The Hacker News | Expert Insights — Index Page

Reachability has quickly become one of the latest buzzwords in cybersecurity, but every vendor means something slightly different by the term. In part one of this series, I argued that reachability is really about only showing exploitable vulnerabilities. In part two , I compared runtime and static reachability to determine that if the goal of reachability analysis is to only fix exploitable vulnerabilities, only runtime reachability will get us there. The final question to address is, "Which type of runtime reachability is the right kind?" In 2025, almost every vendor uses the term reachability, alongside a nifty funnel showing your vulnerability count going down, but vendors almost always mean different things by the term. In this article, we'll explore the complexity of reachability types, and how while there's no silver bullet, function level reachability for vulnerabilities is the best overall answer to the problem. Flavors of Runtime Reachability All excalidraws are availab...

Your identity environment holds the keys to your most critical data in the form of privileged accounts. Industry consolidation and a desire for company growth both often lead to mergers or acquisitions which, if not managed closely, can wreak havoc on an identity landscape. Mergers of identity environments create a glut of identities and identity accounts to manage, some of which may be redundant. They also introduce new 3rd parties, contractors and non-human identities like service accounts, bots etc.... into the equation. In addition, a merger or acquisition could hybridize the identity landscape, adding Cloud applications to on-prem resources, and vice versa. All of this increases the attack surface if not managed properly. As the two companies determine how to best work together, there is a level of uncertainty that can result in temporary measures as a stop-gap. Temporary access is often granted to provide employee, contractor and third party access to applications and privile...

Sub: GenAI is here to stay. The organizations that thrive will be those that understand its risks, implement the right safeguards, and empower their employees to harness it safely and responsibly. For many people, generative AI (GenAI) began as personal experimentation in homes and on personal devices. Now, however, AI has become deeply ingrained in workplace habits, creating productivity gains, but also exposing organizations to significant security gaps. Sensitive company data, inadvertently or otherwise, regularly finds its way into public AI systems, leaving IT and cybersecurity leaders scrambling to respond. Once proprietary data is processed by a public AI tool, it may become part of the model's training data, serving other users down the line. For example, in March 2023, a multinational electronics manufacturer was reported to have experienced several incidents of employees entering confidential data, including product source code, into ChatGPT. Generative AI applications, su...

As AI continues to make inroads into enterprise security, it's easy to see the appeal: faster triage, smarter detection, and fewer manual workflows. From SOAR platforms streamlining alerts to AI-enhanced identity systems approving access requests in milliseconds, the value proposition is clear — greater efficiency, speed, and scale. But here's the rub: speed without scrutiny can lead to security drift. AI is a powerful enabler, not an autonomous guardian. And in corporate security — where stakes include sensitive employee data, internal intellectual property, and privileged infrastructure — the absence of human oversight isn't just risky; it's potentially catastrophic. AI as a Copilot, Not a Commander In modern corporate security environments, AI-driven tooling is increasingly embedded into day-to-day operations. Triage systems leverage AI to correlate alerts, automation scripts to remediate routine issues, and IAM platforms auto-approve low-risk access. These advancements undenia...

Salesforce Is Mission-Critical, but That Doesn't Mean It's Protected At the beating heart of customer operations, the scope of Salesforce goes well and beyond traditional customer relationship management (CRM) systems. As a system of records, a sales engine, a service dashboard, and a repository for years of business-critical insight, deals flow through it continuously. Strategies depend on it. Customer relationships live or die by what they contain.  Yet, despite this, a dangerous misconception persists: "It's in the cloud, so it must be safe." Unfortunately, this assumption is as costly as it is common.  Here's the reality. Salesforce operates under a shared responsibility model , meaning your cloud provider — in this case, Salesforce — is responsible for platform uptime, infrastructure integrity, and security of the cloud. But you, the customer, are responsible for its actual content (your data, your metadata, and your configurations). So, while Salesforce protects th...

Compliance is often treated as a paper exercise, something to tolerate, check off and forget. But in a threat landscape shaped by ransomware-as-a-service, AI-augmented phishing campaigns, and supply chain breaches, delaying compliance doesn't just create business and operational friction. It creates risk.  When compliance is layered late, organizations face mounting costs: duplicated controls, misaligned security priorities, reactive remediation efforts, and worst of all, security blind spots that attackers can exploit. Treating compliance as an afterthought is a gamble.  In this post, we highlight the real cost of sidelining compliance and why embedding compliance into your security strategy from the start is not just good hygiene, it's essential engineering.  Security and Compliance: Not Opposites, but Allies It's easy to think of security as "protecting" and compliance as "documenting". But that split is artificial. Frameworks like ISO/IEC 27001, NIST CSF, PCI ...

There's a war raging in the heart of every developer. On one side, you have the id: the impulse-driven creative force that wants to code at the speed of thought and would prefer to deploy first and ask questions later. On the other side, there's the superego, which wants to test every line of code and would push a release by a month if it meant catching one extra bug.  Experienced developers know how to act as a referee between these two forces and find the right balance between speed and security. But inexperienced or overworked devs often put their id in the driver's seat, which leads (among other things) to accidentally leaking developer secrets. These secrets include things like API and SSH keys, unencrypted credentials, and authentication tokens. Calling developer secrets "the keys to the kingdom" is something of a cliche, but it's tough to think of another phrase that accurately captures the unique power of this data. Unfortunately, the people who most appreciate the pow...

For businesses, compliance with regulations can often appear to be restrictive, and costly and reduce the speed of business. It's still necessary to create an environment that protects not only internal data but also external constituents like partners and customers. Highly regulated industries, such as healthcare and finance, are often faced with a variety of regulations that vary by geography and can carry steep penalties and consequences for noncompliance. Most companies struggle to comply with regulations. In fact, Business Wire estimates that " 71% of companies could potentially fail a cyber audit , which often includes identity management aspects".   What are some key compliance challenges your business may face?  Errors and inconsistencies resulting from repetitive manual processes Complex, evolving regulations that make compliance challenging Siloed environments and processes, often involving incompatible tools, or processes that do not match execution Difficu...

With thousands of endpoints, cloud instances, remote users, and third-party integrations, securing the enterprise has become a massive target. Each change in the IT environment - whether driven by digital transformation, M&A activity, or routine system updates - creates new opportunities for adversaries to leverage. Yet, the network is the backbone of business operations. It must always be available to support production, collaboration, and growth.  In this article, we'll explore the specific challenges large enterprises face when validating their security posture and how leading security teams are evolving their testing strategies to match the scale, speed, and sophistication of large, multi-faceted IT networks.  The Challenges of Validating Enterprise Network Security Enormous attack surface - In large enterprises, the attack surface spans countless assets across on-prem, cloud, and hybrid environments, making comprehensive security validation incredibly complex. Ac...

Identity Is the New Perimeter—And It's Fractured In 2025, identity isn't just a security issue—it's the battleground. And too many organizations are getting caught flat-footed. Organizations today must reckon with complex hybrid environments that contain interconnected endpoints, servers, cloud services, DevOps systems, identity infrastructure, and much more. And with enterprise systems no longer fitting neatly into a single network perimeter, the identities used to interact with these systems have become the new perimeter.  A strong cybersecurity foundation starts with clear visibility that puts risk in content. Identity security is no different. However, in practice, identity management systems are anything but centralized. Building IDs and access to physical offices are handled by one system. Logins to Windows machines are generally managed with Windows domains and Active Directory—but what about Macs and Linux machines? Companies use Okta, Ping Identity, or the equivalent ...