TL;DR Cobalt.io runs a credit-based pricing model at roughly $1,800 per credit, with most enterprise buyers spending between $15,000 and $40,000 per year. This guide breaks down how the credit model works, what drives total cost beyond the headline number, and how Cobalt’s pricing and value compare directly against Synack at a similar annual budget. […] The post Cobalt.io Pricing: What Cobalt Costs in 2026 (vs Synack) appeared first on Synack.
Cybersecurity News and Vulnerability Aggregator
Top Cybersecurity Stories Today
Microsoft on Tuesday said it's accelerating its quantum safe security roadmap, stating technology advances in quantum computing are making it essential to replace existing encryption standards sooner than previously expected. "Advances in quantum research and development have shifted the risk horizon," Mark Russinovich, chief technology officer of Microsoft Azure, said. "We believe
Citrix on Tuesday released security updates to address multiple flaws in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service (DoS) condition. The vulnerabilities are listed below - CVE-2026-8451 (CVSS score: 8.8) - An insufficient input validation
Two researchers have found six security flaws in AirDrop and Quick Share, the wireless features that beam files between nearby devices with no cables or shared network. An attacker within wireless range, with just a laptop and no prior connection, can crash the sharing service on a Mac or iPhone set to receive from anyone, with no tap or prompt. The same research found Quick Share flaws that
Latest
An unprivileged user inside a Lima QEMU guest could reach the root-owned guest-agent socket and run commands as root in the VM. Fixed in Lima v2.1.3. Lima scored it **High, CVSS 8.2** with Scope: Changed, reflecting that crossing from an unprivileged account to root within the VM crosses a security boundary that other components rely on. The full write-up is available on the Syntetisk blog.
Organizations have never had greater awareness of cyber risk. Yet turning that awareness into operational resilience has never been more challenging. The 2026 Bitdefender Cybersecurity Assessment confirms this is the case, as this year's findings reveal a series of surprising contradictions. Here are a few examples, based on the independent survey of 1,200 IT and cybersecurity professionals
A vulnerability in Apple’s “Hide My Email” tool lets almost anyone discover a person’s real email address that is supposed to be hidden by the feature, and Apple has failed to fix it for more than a year, according to a security researcher and 404 Media’s own tests.
A researcher found that using Anthropic’s Claude Opus 4.7, he could break into the website of Front Gate—used by every festival from Lollapalooza to Bonnaroo—and freely issue any ticket he chose.
Heimdal Launches MSP Onboarding Wizard to Help Partners Onboard Microsoft CSP Customers in 2 Minutes
COPENHAGEN, Denmark, 1 July 2026 – Heimdal today announced the launch of MSP Onboarding Wizard, a new capability that helps managed service providers onboard Microsoft Cloud Solution Provider (CSP) customers inside the Heimdal platform faster and with less manual work. Built for MSPs managing multiple Microsoft tenants, MSP Onboarding Wizard reduces customer onboarding from around […] The post Heimdal Launches MSP Onboarding Wizard to Help Partners Onboard Microsoft CSP Customers in 2 Minutes appeared first on Heimdal Security Blog.
Large language models keep inventing web addresses that do not exist. Attackers have started buying those made-up domains before anyone else can, then hosting phishing pages on them to catch traffic that AI tools point their way. Palo Alto Networks' Unit 42 calls the trick phantom squatting, and its new research shows it is already happening in the wild. The reason it matters is
Anthropic is putting Claude Fable 5 back online worldwide. On June 30, the U.S. Commerce Department lifted the export controls it had imposed on Fable and its more tightly controlled sibling Mythos 5 about two and a half weeks earlier. Fable 5 returns to users on Wednesday, July 1, across Claude.ai, the Claude Platform, Claude Code, and Claude Cowork. Export controls restrict who can
Cybersecurity researchers have warned of a "massive, ongoing, automated password spray attack" aimed at Microsoft's Azure command-line interface (CLI), compromising dozens of accounts in the process. The activity, per Huntress, originates from an IPv6 address range (2a0a:d683::/32) controlled by internet infrastructure provider LSHIY LLC (AS32167). "Between June 12 and June 26, the threat
ClickFix, the trick that fools people into running malware by hand, has quietly grown a back office. New research shows the malicious commands behind its fake "prove you're human" pages are now handed out by API-driven servers that give each visitor the same malware in a different disguise. The same research also turned up a new delivery method built to slip past Windows' script scanning.
Hi guys, I send out a weekly newsletter with the latest cybersecurity vendor reports and research, and thought you might find it useful, so sharing it here. All the reports and research below were published between June 22nd - June 28th. You can get the below into your inbox every week if you want: [https://www.cybersecstats.com/cybersecstatsnewsletter/](https://www.cybersecstats.com/cybersecstatsnewsletter/)

