-malware-reaches-778500-packages.">recent</a> <a href="https://www.sonatype.com/press-releases/open-source-malware-reaches-778500-packages.">study</a> found that millions of such malicious or squatter packages were found on public repositories. Sonatype found that over 778,500 “open-source malware” packages had been identified since 2019, with 98.5% of these found on npm.According to Sonatype’s CTO, “Open-source malware, in particular, is a big problem because it sits right between endpoint protections and traditional vulnerability scans. In fact, by the time a scanner detects it, the damage could already be done.” Another problem with open-source software, according to <a href="https://plextrac.com/spooky-supply-chains-researcher-reality-a-conversation-with-jonathan-leitschuh/" target="_blank" rel="noopener">Leitschuh</a>, a veteran of the cybersecurity field, is that “these artefact repositories sat at the heart of the global SDLC without ever going through any enterprise-grade penetration testing or SOC audits.”In a nutshell, it is about the critical infrastructure developed and maintained by the open source community, such as build tools and container images, which are mostly open source and rarely tested. So, as OWASP explains in its cheat sheet, “a weak link in the entire supply chain, such as a third-party library or version control issue, can put the entire supply chain at risk.” In other words, a hidden vulnerability, from a small library bug to a broken step in the build process, can eventually lead to a major breach.<h3>Attacks on Maintainers and the Pipeline</h3>The unseen threats are those individuals behind the code. Just like how hackers target CEOs through social engineering attacks, they are increasingly targeting developers and maintainers. But why are they doing this? Well, the reason is that most of the maintainers of these packages are volunteers who are working on these projects without any supervision or contract. So, what will a hacker do if he gains access to a maintainer’s account? He will be able to inject a backdoor into a package that users are already familiar with. In fact, a single <a href="https://aftra.io/blog/software-supply-chain-risk-youre-ignoring." target="_blank" rel="noopener">npm</a> maintainer’s compromise in 2024 resulted in 18 popular packages being backdoored, resulting in billions of downloads.Even the most honest developers can inadvertently create problems down the chain. For instance, a security team at some organisation decided to rename their GitHub organisation as part of a routine update. But what they didn’t know was that the hacker had already taken the name they were trying to rename and had injected a backdoor into every CI workflow that hadn’t been updated to the new URL. As the researcher said, “It was still the same software… with the added backdoor.” The problem here is that the tools and workflows we are using have hidden vulnerabilities.There are hidden threats, too, coming from the tools and workflows used for building and delivery. The Codecov breach in 2021 was a classic case of attackers exploiting weaknesses in build and delivery systems. Attackers used a CI token to upload a malicious package into a deployment bucket, and then users would simply pull a backdoored binary without prior knowledge.Leitschuh points out that enterprise CI/CD systems are not built with strong security features, such as multi-factor authentication and audits, and attackers could therefore “break this part of the chain” too easily. In fact, attackers could break into a build system and then push their own code without compromising a dependency package. This form of stealth injection, in which attackers push a malicious build or a container, leaves almost no trace.<h3>Mitigations and Best Practices</h3>In today’s environment, the assumption that any link in the chain could be compromised should be made, and traditional perimeter defences, such as code review, are not sufficient. Layered defences are becoming the norm, and software composition analysis and SBOM generation are aiding the discovery of what exactly constitutes the software supply chain, including transitive dependencies.This means that agencies, such as those mandated by NIST EO 14028, are required to strictly control their dependencies, ensuring that they are only obtained from trusted, known sources, that two-factor authentication is enabled for all maintainer accounts and that version control is used to avoid accidentally pulling in a malicious version of a dependency, for instance.Tools such as Snyk and Dependabot can detect known vulnerabilities, but, as Brian Fox of Sonatype comments, we need to take a step forward and ensure that open-source malware does not even enter the pipeline in the first place.New frameworks, such as Google’s SLSA, are filling this gap, providing a structure for these total protections. SLSA, or Supply-chain Levels for Software Artefacts, is “a set of guidelines on how to best preserve end-to-end build integrity.” The authors note that integrity attacks are on the rise and that, while specific solutions may be necessary, overall structural solutions may be necessary to counter this trend.“By accumulating verifiable metadata around every build (e.g., SBOM, provenance), we provide ourselves with the ability to identify any kind of tampering or mismatching of dependencies.” The same zero-trust approach applies here, trusting every open-source library until verified, then implementing runtime protections such as anomaly detection to catch anything that might slip through.In terms of specific actions, teams should “take care of the fundamentals, such as understanding the entire dependency tree, eliminating unmaintained libraries, and being quick to react to newly disclosed issues.” An expert’s advice is that rather than “blindly updating all packages,” teams should “add multiple levels of checks to make life harder for attackers.”Collaboration between development and security teams is necessary, treating open-source libraries with the same level of scrutiny that you would other licensed software. After all, asOWASP reminds us, “Your security is only as strong as its weakest link in your supply chain.”<h3>Securing the Software Supply Chain Before it Secures You</h3>Hidden threats in open-source dependencies have emerged as the new frontier of cybersecurity challenges. They range from the mundane, such as stale and unpatched code, to the sinister, such as unknown backdoors and misused packages. No longer can CEOs at the highest levels afford to dismiss these threats, as they are squarely on the boardroom agenda today.As a cybersecurity expert succinctly puts it: “Your software supply chain is already more intricate and fragile than you think… The packages your systems rely on could vanish or turn hostile at any moment. That’s not fear-mongering. That’s the reality.” But there’s good news too: awareness and tools are on the rise. The key, however, lies in vigilance and preparedness; every open-source dependency is treated as an attack surface, and detection tools are always at the ready. In a world where software supply chain cybersecurity only seems to get tougher, the cost of preparedness and transparency far outweighs the cost of being caught off guard.<div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/the-hidden-security-risks-in-open-source-dependencies-nobody-talks-about/" data-a2a-title="The Hidden Security Risks in Open-Source Dependencies Nobody Talks About"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fthe-hidden-security-risks-in-open-source-dependencies-nobody-talks-about%2F&linkname=The%20Hidden%20Security%20Risks%20in%20Open-Source%20Dependencies%20Nobody%20Talks%20About" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fthe-hidden-security-risks-in-open-source-dependencies-nobody-talks-about%2F&linkname=The%20Hidden%20Security%20Risks%20in%20Open-Source%20Dependencies%20Nobody%20Talks%20About" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fthe-hidden-security-risks-in-open-source-dependencies-nobody-talks-about%2F&linkname=The%20Hidden%20Security%20Risks%20in%20Open-Source%20Dependencies%20Nobody%20Talks%20About" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fthe-hidden-security-risks-in-open-source-dependencies-nobody-talks-about%2F&linkname=The%20Hidden%20Security%20Risks%20in%20Open-Source%20Dependencies%20Nobody%20Talks%20About" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fthe-hidden-security-risks-in-open-source-dependencies-nobody-talks-about%2F&linkname=The%20Hidden%20Security%20Risks%20in%20Open-Source%20Dependencies%20Nobody%20Talks%20About" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>

