As AI-generated threats continue to rise, more organisations are turning to red teaming to turn the tide. Nothing provides a better understanding of your security posture like letting a red team loose on your environment to simulate a real-world attack. 

Here is a list of some of the top red teaming tools you’ll find in 2026—along with what you’ll need to know to make your choice.  

Cobalt Strike (Fortra)  

Cobalt Strike is one of the most widely used red teaming tools in cybersecurity today. As one engineer noted, “It was the product that changed the industry” as its insights spurred the development of Endpoint Detection and Response (EDR). Now, nearly a decade and a half later, it continues to be the professional’s choice and is estimated to be in use by 60% of red teamers out there.  

Strengths 

• Vetted Exploits: One of Cobalt Strike’s key advantages is its interoperability. By integrating closely with Core Impact, it offers users full access to Core Impact’s library of core certified exploits, which is widely trusted by security experts over potentially risky open-source options.  

• Malleable C2: Traffic can be made to resemble legitimate apps (by altering URLs, headers, payload formatting, etc.), a mature and well-documented technique. 

• Integrated Workflow: Bundles payload generation, post-exploitation features, a team server for collaboration, and a single operator workflow—instead of making teams cobble together separate OSS components. 

• Superior Support: Commercial licensing comes with professional support; vendor maintenance, documentation, and live help. For teams that want compatibility with corporate tooling and predictable updates, this is key.  

• Mature Solution with Repeatable Results: Polished GUIs, established C2 features, team collaboration workflows, and vetted exploits mean repeatable, credible results.  

Limitations 

• Commercial Licensing: Commercial pricing can be high for smaller teams. 

• Legal Considerations: Cobalt Strike can only be used in authorised engagements. 

Watch Now: See Cobalt Strike explained in two minutes: https://www.youtube.com/watch?v=9BUxptcYZCk 

Mythic 

Mythic is an open-source, modular command-and-control (C2) framework perfect for creating customised “agents” across Windows, macOS, and Linux targets.  

Strengths 

• Highly Extensible: New features easily added or modified without an extensive overhaul. Every feature runs as a containerized microservice. 

• Fully Customisable: Used for openness, flexibility, and the ability to research and craft new payloads. 

• Development and Research: Many use Mythic for research, educational, and development purposes as it provides full control and zero licensing costs.  

Limitations 

• Requires Orchestration: Container orchestration, agent configuration, and more administrative effort than commercial tools are required. 

• Steep Learning Curve: Without a “turnkey” setup or a single-vendor installer, operators must be experienced to get Mythic up and running. 

AdaptixC2  

AdaptixC2 is a fairly new open-source red teaming tool that entered the market in January 2025. It offers flexibility, a modular architecture, and works across multiple operating systems. With no licensing costs, it is good for labs and bespoke engagements. 

Strengths 

• Cross-Platform Support: It offers support for Windows, Linux, and macOS agents. 

• “Extenders” and Plug-Ins: Add in additional capabilities like lateral movement, credential harvesting, and custom payloads. 

• Modifiable and Open-Source: Great for emulating bespoke adversaries as it is deeply customisable and easily expanded.  

Limitations 

• Less Mature: Being newer on the market means fewer “out of the box” modules and less battle-tested experience.  

• Less Standardised and Established: Integrating with other red-team ecosystems (toolchains, training, reporting workflows) may require more customisation. 

Sliver 

Developed by Bishop Fox, Sliver is an open-source adversary emulation platform that implants “slivers” (malicious binaries) across many architectures and supports multiple transport options. 

Strengths 

• Staged and Stageless Payloads: Sliver delivers both staged and stageless payloads to launch both larger, immediate-impact attacks and smaller, size-constricted ones. 

• Flexible Transport Options: Offers native support for DNS, HTTP(S), mTLS, WireGuard and custom transports for varied emulation of egress patterns.  

• Dynamic Code Generation: Reduces static detections (when configured properly) with per-binary keys and compile-time options to change fingerprints.  

Limitations 

• No Commercial SLA: Teams need to invest in their own internal support, testing, hardening, and expertise.  

• Payload Size: Some users report the need to reduce forensic artefacts.  

Havoc  

Havoc has rapidly gained traction in the red teaming community as one of the few open-source C2 tools to be designed with operator UX in mind.  

Strengths 

• Fully Customisable: Teams can extend, modify, and audit the framework (again, good for research, education, and custom engagements).  

• Fast Set Up: Documentation, tutorials, and YouTube walk-throughs shorten the learning curve, along with active community engagement. 

• Approachable UX: A GUI-driven framework smooths set up and provides a more polished, modern user experience comparable to commercial-grade tools. 

Limitations 

• Younger Ecosystem: Less battle-tested than older, more established red teaming tools; capabilities may evolve unevenly. 

• Operational Hardening Required: To achieve enterprise-grade OPSEC, internal investment is required: cleaning proxies, testing against EDR/XDR stacks, hardening listeners.   

Outflank Security Tooling (OST)  

Outflank Security Tooling, or OST, is a collection of advanced red teaming tools made “by red teamers, for red teamers.” This broad, evasive toolset emulates real-world attacks by simulating APT techniques, bypassing defences, and providing high-end offensive security. 

Strengths 

• Expert Maintained: OST is continuously updated by the hackers and experts that use it themselves, making it well-suited for mature and sensitive target environments. 

• Full Kill Chain Coverage: Get advanced tools to break the attack chain at any stage. Small teams can punch above their weight with shortcuts for hard stages like EDR evasion, initial access, and OPSEC-safe lateral movement. 

• Unique Industry Advantage: OST features techniques not yet weaponized or even published by other teams, giving organisations a unique advantage over other tools and attackers.  

Limitations 

• Vetted Audience: Because of its powerful capabilities, Outflank Security Tooling is not a tool for the masses. Instead, it is available only to a vetted community of responsible buyers and red team professionals because of its real-world attack potential. 

• OS-Specific Evasion: Evasion techniques are carefully crafted to work with certain operating systems and configurations, just like an attackers’ techniques. This means that an exploit designed for a Windows 11 endpoint may not work on Windows 10. 

Kali Linux 

Maintained by Offensive Security, Kali Linux is a Debian-based Linux construction used for red teaming, pen testing, and digital forensics. Rather than a specialised red teaming tool, it is a complete operating system and toolkit.  

Strengths 

• Preinstalled Security Tools: Kali Linux ships with 600+ preinstalled security tools (from John the Ripper to Burp Suite to Wireshark). 

• Free and Open Source: Users can modify, inspect, and rebuild it. No licensing or usage fees.  

• Open to Integration: Kali Linux serves as the foundation for red teaming tools, integrating with frameworks like Sliver and Havoc (C2 operators) to act as host. 

Limitations 

• Not a C2 Framework: While Kali Linux supports C2 frameworks, it is an environment—not a post-exploitation or C2 platform in its own right. 

• Inconsistent Tool Maturity: Tools can overlap, lead to inefficiencies, or (in the case of older tools) be buggy, outdated, or redundant.  

Matrix Table 

Tool	Overview	Use Case
Cobalt Strike	Commercial, professional-grade red teaming and post-exploitation platform used by ~60% of red teams worldwide.	Professional, repeatable red teaming engagements
Mythic	Open-source, modular C2 framework for research and custom agent creation.	Highly modular, customizable, cross-platform agent dev
AdaptixC2	New (2025) open-source C2 platform emphasizing modularity and cross-platform operation.	Highly modular, customizable, cross-platform agent dev
Sliver (BishopFox)	Open-source adversary emulation framework for red teaming with multi-transport implants (“slivers”).	Open-source research and adversary emulation
Havoc	Open-source GUI-based C2 framework designed for usability and community collaboration.	Modern GUI-driven open C2 alternative
Outflank Security Tooling (OST)	High-end offensive security red teaming toolkit created “by red teaming experts for red teaming experts.”	Advanced APT simulations and evasive tactics for mature, sensitive target environments.
Kali Linux	Debian-based Linux distro for penetration testing, digital forensics, and red teaming; acts as a tool platform.	Training and general-purpose pentesting

 

Conclusion: Commercial vs Open-Source 

Ultimately, the choice between commercial red teaming tools and open-source options depends on where you are willing to sacrifice. 

As SANS notes, “Balance the cost against the potential ROI. Open-source tools…may be cost-effective and community-driven, while commercial tools…often come with a additional capabilities and a curated database. This typically includes the latest threat intelligence, attack vectors, new campaigns and overall support.” 

Whether your organisation is looking for a cost-friendly option or a mature, licensed solution, there is a red teaming vendor that can fit your needs in 2026.  

FAQ:

What is a red team? 

A red team is a group of ethical hackers that play the part of adversaries in simulating a real-world cyberattack for the purpose of testing an organization’s cybersecurity defences. They play a key role in offensive security. 

 

What is the difference between a red team and a blue team? 

A red team attacks; a blue team defends. Though they play opposite roles in red team engagements, all are on the same side: improving the cybersecurity posture of the target organisation.  

This is why teams should prioritise blue team success over red team wins.  

Watch this explainer video for more: https://www.youtube.com/watch?v=E3ZMAipJvao 

 

How is red teaming different from penetration testing?
Pen testing searches for and catalogues vulnerabilities, specifically.  Red teaming leverages advanced and creative ways to breach an organisation, from social engineering to APTs and beyond. It is broader, less predictable, and tests everything from the tool stack to the response capabilities of the blue team.

 

What is the goal of a red team exercise?

The goal of a red team exercise is to uncover ways in which threat actors could leverage internal weaknesses, misconfigurations, and oversights – along with technical exploits and expertise – to access an organisation’s internal network, services, or applications and disrupt operations, exfiltrate data, and otherwise inflict harm.  

 

How do you get legal/ethical approval to run a red team? 