# Big Picture Reports

**The 2026 ExtraHop Global Threat Landscape Report (ExtraHop)**

A global threat report on top attack surfaces, the most prolific threat actors, the ransomware economy, and more.

**Key stats:**

* Adversaries maintained access to enterprise networks for nearly 2.5 weeks on average before being detected in ransomware incidents.
* Phishing and other forms of social engineering (35.8%) remain the most common point of entry for attackers targeting organizations.
* 40% of organizations were targeted by AI-enhanced external attacks that used AI-driven automation for reconnaissance, phishing, or rapid lateral movement.

*Read the full report* [*here*](https://www.cybersecstats.com/r/2330caa0?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# AI Security

**Quantifying Shadow AI Risk in the Browser (Neon Cyber)**

The gap between AI policy and what actually happens in the browser.

**Key stats:**

* 63% of U.S. knowledge workers report having a clear AI policy that they understand.
* Nearly 50% of workers who understand their organization's AI policy knowingly violate that policy by using unapproved AI tools.
* 63% of workers rate AI as either absolutely essential or very necessary to their jobs.

*Read the full report* [*here*](https://www.cybersecstats.com/r/d17a1934?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**The 2026 AI Accountability Report (GitLab)**

Everyone's generating AI code faster than they can review it.

**Key stats:**

* 80% of developers and technology buyers say their organization adopted AI tools faster than it developed policies to govern them.
* 92% report some form of governance challenge with AI-generated code.
* 34% of organizations that experienced a production incident in the past year cannot determine whether AI-generated code contributed to it.

*Read the full report* [*here*](https://www.cybersecstats.com/r/110ec26e?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**2026 Infrastructure Automation Report: The AI Readiness Gap (Spacelift)**

Most infrastructure leaders think they're ready for AI. The actual data doesn’t agree.

**Key stats:**

* 93% of organizations have experienced AI-caused infrastructure incidents.
* 86% of infrastructure leaders say they are confident in their organization's ability to govern AI, but only 30% have a formal AI governance policy in place.
* 33% of infrastructure teams would apply AI-generated infrastructure-as-code directly to production without any review.

*Read the full report* [*here*](https://www.cybersecstats.com/r/c47d679c?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**The Emerging Patch Gap (Tuskira)**

AI is finding vulnerabilities faster than anyone can fix them.

**Key stats:**

* In the first 63 days of the Anthropic Claude Mythos Preview, Mythos disclosed 1,596 verified vulnerabilities across 281 open-source projects.
* AI-driven discovery outpaces visible remediation by roughly 16.5 times, with about 25.3 disclosures per day versus about 1.5 patches per day.
* Only 6.1% of Mythos disclosures are marked as patched, despite 90.9% maintainer acknowledgment.

*Read the full report* [*here*](https://www.cybersecstats.com/r/a5ca2c65?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# AI and Security Testing

**AI and Pentesting Pulse Report 2026 (Cobalt)**

Automated scanning tools are missing critical vulnerabilities, so organizations are turning back to humans.

**Key stats:**

* 78% of organizations experienced fully automated scanning tools missing critical vulnerabilities and returning false negatives.
* 42% of security professionals plan to increase human-led red team operations.
* The mean time to resolve AI and LLM security issues is 36 days, up from 19 days in 2025.

*Read the full report* [*here*](https://www.cybersecstats.com/r/ef5ab28f?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**State of AI in Pentesting (Aikido)**

Everything you wanted to know about pen testing in the age of AI, from 400 security and engineering leaders.