securityboulevard.com

Security Architecture for Hybrid Work: Enterprise Guide

Darren Kyle
Published date: 2026-03-19 00:00:00

None

<a href="https://www.gallup.com/401384/indicator-hybrid-work.aspx#:~:text=Line%20chart.,Get%20the%20data%20Download%20image" target="_blank" rel="noopener">According to Gallup</a>, more than half (52%) of U.S. employers now follow a hybrid working model. For enterprises, there is a clear logic behind this approach. Hybrid work is more flexible, favored by employees and crucially, powers a more productive team. However, this method of working also creates risks. A more dispersed workforce presents new points of entry for cybercriminals. Therefore, an effective hybrid work security architecture is essential for securing your workforce.Let’s explore the steps you can take to bolster security and protect critical data. <h3 aria-level="2">Challenges Faced by Enterprises </h3>Hybrid work brings several security challenges. Enterprises should seek to mitigate the following risks: <ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="1" data-aria-level="1">A Wider Attack Surface: Whether connecting via home Wi-Fi or through public internet, employees provide easier targets for attackers. The transmission of sensitive information over less secure networks increases the risk of data leaks. </li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="2" data-aria-level="1">VPN Limitations: With a traditional VPN, as long as someone has the relevant credentials, they can gain access to a network. This means that, with the right login information, an attacker could obtain sensitive information. </li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="3" data-aria-level="1">Bring Your Own Device (BYOD) Risks: Employees may use their own devices to connect to company networks. If unsecured, these devices act as entry points for attackers. </li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="1" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="4" data-aria-level="1">Unsafe Communication Methods: It’s harder to obtain effective oversight of remote teams. Employees might use unsecured channels to share restricted information or files. </li></ul> <a href="https://securityboulevard.com/wp-content/uploads/2026/03/Picture1-17.png"><img fetchpriority="high" decoding="async" class="alignnone size-full wp-image-2089925" src="https://securityboulevard.com/wp-content/uploads/2026/03/Picture1-17.png" alt="" width="624" height="485" srcset="https://securityboulevard.com/wp-content/uploads/2026/03/Picture1-17.png 624w, https://securityboulevard.com/wp-content/uploads/2026/03/Picture1-17-300x233.png 300w" sizes="(max-width: 624px) 100vw, 624px"></a><h3 aria-level="2">Best Practices for Improving Hybrid Work Security Architecture </h3>Hybrid networks are built around a complex web of systems, infrastructure and endpoints. Enterprises need the right policies and oversight to secure these elements. Here are some steps you can take to boost your hybrid work security architecture. <h3 aria-level="3">Use a Secure SD-WAN Architecture </h3>Software-defined wide area network (SD-WAN) is an essential technology for remote workforce security. Traditional wide-area networks provide connectivity and security for on-site infrastructure. However, modern workforces, applications and data are distributed across varied locations, making the traditional approach less secure and efficient. Secure <a href="https://www.virginmediao2business.co.uk/insights/guides/sd-wan-guide/" target="_blank" rel="noopener">SD-WAN architecture</a> ensures a safe experience across the cloud. It includes built-in cloud security capabilities such as next-generation firewalls (NGFW), data encryption and segmentation, limiting access to sensitive information. SD-WAN also guarantees a more equal experience for those working from home, prioritizing applications to ensure critical traffic is routed over the best possible network path. Enterprises can also go a step further with secure access service edge (SASE) solutions. SASE brings the best of both worlds, unifying the networking capabilities of SD-WAN with advanced security features. These solutions are built around various components, including firewall as a service (FWaaS), secure web gateway (SWG) and cloud access security broker (CASB). <a href="https://securityboulevard.com/wp-content/uploads/2026/03/Picture2-8.png"><img decoding="async" class="alignnone size-full wp-image-2089926" src="https://securityboulevard.com/wp-content/uploads/2026/03/Picture2-8.png" alt="" width="624" height="485" srcset="https://securityboulevard.com/wp-content/uploads/2026/03/Picture2-8.png 624w, https://securityboulevard.com/wp-content/uploads/2026/03/Picture2-8-300x233.png 300w" sizes="(max-width: 624px) 100vw, 624px"></a> <h3 aria-level="3">Follow a Zero-Trust Approach </h3><a href="https://securityboulevard.com/" target="_blank" rel="noopener">Zero-trust network access</a> (ZTNA) is increasingly becoming the go-to approach for hybrid networks. Under this framework, all network interactions are treated as suspicious, regardless of their origin. For users to proceed, they must first be validated by a ‘trust broker’. This uses multiple verification methods, including multi-factor authentication, device health checks and geolocation tracking. Under the old approach, a user had free rein once they passed initial verification. With ZTNA, a user is continuously verified throughout their session. Once an anomaly is detected, access is revoked and an alert is forwarded to security teams. This halts bad actors before they can carry out harmful interactions on your network. Remember that a high proportion of attacks have internal origins. One of the best aspects of ZTNA is that it follows the least-privilege principle. This allows network operators to segment network users into different ‘zones’. Users only have access to the data and applications needed to carry out their roles, minimizing the risk of internal attacks. <h3 aria-level="3">Automate to Detect Threats Early </h3>Various enterprises are hampered by their inability to detect threats on time. Put simply, the longer it takes to spot a threat, the more damage that is likely to occur. Security information and event management (SIEM) and security orchestration automation and response (SOAR) solutions are the keys for automated security. These automated tools can spot network anomalies and take instant action, mitigating the reputational and financial impacts of attacks. Let’s explore how both tools improve your hybrid work security architecture in detail. <h3 aria-level="4">Security Information and Event Management </h3>SIEM solutions gather, merge and analyze data from across an organization, offering a single, centralized view. This creates a <a href="https://securityboulevard.com/2021/11/6-steps-to-strengthen-your-security-posture/" target="_blank" rel="noopener">stronger security posture</a>, making it easier to identify and respond to threats as they emerge. These tools provide the following essential features: <ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="1" data-aria-level="1">Log Management: SIEM tools spot threats by analyzing logs from different sources, including network infrastructure, cloud applications and proxy logs. </li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="2" data-aria-level="1">Automatic Alerts: SIEM tools constantly monitor digital and on-site infrastructure, and alert security teams as soon as anomalies are detected. </li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="3" data-aria-level="1">Event Correlation: By bringing data together, SIEM tools can identify patterns across an enterprise, helping to spot threats more quickly. </li></ul><h3 aria-level="4">Security Orchestration Automation and Response </h3>SOAR tools focus on the threat response aspect of security. They enable you to automate time-consuming tasks so that security teams can focus on more important activities. SOAR operates via two main functions: <ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="3" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="1" data-aria-level="1">Security Automation: With SOAR, you can program security-related tasks, such as scanning emails for phishing scams. Automation makes processes more efficient, cutting out unnecessary steps so that tasks are completed more quickly. </li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="" data-listid="3" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769242":[8226],"469777803":"left","469777804":"●","469777815":"multilevel"}' data-aria-posinset="2" data-aria-level="1">Security Orchestration: SOAR unifies different security tools used throughout your network. Orchestration enables these tools to respond as a single entity, ensuring automation across your network. </li></ul> <a href="https://securityboulevard.com/wp-content/uploads/2026/03/Picture3-6.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-2089927" src="https://securityboulevard.com/wp-content/uploads/2026/03/Picture3-6.png" alt="" width="624" height="485" srcset="https://securityboulevard.com/wp-content/uploads/2026/03/Picture3-6.png 624w, https://securityboulevard.com/wp-content/uploads/2026/03/Picture3-6-300x233.png 300w" sizes="auto, (max-width: 624px) 100vw, 624px"></a><h3 aria-level="3">Use EDR Solutions to Boost Endpoint Security </h3>The rise of BYOD policies should bring a renewed focus on <a href="https://securityboulevard.com/2024/02/why-do-we-need-endpoint-security-in-2024/" target="_blank" rel="noopener">endpoint security</a>. Without the right measures, unsecured employee devices could act as gateways for cyberattackers. Use endpoint detection and response (EDR) tools to secure all devices. EDR continuously scans endpoints (any devices that connect to your network) for threats. If an endpoint is detected as a threat, EDR will disconnect it from the network. Any potentially dangerous transferred files are automatically quarantined. EDR also logs any previous security events on your network. These act as valuable assets for security analysts, helping to improve your security posture so that attacks don’t repeat. <h3 aria-level="2">Don’t Sleep on Security </h3>As enterprises adapt to new working arrangements, their security approach should follow the same rate of change. This means taking steps to boost security and protect key data and infrastructure. Whether by implementing EDR solutions, SD-WAN or automated tools, we’ve explored how to improve your hybrid work security architecture. Don’t leave it to chance; take proactive steps to bolster enterprise cybersecurity. <div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/security-architecture-for-hybrid-work-enterprise-guide/" data-a2a-title="Security Architecture for Hybrid Work: Enterprise Guide "><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fsecurity-architecture-for-hybrid-work-enterprise-guide%2F&linkname=Security%20Architecture%20for%20Hybrid%20Work%3A%20Enterprise%20Guide%C2%A0" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fsecurity-architecture-for-hybrid-work-enterprise-guide%2F&linkname=Security%20Architecture%20for%20Hybrid%20Work%3A%20Enterprise%20Guide%C2%A0" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fsecurity-architecture-for-hybrid-work-enterprise-guide%2F&linkname=Security%20Architecture%20for%20Hybrid%20Work%3A%20Enterprise%20Guide%C2%A0" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fsecurity-architecture-for-hybrid-work-enterprise-guide%2F&linkname=Security%20Architecture%20for%20Hybrid%20Work%3A%20Enterprise%20Guide%C2%A0" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fsecurity-architecture-for-hybrid-work-enterprise-guide%2F&linkname=Security%20Architecture%20for%20Hybrid%20Work%3A%20Enterprise%20Guide%C2%A0" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>

securityboulevard.com

FBI Seizes Two Websites Linked to Pro-Iranian Group Handala

Jeffrey Burt
Published date: 2026-03-19 00:00:00

None

The FBI this week seized the two websites belonging to a pro-Iranian hacktivist organization that claimed responsibility for the <a href="https://securityboulevard.com/2026/03/iranian-hackers-attack-u-s-company-stryker-in-escalation-of-cyber-war/" target="_blank" rel="noopener">data-wiping attack</a> on U.S. medical tech company Stryker and is among the most active of the myriad threat groups that mobilized when the U.S. and Israeli air strikes on Iran began more than two weeks ago.The two domains – one, Handala, used as a data leak site and another to target people with possible links to Israeli defense contractors – now feature seizure announcements from the FBI about the seizures. Neither the agency nor the Justice Department (DOJ) has released statements about the move.That said, announcements themselves say the sites were seized pursuant to a U.S. Federal Court warrant, adding that “law enforcement authorities determined this site was used to conduct, facilitate, or support malicious cyber activities on behalf of or in coordination with a foreign state actor. These activities may include unauthorized network intrusions, infrastructure targeting, or other violations of United States law.”According to reports, the Handala group on its official Telegram channel confirmed that websites were seized and taken offline, adding that the action was a “desperate attempt to silence our voice.”“This act of digital aggression only serves to highlight the fear and anxiety our actions have instilled in the hearts of those who oppress and deceive,” the hackers wrote, <a href="https://techcrunch.com/2026/03/19/fbi-seizes-pro-iranian-hacking-groups-websites-after-destructive-stryker-hack/" target="_blank" rel="noopener">according to TechCrunch</a>. “Although they attempt to erase the evidence and hide their crimes through censorship and intimidation, their actions only confirm the impact of our mission. The pursuit of justice cannot be stopped by taking down a website; the movement for truth will persist and grow stronger.”The news site also noted that Handala’s X site was also suspended.<h3>They’ll Be Back</h3>“These domains were where everything came together,” Tammy Harper, senior threat intelligence researcher for threat exposure management firm Flare, <a href="https://flare.io/learn/resources/blog/handala-seizure">wrote in a blog post</a>. “Claims, leaks, messaging, all of it flowed through them. Taking control of those domains removes their ability to publish in the same way, at least temporarily. That matters, but only to a point.”There’s nothing to indicate access being removed or that the data that the group had collected was collected, Harper wrote. It’s easy to replace domains and groups like Handala, which don’t depend on a single piece of infrastructure. The group’s messaging is the same and it will likely continue somewhere else.“For this kind of actor, infrastructure is replaceable,” she wrote. “The persona is what holds it together. As long as they can keep accessing targets and putting material out somewhere, the model still works. So while the domains are down for now, this looks more like a disruption of their distribution layer than anything else. And based on how they’ve operated so far, it’s unlikely to slow them down for long.”<h3>A Widening Cyberthreat Surface</h3>This comes amid a surge of cyberthreats in retaliation for the bombings of Tehran and other places in the country, and as Iran – through kinetic warfare and through cyberspace – also targeted other countries in the Middle East deemed to be aligned with the United States.CloudSEK security intelligence analysts said that <a href="https://www.cloudsek.com/blog/ai-the-iran-us-conflict-and-the-threat-to-us-critical-infrastructure" target="_blank" rel="noopener">within hours of the start of the bombing</a> by the United States and Israel, more than <a href="https://securityboulevard.com/2026/03/pro-iranian-hacktivists-join-nation-state-groups-in-targeting-u-s-israel-others/" target="_blank" rel="noopener">60 pro-Iranian hacktivists gangs</a> mobilized to join nation-state threat groups run by Iran’s Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS).Akamai researchers wrote that in the <a href="https://securityboulevard.com/2026/03/cyberattacks-spike-245-in-the-two-weeks-after-the-start-of-war-with-iran/" target="_blank" rel="noopener">first two weeks of the war</a>, they saw a <a href="https://www.akamai.com/blog/security/fortify-network-security-emerging-geopolitical-cyberthreats" target="_blank" rel="noopener">245% jump</a> in attempts by threat actors to attack critical institutions and businesses around the world.<h3>Multiple Targets</h3>Handala, which has been active since 2023 and has targeted Israeli organizations with data-wiping and other attacks, has become among the most active of the threat actors. Flashpoint, which has been tracking the activity in both the kinetic fighting and the battle in cyberspace, noted the group has taken credit for attacks, such as a data-wipe and exfiltration operation against the Hebrew University of Jerusalem – saying it erased more than 48 TB of data and exfiltrated 23 TB of confidential information – and claiming to have leaked 100,000 personal emails from the former head of Mossad’s research organization.However, it was last week’s attack on Stryker – which has headquarters in Portage, Michigan, but about 56,000 employees around that world and generated more than $25 billion in net sales last year – that stands out. Handala said it was able to erase the data from about 80,000 corporate and personal devices – including computers, servers, and mobile devices – in which the attackers were able to get into the network by compromising a Windows domain administrator account and using a command in Microsoft Intune to force a factory reset on them. No malware was neededSince the attack, <a href="https://techcommunity.microsoft.com/blog/intunecustomersuccess/best-practices-for-securing-microsoft-intune/4502117" target="_blank" rel="noopener">Microsoft</a> and <a href="https://www.cisa.gov/news-events/alerts/2026/03/18/cisa-urges-endpoint-management-system-hardening-after-cyberattack-against-us-organization?utm_source=IranHardening202603&utm_medium=GovDelivery" target="_blank" rel="noopener">CISA</a> has published steps organizations should take to strengthen Intune management controls. In addition, Stryker has been giving <a href="https://www.stryker.com/us/en/about/news/2026/a-message-to-our-customers-03-2026.html" target="_blank" rel="noopener">updates about its efforts</a> to restore and better protect its devices.<h3>Pressure Is On Defenders</h3>Brian Bell, CEO of <a href="https://fusionauth.io/" target="_blank" rel="noopener">FusionAuth</a>, which makes authentication and user management software, said that the attack on Stryker showed that authentication and authorization are not the same thing and that companies going forward will need to make adjustments to protect themselves.“Attackers didn’t need to break in,” Bell said about the Stryker incident. “They walked through the front door with compromised credentials. The missing safeguard is contextual: organizations need systems that can recognize when a privileged action is anomalous and require additional verification at that moment, not just at login. … The FBI’s seizure of Handala’s infrastructure is welcome, but the next group will find a new front door. The architectural fix has to happen on the defender’s side.”<div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/fbi-seizes-two-websites-linked-to-pro-iranian-group-handala/" data-a2a-title="FBI Seizes Two Websites Linked to Pro-Iranian Group Handala"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Ffbi-seizes-two-websites-linked-to-pro-iranian-group-handala%2F&linkname=FBI%20Seizes%20Two%20Websites%20Linked%20to%20Pro-Iranian%20Group%20Handala" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Ffbi-seizes-two-websites-linked-to-pro-iranian-group-handala%2F&linkname=FBI%20Seizes%20Two%20Websites%20Linked%20to%20Pro-Iranian%20Group%20Handala" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Ffbi-seizes-two-websites-linked-to-pro-iranian-group-handala%2F&linkname=FBI%20Seizes%20Two%20Websites%20Linked%20to%20Pro-Iranian%20Group%20Handala" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Ffbi-seizes-two-websites-linked-to-pro-iranian-group-handala%2F&linkname=FBI%20Seizes%20Two%20Websites%20Linked%20to%20Pro-Iranian%20Group%20Handala" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Ffbi-seizes-two-websites-linked-to-pro-iranian-group-handala%2F&linkname=FBI%20Seizes%20Two%20Websites%20Linked%20to%20Pro-Iranian%20Group%20Handala" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>

