
Security Operations | Breaking Cybersecurity News | The Hacker News

Category — Security Operations
Webinar: How to Automate Exposure Validation to Match the Speed of AI Attacks
Apr 29, 2026 Artificial Intelligence / Exposure Validation
In February 2026, researchers uncovered a shift that completely changed the game: threat actors are now using custom AI setups to automate attacks directly into the kill chain. We aren't just talking about AI writing better phishing emails anymore. We’re talking about autonomous agents mapping Active Directory and seizing Domain Admin credentials in minutes. The problem? Most defensive workflows still look like this: your CTI team finds a threat, they pass it to the Red Team to test, and eventually, the results reach the Blue Team for patching. This process is full of friction, silos, and delays. The reality is simple: You cannot fight an AI adversary moving at machine speed when your defense moves at the speed of a calendar invite. To bridge this gap, we’re hosting a technical deep dive with the team at Picus Security to unveil a new defensive paradigm: Autonomous Exposure Validation. Register for the Webinar Here ➜ Leading this session are Kevin Cole (VP of Produc...
What to Look for in an Exposure Management Platform (And What Most of Them Get Wrong)
Apr 29, 2026 Exposure Management / Security Operations
Every security team has a version of the same story. The quarter ends with hundreds of vulnerabilities closed. The dashboards are bursting with green. Then someone in a leadership meeting asks: "So, are we actually safer now?" Crickets. The room goes quiet because an honest answer requires context – which is something that patch counts and CVSS scores were never designed to provide. Exposure management was created to provide this context - to bridge the gap between remediation efforts and actual risk reduction. The market has responded with a flood of platforms claiming to deliver it. Yet the question security leaders are asking is: which exposure management platform actually does provide it? In this article, I’ll break down the four dominant approaches to exposure management, explain what each one can and can't deliver, and lay out five evaluation criteria that help you separate platforms built to reduce risk to your unique business and environment from platforms ...
Mythos Changed the Math on Vulnerability Discovery. Most Teams Aren't Ready for the Remediation Side
Apr 27, 2026 Artificial Intelligence / Enterprise Security
Anthropic’s Claude Mythos Preview has dominated security discussions since its April 7 announcement. Early reporting describes a powerful cybersecurity-focused AI system capable of identifying vulnerabilities at scale and raising serious questions about how quickly organizations can validate, prioritize, and remediate what it finds. The debate that followed has mostly focused on the right questions: Is this a step-change or an incremental advance? Does restricting access to Microsoft, Apple, AWS, and JPMorgan actually reduce risk, or does it just concentrate defensive advantage among the already-well-defended? What happens when adversaries—state actors, criminal enterprises—build equivalent capability? These are important. But there's a quieter operational problem that's getting less airtime, and it's the one that will actually determine whether most organizations survive this shift. The Discovery-to-Remediation Gap The Mythos announcement, and the broader AI security...
The Hidden Cost of Cybersecurity Specialization: Losing Foundational Skills
Mar 24, 2026 Security Operations / Network Security
Cybersecurity has changed fast. Roles are more specialized, and tooling is more advanced. On paper, this should make organizations more secure. But in practice, many teams struggle with the same basic problems they faced years ago: unclear risk priorities, misaligned tooling decisions, and difficulty explaining security issues in terms the business understands. These challenges do not usually come from a lack of effort. They emerge from something more subtle, a gradual loss of foundational understanding as specialization accelerates. Specialization itself is not the problem. A lack of context is. When security teams do not have a shared understanding of how the business, systems, and risks fit together, even strong technical execution starts to break down. Over time, that gap shows up in the way programs are designed, tools are chosen, and incidents are handled. Unfortunately, I’ve seen this pattern repeatedly when assisting with ...
Can the Security Platform Finally Deliver for the Mid-Market?
Mar 09, 2026 Endpoint Security / Security Operations
Mid-market organizations are constantly striving to achieve security levels on a par with their enterprise peers. With heightened awareness of supply chain attacks, your customers and business partners are defining the security level you must meet. What if you could be the enabler for your organization to remain competitive — and help win business — by easily demonstrating that you meet these strict security levels? The challenge, of course, is how to do so with a small budget and a lean IT and security team. The security platform has long been seen as the mechanism for reducing complexity by consolidating security tools. However, it has never really lived up to its promise. Or has it? An upcoming webinar explores whether the security platform model can finally deliver on its original vision — simplifying operations, reducing cost, and strengthening security posture for mid-market organizations. Join Bitdefender to learn how Bitdefender GravityZone is making the dream of afforda...