The red team engagement needs to be authorised and approved by the organisation and key stakeholders. Basic steps include: 

• Scope and Justification: Define what you’re testing and why 
• Sign-Off: Approval from legal, risk/compliance, SOC/security, IT/network operations, HR (if phishing), C-Suite sponsor 
• Rules of Engagement (RoE): Defines technical boundaries, allowed techniques, and things like safe words and kill switches. 

 

What kind of tools do red teams use?  

Red teams typically use command-and-control (C2) platforms to run red team engagements. These frameworks can be commercial-grade or open-sourced, and include tools such as: 

• Beacons/Agents/Slivers 

• Adversary Emulation Platforms 

• Exploit Frameworks 

• Lateral-Movement Tools 

• Post-Exploitation Tools (Outflank Security Tooling (OST)) 

• Payload Builders/Obfuscators/Packers 

• Transport and Tunneling Tools 

• Reconnaissance and Scanning Tools (Shodan, theHarvester) 

• Social Engineering and Phishing Toolkits (Social Engineering Toolkit (SET)) 

• Penetration Testing Tools (Core Impact) 

• Network/Application Testing Tools (Wireshark, Burp Suite) 

• Physical Tools (RFID cloners, lock-pick sets) 

• Command Libraries/Scripts/ Automation 

Cobalt Strike was one of the first public red team C2 frameworks and is a favourite in the red teaming community.  

What’s a purple team exercise and should we do one? 

A purple team exercise brings red teams and blue teams together in a collaborative security assessment. The focus is on bringing both skillsets to the table for the purpose of learning, teaching, and improving—not “winning.”  

A purple team mindset recognizes red and blue as the same team – with the ultimate goal of beating attackers – and fosters engagements that act as an open-communication training opportunity.  

The post The Best Red Teaming Tools of 2026: What You Need to Know appeared first on IT Security Guru.

South Korea’s largest online retailer, Coupang, has been rocked by a massive data breach that exposed the personal details of nearly 34 million customers, forcing CEO Park Dae-jun to resign amid mounting scrutiny from regulators and the public.

The breach, one of the most severe in South Korea’s history, reportedly included names, email addresses, phone numbers, and shipping details. While Coupang said that payment and login credentials were not compromised, the scale of the exposure has prompted police raids and a government-led investigation. The company has since apologised and appointed Chief Administrative Officer Harold Rogers as interim CEO while pledging to overhaul its cybersecurity practices.

According to Paul German, CEO at Certes, this incident is emblematic of a much broader trend. “2025 has, unfortunately, been the year of the high-profile data breach. Millions, no, billions, of dollars have been squandered in terms of reputational damage, lost sales and productivity, not to mention judicial penalties. When you factor in the knock-on effects across supply chains and third-party suppliers, the true cost of data exposure becomes staggering.”

German says Coupang’s leadership change underscores a critical lesson for corporate boards everywhere: data protection is no longer just a technical concern but a boardroom responsibility. “The CEO’s resignation is a stark reminder that data protection is not an IT issue, but an executive issue,” he adds. “Ultimately, it is the Board’s duty to ensure the company’s data is protected, wherever it resides. For any CEO, failure to do so risks not just the organisation’s trust, but their own career.”

As Coupang works to regain customer confidence, the company’s turmoil serves as a cautionary tale for global business leaders: in an era where cyber incidents can destroy reputations overnight, executive accountability for data security is non-negotiable.

The post Coupang CEO Resigns Following Major Data Breach Exposing 34 Million Customers appeared first on IT Security Guru.

Sophia McCall is a rising force in cybersecurity and a leading cyber security speaker. She is a cyber security professional who co-founded Security Queens, a platform created to break down barriers in a sector that has struggled with representation. Her work focuses on improving capability, access and visibility for underrepresented groups while helping organisations strengthen their approach to security.

Sophia has built a reputation for combining technical skill with a commitment to inclusion. She challenges outdated perceptions of the industry and shows companies how diverse teams contribute to better decision making and stronger defences. Her advocacy for mentorship has also helped many new entrants navigate a field that can often feel inaccessible. In this exclusive interview with the Cyber Security Speakers Agency, Sophia McCall discusses diversity, mentorship, hidden cyber threats and the cultural changes businesses need to make security truly effective.

Q: In practical terms, how does diversity strengthen a company’s security posture?

Sophia McCall: “So I think diversity brings a perspective of thought to your security teams. I think the more varied thought that you have within your defence teams, you’re less likely to fall into something like group think.

“And the more backgrounds you can bring in, the more different angles and perspectives you can bring in from different people, the better you’re able to kind of try to solve that problem.”

Q: What do you see as the main reasons the cyber security sector still struggles with diversity?

Sophia McCall: “So I think we have quite a big stereotype problem in cyber security, particularly with the news media portraying a hacker as a sweaty teenage boy hiding in a basement in a hoodie.

“We still have this image issue that persists within the industry. I’ve had to previously tell people that I’m not the diversity pick. You know, I’m here because I know what I’m doing. I’m very skilled at what I’m doing.

“But that kind of gatekeeping is quite exhausting, and even though we’re a little bit better, we still have a little bit further to go.

“So that’s why I co-founded Security Queens, a platform where we can welcome diversity and anyone can have that content to be accessible as much as they can.

“And it’s not just about that, but it’s about improving capability, access, and representation within the industry and trying to break down those barriers and toxic norms.”

Q: You speak often about mentorship. Why is it such a crucial part of building a stronger cyber workforce?

Sophia McCall: “So I’m a really big believer in mentorship. I really think it bridges the gap between potential and opportunity. Growing up, it was really nice to have female role models in the cyber security industry.

“Just seeing someone succeed and do well. I think having that form of mentorship is really good for someone that perhaps is a bit nervous or has quite a lot of self-doubt.

“Especially for something like cyber, which everyone thinks, “Oh, it’s really technical, it’s not for me.” There are loads of different career routes that you can go down that don’t mean you have to be a techie as such. And it’s all about passing that knowledge and actually building a community in cyber as well.”

Q: What cyber threats are business owners facing today that often go completely unnoticed?

Sophia McCall: “So I think one of the biggest risks that a lot of companies face is third-party risk. You can make your internal systems as secure as possible, but unfortunately if your suppliers or your supply chain is exposed, that’s definitely a way in for adversaries.

“Another thing that we’ve seen rise in recent years, especially with hybrid working, is things like bring-your-own-device or people working from home. So again, that adds another layer of exposure for companies.

“But also, something that’s particularly forgotten sometimes is insider risk as well. Not necessarily a malicious insider, but perhaps people that are less informed with security practice and clicking on phishing links, falling for scams, that kind of thing, which again leaves organisations exposed.”

Q: From your perspective, what remains the single biggest vulnerability inside most businesses?

Sophia McCall: “So there’s a saying that goes humans are the weakest link, and unfortunately, I think I am a little bit inclined to believe in that. You can invest millions in your firewalls and your defence technologies, but if you do not train your employees and your staff to spot a phishing email or how to spot a scam or a bit of fraud, it’s unfortunately all for nothing.

“So human error is still quite a big cause of major breaches and I’m always a big believer that security training is more of a culture that needs to be embedded in an organisation rather than a chore. So that’s something we can definitely work on, and particularly larger businesses that have those kinds of threats.”

Q: What common employee mistakes continue to put organisations at risk?

Sophia McCall: “So a lot of people think, “Oh, security is not my problem, that’s the IT department or the security team.” And I think one of the biggest things we need to make sure people know is that security is everyone’s responsibility.

“As I previously mentioned, phishing is a really big cause of breaches in many organisations and that’s something that we definitely need to address, but it’s all about empowering your employees with the right knowledge and making sure they are trained and have that awareness.

“And so, things like simulated phishing campaigns, things like that, help bring up that security barrier for them.”

Q: When you speak publicly, what do you most hope audiences carry forward?

Sophia McCall: “So I’m a really big believer in learning and not gatekeeping knowledge. Whenever I deliver a talk, I really want people to feel empowered and curious and wanting to learn more in a way.

“So cyber security isn’t just for the elite technical folks in the room. It is for everyone. Whether I’m speaking at a bank or a school, my goal is to demystify the subject so it can be accessible for everyone, quite exciting almost and actually quite impactful.

“I hope people don’t see diversity as a buzzword but actually as a strength to their team, and that mentorship and inclusion can help that journey and process as well.”

In 2025, Sophia McCall was named amongst the Top 20 Most Inspiring Women in Cyber.

The post Q&A: How Diversity and Mentorship Are Reshaping the Future of Cybersecurity appeared first on IT Security Guru.

A new industry report by KnowBe4 suggests that organisations are facing a sharply escalating human-centred risk landscape as artificial intelligence becomes embedded in everyday work. The State of Human Risk 2025: The New Paradigm of Securing People in the AI Era, based on survey responses from 700 cybersecurity leaders and 3,500 employees who experienced an employee-involved incident in the past year, highlights a 90% surge in incidents linked to the human element.

The findings point to a widening attack surface driven by social engineering, unsafe employee behaviour and simple mistakes. According to the report, 93% of surveyed leaders experienced incidents in which cybercriminals exploited employees directly. Email continues to dominate as the primary battleground, with a 57% rise in email-related incidents and 64% of organisations reporting external attacks delivered through email. Human error remains a major weak point, with 90% of organisations facing incidents caused by employee mistakes, while malicious insiders accounted for issues at 36% of organisations.

Budget pressures are mounting too, as nearly all (97%) of the cybersecurity leaders asked said they need increased investment to strengthen the human-security layer.

AI’s rapid infiltration into workplace tools is introducing a new tier of risk. AI-related security incidents climbed 43% in the past 12 months—the second-largest increase across all channels surveyed. Despite 98% of organisations taking steps to address AI-related threats, security leaders ranked AI-powered attacks as their top concern, with 45% citing the constant evolution of AI-driven threats as their biggest challenge in managing behavioural risk. Deepfake-related incidents are also rising, affecting 32% of organisations.