**Key stats:**

* 20% suffered a serious incident linked to AI code.
* 71% say AI has made security incidents harder to detect, investigate, or fix.
* 79% are concerned about missing vulnerabilities introduced between scheduled tests.

*Read the full report* [*here*](https://www.cybersecstats.com/r/c1ea1d9b?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# Quantum Readiness

**PQC Adoption Gaps: 90% of Systems Are Still Not Quantum-Safe (Forescout)**

Post-quantum cryptography adoption is moving, but it’s not moving fast enough.

**Key stats:**

* Nearly 90% of SSH servers remain non-PQC-capable.
* Only 3% of identified servers running Dropbear (common in embedded devices) support PQC.
* In enterprise networks, IT devices most commonly support PQC on TLS at 8%, while IoT and IoMT are at 5.6% and OT is at 0.8%.

*Read the full report* [*here*](https://www.cybersecstats.com/r/8deedbfd?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# Industry Specific

**2026 Healthcare IT Landscape Report (Omega Systems)**

A report that benchmarks where healthcare organizations really stand on cybersecurity, compliance, vendor risk, and AI governance.

**Key stats:**

* 85% of healthcare practices experienced at least one operational disruption caused by a third-party or vendor-of-a-vendor failure in the past 12 months.
* 61% of healthcare practices expect a fatal cyberattack within five years.
* 76% say they are not ready for the proposed 2026 HIPAA Security Rule.

*Read the full report* [*here*](https://www.cybersecstats.com/r/b7c8edbf?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# Regional Spotlight

**2026 European Cyber Risk Report: Ransomware Is Escalating and Your Third Parties Are the Entry Point (Black Kite)**

The fastest way into a European business right now? Third parties.

**Key stats:**

* Ransomware attacks rose 55.1% year-over-year in the first four months of 2026.
* The Qilin ransomware group was linked to incidents in 26 of the 31 countries analyzed.
* Manufacturing was the most-affected sector at 27.9% of ransomware victims.

*Read the full report* [*here*](https://www.cybersecstats.com/r/ac51b776?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**Data Health Check 2026 (Databarracks)**

500 UK organisations on what's threatening their data and uptime.

**Key stats:**

* 30% of organisations cite cyber incidents as their biggest cause of IT downtime, ahead of hardware failure at 19%.
* 43% of large organisations reported losing data as a result of a cyber attack.
* 65% think a serious cyber attack could threaten their survival.

*Read the full report* [*here*](https://www.cybersecstats.com/r/0eb7ef3c?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*
Good news that these were discovered and removed. Those browser extensions were hiding in wait.

> Microsoft just pulled 119 extensions from the Edge add-on store, all tied to one campaign its researchers named StegoAd. The extensions were the kind people install without thinking twice. Ad blockers, VPNs, translators, video downloaders, calculators, coupon finders. Each one did the job it advertised, collected real reviews, and sat in the store for years. Between them they reached up to 2.6 million installs. Then, after a built-in delay, some of them woke up and started stealing Google passwords and the sign-in codes meant to protect them.

> The trick that names the campaign is steganography, hiding code inside a file that looks like an ordinary picture. The nefarious instructions were tucked into the image and font files the extension came with. The extension pulled that code out and ran it, but only after it had been installed for a while. A scanner checking the extension sees a translator and some images. The harmful part is not there to catch until the moment it runs.

> That delay was deliberate. Microsoft says the payload held back for days, checked whether it was being watched, and went dormant if developer tools were open. On some versions it only fired for about one in ten installs. So the 2.6 million is a ceiling, not a count of victims, and Microsoft does not know how many people were actually hit. What it does know: the same code that ran ad fraud in the background could harvest WordPress logins and grab your Google credentials at the moment you signed in.