securityboulevard.com

Dormant Accounts Leave Manufacturing Orgs Open to Attack

Teri Robinson
Published date: 2026-03-19 00:00:00

None

Workers who have been <a href="https://securityboulevard.com/2024/02/mitigating-the-identity-risks-of-ex-employees-accounts/" target="_blank" rel="noopener">laid off or fired from their jobs</a> often complain mightily that companies treat them like common criminals, with security escorting them out of the building in some sort of corporate perp walk. And then solicit one of their work buddies to pack up their personal stuff and ship it to them, as if they might walk out with the good silver. You would think that level of caution would apply to deprovisioning access, especially in manufacturing, where organizations onboard temporary workers, contractors and third-party system integrators at breakneck speed during Spring production ramp-ups. It seems at the very least incongruous that 48% of manufacturing organizations don’t revoke employee access within 24 hours after they depart or change roles, according to new research by Pathmark. “If those privileges are not revoked immediately when projects conclude, or permissions are granted too broadly, they create long-lived entry points and widespread access that adversaries can exploit,” says Darren Guccione, CEO and co-founder at Keeper Security. Perhaps the problems has intensified because a full 74% “lack fully automated user provisioning and de-provisioning,” the <a href="https://pathlock.com/blog/access-governance-and-security-risks-in-manufacturing/" target="_blank" rel="noopener">Pathmark report</a> notes. What makes these dormant accounts particularly dangerous is that they don’t typically trigger behavioral alerts, which means they become an easy entry point for nefarious acts like credential stuffing, password spraying and phishing. Nearly half (46%) of security incidents that were reported were linked or thought to be linked to a yawning governance gap that has it genesis in, you guessed it, digital transformation. Stale credentials, Guccione says, “remain one of the most predictable and dangerous weaknesses in enterprise security.” Attackers understand that organizations are effectively leaving trusted identities active, he says, “and routinely look for dormant accounts that will allow them to blend in as legitimate users to avoid triggering traditional security alerts.” The findings “highlight a structural identity problem in manufacturing: Attackers increasingly log in rather than break in, and dormant or overprivileged accounts give them a frictionless path,” says James Maude, field CTO at BeyondTrust. “During seasonal rampups, access is created quickly but rarely removed with the same urgency, leaving behind a shadow layer of identities that don’t trigger behavioral alerts,” which Maude says, “expands the blast radius for everything from credential stuffing to insider misuse.” While just over half (53%) have some automation and rules in place to regularly conduct user access reviews, around one third (36%) are just getting started on identifying and remediating access risk and mostly depending on manual processes, as do 30%, who are at the same point when it comes to user account provisioning, modifying and de-provisioning. And it gets worse. About half (51%) do not use automated elevated access management with 14% admitting they have minimal or no governance when it comes to privileged access. They also note that those workers with the broadest permissions—third-party consultants and internal IT admins—are the most difficult to manage. Does make you wonder why three in five skipped comprehensive SoD risk simulations altogether before they deployed new roles as they migrated their organizations to the cloud. “With 74% of manufacturers lacking fully automated provisioning, 61% skipping SoD simulations before cloud migrations, and dormant accounts evading behavioral alerts entirely, the attack surface isn’t a gap—it’s a design flaw,” says Surya Kollimarla, director, identity security products at ColorTokens. Guccione says that “identity governance must be treated as a security priority, not just a compliance process” with access being “automated, time-bound and continuously verified, privileged access must follow the principle of least privilege and standing administrative rights should be eliminated wherever possible.” Security teams, Maude says, “should focus on shrinking standing privilege, ideally taking a just-in-time approach for privilege and access, especially for contractors and integrators.” By reducing privilege in a system, “you reduce the impact of inevitable mistakes,” he explains. Kollimarla urged security teams “to seriously evaluate two foundational shifts.” They must “go passwordless by design, not by patch.” Just layering passwordless capabilities on top of password-based infrastructure “don’t eliminate the attack surface—they obscure it,” he says. But “true passwordless architecture, integrated with automated SoD enforcement across your existing ERP and IAM systems, removes the credential risk at the source.” Security teams should also “authenticate based on context, not just identity,” Kollimarla says. Risk-based authentication that continuously evaluates the user, device, and application at the moment of access is the only model that raises the security bar without adding friction — because friction doesn’t get tolerated, it gets bypassed.” Perhaps then and only then will dormant accounts be perp walked out the door. <div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/dormant-accounts-leave-manufacturing-orgs-open-to-attack/" data-a2a-title="Dormant Accounts Leave Manufacturing Orgs Open to Attack "><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fdormant-accounts-leave-manufacturing-orgs-open-to-attack%2F&linkname=Dormant%20Accounts%20Leave%20Manufacturing%20Orgs%20Open%20to%20Attack%C2%A0" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fdormant-accounts-leave-manufacturing-orgs-open-to-attack%2F&linkname=Dormant%20Accounts%20Leave%20Manufacturing%20Orgs%20Open%20to%20Attack%C2%A0" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fdormant-accounts-leave-manufacturing-orgs-open-to-attack%2F&linkname=Dormant%20Accounts%20Leave%20Manufacturing%20Orgs%20Open%20to%20Attack%C2%A0" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fdormant-accounts-leave-manufacturing-orgs-open-to-attack%2F&linkname=Dormant%20Accounts%20Leave%20Manufacturing%20Orgs%20Open%20to%20Attack%C2%A0" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fdormant-accounts-leave-manufacturing-orgs-open-to-attack%2F&linkname=Dormant%20Accounts%20Leave%20Manufacturing%20Orgs%20Open%20to%20Attack%C2%A0" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>