Tensions around workplace AI use appear to be contributing to emerging “shadow AI” behaviours. While most organisations have implemented AI-risk measures, 56% of employees expressed dissatisfaction with their employer’s approach to AI tools, potentially driving them towards unsanctioned platforms.

The report suggests email will remain the highest-risk channel for several years, but warns that attackers are increasingly shifting to multi-channel campaigns, including messaging apps and voice phishing. The growing use of AI by threat actors to craft convincing, scalable attacks is expected to accelerate this trend.

 Javvad Malik, lead CISO advisor at KnowBe4, said: “The productivity gains from AI are too great to ignore, so the future of work requires seamless collaboration between humans and AI. Employees and AI agents will need to work in harmony, supported by a security programme that proactively manages the risk of both. Human risk management must evolve to cover the AI layer before critical business activity migrates onto unmonitored, high-risk platforms.”

The post Human-Centric Cyber Risks Surge as AI Enters the Workforce, Report Finds appeared first on IT Security Guru.

Black Duck today announced the launch of Black Duck Signal, a new agentic AI platform designed to secure software at the same speed it’s now being developed with AI coding tools.

As AI-driven development accelerates, traditional security testing methods have struggled to keep pace. Black Duck Signal aims to bridge that gap by combining two decades of the company’s software security expertise with large language model (LLM)-powered software analysis to autonomously detect and remediate vulnerabilities across source code, binaries, supply chain components, and running applications.

The rise of AI coding assistants and autonomous agent workflows has transformed how software is built. Still, it has introduced new challenges in ensuring the security of AI-generated code. Signal is purpose-built for this era, working natively within AI-enabled development environments to identify, prioritise, and fix vulnerabilities in real time.

Unlike generic AI tools, Signal blends advanced multi-model LLM technology with human-labeled application security intelligence from the Black Duck KnowledgeBase, a vast repository built over years of analysis of both open-source and commercial software. The result is a system that provides accurate, context-aware insights without the noise, hallucinations, or false positives that often plague automated code analysis.

Signal’s agentic architecture enables both developers and security teams to work more efficiently by integrating directly with AI coding assistants such as Google Gemini, GitHub Copilot, Claude Code, and Cursor, as well as with other Black Duck security products. The platform’s real-time analysis capabilities allow it to scan new and modified code as it’s written, ensuring continuous protection without slowing down the development process.

“AI is revolutionizing how software is built—and with Signal, Black Duck is redefining how you secure it by completely eliminating the noise of legacy tools,” said Jason Schmitt, CEO of Black Duck. “Developers are moving faster than ever, embracing AI to build and deliver software at unprecedented speed. Signal is the first programming language-agnostic security analysis product to combine the power of LLM-based code analysis with petabytes of human-labeled security data curated over our decades of analysing real-world commercial and open-source software. Signal is designed to give developers the clarity, confidence, and control they need to innovate securely—without slowing down.”

In addition to real-time code analysis, Signal automates the remediation process with verified code fixes and library patching, reducing manual effort while maintaining developer control. It also brings advanced exploitability analysis to reduce alert fatigue and focuses attention on the vulnerabilities that matter most. Beyond traditional vulnerability scanning, Signal’s AI-driven detection of business logic flaws gives teams visibility into application-level zero-days that typically evade rule-based systems.

The post Black Duck launches Signal™, bringing agentic AI to application security appeared first on IT Security Guru.

Saviynt has today announced a $700M Series B Growth Equity Financing at a valuation of approximately $3 billion. Funds managed by KKR, a leading global investment firm, led the round with participation from Sixth Street Growth and TenEleven, as well as new funding from existing Series A investor Carrick Capital Partners.

The investment reflects what many in the cybersecurity sector see as an accelerating shift: as organizations deploy generative AI, autonomous agents, and machine-driven workflows, identity security is becoming core infrastructure rather than a back-office compliance function.

AI Spurs a New Identity Crisis

Saviynt’s platform is designed to manage the full spectrum of digital identities now proliferating across enterprises, from employees and contractors to machine workloads, service accounts, certificates, keys, and increasingly AI agents that operate autonomously.

Unlike earlier identity and access management tools built for predictable human usage, modern platforms must govern identities that make real-time decisions and interact continuously across cloud environments and AI ecosystems.

“This is a defining moment for Saviynt and the industry,” said Founder and CEO Sachin Nayyar. “The demand for secure, governed identity has never been greater. Identity has become central to enterprise AI strategies, and this investment gives us the resources to meet that demand globally.”

Saviynt’s unified architecture merges identity governance (IGA), privileged access management (PAM), application access governance (AAG), identity security posture management (ISPM), and access gateways into a single AI-enabled platform designed for cloud-native environments.

KKR Expands Its Cybersecurity Footprint

For KKR, the investment extends a two-decade track record of backing high-growth cybersecurity firms. The firm has previously supported companies such as Darktrace, ReliaQuest, KnowBe4, Ping Identity, ForgeRock, and Semperis.

“Saviynt has built one of the most advanced and comprehensive identity security platforms in the market, purpose-built for the AI era,” said Ben Pederson, Managing Director at KKR. “We look forward to partnering with the team to scale their platform globally and advance their next-generation AI capabilities.”

KKR is investing through its Next Generation Technology Growth Fund III.

Rapid Customer and Platform Growth

Saviynt’s momentum reflects the growing urgency of securing both human and non-human identities. The company now serves more than 600 enterprise customers, including over 20% of Fortune 100 companies.

The company has recently:

• Launched new tools for AI Agent Identity Management and Non-Human Identity Management
• Expanded its PAM and ISPM capabilities
• Added AI-enabled intelligence to automate onboarding, access reviews, and provisioning
• Delivered integrations with AWS, CrowdStrike, Zscaler, Wiz, and Cyera

Funding to Accelerate R&D and Ecosystem Expansion

Saviynt plans to use the capital to accelerate product development, expand AI-based utilities designed to help customers migrate from legacy systems, and deepen integrations with hyperscalers, software vendors, and channel partners.

The company said it also aims to strengthen its global go-to-market efforts as enterprises confront the security challenges introduced by AI-driven operations.

Advisors

Piper Sandler served as Saviynt’s exclusive financial advisor. Cooley LLP advised Saviynt, while Latham & Watkins LLP represented Carrick Capital Partners. Gibson, Dunn & Crutcher LLP advised KKR, and Moelis & Co along with Kirkland & Ellis LLP advised Sixth Street Growth.

The post Saviynt Raises $700M at Approximately $3B Valuation appeared first on IT Security Guru.

Salt Security used the stage at AWS re:Invent this week to unveil two major enhancements to its API Protection Platform, introducing a generative AI interface powered by Amazon Bedrock and extending its behavioural threat protection to safeguard Model Context Protocol (MCP) servers via AWS WAF. The announcements highlight the company’s growing focus on visibility, risk reduction and real-time defence in increasingly complex cloud and AI environments.

On 1 December, Salt launched “Ask Pepper AI”, a natural language interface designed to help security teams instantly query their entire API estate. Built on Amazon Bedrock, the tool allows users to ask plain-English questions (such as “Which of my APIs expose PII?” or “What APIs have the highest Risk Score?”) and receive immediate, actionable insights drawn from Salt’s API Discovery, Posture Governance and Threat Protection capabilities.

With organisations struggling for clarity in sprawling cloud environments, Salt’s H2 2025 State of API Security Report found that only 19% feel “very confident” in the accuracy of their API inventory, while 15% admit they do not know which APIs expose personal data. Salt says “Ask Pepper AI” helps close these gaps by democratising access to critical security information and accelerating both incident response and risk prioritisation.

“API security is complex, but understanding your risk shouldn’t be,” said Michael Nicosia, Co-Founder and COO at Salt Security. “‘Ask Pepper AI’ makes it simple. By using Amazon Bedrock, we’re putting powerful, intuitive security insights into the hands of everyone from SOC analysts to CISOs. When most organisations aren’t even sure what their API inventory looks like, the ability to just ask and get an immediate answer is a game-changer.”

Two days later, Salt announced a second major capability: the extension of its patented API behavioural threat protection to detect and block malicious intent targeting MCP servers. MCP servers allow LLMs and autonomous agents to execute tasks by calling APIs and tools, but their growing usage has outpaced security controls. Often deployed without central oversight and exposed to the internet, they are becoming a new target for attackers seeking access to sensitive data and system functionality.

Building on Salt’s recently released MCP Finder technology, the company now enables organisations to identify misuse or abuse of MCP servers and automatically block threats using AWS WAF, leveraging real-time behavioural intelligence from the Salt platform.

“Most organisations don’t even know how many MCP servers they have, let alone which ones are exposed or being abused,” said Nick Rago, VP of Product Strategy at Salt Security. “This capability lets them take action quickly, using existing controls to prevent real threats without needing to deploy new infrastructure.”

By combining MCP discovery with AWS WAF enforcement, customers can block attacks before they impact applications, uncover shadow or unmanaged MCP instances, extend edge protection to the AI action layer, and continuously update defences as attacker tactics change.

The post Salt Security Unveils New AI-Powered Capabilities, Expanding API Visibility and Protecting Emerging MCP Infrastructure appeared first on IT Security Guru.

Keeper Security has announced the appointment of Tim Strickland as Chief Revenue Officer (CRO). Strickland will lead Keeper’s global revenue organisation, driving go-to-market strategy, customer growth and channel expansion as demand accelerates globally for modern Privileged Access Management (PAM) and identity security solutions.

