Cybersecurity News and Vulnerability Aggregator

Cybersecurity news aggregator

Top Cybersecurity Stories Today

Synack Jun 25

TL;DR Cobalt.io runs a credit-based pricing model at roughly $1,800 per credit, with most enterprise buyers spending between $15,000 and $40,000 per year. This guide breaks down how the credit model works, what drives total cost beyond the headline number, and how Cobalt’s pricing and value compare directly against Synack at a similar annual budget. […] The post Cobalt.io Pricing: What Cobalt Costs in 2026 (vs Synack) appeared first on Synack.

The Hacker News 7h ago

Cybersecurity researchers have flagged an active browser extension campaign that is designed to steal cryptocurrency by stealthily replacing wallet addresses when unsuspecting users initiate a transaction. The cryptocurrency clipper activity has been codenamed Silent Swap by McAfee Labs. "The campaign is delivered through unsigned installers – observed in both .NET and Golang variants – that

The Hacker News 14h ago

Two researchers have found six security flaws in AirDrop and Quick Share, the wireless features that beam files between nearby devices with no cables or shared network. An attacker within wireless range, with just a laptop and no prior connection, can crash the sharing service on a Mac or iPhone set to receive from anyone, with no tap or prompt. The same research found Quick Share flaws that

Trail of Bits 12h ago

Post-quantum cryptography is now one pip-install away for the entire Python ecosystem. With funding from the Sovereign Tech Agency, we implemented support for ML-KEM, the NIST-standard key-establishment primitive, and ML-DSA, the NIST-standard digital-signature primitive, in pyca/cryptography. On June 22, 2026, the White House ordered the U.S. government to accelerate its transition to post-quantum cryptography. The order says large-scale quantum computers, especially in adversarial hands, will threaten widely used cryptographic systems, and that attackers may already be collecting encrypted data now so they can decrypt it later. It also sets concrete migration deadlines: high-value and high-impact federal systems must use post-quantum key establishment by December 31, 2030, and post-quantum digital signatures by December 31, 2031. And even if you don’t care about quantum resistance, that’s not a problem because quantum resistance isn’t the main benefit of post-quantum crypto. That transition cannot happen only at the policy layer. Every application that signs packages, validates certificates, establishes secure channels, or protects long-lived secrets depends on cryptographic libraries. If those libraries do not expose post-quantum algorithms, the software stack cannot migrate. Almost every Python program that touches cryptography goes through pyca/cryptography. It’s currently the eleventh most-downloaded package on PyPI

Latest

Tuesday, June 30
r/cybersecurity 2h ago

Hi guys, I send out a weekly newsletter with the latest cybersecurity vendor reports and research, and thought you might find it useful, so sharing it here. All the reports and research below were published between June 22nd - June 28th. You can get the below into your inbox every week if you want: [https://www.cybersecstats.com/cybersecstatsnewsletter/](https://www.cybersecstats.com/cybersecstatsnewsletter/)

# Big Picture Reports

**The 2026 ExtraHop Global Threat Landscape Report (ExtraHop)**
A global threat report on top attack surfaces, the most prolific threat actors, the ransomware economy, and more.

**Key stats:**
* Adversaries maintained access to enterprise networks for nearly 2.5 weeks on average before being detected in ransomware incidents.
* Phishing and other forms of social engineering (35.8%) remain the most common point of entry for attackers targeting organizations.
* 40% of organizations were targeted by AI-enhanced external attacks that used AI-driven automation for reconnaissance, phishing, or rapid lateral movement.

*Read the full report [here](https://www.cybersecstats.com/r/2330caa0?m=50f43416-1146-4a3d-a1e1-5afc95e09a39).*

# AI Security

**Quantifying Shadow AI Risk in the Browser (Neon Cyber)**
The gap between AI policy and what actually happens in the browser.

**Key stats:**
* 63% of U.S. knowledge workers report having a clear AI policy that they understand.
* Nearly 50% of workers who understand their organization's AI policy knowingly violate that policy by using unapproved AI tools.
* 63% of workers rate AI as either absolutely essential or very necessary to their jobs.

