
Salt Security Expands “Universal Visibility” with Specialized API Security for Databricks and Rapid Edge Support for Netlify

Salt Security announced a major expansion of its platform’s connectivity fabric with two new strategic integrations: the Salt Databricks Connector and the Salt Netlify Collector. These additions reinforce Salt’s “Universal Visibility” strategy, ensuring that security teams can capture deep API context from every corner of the enterprise, whether it’s a legacy on-premise server, a modern edge deployment, or the rapidly evolving Agentic AI Action Layer.

Securing the Agentic AI Action Layer at the Source. As enterprises rush to build Agentic AI, platforms like Databricks have become the operating system for AI workloads. While generalist security tools (CNAPPs) can scan Databricks infrastructure for misconfigurations, they remain blind to the actual behavior of the AI agents running inside.

The new Salt Databricks Connector bridges this gap, providing a dedicated API security discovery engine for Databricks environments. It specifically targets the “Agentic Action Layer,” identifying the Model Context Protocol (MCP) servers and AI agents that connect proprietary data models to the outside world.

The platform is easy to use, connecting in minutes without requiring complex instrumentation or manual configuration, while also providing action-layer visibility by instantly mapping which APIs and data sources internal AI agents are accessing, insight that traditional infrastructure scanners typically miss. At the same time, it enables unified governance, allowing teams to apply the same rigorous security policies to their AI workloads that they already enforce for their traditional APIs.

“Databricks is where the enterprise brain lives, but until now, we have not been able to see what the hands, the AI agents, are actually touching,” said Eric Schwake, Cybersecurity Director at Salt Security. “Generalist tools can tell you if your S3 bucket is open, but only Salt can tell you if an AI agent inside Databricks is actively leaking PII through an unmonitored API. We are turning the lights on in the agentic action layer.”

Rapid Support for the Modern Edge. Alongside AI visibility, Salt is addressing the fragmentation of modern web architectures. The new Salt Netlify Collector brings feature-parity traffic collection to decoupled frontend applications and Jamstack architectures.

Built to support major enterprise deployments, this collector demonstrates Salt’s agility and ability to rapidly build and deploy collectors as the market evolves. As organisations decouple their frontends and push logic to the edge, standard gateways are often bypassed. Salt ensures security travels with the code.

  • Universal Reach: Extends Salt’s best-in-class traffic analysis to Netlify’s edge network.
  • Rapid Adaptation: Showcases Salt’s flexible architecture, allowing the platform to support modern Content Delivery Networks (CDNs) and edge runtimes as fast as developers adopt them.

The Salt Databricks Connector and Netlify Collector are available immediately as part of the Salt Illuminate™ platform.

The post Salt Security Expands “Universal Visibility” with Specialized API Security for Databricks and Rapid Edge Support for Netlify appeared first on IT Security Guru.

More than half of former UK employees still have access to company spreadsheets, study finds

More than half of UK employees retain access to company spreadsheets they no longer need, leaving sensitive business data exposed long after people change roles or leave organisations, according to new research from privacy technology company Proton.

The study, based on a survey of 250 small and medium-sized businesses (SMB) in the UK, found that 64% still had access to files that should no longer be available to them. In some cases, this includes documents containing financial information, client data, salary details, or internal planning material.

With around 16.9 million people working for SMBs across the UK, the findings suggest that millions of current and former employees could still have access to sensitive company data without their employers’ knowledge.

The research highlights a growing gap between the critical role spreadsheets play in daily business operations and the poor governance of their access. Spreadsheets are now widely used as informal systems of record, with 64% of respondents using them for project management, 47% for financial reporting, and 45% for managing client or customer data.

Despite this reliance, access controls remain weak. Nearly four in ten respondents (39%) said they had shared spreadsheets using “anyone with the link” permissions, while 20% said they only review who has access to their spreadsheets once a year. Manual offboarding processes remain common: 44% of access removals are handled manually, while just 36% are automated.

Proton says this combination of link-based sharing and manual offboarding helps explain why access often persists long after an employee leaves.

“Spreadsheets are often treasure troves of sensitive data, from financial and strategic planning information to HR and client data,” said Patricia Egger, head of security at Proton. “Yet they’re not handled like other high-risk data. When someone leaves a company, access to shared spreadsheets is often nobody’s problem. Links stay active, permissions aren’t reviewed, and data remains accessible without anyone noticing.”

Confusion over cloud security and data use

The study also found widespread misunderstanding about how secure cloud-based spreadsheets really are. Two-thirds of respondents (67%) believe their Google Sheets files are private and accessible only to intended viewers, while almost a quarter said they were unsure what information Google can or cannot access.

There is similar uncertainty around encryption and provider access, particularly with Microsoft. Almost a quarter of UK respondents said they were unsure whether Microsoft could view spreadsheet content.

Uncertainty also extends to data use. More than a third (34%) of respondents believe spreadsheet data could be used to train AI models, and 84% said they would find that concerning.

Personal and work accounts are being mixed

Nearly half of respondents (45%) admitted to opening work spreadsheets using personal cloud accounts, while 46% said they had accessed personal spreadsheets using work accounts. Security researchers warn that this blurring of personal and professional data increases the risk of accidental data leakage, unauthorised access, and compliance failures, particularly where sensitive financial or customer data is involved.

The UK is among the most spreadsheet-reliant countries

Proton compared its UK findings with results from other countries, including the US and France. While lingering access in the UK (64%) was slightly lower than in the US (67%), it was significantly higher than in France (40%).

The UK also showed the highest levels of uncertainty about provider access and encryption, particularly for Microsoft-hosted spreadsheets. Proton noted that these risks are amplified by European data sovereignty concerns, as data hosted by foreign cloud providers may fall under legal regimes outside a company’s control.

Everyday tools, enterprise-level risk

The findings point to a broader problem: spreadsheets are increasingly used to run core business processes, but without the governance, visibility, or controls normally applied to more formal business systems. Researchers say this creates a growing blind spot for SMBs, particularly as collaboration tools, consumer cloud accounts, and AI services become more deeply embedded in everyday work.

“Most of these risks don’t come from malicious behaviour,” Egger added. “They come from everyday process gaps; manual offboarding, weak defaults, and a lack of visibility into who can still access what.”


Keeper Introduces Instant Account Switching and Passkey Improvements

Keeper Security has announced instant account switching and passkey enhancements across its mobile applications and browser extension. This update is said to be available on iOS, Android and the Keeper Browser Extension, which supports all major web browsers.

The instant account switching enables users to securely toggle between multiple Keeper accounts on the same device or web browser without logging out, while still upholding strict enterprise security controls. Users managing workflows from personal, family and business accounts can do so seamlessly across platforms without risking security.

Craig Lurey, CTO and Co-founder of Keeper Security, said: “Security and usability must work together, especially as users operate across devices and environments. With seamless account switching now available across mobile apps and browser extensions, Keeper is simplifying day-to-day access while maintaining the policy enforcement and protections organisations rely on.”

Keeper’s new updates allow accounts to be switched directly from the login screen or account menu. Switching occurs immediately, without forcing re-authentication, when a session is still active on the backend. If that session is disabled, or if organisational policies require verification, a prompt to authenticate appears before another account can be accessed. All enterprise controls remain enforced, including role-based access controls, device verification, multi-factor authentication and audit logging.

In this update, Keeper also announced performance and usability improvements, embedded autofill cloud sync and improved search surfaces. Passwordless adoption is also said to advance further through conditional passkey creation, which upgrades supported logins to passkeys automatically in the background; users are notified once the upgrade completes.

These new updates follow Keeper’s recent JetBrains Extension launch that offers JetBrains Integrated Development Environment (IDE) users a smooth and reliable way to manage secrets within their development workflows.


Keeper Security puts Atlassian Williams F1 Team in pole position on cybersecurity

In Formula 1, milliseconds matter… and so does security. Keeper Security has helped Atlassian Williams F1 Team tighten its cyber defences, revealing how the iconic racing team is using KeeperPAM to protect its data, systems and global operations without taking its foot off the accelerator.

Announced on 13 January 2026, a new case study from Keeper Security details how Atlassian Williams F1 Team has overhauled its privileged access strategy using KeeperPAM, a unified, cloud-native Privileged Access Management (PAM) platform built on zero-trust and zero-knowledge principles. With terabytes of sensitive telemetry and performance data generated every race weekend, any breach, whether trackside or back at base, could be race-ending.

Unlike many organisations, Atlassian Williams F1 Team’s infrastructure isn’t parked in one place. It’s constantly on the move, travelling across more than 20 countries each season. From airports and paddocks to garages and headquarters, the team needed cybersecurity that could keep pace with a relentless global schedule without adding friction.

“We travel to more than 20 countries each season, and every week we’re in a new location,” said James Vowles, Team Principal, Atlassian Williams F1 Team. “Our infrastructure isn’t sitting safely in a single building – it’s traveling with us. That means we have to be secure wherever we are, from airports to garages to our HQ at Grove. With Keeper, we can build that fortress around our operations.”

KeeperPAM delivered that protection by putting zero trust at the heart of access control. Through role-based access, privileged session monitoring and automated provisioning, the platform allows Atlassian Williams F1 Team to enforce least privilege while keeping engineers and staff moving at racing speed.

The team has also streamlined operations by funnelling all privileged connections through a single platform, giving security teams better visibility and faster reaction times when something looks off.

“We now have a single platform where all of our connections go through,” said Harry Wilson, former Head of Information Security, Atlassian Williams F1 Team. “We can apply policies, monitor usage and generate alerts when something unexpected happens. Doing that on our server estate was critical to us.”

KeeperPAM brings together enterprise password management, secrets management, privileged session management, endpoint privilege management, secure remote access and dark web monitoring into one cloud-native platform. By replacing legacy tools with a single solution, Keeper Security says organisations gain real-time visibility, automated least-privilege enforcement and AI-driven threat detection, helping them spot threats before they cross the finish line.

For Atlassian Williams F1 Team, flexibility was just as important as control. Engineers occasionally need elevated access, but only when it’s genuinely required and never longer than necessary.

“There are times when employees need local admin rights on a case-by-case basis,” added Wilson. “With Keeper, we can grant that access in real time and remove it automatically, which gives us confidence that privileged access is always controlled and temporary.”

Keeper Security believes modern PAM needs to work quietly in the background, more like a finely tuned race engine than a heavy braking system.

“Modern PAM has to do more than secure credentials. It has to automate provisioning, rotate secrets and eliminate standing privileges – all without burdening IT teams,” said Craig Lurey, CTO and Co-founder, Keeper Security. “That’s why we designed KeeperPAM to replace complexity with automation, freeing organisations like Atlassian Williams F1 Team to focus on what they do best.”

By centralising all credentials within a zero-knowledge environment, Atlassian Williams F1 Team has eliminated plaintext exposure while automating the provisioning and deprovisioning of privileged access. The result is lower operational overhead for IT teams and fewer roadblocks for engineers pushing performance innovation.

With KeeperPAM in place, Atlassian Williams F1 Team can now operate securely on any device, on any network, anywhere in the world. In a sport where marginal gains make all the difference, cybersecurity has become another competitive edge, helping the team stay secure, agile and firmly in the race.


BreachForums Data Leak Raises Fresh Questions Over Credibility

BreachForums, one of the most well-known English-language cybercrime forums, has reportedly suffered a data breach, exposing user information after the site was taken offline once again.

As reported by The Register, a database linked to the forum was leaked online, potentially revealing account details, private messages and metadata on close to 325,000 accounts. However, security researchers caution that while the leak may attract attention, its intelligence value and authenticity remain uncertain.

Michael Tigges, Senior Security Operations Analyst at Huntress, said the dataset should be treated with caution.

“This data leak, while potentially useful for authorities and security professionals researching adversarial activities, is ultimately of limited forensics use,” he said.

“While the database leak may be legitimate, the integrity is called into question as it was derived from another cybercrime group, ShinyHunters.”

He added that such leaks are sometimes used to infer links between threat actors, but warned that datasets may be incomplete, selectively modified, or deliberately misleading.

“The reliability of the information must be highly scrutinised, as it may not be legitimate data or could be altered to disguise or prevent disclosure of information,” Tigges said.

Criminal trust continues to erode

The breach is likely to further undermine confidence in BreachForums among cybercriminals, following a series of takedowns and reappearances over recent years.

Gavin Knapp, Cyber Threat Intelligence Principal Lead at Bridewell, said the platform’s turbulent history has already damaged its credibility.

“Criminals are likely questioning its credibility and losing trust in it, and it’s often referred to as a potential honeypot for law enforcement,” Knapp said.

Knapp noted that the real-world impact of the leak depends largely on the operational security (OPSEC) practices of individual users.

“The data leak is obviously a problem for legitimate accounts used for crime, as opposed to sock-puppet accounts used by researchers or law enforcement,” he said.

“However, the impact depends on whether users exposed information that could be linked back to a real-world identity, such as unique email addresses or reused passwords.”

He added that the same risks apply to investigators and researchers who may also face exposure if poor OPSEC was used, and that it remains unclear how current or complete the leaked data is.

Limited underground reaction

Despite the publicity surrounding the breach, reaction within cybercrime communities appears muted.

Michele Campobasso, Senior Security Researcher at Forescout, said responses across underground forums have been limited or dismissive.

“On one of the XSS forum forks following the takedown, some users responded with sarcasm,” he said.

“In other underground forums and communities where we have access, we found no reaction on the topic.”

This lack of engagement may reflect growing scepticism among threat actors toward long-running forums, many of which are viewed as compromised or unreliable.

Disputed links to ShinyHunters

The breach has also prompted speculation around the involvement of the ShinyHunters extortion group, although responsibility remains disputed.

Campobasso said that while there is no conclusive evidence linking ShinyHunters to the leak, the claim is not implausible given recurring references to a figure known as “James” across multiple iterations of the shinyhunte[.]rs website.

Cached versions of the site show repeated mentions of “James”, including defacement messages, accusations from other group members, and a manifesto attributed to the same pseudonym. Linguistic patterns in the text suggest possible French influence, although Campobasso cautioned against drawing firm conclusions.

“It is possible that either the data leak was performed by James, or that someone is attempting to frame them in order to disrupt their reputation within the cybercriminal ecosystem,” he said.

A familiar pattern

Ultimately, the BreachForums incident highlights a recurring issue within cybercrime communities: instability, internal conflict and declining trust.

For defenders, the breach reminds them that leaked criminal datasets should be treated carefully, validated rigorously and never assumed to be complete or accurate, even when they appear to offer rare insight into adversary activity.


Keeper Security Launches JetBrains Extension

This week, Keeper Security announced the launch of its JetBrains extension, offering JetBrains Integrated Development Environment (IDE) users a secure and seamless way to manage secrets within their development workflows. By integrating directly with the Keeper Vault, developers can replace hardcoded secrets with vault references and execute commands using injected credentials, ensuring sensitive data remains protected at every stage of development.

Secure secrets management protects the credentials, API keys, tokens and certificates that applications rely on to function safely. When these secrets are mishandled, such as being stored in plaintext, hardcoded into source code or shared insecurely, they become easy targets for attackers. The Keeper JetBrains extension eliminates these risks by allowing developers to store, retrieve and generate secrets from the Keeper Vault without leaving their IDE.

Unlike standalone plug-ins or external vault tools that rely on third-party servers, the Keeper JetBrains extension operates within a zero-knowledge architecture, ensuring all encryption and decryption occur locally on the user’s device. Integrated natively with Keeper Secrets Manager and KeeperPAM®, it brings enterprise-grade privilege controls directly into the developer’s workflow to deliver strong security without slowing down development. 

“Modern software development demands security at every layer,” said Craig Lurey, CTO and Co-founder of Keeper Security. “Integrating Keeper into JetBrains ensures developers can apply secure-by-design principles from the start, eliminating hardcoded credentials and strengthening the integrity of the software supply chain.”

The Keeper JetBrains extension provides a range of powerful capabilities, including secrets management that allows users to save, retrieve, and generate secrets directly from the Keeper Vault. It also supports secure command execution by enabling applications to run with secrets safely injected from the vault. In addition, the extension offers logging and debugging tools, giving users access to logs and the ability to enable debug mode for full operational transparency, and it supports cross-platform use across Windows, macOS, and Linux environments.

The JetBrains extension builds on Keeper’s broader KeeperPAM® platform, an AI-enabled, cloud-native privileged access management solution that unifies password, secrets, connection and endpoint management under a zero-trust, zero-knowledge framework. 



London council cyber attack exposes personal data and highlights risks of shared public-sector IT

A cyber attack on shared IT systems used by several London councils has resulted in the theft of personal data relating to thousands of residents, raising renewed concerns about the resilience of local government cyber security and the risks posed by interconnected public-sector infrastructure.

Kensington and Chelsea Council confirmed that sensitive personal information was accessed during the incident, which also disrupted services across neighbouring boroughs. The attack prompted swift intervention from the National Cyber Security Centre (NCSC) and the Metropolitan Police, underlining the seriousness of the breach.

Cyber security leaders warn that the incident reflects a broader and accelerating threat to public-sector organisations. Darren Guccione, CEO and co-founder of Keeper Security, noted that this is the second significant cyber incident affecting a UK local authority in less than two months, highlighting how persistently councils are being targeted.

“Councils and other arms of government remain high-value targets for cybercrime because they hold extensive sensitive personal data and operate interconnected, often legacy, systems that are both attractive to attackers and difficult to defend at scale,” Guccione said. He added that the frequency of these attacks suggests adversaries are shifting away from opportunistic intrusion towards sustained and sophisticated campaigns designed to exploit systemic weaknesses and undermine public trust.

The technical characteristics of the attack have also raised alarm among experts. Graeme Stewart, head of public sector at Check Point, said the incident shows “all the signs of a serious intrusion”, citing multiple boroughs being taken offline and internal warnings instructing staff to avoid emails from partner councils.

“That’s classic behaviour when attackers get hold of credentials or move laterally through a shared environment,” Stewart said. “Once they’re inside one part of the network, they can hop through connected systems far faster than most councils can respond.”

Stewart added that the rapid shutdown of services suggests authorities feared escalation into encryption or large-scale data theft. “Councils hold incredibly sensitive material – social-care files, identity documents, housing records. If attackers got near that, the fallout wouldn’t stay local,” he warned.

The incident has also highlighted the risks created by shared and centralised IT platforms across local government. Dray Agha, senior manager of security operations at Huntress, described such environments as a “double-edged sword”.

“While shared systems are efficient, the breach of one council can instantly compromise its partners, crippling essential services for hundreds of thousands of residents,” Agha said. He stressed the need to move beyond purely cost-driven IT strategies and towards segmented, resilient architectures capable of containing attacks before they spread.

For residents affected by the breach, the immediate concern is how their personal information may be misused. Chris Hauk, consumer privacy advocate at Pixel Privacy, urged individuals to remain vigilant for phishing and fraud attempts, while calling on the council to provide tangible support.

“People that have had their data exposed should stay alert for phishing schemes and other scams,” Hauk said. He added that Kensington and Chelsea Council should offer free credit monitoring to affected residents, noting that government bodies frequently expect private-sector organisations to do the same following similar breaches.

Transparency will be critical in limiting long-term harm, according to Paul Bischoff, consumer privacy advocate at Comparitech. He called on the council to clarify what types of personal data were compromised as quickly as possible.

“Until then, victims cannot make informed choices about how to protect their personal information and finances,” Bischoff said. He noted that attackers have already published a proof pack containing sample stolen documents – a common tactic used by ransomware groups to substantiate their claims and apply pressure. “Based on our research into hundreds of ransomware attacks, the vast majority of these claims are legitimate,” he added.

At a policy level, Guccione pointed to the UK Government’s recently launched Cyber Action Plan, which includes more than £210 million in funding and the creation of a new Government Cyber Unit to improve coordination and resilience across public services.

“The plan is a positive development in recognising the cross-government nature of this challenge,” he said, but warned that central initiatives must be matched by action at the organisational level. He urged public-sector bodies to accelerate adoption of identity-centric security models, enforce stronger access controls, segment networks to limit lateral movement and implement continuous monitoring.

“Only by elevating cybersecurity from a technical afterthought to a core governance priority can public services reduce their exposure to increasingly persistent attacks and maintain citizens’ trust in the digital services they rely on,” Guccione said.

As investigations continue, the incident is expected to intensify scrutiny of cyber maturity across UK local authorities, many of which continue to deliver critical digital services under tight budgets and complex operational constraints.


From noise to signal: Building a risk-first alert pipeline that analysts trust

We’re on the edge of something interesting in the industry right now, and it’s the transformation of the modern SOC.

We Know the Problem

Everyone knows that security operations centres are faced with too much, too hard, and too fast – not to mention too confusing. We know the stats: thanks to the cyber talent crunch, limited resources, and a ton of new attacks (thanks, bots and AI), 40% of alerts get ignored. Even worse, 61% of security teams admit to ignoring alerts that later proved to be critical incidents.

We’ve Dipped Our Toe in the Solution

The simple answer is “figure out how to get fewer alerts.” Check. Reducing noise is key. But once you do, is the problem solved?

No, but you’re on the right track. The next step is where the transformation really takes place, and where the industry is looking to go next. We’ve talked noise reduction, but now, when we’ve only got a few (ish) alerts left, what we need to know is which of those is worth our time. If we can only get to five a day, which ones should we be going after? And what determines what comes next on our roster?

Let’s Go All the Way

The answer is risk. You need to prioritise those remaining few (hundred) alerts by risk, which is a multifaceted project, then streamline remediations based on which ones present the biggest, most immediate, or most impactful threat.

Reducing noise is a good start, but it’s only that. Here’s where we jump off, and how to build a risk-first alert pipeline that analysts trust. And that will truly have the power to transform the SOC.

First, Let’s Talk Noise Reduction

Before we jump to the conclusion, let’s orient ourselves and look at where we’ve come from.

Nobody Can Function with Alert Fatigue

Faced with an average of 83 different tools from 29 different vendors, SOCs are forced to wade through deluges of data to find the rare, true positive needle in a haystack.

It doesn’t come easy, and SOCs waste most of their time looking. That’s why it’s so important to, before anything else can get better, cut the noise. Prophet Security, an AI SOC Platform company, does a great job of explaining the process of reducing alert fatigue, but then adds this insightful conclusion: “Do not chase volume alone. Reducing alert count without measuring risk impact creates blind spots.”

Cutting Down Alerts? It’s a Good Start

And this is the jumping off point. Having fewer alerts is, well, good. But those still have to be actioned on and someone has to decide which comes first. Typically, SOCs make that decision based on severity scores. It’s the way the industry does things, it’s the way we’ve always done things.

But these days, security no longer exists in a vacuum and “how big a deal” a certain exposure is really doesn’t matter if it isn’t a big deal to the business. Today, all security priorities are intrinsically tied to business objectives – it’s about time! – which means that the alerts that represent the biggest overall business risk are the ones that need to be taken care of first.

So, how do you do that?

Determining Risk to the Business: The Real Metric

We’ve carried the ball halfway down the court, and now it’s time to sink it in. To really help SOCs out, any sort of automated SOC tool needs to do more than cut down on noise. It needs to tell you what to do with the alerts that are left, and tie those decisions transparently to:

  • Asset criticality. Is this a moderate severity vuln on a database holding cardholder information? That’s huge. Or is it a critical vulnerability on a stale on-premises database that holds no secrets? Not as big of a deal.
  • How likely is this to be exploited? Are there currently strong security controls surrounding this asset, blocking any potential attacks? We can wait on the fix, then. Are there zero policies in place, meaning all an attacker has to do is compromise this one weakness and they’re in? Put that higher on the list.
  • Risk to the business. If this vulnerable system goes down, what’s the worst that can happen? Is it a SCADA system or an API connecting highly regulated data? Priority one. Is it a retired server that’s been languishing in the digital corner? You get the point.

Looking at these other angles shows why simple severity scores won’t cut it. They say nothing of the context around the exposure; what it’s putting at risk, how real that risk might be, the impact if that risk becomes a real threat or gets exploited.

All these things need to be taken into account by your automated SOC tool if it’s going to do more than give you more puzzles to solve. SOCs have enough on their plates; these types of answers should come standard.

So, what’s the technology that can get it done?

A Modern, Risk-First Alert Pipeline

When looking for the right AI SOC platform, it needs to be one that will do this sort of math for you, not take out a bunch of alerts, hand you the rest, and say “good luck.”

That’s why you want one with a modern, risk-first alert pipeline. This sounds like a bunch of security-ish buzzwords strung together with hyphens, but it’s really where the magic takes place.

Can AI Help? Yes.

But first, does AI help? In 2025, you don’t have to ask. Yes, artificial intelligence helps in this whole process. Like with most technologies, applying AI, generative AI, machine learning, agentic AI, natural language processing, and everything AI can move the needle significantly; but only when used in the right way.

Building Out Alerts by True Risk

Here’s what a risk-first alert pipeline looks like in action:

  1. Upstream Filtering: AI agents, especially agentic AI agents, ingest alerts and analyse them (early in the pipeline, or at the source). They filter out false positives here, leaving less mess to work with downstream.
  2. User Behaviour: Helps filter out false positives by comparing normal baselines to existing identity and session activity.
  3. Contextual Enrichment: Using only the alerts that aren’t marked duplicates or false positives, autonomous AI agents get to work. They gather and correlate data from all relevant sources (SIEMs, cloud logs, identity platforms, EDR) to build the beefed-up attack story and deliver SOCs alerts they can use. Right away.
  4. Contextual Reasoning: You can’t chase dynamic threats with static rules. Agile, agentic AI agents “think” on the spot (using LLMs and domain-specific data) to make conclusions about the evidence, ask investigative questions, and come up with next steps.
  5. Blended Scoring: The ultimate, prioritised list should be one where multiple factors have been taken into account: severity (yes), context (SIEMs, EDR, etc.), behavioural analytics (does surrounding system behaviour deviate from the norm?), and confidence scoring (how “right” the AI thinks its reasoning is, so SOCs know what they’re working with). All AI-based decisions should be transparent and auditable to boost trust; no “black box” scoring.

The result is that you get your alerts not only thinned out, but organised by order of importance to the business, not an arbitrary security scoring chart. Don’t misunderstand; severity needs to be factored in, too. It just can’t be the only factor.
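The factors listed above (asset criticality, exploit likelihood, business impact) and the blended-scoring step of the pipeline, worked through as an added example that is not code from the article, Prophet Security or any vendor: a small scorer that drops duplicates and false positives, blends the factors with visible weights, keeps a per-alert rationale so the ranking is auditable, and flags low-confidence results for analyst review. The alerts, weights and confidence threshold are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Alert:
    alert_id: str
    title: str
    severity: float            # vendor/CVSS-style base score, 0-10
    asset_criticality: float   # 0-1: what the asset holds (cardholder data = high)
    control_strength: float    # 0-1: how well existing controls block exploitation
    business_impact: float     # 0-1: worst case if the system is lost or abused
    confidence: float          # 0-1: how sure the (simulated) AI reasoning is
    disposition: Optional[str] = None   # set upstream: "duplicate", "false_positive" or None

# Constructed weights: a starting point, kept visible so the ranking stays auditable.
WEIGHTS = {"severity": 0.25, "asset": 0.25, "likelihood": 0.25, "impact": 0.25}
REVIEW_THRESHOLD = 0.6   # constructed: below this the score is flagged for analyst review

def risk_score(alert):
    """Blend the factors into one 0-100 score and explain each term."""
    likelihood = 1.0 - alert.control_strength   # weak controls -> easier to exploit
    terms = {
        "severity": WEIGHTS["severity"] * alert.severity / 10.0,
        "asset": WEIGHTS["asset"] * alert.asset_criticality,
        "likelihood": WEIGHTS["likelihood"] * likelihood,
        "impact": WEIGHTS["impact"] * alert.business_impact,
    }
    score = 100.0 * sum(terms.values())
    rationale = [f"{name}: +{100.0 * value:.1f}" for name, value in terms.items()]
    return score, rationale

def severity_order(alerts):
    """The traditional ordering: highest severity first, nothing else considered."""
    return [a.alert_id for a in sorted(alerts, key=lambda a: a.severity, reverse=True)]

def prioritise(alerts):
    """Steps 1-2 drop duplicates/false positives; step 5 ranks what is left."""
    ranked = []
    for a in alerts:
        if a.disposition in ("duplicate", "false_positive"):
            continue   # filtered upstream, never reaches the analyst queue
        score, rationale = risk_score(a)
        ranked.append({
            "alert_id": a.alert_id,
            "title": a.title,
            "risk_score": round(score, 1),
            "confidence": a.confidence,
            "needs_review": a.confidence < REVIEW_THRESHOLD,
            "rationale": rationale,
        })
    ranked.sort(key=lambda r: r["risk_score"], reverse=True)
    return ranked

# Constructed sample alerts mirroring the article's three scenarios plus one duplicate.
SAMPLE_ALERTS = [
    Alert("alert-001", "Moderate vuln on cardholder database", 6.5, 1.0, 0.2, 0.9, 0.85),
    Alert("alert-002", "Critical vuln on stale on-prem database", 9.8, 0.1, 0.8, 0.1, 0.9),
    Alert("alert-003", "High vuln on SCADA gateway API, no policies", 7.2, 0.9, 0.0, 1.0, 0.5),
    Alert("alert-004", "Repeat of alert-001 from a second sensor", 6.5, 1.0, 0.2, 0.9, 0.85,
          disposition="duplicate"),
]

if __name__ == "__main__":
    # Severity alone puts the stale on-prem box first; the blended score puts it last.
    print("severity-only order:", severity_order(SAMPLE_ALERTS))
    for row in prioritise(SAMPLE_ALERTS):
        flag = " (analyst review)" if row["needs_review"] else ""
        print(f'{row["alert_id"]} {row["risk_score"]:5.1f}{flag}  {"; ".join(row["rationale"])}')
```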

The Benefit of a Risk-First Alert Model

With a risk-first alert model, SOCs can place their limited resources where it counts, instead of chasing down alerts that may not have been the best use of company time.

This means that security teams look really good when presenting to boards at the end of the year, and that non-security board members can immediately grasp why SOCs did what they did, how that positively impacted the business, and where their money was going.

And, most importantly, be happy with it.

The post From noise to signal: Building a risk-first alert pipeline that analysts trust appeared first on IT Security Guru.

A year of Keeper Security!

Keeper Security, the provider of zero-trust and zero-knowledge cybersecurity software protecting passwords and passkeys, infrastructure secrets, remote connections and endpoints, has reflected on 2025 as a year of meaningful growth. Amid an increase in credential-based attacks, rapid AI adoption and the operational demands of hybrid environments, Keeper strengthened its Privileged Access Management (PAM) platform, expanded its global footprint and conducted industry research that shaped how organisations approach identity-first defence.


“This year’s results reflect the relentless dedication of our global team and the trust placed in us by the thousands of organisations that rely on Keeper to secure their most sensitive systems and data,” said Darren Guccione, CEO and Co-founder of Keeper Security. “We’re proud of what we accomplished together and deeply grateful to our customers, partners and employees for propelling Keeper to its position as a leader in identity and access management.”


A Turning Point for Privileged Access

One of the year’s defining moments was Keeper’s debut in the Gartner® Magic Quadrant™ for Privileged Access Management. The recognition aligned with the evolution of KeeperPAM®, which brought enterprise password management, secrets management, connection management, zero-trust network access, remote browser isolation and endpoint privilege controls into a unified, cloud-native platform.


Organisations globally adopted KeeperPAM to modernise privileged access with zero-trust and zero-knowledge security that doesn’t carry the complexity associated with legacy PAM tools. Throughout the year, Keeper advanced its platform with cutting-edge capabilities. Endpoint Privilege Manager enables precise, just-in-time elevation while reducing the risks associated with local admin rights. Keeper Forcefield, which is the only product of its kind in the industry, protects against memory-based attacks on Windows machines.


Keeper also expanded visibility and control over privileged sessions through KeeperAI™, built on a Sovereign AI framework, which enables real-time, agentic AI threat detection and response, ensuring that high-risk sessions are automatically terminated and all user activity is analysed and categorised. As teams began using AI in operational and development workflows, Keeper added support for the Model Context Protocol (MCP) within Keeper Secrets Manager. Keeper’s integration allows customers’ third-party AI tools, such as local or cloud-based assistants, to securely retrieve or manage secrets stored in their vault without compromising Keeper’s zero-knowledge security architecture.


Platform enhancements, such as bidirectional One-Time Share, improved biometric login with passkeys, a WearOS smartwatch app, QR-code WiFi records and refinements to mobile and vault experiences, reflected Keeper’s ongoing commitment to balancing usability with continuous security improvements. Keeper also deepened integrations across the cybersecurity ecosystem, including new connections with CrowdStrike Falcon® Next-Gen SIEM, Google Security Operations and Microsoft Sentinel, helping organisations incorporate privileged access telemetry into broader detection and response workflows. The company’s commitment to strong encryption was reaffirmed by achieving FIPS 140-3 validation of its cryptographic module.


“2025 was a pivotal year for our engineering teams as we advanced our unified privileged access platform and delivered capabilities that measurably strengthen our customers’ defences,” said Craig Lurey, CTO and Co-founder of Keeper Security. “With KeeperAI, we moved real-time threat detection directly into privileged sessions. We expanded endpoint protection, modernised secure connections and continued to harden secrets management and zero-trust access across the platform. These improvements are the result of focused, disciplined engineering and constant feedback from customers. We’ve built a PAM platform that’s fast, scalable and secure by design, and we’re just getting started.”


Global Growth and Recognition

Keeper’s platform evolution translated into substantial global growth. The company surpassed four million paid users, with strong adoption across North America, Europe and the Asia-Pacific region. Growth in Japan was particularly notable, where Keeper tripled annual recurring revenue and expanded its footprint across finance, telecommunications, manufacturing and the public sector.


Keeper strengthened its global distribution network through its upscaled Partner Programme, adding new reseller and distributor relationships across the United States, Canada, France, Spain, Singapore, Japan, Australia and New Zealand. The company also enhanced its public-sector presence, earning placement on the CISA Continuous Diagnostics and Mitigation (CDM) Approved Product List, joining the Secure by Design Pledge and welcoming experienced security leaders including Chief Information Security Officer Shane Barney, Federal Advisory Board member David Epperson and Chief Revenue Officer Tim Strickland.


Keeper’s contributions across product innovation, identity security and research were recognised by industry analysts and award programmes throughout the year. In addition to Keeper’s debut on the Gartner Magic Quadrant, Enterprise Management Associates (EMA) highlighted Keeper for deployment ease, architecture and customer satisfaction. GigaOm named Keeper the Overall Leader in its Password Management Radar Report for the fourth consecutive year and KuppingerCole recognised Keeper as an Overall Leader in its 2025 Leadership Compass Report for Non-Human Identity Management. Keeper also received honours from the Computing Security Awards, Cybersecurity Excellence Awards, Fortress Cybersecurity Awards, Global InfoSec Awards and the Globee Awards, alongside consumer-focused recognition from Newsweek, CHIP (DE) and Connect Professional.


Industry Research Provides Data-Driven Insights

Keeper continues to invest in research that explores the challenges and realities for modern security teams. Keeper’s insight report, Navigating a Hybrid Authentication Landscape, examined how organisations are balancing passwords, passkeys and hybrid identity environments as authentication systems evolve. Securing Privileged Access: The Key to Modern Enterprise Defence detailed the motivations and challenges associated with scaling PAM programmes including cloud adoption, operational maturity and the impact of privileged access on overall risk. Perspectives gathered directly from security professionals at three major industry trade shows informed Identity, AI and Zero Trust: Cybersecurity Perspectives from Infosecurity Europe, Black Hat USA and it-sa Expo&Congress, offering a multi-region view into how identity and AI are shaping the next phase of security strategy.


The AI in Schools: Balancing Adoption With Risk study, conducted for Keeper’s Flex Your Cyber initiative, provided essential data on how educational institutions are managing AI cybersecurity in learning environments – highlighting concerning gaps in access controls and security awareness. The public service initiative is designed to support students, families and educators in learning about cybersecurity. It provides accessible resources to help communities navigate emerging digital risks and strengthen foundational security habits, aligning with Keeper’s broader mission to advance identity security across both enterprise and consumer environments.


Identity Security on the Global Stage

Keeper’s partnership with Atlassian Williams Racing continued to bring identity security into high-performance environments where data integrity and split-second decision-making are essential. Keeper and Williams extended their multi-year agreement this year, reinforcing a shared commitment to securing the data, systems and competitive insights that power modern Formula 1 operations.


Highlighting the authenticity of the partnership, the team implemented KeeperPAM to protect sensitive engineering and performance information across trackside and distributed environments, helping safeguard critical systems relied upon by race engineers, strategists and support teams. Co-branded content released throughout the season, featuring drivers Carlos Sainz and Alex Albon, Team Principal James Vowles and Keeper CTO and Co-founder Craig Lurey, helped introduce identity security concepts to a global Formula 1 audience in an accessible and engaging way.


Keeper was proud to support the team through a standout season. In 2025, Atlassian Williams Racing earned fifth place in the Constructors’ Championship, marking a significant step forward in the team’s resurgence. This included two podium finishes, with drivers Albon and Sainz securing eighth and ninth place in the Drivers’ Championship respectively, demonstrating consistent performance and momentum throughout the year.


Looking to the Year Ahead

Keeper enters 2026 focused on helping organisations secure every user, device and connection through a unified, zero-trust and zero-knowledge vault. Building on a year of meaningful innovation, global growth and expanded research, the company will continue advancing AI-driven capabilities, strengthening privileged access controls and supporting customers as identity security becomes increasingly important to both individuals and organisations worldwide.


“As we look ahead to 2026, we remain committed to advancing zero-trust cybersecurity and empowering organisations to defend against modern threats with confidence,” said Guccione. “Identity sits at the centre of every attack surface, and Keeper is uncompromising in our efforts to protect it. We will continue delivering innovative capabilities that strengthen privileged access, simplify security for users and teams, and ensure our customers can operate with confidence as cyber threats grow more frequent and sophisticated, backed by the power of AI.”

The post A year of Keeper Security! appeared first on IT Security Guru.

UK Government Data Stolen in Cyberattack

Government data has been stolen in a cyberattack, though officials say the risk to individuals remains low, according to a UK minister. The incident has prompted an ongoing investigation and renewed warnings from cybersecurity experts about the long-term risks of state-linked digital espionage.

Trade Minister Chris Bryant confirmed the breach in an interview with BBC Breakfast, saying officials moved quickly once the issue was identified. “An investigation is ongoing,” Bryant said, adding that the security gap was “closed pretty quickly.” While a Chinese-affiliated group is suspected, Bryant cautioned that investigators “simply don’t know as yet” who was responsible.

The compromised systems are understood to relate to visa-related data. Government officials have emphasized that there is no indication of immediate harm to individuals, but cybersecurity specialists say such incidents should not be minimized, particularly when a nation-state actor may be involved.

Anna Collard, security awareness advocate at KnowBe4, warned that the implications often extend far beyond the initial breach. “While the government has described the risk to individuals as ‘low’, incidents like this still matter,” she said. “When state-level actors are suspected, the objective is often long-term intelligence rather than immediate harm. That makes transparency, strong oversight, and timely communication critical. Attribution in cyber incidents is complex, but this is another reminder that government systems are high-value targets. And even with attribution aside, what matters is public trust. Citizens expect their data to be handled with the highest level of care, especially when it involves sensitive information like visas.”

Chris Hauk, consumer privacy advocate at Pixel Privacy, said government data breaches often reveal underlying security weaknesses. “Government data breaches are always concerning, even when the government assures us that the possibility of risks to individuals is low,” he said. “Such a breach indicates that either the government systems were not properly configured or kept updated, or similar issues exist in third party systems. Even if individuals’ data has not been immediately exposed, compromises of government systems can lead to additional intelligence gathering or targeted attacks against public servants and citizens.” Hauk added that this incident fits a broader pattern of suspected Chinese-linked cyber operations that are likely to continue.

Nathan Webb, principal consultant at Acumen Cyber, noted that even incomplete identity data can be highly valuable. “Even partial identity data can be correlated across other breaches and used to create more convincing targeted attempts against individuals,” he said. Webb explained that determining the true impact of a breach is difficult because attackers may already hold related data from other sources. He added that if Chinese nation-state actors are involved, the attack was likely targeted and sophisticated, making strong patching strategies and continuous vulnerability scanning essential.

Other experts highlighted the strategic nature of such intrusions. Dray Agha, senior manager of security operations at Huntress, said, “This intrusion is likely an espionage operation aimed at building intelligence profiles, understanding policy deliberations, or mapping government networks. The real risk isn’t immediate financial harm to citizens, but rather long-term erosion of national security and diplomacy. This incident should be a stark reminder that state-affiliated cyber operations are primarily about persistent, strategic intelligence gathering, not just immediate, disruptive attacks.”

Dan Panesar, chief revenue officer at Certes, emphasized that speed alone does not define success in responding to breaches. “When a suspected nation-state actor steals government data, the risk is not defined by how quickly a gap was closed, but by what data was accessible during that window,” he said, warning that sensitive information may already have been quietly copied before detection.

As the investigation continues, the incident highlights that government systems remain prime targets and that maintaining public confidence depends on strong defenses, clear communication, and accountability.

The post UK Government Data Stolen in Cyberattack appeared first on IT Security Guru.

Keeper Security Bolsters Federal Leadership to Advance Government Cybersecurity Initiatives

Keeper Security has announced two new additions to its federal team: Shannon Vaughn as Senior Vice President of Federal and Benjamin Parrish as Vice President of Federal Operations. Vaughn will lead Keeper’s federal business strategy and expansion, while Parrish will oversee the delivery and operational readiness of Keeper’s federal initiatives, supporting civilian, defence and intelligence agencies as they modernise identity security to defend against pervasive cyber threats.

Vaughn brings more than two decades of private sector, government and military service, with a career focused on securing sensitive data, modernising federal technology environments and supporting mission-critical cybersecurity operations. Prior to joining Keeper, Vaughn served as General Manager of Virtru Federal, where he led business development, operations and delivery for the company’s federal engagements. During his career, he has held multiple senior leadership roles at high-growth technology companies, including Vice President of Technology, Chief Product Owner and Chief Innovation Officer, and has worked closely with U.S. government customers to deploy secure, scalable solutions.

“Federal agencies are operating in an elevated environment with unprecedented cyber risk. Next-generation privileged access management to enforce zero-trust security is essential,” said Darren Guccione, CEO and Co-founder of Keeper Security. “Shannon and Ben bring a unique combination of operational military experience, federal technology leadership and a deep understanding of zero-trust security. They know how agencies operate, how threats evolve and how to translate modern security architecture into real mission outcomes. These exceptional additions to our team will be instrumental as we expand Keeper’s role in securing the federal government’s most critical systems, personnel and warfighters.”

Vaughn is a career member of the U.S. Army with more than 20 years of service and currently holds the rank of Lieutenant Colonel in the Army Reserves. In addition to his operational leadership, Vaughn is a Non-Resident Fellow with the Asia Program at the Foreign Policy Research Institute, where he contributes research and analysis on the intersection of future technology threats and near-peer adversaries. He has a graduate degree from Georgetown University and undergraduate degrees from the University of North Georgia and the Department of Defence Language Institute.

To support execution across federal programs, Parrish oversees the delivery and operational readiness of Keeper’s federal initiatives. Parrish brings extensive experience leading federal operations, software engineering and secure deployments across highly regulated government environments. Prior to joining Keeper, he held senior leadership roles supporting federal customers, where he oversaw cross-functional teams responsible for platform reliability, customer success and large-scale deployments.

Parrish is a retired U.S. Army officer with more than 20 years of service across Field Artillery, Aviation and Cyber operations. His experience includes a combat deployment to Iraq and operational support to national cyber mission forces through the Joint Mission Operations Center. He has supported Department of Defence and Intelligence Community missions, including work with the White House Communications Agency, Joint Special Operations Command, Defence Intelligence Agency and National Reconnaissance Office. Parrish holds a graduate degree in Computer Science from Arizona State University and an undergraduate degree in Computer Science from James Madison University.

In his role at Keeper, Parrish aligns product, engineering, security and customer success teams and works closely with government stakeholders to ensure secure, reliable deployments that meet stringent federal mission, compliance and operational requirements.

“Federal agencies are being asked to modernise faster while defending against increasingly sophisticated, identity-driven attacks,” said Shannon Vaughn, Senior Vice President of Federal at Keeper Security. “I joined Keeper because we are focused on what actually produces tangible cyber benefits: controlling who has access to what, with full auditing and reporting – whether for credentials, endpoint or access management. We are going to win by being obsessive about access control that is easy to deploy and hard to break.”

These appointments come as federal agencies accelerate adoption of zero-trust architectures and modern privileged access controls in response to escalating credential-based attacks. The FedRAMP Authorised, FIPS 140-3 validated Keeper Security Government Cloud platform secures privileged access across hybrid and cloud environments for federal, state and local government agencies seeking to manage access to critical systems such as servers, web applications and databases.

The post Keeper Security Bolsters Federal Leadership to Advance Government Cybersecurity Initiatives appeared first on IT Security Guru.

CultureAI Selected for Microsoft’s Agentic Launchpad Initiative to Advance Secure AI Usage

UK-based AI safety and governance company CultureAI has been named as one of the participants in Microsoft’s newly launched Agentic Launchpad, a technology accelerator aimed at supporting startups working on advanced AI systems. The inclusion marks a milestone for CultureAI’s growth and signals broader industry interest in integrating AI safety and usage control into emerging autonomous AI ecosystems.

The Agentic Launchpad is a collaborative programme from Microsoft, NVIDIA, and WeTransact designed to support software companies in the United Kingdom and Ireland that are developing agentic AI solutions. With more than 500 companies applying, the selected cohort of 13 pioneering organisations represents some of the most forward-thinking solutions shaping the future of AI. The initiative is part of Microsoft’s wider investment in UK AI research and infrastructure, which includes nearly $30 billion committed to developing cloud, AI, and innovation capabilities in the region.

Selected companies in the program receive access to technical resources from Microsoft and NVIDIA, including engineering mentorship, cloud credits via Microsoft Azure, and participation in co-innovation sessions. Participants also gain commercial support, such as marketing assistance, networking opportunities and opportunities to showcase products to enterprise customers and investors.

CultureAI’s inclusion underscores an increasing industry emphasis on safe and compliant AI deployment. The company’s platform focuses on detecting unsafe AI usages, enforcing organisational policies during AI interactions, and providing real-time coaching to guide secure behaviour. This type of AI usage control has drawn interest from sectors with strict data governance and security requirements, including finance, healthcare, and regulated industries.

By working within the Agentic Launchpad cohort, CultureAI gains a strategic opportunity to integrate its usage risk and compliance controls with agentic AI development frameworks — an area where autonomous systems may introduce new vectors for inadvertent data exposure or misuse if not carefully governed.

Agentic AI represents a next stage of artificial intelligence that extends beyond generative tasks like text or image creation toward systems that can plan, act and autonomously execute sequences of decisions. This shift brings potential benefits in efficiency and automation, but also raises new challenges for risk management and governance in production environments.

Experts have noted that while initiatives like the Agentic Launchpad aim to accelerate innovation, they also emphasise robust tooling and ecosystem support to address security, operational governance and compliance in emerging AI applications. In this context, companies specialising in usage control and risk detection, such as CultureAI, might play a growing role as enterprises adopt more autonomous AI technologies.

The inclusion of AI safety-oriented companies like CultureAI in accelerator programmes reflects a broader trend in the industry toward embedding governance and risk mitigation into the core of AI development cycles. As agentic AI systems begin to move from laboratories into real-world use cases, particularly in sensitive or regulated domains, ensuring safe interaction with data and policy compliance may become a key differentiator for enterprise adoption.

“This recognition reflects the urgency organisations face today,” said James Moore, Founder & CEO of CultureAI. “AI is now embedded across everyday workflows, and companies need a safe, scalable way to adopt it. Our mission is to give them that confidence — through visibility, real-time coaching and adaptive guardrails that protect data without slowing innovation.”

The post CultureAI Selected for Microsoft’s Agentic Launchpad Initiative to Advance Secure AI Usage appeared first on IT Security Guru.

Salt Security Unveils its “12 Months of Innovation”

Salt Security has unveiled its “12 Months of Innovation” recap, a holiday-inspired look at the company’s product, partnership, and research momentum across 2025. As organisations raced to adopt AI agents, MCP servers and cloud-native architectures, Salt delivered an unmatched innovation “gift” to the industry almost every month, helping security teams keep pace with an expanding API attack surface.

From discovering zombie APIs and blind spots across the API fabric to securing AI agents and protecting MCP actions at runtime, Salt’s 2025 roadmap focused on one goal: giving security teams the visibility and control they need at the API action layer where applications, data, and AI intersect.

“In 2025, APIs didn’t just power applications, they powered AI agents, automation, and entire digital business models,” said Roey Eliyahu, co-founder and CEO at Salt Security. “That shift created massive new risk across the API fabric. Our team responded with a steady drumbeat of innovation across the year, so customers weren’t left defending yesterday’s problems while attackers moved on to tomorrow’s opportunities.”

The 12 Months of Innovation: A Year of Gifts for Security Teams

January – The Year Kicks Off with APIs at the Center
Salt Labs and early-year research showed how quickly API traffic and risk were growing, from zombie and unmanaged APIs to software supply chain vulnerabilities, setting the stage for why 2025 demanded a new approach to securing the API fabric. Security teams saw clearly that legacy tools weren’t built for dynamic, AI-driven environments.

February – A Spotlight on API Reality
Salt published its State of API Security Report and celebrated key industry recognition such as inclusion in top security lists, providing hard data on how fast API risk is growing. For CISOs and boards, the message was simple: API security is no longer a niche problem – it’s a core business issue.

March – Gold Medals & Rising Shadows
Salt’s innovation earned industry awards, including a Gold Globee, even as new blogs and research detailed how compliance pressure, data privacy obligations, and AI-driven attacks were expanding the API attack surface. Excellence and urgency moved in lockstep.

April – A Season of Partnerships & Paradigm Shifts
Salt deepened integrations with leading security platforms, including CrowdStrike, and strengthened protections for MCP server–driven architectures. These partnerships gave customers richer context and made it easier to bring Salt’s API intelligence into existing security workflows, connecting more of the enterprise API fabric into a cohesive defence.

May – The Cloud Era Gets Real
With cloud-native adoption surging, Salt expanded coverage for leading cloud environments and partners, powering posture governance, risk-aware recommendations, and alignment with emerging insurance and regulatory expectations. API security moved squarely into the boardroom.

June – Illuminate Everything
Salt launched Salt Illuminate along with expanded Cloud Connect capabilities, giving customers instant visibility into APIs across complex multi-cloud and hybrid environments. What was previously blind – shadow, zombie, and unmanaged APIs – suddenly came into view across the API fabric.

July – CISOs Sound the Alarm
Research and blogs from Salt Labs highlighted high-profile AI incidents, including conversational AI mishaps like the McDonald’s chatbot breach, and introduced Salt Surface to help organisations directly tackle their exposed API footprint. Visibility turned into prioritised, actionable defence.

August – Autonomous Everything
As organisations embraced autonomous workflows, Salt advanced protections for autonomous threat hunting and AI-driven security use cases, underscoring the inseparability of APIs and AI. The message: you can’t secure intelligent autonomy without securing the APIs – and API fabric – that power it.

September – Securing the AI Agent Revolution
Salt introduced the industry’s first solution to secure AI agent actions across APIs and MCP servers, protecting sensitive operations from prompt injection, abuse, and unintended access. This launch moved AI agent security from theory to practical, enforceable controls at the API action layer.

October – The Blind Spots Strike Back
New Salt data revealed the hidden risks in AI agent deployments and complex API ecosystems. Through detailed vulnerability breakdowns and guidance, Salt gave security and development teams the education and clarity they needed to modernise their security posture and better understand blind spots across their API fabric.

November – Security Starts in Code
Salt launched GitHub Connect and MCP Finder, enabling customers to discover shadow APIs, spec mismatches, and risky MCP configurations directly in code repositories and CI/CD pipelines – before deployment. Shift-left security met shift-right runtime intelligence across the API lifecycle, connecting design, code, and runtime behaviour.

December – Hello, Pepper
Salt closed the year by introducing Ask Pepper AI, a conversational assistant powered by the Salt platform, alongside MCP protection for AWS WAF. Security teams can now ask questions, investigate threats, and operationalise Salt insights in natural language while enforcing protection at the edge for MCP-aware and AI-driven applications.

“Instead of a partridge in a pear tree, security teams got 12 months of very real innovation – spanning discovery, governance, runtime protection, MCP and AI agent security, and now conversational investigation with Ask Pepper AI,” said Michael Callahan, CMO at Salt Security. “This year, customers told us they needed both visibility and speed. Our roadmap delivered both, and the market response has been tremendous. We delivered more API and AI security innovation in 2025 than any other player in our space.”

Looking Ahead to 2026

As organisations move deeper into AI-driven operations, agentic workflows, and API-centric architectures, Salt will continue to invest in securing the API action layer and API fabric – the place where AI, applications, and data intersect.

“In 2026, we expect APIs to become even more tightly woven into autonomous systems and mission-critical workflows,” added Eliyahu. “We’re already building the next wave of innovations so our customers can safely move faster than their adversaries.”

The post Salt Security Unveils its “12 Months of Innovation” appeared first on IT Security Guru.

Industrial routers bear the brunt of OT cyberattacks, new Forescout research finds

Industrial routers and other OT perimeter devices are absorbing the majority of cyberattacks targeting operational technology environments, according to new Forescout Vedere Labs research.

Analysing 90 days of real-world honeypot data, researchers found that 67% of malicious activity was directed at OT perimeter devices, such as industrial routers and firewalls, compared with 33% aimed at directly exposed OT assets like PLCs and HMIs.

The findings highlight the growing risk facing edge devices that sit between IT and OT networks.

Automated attacks dominate the OT perimeter

The research shows that OT environments are under constant, automated attack, with more than 60 million requests logged across 11 devices in just three months. Once high-volume SNMP fingerprinting traffic was removed, the remaining 3.5 million events revealed that industrial firewalls and routers were the most heavily targeted assets.

Attackers overwhelmingly relied on SSH and Telnet brute-force attempts, which accounted for 72% of perimeter attacks. Many of the credentials used were drawn from well-known default IoT password lists that have circulated for almost a decade, underlining the persistent risk posed by weak or unchanged credentials.

HTTP and HTTPS traffic made up a further 24% of attacks, including thousands of automated exploit attempts designed to force devices to download malware from external servers.

Emerging botnets raise concerns

Researchers identified several malware families actively targeting OT perimeter devices, including RondoDox, Redtail, and ShadowV2. Of these, RondoDox stood out as the most prevalent, responsible for 59% of observed malicious HTTP activity.

RondoDox is a relatively new botnet that has rapidly expanded its exploit arsenal to include more than 50 known vulnerabilities, many without assigned CVEs. While most current exploits focus on IT and IoT devices, researchers warn that the addition of industrial router vulnerabilities could quickly increase the risk to critical infrastructure operators.

ShadowV2, first observed only months ago, has already become the third most common botnet in the dataset, demonstrating how quickly new automated threats are emerging.

Chaya_005: a long-running reconnaissance campaign

One of the most significant findings was the discovery of a previously undocumented activity cluster, dubbed Chaya_005. Active for at least two years, Chaya_005 appears to focus on fingerprinting and capability testing of industrial edge devices, rather than immediate mass exploitation.

The campaign initially included a successful exploit against a legacy Sierra Wireless router, before evolving into a broader set of malformed exploit attempts against multiple vendors’ devices. Researchers believe the activity may be designed to identify which devices are vulnerable to specific command-execution techniques, potentially for future exploitation or monetisation.

Unlike typical botnets, Chaya_005 showed no evidence of indiscriminate scanning or follow-on attacks, suggesting a more deliberate and targeted reconnaissance effort.

Hacktivists and OT expand the threat surface

The research also highlights the growing interest of hacktivist groups in OT targets. In one incident, the pro-Russian group TwoNet compromised and defaced a water treatment HMI in Forescout’s adversary engagement environment.

While such attacks often rely on manual exploitation, the data shows that routers, PLCs, HMIs and even IP cameras are routinely targeted by automated scanners and botnets, blurring the traditional distinction between IT and OT threats.

Security teams urged to rethink IT/OT boundaries

Forescout warns that treating attacks as “IT-only” or “OT-only” is increasingly dangerous. Automated malware does not distinguish between environments, and compromised IT devices at the OT perimeter can serve as a stepping stone into critical systems.

To reduce risk, researchers recommend that organisations harden OT devices, eliminate weak credentials, avoid exposing industrial equipment directly to the internet, and implement OT-aware monitoring capable of detecting malicious behaviour specific to industrial protocols.
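The brute-force pattern described above (high-volume SSH password guessing against accounts drawn from default-credential lists, occasionally succeeding) is exactly what the recommended OT-aware monitoring needs to surface at the perimeter. As an added illustration that is not part of the Forescout report, the Python analyser below walks OpenSSH-style auth-log lines, flags a source once it exceeds a failure threshold inside a time window, lists the account names it tried (cross-checked against a constructed watchlist of names common in default-credential lists), and raises a separate critical finding when a successful login follows that burst. The log lines, the watchlist, the threshold and the year used for timestamp parsing are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH auth.log style (not from the Forescout
# dataset): one noisy external source and one quiet, legitimate admin host.
SAMPLE_AUTH_LOG = """\
Jan 14 03:10:01 edge-rtr sshd[2201]: Failed password for root from 198.51.100.7 port 51234 ssh2
Jan 14 03:10:02 edge-rtr sshd[2202]: Failed password for admin from 198.51.100.7 port 51235 ssh2
Jan 14 03:10:03 edge-rtr sshd[2203]: Failed password for invalid user support from 198.51.100.7 port 51236 ssh2
Jan 14 03:10:04 edge-rtr sshd[2204]: Failed password for invalid user ubnt from 198.51.100.7 port 51237 ssh2
Jan 14 03:10:05 edge-rtr sshd[2205]: Failed password for root from 198.51.100.7 port 51238 ssh2
Jan 14 03:10:06 edge-rtr sshd[2206]: Accepted password for admin from 198.51.100.7 port 51239 ssh2
Jan 14 03:12:30 edge-rtr sshd[2250]: Accepted publickey for netops from 10.20.0.15 port 40022 ssh2
Jan 14 03:15:00 edge-rtr sshd[2260]: Failed password for netops from 10.20.0.15 port 40030 ssh2
"""

# Matches the "Accepted"/"Failed" authentication lines sshd writes; other
# sshd messages are ignored by the parser.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed watchlist of account names that appear in widely circulated
# default-credential lists; an attempt against one is context, not proof.
DEFAULT_ACCOUNT_WATCHLIST = {"root", "admin", "support", "ubnt", "user", "guest"}


def parse_line(line, year):
    """Parse one auth-log line into an event dict, or None if unrelated."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def analyse_auth_log(text, threshold=5, window=timedelta(minutes=5), year=2026):
    """Return findings: a brute-force burst per source, plus any login that
    succeeds while that source is still inside its burst window."""
    events = [e for e in (parse_line(l, year) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)   # ip -> timestamps of failures inside the window
    tried = defaultdict(set)       # ip -> account names attempted
    flagged = set()
    findings = []
    for ev in events:
        ip = ev["ip"]
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in failures[ip] if ev["ts"] - t <= window]
        failures[ip] = recent
        tried[ip].add(ev["user"])
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append({
                    "type": "bruteforce", "severity": "high", "ip": ip,
                    "failures": len(recent),
                    "usernames": sorted(tried[ip]),
                    "default_accounts": sorted(tried[ip] & DEFAULT_ACCOUNT_WATCHLIST),
                })
        elif len(recent) >= threshold:
            # A success right after a guessing burst is the case to page on.
            findings.append({"type": "success_after_bruteforce", "severity": "critical",
                             "ip": ip, "user": ev["user"], "method": ev["method"]})
    return findings


if __name__ == "__main__":
    for finding in analyse_auth_log(SAMPLE_AUTH_LOG):
        print(finding)
```

The threshold and window are deliberately parameters: on a perimeter router that legitimately sees a handful of failed logins a day, five failures in five minutes from one source is a reasonable starting point, and the "success after burst" rule is the one worth routing to an on-call alert rather than a dashboard.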

The post Industrial routers bear the brunt of OT cyberattacks, new Forescout research finds appeared first on IT Security Guru.

New deepfake training from KnowBe4 – see it in action!

KnowBe4, the world-renowned platform that comprehensively addresses human and agentic AI risk management, has announced a new custom deepfake training experience to defend against advanced cybersecurity threats from deepfakes such as fraudulent video conferences and AI-generated phishing attacks.

Deepfakes can be weaponised for fraud and disinformation campaigns and can cause reputational damage across sectors. These types of deepfake attacks are now linked to one in five biometric fraud attempts, with injection attacks increasing 40% year-over-year, according to Entrust’s 2026 Identity Fraud Report. Security incidents related to deepfakes have increased, with 32% of cybersecurity leaders reporting a spike, according to KnowBe4’s The State of Human Risk 2025 report.

“Deepfakes represent a seismic shift in the threat landscape, weaponising AI to impersonate authority, exploit trust, and short-circuit the human decision-making process,” said Perry Carpenter, chief human risk management strategist at KnowBe4. “Our new deepfake training strengthens the workforce’s instincts by providing a safe, tightly controlled environment for learning. All simulations are created and approved by administrators, ensuring ethical use while helping employees recognise narrative red flags, subtle performance inconsistencies, and other cues that manipulated media can reveal. Awareness and preparedness remain our strongest defences, and we are committed to equipping organisations with practical, measurable skills to stay ahead of these emerging threats.”

Deepfake video content is becoming more realistic and harder to discern from reality. Cybersecurity leaders must prepare their organisations for new and emerging threats, taking a proactive approach to their overall protection efforts. Cybersecurity and IT professionals now have the ability to generate a custom deepfake training experience featuring a leader from their organisation to demonstrate how convincing AI-powered social engineering has become and to deliver clear, actionable guidance on how to detect these attacks.

Several anonymous customers who have taken KnowBe4’s deepfake training were highly impressed with the real-world examples, such as deepfakes of their own executives, and the effectiveness of the messaging:

  • “This was efficient and effective in getting the message across to our executives about what deepfakes are and how to properly deal with them using our inhouse protocols.”
  • “Very informative content with real world examples and definitions helps better understand how deepfakes can affect one’s life and the risks they create. Thank you for keeping us alert!”

For more information on KnowBe4’s new deepfake training experience, visit https://www.knowbe4.com/deepfake-training.

The post New deepfake training from KnowBe4 – see it in action! appeared first on IT Security Guru.

Next Gen Awareness Training: KnowBe4 Unveils Custom Deepfake Training

In today’s world, it can be hard for awareness training to keep up with the modern threats that are constantly emerging. Today, KnowBe4 has announced a new custom deepfake training experience to counteract the risk of ‘deepfake’ attacks as they continue to rise. The experience, which is now available, aims to help employees defend against the advanced cybersecurity threats from deepfakes such as fraudulent video conferences and AI-generated phishing attacks. 

Deepfakes can be weaponised for fraud and disinformation campaigns and can cause reputational damage across sectors. These types of deepfake attacks are now linked to one in five biometric fraud attempts, with injection attacks increasing 40% year-over-year, according to Entrust’s 2026 Identity Fraud Report. Security incidents related to deepfakes have increased, with 32% of cybersecurity leaders reporting a spike, according to KnowBe4’s The State of Human Risk 2025 report.

Perry Carpenter, chief human risk management strategist at KnowBe4, said: “Deepfakes represent a seismic shift in the threat landscape, weaponising AI to impersonate authority, exploit trust, and short-circuit the human decision-making process.”

Carpenter continues: “Our new deepfake training strengthens the workforce’s instincts by providing a safe, tightly controlled environment for learning. All simulations are created and approved by administrators, ensuring ethical use while helping employees recognise narrative red flags, subtle performance inconsistencies, and other cues that manipulated media can reveal. Awareness and preparedness remain our strongest defences, and we are committed to equipping organisations with practical, measurable skills to stay ahead of these emerging threats.”

Deepfake video content is becoming more realistic and harder to discern from reality. Cybersecurity leaders must prepare their organisations for new and emerging threats, taking a proactive approach to their overall protection efforts. Through this new experience, cybersecurity and IT professionals now have the ability to generate a custom deepfake training experience featuring a leader from their organisation to demonstrate how convincing AI-powered social engineering has become and to deliver clear, actionable guidance on how to detect these attacks.

The post Next Gen Awareness Training: KnowBe4 Unveils Custom Deepfake Training appeared first on IT Security Guru.

Keeper Security Launches ServiceNow Integration to Improve Visibility and Response to Cyber Attacks

Keeper Security has announced a new integration with ServiceNow® IT Service Management (ITSM) and the Security Incident Response (SIR) module. The integration allows organisations to securely ingest security alerts from across the Keeper platform directly into ServiceNow, enabling faster and more consistent investigation of incidents tied to credentials, secrets and privileged access.

Stolen credentials remain one of the most common entry points for cyber attackers. According to the 2025 Verizon Data Breach Investigations Report, 60% of cybersecurity breaches involve the human element, including compromised passwords and misuse of access. Keeper’s global research reinforces the urgency of protecting the identity layer, with 69% of organisations adopting Privileged Access Management (PAM) to defend against credential theft. Many of these threats originate from privileged and administrative activity, which organisations secure through solutions like KeeperPAM®, Keeper’s cloud-native PAM platform. The new ServiceNow integration helps teams operationalise these defences by routing high-priority identity and access alerts into the workflows they already rely on for incident management.

Craig Lurey, CTO and Co-founder of Keeper Security, said: “Identity-based attacks are growing more sophisticated, but the fundamentals remain the same. Defenders need reliable signals and immediate context, and this integration delivers both. By sending Keeper’s privileged access telemetry to ServiceNow in real time, security teams can focus on analysis and action instead of stitching data together. It’s a streamlined, practical way to strengthen visibility where it matters most.”

The Keeper Security ITSM application provides a guided setup experience and a secure, OAuth 2.0-protected webhook to receive alerts from the Keeper platform. Security teams can operationalise activities such as BreachWatch® detections of compromised passwords, changes in privileged user behaviour and high-risk actions involving credentials, secrets or privileged sessions. The integration automatically converts incoming alerts into SIR tickets with full contextual detail, allowing analysts to triage and investigate with greater accuracy and fewer manual steps.

The integration offers secure webhook ingestion protected by OAuth 2.0, automatically converting incoming alerts into SIR records to remove manual ticket creation and speed up response times. Administrators can map alert types to custom severity levels, configure the connection, and manage authentication tokens without any bespoke development. Each alert includes detailed metadata to support investigations, and the platform’s zero-knowledge architecture ensures Keeper cannot access or decrypt customer data, maintaining strong privacy and security throughout.
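The two paragraphs above describe a common integration shape: an OAuth 2.0-protected webhook receives alerts, an administrator-defined mapping assigns each alert type a severity, and every alert becomes a ticket carrying its full metadata. As an added example (not Keeper’s or ServiceNow’s code, and not their real field names or alert types), the Python receiver below shows the checks a practitioner would want on such an endpoint: constant-time bearer-token comparison, JSON and required-field validation, deduplication of retried deliveries by alert id, and the type-to-severity mapping. The token, the alert types, the severity labels and the sample deliveries are all constructed for this illustration; a pre-shared access token stands in for whatever token validation the real integration performs.

```python
import hmac
import json

# Assumed, constructed configuration for this illustration only.
EXPECTED_ACCESS_TOKEN = "constructed-access-token-for-demo-only"

# Administrator-defined mapping from alert type to ticket severity. Both the
# type names and the severity labels are constructed, not a vendor schema.
SEVERITY_BY_ALERT_TYPE = {
    "breachwatch_compromised_password": "1 - Critical",
    "privileged_session_high_risk": "2 - High",
    "privileged_user_behaviour_change": "3 - Moderate",
}
DEFAULT_SEVERITY = "4 - Low"            # unknown types still get a ticket
REQUIRED_FIELDS = ("alert_id", "type", "summary", "timestamp")


class WebhookReceiver:
    """Turns authenticated alert deliveries into ticket records."""

    def __init__(self, expected_token=EXPECTED_ACCESS_TOKEN):
        self._expected_token = expected_token.encode()
        self._seen_alert_ids = set()    # dedupe retried deliveries
        self.tickets = []

    def _authorised(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        # Constant-time comparison so a wrong token cannot be timed out.
        return scheme == "Bearer" and hmac.compare_digest(
            token.encode(), self._expected_token)

    def handle(self, headers, body):
        """Process one delivery; return (http_status, ticket_or_None)."""
        if not self._authorised(headers):
            return 401, None
        try:
            alert = json.loads(body)
        except json.JSONDecodeError:
            return 400, None
        if not isinstance(alert, dict) or any(k not in alert for k in REQUIRED_FIELDS):
            return 400, None
        if alert["alert_id"] in self._seen_alert_ids:
            return 200, None            # duplicate delivery: acknowledge, no new ticket
        self._seen_alert_ids.add(alert["alert_id"])
        ticket = {
            "source": "keeper",
            "correlation_id": alert["alert_id"],
            "short_description": f"[Keeper] {alert['summary']}",
            "severity": SEVERITY_BY_ALERT_TYPE.get(alert["type"], DEFAULT_SEVERITY),
            "opened_at": alert["timestamp"],
            "details": alert,           # full alert metadata kept for the analyst
        }
        self.tickets.append(ticket)
        return 201, ticket


# Constructed sample deliveries: a valid alert, a retry of it, a bad token,
# an unknown alert type, and a malformed body.
_GOOD = {"Authorization": "Bearer " + EXPECTED_ACCESS_TOKEN}
_BAD = {"Authorization": "Bearer not-the-token"}
_ALERT_1 = json.dumps({"alert_id": "alert-0001", "type": "breachwatch_compromised_password",
                       "summary": "Password for svc-backup found in breach data",
                       "timestamp": "2026-01-14T03:10:00Z"})
_ALERT_2 = json.dumps({"alert_id": "alert-0002", "type": "some_future_alert_type",
                       "summary": "Unmapped alert", "timestamp": "2026-01-14T03:11:00Z"})
SAMPLE_DELIVERIES = [(_GOOD, _ALERT_1), (_GOOD, _ALERT_1), (_BAD, _ALERT_1),
                     (_GOOD, _ALERT_2), (_GOOD, "{not json")]


def run_demo():
    """Feed the sample deliveries through one receiver; return statuses and tickets."""
    receiver = WebhookReceiver()
    statuses = [receiver.handle(headers, body)[0] for headers, body in SAMPLE_DELIVERIES]
    return statuses, receiver.tickets


if __name__ == "__main__":
    statuses, tickets = run_demo()
    print(statuses)
    for ticket in tickets:
        print(ticket["severity"], ticket["short_description"])
```

Deduplication by alert id matters because webhook senders retry on timeouts; without it, one incident becomes several tickets and the analyst's queue fills with noise. The zero-knowledge property the text mentions is not affected by this layer: only the alert metadata, not vault contents, crosses the webhook.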

“Attackers don’t wait, so organisations shouldn’t wait either for the critical signals that can stop an attack before damage is inflicted,” said Darren Guccione, CEO and Co-founder of Keeper Security. “By bringing Keeper’s privileged access intelligence straight into ServiceNow, in real time, we’re giving organisations a faster path to detection and response at the identity layer, where most attacks begin.”

As organisations contend with increasingly distributed infrastructure and a rise in credential-driven attacks, consistent visibility across identity and privileged access tools is essential. Keeper’s integration with ServiceNow closes a persistent monitoring gap and strengthens an organisation’s ability to detect, investigate and resolve identity-related incidents quickly.

The post Keeper Security Launches ServiceNow Integration to Improve Visibility and Response to Cyber Attacks appeared first on IT Security Guru.

Outpost24 Acquires Infinipoint

This week, Outpost24 announced the acquisition of Infinipoint, a specialist in device identity, posture validation, and secure workforce access. The acquisition marks Outpost24’s entry into the Zero Trust Workforce Access market and enhances its identity security division, Specops, by laying the foundation for a unified approach that evaluates both the user and the device before access is granted.

As organisations advance their Zero Trust strategies, authentication alone is no longer enough. MFA and SSO confirm who the user is, but they do not validate the security of the device being used. In hybrid environments where employees, contractors, and partners rely on a mix of corporate and unmanaged devices, this gap has become a significant source of risk. Ensuring that only secure, compliant devices can access critical systems is now essential to reducing credential misuse, preventing lateral movement, and maintaining regulatory assurance.

Organisations will benefit from the combined strengths of Specops’ unrivalled authentication and Infinipoint’s device identity and posture expertise, gaining a unified, context-aware approach to workforce access. This will allow organisations to evaluate both user and device trust at the moment of access, strengthening Zero Trust adoption while improving compliance and operational efficiencies by leveraging Infinipoint’s unique self-service and auto-remediation capabilities – across any device and any identity provider.

“With the strategic addition of Infinipoint’s unique capabilities to the Specops platform, we are setting a new benchmark for Zero Trust Workforce Access with a holistic security layer that ensures every access attempt is validated across both the person and their device,” stated Ido Erlichman, Chief Executive Officer of Outpost24. “This acquisition strengthens our identity security portfolio and supports our strategy to help customers reduce risk across every stage of the access journey.”

Shirona Partem, Managing Director of Specops, added: “For many organisations, securing access requires supporting both password and passwordless authentication. Infinipoint’s device identity and posture verification complement both models, giving customers stronger assurance that access originates from a trusted user on a trusted device. This addition enhances the Specops portfolio and broadens how we support organisations in protecting their workforce.”

Commenting on the acquisition, Ran Lampert, Chief Executive Officer and Co-Founder of Infinipoint, said: “We are excited to join the Outpost24 family, and bring device identity and posture enforcement to a wider global audience. Together, we are setting the new standard for Zero Trust access, combining user and device validation into a seamless security fabric that eliminates historic access vulnerabilities. This powerful integration delivers the true promise of Zero Trust, giving our customers the confidence to scale their businesses globally with secure, friction-free access for every employee, every time.”

The acquisition underscores Outpost24’s commitment to advancing its exposure management and identity security capabilities and strengthens its role in delivering end-to-end visibility and control across identities, devices, and the external attack surface.

The post Outpost24 Acquires Infinipoint appeared first on IT Security Guru.

The Best Red Teaming Tools of 2026: What You Need to Know

As AI-generated threats continue to rise, more organisations are turning to red teaming to turn the tide. Nothing provides a better understanding of your security posture like letting a red team loose on your environment to simulate a real-world attack. 

Here is a list of some of the top red teaming tools you’ll find in 2026—along with what you’ll need to know to make your choice.  

Cobalt Strike (Fortra)  

Cobalt Strike is one of the most widely used red teaming tools in cybersecurity today. As one engineer noted, “It was the product that changed the industry” as its insights spurred the development of Endpoint Detection and Response (EDR). Now, nearly a decade and a half later, it continues to be the professional’s choice and is estimated to be in use by 60% of red teamers out there.  

Strengths 

  • Vetted Exploits: One of Cobalt Strike’s key advantages is its interoperability. By integrating closely with Core Impact, it offers users full access to Core Impact’s library of core certified exploits, which is widely trusted by security experts over potentially risky open-source options.  
  • Malleable C2: Traffic can be made to resemble legitimate apps (by altering URLs, headers, payload formatting, etc.), a mature and well-documented technique. 
  • Integrated Workflow: Bundles payload generation, post-exploitation features, a team server for collaboration, and a single operator workflow—instead of making teams cobble together separate OSS components. 
  • Superior Support: Commercial licensing comes with professional support: vendor maintenance, documentation, and live help. For teams that want compatibility with corporate tooling and predictable updates, this is key.
  • Mature Solution with Repeatable Results: Polished GUIs, established C2 features, team collaboration workflows, and vetted exploits mean repeatable, credible results.  

Limitations 

  • Commercial Licensing: Commercial pricing can be high for smaller teams. 
  • Legal Considerations: Cobalt Strike can only be used in authorised engagements. 

Watch Now: See Cobalt Strike explained in two minutes: https://www.youtube.com/watch?v=9BUxptcYZCk 

Mythic 

Mythic is an open-source, modular command-and-control (C2) framework perfect for creating customised “agents” across Windows, macOS, and Linux targets.  

Strengths 

  • Highly Extensible: New features easily added or modified without an extensive overhaul. Every feature runs as a containerized microservice. 
  • Fully Customisable: Used for openness, flexibility, and the ability to research and craft new payloads. 
  • Development and Research: Many use Mythic for research, educational, and development purposes as it provides full control and zero licensing costs.  

Limitations 

  • Requires Orchestration: Container orchestration, agent configuration, and more administrative effort than commercial tools are required. 
  • Steep Learning Curve: Without a “turnkey” setup or a single-vendor installer, operators must be experienced to get Mythic up and running. 

AdaptixC2  

AdaptixC2 is a fairly new open-source red teaming tool that entered the market in January 2025. It offers flexibility, a modular architecture, and works across multiple operating systems. With no licensing costs, it is good for labs and bespoke engagements. 

Strengths 

  • Cross-Platform Support: It offers support for Windows, Linux, and macOS agents. 
  • “Extenders” and Plug-Ins: Add in additional capabilities like lateral movement, credential harvesting, and custom payloads. 
  • Modifiable and Open-Source: Great for emulating bespoke adversaries as it is deeply customisable and easily expanded.  

Limitations 

  • Less Mature: Being newer on the market means fewer “out of the box” modules and less battle-tested experience.  
  • Less Standardised and Established: Integrating with other red-team ecosystems (toolchains, training, reporting workflows) may require more customisation. 

Sliver 

Developed by Bishop Fox, Sliver is an open-source adversary emulation platform that implants “slivers” (malicious binaries) across many architectures and supports multiple transport options. 

Strengths 

  • Staged and Stageless Payloads: Sliver delivers both staged and stageless payloads to launch both larger, immediate-impact attacks and smaller, size-constricted ones. 
  • Flexible Transport Options: Offers native support for DNS, HTTP(S), mTLS, WireGuard and custom transports for varied emulation of egress patterns.  
  • Dynamic Code Generation: Reduces static detections (when configured properly) with per-binary keys and compile-time options to change fingerprints.  

Limitations 

  • No Commercial SLA: Teams need to invest in their own internal support, testing, hardening, and expertise.  
  • Payload Size: Some users report needing to reduce the size of implants and the forensic artefacts they leave behind.

Havoc  

Havoc has rapidly gained traction in the red teaming community as one of the few open-source C2 tools to be designed with operator UX in mind.  

Strengths 

  • Fully Customisable: Teams can extend, modify, and audit the framework (again, good for research, education, and custom engagements).  
  • Fast Setup: Documentation, tutorials, and YouTube walk-throughs shorten the learning curve, along with active community engagement.
  • Approachable UX: A GUI-driven framework smooths setup and provides a more polished, modern user experience comparable to commercial-grade tools.

Limitations 

  • Younger Ecosystem: Less battle-tested than older, more established red teaming tools; capabilities may evolve unevenly. 
  • Operational Hardening Required: To achieve enterprise-grade OPSEC, internal investment is required: cleaning proxies, testing against EDR/XDR stacks, hardening listeners.   

Outflank Security Tooling (OST)  

Outflank Security Tooling, or OST, is a collection of advanced red teaming tools made “by red teamers, for red teamers.” This broad, evasive toolset emulates real-world attacks by simulating APT techniques, bypassing defences, and providing high-end offensive security. 

Strengths 

  • Expert Maintained: OST is continuously updated by the hackers and experts that use it themselves, making it well-suited for mature and sensitive target environments. 
  • Full Kill Chain Coverage: Get advanced tools to break the attack chain at any stage. Small teams can punch above their weight with shortcuts for hard stages like EDR evasion, initial access, and OPSEC-safe lateral movement. 
  • Unique Industry Advantage: OST features techniques not yet weaponized or even published by other teams, giving organisations a unique advantage over other tools and attackers.  

Limitations 

  • Vetted Audience: Because of its powerful capabilities, Outflank Security Tooling is not a tool for the masses. Instead, it is available only to a vetted community of responsible buyers and red team professionals because of its real-world attack potential. 
  • OS-Specific Evasion: Evasion techniques are carefully crafted to work with certain operating systems and configurations, just like an attacker’s techniques. This means that an exploit designed for a Windows 11 endpoint may not work on Windows 10.

Kali Linux 

Maintained by Offensive Security, Kali Linux is a Debian-based Linux distribution used for red teaming, pen testing, and digital forensics. Rather than a specialised red teaming tool, it is a complete operating system and toolkit.

Strengths 

  • Preinstalled Security Tools: Kali Linux ships with 600+ preinstalled security tools (from John the Ripper to Burp Suite to Wireshark). 
  • Free and Open Source: Users can modify, inspect, and rebuild it. No licensing or usage fees.  
  • Open to Integration: Kali Linux serves as the foundation for red teaming tools, integrating with frameworks like Sliver and Havoc (C2 operators) to act as host. 

Limitations 

  • Not a C2 Framework: While Kali Linux supports C2 frameworks, it is an environment—not a post-exploitation or C2 platform in its own right. 
  • Inconsistent Tool Maturity: Tools can overlap, lead to inefficiencies, or (in the case of older tools) be buggy, outdated, or redundant.  

Matrix Table 

Tool  Overview  Use Case
Cobalt Strike  Commercial, professional-grade red teaming and post-exploitation platform used by ~60% of red teams worldwide.  Professional, repeatable red teaming engagements
Mythic  Open-source, modular C2 framework for research and custom agent creation.  Highly modular, customizable, cross-platform agent dev
AdaptixC2  New (2025) open-source C2 platform emphasizing modularity and cross-platform operation.  Highly modular, customizable, cross-platform agent dev
Sliver (BishopFox)  Open-source adversary emulation framework for red teaming with multi-transport implants (“slivers”).  Open-source research and adversary emulation
Havoc  Open-source GUI-based C2 framework designed for usability and community collaboration.  Modern GUI-driven open C2 alternative
Outflank Security Tooling (OST)  High-end offensive security red teaming toolkit created “by red teaming experts for red teaming experts.”  Advanced APT simulations and evasive tactics for mature, sensitive target environments
Kali Linux  Debian-based Linux distro for penetration testing, digital forensics, and red teaming; acts as a tool platform.  Training and general-purpose pentesting

Conclusion: Commercial vs Open-Source

Ultimately, the choice between commercial red teaming tools and open-source options depends on where you are willing to sacrifice. 

As SANS notes, “Balance the cost against the potential ROI. Open-source tools…may be cost-effective and community-driven, while commercial tools…often come with additional capabilities and a curated database. This typically includes the latest threat intelligence, attack vectors, new campaigns and overall support.”

Whether your organisation is looking for a cost-friendly option or a mature, licensed solution, there is a red teaming vendor that can fit your needs in 2026.  

FAQ:

What is a red team? 

A red team is a group of ethical hackers that play the part of adversaries in simulating a real-world cyberattack for the purpose of testing an organisation’s cybersecurity defences. They play a key role in offensive security.

What is the difference between a red team and a blue team?

A red team attacks; a blue team defends. Though they play opposite roles in red team engagements, all are on the same side: improving the cybersecurity posture of the target organisation.  

This is why teams should prioritise blue team success over red team wins.  

Watch this explainer video for more: https://www.youtube.com/watch?v=E3ZMAipJvao

How is red teaming different from penetration testing?

Pen testing searches for and catalogues vulnerabilities, specifically. Red teaming leverages advanced and creative ways to breach an organisation, from social engineering to APTs and beyond. It is broader, less predictable, and tests everything from the tool stack to the response capabilities of the blue team.

What is the goal of a red team exercise?

The goal of a red team exercise is to uncover ways in which threat actors could leverage internal weaknesses, misconfigurations, and oversights – along with technical exploits and expertise – to access an organisation’s internal network, services, or applications and disrupt operations, exfiltrate data, and otherwise inflict harm.

How do you get legal/ethical approval to run a red team?

The red team engagement needs to be authorised and approved by the organisation and key stakeholders. Basic steps include: 

  • Scope and Justification: Define what you’re testing and why 
  • Sign-Off: Approval from legal, risk/compliance, SOC/security, IT/network operations, HR (if phishing), C-Suite sponsor 
  • Rules of Engagement (RoE): Defines technical boundaries, allowed techniques, and things like safe words and kill switches.

What kind of tools do red teams use?

Red teams typically use command-and-control (C2) platforms to run red team engagements. These frameworks can be commercial-grade or open-sourced, and include tools such as: 

  • Beacons/Agents/Slivers 
  • Adversary Emulation Platforms 
  • Exploit Frameworks 
  • Lateral-Movement Tools 
  • Payload Builders/Obfuscators/Packers 
  • Transport and Tunneling Tools 
  • Reconnaissance and Scanning Tools (Shodan, theHarvester) 
  • Social Engineering and Phishing Toolkits (Social Engineering Toolkit (SET)) 
  • Network/Application Testing Tools (Wireshark, Burp Suite) 
  • Physical Tools (RFID cloners, lock-pick sets) 
  • Command Libraries/Scripts/Automation

Cobalt Strike was one of the first public red team C2 frameworks and is a favourite in the red teaming community.  

What’s a purple team exercise and should we do one? 

purple team exercise brings red teams and blue teams together in a collaborative security assessment. The focus is on bringing both skillsets to the table for the purpose of learning, teaching, and improving—not “winning.”  

A purple team mindset recognises red and blue as the same team – with the ultimate goal of beating attackers – and fosters engagements that act as an open-communication training opportunity.

The post The Best Red Teaming Tools of 2026: What You Need to Know appeared first on IT Security Guru.

Coupang CEO Resigns Following Major Data Breach Exposing 34 Million Customers

South Korea’s largest online retailer, Coupang, has been rocked by a massive data breach that exposed the personal details of nearly 34 million customers, forcing CEO Park Dae-jun to resign amid mounting scrutiny from regulators and the public.

The breach, one of the most severe in South Korea’s history, reportedly included names, email addresses, phone numbers, and shipping details. While Coupang said that payment and login credentials were not compromised, the scale of the exposure has prompted police raids and a government-led investigation. The company has since apologised and appointed Chief Administrative Officer Harold Rogers as interim CEO while pledging to overhaul its cybersecurity practices.

According to Paul German, CEO at Certes, this incident is emblematic of a much broader trend. “2025 has, unfortunately, been the year of the high-profile data breach. Millions, no, billions, of dollars have been squandered in terms of reputational damage, lost sales and productivity, not to mention judicial penalties. When you factor in the knock-on effects across supply chains and third-party suppliers, the true cost of data exposure becomes staggering.”

German says Coupang’s leadership change underscores a critical lesson for corporate boards everywhere: data protection is no longer just a technical concern but a boardroom responsibility. “The CEO’s resignation is a stark reminder that data protection is not an IT issue, but an executive issue,” he adds. “Ultimately, it is the Board’s duty to ensure the company’s data is protected, wherever it resides. For any CEO, failure to do so risks not just the organisation’s trust, but their own career.”

As Coupang works to regain customer confidence, the company’s turmoil serves as a cautionary tale for global business leaders: in an era where cyber incidents can destroy reputations overnight, executive accountability for data security is non-negotiable.

The post Coupang CEO Resigns Following Major Data Breach Exposing 34 Million Customers appeared first on IT Security Guru.