Strickland brings more than two decades of executive leadership experience scaling high-performance revenue teams at category-defining SaaS companies. Most recently, he served as Chief Revenue Officer at ZoomInfo, where he guided the company through a successful IPO, built its customer growth and strategic sales functions and oversaw the go-to-market integration of eight acquisitions.

Prior to ZoomInfo, Strickland held senior revenue leadership roles at Marketo, where he played an integral role in the company’s growth, its take-private acquisition by Vista Equity Partners and subsequent sale to Adobe. His responsibilities spanned enterprise sales, account management, customer success and global channel development.

“Tim is joining Keeper at a pivotal moment as organisations around the world confront unprecedented identity-based threats,” said Darren Guccione, CEO and Co-founder of Keeper Security. “He brings the kind of leadership that elevates teams, sharpens focus and accelerates impact. Tim understands the responsibility we have to our customers, and he shares our commitment to building secure, elegant solutions that drive meaningful outcomes. I’m confident he will help propel Keeper into its next chapter of growth while keeping our vision and our customers at the centre of everything we do.”

In his new role, Strickland will oversee Keeper’s global sales, customer success, revenue operations and channel ecosystem, with a focus on expanding market penetration for Keeper’s unified privileged access management platform. KeeperPAM® combines enterprise password management, secrets management, privileged session management, zero-trust network access, endpoint privilege management and remote browser isolation into a single cloud-native solution—designed to meet surging global demand for credential and identity-based threat protection.

“Identity and access security has never been more critical, and Keeper has built a revolutionary cybersecurity platform for organisations,” said Strickland. “The market opportunity is tremendous, and the company’s momentum reflects a deep commitment to innovation and customer value. I’m excited to help scale our impact globally and support customers in strengthening their security posture.”

Strickland also serves as an Advisory Partner with Summit Partners, where he helps high-growth technology companies navigate go-to-market transformation and scale with discipline. As Keeper continues to meet rising global demand for modern privileged access and identity security, Strickland’s leadership will help advance the company’s mission to deliver zero-trust and zero-knowledge solutions that protect the world’s most sensitive data and systems.

The post Keeper Security Appoints New Chief Revenue Officer appeared first on IT Security Guru.

KnowBe4, the platform that comprehensively addresses AI and human risk management, has been recognised as a Leader in the 2025 Gartner Magic Quadrant for Email Security Platforms for the second consecutive year and acknowledged specifically for its Ability to Execute and Completeness of Vision. 

KnowBe4 Cloud Email Security provides users with:    

• Advanced AI-enabled detection to mitigate the full spectrum of inbound phishing attacks and outbound data loss and exfiltration attempts 

• KnowBe4’s Agentic Detection Engine that leverages sophisticated natural language processing (NLP) and natural language understanding (NLU) models to protect inboxes from advanced phishing, impersonation and account takeover attacks  

• Integration in the KnowBe4 HRM+ platform that uses deep per-user behavioural analytics and threat intelligence to deliver personalized security at the point of risk 

• Continuous behavioural-based training delivered through real-time nudges 

A rise in advanced technology to address sophisticated phishing attacks and behaviour-led outbound data breaches has driven significant innovation in email security. According to the KnowBe4 2025 Phishing Threat Trends Report Vol. Six, there was a 15.2% increase in phishing email volume between March 1st – September 30th, 2025, compared to the previous six months.  

“We are honoured to be recognised as a Leader in the 2025 Gartner Magic Quadrant for Email Security Platforms,” said Bryan Palma, CEO, KnowBe4. “Email communication remains the primary attack vector for organisations globally. KnowBe4 plays an instrumental role in providing adaptive AI-enabled technology to build a stronger security culture for customers. In our opinion, this positioning validates our strategic vision and relentless focus on human and agent risk management that goes beyond detecting threats to preventing them before they reach employees’ inboxes.” 

This news follows several recent announcements which exemplify the strength of KnowBe4 Cloud Email Security, including the integration of Microsoft Defender O365 and recognition as a Gartner Peer Insights Customer’s Choice for email security platforms.  

Download a copy of the report.  

The post KnowBe4 Named a Leader in Gartner® Magic Quadrant™ for Email Security appeared first on IT Security Guru.

For years, the cybersecurity community has fought the scourge of weak, reused passwords. The solution, which was overwhelmingly adopted by both businesses and consumers, was the password manager (PM). These tools moved us from flimsy ‘123456’ credentials to unique, 30-character alphanumeric strings, stored behind a single, powerful master password.

But this elegant centralisation creates a paradox. By consolidating all digital keys into one encrypted vault, have we simply moved the weakness rather than eliminated it? Is this single, powerful key actually the soft underbelly of modern cybersecurity?

The Centrality of Strong Credentials

The necessity of strong and unique passwords cannot be overstated, as they form the bedrock of digital defence. Compromised credentials are the primary vector for data breaches. They affect everything from sensitive work systems and financial applications to personal e-commerce accounts and, increasingly, entertainment platforms. The security stakes are incredibly high across the board. For example, when engaging with entertainment platforms such as online casinos, where sensitive financial details are exchanged, and large sums can be involved, robust password hygiene is a non-negotiable requirement.

The need to protect these accounts dictates that users rely on tools to generate and store complex character strings. When reviewing the offerings for such platforms, resources like those curated by adventuregamers.com often highlight sites that prioritise player security. What’s more, they typically pay attention to strong architectural benefits such as secure payment methods and end-to-end encryption. Such diligent, layered protection is extremely important, yet all of that diligence ultimately hinges on the user’s own diligence in protecting their account with a unique, strong password that they have stored safely.

The Single Point of Failure Paradox

The most significant challenge to password managers is the single point of failure that they represent. If a cybercriminal can acquire the master password for a vault, they gain immediate access to every stored credential: banking, email, social media, and corporate access. This represents a far more lucrative target than breaching a single, isolated account. The risk is compounded by the fact that the most common failure point is not the vault itself. It is actually human error.

The master password, by necessity, must be complex yet memorable enough for the user to type manually. If a user chooses a weak master password or if they fall victim to a targeted keylogger or highly sophisticated phishing attempt, then the entire security framework collapses. While this risk does, of course, exist with any single password, the cascading effect here can be catastrophic. Furthermore, the master password’s security relies entirely on the security of the device it is typed into. If that device is compromised by potent, custom-built malware, then the master password can be intercepted before it ever interacts with the zero-knowledge architecture of the manager itself.

Architectural Defence: Zero-Knowledge Encryption

To counter the single point of failure, reputable password manager services employ sophisticated zero-knowledge architecture. This is the core technical defence that elevates them above simple, local file encryption. In a zero-knowledge system, the encryption and decryption of the vault happen locally on the user’s device and never on the provider’s actual server.

The provider only stores the cryptographically scrambled and salted blob of data. They never hold the master password or the key required to unscramble the vault, meaning that even if the password manager company’s servers are breached, the hackers only obtain a useless piece of encrypted data. They would still need to launch a brute-force attack on a highly salted and iterated hash, and this is an effort that could take centuries with our current computing technology.

This distinction is crucial. The provider cannot hand over your passwords to a government agency, a subpoena, or a hacker because they genuinely do not have access to them. The weakness doesn’t lie in the manager’s architectural security, but in its implementation on the end-user device. A sophisticated, state-sponsored attack on the endpoint device itself, such as a remote access trojan (RAT) or screen-scraping malware, is the only way to bypass this robust, zero-knowledge encryption model.

Beyond the Code: Phishing and Human Error

Ultimately, the password manager’s greatest vulnerability is not its code, but the user experience it requires. The convenience of autofill is a double-edged sword. While it does save time and prevent typographical errors, it can also be easily exploited by malicious sites.

Sophisticated phishing attacks can create near-perfect, convincing login pages that are designed to capture credentials. A well-designed password manager should only autofill a login on a specific, trusted domain, but user confusion or certain browser extensions can sometimes override these safety checks. The user, who is accustomed to the ease of autofill, may not notice the subtly altered URL of a phishing site until it is too late.

The other primary vector is the bypass of multi-factor authentication (MFA). While a PM helps secure the first factor (the password), many high-value accounts protected by PMs are also protected by MFA. However, attackers are increasingly using MFA fatigue attacks or complex adversary-in-the-middle (AiTM) techniques to steal a session token after the user authenticates with both their PM-stored password and their MFA token. This attack targets the session rather than the vault. This proves that a PM is not a complete security solution. Rather, it is a robust tool that must be correctly layered with other security controls, such as hardware security keys and stringent device hygiene.

The post The Vault or the Vulnerability? Why Your Password Manager Might Be the New Cyber Risk appeared first on IT Security Guru.

Modern iGaming security has evolved quickly, and users notice the difference. Stronger protections, more transparent communication, and more innovative tools give people far more confidence than older platforms ever did. At the same time, the number of online poker sites keeps growing, prompting users to seek more explicit guidance and safer options. This mix of better security and higher expectations shapes how people decide where to play—and why modern platforms continue to gain their trust.

Rising Expectations Around User Choice and Platform Safety

A lot of people feel overwhelmed the moment they start comparing different digital entertainment platforms, mainly because everything starts to look the same. You jump from one option to another, and before long, you’re not even sure which features actually matter. That’s usually when people begin looking for more explicit guidance and platforms that communicate safety without making users dig for it.

As platforms compete for attention, they raise their security standards to show they take user protection seriously. People notice stronger authentication, more precise privacy explanations, and better overall transparency. Those small details help them decide faster and feel more confident in their choice, rather than second-guessing every step.

There’s the bonus of feeling at ease since you know what you’re doing business with, taking out the blind step risk, and making it all more deliberate. When users are supported from the get-go, they relax and focus on savoring the experience rather than fretting about hidden snags.

Security Advances Driving Modern iGaming Forward

Modern iGaming platforms invest a chunk in authentication because users are known to give proper attention to it. Forcing a user to feel ‘safer’ with features such as device verification, biometrics, app-based codes, and never just an empty password field. These protections do not signal professionalism; they set expectations. After finally becoming used to ‘stronger’ security, anything ‘less’ feels dated.

