<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>ClickSecure.AI Blog</title>
    <link>https://clicksecure.ai/blog</link>
    <description>Penetration testing, AI/LLM security, NIS 2 &amp; DORA, and human risk.</description>
    <language>en</language>
    <atom:link href="https://clicksecure.ai/feed.xml" rel="self" type="application/rss+xml"/>
    <item>
      <title>The Most Common API Security Flaws We Find in Pentests</title>
      <link>https://clicksecure.ai/blog/owasp-api-top-10-pentest-findings</link>
      <guid isPermaLink="true">https://clicksecure.ai/blog/owasp-api-top-10-pentest-findings</guid>
      <pubDate>Tue, 14 Jul 2026 09:00:00 GMT</pubDate>
      <description>APIs are where modern applications actually live. The browser is just a thin shell; the real logic, data and authorization decisions sit behind a growing surface of REST and GraphQL endpoints. That is also where we find the most impactful bugs during penetration tests. The OWASP API Security Top 10 (2023 edition) is a good map of the terrain, and after enough engagements the same handful of categories keep coming back.

#penetrationtesting #APIsecurity #OWASP #NET #RCE

https://clicksecure.ai/blog/owasp-api-top-10-pentest-findings</description>
      <category>penetration testing</category>
      <category>API security</category>
      <category>OWASP</category>
      <category>.NET</category>
      <category>RCE</category>
      <enclosure url="https://clicksecure.ai/images/blog/owasp-api-top-10-pentest-findings.png" type="image/png"/>
    </item>
    <item>
      <title>Device Code Phishing Is Up 37x — The MFA Bypass Your Awareness Training Doesn&apos;t Cover</title>
      <link>https://clicksecure.ai/blog/device-code-phishing-mfa-bypass</link>
      <guid isPermaLink="true">https://clicksecure.ai/blog/device-code-phishing-mfa-bypass</guid>
      <pubDate>Fri, 10 Jul 2026 09:00:00 GMT</pubDate>
      <description>Most phishing training teaches one lesson: check the URL before you type your password. Device code phishing wins precisely because the victim never types a password on a fake site. There is no lookalike login page to spot, and multi-factor authentication does not help. That is why it has quietly become one of the defining attack techniques of 2026.

#phishing #MFA #humanrisk #identity #awareness

https://clicksecure.ai/blog/device-code-phishing-mfa-bypass</description>
      <category>phishing</category>
      <category>MFA</category>
      <category>human risk</category>
      <category>identity</category>
      <category>awareness</category>
      <enclosure url="https://clicksecure.ai/images/blog/device-code-phishing-cover.png" type="image/png"/>
    </item>
    <item>
      <title>Poisoned AI Skills and Fake Exploit Repos — The New Supply Chain Attack on Your Team</title>
      <link>https://clicksecure.ai/blog/poisoned-ai-skills-supply-chain</link>
      <guid isPermaLink="true">https://clicksecure.ai/blog/poisoned-ai-skills-supply-chain</guid>
      <pubDate>Thu, 09 Jul 2026 09:00:00 GMT</pubDate>
      <description>Supply chain attacks used to mean poisoned npm packages and typosquatted Python libraries. In mid-2026, two campaigns showed the same playbook moving to two new targets: the skills your AI agents install, and the proof-of-concept code your security team downloads.

#supplychainsecurity #AIsecurity #malware #developers #agentskills

https://clicksecure.ai/blog/poisoned-ai-skills-supply-chain</description>
      <category>supply chain security</category>
      <category>AI security</category>
      <category>malware</category>
      <category>developers</category>
      <category>agent skills</category>
      <enclosure url="https://clicksecure.ai/images/blog/poisoned-skills-cover.png" type="image/png"/>
    </item>
    <item>
      <title>AI Agents Have an Identity Problem — and Attackers Already Know It</title>
      <link>https://clicksecure.ai/blog/ai-agent-identity-governance</link>
      <guid isPermaLink="true">https://clicksecure.ai/blog/ai-agent-identity-governance</guid>
      <pubDate>Wed, 08 Jul 2026 09:00:00 GMT</pubDate>
      <description>Every identity system your company runs — Active Directory, your IdP, your access reviews — rests on one quiet assumption: behind every account there is a human being whose status changes through HR events. Someone is hired, an account is provisioned. Someone changes roles, access is adjusted. Someone leaves, access is revoked.