securityboulevard.com

FBI Data Purchases Ignite New Clash Over Privacy and Surveillance

James Maguire
Published date: 2026-03-19 00:00:00

None

<div>Lawmakers pressed the FBI this week after Director Kash Patel confirmed the agency is purchasing information that can track Americans’ movements, reopening a contentious debate over privacy and the limits of government surveillance.</div><div>The acknowledgment came during a Senate Intelligence Committee hearing, where Patel said the bureau buys data from private vendors as part of its investigative toolkit. The information, typically compiled by data brokers, can include detailed records of individuals’ location histories, usually sourced from mobile apps and digital advertising tracking.</div><div>Patel characterized the practice as lawful and effective, telling senators the FBI relies on data it believes is obtained in compliance with federal law. He indicated that such information has contributed to investigations, supporting the agency’s position that commercially available data is a legitimate resource.</div><div>The response drew immediate rebuke from Senator Ron Wyden, D-Oregon, who challenged the legality and implications of the practice. Wyden argued that acquiring sensitive location data without a warrant undermines constitutional protections, particularly the Fourth Amendment, which protects individuals against “unreasonable searches and seizures” by the government, ensuring the right to privacy. He pointed to the growing role of AI in analyzing vast datasets, warning that new technologies could expand the scope of surveillance beyond what lawmakers previously anticipated.</div><div><h3>Data Sources Law Sparks Debate</h3></div><div>The debate revolves around a gap in how privacy laws apply to modern data markets. Law enforcement agencies must obtain a warrant to access location data directly from telecom providers, a requirement established by the Supreme Court in 2018. However, third party companies that collect and sell consumer data operate under a different framework, allowing agencies to purchase similar information without judicial approval.</div><div>This distinction has become a focus for lawmakers attempting to update surveillance rules. Wyden, along with Senator Mike Lee, R-Utah, recently introduced the Government Surveillance Reform Act, which would require federal agencies to secure a warrant before buying Americans’ personal data. The proposal has a parallel effort in the House, led by Representatives Zoe Lofgren, D-California, and Warren Davidson, R-Ohio, reflecting bipartisan concern over the issue.</div><div>Supporters of the legislation argue that the current system allows agencies to sidestep established privacy protections. They claim that purchasing data from brokers achieves the same result as obtaining it directly from telecom providers, but without the legal safeguards intended to protect citizens.</div><div>Privacy advocates argue that this marketplace for personal data operates with limited transparency, leaving consumers largely unaware of how their data is distributed.</div><div>However, some officials defend the practice as necessary for modern investigations. Senate Intelligence Committee Chair Tom Cotton, R-Arkansas, said the key factor is that the data is available for purchase on the open market. If private entities can legally obtain it, he argued, law enforcement should not be restricted from using it to pursue criminal activity.</div><div>The FBI maintains that purchasing such data does not require a warrant because it is not compelled from a provider. That legal interpretation remains largely untested in court, leaving uncertainty about how judges may ultimately view the practice.</div>As lawmakers argue about new restrictions, the outcome could create near-term guardrails about how privacy is protected in the digital economy. But given that this issue is a complex mix of technology, law, and public policy, a full resolution is not likely anytime soon.<div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/fbi-data-purchases-ignite-new-clash-over-privacy-and-surveillance/" data-a2a-title="FBI Data Purchases Ignite New Clash Over Privacy and Surveillance"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Ffbi-data-purchases-ignite-new-clash-over-privacy-and-surveillance%2F&linkname=FBI%20Data%20Purchases%20Ignite%20New%20Clash%20Over%20Privacy%20and%20Surveillance" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Ffbi-data-purchases-ignite-new-clash-over-privacy-and-surveillance%2F&linkname=FBI%20Data%20Purchases%20Ignite%20New%20Clash%20Over%20Privacy%20and%20Surveillance" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Ffbi-data-purchases-ignite-new-clash-over-privacy-and-surveillance%2F&linkname=FBI%20Data%20Purchases%20Ignite%20New%20Clash%20Over%20Privacy%20and%20Surveillance" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Ffbi-data-purchases-ignite-new-clash-over-privacy-and-surveillance%2F&linkname=FBI%20Data%20Purchases%20Ignite%20New%20Clash%20Over%20Privacy%20and%20Surveillance" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Ffbi-data-purchases-ignite-new-clash-over-privacy-and-surveillance%2F&linkname=FBI%20Data%20Purchases%20Ignite%20New%20Clash%20Over%20Privacy%20and%20Surveillance" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>

securityboulevard.com

How empowered is your secrets scanning system

None
Published date: 2026-03-19 00:00:00

None

<h2>Are Your Secrets Scanning Systems Truly Empowered for Complete Cybersecurity Protection?</h2>Where digital are increasingly complex, organizations must evaluate whether their secrets scanning systems are fully equipped to meet cybersecurity demands. With cyber threats become more sophisticated, unique challenges arise for cybersecurity teams, especially in managing Non-Human Identities (NHIs) and ensuring secrets security management. So how do organizations proactively manage these identities and ensure robust security across various sectors like financial services, healthcare, and beyond?<h3>Understanding Secrets Scanning: More Than Just Detective Work</h3>Secrets scanning systems are critical in sensitive data. At their core, they detect and manage secrets—encrypted passwords, tokens, or keys—that serve as a form of machine identity. However, secrets scanning is not merely a reactive process; it should empower an organization to anticipate threats and address vulnerabilities before they are exploited. The real empowerment lies in understanding the lifecycle of Non-Human Identities and applying a comprehensive approach to securing these elements.<h3>Empowerment Through a Lifecycle Perspective</h3>Managing NHIs effectively involves a holistic approach that covers all stages of their lifecycle. From discovery and classification to threat detection and remediation, each phase offers insights into how NHIs can be better protected. This is not something that point solutions like basic secret scanners can achieve. By adopting a lifecycle perspective, organizations gain valuable insights into ownership, permissions, and usage patterns, enhancing their ability to detect potential vulnerabilities.<ul> <li>Discovery and Classification: The first step is identifying all machine identities in use and classifying them based on their importance and access levels. This strategy helps in prioritizing the security efforts.</li> <li>Threat Detection: Continuous monitoring of NHIs allows for timely detection of unusual patterns or potential security breaches.</li> <li>Remediation: Once a threat is detected, swift action is necessary to mitigate risks. Automating this process ensures that security teams can respond quickly and effectively.</li> </ul><h3>Bridging the Security and R&D Divide</h3>One of the critical issues in managing NHIs is the disconnect between security teams and R&D departments. Security teams must work closely with R&D to ensure that machine identities are integrated into security frameworks seamlessly. This alignment is crucial for creating secure cloud environments that protect sensitive data across multiple platforms. More information on refining these integrations can be found in the article on <a href="https://entro.security/blog/entro-wiz-integration/">Entro Wiz Integration</a>.<h3>Ensuring Compliance and Efficiency</h3>In addition to reducing security risks, effective NHI management also aids in regulatory compliance. By offering policy enforcement and audit trails, organizations can ensure they meet necessary regulatory requirements with ease. Moreover, such systems enhance organizational efficiency by automating secrets management, thereby freeing up security teams to focus on strategic initiatives. For insights into optimizing these processes, explore how <a href="https://entro.security/blog/secrets-security-in-hybrid-cloud-environments/">hybrid cloud environments</a> contribute to robust NHI and secrets management.<h3>Enhanced Visibility with Centralized Control</h3>Having a centralized view for access management and governance is a critical component of empowered secrets scanning systems. A centralized platform allows for comprehensive visibility, enabling organizations to track and manage all machine identities efficiently. This framework not only offers enhanced control over machine identities but also leads to cost savings by automating processes like secrets rotation and decommissioning of obsolete NHIs.<h3>Empowerment Across Industries</h3>While the theoretical framework is similar across industries, the application varies significantly. For example, in financial services sector, where data sensitivity is paramount, empowered secrets scanning systems can mean the difference between a minor security incident and a major data breach. In healthcare, ensuring that patient data remains secure is a legal requirement. For DevOps and SOC teams, on the other hand, the focus might be on integrating these security measures into their agile and fast-paced environments. The challenges might vary, but the need for an empowered approach remains constant. The consulting and program management techniques can provide insights into customized solutions across different sectors.In conclusion, the empowerment of secrets scanning systems hinges on not just detection and management but a comprehensive approach to Non-Human Identity management. By bridging the gap between security and development teams and adopting a lifecycle perspective, organizations can ensure robust protection against evolving cyber threats. While we continue to explore these concepts, further strategies for achieving such empowerment will be unveiled.<h2>Mastering the Complexity of Cybersecurity with Effective Non-Human Identity Management</h2>Have you ever wondered what lies beyond the basic capabilities of secrets scanning systems when it comes to protecting sensitive data? Organizations often encounter complexities when dealing with Non-Human Identities (NHIs) and secrets security management. The urgency to address these challenges cuts across industries like financial services, healthcare, and DevOps. By enriching the understanding of NHIs and their lifecycle management, organizations can craft a robust fortress against potential cyber threats.<h3>Decoding NHI</h3>A Non-Human Identity encompasses more than just machine identifiers such as encrypted passwords, tokens, or keys. These elements collectively form digital credentials that can access critical systems and data. Mismanagement or oversight can lead to a significant security breach. Unfortunately, the challenge isn’t just about losing a credential; it’s about ensuring these NHIs are created, managed, and retired.<ul> <li>Strategic Importance: Addressing NHIs is crucial for maintaining the integrity and trust associated with digital transactions across industries.</li> <li>Holistic Approach: NHI management needs methods encompassing discovery, classification, threat detection, and response mechanisms to be dynamic and efficient.</li> </ul>For an insightful dive into agentic approaches within AI, see how <a href="https://entro.security/blog/agentic-ai-owasp-research/">agentic strategies are being developed</a>.<h3>Unraveling the Misalignment: Security and R&D</h3>Misalignment between security operations and research & development teams often results in vulnerabilities. These gaps can be bridged by fostering collaboration and ensuring mutual understanding, particularly with R&D teams introduce new technologies and innovations that alter security. This collaborative stance compels both sectors to consider security implications from the onset.<ul> <li>Transformative Integration: Integrating security protocols in R&D processes can lead to enhanced risk management and efficient operational structures.</li> <li>Continuous Dialogue: Establishing communication channels specifically focused on security can minimize roadblocks and promote proactive problem-solving.</li> </ul><h3>Support for Industry-Specific Challenges</h3>Though the framework for NHI management might remain consistent across different sectors, its application must be crafted according to industry specifics.In financial services sector, maintaining rigorous controls transforms small weaknesses into fortified systems that resist targeted attacks, whereas, in healthcare, the lion’s share of security efforts is focused on data integrity—ensuring patient confidentiality and regulatory compliance.The unique requirements for DevOps teams involve prioritizing speed and innovation, which necessitates an agility-centric approach to security. This demands integration of tools and processes that complement rapid application development cycles. Similarly, SOC teams benefit by adopting diagnostic tools that integrate seamlessly with their incident response strategies.<h3>Enhancing Control with Centralized Management</h3>Centralization of NHI management unfolds numerous benefits:<ul> <li>Comprehensive Oversight: Centralized systems ensure enhanced visibility into all NHIs, simplifying the tracking and allocation of permissions and usage patterns.</li> <li>Resource Efficiency: Automation processes like secrets rotation and NHIs decommissioning minimize the operational burden on IT departments.</li> <li>Risk Mitigation: By quickly adapting to the changing cybersecurity environment, central control systems dampen the impact of potential threats.</li> </ul>For insights into advanced security strategies, explore <a href="https://entro.security/blog/keeping-security-in-stride-why-we-built-entros-third-pillar-for-agentic-ai/">this comprehensive guide</a> on why structured frameworks help maintain stride.<h3>Expanding the Conversation</h3>The dialogue on NHI management should be inclusive of emerging technologies and future directions.– Artificial Intelligence’s Influence: AI offers innovations in predictive analytics and automation, heralding new capabilities within secrets scanning systems. – Interdisciplinary Collaboration: Diverse teams consisting of IT, compliance, and industry-specific experts must collaborate to develop resilient security strategies. For more information on how scanning configurations are evolving, visit <a href="https://dev.housing.arizona.edu/what-is-scanning-configuration" rel="noopener">this resource</a>.Through a proactive and informed approach to Non-Human Identities and secrets management, organizations can safeguard their environments effectively. By addressing systemic vulnerabilities and promoting efficient collaborations, cybersecurity can turn uncertainties into improved stability and resilience, helping organizations not just to survive, but to thrive.The post <a href="https://entro.security/how-empowered-is-your-secrets-scanning-system/">How empowered is your secrets scanning system</a> appeared first on <a href="https://entro.security/">Entro</a>.<div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/how-empowered-is-your-secrets-scanning-system/" data-a2a-title="How empowered is your secrets scanning system"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fhow-empowered-is-your-secrets-scanning-system%2F&linkname=How%20empowered%20is%20your%20secrets%20scanning%20system" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fhow-empowered-is-your-secrets-scanning-system%2F&linkname=How%20empowered%20is%20your%20secrets%20scanning%20system" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fhow-empowered-is-your-secrets-scanning-system%2F&linkname=How%20empowered%20is%20your%20secrets%20scanning%20system" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fhow-empowered-is-your-secrets-scanning-system%2F&linkname=How%20empowered%20is%20your%20secrets%20scanning%20system" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fhow-empowered-is-your-secrets-scanning-system%2F&linkname=How%20empowered%20is%20your%20secrets%20scanning%20system" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>*** This is a Security Bloggers Network syndicated blog from <a href="https://entro.security/">Entro</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Alison Mack">Alison Mack</a>. Read the original post at: <a href="https://entro.security/how-empowered-is-your-secrets-scanning-system/">https://entro.security/how-empowered-is-your-secrets-scanning-system/</a>