On the other hand, real-time monitoring is of tremendous importance at present, as threats change rapidly. Platforms employ behavior-based tools to identify abnormal patterns before they materialize into something substantial. End-users may not realize it is happening in the background, but they surely see the outcomes. Fewer account issues and fewer security pop-ups really smooth the experience and take the stress out of it.

Encryption standards are at a level most people associate with banking or healthcare, and that in itself speaks volumes about the users. When a platform secures data with the same level of seriousness as a financial institution, people respond with greater trust. It turns moments of sensitivity – payments, or identity checks – into simple steps instead of points of anxiety.

Another interesting trend is the transparency that platforms provide. They do not ask users to trust them blindly; instead, they publish summaries of audits, security updates, and system notes. When details are shared, it gives people a sense that the platform is really taking ownership of their safety. This, in turn, lowers the fear of hidden issues and builds a stronger relationship with long-term users.

Why Traditional Apps Struggle to Keep Pace with Modern Threats

Most traditional apps rely on older system structures, which becomes problematic when threats evolve faster than their update cycles. A platform that still relies on legacy permissions or outdated libraries will create lag that end users feel. End users can feel it when an app feels very clunky and not ready to face modern risks; it’s a confidence eroder all by itself.

Many of these older systems also require manual updates, which slows everything down. A security issue that modern platforms patch instantly can sit unresolved in a traditional app until someone schedules the update. Users don’t always see the technical reason behind the delay, but they feel the fallout every time something doesn’t work the way it should.

Another issue comes from rigid permission handling. Older apps often ask for more access than they actually need, which raises red flags for people who care about privacy. Modern platforms take the opposite approach: they request the minimum and explain why. That contrast makes traditional apps look careless, even when they’re not trying to be.

On top of that, traditional apps tend to approach security reactively instead of proactively. They address problems after they happen rather than preparing for them in advance. Users today expect more, especially when digital entertainment platforms keep showing what quick adaptation looks like. Once they realize the difference, it becomes hard to go back to something that feels slower and less reassuring.

Wrap Up

Modern iGaming platforms raise the bar with faster updates, stronger authentication, and a more explicit commitment to user protection. People feel the difference immediately, especially when they have guidance that helps them make confident choices. As security continues to improve and new tools become standard, users can expect a safer, more transparent experience every time they play online.

The post Do Modern iGaming Platforms Offer Better Cyber Protections Than Traditional Apps? appeared first on IT Security Guru.

The group known as Librarian Ghouls has infiltrated networks of technical universities and industrial organisations across Russia, Belarus and Kazakhstan, all without raising immediate alarms. They achieved this by leveraging legitimate logins to move laterally through internal networks, utilising valid credentials and avoiding alert triggers.

Unlike many other APT groups, Librarian Ghouls does not rely on custom malware. Instead, they exploit legitimate third-party tools such as remote access software, archivers and SMTP utilities to craft near-perfect phishing campaigns, including password-protected files and polymorphic malware that adapts in real time. These tactics allow the attackers to slip past traditional detection controls almost unnoticed.

This incident is part of a broader and growing challenge when cybersecurity tools operate in silos, attackers exploit the gaps between them. Endpoint detection and response (EDR), firewalls, and authentication systems each play an important role, but without integration, they offer only partial visibility.

An EDR solution, for example, may overlook legitimate administrative tools if they do not exhibit overtly malicious behaviour. A firewall will flag anomalous outbound connections but often lacks the context to determine the originating user or endpoint. Authentication logs may capture a series of valid logins without recognising a lateral movement pattern.

The lesson from this is clear – integrated visibility across security layers is critical. Correlating signals from multiple tools is essential to detect complex, multi-stage attacks that no single solution can fully uncover on its own. Without this unified perspective, organisations risk missing the bigger picture until it’s too late.

With multiple security solutions generating alerts, many organisations operate with a false sense of security. Without integration, security is fragmented, leaving gaps for sophisticated attacks to exploit, sometimes for weeks or months.

 

How to protect against threats that evade detection

Organisations need a unified view of their environment and the ability to respond in real time. This is where Managed Detection and Response (MDR) come in. MDR combines advanced threat detection, analytics and human expertise to monitor, investigate, and respond to threats 24/7. Unlike traditional tools working in isolation, MDR correlates signals across endpoints, networks, cloud environments, and identity systems, enabling faster and more accurate detection of suspicious activity.

A strategic MDR approach gives organisations the ability to detect and respond to threats with a level of speed and accuracy that isolated tools cannot match. Firewalls might block unusual connections and EDRs may spot anomalous behaviour but when these signals operate independently, critical patterns can be missed. MDR leverages AI and automation to connect these disparate alerts, allowing real threats to be identified enabling the identification of real threats within minutes. It is effective even when attackers deliberately blend their activity with normal operations.

Once a genuine threat is detected, the speed of response is essential. By providing a unified view across network, endpoint and identity layers, MDR accelerates investigations, reduces operational disruption and helps maintain business continuity while protecting an organisation’s reputation. At the same time, AI-driven correlation filters out noise and false positives, highlighting only the most relevant alerts and providing the context security teams need to act decisively. This focus is particularly valuable in resource-constrained environments, where every second counts and alert fatigue can undermine effectiveness.

The Librarian Ghouls’ breach demonstrated that attackers could circumvent defences when solutions are uncoordinated. It’s like trying to find a needle in a haystack. MDR addresses this challenge by correlating disparate signals, filtering false positives and providing a unified view of infrastructure. By doing this, it amplifies the value of each security layer. EDRs gain the context to identify anomalies, firewalls better interpret network connections and identity systems more accurately flag suspicious access.

The post What your firewall sees that your EDR doesn’t appeared first on IT Security Guru.

Several major London boroughs, including Westminster, Kensington and Chelsea, and Hammersmith & Fulham, are facing serious disruption after a cyberattack crippled key IT systems, preventing residents from accessing frontline services and raising fears of data exposure, according to reports.

While details remain limited, the incident is already prompting renewed warnings from cybersecurity experts about structural weaknesses across the UK public sector, particularly where councils rely on shared platforms, legacy systems, and under-resourced IT teams.

Simon Pamplin, CTO at Certes Networks, said the attacks underscore how deeply such incidents can affect everyday life.  “These suspected cyberattacks on several of London’s borough councils really drive home the point that when systems holding sensitive information are hit, it’s not just the council that suffers. It spills out into the lives of residents and the whole network of services they depend on,” he explained.

Pamplin stressed that cyber resilience can no longer be treated as optional for organisations serving the public.

“When it comes to something as critical as local government, having rock-solid cyber resilience and data security isn’t a nice-to-have, it’s absolutely essential. It’s a bit like heading off on holiday, you wouldn’t dream of leaving the front door unlocked. In the same way, businesses and local authorities need to make sure every last digital door is properly secured, no exceptions, especially when the public is the one at risk.”

Darren Guccione, CEO and co-founder of Keeper Security, echoed those concerns, calling the incident a “serious wake-up call” for public-sector bodies still depending on outdated or interconnected infrastructure.

“Local councils are not only service providers, they’re custodians of highly sensitive personal data,” Guccione said. “When public services rely on shared or under-protected IT infrastructure, disruption is immediate and the consequences are far-reaching.”

He warned that structural vulnerabilities, legacy systems, limited budgets, and reactive security practices create conditions where a single breach can cascade across multiple essential services.

“Once an attacker gains access, the impact can spread rapidly across systems used for social care, housing, payments and citizen communications,” he noted.

Guccione urged councils to prioritise network segmentation, strict identity and access controls, and secure credential management, alongside continuous monitoring across both modern and legacy systems. He added that well-practiced incident response and business continuity plans are just as critical: “If cybersecurity is not embedded into core governance today, councils will continue defending ageing systems against rapidly evolving threats. That is not a sustainable position, and the stakes for citizens are simply too high.”

Other experts agree that the attack bears many hallmarks of a sophisticated ransomware operation. Rebecca Moody, Head of Data Research at Comparitech, said the combination of operational disruption and potential data theft fits the common playbook of modern ransomware groups seeking dual ransoms for decryption and data deletion.

“Governments are a key target… hackers can cause widespread disruption and access highly sensitive data,” she said, noting that Comparitech has tracked 174 confirmed attacks against government bodies worldwide so far this year, with average ransom demands approaching $2.5 million.

With investigations still underway, Moody urged residents and council employees to remain vigilant for phishing attempts or unusual account activity: “If this is a ransomware attack and ransom negotiations fail, it’s likely we’ll see a group coming forward to claim the attack and data theft in the coming days or weeks.”

Rik Ferguson, VP of Security Intelligence at Forescout, highlighted the shared-risk nature of modern IT ecosystems, noting that attackers increasingly exploit the interconnectedness between organisations.

“Attackers are learning that the fastest way to profit isn’t always by encrypting or publicly leaking data, it’s by holding entire enterprise ecosystems hostage,” he said. “Supply-chain and shared-services models create single points of failure.”

Ian Nicholson, Head of Incident Response at Pentest People, warned that the situation illustrates how quickly compromises can propagate across tightly connected public-sector systems.

“Again and again we see attackers exploiting legacy systems, slow patching, and under-funded, under-staffed IT teams,” he said. “Local authorities sit on highly sensitive information, and incidents like this really do impact those much-needed frontline services.”

Dray Agha, senior manager of security operations at Huntress, warned the incident exposes the fragility of shared public-sector infrastructure.

“This coordinated incident highlights a critical vulnerability in modern public services: the double-edged sword of shared IT infrastructure. While such systems are efficient, the breach of one council can instantly compromise its partners, crippling essential services for hundreds of thousands of residents. It underscores an urgent need to move beyond simple cost-saving IT models and invest in resilient, segmented networks that can contain such threats and protect vital public services.”