#AIsecurity #identity #IAM #nonhumanidentities #governance

https://clicksecure.ai/blog/ai-agent-identity-governance</description>
      <category>AI security</category>
      <category>identity</category>
      <category>IAM</category>
      <category>non-human identities</category>
      <category>governance</category>
      <enclosure url="https://clicksecure.ai/images/blog/ai-agent-identity-cover.png" type="image/png"/>
    </item>
    <item>
      <title>Your AI Browser Can Be Talked Into Stealing Your Data — BioShocking and AutoJack Explained</title>
      <link>https://clicksecure.ai/blog/ai-browser-prompt-injection</link>
      <guid isPermaLink="true">https://clicksecure.ai/blog/ai-browser-prompt-injection</guid>
      <pubDate>Tue, 07 Jul 2026 09:00:00 GMT</pubDate>
      <description>AI browsers — Chrome-like products where an agent clicks, reads and fills forms for you — are moving into companies fast, often through employees who simply install them. Two pieces of research published in June 2026 show why security teams need a position on them now, not later.

#AIsecurity #promptinjection #agenticAI #browsersecurity #LLM

https://clicksecure.ai/blog/ai-browser-prompt-injection</description>
      <category>AI security</category>
      <category>prompt injection</category>
      <category>agentic AI</category>
      <category>browser security</category>
      <category>LLM</category>
      <enclosure url="https://clicksecure.ai/images/blog/ai-browser-cover.png" type="image/png"/>
    </item>
    <item>
      <title>FortiBleed — 110 Million Stolen Credentials, and Why Your Firewall Is the New Crown Jewel</title>
      <link>https://clicksecure.ai/blog/fortibleed-edge-devices</link>
      <guid isPermaLink="true">https://clicksecure.ai/blog/fortibleed-edge-devices</guid>
      <pubDate>Tue, 07 Jul 2026 09:00:00 GMT</pubDate>
      <description>For years the mental model was simple: the firewall protects the network. In 2026 the model needs an update, because the firewall — and every other internet-facing appliance — is increasingly the thing being attacked.

#networksecurity #ransomware #FortiGate #credentialtheft #incidentresponse

https://clicksecure.ai/blog/fortibleed-edge-devices</description>
      <category>network security</category>
      <category>ransomware</category>
      <category>FortiGate</category>
      <category>credential theft</category>
      <category>incident response</category>
      <enclosure url="https://clicksecure.ai/images/blog/fortibleed-cover.png" type="image/png"/>
    </item>
    <item>
      <title>The First AI-Run Ransomware Attack — What JADEPUFFER Means for Your Patching Priorities</title>
      <link>https://clicksecure.ai/blog/jadepuffer-ai-ransomware-patching</link>
      <guid isPermaLink="true">https://clicksecure.ai/blog/jadepuffer-ai-ransomware-patching</guid>
      <pubDate>Tue, 07 Jul 2026 09:00:00 GMT</pubDate>
      <description>On July 1, 2026, the Sysdig Threat Research Team published its analysis of what it assesses to be the first documented case of agentic ransomware — a complete extortion operation driven from start to finish by a large language model, with no human at the keyboard. The team named the operator JADEPUFFER. The techniques it used were not new or clever. What is new is that a machine strung them together into a full attack against a neglected, internet-facing server, on its own.

#ransomware #AI #vulnerabilitymanagement #patching #NIS2

https://clicksecure.ai/blog/jadepuffer-ai-ransomware-patching</description>
      <category>ransomware</category>
      <category>AI</category>
      <category>vulnerability management</category>
      <category>patching</category>
      <category>NIS 2</category>
      <enclosure url="https://clicksecure.ai/images/blog/jadepuffer-ai-ransomware-patching.png" type="image/png"/>
    </item>
    <item>
      <title>Consent in the Age of AI — and Why Your Company&apos;s Data Is Part of the Story</title>
      <link>https://clicksecure.ai/blog/ai-identity-consent-registry</link>
      <guid isPermaLink="true">https://clicksecure.ai/blog/ai-identity-consent-registry</guid>
      <pubDate>Fri, 03 Jul 2026 09:00:00 GMT</pubDate>
      <description>The debate about artificial intelligence has shifted. For a while the question was &quot;what can AI create?&quot; Increasingly it is &quot;whose name, face, voice and work was used to create it — and did they agree?&quot; In June 2026, that question got a concrete answer for individuals: the Human Consent Registry, a free tool to tell AI systems how — or whether — they may use your identity.