My Day Getting My Hands Dirty with an NDR System
Feb 17, 2026 Network Security / Threat Detection
My objective As someone relatively inexperienced with network threat hunting, I wanted to get some hands-on experience using a network detection and response (NDR) system. My goal was to understand how NDR is used in hunting and incident response, and how it fits into the daily workflow of a Security Operations Center (SOC). Corelight’s Investigator software, part of its Open NDR Platform, is designed to be user-friendly (even for junior analysts) so I thought it would be a good fit for me. I was given access to a production version of Investigator that had been loaded with pre-recorded network traffic. This is a common way to learn how to use this type of software. While I’m new to threat hunting, I do have experience looking at network traffic flows. I was even an early user of one of the first network traffic analyzers called Sniffer. Sniffers were specialized PCs equipped with network adapters designed to capture traffic and packets. These computers were the foundation on whi...
How Top CISOs Solve Burnout and Speed up MTTR without Extra Hiring
Feb 09, 2026 Threat Detection / Security Operations
Why do SOC teams keep burning out and missing SLAs even after spending big on security tools? Routine triage piles up, senior specialists get dragged into basic validation, and MTTR climbs, while stealthy threats still find room to slip through. Top CISOs have realized the solution isn’t hiring more people or stacking yet another tool onto the workflow, but giving their teams faster, clearer behavior evidence from the start. Here’s how they’re breaking the cycle and speeding up response without extra hiring. Starting with Sandbox-First Investigation to Cut MTTR at the Source The fastest way to reduce MTTR is to remove the delays baked into investigations. Static verdicts and fragmented workflows force analysts to guess, escalate, and re-check the same alerts, which drives burnout and slows containment. That’s why top CISOs are making sandbox execution the first step. With an interactive sandbox like ANY.RUN, teams can detonate suspicious files and links in an isolated environme...
Orchid Security Introduces Continuous Identity Observability for Enterprise Applications
Feb 04, 2026 Identity Security / Security Operations
An innovative approach to discovering, analyzing, and governing identity usage beyond traditional IAM controls. The Challenge: Identity Lives Outside the Identity Stack Identity and access management tools were built to govern users and directories. Modern enterprises run on applications. Over time, identity logic has moved into application code, APIs, service accounts, and custom authentication layers. Credentials are embedded. Authorization is enforced locally. Usage patterns change without review. These identity paths often operate outside the visibility of IAM, PAM, and IGA. For security and identity teams, this creates a blind spot - what we call Identity Dark Matter. This dark matter is responsible for the identity risk that cannot be directly observed. Why Traditional Approaches Fall Short Most identity tools rely on configuration data and policy models. That works for managed users.
The First 90 Seconds: How Early Decisions Shape Incident Response Investigations
Feb 04, 2026 Threat Hunting / Digital Forensics
Many incident response failures do not come from a lack of tools, intelligence, or technical skills. They come from what happens immediately after detection, when pressure is high, and information is incomplete. I have seen IR teams recover from sophisticated intrusions with limited telemetry. I have also seen teams lose control of investigations they should have been able to handle. The difference usually appears early. Not hours later, when timelines are built, or reports are written, but in the first moments after a responder realizes something is wrong. Those early moments are often described as the first 90 seconds. However, taken too literally, that framing misses the point. This is not about reacting faster than an attacker or rushing to action. It is about establishing direction before assumptions harden and options disappear. Responders make quiet decisions right away, like what to look at first, what to preserve, and whether to treat the issue as a single system problem o...
3 Decisions CISOs Need to Make to Prevent Downtime Risk in 2026
Jan 29, 2026 Threat Intelligence / Incident Response
Beyond the direct impact of cyberattacks, enterprises suffer from a secondary but potentially even more costly risk: operational downtime, any amount of which translates into very real damage. That’s why for CISOs, it’s key to prioritize decisions that reduce dwell time and protect their company from risk. Three strategic steps you can take this year for better results: 1. Focus on today's actual business security risks Any efficient SOC is powered by relevant data. That’s what makes targeted, prioritized action against threats possible. Public or low-quality feeds may have been sufficient in the past, but in 2026, threat actors are more funded, coordinated, and dangerous than ever. Accurate and timely information is a deciding factor when counteracting them. It’s the lack of relevant data that doesn’t allow SOCs to maintain focus on the real risks relevant here and now. Only continuously refreshed feeds sourced from active threat investigations can enable smart, proactive ac...