As London councils work to restore systems, the attack marks yet another reminder that cybersecurity weaknesses in shared public infrastructure can carry real-world consequences, disrupting essential services and potentially exposing citizens’ most sensitive data.

The post Cyberattack on Multiple London Councils Exposes Fragility of Shared Public-Sector Systems appeared first on IT Security Guru.

As retailers prepare for another record-breaking Black Friday, cybersecurity experts are warning that this year’s threats are not only bigger than ever but far more intelligent, automated and difficult to spot.

Fresh data from Check Point, KnowBe4 Threat Labs and other cyber specialists note that attackers are using AI, automation and brand impersonation at industrial scale, exploiting the intensity of the shopping weekend to steal credentials, identities and payment information.

Fake retail sites multiply as attackers use AI and automation

According to Check Point Research, malicious activity tied to Black Friday is rising sharply. One in 11 newly registered Black Friday-themed domains has already been classified as harmful, with criminals spinning up fraudulent sites faster than retailers can report or shut them down.

Brand impersonation remains a core tactic, as 1 in 25 new domains mimicking Amazon, AliExpress and Alibaba has been flagged as malicious. Recent phishing campaigns spoofing HOKA and AliExpress demonstrate how attackers are exploiting high-demand brands to lure victims into sharing login credentials and payment details through convincing fake storefronts.

Omer Dembinsky, Data Group Manager at Check Point Research, said attacks this year “aren’t just bigger; they’re smarter, customised and automated.” Criminals are relying on AI-style templating, mass domain generation and sophisticated replica sites that look indistinguishable from the real thing.

“The best defence is prevention,” Dembinsky added. “Don’t trust a Black Friday link just because it looks real. Verify the domain, use security tools that can validate newly registered sites, and think twice before entering your credit card as you’re one click away from handing over your identity.”

Phishing surges ahead of Black Friday and Amazon leads UK impersonation

New findings from KnowBe4 Threat Labs reveal that out of 27,061 Black Friday-themed phishing emails observed globally, the vast majority (84.30%) impersonated “Deal Watchdog” alert services designed to create urgency around limited-time offers.

In the UK, Amazon was the most impersonated brand, with attackers overwhelmingly using credential-harvesting links as their main payload. UK activity began unusually early this year, with attacks starting on 3rd November and peaking on 10th November, well ahead of the shopping weekend.

Javvad Malik, Lead CISO Advisor at KnowBe4, warned that the psychological pressure of discounted deals is exactly what scammers rely on.

“The combination of time-limited deals and high demand means people often act quickly without taking the usual precautions,” he said. “Taking a moment to verify a website, examine a link or double-check a deal could be the difference between a great saving and becoming a victim.”

AI is fuelling more convincing scams than ever

Keeper Security says AI-generated content is behind much of this year’s sophistication. Fake order confirmations, AI-generated customer service chats and spoofed retailer sites are now near-perfect replicas of legitimate communications, making them harder than ever to spot.

Anne Cutler, Cybersecurity Expert at Keeper Security, explained: “Where there’s money and momentum online, cybercriminals invariably follow—and Black Friday delivers both in abundance. This year we’re guaranteed to see ever more sophisticated scams, primarily fuelled by artificial intelligence.”

Keeper’s global research shows identity-based attacks remain the top concern for cybersecurity leaders in 2025, with stolen credentials continuing to be the leading cause of data breaches.

“The simple truth is that if an attacker controls your identity, they also control your access to everything, ranging from sensitive financial information to social media accounts,” Cutler added. She stressed the importance of strong, unique passwords, MFA and monitoring unusual login activity.

Stick to “Brightly Lit” Parts of the Internet, experts warn

Privacy experts emphasise that consumers must stay vigilant as they hunt for bargains. Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, advised shoppers to go directly to retailer websites instead of clicking ads or pop-ups, many of which lead to expertly forged scam pages.

He added practical reminders:

• Avoid public WiFi for shopping or banking

• Use secure payment methods like Apple Pay or Google Pay

• Buy gift cards only from official retailers or trusted resellers

Paul Bischoff at Comparitech echoed similar safety fundamentals:

1. Never click links or attachments in unsolicited emails

2. Never switch communication/payment channels outside the marketplace

3. If a deal feels rushed, take a step back—it may be a scam

Brian Higgins, also from Comparitech, warned that delivery scams spike during major retail periods, with fake package-fee notifications being especially common as shoppers await parcels. “Don’t buy anything really essential unless you trust the vendor. And if you can afford it, sign up for one of the Credit Monitoring services as they will let you know if you start to buy stuff you’re not aware of,” he cautioned.

Black Friday doesn’t have to be a hacker’s payday

Despite the rising threats, experts agree that a few proactive steps dramatically reduce risk. Strong passwords, MFA, domain checking, secure payment methods and scepticism toward unsolicited messages remain the most effective protections.

As Cutler noted: “A few proactive steps, coupled with an identity-first mindset, can make the difference between a money-saving bargain and a costly breach.”

With AI-powered scams growing faster than ever, the message from security researchers is to enjoy the deals, but shop with caution and never let urgency override judgement.

The post Black Friday 2025: Smarter, Faster and AI-Powered Scams Drive a Surge in Cyber Threats appeared first on IT Security Guru.

Casino security used to be pretty straightforward. You had cameras watching the floor and security guards watching for suspicious players. These days, things are way more complicated. Casinos deal with hackers, data breaches, and scammers who go after players through their phones and computers. The technology protecting casinos has improved a lot, but there’s still one weak spot that doesn’t get enough attention: most players have no idea how to protect themselves online.

You can spend millions on fancy security systems, but it doesn’t help much when a player clicks on a fake email or uses “password123” for their account. Criminals know that people are usually easier to trick than to break through firewalls. That’s why teaching players about security needs to be a priority, not something casinos ignore.

Building Security Awareness From Day One

When someone signs up for a casino account, that’s when they should learn the basics. But most sites just show a wall of legal text that nobody bothers reading. What actually works is giving people simple, useful advice. Things like how to make a strong password or how to tell if an email is really from the casino or just a scam.

Sweepstakes platforms are a type of casino that works differently from regular online sites. They use virtual money instead of real cash, which can be new for beginners. Offering premium sweepstakes helps new players learn how the system works and enjoy the games safely. This way, they can play the game confidently and with peace of mind.

Banks spend years educating customers to check URLs before logging in and never share sensitive account info over the phone, even with their staff. It worked. Casinos should do the same thing. Security tips need to show up regularly, not just once during signup.

Why Security Awareness Really Matters

The casino industry keeps getting bigger. In 2023, it was estimated that there were over 1.5 billion people playing online gambling games worldwide. That’s a lot of people who could run into security problems. Every new player can either help keep things safe or accidentally give criminals a way in. When millions of people are using these sites, even a few falling for scams adds up fast.

Teaching players about security takes effort, but it’s worth it. Players who know what to watch for make fewer mistakes. They spot weird activities happening in their accounts and report them quickly. They feel better about using the platform, so they keep coming back and recommend it to people they know.

Making Security Education Something Players Actually Want

Nobody wants a boring security lecture when they’re trying to have fun. The trick is teaching people without making it feel like school. Quick videos, simple quizzes with small prizes, and occasional reminders work way better than long presentations.

There are good moments to bring up security naturally. When someone makes their first deposit, you can explain how the site protects their payment info. When they contact support, the team can mention a security tip while helping them. The goal is to make this stuff feel helpful instead of annoying.

Some casinos treat security education like a mini-game. Players already like earning points and unlocking rewards, so applying it here will be useful. Give out bonus credits or badges for finishing security lessons. A few sites even run contests where players practice spotting fake emails or recognizing secure websites.

Building a Community That Watches Out for Each Other

Teaching individual players helps, but things work even better when the community gets involved. When someone in a forum spots a scam and warns others, that message spreads way faster than any official email. Casinos should make reporting simple and recognize players who help catch problems.

Scams targeting casino players are a real problem in the US. Between 2022 and mid-2025, the Better Business Bureau (BBB), an organization for ethical standards, reported receiving almost 200 scam reports and over 10,000 complaints about online gaming. People reported getting their money stolen, not understanding the terms, and having a hard time telling real betting sites apart from fake ones. 

Chat rooms and social media groups connected to gaming sites are where scammers like to operate. Players who recognize the warning signs can help protect new people before they lose money.

Being honest about security issues builds trust, too. When a casino has a security problem and tells players exactly what happened and how they’re fixing it, people respect that. It shows the casino sees players as partners instead of just customers. This kind of openness makes players take their own security habits more seriously.

Wrapping Up 

You can’t turn players into security experts overnight. One training video during signup won’t stick. Regular updates about new scams, reminders about password basics, and positive feedback when players report issues all help build better habits gradually.

Technology matters a lot for casino security. But it can’t do everything alone. When players know how to protect themselves and actually participate in keeping things safe, they stop being the weak link. They become the strongest defense a casino has.

The post How User Education Can Become the Strongest Link in Casino Security appeared first on IT Security Guru.

How CTEM Helps Cyber Teams to Become More Proactive

Software, infrastructure, and third-party services change far faster than quarterly audit cycles, which increases the risk of data and infrastructure exposure.

In the UK, just over four in ten businesses and three in ten charities identified a cyber breach or attack in the last 12 months alone. Phishing is dominant, and larger organisations are hit more often. ENISA’s latest threat landscape lists availability attacks, ransomware, and data threats as the top three cybersecurity concerns across Europe. It can be a lot to keep up with.