securityboulevard.com

Mapping Your Defenses to What You Need, Not What You Inherited

None
Published date: 2026-03-19 00:00:00

None

<article class="blog-post" morss_own_score="10.0" morss_score="13.0"> <span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" morss_own_score="5.0" morss_score="166.5"> There is a deceptive sense of security that comes with a crowded security architecture. We look at our environments and see a landscape filled with multiple vendor tools, SIEM dashboards pulsing with telemetry, and threat intelligence feeds. On paper, the organization looks hardened. The budget has been allocated, the tools have been deployed, and leadership feels a sense of safety. But there is a reality that many organizations are slow to embrace: Just because a tool and detection exist doesn’t mean you can defend against an attack. Attackers do not view your security by the number of products you own. They measure it by your blind spots and the many ways they can infiltrate your systems. While you are monitoring your “presence” at the front door, they are searching for the entry points where they can operate undetected. This is the difference between having a tool that exists and a detection that is relevant and can effectively disrupt an attack. <h3>Presence vs. Capability: The Strategic Divide</h3> Most organizations frame their security maturity around procurement. They ask, “Do we have endpoint protection?” or “Do we have cloud security?” These are inventory questions, not defensive ones. Having a tool present on a server is simply a baseline level of safety: it exists, but whether it is configured, operational, or effective is a different question entirely. Coverage mapping reframes this conversation. Instead of asking whether a tool exists, the question becomes whether your defenses can detect and disrupt how adversaries actually operate. This is not measured at the tool or technique level alone, but at the level of execution and how a specific procedure unfolds across identities, systems, and controls. Presence says, “We deployed the agent.” Coverage asks, “When an adversary executes a credential access procedure using PowerShell and legitimate system tools, do we detect it, and where does that detection fail?” <h3>Thinking in Adversary Behavior</h3> Modern attackers are not random, but they are not bound to a single playbook either. They operate through recurring patterns of behavior shaped by objectives, access, tooling, and opportunity. Frameworks like MITRE ATT&CK help defenders model and categorize those behaviors, but ATT&CK itself is not an attacker script. It is a structured knowledge base that documents tactics, techniques, and observed procedures drawn from real intrusions. Coverage mapping becomes valuable when it is used to measure defensive readiness against those observed behaviors. Rather than asking whether a control is deployed, you ask where it can detect, interrupt, or contain adversary activity across realistic attack paths. That often exposes uneven defensive depth: a team may be well covered against common malware patterns, yet far less prepared for abuse of legitimate tools, stolen credentials, remote administration pathways, or hands-on-keyboard activity that blends into normal operations. Adversaries exploit these asymmetries. They do not need to defeat every control; they look for the gaps between what is installed, what is configured, and what is actually producing reliable defensive outcomes. A tool may be present and running, yet still fail to generate meaningful visibility at the moment an attacker shifts tactics or moves through a trusted path. <h3>The Discipline of Measuring Gaps</h3> This process often reveals an uncomfortable reality: most security stacks are over-indexed on coverage volume rather than defensive effectiveness. Organizations frequently have overlapping controls concentrated in low-impact areas, while high-risk execution paths remain insufficiently defended. Coverage mapping is the discipline required to expose these imbalances. It enables teams to prioritize based on how adversaries actually succeed, rather than how tools are deployed. By identifying where defenses break down in practice, organizations can: <ul> <li>Refine your investment decisions by aligning spend to areas of highest adversary impact </li> <li>Reduce alert fatigue by eliminating redundant or low-fidelity detections </li> <li>Strengthen defensive depth across the adversary procedures that matter most. </li> </ul> <h3>From Reactive Security to Strategic Defense</h3> Reactive security operates on signals: alerts, indicators, and isolated detections that require constant triage. Effective defense, however, is measured by whether adversary procedures can be consistently detected, understood, and disrupted as it unfolds. Coverage mapping enables this shift. It connects telemetry to detection logic, detection logic to response, and response to observable defensive outcomes. Instead of asking whether tools are deployed, organizations can evaluate whether their controls hold up against how attacks are actually executed in their environment. Success is not defined by tool count or compliance alignment. It is defined by defensive performance against real-world adversary behavior at the point of execution. In practice, a focused, well-instrumented defense will outperform a fragmented stack that lacks effective detection into how attacks succeed. <h2>Practical Guide: Mapping Adversary Procedures (Using MITRE ATT&CK as Reference)</h2> Building your first coverage map is not about “mapping to ATT&CK.” It is about using ATT&CK as a reference model to understand how adversaries operate, then validating whether your defenses can detect and disrupt those attacks. The goal is not framework alignment. It is execution-level effectiveness in reducing attacker probability and residual risk. <h3>Define Relevant Adversary Scenarios</h3> Start with the threats that matter most to your organization. This should be informed by threat intelligence, industry patterns, and known attack patterns, not an abstract list of techniques. Rather than selecting isolated techniques, define relevant procedures in your environment based on assets that are most vulnerable. For example: <ul> <li>Credential access via misuse of native tools </li> <li>Lateral movement using remote services or valid accounts </li> <li>Data staging and exfiltration over trusted channels </li> </ul> ATT&CK can help categorize these behaviors, but the focus should remain on how they are executed in practice, not on achieving coverage across the matrix. <h3>Understand Your Defensive Environment</h3> Detection and disruption depend on how your environment is instrumented and controlled. Before mapping adversary behavior, you must understand where security controls actually intersect with the systems, identities, and infrastructure attackers use. This means inventorying where defensive controls operate across endpoints, identities, networks, and cloud services. The goal is not simply to confirm that tools are deployed, but to understand where they meaningfully influence attacker activity. Adversaries move through environments by abusing legitimate pathways—credentials, administrative tools, remote access channels, and trusted services. If your controls are not positioned along those paths, they cannot influence the outcome of an attack. Mapping your environment in this way ensures that defensive coverage reflects how systems are actually used and how attacks actually unfold, rather than how tools are listed in an inventory. <h3>Evaluate Detection and Response Coverage</h3> Assess how your current controls perform against these scenarios: <ul> <li>Where do you generate reliable detections? </li> <li>Where do detections lack context or fidelity? </li> <li>Where are you dependent on manual interpretation? </li> <li>Where do you have no visibility at all? </li> </ul> This is not a binary exercise. Coverage should be evaluated based on confidence, consistency, and timeliness of detection and response. Validation is critical. Simulating adversary behavior—through controlled testing or emulation—confirms whether detections function as expected and whether response actions are effective. Without validation, coverage remains theoretical. <h3>Prioritize and Close Execution Gaps</h3> Gaps often emerge not from missing tools, but from misaligned configurations, incomplete detection logic, or uncorrelated data sources. Addressing these gaps may involve: <ul> <li>Improving detection engineering within existing tools </li> <li>Enriching telemetry or enabling additional logging </li> <li>Tuning correlation and response workflows </li> </ul> The objective is not to expand tooling, but to increase defensive reliability across the execution paths adversaries use. <h2>Conclusion</h2> Tidal Cyber is the first true Threat-Led Defense platform built to flip the traditional defensive model by putting real adversary behavior at the center of your defense strategy. By mapping techniques, sub-techniques, and procedures to ATT&CK, we reveal exactly where you’re exposed and how attackers actually operate. It’s a level of precision you’ve never had before, empowering your security team to proactively reduce risk and optimize high-impact security investments. Threat-Led Defense is Tidal Cyber’s unique implementation of Threat-Informed Defense, enhanced with procedure-level granularity to make CTI more relevant and actionable. </article><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/mapping-your-defenses-to-what-you-need-not-what-you-inherited/" data-a2a-title="Mapping Your Defenses to What You Need, Not What You Inherited"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fmapping-your-defenses-to-what-you-need-not-what-you-inherited%2F&linkname=Mapping%20Your%20Defenses%20to%20What%20You%20Need%2C%20Not%20What%20You%20Inherited" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fmapping-your-defenses-to-what-you-need-not-what-you-inherited%2F&linkname=Mapping%20Your%20Defenses%20to%20What%20You%20Need%2C%20Not%20What%20You%20Inherited" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fmapping-your-defenses-to-what-you-need-not-what-you-inherited%2F&linkname=Mapping%20Your%20Defenses%20to%20What%20You%20Need%2C%20Not%20What%20You%20Inherited" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fmapping-your-defenses-to-what-you-need-not-what-you-inherited%2F&linkname=Mapping%20Your%20Defenses%20to%20What%20You%20Need%2C%20Not%20What%20You%20Inherited" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fmapping-your-defenses-to-what-you-need-not-what-you-inherited%2F&linkname=Mapping%20Your%20Defenses%20to%20What%20You%20Need%2C%20Not%20What%20You%20Inherited" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>*** This is a Security Bloggers Network syndicated blog from <a href="https://www.tidalcyber.com/blog">Tidal Cyber Blog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Tidal Cyber">Tidal Cyber</a>. Read the original post at: <a href="https://www.tidalcyber.com/blog/mapping-your-defenses-to-what-you-need-not-what-you-inherited">https://www.tidalcyber.com/blog/mapping-your-defenses-to-what-you-need-not-what-you-inherited</a>

securityboulevard.com

SpyCloud’s 2026 Identity Exposure Report Reveals Explosion of Non-Human Identity Theft