CTEM in Practice: Prioritization, Validation, and Outcomes That Matter
Jan 27, 2026 Attack Surface Management / Cyber Risk
Cybersecurity teams increasingly want to move beyond looking at threats and vulnerabilities in isolation. It’s not only about what could go wrong (vulnerabilities) or who might attack (threats), but where they intersect in your actual environment to create real, exploitable exposure. Which exposures truly matter? Can attackers exploit them? Are our defenses effective? Continuous Threat Exposure Management (CTEM) can provide a useful approach to the cybersecurity teams in their journey towards unified threat/vulnerability or exposure management. What CTEM Really Means CTEM, as defined by Gartner, emphasizes a ‘continuous’ cycle of identifying, prioritizing, and remediating exploitable exposures across your attack surface, which improves your overall security posture as an outcome. It’s not a one-off scan and a result delivered via a tool; it’s an operational model built on five steps: Scoping – assess your threats and vulnerabilities and identify what’s most important: assets, ...
Exposure Assessment Platforms Signal a Shift in Focus
Jan 21, 2026 Vulnerability Management / Threat Modeling
Gartner® doesn’t create new categories lightly. Generally speaking, a new acronym only emerges when the industry's collective "to-do list" has become mathematically impossible to complete. And so it seems that the introduction of the Exposure Assessment Platforms (EAP) category is a formal admission that traditional Vulnerability Management (VM) is no longer a viable way to secure a modern enterprise. The shift from the traditional Market Guide for Vulnerability Assessment to the new Magic Quadrant for EAPs represents a move away from the "vulnerability hose", i.e., the endless stream of CVEs, and toward a model of Continuous Threat Exposure Management (CTEM). To us, this is more than just a change in terminology; it is an attempt to solve the "Dead End" paradox that has plagued security teams for a decade. In the inaugural Magic Quadrant report of this category, Gartner evaluated 20 vendors for their ability to support continuous discovery, ris...
The ROI Problem in Attack Surface Management
Jan 02, 2026 Cloud Security / Security Operations
Attack Surface Management (ASM) tools promise reduced risk. What they usually deliver is more information. Security teams deploy ASM, asset inventories grow, alerts start flowing, and dashboards fill up. There is visible activity and measurable output. But when leadership asks a simple question, “Is this reducing incidents?” the answer is often unclear. This gap between effort and outcome is the core ROI problem in attack surface management, especially when ROI is measured primarily through asset counts instead of risk reduction. The Promise vs. The Proof Most ASM programs are built around a reasonable idea: you can’t protect what you don’t know exists. As a result, teams focus on discovery: domains and subdomains, IPs and cloud resources, third-party infrastructure, and transient or short-lived assets. Over time, counts increase. Dashboards are trending upward. Coverage improves. But none of those metrics directly answer whether the organization i...
How to Integrate AI into Modern SOC Workflows
Dec 30, 2025 Threat Hunting / Artificial Intelligence
Artificial intelligence (AI) is making its way into security operations quickly, but many practitioners are still struggling to turn early experimentation into consistent operational value. This is because SOCs are adopting AI without an intentional approach to operational integration. Some teams treat it as a shortcut for broken processes. Others attempt to apply machine learning to problems that are not well defined. Findings from our 2025 SANS SOC Survey reinforce that disconnect. A significant portion of organizations are already experimenting with AI, yet 40 percent of SOCs use AI or ML tools without making them a defined part of operations, and 42 percent rely on AI/ML tools “out of the box” with no customization at all. The result is a familiar pattern. AI is present inside the SOC but not operationalized. Analysts use it informally, often with mixed reliability, while leadership has not yet established a consistent model for where AI belongs, how its output should be valida...
Fix SOC Blind Spots: See Threats to Your Industry & Country in Real Time
Dec 17, 2025 Threat Intelligence / Endpoint Security
Modern security teams often feel like they’re driving through fog with failing headlights. Threats accelerate, alerts multiply, and SOCs struggle to understand which dangers matter right now for their business. Breaking out of reactive defense is no longer optional. It’s the difference between preventing incidents and cleaning up after them. Below is the path from reactive firefighting to a proactive, context-rich SOC that actually sees what’s coming. When the SOC Only Sees in the Rear-View Mirror Many SOCs still rely on a backward-facing workflow. Analysts wait for an alert, investigate it, escalate, and eventually respond. This pattern is understandable: the job is noisy, the tooling is complex, and alert fatigue bends even the toughest teams into reactive mode. But a reactive posture hides several structural problems: No visibility into what threat actors are preparing. Limited ability to anticipate campaigns targeting the organization’s sector. Inability to adjust defenses...