Today’s security teams need a way to keep exposure data current and to turn that data into work that actually removes attack paths. Continuous threat exposure management (CTEM) serves as the basis for that cadence, as it runs as a repeatable loop. CTEM enables teams to scope what matters, discover the real attack surface, prioritise by reachability and likely impact, validate in the way an attacker would, and route fixes through the tooling you already use.

For developer-led organisations, the advantage is straightforward. Rather than noisy findings and notifications, CTEM provides a framework for reproducible work items so you close meaningful paths quickly instead of growing a backlog of low-signal tickets.

A Developer’s Framework for CTEM

A simple way to operationalise CTEM is the DEPTH method: Discover, Evaluate, Prioritise, Test, Hand-off. It maps neatly to normal delivery rhythms without creating unnecessary complexity and bureaucracy.

Discover. Keep a continuous inventory of what is actually reachable from the internet, one service at a time. This can include domains and subdomains, API gateways and endpoints, object stores, edge devices, certificates, and identity integrations. Treat identity posture as exposure in its own right. Stale tokens, over-broad roles, default credentials, and unaudited service accounts are just as exploitable as a common vulnerability and exposure (CVE).

Evaluate. Attach signals so triage is deterministic. For each finding, store the CVE, the exploit prediction scoring system (EPSS) probability, inclusion in CISA’s known exploited vulnerabilities (KEV) database, authentication state, blast-radius indicators (data sensitivity, privilege reach), and a small proof of reachability (for example, a curl output, test URL, or certificate details). Keep the schema compact enough to sort in an issue tracker.

Prioritise. Use an ordering rule that anyone can apply. Internet-exposed items that are KEV-listed go first. Next, rank by EPSS probability (higher first). Break ties by unauthenticated reachability and then by data sensitivity. Maintain a parallel queue for identity and configuration faults that open paths even without a CVE. Publish this rubric at the top of the board to aid in decision-making.

Test. Prove exploitability and control efficacy in the environment you run today. Keep checks short and scriptable. Examples are a curl or HTTPie snippet for an insecure direct object reference (IDOR) or weak-auth path; a signed URL to demonstrate public object-store access; a one-liner to verify default credentials on a lab-scoped edge device; or, an OpenSSL command to confirm certificate or TLS posture. Ensure the scripts are idempotent for retesting after a fix, and save the artifacts along with the ticket. For APIs, align test cases with the common failure modes you already track.

Hand-off. Convert proof into change using the rails you already have. Standardise the ticket: owner, environment, link to reachability proof, EPSS score, KEV status, fix approach, rollback plan, and the exact retest command. Route through change control and CI/CD. Close only when the retest passes in the target environment. For software-supply-chain items, ensure policy and build pipelines reflect secure-development practices rather than ad-hoc checks.

Integration Touchpoints

In security operations and monitoring, enrich alerts with exposure context so events touching known high-risk assets are ranked higher by default. If a relevant CVE enters an actively exploited list, adjust priority accordingly.

In change management, add a simple control to the template. A CTEM checkbox stating “retest script attached and passing” is useful here, so that evidence is required at approval rather than after deployment.

In the SDLC, treat exposure checks like any other quality gate: keep validation scripts in the same repository as your IaC and application code, run them post-deploy in staging, and schedule safe, read-only checks against production endpoints where appropriate.

This keeps evidence versioned, reproducible, and close to the code. For third-party and open-source exposure, track both the upstream fix and your local mitigation. Use a clear baseline for secure development, and surface objective health and provenance signals in builds rather than relying on informal judgements.

Common Failure Modes

Tool sprawl without ownership. Adding scanners without assigning triage and closure grows the backlog and erodes trust. Keep outputs flowing into the same issue tracker, and apply SLAs only to items with proof and reachability so effort tracks risk, not volume.

Counting patches instead of paths removed. If a CVE is marked fixed but an object store remains public, the path still exists. Make “closed and retested” your lead metric, not “PR merged.”

Ignoring identity. Weak authentication, stale tokens, and overly broad roles create routine lateral movement. Keep identity items in the same queue and run them through the same DEPTH flow as infrastructure and code.

Enabling a Proactive Approach

CTEM replaces ad-hoc reaction with an operating rhythm that ties signals to fixes. Discovery jobs refresh the exposed surface for one service. Triage applies a simple ordering rule that combines KEV status and EPSS probability with reachability. Validation turns each top item into a short and scriptable proof. Mobilisation converts that proof into a change ticket with an owner, rollback plan, and an exact retest command.

CI runs the same script after the change and fails if the path still exists. The board shows “attack paths removed” and “time to risk reduction” as the lead metrics.

The result is a closed loop. On a rolling basis, you learn what’s exposed, you choose the highest-likelihood, highest-impact items, you prove them, you fix them, and you retest automatically. That is what “proactive” looks like. This means less time waiting on alerts and more time closing off the routes attackers actually use.

With CTEM, the goal is simple: a smaller exposed surface, fewer reachable attack paths, and faster time to risk reduction. CTEM, implemented with DEPTH and wired into delivery and operations, keeps those outcomes on a timetable that teams can sustain, without adding complexity or creating a parallel process.

The post How CTEM Helps Cyber Teams to Become More Proactive appeared first on IT Security Guru.

Salt Security has announced Salt MCP Finder technology, a dedicated discovery engine for Model Context Protocol (MCP) servers, the fast-proliferating infrastructure powering agentic AI. MCP Finder provides an organisation with a complete, authoritative view of its MCP footprint at a moment when MCP servers are being deployed rapidly, often without IT or security awareness.

As enterprises accelerate the adoption of agentic AI, MCP servers have emerged as the universal API broker that lets AI agents take action by retrieving data, triggering tools, executing workflows, and interfacing with internal systems. But this new power comes with a new problem: MCP servers are being deployed everywhere, by anyone, with almost no guardrails. MCPs are widely used for prototyping, integrating agents with SaaS tools, supporting vendor projects, and enabling shadow agentic workflows in production.

This wave of adoption sits atop fractured internal API governance in most enterprises, compounding risk. Once deployed, MCP servers become easily accessible, enabling agents to connect and execute workflows with minimal oversight. This becomes a major source of operational exposure.

The result is a rapidly growing API fabric of AI-connected infrastructure that is largely invisible to central security teams. Organisations currently lack visibility regarding how many MCP servers are deployed across the enterprise, who owns or controls them, which APIs and data they expose, what actions agents can perform through them, and whether corporate security standards and basic controls (like authentication, authorisation, and logging) are properly implemented.

Recent industry observations show why this visibility crisis matters. One study showed that only ten months after the launch of the MCP, there were over 16,000 MCP servers deployed across Fortune 500 companies. Another showed that in a scan of 1,000 MCP servers, 33% had critical vulnerability and the average MCP server had more than 5. MCP is quickly becoming one of the largest sources of “Shadow AI” as organisations scale their agentic workloads.

According to Gartner^® “Most tech providers remain unprepared for the surge in agent-driven API usage. Gartner predicts that by 2028, 80% of organisations will see AI agents consume the majority of their APIs, rather than human developers.”

Gartner further stated, “As agentic AI transforms enterprise systems, tech CEOs who understand and implement MCP would drive growth, ensure responsible deployment and secure a competitive edge in the evolving AI landscape. Ignoring MCP risks falling behind as composability and interoperability become critical differentiators. Tech CEOs must prioritize MCP to lead in the era of agentic AI. MCP is foundational for secure, efficient collaboration among autonomous agents, directly addressing trust, security, and cost challenges.”*

Salt’s MCP Finder technology solves the foundational challenge: you cannot monitor, secure, or govern AI agents until you know what attack surfaces exist. MCP servers are a key component of that surface.

Nick Rago, VP of Product Strategy at Salt Security, said: “You can’t secure what you can’t see. Every MCP server is a potential action point for an autonomous agent. Our MCP Finder technology gives CISOs the single source of truth they need to finally answer the most important question in agentic AI: What can my AI agents do inside my enterprise?”

Salt’s MCP Finder technology uniquely consolidates MCP discovery across three systems to build a unified, authoritative registry:

1. External Discovery – Salt Surface
   Identifies MCP servers exposed to the public internet, including misconfigured, abandoned, and unknown deployments.
2. Code Discovery – GitHub Connect
   Using Salt’s recently announced GitHub Connect capability, MCP Finder inspects private repositories to uncover MCP-related APIs, definitions, shadow integrations, and blueprint files before they’re deployed.
3. Runtime Discovery – Agentic AI Behavior Mapping
   Analyses real traffic from agents to observe which MCP servers are in use, what tools they invoke, and how data flows through them.
   

Together, these sources give organisations the single source of truth required to visualise risk, enforce posture governance, and apply AI safety policies that extend beyond the model into the actual action layer.

Salt’s MCP Finder technology is available immediately as a core capability within the Salt Illuminate platform.

 

*Source: Gartner Research, Protect Your Customers: Next-Level Agentic AI With Model Context Protocol, By Adrian Lee, Marissa Schmidt, November 2025.

The post Salt Security Launches Salt MCP Finder Technology appeared first on IT Security Guru.

Nominations are now open for the 2026 Most Inspiring Women in Cyber Awards! The deadline for entry is the 9th January 2026. We’re proud to be media supporters once again. 

The 2026 event is hosted by Eskenzi PR and sponsored by Fidelity International, BT, Bridewell and Plexal – organisations that are leading the way in making the cybersecurity industry more inclusive. The 6th annual event, held at the iconic BT Tower on the 26th February 2026, aims to celebrate trailblazers at all stages of their careers from across the cybersecurity industry who are doing exceptional things. 

Additionally, Eskenzi PR has partnered with some of the most influential women in cyber groups to help shape the awards, ensuring they are more inclusive and intersectional than ever before. By partnering with WiCyS UK & Ireland Affiliate and Women in Tech and Cybersecurity Hub (WiTCH), it is hoped that the 2026 event will reach an even wider range of inspirational women from across all corners of the globe.