None
Published date: 2026-03-19 00:00:00

None

Austin, TX, USA, March 19th, 2026, CyberNewswireNew Report Highlights Surge in Exposed API Keys, Session Tokens, and Machine Identities, and more.<a target="_blank" rel="nofollow noopener" href="https://spycloud.com/">SpyCloud</a>, the leader in identity threat protection, today released its annual <a target="_blank" rel="nofollow noopener" href="https://spycloud.com/resource/report/spycloud-annual-identity-exposure-report-2026/?utm_medium=pr&utm_source=cybernewswire&utm_term=press-release&utm_campaign=2026-exposure-report">2026 Identity Exposure Report</a>, one of the most comprehensive analyses of stolen credentials and identity exposure data circulating in the criminal underground and highlighting a sharp expansion in non-human identity (NHI) exposure.Last year, SpyCloud saw a 23% increase in its recaptured identity datalake, which now totals 65.7B distinct identity records. The report shows attackers are increasingly targeting machine identities and authenticated session artifacts in addition to traditional username and password combinations and personally identifiable information (PII).<blockquote>“We’re witnessing a structural shift in how identity is exploited,” said <a target="_blank" rel="nofollow noopener" href="https://spycloud.com/team/trevor-hilligoss/">Trevor Hilligoss, Chief Intelligence Officer at SpyCloud</a>. “Attackers are no longer just targeting credentials. They’re stealing authenticated access, including API keys, session tokens and automation credentials, and using this access to move faster, stay persistent, and scale attacks across cloud and enterprise environments.”</blockquote>Key Findings from the 2026 Identity Exposure Report:Non-Human Identities Are Now a Core Attack SurfaceSpyCloud recaptured 18.1 million exposed API keys and tokens in 2025, spanning payment platforms, cloud infrastructure providers, developer ecosystems, collaboration tools, and AI services.The report also identified 6.2 million credentials or authentication cookies tied to AI tools, reflecting rapid enterprise adoption of AI platforms and the associated expansion of machine-based access paths.Unlike human credentials, these NHIs often lack MFA enforcement, rotate infrequently, and operate with broad permissions. When exposed, they can provide attackers with persistent access to production systems, software supply chains, and cloud infrastructure.Phishing is an Enterprise ThreatSpyCloud recaptured 28.6 million phished identity records in 2025. Notably, nearly half of those identities were corporate users, reinforcing that phishing remains a persistent enterprise threat.This trend aligns with <a target="_blank" rel="nofollow noopener" href="https://spycloud.com/newsroom/phishing-has-surged-400-percent-year-over-year/">SpyCloud research</a> showing that successful phishing attacks have surged 400% YoY. The result is a clear warning to enterprises: their workforce is now 3x more likely to be targeted with phishing attacks than infostealer malware.Modern phishing datasets increasingly contain more than credentials. Many include session cookies, authentication tokens, and MFA workflow data, allowing attackers to assume authenticated sessions without triggering traditional alerts. With an influx of bad actors leveraging AI to craft more realistic lures and automate campaigns, this problem is not going away anytime soon, and enterprise security teams must go beyond employee training for a more true preventative approach.Session Theft and MFA Bypass Continue at ScaleSpyCloud recaptured 8.6 billion stolen cookies and session artifacts exposed through malware infections, demonstrating continued attacker focus on session hijacking techniques that bypass traditional authentication safeguards. In parallel, SpyCloud analysis of underground combolists found that 51% of records overlapped with previously observed infostealer logs, indicating that criminals are increasingly repackaging malware-exfiltrated data rather than relying solely on fresh breach disclosures.Public reporting throughout the past year has documented multiple MFA bypass campaigns leveraging adversary-in-the-middle (AitM) phishing kits and session replay techniques, including activity targeting Microsoft 365 environments through stolen authentication tokens.On March 4, 2026, Europol announced, in partnership with Microsoft and other private organizations, that it had executed a coordinated seizure of Tycoon 2FA – a major phishing-as-a-service infrastructure and service that enabled widespread MFA bypass through AitM techniques – and disrupted its operational capabilities significantly. <a target="_blank" rel="nofollow noopener" href="https://spycloud.com/blog/tycoon-2fa-takedown-inside-the-global-phishing-infrastructure-disruption/">SpyCloud supported the global disruption effort</a> by contributing victim identity intelligence and operational analysis drawn from criminal underground sources. The recent operation highlights the industrialization of phishing and the growing value of session artifacts in attacker workflows. Malware Continues to Exfiltrate Identity DataDespite the <a target="_blank" rel="nofollow noopener" href="https://spycloud.com/newsroom/phishing-is-the-leading-cause-of-ransomware-attacks-in-2025/">rise of phishing</a>, infostealer malware remains a significant contributor to identity exposure, enabling attackers to harvest credentials, cookies, and authentication tokens from infected devices. SpyCloud recaptured over 642.4 million exposed credentials from 13.2 million infostealer malware infections in 2025. That’s an average of 50 exposed user credentials per malware infection – further expanding the amount of entry points available to bad actors. A notable portion of infections occurred on endpoints with EDR or antivirus tools installed, reinforcing that endpoint controls alone are not sufficient to prevent identity theft.Credential Exposure Remains High, with Weak Password HygieneSpyCloud recaptured 5.3 billion credential pairs – stolen credentials consisting of usernames or email addresses and passwords.Among exposed corporate credentials, 80% contained plaintext passwords, significantly lowering the barrier to immediate account takeover attacks. Once again, predictable patterns tied to pop culture, sports, and short numeric strings continue to be used broadly. Top trendy passwords include:<ul> <li>67 / sixseven: 140.4M</li> <li>sweet / cookie / candy / cake / pie: 5.7M</li> <li>chiefs / kansas city chiefs: 5M</li> <li>2025: 4.1M</li> <li>apple / banana / orange / strawberry / fruit: 2.6M</li> </ul>Password reuse remains widespread, and the report also identified 1.1 million password manager master passwords circulating in underground sources, raising concerns about vault-level compromise when master credentials are weak.The Expanding Identity Exposure SurfaceThe 2026 report highlights a central shift in identity threats and underscores the need for continuous identity threat protection across both human and machine identities. Attackers are combining breach data, phishing captures, malware logs, session tokens, and machine credentials to construct composite identity profiles that fuel everything from session hijacking and ransomware to supply chain compromise.As organizations accelerate cloud adoption and embed AI tools across workflows, machine identities are becoming deeply integrated into critical systems. The theft of these credentials and authentication tokens can create downstream ripple effects far beyond a single compromised account.<blockquote>“The challenge isn’t just stopping phishing or malware,” Hilligoss added. “It’s understanding how exposed identities connect across systems, vendors, and automation workflows.” </blockquote><blockquote>He continues, “SpyCloud has recaptured nearly one trillion stolen identity assets in our 10 years of disrupting cybercrime. It’s the basis of our insights on the evolution of identity sprawl and the ways in which bad actors aim to weaponize data against individuals and businesses. But there is good news for defenders. When organizations continuously monitor exposure and build in automated remediation workflows – we’ve seen how that can significantly shrink the attacker’s window of opportunity, and that’s a win worth fighting for.”</blockquote>Full report and in-depth analysis available <a target="_blank" rel="nofollow noopener" href="https://spycloud.com/resource/report/spycloud-annual-identity-exposure-report-2026/?utm_medium=pr&utm_source=cybernewswire&utm_term=press-release&utm_campaign=2026-exposure-report">here</a>.About SpyCloud<a target="_blank" rel="nofollow noopener" href="https://spycloud.com/">SpyCloud</a> transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions leverage advanced analytics and AI to proactively prevent ransomware and account takeover, detect insider threats, safeguard employee and consumer identities, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now. To learn more and see insights on your company’s exposed data, users can visit <a target="_blank" rel="nofollow noopener" href="http://spycloud.com">spycloud.com</a>.<h5>Contact</h5>Katie Hanusik REQ on behalf of SpyCloud <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="c0b3b0b9a3acafb5a480b2a5b1eea3af">[email protected]</a> <div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/spyclouds-2026-identity-exposure-report-reveals-explosion-of-non-human-identity-theft/" data-a2a-title="SpyCloud’s 2026 Identity Exposure Report Reveals Explosion of Non-Human Identity Theft"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fspyclouds-2026-identity-exposure-report-reveals-explosion-of-non-human-identity-theft%2F&linkname=SpyCloud%E2%80%99s%202026%20Identity%20Exposure%20Report%20Reveals%20Explosion%20of%20Non-Human%20Identity%20Theft" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fspyclouds-2026-identity-exposure-report-reveals-explosion-of-non-human-identity-theft%2F&linkname=SpyCloud%E2%80%99s%202026%20Identity%20Exposure%20Report%20Reveals%20Explosion%20of%20Non-Human%20Identity%20Theft" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fspyclouds-2026-identity-exposure-report-reveals-explosion-of-non-human-identity-theft%2F&linkname=SpyCloud%E2%80%99s%202026%20Identity%20Exposure%20Report%20Reveals%20Explosion%20of%20Non-Human%20Identity%20Theft" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fspyclouds-2026-identity-exposure-report-reveals-explosion-of-non-human-identity-theft%2F&linkname=SpyCloud%E2%80%99s%202026%20Identity%20Exposure%20Report%20Reveals%20Explosion%20of%20Non-Human%20Identity%20Theft" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fspyclouds-2026-identity-exposure-report-reveals-explosion-of-non-human-identity-theft%2F&linkname=SpyCloud%E2%80%99s%202026%20Identity%20Exposure%20Report%20Reveals%20Explosion%20of%20Non-Human%20Identity%20Theft" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>

securityboulevard.com

CVE-2026-3630: Critical Buffer Overflow in Delta Electronics COMMGR2 Enables Remote Code Execution