Webinar: How Attackers Exploit Cloud Misconfigurations Across AWS, AI Models, and Kubernetes
Dec 10, 2025 Cloud Security / Threat Detection
Cloud security is changing. Attackers are no longer just breaking down the door; they are finding unlocked windows in your configurations, your identities, and your code. Standard security tools often miss these threats because they look like normal activity. To stop them, you need to see exactly how these attacks happen in the real world. Next week, the Cortex Cloud team at Palo Alto Networks is hosting a technical deep dive to walk you through three recent investigations and exactly how to defend against them. Secure your spot for the live session ➜ What Experts Will Cover This isn't a high-level overview. We are looking at specific, technical findings from the field. In this session, our experts will break down three distinct attack vectors that are bypassing traditional security right now: AWS Identity Misconfigurations: We will show how attackers abuse simple setup errors in AWS identities to gain initial access without stealing a single password. Hiding in A...
Chopping AI Down to Size: Turning Disruptive Technology into a Strategic Advantage
Dec 03, 2025 Security Operations / Artificial Intelligence
Most people know the story of Paul Bunyan. A giant lumberjack, a trusted axe, and a challenge from a machine that promised to outpace him. Paul doubled down on his old way of working, swung harder, and still lost by a quarter inch. His mistake was not losing the contest. His mistake was assuming that effort alone could outmatch a new kind of tool. Security professionals are facing a similar moment. AI is our modern steam-powered saw. It is faster in some areas, unfamiliar in others, and it challenges a lot of long-standing habits. The instinct is to protect what we know instead of learning what the new tool can actually do. But if we follow Paul’s approach, we’ll find ourselves on the wrong side of a shift that is already underway. The right move is to learn the tool, understand its capabilities, and leverage it for outcomes that make your job easier. AI's Role in Daily Cybersecurity Work AI is now embedded in almost every security product we touch. Endpoint protection platfor...
SecAlerts Cuts Through the Noise with a Smarter, Faster Way to Track Vulnerabilities
Dec 02, 2025 Vulnerability Management / Threat Intelligence
Vulnerability management is a core component of every cybersecurity strategy. However, businesses often use thousands of software products without realising it (when was the last time you checked?), and keeping track of all the vulnerability alerts, notifications, and updates can be a burden on resources and often leads to missed vulnerabilities. Taking into account that nearly 10% of vulnerabilities were exploited in 2024, a multitude of possible – detrimental – breaches could occur if immediate remediation doesn’t take place. Businesses need a service that delivers relevant and actionable vulnerability information as soon as possible, saving your business valuable time and resources. Traditional vulnerability management products are often expensive and come with a suite of services, many of which are not needed by businesses, especially those on a budget. A Smarter Way to Track Vulnerabilities SecAlerts is streamlined, easy-to-use, affordable and works in the background 24/7. It ma...
[Webinar] Learn How Leading Security Teams Reduce Attack Surface Exposure with DASR
Nov 12, 2025 Threat Detection / Risk Management
Every day, security teams face the same problem—too many risks, too many alerts, and not enough time. You fix one issue, and three more show up. It feels like you’re always one step behind. But what if there was a smarter way to stay ahead—without adding more work or stress? Join The Hacker News and Bitdefender for a free cybersecurity webinar to learn about a new approach called Dynamic Attack Surface Reduction (DASR) —a method that helps security teams close gaps before attackers even find them. Most tools today only tell you what’s wrong. They scan, report, and give you long lists of problems. But they don’t help you fix them fast enough. The truth is, the attack surface keeps changing—new apps, cloud systems, remote devices, misconfigurations. It never stops. Attackers only need one open door. And that’s why traditional defenses often fail—they react too slowly. Meet DASR: A Smarter Way to Stay Safe Dynamic Attack Surface Reduction (DASR) changes how we defend. Instead o...
Securing AI to Benefit from AI
Oct 21, 2025 Artificial Intelligence / Security Operations
Artificial intelligence (AI) holds tremendous promise for improving cyber defense and making the lives of security practitioners easier. It can help teams cut through alert fatigue, spot patterns faster, and bring a level of scale that human analysts alone can’t match. But realizing that potential depends on securing the systems that make it possible. Every organization experimenting with AI in security operations is, knowingly or not, expanding its attack surface. Without clear governance, strong identity controls, and visibility into how AI makes its decisions, even well-intentioned deployments can create risk faster than they reduce it. To truly benefit from AI, defenders need to approach securing it with the same rigor they apply to any other critical system. That means establishing trust in the data it learns from, accountability for the actions it takes, and oversight for the outcomes it produces. When secured correctly, AI can amplify human capability instead of replacing it t...