Aiding in this mission, cybersecurity consultancy Bridewell has committed to sponsoring a bursary that will allow the UK based winners of the Ones to Watch category to attend the awards with paid travel and accommodation. A new addition for the 2026 awards, sparked by industry feedback, this move is hoped to remove the financial barriers of attending industry events for people starting out in their careers.

Cybersecurity continues to face challenges with diversity and representation. According to research by ISC2, women now make up about 22% of the global cybersecurity workforce. Despite the industry’s growing demand for skilled professionals – driven by escalating talent shortages and increasingly sophisticated threats – representation remains limited. Building a more inclusive cybersecurity community requires visible role models, mentorship, and active encouragement. After all, we cannot become what we cannot see.

The Most Inspiring Women in Cyber Awards aims to bring together and empower incredible women (both established and those starting out their careers) and make long lasting connections.

Nominations can be submitted via this link and will remain open until 5pm on Friday 9th January 2026. An esteemed panel of judges (yet to be confirmed) will then review the submissions and narrow the list down to the Top 20, each of whom will be profiled on the IT Security Guru. There will also be five women crowned ‘ones to watch’.

On the 26th February 2026, a physical awards ceremony will be held in London at the iconic BT Tower. The event will include a welcome address and an informal panel discussion with a Q&A featuring industry leaders. Then, the finalists will be awarded their certificates and trophies. The event will conclude with networking over food and drinks at the top of the tower. Finalists, judges, and guests are welcome to attend in person and the public can tune in to the ceremony via a live stream. More information to be provided soon.

The award’s founder, Yvonne Eskenzi, said: “We’re delighted to once again host the Most Inspiring Women in Cyber Awards, supported by industry leaders including Fidelity International, Bridewell and Plexel. With BT’s continued partnership, it’s a pleasure and a privilege to return to the iconic BT Tower once again for this special occasion. At Eskenzi, we remain deeply committed to championing diversity in cybersecurity through meaningful action. Together with leading women’s networks and forward-thinking organisations, the Most Inspiring Women in Cyber Awards aims to celebrate, elevate and empower women across the sector while helping to forge lasting connections among all who attend.”

‘Women in Cyber’ group, at Fidelity International, said: “At Fidelity International, supporting the 2026 Most Inspiring Women in Cyber Awards reflects our belief that empowering women strengthens cybersecurity. As cyber threats intensify, diverse perspectives are key to safeguarding our digital future. By championing talent and creating opportunities, we aim to inspire the next generation of women leaders in cybersecurity.”

Laura Price, Cyber Skills Partnerships Manager at BT Business, said: “At BT Business, we’re committed to helping organisations stay connected, secure, and future ready. Supporting the Most Inspiring Women in Cyber Awards reflects our belief that diversity and innovation go hand in hand. By celebrating role models and amplifying voices, we aim to inspire the next generation of cyber leaders and strengthen the resilience of businesses in an increasingly digital world.”

Diane Gilbert, Senior Lead Programmes at Plexal, said: “Plexal supports women in cyber to build careers and grow their businesses. Wonderful moments like the Most Inspiring Women in Cyber Awards provide an opportunity to celebrate the increased inclusion and diversification of the industry to date. And reinforces the important role we all play in keeping the momentum going on female representation in the sector. Plexal is excited to be a returning sponsor of the 2026 awards.” 

For more information and to nominate visit: https://www.itsecurityguru.org/most-inspiring-women-cyber-2026/

The post Nominations Open For The Most Inspiring Women in Cyber Awards 2026 appeared first on IT Security Guru.

Amelia Hewitt, Co-Founder (Director of Cyber Consulting) at Principle Defence and Founder of CybAid, and Rebecca Taylor, Threat Intelligence Knowledge Manager and Researcher at Sophos, are proud to announce the launch of the second series of The Cyber Agony Aunt Podcast (formerly Securely Yours Podcast). The new season is now available to stream on all major platforms.

The Cyber Agony Aunt Podcast is an empowering series hosted by Hewitt and Taylor, two accomplished cybersecurity professionals, recorded at Matinee Studios in Reading, UK. Drawing on their extensive experience in the field and their roles as mentors, they use an “agony aunt” format to address the real-life questions and challenges faced by professionals.

Inspired by classic magazine advice columns, the podcast offers practical guidance for those building and thriving in cybersecurity and related careers. Through candid conversations and questions from mentees and peers, Hewitt and Taylor explore pressing topics such as active allyship, burnout, sexual harassment, threat intelligence, and overcoming adversity. Their confessional tone ensures that no issue is considered off-limits.

To further enrich the series, Season 2 features a selection of seasoned professionals who share their perspectives, lived experiences, and expert insights in specially curated episodes. Amelia Hewitt and Rebecca Taylor have had the privilege of speaking with:

• Callum Stott(Sales Director at Matinée Multilingual),
• Karl Lankford(Senior Director, Solutions Engineering at Rapid7),
• Phoebe Farrelly(Deals – Lead Advisory & Restructuring at PWC, and Branch Coordinator for CyberWomen Groups C.I.C),
• Nikki Webb(Global Channel Manager at Custodian360, Founder of The Cyber House Party, and Volunteer Marketing Coordinator at The Cyber Helpline),
• Will Lyne(Head of Economic & Cybercrime at the Metropolitan Police Service),
• Pauline Campbell (Principal Lawyer at London Borough of Waltham Forest & Social Justice Author),
• Jake Moore(Global Cybersecurity Advisor at ESET)
• Zak Layton-Elliott(Director of Partnerships at CybAid ,and Cyber Security Analyst at Principle Defence).

The Cyber Agony Aunt Podcast offers practical guidance for anyone seeking to advance their career in cybersecurity. Driven by the belief that everyone should thrive, not merely survive, the series aims to make professional growth attainable through accessible, actionable advice. Hewitt and Taylor approach even the most complex and uncomfortable topics with honesty and empathy, ensuring no conversation is left unspoken and no listener feels alone.

Co-host Amelia Hewitt said: ‘It’s been an incredible journey. We have been very fortunate to have lots of guests on the series, all happy and willing to share their opinions and thought leadership. This series is a real eye opener, myth buster and level setter for anyone wanting to understand the nitty gritty of a career in the cyber industry.’

Co-host Rebecca Taylor added: ‘This podcast is about showing that no-one in cyber is alone. By bringing together voices from across the industry, we’re breaking down barriers, sharing real experiences, and proving that a career in cyber is possible for anyone – even with all its challenges. We’re not shying away from the tough conversations; we’re having them, so others don’t have to face them in silence.’

The Cyber Agony Aunt Podcast, hosted by Amelia Hewitt and Rebecca Taylor, is now available to stream on all major platforms. Their first book, Securely Yours, is also available for purchase on Amazon (you can read the IT Security Guru’s Q&A with the hosts here). The duo are currently working on their highly anticipated second book, ‘Resilient You: An Agony Aunts’ Guide to Keeping It Together’, scheduled for release in April 2026.

The post Podcast Empowers Professionals to Thrive in Their Cybersecurity Careers appeared first on IT Security Guru.

The European Union Agency for Cybersecurity (ENISA) has been officially designated as a Program Root in the global Common Vulnerabilities and Exposures (CVE) Program. It marks a significant step in the EU’s efforts to bolster cybersecurity resilience and streamline vulnerability coordination across member states.

As a Program Root, ENISA will serve as the central point of contact for national authorities, EU CSIRTs network members, and other partners operating under its mandate. The move aligns with major legislative efforts such as NIS2 and the Cyber Resilience Act, while further supporting the rollout of the EU Vulnerability Database (EUVD).

Boris Cipot, Principal Security Engineer at Black Duck, described the development as “a major step toward a stronger cybersecurity resilience in Europe,” noting that centralizing vulnerability coordination “ensures a faster, more consistent handling of security vulnerability information across the EU while also aligning with key initiatives like NIS2 and the Cyber Resilience Act.”

He added that ENISA’s new role gives the bloc “the needed strategic autonomy in vulnerability management,” reducing reliance on non-EU entities and helping “harmonize the CVE practices across European member states.”

Cipot also highlighted the long-term benefits for researchers and vendors and said “the idea and goal is to give researchers and cybersecurity vendors the capability to gain CVE ID assignment quicker, have a clearer legal guidance under EU law, and gain enhanced visibility through both the EUVD and global CVE listings.”

Daniel dos Santos, head of research at Forescout, explained that the designation reflects momentum on both sides. “It shows both ENISA’s commitment to the CVE program and also that the CVE program is interested in having ENISA’s contributions there,” he said. “Everyone gains when there are more organizations involved in shaping the CVE program and the future of vulnerability reporting.”

He also noted that the shift should “facilitate the process for national authorities, CSIRTs and other partners, since they can have a single point of contact with the CVE program in Europe,” while helping researchers and vendors agree on coordinated disclosure practices.

However, both experts cautioned that successful implementation would depend heavily on resources. Cipot pointed to potential integration challenges, including alignment of policies and tooling, while dos Santos emphasized the need for sustained investment.

“The main challenge is ensuring that ENISA has enough funding and resources to fulfil its ongoing mission of “achieving a high common level of cybersecurity across Europe” while now also having an extended role in the CVE program,” explained Forescout’s dos Santos. “There have been several additions to ENISA’s mandate recently, with the launch of the EU Vulnerability Database and the Cyber Resilience Act. As the recent NVD backlog and funding issues have shown, vulnerability reporting is a task that demands a significant amount of time and effort, so ENISA will have to balance that with their ongoing responsibilities.”

With ENISA taking on greater responsibility in vulnerability reporting and coordination, its performance will be closely watched by security teams, vendors and policymakers alike across the region.

 

The post ENISA becomes CVE Program Root, strengthening Europe’s vulnerability management framework appeared first on IT Security Guru.