#AIsecurity #LLM #dataprotection #consent #EUAIAct

https://clicksecure.ai/blog/ai-identity-consent-registry</description>
      <category>AI security</category>
      <category>LLM</category>
      <category>data protection</category>
      <category>consent</category>
      <category>EU AI Act</category>
      <enclosure url="https://clicksecure.ai/images/blog/ai-consent-cover.png" type="image/png"/>
    </item>
    <item>
      <title>NIS 2 and DORA Readiness — A Practical Place to Start</title>
      <link>https://clicksecure.ai/blog/nis2-dora-readiness</link>
      <guid isPermaLink="true">https://clicksecure.ai/blog/nis2-dora-readiness</guid>
      <pubDate>Mon, 29 Jun 2026 09:00:00 GMT</pubDate>
      <description>Two EU frameworks are reshaping how organizations are expected to manage cyber risk: NIS 2 (Directive (EU) 2022/2555) and DORA (Regulation (EU) 2022/2554). They apply to different populations — NIS 2 to a broad set of essential and important entities across many sectors, DORA to financial entities and their ICT providers — but they pull in the same direction: measurable security measures, fast incident reporting, supply-chain scrutiny, and personal accountability for management.

#NIS2 #DORA #compliance #operationalresilience

https://clicksecure.ai/blog/nis2-dora-readiness</description>
      <category>NIS 2</category>
      <category>DORA</category>
      <category>compliance</category>
      <category>operational resilience</category>
      <enclosure url="https://clicksecure.ai/images/blog/nis2-dora-cover.png" type="image/png"/>
    </item>
    <item>
      <title>When More Than 80% of Breaches Start With an Exposed Human</title>
      <link>https://clicksecure.ai/blog/human-risk</link>
      <guid isPermaLink="true">https://clicksecure.ai/blog/human-risk</guid>
      <pubDate>Sat, 27 Jun 2026 09:00:00 GMT</pubDate>
      <description>For two decades, most security budgets flowed toward technical controls: firewalls, endpoint agents, segmentation, patching. Those controls still matter. But the dominant way into a modern organization is no longer an unpatched server — it is a person. When an employee clicks a crafted link, approves a fraudulent invoice, or reuses a password, the most expensive perimeter in the world is bypassed in seconds.

#NIS2 #humanrisk #securityawareness #phishing #DORA

https://clicksecure.ai/blog/human-risk</description>
      <category>NIS 2</category>
      <category>human risk</category>
      <category>security awareness</category>
      <category>phishing</category>
      <category>DORA</category>
    </item>
    <item>
      <title>Pentest vs vulnerability assessment — which do you need?</title>
      <link>https://clicksecure.ai/blog/pentest-vs-vulnerability-assessment</link>
      <guid isPermaLink="true">https://clicksecure.ai/blog/pentest-vs-vulnerability-assessment</guid>
      <pubDate>Thu, 25 Jun 2026 09:00:00 GMT</pubDate>
      <description>&quot;Pentest&quot; and &quot;vulnerability assessment&quot; are used interchangeably far too often. They are different tools for different jobs.

#penetrationtesting #vulnerabilityassessment

https://clicksecure.ai/blog/pentest-vs-vulnerability-assessment</description>
      <category>penetration testing</category>
      <category>vulnerability assessment</category>
    </item>
    <item>
      <title>A 7-point NIS 2 readiness checklist</title>
      <link>https://clicksecure.ai/blog/nis2-readiness-checklist</link>
      <guid isPermaLink="true">https://clicksecure.ai/blog/nis2-readiness-checklist</guid>
      <pubDate>Sat, 20 Jun 2026 09:00:00 GMT</pubDate>
      <description>NIS 2 raises the bar for cybersecurity across a much wider range of organizations than its predecessor. If you are not sure where you stand, this short checklist is a good place to start.

#NIS2 #compliance #DORA

https://clicksecure.ai/blog/nis2-readiness-checklist</description>
      <category>NIS 2</category>
      <category>compliance</category>
      <category>DORA</category>
    </item>
  </channel>
</rss>