> Microsoft ties StegoAd to a group it has tracked since at least 2021, the same operation researchers have linked to two earlier waves of poisoned extensions. The company removed all 119 and suspended more than 90 of the developer accounts behind them. It also published the technical fingerprints so Chrome, Firefox, and other browsers can check for the same thing.
New Microsoft research shows how attackers can hijack AI agents that act on a user's behalf, using nothing more than a poisoned tool description to make the agent quietly hand over company data to an outsider. The trick is that the agent never breaks a rule. Every step looks routine, so in a default setup no alarm may fire. The work comes from Microsoft Incident Response and its
A new two-stage malware family called RustDuck is hijacking home routers, IP cameras, Android boxes, and poorly secured servers, then stitching them into a network built to knock websites and online services offline. Researchers at QiAnXin's XLab have tracked it since February 2026, and say the real story is not how big it is today, but how fast it is changing. The end goal is a
Threat actors are continuing to exploit a critical Langflow vulnerability as part of fresh attacks designed to deliver a Monero cryptocurrency miner. The activity has been found to weaponize CVE-2026-33017 (CVSS score: 9.3), an unauthenticated remote code execution (RCE) vulnerability in Langflow, indicating threat actors are scanning and targeting exposed artificial intelligence (AI)
How's the view?! Back to business, it's now 8 years ago that Scott and I thought it would be a cool idea to build Why no HTTPS? We used the site to shame companies for not implementing transport layer security properly, and to make it a bit of fun, we shamed by country as well. This helped people jump on the bandwagon of giving their respective countries a little "encouragement", and we hope they'll do the same now with Why no Passkeys? Following my infamous phishing incident last year, I registered the domain with the intent of building the successor to the TLS version. However, due to a combination of me having no time and Scott getting very good with Claude Code, he's now stood up this project solo and done a wonderful job of it. Go and check it out, and give those big names from your country a little push.
Cybersecurity researchers have flagged an active browser extension campaign that is designed to steal cryptocurrency by stealthily replacing wallet addresses when unsuspecting users initiate a transaction. The cryptocurrency clipper activity has been codenamed Silent Swap by McAfee Labs. "The campaign is delivered through unsigned installers – observed in both .NET and Golang variants – that
The safety check that is supposed to stop an AI coding agent from running a dangerous command can be walked straight past using a shell trick that has been public for decades. New research from Adversa AI, which is named the bypass GuardFall, found it works against ten of the eleven popular open-source coding and computer-use agents the firm tested. Only one, "Continue," was built to
Researchers tested 444 AI chatbot apps for iPhone and found that 282 of them, nearly two-thirds, exposed paid AI access through their network traffic. In many cases, the path in was visible just by watching what the app sent: a plaintext API key, a reusable token, or a backend server that accepted requests with no key at all. Whoever grabs it can send model requests on the developer's account,
“Continuous” has become the most stretched word in offensive security. This guide breaks down what continuous penetration testing means, why most of the market doesn’t deliver it, and how Synack’s Sara is bringing always-on, human-validated testing to the enterprise. The post Continuous Penetration Testing: What Security Leaders Need to Know appeared first on Synack.
The FIFA World Cup 2026 opened on June 11. By that date, according to Check Point Research, the fraud infrastructure targeting it had already been built, staged, and partially deployed. Threat actor activity was pre-planned, months out, across three sectors and at least ten languages. Check Point Exposure Management published the FIFA World Cup 2026 Cyber Threat Report this month, covering
An unknown threat actor has been observed exploiting a recently disclosed maximum-severity security flaw in SimpleHelp to deliver two previously unreported malware families, TaskWeaver and Djinn Stealer. The intrusion involves the exploitation of CVE-2026-48558 (CVSS score: 10.0), a critical authentication bypass vulnerability impacting the OpenID Connect (OIDC) flow that an unauthenticated
https://mooofin.github.io/portfolio/blog/s4nct1m0ny.html Tutorials for ISF from kernel DWARF, for vol as well. loginwindow plaintext credential extraction, Chainbreaker 3DES keychain decryption, and a full RE of a Swift dropper using the machine Hardware UUID as the decryption key. I've tried to make it low on jargon and reader-friendly.
Convince an AI browser that it is playing a game, and it can hand over your login details. That is the finding behind BioShocking, a technique from security firm LayerX that tricked six AI browsers and assistants into copying a user's credentials and sending them to an attacker. The targets included OpenAI's ChatGPT Atlas, Perplexity's Comet, and Anthropic's Claude browser extension. An
A critical security flaw impacting Oracle E-Business Suite has come under active exploitation in the wild, according to Defused Cyber. The vulnerability, tracked as CVE-2026-46817 (CVSS score: 9.8), refers to an improper privilege management and authentication flaw in Oracle Payments that could be abused to take over susceptible instances. "Easily exploitable vulnerability allows
Hundreds of contractors working on a project for Meta pretended to be kids in order to see how other chatbots like Gemini and ChatGPT would respond to high-risk subjects, WIRED found.
Enterprise Tech In, Shell Out (Progress Kemp LoadMaster Uninitialized Heap to Pre-Auth RCE CVE-2026-8037)
Welcome back to another watchTowr Labs blog post. This time, we're looking at Progress Kemp LoadMaster, a load balancer that sits at the edge of a lot of enterprise networks. Edge appliances have a habit of becoming the way in rather than the thing keeping people out, and CVE-2026-8037 keeps that streak alive: a pre-authentication Remote Code Execution vulnerability accessible to anyone who can access the API. So, in probably a predictable turn of events, we're back doing what we do best.

