Valtik Studios
Insights

Original research, organized by theme

197+ cybersecurity analyses clustered by what they cover. Jump straight to compliance research if you are preparing for an audit. Threat intel if you are tracking current adversary behavior. Platform security if you are architecting a stack.

PCI · HIPAA · SOC 2 · CMMC · NYDFS · ISO 27001

Compliance & Regulatory · 40 posts

Regulatory frameworks decoded: what changed, what the auditors check, what the fines are when you get it wrong.

See all 40 compliance & regulatory posts →
Labor Market · 2026-04-23

148 security roles across six months of HN Who's Hiring. What the 2026 CISO market actually looks like.

Pulled six months of Hacker News 'Who is hiring?' threads, filtered to 148 security-adjacent roles. Distribution by month, role types (compliance is 29, threat detection 16, offensive security only 1), location breakdown, contact-information quality, and company-type clustering. Practical takeaways for candidates, hiring managers, and companies about to post for their first security engineer.

Public Company · 2026-04-23

Two years of Item 1.05. What Form 8-K cyber filings say, and the seven things they never say.

Read every Item 1.05 8-K filed from December 2023 through April 2026. What the filings actually contain, the seven things they deliberately never say (threat actor, ransom payment, root-cause vector, specific systems, record count, insurance recovery, CISO accountability), the amendment problem, the small-cap gap, and four practical read-outs for vendors, buyers, boards, and pre-IPO companies.

Healthcare · 2026-04-22

98 HIPAA breaches in six weeks, 9.5M patients. What the HHS wall actually shows.

Pulled the last six weeks of breaches off the HHS OCR wall: 98 incidents, 9.46M affected individuals. Statistical breakdown of breach type, location, state, entity type, and business-associate involvement, with the shape of the top 10 by population affected. What the 2025 Security Rule NPRM is about to change for small practices, and four concrete actions a small or mid-sized covered entity can take this quarter before the rule lands.

EDR · 2026-04-17

SMB EDR Buyer Guide 2026: Microsoft Defender vs SentinelOne vs CrowdStrike vs Huntress vs Sophos

Side-by-side EDR comparison for the 10-500 seat SMB range. Microsoft Defender for Business, SentinelOne Singularity Core, CrowdStrike Falcon Go, Huntress Managed EDR, Sophos Intercept X. Per-seat pricing, detection philosophy, managed-service availability, MITRE ATT&CK results, and real TCO (not just license fee). Decision framework that picks for you by profile. Red flags to avoid in SMB sales pitches.

CISA / Federal · 2026-04-16

CIRCIA Incident Reporting: What Critical Infrastructure Owes CISA in 2026

CISA final rule (6 CFR Part 226) defines what counts as a reportable incident, who must report, and the 72-hour (or 24-hour for ransom payments) clock. Covered entity definition across 16 critical infrastructure sectors. Incident Report fields, safe harbor provisions, interaction with SEC 8-K / NERC CIP / TSA / HIPAA, and the runbook for the first 24 hours of an incident where reporting is mandatory.

AI · 2026-04-08

What ChatGPT, Claude, and Gemini Actually Keep About You

Every AI chatbot retains your conversations. Retention periods, training use, law enforcement access, and breach history vary dramatically. A practical data privacy map of ChatGPT, Claude, Gemini, Copilot, Grok, and Meta AI. Including the NYT v. OpenAI court order requiring indefinite retention.

Encryption · 2026-03-25

Your Encryption Has an Expiration Date

Every HTTPS connection, Signal chat, and VPN on the internet relies on crypto that quantum computers will break. NIST finalized the replacements in 2024. A post-quantum cryptography migration guide for application security and compliance teams.

Ransomware · 2026-03-21

Inside a Ransomware Gang: HR Departments, Salaries, and Bonuses

Ransomware-as-a-Service operations like LockBit, BlackCat, and Cl0p run on affiliate economics. The business model evolution from ransomware attacks to double-extortion, and what it means for incident response and cyber insurance.

EU Regulation · 2026-03-07

EU NIS2 Directive: Why US Companies Need to Care

NIS2 became enforceable across EU member states in October 2024. It's Europe's biggest cybersecurity regulation since GDPR, covering 100,000+ entities across 18 critical sectors. And, to the surprise of many US companies, it affects any non-EU company that provides services to EU customers in covered sectors. Penalties up to €10M or 2% of global revenue. A practical guide to whether NIS2 applies to you and what to do about it.

State Privacy Law · 2026-03-06

US State Data Privacy Laws 2026: The Complete Matrix Every Business Needs

If you do business in the US, you are likely subject to multiple state data privacy laws. California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and a growing list of states have active laws with enforcement authority. A practical matrix of what each law requires, the thresholds that trigger applicability, and the unified compliance approach that handles all of them.

Security Awareness Training · 2026-02-27

Security Awareness Training Buyer Guide 2026: KnowBe4 vs Hoxhunt vs Curricula vs Proofpoint

Most awareness programs are box-checking. Click rates stay at 18% and nobody knows if that's good. This is the honest buyer guide. Ten vendors compared (KnowBe4, Proofpoint, Hoxhunt, Curricula, Ninjio, Infosec IQ, Living Security, Barracuda, Mimecast, specialized phishing). Metrics that matter vs vanity metrics. Realistic click rate curve (2-10%). Program design that works. Executive + VIP programs. Compliance-specific requirements.

AI · 2026-02-24

Clearview AI's Privacy Settlement: Victims Are Now Shareholders

Clearview AI scraped 30+ billion photos from public internet to build a facial recognition system sold to law enforcement. A landmark $52 million ACLU settlement followed. A data privacy and facial recognition investigation.

28 more in this cluster — see all
APTs · Ransomware · Supply Chain · Breaches

Threat Intelligence · 61 posts

How actual threat actors operate right now. Analysis of recent incidents, attack patterns, and defense implications.

See all 61 threat intelligence posts →
Cisco Catalyst SD-WAN · 2026-05-17

cisco SD-WAN CVE-2026-20182: a missing else-if branch gave UAT-8616 god-mode over the corporate WAN fabric of every Catalyst customer that didn't patch in 3 days

CVE-2026-20182 in Cisco Catalyst SD-WAN Controllers is CVSS 10.0 / pre-auth / unauthenticated / remote. The bug is a missing else-if branch in the vdaemon peering authentication service that handles device_type messages on UDP/12346 (DTLS). The switch statement handles vBond, vSmart, vEdge — but the device_type=2 (vHub) case has no verification branch, so the controller unconditionally flips the authenticated flag for anyone who claims to be a vHub. From there: SSH key injection into /home/vmanage-admin/.ssh/authorized_keys, NETCONF on TCP/830 as the high-priv internal vmanage-admin account, then root. CISA KEV added 2026-05-14 with the tightest federal mitigation window of 2026 (3 days, due May 17, ED 26-03). Attribution: UAT-8616 — the threat cluster that has been camping on Cisco SD-WAN since 2023, previously caught burning CVE-2026-20127 / 20133 / 20128 / 20122. Blast radius is the entire enterprise WAN fabric: OMP route tables, TLOC entries, branch-to-branch segmentation, policy distribution. A single controller pop = god-mode over every cEdge/vEdge in the overlay. This post: full bug walkthrough, affected versions and patches (20.9 → 20.18 and 26.1), hunt indicators across SSH/NETCONF/DTLS/config-plane/webshell layers, pre-patch mitigations (no Cisco workaround so perimeter ACL + management-plane lockdown), the post-patch credential rotation list, and Snort SIDs 66482-66483 for IPS detection.

Microsoft Exchange Server · 2026-05-17

exchange CVE-2026-42897: every news outlet is calling this "RCE." it isn't. it's OWA XSS — and the threat model is completely different.

CVE-2026-42897 in on-prem Microsoft Exchange Server is being reported as RCE across every major security outlet this week. It is not RCE. CWE-79 — Cross-Site Scripting in Outlook Web Access. The bug fires when a victim opens a crafted email in OWA. JavaScript executes in the victim's authenticated browser session, not on the Exchange server. That distinction completely changes the response playbook: the box is not owned, the user's session is. Patch posture: no permanent fix for Exchange 2016/2019 unless you're enrolled in the Period 2 paid Extended Security Updates program. Exchange SE will receive the public patch. Exchange Online: not affected. This post: why every outlet has the framing wrong, what the post-XSS hunt actually looks like (inbox-rule abuse, EWS post-message-read patterns, MSExchange Management event log), the EEMS M2 mitigation everyone should already have auto-applied, the manual EOMT path for air-gapped boxes, and the PowerShell block to hunt persistence in the last 24 hours. CISA KEV due date for federal mitigation: 2026-05-29.

npm / TanStack ecosystem · 2026-05-11

tanstack npm supply-chain compromise: 84 malicious package versions, a self-spreading worm, and a file-watcher wiper that triggers if you try to revoke your tokens

On May 11 2026 at 19:20 UTC the TanStack ecosystem on npm was compromised. 42 packages, 84 malicious versions, published in a six-minute window with valid Sigstore provenance. The attacker chained three GitHub Actions vulnerabilities — pull_request_target pwn-request, cache poisoning, and runner-process OIDC token extraction — to mint a valid npm publish token and ship malicious releases of @tanstack/react-router, @tanstack/start, @tanstack/solid-router, @tanstack/vue-router and dozens more. The payload harvests AWS / GCP / Kubernetes / Vault / GitHub / npm / SSH credentials and exfils over Session messenger (not HTTP — most egress filters won't catch it). It self-propagates by minting npm tokens for every other package the victim publishes, with forged Sigstore attestations. And it installs a file watcher on the host that detects API-key revocation attempts and triggers a destructive wiper payload — try to clean up from the compromised box and the box gets nuked. This post: full list of 42 affected packages with bad and safe versions, the deobfuscated payload capability matrix, all IOCs (file hashes, persistence locations, network indicators), and the correct air-gap-first remediation order (revoke from a different machine, image before you wipe, block *.getsession.org at the egress). Campaign: Mini Shai-Hulud — same crew that hit Mistral, UiPath, Squawk, Intercom, Lightning AI, SAP CAP. 169+ packages this wave.

Ivanti EPMM · 2026-05-10

ivanti EPMM CVE-2026-6973: the 'RCE' everyone's misreading. it's authenticated admin RCE, and that changes the playbook.

Ivanti disclosed CVE-2026-6973 in Endpoint Manager Mobile (EPMM): an authenticated admin RCE actively exploited in the wild. CVSS 7.2. Patched in 12.6.1.1 / 12.7.0.1 / 12.8.0.1. Most news coverage drops the 'authenticated' qualifier and treats this as a generic 0-day RCE. It's not. The auth requirement means your real threat model is 'attacker who has, or can get, admin creds' (phishing, password spray, breach corpus) not 'any internet scanner.' Different posture, different mitigation, different rotation list. This post: who's actually exposed (internet-facing admin consoles), the post-exploit blast radius (full mobile device control plane — push apps, push certs, push VPN configs to every managed device), the detection commands for admin-session anomalies, the patch order across HA pairs, the post-patch credential rotation list most teams skip, and the medium-term architecture fix (admin console off the public internet, period).

cPanel / WHM · 2026-05-10

cPanel CVE-2026-29201, 29202, 29203: arbitrary file read, Perl code injection, DoS. three bugs in one disclosure, and the perl one is RCE.

cPanel disclosed and patched three CVEs on May 8, 2026 affecting cPanel & WHM and the WP Squared platform. CVE-2026-29201 is an arbitrary file read in the cPanel daemon (exposes /etc/userdomains, mysql credentials in ~/.my.cnf, api tokens, and the whostmgr admin secret). CVE-2026-29202 is Perl code injection in the handler dispatcher that lands as the cPanel user, chainable with any kernel local-privesc to escape tenant isolation and pivot across every customer on the box. CVE-2026-29203 is a DoS on the WHM daemon that becomes a force multiplier during IR. The detection runbook for cPanel admins: version check, world-writable Perl handler audit, access log grep for pre-disclosure 0day attempts, the patch order, customer communication template, the long-tail problem of customer-installed Perl scripts that aren't covered by the cPanel patch, and the full IR runbook if you find evidence of compromise.

Palo Alto Networks · 2026-05-06

PAN-OS CVE-2026-0300: an unauthenticated root RCE in the firewall you paid $80K for. Patch order, detection, what to do tonight.

Palo Alto Networks confirmed today (May 6, 2026) that CVE-2026-0300 — an unauthenticated buffer overflow in the PAN-OS User-ID Captive Portal yielding full root RCE — is being actively exploited in the wild. CVSS 9.3. Patches stagger to May 13/22/28. This post is the defender's runbook: what the captive portal exposes (your SSL decryption keys, GlobalProtect secrets, syslog forwarding), the post-exploitation pattern observed in early IR, detection commands for the management plane, the patch order across HA pairs, the workaround if you can't patch tonight, and what to do if you find evidence of compromise. If you operate Palo Alto firewalls, read this before lunch.

M365 / Google Workspace · 2026-05-06

The new phishing campaign weaponizing Google + Outlook calendar invites — credential theft, OTP interception, and RMM in one click.

GBHackers and a handful of corporate IR teams broke a US-targeting campaign today: fake calendar invites — sent through legitimate Google Calendar / Outlook scheduling APIs — land credential-phishing pages that capture username + password + TOTP, then drop signed RMM agents (ConnectWise, TeamViewer, Atera, Splashtop) for unattended remote access. Calendar invites bypass every gut-check users have been trained on. This post: the exact KQL hunts for unauthorized RMM installs, Exchange Online transport rules to quarantine suspicious invites, OAuth-grant audits in Google Workspace, mandatory hardware-key migration for execs, and the full IR playbook if a workstation has been popped.

Apache HTTP Server · 2026-05-06

Apache HTTP/2 CVE-2026-23918: a double-free in the protocol everyone runs. The patch order, detection, and why CVSS 8.8 understates the risk.

Apache pushed an HTTP Server security release yesterday (May 5, 2026) patching CVE-2026-23918 — a double-free in mod_http2's stream-reset path that the ASF describes as 'double free and possible RCE.' CVSS 8.8. Apache HTTP runs on 22-31% of internet-reachable web servers and HTTP/2 has been the default since 2.4.17. Detection commands for HTTP/2 advertisement across your fleet, container-image rebuild order, the access-log fingerprint of exploitation, and the simple workaround (disable HTTP/2 with one Protocols line) if you can't patch in 48 hours. The patch matrix across Debian, Ubuntu, RHEL, Amazon Linux, and the cloud-managed Apache services is laid out below.

MetInfo CMS · 2026-05-06

MetInfo CMS CVE-2026-29014: a 9.8 PHP code-injection RCE in a CMS most Western admins have never heard of. The detection runbook for the long tail.

VulnCheck published yesterday on CVE-2026-29014 — an unauthenticated PHP code-injection RCE in MetInfo CMS 7.9, 8.0, 8.1. CVSS 9.8. The campaign has been running since April 5 against the Chinese-language SMB CMS that dominates the Asian-diaspora SMB website market in the US, Canada, Australia, and Europe. If you operate shared hosting, you have MetInfo installs in your customer base you don't know about. The detection runbook: find every MetInfo across customer accounts (one find command), version-scan each install, hunt for the campaign's signature webshells, mod_security rules to block the vuln URL pattern at the host level, and the customer-communication workflow for proprietors who don't speak English.

NHS · 2026-05-05

The NHS just walled off hundreds of GitHub repos because of Anthropic Mythos. The institutional reaction has started.

The Register reports the UK's NHS has ordered tech leaders to wall off hundreds of public GitHub repos over advanced-AI scanning concerns, naming Anthropic's Mythos directly. This is the first major government-scale institutional reaction to Mythos-class capability. Tre called this in March; here's the playbook every defender should run in the next ten business days — repo inventory, gitleaks + trufflehog full-history sweep, the four-question test, default-private new repos, and the OSS hardening checklist for libraries you have to keep public.

Weaver · 2026-05-05

Weaver E-cology CVE-2026-22679: a 9.8 RCE actively exploited since mid-March. The patch + IR runbook.

CVSS 9.8 unauthenticated RCE in Weaver E-cology via /papi/esearch/data/devops/ — actively exploited since mid-March 2026, weeks before today's public disclosure. Affects E-cology 10.0 prior to build 20260312. E-cology is the dominant OA platform across China and a hidden footprint in Western multinationals via their Chinese subsidiaries. Owning E-cology = owning every contract, HR record, and approval that flowed through the company. Detection commands, exact patch order, JSP webshell hunting, database compromise audit, PIPL/GDPR/state-law notification obligations, and the Tre-pattern-recognition take on enterprise admin platforms exposed to the public internet.

OT / Critical Infrastructure · 2026-05-05

Itron disclosed an internal network breach via SEC 8-K. The utility you've never heard of runs your power meter.

Itron — the smart-meter and utility-software vendor used by ~8,000 utilities globally — filed an 8-K disclosing internal-network compromise in late April 2026. The disclosure is light on detail. The pattern is heavy. OT vendor breaches inherit the trust relationships the vendor has with hundreds of utility customers simultaneously. This is the Volt Typhoon shape applied to civilian critical infrastructure. What utility CISOs ask Itron, what they audit internally, and why SEC 8-K disclosures are a poor instrument for understanding the actual incident.

49 more in this cluster — see all
Cloud · Kubernetes · BaaS · APIs · Identity

Platform Security · 31 posts

Deep-dive research on specific platforms. AWS, Supabase, Hasura, Clerk, Auth0, Kubernetes, and more. Real attack patterns, real hardening.

See all 31 platform security posts →
X (Twitter) automation · 2026-05-10

building a real-time CVE detection-to-broadcast pipeline that hits X's 30-minute algorithmic velocity window

Engineering writeup of the Valtik flash-scanner pipeline we run in production. 26 RSS feeds polled every 10 minutes, 7-template rule-based drafter (not LLM, for cost + latency + hallucination reasons), 100-point validator that catches em-dashes and title-case dumps, auto-approve gate (validator score >=95 + CVE present + known vendor + 14-day dedup) that pushes 60-70% of drafts straight to live broadcast, real-time poster via xdk SDK, scheduled-drip fallback at 5am/9am/12pm PT. Three war stories included: the CVE dedup bug that posted PAN-OS twice (fix: dedup on the canonical id not the source URL), the OAuth1 token-scope footgun (fix: regenerate access token after flipping app perms, because tokens are baked at issue time and the X dev portal UI implies otherwise), and the 15-hour stuck-cron incident (fix: socket.setdefaulttimeout(10) at the top of every cron'd script). Plus the reply path that targets the algorithm's 75x weight for author-replies-to-replies, the highest single positive signal in the engagement graph.

Application · 2026-04-26

A login bug where the password "null" works. The Note Mark OIDC bypass and what it teaches every auth team.

GHSA-pxf8-6wqm-r6hh: Note Mark's local-password endpoint accepted the literal string 'null' as a valid password for users who'd been migrated to OIDC. The hash field was NULL in the database; bcrypt.compare coerced both sides to the string 'null' and returned true. One null check would have prevented it. Walk through the bug, the broader pattern (any app that added SSO to a previously local-auth codebase), and the static + runtime detection rules every team should adopt.

Infrastructure · 2026-04-26

Traefik shipped three authentication bypasses in 24 hours. The same root cause is in every reverse proxy.

Three high-severity Traefik advisories on April 25 2026: StripPrefixRegex Path/RawPath desync, forwarded-alias spoofing for pre-auth decisions, and ForwardAuth trustForwardHeader=false still leaking X-Forwarded-Prefix. All three are pre-authentication, all three let unauthenticated requests reach protected backends, and all three share the same root cause: edge and origin disagreed about what the request was. The same bug class lives in nginx, Envoy, HAProxy, and every CDN-fronted authenticated backend. Patch + audit guide.

Vercel · 2026-04-17

Vercel Deployment Security: 10 Misconfigurations That Leak Secrets in 2026

Ten Vercel deployment misconfigurations we find repeatedly during penetration tests. NEXT_PUBLIC_* leaking service keys, preview deployments with production env vars, webhook handlers without signature verification, middleware path-smuggling bypass, unauthenticated API routes fanning out to paid third-party APIs, deployment-URL discovery of stale environments. Each with detection, exploitation, and fix.

OAuth · 2026-04-12

OAuth 2.1 Migration in 2026: What Actually Changed and How to Move

OAuth 2.1 is the consolidated successor to OAuth 2.0 that deprecates the grant types that caused most real-world security bugs. The IETF draft became final in early 2026. Here is what changed, what to migrate first, and the specific patterns we see failing most often.

macOS · 2026-04-12

macOS Enterprise Hardening in 2026: The Configuration Beyond MDM Defaults

Apple's macOS is increasingly dominant in enterprise fleets. Security, design, finance, and executive teams ship on Mac. The default MDM configurations miss several important hardening controls. Here is the 2026 macOS enterprise hardening baseline.

Kubernetes · 2026-04-11

Kubernetes Admission Controllers: The Policy Layer Most Clusters Forget

Most Kubernetes clusters we audit have RBAC sort-of configured and NetworkPolicies mostly working. And wide-open admission policy. A compromised service account that can create pods can create privileged pods, mount the host filesystem, and escape containers. Here is the admission controller configuration that stops this.

Windows · 2026-04-09

PowerShell Security for Enterprises in 2026: The Configuration Every Windows Shop Needs

PowerShell is the most powerful administrative tool on Windows and the most powerful post-exploitation framework for attackers. The enterprise configuration that enables defenders without disabling attackers is narrow. Here is the exact configuration that works in 2026.

Microsoft Entra · 2026-04-08

Microsoft Entra ID Conditional Access: The 8 Gaps We Find in Every Audit

Microsoft Entra ID Conditional Access is the primary security control for M365 / Azure-dependent organizations. After running dozens of Entra ID audits in 2025-2026, these are the 8 configuration gaps we find repeatedly. Most produce real risk.

Zero Trust · 2026-04-04

Zero Trust for Fully-Remote Companies: A Real-World Playbook

Most Zero Trust guidance assumes you have a corporate office. For fully-distributed companies with no corporate network, the architecture looks different. Here is the 2026 playbook for 50-500 person remote-first companies.

Salesforce · 2026-04-01

Salesforce Experience Cloud: The Multi-Million Dollar Misconfiguration Problem

Salesforce Experience Cloud (formerly Community Cloud) continues to expose sensitive Salesforce data due to misconfigured guest user profiles and permissive sharing rules. The pattern has caused multiple 2024-2026 breaches. Here is how to audit your own deployment.

AWS · 2026-03-31

AWS IMDS Attacks: SSRF to Role Credentials to Full Account Compromise

The Capital One breach ($190M settlement) exploited a textbook IMDSv1 SSRF attack to exfiltrate 106 million customer records. A deep dive into AWS Instance Metadata Service security, IMDSv1 vs v2, SSRF exploitation, enforcement SCPs, and the cloud penetration testing runbook we use on Valtik engagements.

19 more in this cluster — see all
LLMs · Autonomous Agents · AI Governance

AI Security · 4 posts

What AI actually does and does not do for security, what it lets attackers do, and what defenders need to know.

See all 4 AI security posts →
Langflow / AI tooling · 2026-05-17

langflow CVE-2026-33017: the unauth RCE in your team's AI prototyping tool is exfiltrating your AWS keys in under 20 hours flat

Langflow — the visual builder for LLM agent chains used by AI engineers and MLOps teams — had its second unauthenticated RCE in two years pushed through the same exec() call. The vulnerable endpoint is POST /api/v1/build_public_tmp/{flow_id}/flow (note the _public_ — no auth by design), which routes attacker-supplied Python into exec() at src/lfx/src/lfx/custom/validate.py:397 with zero sandboxing. Sysdig honeypots logged the first probe 20 hours after disclosure on 2026-03-17, the first successful credential exfil within 25 hours, and active exploitation has continued through May 2026. The payload is purpose-built for AI infrastructure: dumps os.environ for AWS_*, OPENAI_*, ANTHROPIC_*, HF_TOKEN, PINECONE_*, SUPABASE_*, GITHUB_TOKEN; drops a 9.4MB Go binary (worker-linux-amd64) using utls for TLS fingerprint spoofing + embedded gitleaks for secret scanning; persists as keyhunter-worker.service; joins a NATS-based C2 botnet at 45.192.109.25:14222 subscribing to task.scan_cde, task.scan_web, task.validate_aws, task.validate_ai. Affected ≤ 1.8.1, patched in 1.9.0. NATS-as-C2 is the new technique infostealer botnets are converging on (sysdig writeup). Why AI/ML tooling is the new Jenkins: broad IAM, default-internet-exposed, :latest tags, high-value secrets in env, no auth gate. Full IOCs, the air-gap-first remediation order (the worker can detect revocation CLI invocations), and the IAM/key-rotation list to clean up after compromise.

AI-generated web apps · 2026-05-10

we read 15 vibe-coded apps so you don't have to: 69 vulnerabilities, 5 patterns, one playbook

Tenzai's January 2026 study audited 15 web apps generated by AI tools (Cursor, Claude Code, Replit's agent mode, Devin, OpenAI Codex). Result: 69 distinct vulnerabilities. 0 of 15 had CSRF. 0 had basic security headers. 100% had SSRF. 24.7% of all AI-generated code shipped with a flaw. We replicated the methodology on 8 client codebases and found the same patterns. Five recurring vulns walked through with code: SSRF against AWS IMDS (the canonical exploit), hardcoded service-role keys in NEXT_PUBLIC_ client bundles, missing Supabase RLS policies (tested with one pg_tables query), wide-open CORS reflecting any origin with credentials, and Clerk unsafe_metadata trusted as auth (the privilege-escalation one-liner: window.Clerk.user.update). Why the AI does this (RLHF rewards 'the app works' not 'the app is secure'). The 5-step pre-flight you can run in under 10 minutes before shipping. Plus a downloadable PDF checklist for the email list.

Consumer · 2026-04-20

The Wayback Machine Is Going Dark in 2026

241 news outlets now block the Internet Archive's crawlers. Reddit cut it off in August 2025. The New York Times added archive.org_bot to robots.txt at the end of 2025. Cloudflare blocks AI crawlers by default as of July 2025. Google Cache is gone. Bing Cache is gone. The open record of the web is narrowing fast, and that matters for journalists, OSINT operators, and bug bounty researchers who need archival evidence. Practical alternatives and a local-capture pipeline included.

LLM Applications · 2026-04-01

Prompt Injection Attacks: The Complete Taxonomy for 2026

Prompt injection is the SQL injection of the LLM era. Direct, indirect, multimodal, stored, tool-chain, and training-time variants walked through with real incidents (Bing Chat, Slack AI, M365 Copilot) and the layered defenses that actually reduce risk. The SQL-injection-for-LLMs reference a serious AI security program needs.

Surveillance · Data Brokers · Forensics

Consumer Privacy & Opsec · 47 posts

What surveillance actually looks like in 2026, what data is collected about you, and what you can do about it.

See all 47 consumer privacy & opsec posts →
Voice cloning / deepfake · 2026-05-10

the $2.3 billion phone call: voice-clone scams are hitting elderly americans at industrial scale in 2026

In 2026 Americans over 65 lost $2.3 billion to phone scams where the voice on the other end was their own grandchild, son, or daughter. It wasn't. It was a voice cloned from three seconds of audio, available from any TikTok, YouTube clip, or voicemail greeting. The FBI logged the number. Average loss per victim: $12,500. Success rate jumped from 12% in 2024 to 34% in 2026. Senator Hassan opened an investigation into ElevenLabs on April 16, 2026. This post: how the scam actually works (the 'grandson in jail' script, the 'lawyer wants bond wired' setup, the 90-minute time pressure that prevents callbacks), the technology layer ($5/month subscription to clone any voice from 3 seconds of audio), the criminal supply chain (industrial pig-butchering compounds in Burma and Cambodia, Telegram script markets), the 5 things every family should agree on TODAY (code word, never-wire-on-voice, the lawyer-call-is-fake rule, brief parents AND kids, test the code word), the IR runbook if it happens (hang up, call back on known number, IC3.gov, freeze accounts), and the CFO version of the same scam (deepfake CEO calls finance team). Designed to be shared.

Linux Kernel · 2026-05-03

Copy Fail (CVE-2026-31431): a 732-byte Python script roots every Linux distribution shipped since 2017.

Xint and Theori dropped a 732-byte Python exploit on April 29 that turns any unprivileged Linux user into root on every major distribution shipped since 2017. The bug is a page-cache write primitive in the kernel's authencesn AEAD implementation, exploitable via AF_ALG sockets and splice(). The exploit walkthrough, who is in scope, the patches that already exist, and the seccomp + module blacklist mitigations for environments that cannot reboot immediately.

MCP · 2026-04-20

I ran my MCP auditor on Anthropic's own reference server. It found a gap.

The Model Context Protocol is eighteen months old and already production infrastructure for every AI IDE integration. I wrote mcp-security-scanner to check for five attack patterns: tool argument validation, shell passthrough, filesystem scope, SSRF, credential exposure. Running it on Anthropic's own reference server fired MCS1 on server-memory. Here's the finding, why the pattern propagates, and how to fix it.

Consumer · 2026-04-16

What Your Car Is Selling to Insurance Companies Right Now (2026)

Post-2018 vehicles transmit telematics (GPS, braking, acceleration, Bluetooth pairings, voice transcripts) to manufacturers who resell to insurance clearinghouses like LexisNexis Risk Solutions. FTC hit GM in 2025 but the pipeline is still running for Ford, Toyota, Honda, Hyundai, Kia, Nissan, Subaru, Stellantis. How to pull your Consumer Disclosure Report, opt out at each manufacturer, and whether dongle-based insurance discounts are actually a trap.

Active Directory · 2026-04-10

Active Directory Tier Zero in 2026: The Privilege Boundary Every AD Audit Must Check

Microsoft's Active Directory administrative tier model turns 10 years old in 2026. Most enterprise AD environments still have not implemented it properly. Here is what Tier 0 means, why it matters, and the specific audit procedure that finds the gaps before attackers do.

DNS Security2026-04-07

DNS-over-HTTPS for Corporate Networks: The 2026 Tradeoffs

DoH in consumer browsers was the 2020-2023 story. DoH in enterprise networks is the 2026 story. A different set of tradeoffs between user privacy, security monitoring, and content filtering. Here is how defenders should think about it.

RAG / Vector Databases2026-04-06

RAG Security: The Attacks Against Vector Databases Nobody Is Testing For

RAG pipelines have their own attack surface most teams never threat model. Vector store poisoning, cross-tenant leakage, embedding inversion (Morris et al. 92% token recovery), metadata filter bypass, semantic retrieval attacks, prompt injection via retrieved documents. The RAG security audit checklist a production system needs before go-live.

Consumer2026-03-27

Travel Opsec: Airport Wifi, Hotel Networks, and Border Crossings in 2026

Traveler threat model for normal business trips and elevated-risk destinations. Pre-travel patching, device encryption, VPN selection (Mullvad, ProtonVPN, IVPN). USB juice jacking and Bluetooth hygiene. Hotel networks, airport wifi, captive portals. US CBP border search authorities and what travelers can actually do. Tier 2: clean travel devices, biometric-off-at-border, post-trip wipe.

Ad Tech2026-03-26

How 200 Companies Learn Everything About You in 100 Milliseconds

Real-Time Bidding broadcasts your browsing data to hundreds of companies in under 100ms per page load. A deep dive into browser fingerprinting, cross-device tracking, and online profiling with data privacy implications.

Apple iCloud2026-03-26

iCloud Forensics: What Apple Actually Gives Law Enforcement

Your iPhone is the most private consumer device ever built. Your iCloud backup is not. A practical walkthrough of what Apple does, and does not, hand over when law enforcement subpoenas your account, why Advanced Data Protection changes everything, and the one-click setting most iPhone users still haven't enabled.

Ad Blocker2026-03-25

Ad Blockers That Actually Work in 2026 (and the Ones That Don't)

Google's Manifest V3 killed most ad blockers in 2024. Chrome now ships with gutted tracker-blocking capabilities. The good news: the good ones still work, they just aren't on Chrome anymore. A 2026 guide to the ad blockers that still meaningfully block ads and trackers, the ones that have been quietly neutered, and the DNS-level approach that works everywhere.

Google2026-03-25

Google Takeout: The Full Audit of What Google Actually Has On You

Go to takeout.google.com and request all of your data. The archive will typically run 50 to 500 GB. It contains things you did not know Google was storing, including 10+ years of location history, every Google Assistant voice command, and a complete index of what you've watched, searched, purchased, and typed. A practical walkthrough of what's in there and what to delete.

35 more in this cluster — see all

Security Stack Decisions

Tools & Comparisons14 posts

Honest comparisons of security tools, platforms, and frameworks. Which to use, when, and why.

See all 14 tools & comparisons posts →
AI/LLM2026-05-05

1 million exposed self-hosted AI services. The 4 most common holes, and what to do tonight.

The Hacker News dropped research on 1M+ exposed self-hosted AI services on the public internet — Ollama, Open WebUI, vLLM, LiteLLM, LocalAI. The 4 most common holes: missing auth, no rate limiting, exposed model weights, and open prompt as a data extraction surface. Working Caddyfile snippets, hardened Ollama systemd units, Tailscale ACLs for zero-public-port deployment, garak red-team probes, and a complete production checklist. Self-hosted AI deployments are 10x weaker than the SaaS equivalents; thirty minutes of hardening tonight saves you from being part of next month's follow-up post.
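The first two holes in that list, a service bound to every interface with no authentication, are the ones a systemd drop-in fixes in a minute. The snippet below is an added example, not one of the post's own units or Caddyfiles: it writes an override that pins Ollama to loopback and sandboxes the process, then checks the bind address it produced. It relies on Ollama honouring the documented `OLLAMA_HOST` variable; the unit name `ollama.service`, the override path, and the model directory `/usr/share/ollama` are assumptions for the example and should be adjusted to the local install.

```shell
#!/bin/sh
# Added example: generate a systemd drop-in that keeps a self-hosted Ollama
# off public interfaces and sandboxes the service, then verify the result.
# Assumptions: the service is ollama.service, it honours OLLAMA_HOST, and
# models live under /usr/share/ollama (the default for the official installer).

# Write the override fragment to $1
# (normally /etc/systemd/system/ollama.service.d/override.conf).
write_ollama_dropin() {
    out="$1"
    cat > "$out" <<'EOF'
[Service]
# Bind to loopback only. For remote access put Caddy (with auth) or a
# Tailscale node in front instead of exposing 11434 directly.
Environment=OLLAMA_HOST=127.0.0.1:11434
# Process and filesystem sandboxing: no privilege escalation, read-only
# system tree, no access to /home, private /tmp, writes limited to the
# model directory.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/usr/share/ollama
EOF
}

# Print the host:port Ollama will bind to according to drop-in file $1.
# systemd applies the last Environment= assignment, so take the last match.
ollama_bind_addr() {
    sed -n 's/^Environment=OLLAMA_HOST=//p' "$1" | tail -n 1
}

# Return 0 if the configured bind address is loopback-only, 1 otherwise
# (an empty value means Ollama's default, which is not loopback-only here).
is_loopback_only() {
    case "$(ollama_bind_addr "$1")" in
        127.0.0.1:*|localhost:*|'[::1]':*) return 0 ;;
        *) return 1 ;;
    esac
}
```

After writing the file, run `systemctl daemon-reload && systemctl restart ollama`, then confirm with `ss -ltnp | grep 11434` that the listener is on 127.0.0.1 only. Because a later `Environment=` assignment overrides an earlier one, the drop-in wins even if the base unit sets `OLLAMA_HOST=0.0.0.0`.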

Browser Isolation2026-04-04

Browser Isolation in 2026: Finally Worth Deploying at Scale

Browser isolation has been a niche enterprise product for a decade. In 2026, it finally makes economic and operational sense for mid-market deployments. Here is what changed, the vendor shootout, and the deployment patterns that work.

LLM Agents2026-04-04

Agentic AI Security: When Your LLM Can Call Tools, What Goes Wrong

LLMs with tool-calling are a fundamentally different security model than chatbots. The attack surface explodes. Confused deputy attacks, composite tool exploitation, untrusted tool output, memory poisoning, credential theft. Real incidents from GitHub Copilot Workspace, Claude Computer Use, M365 Copilot. Architectural patterns that contain blast radius.

Container Security2026-03-04

Container Security 2026: The Complete Guide from Image Build to Runtime

Container security has failure modes that don't exist in traditional infrastructure. This is the complete 2026 container security guide. Six failure mode categories. Image security from build to runtime. Registry security. Runtime protection (Falco, Tetragon, commercial). Integration with Kubernetes cluster security. Specific production attack patterns. 10 fastest wins.

Directus2026-03-02

Directus Headless CMS: Role Escalation, File Library Exposure, and the Defaults That Bite

Directus is one of the most popular open-source headless CMS platforms, sitting behind thousands of production websites, mobile apps, and IoT data flows. It's also a recurring audit finding. Permission templates that don't scale, file library exposure, API access tokens with excessive privileges, and the Flows engine's hook execution that becomes an attack vector when misused.

DevSecOps2026-03-01

DevSecOps 2026: The Complete Implementation Guide for Mid-Market Engineering Orgs

The gap between 'we have DevSecOps' and 'security genuinely shifted left' is vast. Most companies deploy the tooling. Very few reduce vulnerability burden. This is the complete 2026 DevSecOps guide. Tools that matter at each scale. Integration patterns. Organizational patterns (Security Champions, platform engineering). Six failure modes that produce dashboards nobody opens. 90-day launch plan.

Vulnerability Management2026-02-24

Vulnerability Management Buyer Guide 2026: Tenable vs Qualys vs Rapid7 vs Wiz vs Snyk

Everyone has VM. Almost nobody has it working. This is the complete buyer guide. Twelve vendors (Tenable, Qualys, Rapid7, Wiz, Orca, Lacework, Snyk, GitHub Advanced Security, Microsoft Defender VM, Kenna/Cisco VM, Outpost24, OpenVAS). Prioritization problem. Patching integration. Web app vs infrastructure. External attack surface management (EASM). 10 failure patterns. Compliance-specific requirements (PCI ASV, HIPAA, SOC 2, CMMC).

SIEM2026-02-21

SIEM Buyer Guide 2026: Splunk vs Sentinel vs Elastic vs Chronicle vs Sumo

Nobody walks out of a SIEM procurement cycle happy. This is the honest buyer guide. Twelve vendors compared (Splunk ES, Microsoft Sentinel, Elastic Security, Sumo Logic, Datadog, Chronicle, Rapid7, Exabeam, LogRhythm, QRadar, Devo, Panther). Pricing model deep dive (per-GB, per-employee, workload, hybrid). Evaluation criteria. 10 common deployment failure patterns. When NOT to deploy SIEM.

EDR2026-02-18

EDR Buyer Guide 2026: CrowdStrike vs SentinelOne vs Defender vs Palo Alto Cortex

EDR replaced AV a decade ago and became the foundational endpoint control. Once deployed, EDR is sticky. This is the complete 2026 EDR buyer guide. Vendor shootout (CrowdStrike, SentinelOne, Microsoft Defender, Palo Alto Cortex, Sophos, Cybereason, Trend Micro, Bitdefender, Kaspersky, Elastic, Wazuh, Huntress). Pricing. The July 2024 CrowdStrike lesson. Common failure patterns. Decision framework.

CNAPP2026-02-15

CNAPP Buyer Guide 2026: Wiz vs Orca vs Prisma Cloud vs Lacework vs Sysdig

CNAPP consolidates CSPM, CWPP, CIEM, DSPM, container, and Kubernetes security into one platform. Expensive but necessary at scale. This is the complete 2026 buyer guide. What the category covers. Vendor shootout (Wiz, Orca, Palo Alto Prisma Cloud, CrowdStrike Falcon, Lacework, Sysdig, Check Point, Microsoft Defender for Cloud, Aqua, Upwind). Agent vs agentless. Pricing negotiation. Common failure patterns. Decision framework by cloud spend.

Identity Providers2026-02-12

Identity Provider Buyer Guide 2026: Okta vs Entra ID vs Google vs JumpCloud vs Ping

Pick your IdP wrong and the next three years of security architecture get harder. This is the complete 2026 IdP buyer guide. Four categories (IdPaaS, cloud-native, legacy, open source). Vendor-by-vendor with pricing (Okta, Entra ID, OneLogin, JumpCloud, Ping, Google, AWS IAM Identity Center, Keycloak). Workforce vs customer identity. Migration patterns. Decision frameworks by org size.

Cloud Security2026-02-10

CSPM Tools in 2026: Wiz, Prisma, Orca, Lacework, and the Cloud-Native Choice

Cloud Security Posture Management (CSPM) is the primary approach to finding misconfigurations across AWS, GCP, and Azure at scale. The market has consolidated around a few major players plus emerging CNAPP (Cloud-Native Application Protection Platform) offerings. A practical comparison of Wiz, Prisma Cloud, Orca, Lacework, and cloud-native alternatives. Plus the framework for choosing the right tool.

2 more in this cluster — see all

Research driving engagements

Our engagements apply the same research methodology to your environment. If you want the specific findings for your stack, start with a free security check.