None
Published date: 2026-03-19 00:00:00

None

<div data-elementor-type="wp-post" data-elementor-id="10723" class="elementor elementor-10723" data-elementor-post-type="post"> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-4b3a23b e-con-full e-flex e-con e-parent" data-id="4b3a23b" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-c3745e6 elementor-widget elementor-widget-heading" data-id="c3745e6" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">Key Takeaways</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-d61cfc8 e-con-full e-flex e-con e-parent" data-id="d61cfc8" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-1cc3550 elementor-widget elementor-widget-text-editor" data-id="1cc3550" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <ul> <li>CVSS v3.1 base score of 9.8 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, according to the CNA</li> <li>Delta Electronics COMMGR2 contains an out-of-bounds write vulnerability (CWE-787) enabling unauthenticated remote code execution</li> <li>NVD lists the vulnerability as analyzed; vendor advisory Delta-PCSA-2026-00005 is available addressing multiple COMMGR2 vulnerabilities</li> <li>No evidence of active exploitation in the wild; specific affected versions and patches detailed in vendor advisory</li> </ul></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-7922e98 e-con-full e-flex e-con e-parent" data-id="7922e98" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-32cc4f0 elementor-widget elementor-widget-heading" data-id="32cc4f0" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">CVE-2026-3630: What Happened?</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-7b5767d e-con-full e-flex e-con e-parent" data-id="7b5767d" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-af4318e elementor-widget elementor-widget-text-editor" data-id="af4318e" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> CVE-2026-3630 represents a critical out-of-bounds write vulnerability in Delta Electronics COMMGR2, an industrial communication and engineering support component. NVD lists CWE-787 (Out-of-bounds Write), sourced from the CNA. As a result, the vulnerability enables remote attackers to execute arbitrary code without authentication or user interaction. The CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N indicates this is a network-accessible flaw with low attack complexity. It requires no privileges or user interaction. As a result, it earns a Critical 9.8 rating. Successful attacks could lead to full compromise of data privacy, integrity, and availability on affected systems. In response, Delta Electronics has released a Product Cybersecurity Advisory (Delta-PCSA-2026-00005) addressing this vulnerability alongside CVE-2026-3631, indicating joint disclosure of multiple COMMGR2 security issues. </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-fbe0a75 e-con-full e-flex e-con e-parent" data-id="fbe0a75" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-9271f5c elementor-widget elementor-widget-heading" data-id="9271f5c" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">Who’s Affected?</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-6b89f6a e-con-full e-flex e-con e-parent" data-id="6b89f6a" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-998466b elementor-widget elementor-widget-text-editor" data-id="998466b" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> The vulnerability affects Delta Electronics COMMGR2 software, which is commonly deployed in industrial automation environments, including manufacturing, building automation, energy, and logistics sectors. In particular, COMMGR2 typically runs on engineering workstations and servers that support Delta’s industrial control systems and automation equipment. Organizations using Delta automation products should consult the vendor’s Product Cybersecurity Advisory Delta-PCSA-2026-00005 for specific affected version ranges and patch information. Given the network-accessible nature of this vulnerability, systems with COMMGR2 exposed to network traffic represent the highest risk exposure. Industrial environments where COMMGR2 is installed on operator or engineering workstations may face particular risk, as successful exploitation could potentially enable attackers to pivot into operational technology (OT) networks or manipulate industrial control configurations. </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-60e74a5 e-con-full e-flex e-con e-parent" data-id="60e74a5" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-9fec738 elementor-widget elementor-widget-heading" data-id="9fec738" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">Want to Learn More?</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-40b423a e-con-full e-flex e-con e-parent" data-id="40b423a" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-c1ba1ef elementor-widget elementor-widget-text-editor" data-id="c1ba1ef" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> Contact us at <a href="https://www.praetorian.com/contact/">Praetorian</a> to learn how our offensive security team can help you assess your exposure to CVE-2026-3630 and other emerging threats. </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-c3d038d e-con-full e-flex e-con e-parent" data-id="c3d038d" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-2f1ae9b elementor-widget elementor-widget-heading" data-id="2f1ae9b" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">References</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-4741609 e-con-full e-flex e-con e-parent" data-id="4741609" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-7aa6937 elementor-widget elementor-widget-text-editor" data-id="7aa6937" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <ul> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-3630" rel="noopener noreferrer">NVD — CVE-2026-3630</a></li> <li><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-05" rel="noopener noreferrer">CISA Advisory</a></li> <li><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-07" rel="noopener noreferrer">CISA Advisory</a></li> </ul></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-3d477fe e-con-full e-flex e-con e-parent" data-id="3d477fe" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-1158cf6 elementor-widget elementor-widget-heading" data-id="1158cf6" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">Disclaimer</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-2742f51 e-con-full e-flex e-con e-parent" data-id="2742f51" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-05026e7 elementor-widget elementor-widget-text-editor" data-id="05026e7" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> The information presented reflects our best understanding as of the publication date based on publicly available advisories, NVD data, and vendor disclosures. Details may evolve as new information becomes available. We will update this post if material changes occur. Praetorian makes no guarantees regarding the completeness or accuracy of third-party disclosures referenced herein. </div> </div> </div>The post <a href="https://www.praetorian.com/blog/cve-2026-3630/">CVE-2026-3630: Critical Buffer Overflow in Delta Electronics COMMGR2 Enables Remote Code Execution</a> appeared first on <a href="https://www.praetorian.com/">Praetorian</a>.<div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/cve-2026-3630-critical-buffer-overflow-in-delta-electronics-commgr2-enables-remote-code-execution/" data-a2a-title="CVE-2026-3630: Critical Buffer Overflow in Delta Electronics COMMGR2 Enables Remote Code Execution"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcve-2026-3630-critical-buffer-overflow-in-delta-electronics-commgr2-enables-remote-code-execution%2F&linkname=CVE-2026-3630%3A%20Critical%20Buffer%20Overflow%20in%20Delta%20Electronics%20COMMGR2%20Enables%20Remote%20Code%20Execution" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcve-2026-3630-critical-buffer-overflow-in-delta-electronics-commgr2-enables-remote-code-execution%2F&linkname=CVE-2026-3630%3A%20Critical%20Buffer%20Overflow%20in%20Delta%20Electronics%20COMMGR2%20Enables%20Remote%20Code%20Execution" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcve-2026-3630-critical-buffer-overflow-in-delta-electronics-commgr2-enables-remote-code-execution%2F&linkname=CVE-2026-3630%3A%20Critical%20Buffer%20Overflow%20in%20Delta%20Electronics%20COMMGR2%20Enables%20Remote%20Code%20Execution" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcve-2026-3630-critical-buffer-overflow-in-delta-electronics-commgr2-enables-remote-code-execution%2F&linkname=CVE-2026-3630%3A%20Critical%20Buffer%20Overflow%20in%20Delta%20Electronics%20COMMGR2%20Enables%20Remote%20Code%20Execution" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fcve-2026-3630-critical-buffer-overflow-in-delta-electronics-commgr2-enables-remote-code-execution%2F&linkname=CVE-2026-3630%3A%20Critical%20Buffer%20Overflow%20in%20Delta%20Electronics%20COMMGR2%20Enables%20Remote%20Code%20Execution" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>*** This is a Security Bloggers Network syndicated blog from <a href="https://www.praetorian.com/blog/">Offensive Security Blog: Latest Trends in Hacking | Praetorian</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by n8n-publisher">n8n-publisher</a>. Read the original post at: <a href="https://www.praetorian.com/blog/cve-2026-3630/">https://www.praetorian.com/blog/cve-2026-3630/</a>