What Is A Kemp LoadMaster, and What Is CVE-2026-8037?

Produced by Progress (of MOVEit fame), Kemp LoadMaster is a load balancer and application delivery controller (ADC) that distributes incoming network traffic across multiple servers to keep applications available, responsive, and scalable. Typically, beyond basic load balancing, it provides Layer 4 and Layer 7 traffic management, SSL/TLS offloading, content switching, health checking, and a built-in web application firewall (WAF) to protect against common threats. Why would you use it? Well, Progress has us covered here:
pagecache-lpe-containment-kit: Educational, defensive kit for two Linux page-cache-corruption LPEs (DirtyClone CVE-2026-43503, pedit COW CVE-2026-46331): hardening, detection, verification, seccomp + validation harness. Detection and prevention only — no exploit code. TLP:CLEAR.
WhatsApp on Monday officially announced the start of global reservations of usernames with an aim to protect the privacy of more than three billion users on the messaging platform. The optional feature is designed to help users connect with someone on the service through usernames, as opposed to directly sharing their phone numbers. Username reservations will start rolling out starting today,
Key Takeaways

This case was first reported to customers in a threat brief released in July 2025 and in a public flash alert in August 2025 in partnership with Swisscom B2B CSIRT, which observed another intrusion tied to the same campaign. This report contains data from both intrusions. We plan to release a DFIR Labs […] The post From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira appeared first on The DFIR Report.
Mozilla remains committed to maintaining a secure, trustworthy, and transparent Web PKI. Today we are announcing the publication of Mozilla Root Store Policy (MRSP) version 3.1, effective July 1, 2026. While previous policy updates focused heavily on certificate revocation, automation, and operational resilience, MRSP v3.1 focuses on a different challenge: ensuring that Certification Authority (CA) operations are sufficiently transparent, understandable, and auditable.

Trust in the Web PKI depends not only on technical requirements, but also on the ability of Mozilla, auditors, and the broader community to understand how CA systems are designed, operated, and assessed. MRSP v3.1 introduces new requirements intended to improve the quality of CA documentation and strengthen independent assurance of the design and effectiveness of controls that protect CA systems.

Improving CP/CPS Documentation

Certification Practice Statements (CPSes) and combined Certificate Policy / Certification Practice Statement documents (CP/CPSes) are among the most important public documents published by a CA. They describe how a CA conducts its operations and meets industry requirements. Over the years, we have seen significant variation in the quality, structure, and level of detail provided in CP/CPS documentation. Some documents provide extensive implementation detail, while others rely heavily on incorporation by reference or provide only high-level descriptions of CA practices.

The revised policy will continue to require conformance with RFC 3647, as modified by applicable CA/Browser Forum requirements. Improvements to section 3.3 in the MRSP will establish clearer expectations regarding the content and quality of CP/CPS documentation. The new requirements emphasize that documentation must be explicit, bounded, auditable, and sufficientl
Europe’s pro-competition proposals could see Google Search and Android systems opened up. The company claims there are serious privacy flaws.
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
Reverse-engineering VMware's encrypted + compressed VM memory checkpoint format (vTPM "partial" encryption)
> On June 18, an international police operation seized the servers behind the fake "update your browser" pop-up, the one that has been tricking people into installing malware since 2017. They took down 106 servers and domains and scrubbed the malware off 14,971 hacked websites.

