Blog

Practical insights on penetration testing, compliance, AI security and human risk.

2026-07-14

The Most Common API Security Flaws We Find in Pentests

APIs now carry most of the traffic and most of the risk. Here are the flaws we see again and again during penetration tests, mapped to the OWASP API Security Top 10, plus an illustrative walkthrough of how a "low" file-inclusion bug chains into remote code execution on a .NET service.

Read →
2026-07-10

Device Code Phishing Is Up 37x — The MFA Bypass Your Awareness Training Doesn't Cover

Device code phishing sidesteps passwords, MFA, and even passkeys — because it never touches the login. Detections are up 37x in 2026 as ready-made kits commoditize the technique. Here is how it works, why it beats your current defences, and how to test your staff against it.

Read →
2026-07-09

Poisoned AI Skills and Fake Exploit Repos — The New Supply Chain Attack on Your Team

A fake AI agent skill passed every security scanner and reportedly reached 26,000 agents. A trojanized "proof-of-concept" campaign is hunting the security researchers themselves. The software supply chain now includes the things your AI installs — here is how to defend it.

Read →
2026-07-08

AI Agents Have an Identity Problem — and Attackers Already Know It

Identity management was built around people — an employment record, a manager, a departure date. AI agents have none of those, and they are multiplying across companies faster than anyone is governing them. Practical steps for CISOs and IT managers to get non-human identities under control.

Read →
2026-07-07

The First AI-Run Ransomware Attack — What JADEPUFFER Means for Your Patching Priorities

Sysdig documented JADEPUFFER, an attack it assesses was run end to end by an LLM — breaking in through an old Langflow flaw, harvesting credentials, and wiping a production database. Here is what it changes about how you prioritize patching and exposure.

Read →
2026-07-07

FortiBleed — 110 Million Stolen Credentials, and Why Your Firewall Is the New Crown Jewel

A campaign dubbed FortiBleed targeted 430,000 FortiGate firewalls, harvested over 110 million credentials, and has now been linked to the INC and Lynx ransomware operations. Here is what happened, why edge devices are attackers' favourite way in, and what to do about it this week.

Read →
2026-07-07

Your AI Browser Can Be Talked Into Stealing Your Data — BioShocking and AutoJack Explained

Two new attacks show how AI browsers and agents can be manipulated by a single web page — one convinces the agent it is playing a game, the other turns it into a delivery vehicle for code execution. Should your company allow AI browsers at all? Here is a practical answer.

Read →
2026-07-03

Consent in the Age of AI — and Why Your Company's Data Is Part of the Story

A new free tool, the Human Consent Registry, lets people tell AI systems whether they can use their identity. It is a useful signal for individuals — and a reminder that organizations must control, and secure, the data they feed into AI.

Read →
2026-06-29

NIS 2 and DORA Readiness — A Practical Place to Start

NIS 2 and DORA both raise the bar on cyber risk, incident reporting and accountability. Here is a clear, jargon-free way to see where you stand — plus a free checklist you can download and work through.

Read →
2026-06-27

When More Than 80% of Breaches Start With an Exposed Human

Most incidents no longer begin with a broken firewall — they begin with a person. Here is why human risk is now the decisive control for NIS 2 organizations, and how to manage it as behavior rather than awareness.

Read →
2026-06-25

Pentest vs vulnerability assessment — which do you need?

They are often confused, but they answer different questions. Here is when to use each — and why most teams need both.

Read →
2026-06-20

A 7-point NIS 2 readiness checklist

A practical, no-jargon checklist to gauge how ready your organization is for NIS 2 — and where to start.

Read →