securityboulevard.com

Identity-Centric Security Strategies for Hybrid Workforces

Oluwakorede Akinsete
Published date: 2026-03-19 00:00:00

None

The shift to hybrid work arrangements has revolutionized the cybersecurity perimeter. Currently, roughly half of all employees who are remotely accessible are working from both their offices and homes, using different devices. In this fluid environment, experts are unanimous that identity, and not the network, is the new perimeter. In fact, as one <a href="http://idsalliance.org/webinar/identity-is-the-only-perimeter/" target="_blank" rel="noopener">Identity Defined Security Alliance</a> (IDSA) webinar presentation stated, with the risks associated with working remotely, “identity is no longer the new perimeter, but is now the only perimeter that matters.” This is because the reality is that more than <a href="https://www.idsalliance.org/webinar/identity-is-the-only-perimeter/" target="_blank" rel="noopener">80% of all breaches</a> are the result of stolen or hijacked credentials, which means that one single identity can compromise the entire network. In other words, identity-based security is no longer optional. It is the foundation on which the entire network needs to be built. Workforce identity security needs to be the keystone of the entire network. This article aims to discuss the many ways in which identity-based security can be implemented. <h3 aria-level="1">The Hybrid Reality: New Perimeter, New Threats </h3>Hybrid work has effectively broken the traditional network moat. Users and workers can log in from the kitchen table, the corner of the coffee shop and their personal devices. They can carry sensitive company data with them wherever they go. This has opened the door wide for attackers. <a href="https://www.ibm.com/think/insights/reactive-to-resilient-how-proactive-identity-threat-defense-shifts-cybersecurity-mindset" target="_blank" rel="noopener">IBM</a> states that attackers “are using identities to walk through the front door” since the use of credentials has become the primary entry point for attackers. <a href="http://permiso.io/identity-threat-detection-and-response-itdr">Studies</a> continue to prove that 80% of all cyberattacks in the modern era involve the exploitation of account credentials. <a href="https://www.idsalliance.org/blog/workforce-identity-security-best-practices-the-essential-role-of-unified-identity-protection">A</a> <a href="https://www.idsalliance.org/blog/workforce-identity-security-best-practices-the-essential-role-of-unified-identity-protection" target="_blank" rel="noopener">study states that in 2023</a>, “84% of data breaches involved compromised credentials, costing organizations an average of $4.24 million each.” Playing old security tricks, such as VPNs and firewalls, will do nothing if an attacker has legitimate credentials. This is where the concept of ‘zero-trust’ came about. According to Microsoft, ‘zero-trust’ means that you don’t trust anyone or anything. “We verify who the user is, and at the same time, we are keeping a constant eye on the security of our network, our data and our applications, no matter if they are in the office, working from home, or on the go.” Every single attempt to get access is verified. It is not verified based on the location of the user. It is verified based on who the user is. It is verified based on the state of the device. It is verified based on the risk present. In a hybrid environment, workforce identity security assumes that any login attempt could be an attack. <h3 aria-level="1">Core Principles of Identity-Centric Security </h3>An identity-centric approach flips this old model on its head; we don’t just protect a network and trust that only the right people get in. We make identity our central point of control. So the first thing we want to do is implement a<a href="https://securityboulevard.com/2026/02/empowering-a-global-saas-workforce-from-identity-security-to-financial-access/" target="_blank" rel="noopener"> strong identity and access management (IAM) solution</a>. It involves implementing single sign-on (SSO) with modern federation (SAML, OAuth2/OIDC) and directory sync (SCIM) to verify user identities. This means that even if a password is compromised, MFA or passwordless FIDO ensures that attackers cannot get in. Least privilege and governance are just as important. Every person should have only the access they need to perform their jobs. This requires automating the joiner-mover-leaver process, where access rights are granted and revoked in real-time, as well as periodic checks on access rights. The IDSA identifies one of the weak links in the chain: Breaches often result from identities being fragmented across many isolated accounts and permissions. An attacker needs only one weak point to get into the whole resource. A strict identity security policy can bring all the fragmented identities together by using IAM and SSO systems. Therefore, it can eliminate orphaned identities as well as the problem of privilege creep. Another critical aspect that needs to be considered is the security of non-human identities. Cyberattackers usually target non-human identities to carry out lateral movements. Therefore, as one expert points out, a single compromised non-human identity can provide the attackers with the key to the entire environment. A firm should extend its workforce identity security across all identities under its management. This includes rotating service credentials, certificate management (PKI) and automated processes and devices with the same level of vigilance as users — monitoring and least privilege applied universally. The bottom line is that a robust identity security model is all about continuous verification of all users and devices, MFA and authentication, least privilege and sealing identity gaps throughout the hybrid environment. This is all about a zero-trust approach — no one inside the corporate network is trusted; you have to verify who they are and what they are authorized to do.<h3 aria-level="1">Practical Strategies and Best Practices </h3>Security professionals can help ensure workforce identity security with the following best practices, which flow a bit more smoothly: <ul><li aria-setsize="-1" data-leveltext="●" data-font="Arial" data-listid="1" data-list-defn-props='{"134224900":false,"335551671":0,"335552541":1,"335559685":720,"335559991":360,"469769226":"Arial","469769242":[8226],"469777803":"left","469777804":"●","469777815":"hybridMultilevel"}' data-aria-posinset="0" data-aria-level="1">Centralize and Simplify Logins: Implement IAM with SSO and federation for both cloud and on prem apps. This can greatly reduce password fatigue, simplify policy enforcement and allow you to enforce policies such as MFA more easily. One single login with Okta or Azure AD with MFA can replace dozens of individual user logins. Centralization can also make it easier to manage deprovisioning and policy standardization. Just remember, the central SSO service is now a high-value target and must itself be highly secure. </li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="Arial" data-listid="1" data-list-defn-props='{"134224900":false,"335551671":0,"335552541":1,"335559685":720,"335559991":360,"469769226":"Arial","469769242":[8226],"469777803":"left","469777804":"●","469777815":"hybridMultilevel"}' data-aria-posinset="1" data-aria-level="1">Enforce Multi-Factor and Adaptive Authentication: Ensure at least two factors for all users, with special consideration for administrators. Implement adaptive MFA, which can request an additional authentication factor based on the riskiness of the login attempt. Phishing-resistant MFA, such as FIDO2 with hardware keys or biometrics, is especially strong. Studies have shown that moving toward passwordless or phishing-resistant MFA can significantly reduce account-takeover attacks. Another type of continuous authentication can quietly reauthenticate users based on behavioral factors such as suspicious behavior. </li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="Arial" data-listid="1" data-list-defn-props='{"134224900":false,"335551671":0,"335552541":1,"335559685":720,"335559991":360,"469769226":"Arial","469769242":[8226],"469777803":"left","469777804":"●","469777815":"hybridMultilevel"}' data-aria-posinset="2" data-aria-level="1">Implement Identity Governance: Implement the tools and processes required to manage the identity and access life cycle. Automate provisioning and deprovisioning (via SCIM or HR workflows), ensuring users’ access is always in sync with their roles. Inactive accounts should be periodically disabled. The IDSA states, “account sprawl, or the lack of identity and access management, is a significant and growing risk to an organization.” Account sprawl can result in unknown risks, and the longer it is left unaddressed, the more serious the risks become. To address account sprawl, you can retire unused accounts and consolidate duplicate identities. Implementing a privileged access management (PAM) solution can vault and manage administrator credentials and limit the time for which an administrator is privileged. </li></ul><ul><li aria-setsize="-1" data-leveltext="●" data-font="Arial" data-listid="1" data-list-defn-props='{"134224900":false,"335551671":0,"335552541":1,"335559685":720,"335559991":360,"469769226":"Arial","469769242":[8226],"469777803":"left","469777804":"●","469777815":"hybridMultilevel"}' data-aria-posinset="3" data-aria-level="1">Monitor and Respond to Identity Threats: Use identity threat detection and response (ITDR) products or processes to monitor identities for suspicious behavior. This can include monitoring for unusual login activity, brute-force attacks, phishing attempts and lateral movement between accounts. Attack path analysis can be used to understand how a low-privilege account breach can be escalated. IBM suggests a mix of monitoring with AI and automation to score identities for risk and contain attacks — for example — if credentials have been found on the dark web or a login has been attempted. </li></ul><h3 aria-level="1">Technology Enablers </h3>Technology tools are the foundation of a good identity security strategy. Here are some of the commonly used technology tools: <ul><li aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}' data-aria-posinset="1" data-aria-level="1">Cloud Identity Providers: Microsoft Entra (Azure AD), Okta, Ping Identity and Google Identity are some of the commonly used cloud-based IAM solutions with features such as SSO, MFA and Conditional Access. Identity-as-a-service (IDaaS) solutions such as these support SAML, OAuth2 and OIDC for integration with thousands of SaaS applications. For instance, administrators can enforce device compliance for access to email and CRM applications. </li></ul><ul><li aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}' data-aria-posinset="2" data-aria-level="1">Zero Trust Network Access (ZTNA): ZTNA solutions, such as SASE, connect users to applications rather than providing access to the entire network, and access to applications and resources is determined by identity and device rather than the network location. </li></ul><ul><li aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}' data-aria-posinset="3" data-aria-level="1">Privileged Access Management and Identity Governance & Administration (IGA): CyberArk, BeyondTrust, SailPoint and Saviynt are some of the PAM and IGA solutions commonly used for identity security. These solutions help organizations discover all identities and enforce policies such as JML workflows. They also enable organizations to lock down superuser accounts with just-in-time provisioning and session monitoring. </li></ul><ul><li aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}' data-aria-posinset="4" data-aria-level="1">Multi-Factor and Passwordless Technologies:<a href="https://www.ibm.com/think/insights/reactive-to-resilient-how-proactive-identity-threat-defense-shifts-cybersecurity-mindset" target="_blank" rel="noopener"> MFA</a> for the entire workforce is necessary. New passwordless technologies, such as FIDO2 tokens and platform biometrics, are less vulnerable to credential theft. Companies are increasingly using passkeys and identity wallets to improve security and user experience. </li></ul><ul><li aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}' data-aria-posinset="5" data-aria-level="1">Identity Analytics and Deception: Advanced identity analytics platforms incorporate ML to model normal user behavior. Some companies are using deception technologies, which include fake identity credentials or ‘honey accounts’, which are designed to alert the company if the wrong person finds the fake identity. </li></ul><ul><li aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}' data-aria-posinset="6" data-aria-level="1">Cross-Domain Identity Solutions: Identity verification is not just about passwords. Some companies are using global eID and credential-issuing solutions such as Entrust or Thales that allow employees to present digital identity cards or mobile credentials in all situations, linking real-world identity to digital identity. </li></ul>A solid foundation of identity technologies enables the security team to adopt the identity-centric model. However, it is also important to note that no single technology is the answer. It is also necessary to develop policies to support the identity-centric model, such as access reviews and incident response and to ensure that all stakeholders are trained on the identity-centric model. <h3 aria-level="1">Identity as the New Security Perimeter in the Hybrid Era </h3>Identity is the lifeblood of security in the modern world. With hybrid work and cloud-based collaboration, an identity-centric approach is no longer a choice; it’s a requirement. When security is prioritized within an organization’s workforce identity, security and agility are maximized. According to an expert, “The future of cybersecurity is identity-centric.” If you are holding on too tightly to outdated notions of security perimeters, you are doing yourself a great disservice. <a href="https://securityboulevard.com/2025/06/identitys-new-frontier-ai-machines-and-the-future-of-digital-trust/" target="_blank" rel="noopener">According to Security Boulevard</a>, “The age of identity-centric security has arrived. Those who cling to perimeter-based security models will find themselves increasingly vulnerable in a world where identity is everything.” The benefits of an identity-centric approach are clear. Businesses that focus on identity verification and security are seeing a clear ROI in reduced fraud and breach attempts. When working in a hybrid environment, an<a href="http://entrust.com/solutions/industries/enterprise/" target="_blank" rel="noopener"> identity security approach</a> is no longer a technical nicety; it’s a business requirement. Security professionals who are identity-centric will not only keep their businesses safe from current threats but will also ensure that they are ready for future threats in this ever-changing world of cyber threats and security. <div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/03/identity-centric-security-strategies-for-hybrid-workforces/" data-a2a-title="Identity-Centric Security Strategies for Hybrid Workforces "><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fidentity-centric-security-strategies-for-hybrid-workforces%2F&linkname=Identity-Centric%C2%A0Security%C2%A0Strategies%C2%A0for%20Hybrid%20Workforces%C2%A0" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fidentity-centric-security-strategies-for-hybrid-workforces%2F&linkname=Identity-Centric%C2%A0Security%C2%A0Strategies%C2%A0for%20Hybrid%20Workforces%C2%A0" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fidentity-centric-security-strategies-for-hybrid-workforces%2F&linkname=Identity-Centric%C2%A0Security%C2%A0Strategies%C2%A0for%20Hybrid%20Workforces%C2%A0" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fidentity-centric-security-strategies-for-hybrid-workforces%2F&linkname=Identity-Centric%C2%A0Security%C2%A0Strategies%C2%A0for%20Hybrid%20Workforces%C2%A0" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F03%2Fidentity-centric-security-strategies-for-hybrid-workforces%2F&linkname=Identity-Centric%C2%A0Security%C2%A0Strategies%C2%A0for%20Hybrid%20Workforces%C2%A0" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>

Technology

Related News

How OTP Authentication Streamlines Service Delivery for HVAC Companies

This is Not Big News

French aircraft carrier’s location leaked by sailor using Strava on the ship deck

Could your face change what you pay? NYC wants limits on biometric tracking

Randall Munroe’s XKCD ‘Plums’

Your Lateral Movement Detection Tools Are Missing 90% of Attacks. Here’s Why.

Your SIEM Isn’t Broken. Your Investigation Layer Is Missing.

Cloud Security Posture Management in 2026

Why MCP Gateways are a Bad Idea (and What to Do Instead)

Securing Third-Party Procurement Platforms with Enterprise SSO

That “job brief” on Google Forms could infect your device

When Face ID Helps iPhone Security—And When to Turn It Off

Beyond passwords and firewalls: Why the age of AI agents demands a new security playbook

Governing Tens of Thousands of AI Agents: Why Policy Chaining Matters

SIEM Is Not Dead. It Just Stopped Moving Fast Enough.

The Hidden Security Risks in Open-Source Dependencies Nobody Talks About

Security Architecture for Hybrid Work: Enterprise Guide

FBI Seizes Two Websites Linked to Pro-Iranian Group Handala

Dormant Accounts Leave Manufacturing Orgs Open to Attack

FBI Data Purchases Ignite New Clash Over Privacy and Surveillance

How empowered is your secrets scanning system

Mapping Your Defenses to What You Need, Not What You Inherited

SpyCloud’s 2026 Identity Exposure Report Reveals Explosion of Non-Human Identity Theft

CVE-2026-3630: Critical Buffer Overflow in Delta Electronics COMMGR2 Enables Remote Code Execution

Identity-Centric Security Strategies for Hybrid Workforces

Most Popular

How OTP Authentication Streamlines Service Delivery for HVAC Companies

Could your face change what you pay? NYC wants limits on biometric tracking

That “job brief” on Google Forms could infect your device

Securing Third-Party Procurement Platforms with Enterprise SSO

Cloud Security Posture Management in 2026

Technology

Related News

Most Popular

Advertisements

Follow us

Recent Tweets