> Dutch police, who led the operation, say the login details for 1.4 million websites were exposed in the process. The breach-notification service [Have I Been Pwned](https://haveibeenpwned.com/?ref=freshfromcache.com) was handed 154,000 email addresses and more than half a million passwords from the haul. Canada's federal police disinfected 2,488 computers and notified every Canadian victim they could identify.

> The Netherlands, the FBI, Germany, and Canada ran it together with Europol behind them, as part of an ongoing campaign called Operation Endgame that has spent two years knocking out malware services hundreds of servers at a time.

> SocGholish is tied to Evil Corp (yes, that's really their name), a Russian group that law enforcement knows well. The US, UK, and Australia have all sanctioned Evil Corp. Its alleged leader, Maksim Yakubets, carries a $5 million FBI bounty and is believed to have worked with Russian intelligence.
Reverse Engineering dobreprogramy.pl Bundler - Extracting Clean Download URLs Without Executing Adware
Plus: Former national security advisor John Bolton pleads guilty in classified-materials case, Microsoft helps take down major infostealer infrastructure, and more.
Recently I ran into a problem: I needed to analyze a VMware snapshot of a Windows 11 25H2 VM, but the VM had a vTPM, which makes VMware silently encrypt the .vmem/.vmsn/.vmss/.nvram. Volatility just couldn't find the kernel, and I couldn't find any existing tool to decrypt these files for offline analysis. So I reverse-engineered the format with the help of Claude and wrote one. It's called vmem-decrypt (pure Python):

- Recovers the data-file key from the VM password (PBKDF2 → AES-256-CBC key chain; VMware labels everything "XTS-AES-256" but it's actually CBC, which trips up most people).
- Decrypts .vmem/.vmsn/.vmss/.nvram.
- Flattens the decrypted .vmem into a flat, Volatility-ready image (VMware compresses then encrypts, so it's still in a proprietary checkpoint LZ77 layout).

Workflow: pull the password hash from the .vmx (VM-Password-Extractor) → crack with hashcat (mode 27400) → feed the password to the tool → run Volatility. Full steps + format notes in the README. Tested on VMware Workstation Pro 26H1 / Win11 25H2 (build 26100), Volatility 3. Feedback welcome, especially snapshots from other VMware versions to test the format against.

Repo: [https://github.com/heeeyaaaa/vmem-decrypt](https://github.com/heeeyaaaa/vmem-decrypt)

(Yes, I used AI to help build this. It's tested and it works, that's what matters. Happy to walk through any part of how it works.)
Seeking feedback: Searchable index of EXIF/IPTC/XMP metadata from 720M+ public images — potentially useful for digital forensics investigations
I've been building a tool called Image-Meta and would love feedback from people who actually do forensics work, since that's one of the primary use cases I'm trying to serve well.

**What it does:** Crawls and indexes the embedded metadata from publicly accessible images using ExifTool. Currently ~720 million images indexed with full EXIF/IPTC/XMP extraction.

**Forensics-relevant capabilities:**

**Device attribution**

- Search by camera serial number — link multiple images across different domains or accounts back to the same physical device
- Make/model filtering to narrow device type before drilling into serial

**Identity traces**

- Author, copyright, rights, and description fields often contain real names, emails, and organizational affiliations that subjects didn't know were there
- Software fields can expose Photoshop/Lightroom license strings, machine names, or internal workflow metadata

**Timeline reconstruction**

- foundDT = date we first indexed the image (earliest known appearance online)
- createDT / modifyDT = timestamps embedded in the file itself
- Useful for establishing when an image was created vs. when it first appeared publicly

**GPS / geospatial** (Not available to public without subscription)

- Coordinate + radius search for images taken near a location
- Reverse-geocoded address search
- Many images still carry precise GPS even when uploaded to platforms that claim to strip metadata

**What I'm looking for feedback on:**

- Are there metadata fields or query types that would make this more useful in an actual investigation workflow?
- Is the API structure (REST, Bearer token, field-level boolean search) something that integrates well with existing tooling?
- What's missing that you'd expect from a tool like this?

Not trying to sell anything here — genuinely want to understand what the forensics community needs before I build more features.
[https://image-meta.com](https://image-meta.com) API docs: [https://image-meta.com/api-docs](https://image-meta.com/api-docs)
Boards and CIOs are pushing security teams to build internal AI pentesting tools, but is it worth it? This piece walks through the five questions security teams should ask when deciding between build vs buy for AI pentesting. The post Considering Build vs. Buy for AI Pentesting? Top 5 Questions to Ask appeared first on Synack.
Exposed records from the private group included the personal information of a senior White House intelligence official and an active-duty special operations officer.
AI has handed hackers a resource advantage. Winning it back means spending your own resources far more precisely, and that’s the strategy we call Dynamic Defense. The principle is simple. Contain the threat just enough, for just long enough, until the risk is removed. This piece shows how that works as a five-stage loop that […] The post How Dynamic Defense shuts an attacker out without shutting down the business appeared first on Heimdal Security Blog.
AI has flipped the economics of cybersecurity in the attacker’s favor. For most of the last decade, defenders held the cost advantage, buying down their risk with a stack of largely static controls. That advantage is gone, and winning it back is the central problem facing every security team in 2026. I think the answer […] The post Static security has run out of road. The case for Dynamic Defense appeared first on Heimdal Security Blog.
The Cyber Resilience Act (CRA) is a regulation introduced by the European Union to strengthen cybersecurity requirements for products with digital elements. In simple terms, the CRA sets mandatory cybersecurity rules for hardware and software sold in the EU. This includes everything from connected devices (IoT) to operating systems and even stand-alone software. Importantly, this concerns any company that wants to sell its products into the EU, regardless of whether that company is based in the EU or not. The goal is to ensure that digital products placed on the EU market are secure by design and by default and remain secure over time. That also means the CRA does not stop at the launch of a product: it covers the entire lifecycle, from design and development through updates and vulnerability management, and it places obligations on everyone in the product pipeline (manufacturers, importers and distributors). The CRA entered into force on 10 December 2024, meaning it is already law in the EU, although most obligations are not yet applicable. The implementation is phased. From 11 September 2026, companies will need to comply with certain reporting obligations, particularly the notification of actively exploited vulnerabilities and severe incidents. From 11 December 2027, the CRA will be fully applicable. Products with digital elements placed on the market before 11 December 2027 are not subject to the CRA unless, from that date, they undergo a substantial modification. Reporting obligations, however, apply to all products with digital elements that have been made available on the Union market, including those already placed on the market before 11 December 2027. Preparing for the CRA is ultimately not just about interpreting legal text, but about translating regulatory expectations into concrete t
Release of GuardDog 3.0, an open-source tool to identify malicious packages, featuring a new YARA-based rules engine, a risk scoring engine, and built-in sandboxing.
We're sharing two headline numbers as an early look at our State of Continuous Security Validation report before the full analysis lands in July. It turns out 95% of security teams discover high or critical vulnerabilities outside their scheduled testing windows, proof that cadence alone is no longer a reliable measure of coverage. The post The State of Continuous Security Validation: An Early Look at the Data appeared first on Synack.
As UK police embrace the AI revolution, a WIRED investigation reveals the messy inside story of one region’s experiment with predictive analytics.
TL;DR Most attack surface management tools solve only half the problem: they map what's exposed and stop there, leaving security teams to guess which findings actually matter. This review ranks the top 10 ASM platforms for 2026 on discovery breadth, exploit validation, and how well each holds up inside a real security program. Synack leads […] The post Best Attack Surface Management Tools in 2026 (Top 10, Reviewed) appeared first on Synack.
Open bug bounty programs are buckling under AI-generated noise, triage overload, and coverage blind spots. Synack's PTaaS platform and security researchers on the Synack Red Team preserve what works about incentivized research while fixing what doesn't. The post The Bug Bounty Model Is Failing. It's Time to Say It Out Loud. appeared first on Synack.