*Read the full report [here](https://www.cybersecstats.com/r/d17a1934?m=50f43416-1146-4a3d-a1e1-5afc95e09a39).*

**The 2026 AI Accountability Report (GitLab)**
Everyone's generating AI code faster than they can review it.

**Key stats:**
* 80% of developers and technology buyers say their organization adopted AI tools faster than it developed policies to govern them.
* 92% report some form of governance challenge with AI-generated code.
* 34% of organizations that experienced a production incident in the past year cannot determine whether AI-generated code contributed to it.

*Read the full report [here](https://www.cybersecstats.com/r/110ec26e?m=50f43416-1146-4a3d-a1e1-5afc95e09a39).*

**2026 Infrastructure Automation Report: The AI Readiness Gap (Spacelift)**
Most infrastructure leaders think they're ready for AI. The actual data doesn’t agree.

**Key stats:**
* 93% of organizations have experienced AI-caused infrastructure incidents.
* 86% of infrastructure leaders say they are confident in their organization's ability to govern AI, but only 30% have a formal AI governance policy in place.
* 33% of infrastructure teams would apply AI-generated infrastructure-as-code directly to production without any review.

*Read the full report [here](https://www.cybersecstats.com/r/c47d679c?m=50f43416-1146-4a3d-a1e1-5afc95e09a39).*

**The Emerging Patch Gap (Tuskira)**
AI is finding vulnerabilities faster than anyone can fix them.

**Key stats:**
* In the first 63 days of the Anthropic Claude Mythos Preview, Mythos disclosed 1,596 verified vulnerabilities across 281 open-source projects.
* AI-driven discovery outpaces visible remediation by roughly 16.5 times, with about 25.3 disclosures per day versus about 1.5 patches per day.
* Only 6.1% of Mythos disclosures are marked as patched, despite 90.9% maintainer acknowledgment.

*Read the full report [here](https://www.cybersecstats.com/r/a5ca2c65?m=50f43416-1146-4a3d-a1e1-5afc95e09a39).*

# AI and Security Testing

**AI and Pentesting Pulse Report 2026 (Cobalt)**
Automated scanning tools are missing critical vulnerabilities, so organizations are turning back to humans.

**Key stats:**
* 78% of organizations experienced fully automated scanning tools missing critical vulnerabilities and returning false negatives.
* 42% of security professionals plan to increase human-led red team operations.
* The mean time to resolve AI and LLM security issues is 36 days, up from 19 days in 2025.

*Read the full report [here](https://www.cybersecstats.com/r/ef5ab28f?m=50f43416-1146-4a3d-a1e1-5afc95e09a39).*

**State of AI in Pentesting (Aikido)**
Everything you wanted to know about pen testing in the age of AI, from 400 security and engineering leaders.

**Key stats:**
* 20% suffered a serious incident linked to AI code.
* 71% say AI has made security incidents harder to detect, investigate, or fix.
* 79% are concerned about missing vulnerabilities introduced between scheduled tests.

*Read the full report [here](https://www.cybersecstats.com/r/c1ea1d9b?m=50f43416-1146-4a3d-a1e1-5afc95e09a39).*

# Quantum Readiness

**PQC Adoption Gaps: 90% of Systems Are Still Not Quantum-Safe (Forescout)**
Post-quantum cryptography adoption is moving, but it’s not moving fast enough.

**Key stats:**
* Nearly 90% of SSH servers remain non-PQC-capable.
* Only 3% of identified servers running Dropbear (common in embedded devices) support PQC.
* In enterprise networks, IT devices most commonly support PQC on TLS at 8%, while IoT and IoMT are at 5.6% and OT is at 0.8%.

*Read the full report [here](https://www.cybersecstats.com/r/8deedbfd?m=50f43416-1146-4a3d-a1e1-5afc95e09a39).*

# Industry Specific

**2026 Healthcare IT Landscape Report (Omega Systems)**
A report that benchmarks where healthcare organizations really stand on cybersecurity, compliance, vendor risk, and AI governance.

**Key stats:**
* 85% of healthcare practices experienced at least one operational disruption caused by a third-party or vendor-of-a-vendor failure in the past 12 months.
* 61% of healthcare practices expect a fatal cyberattack within five years.
* 76% say they are not ready for the proposed 2026 HIPAA Security Rule.

*Read the full report [here](https://www.cybersecstats.com/r/b7c8edbf?m=50f43416-1146-4a3d-a1e1-5afc95e09a39).*

# Regional Spotlight

**2026 European Cyber Risk Report: Ransomware Is Escalating and Your Third Parties Are the Entry Point (Black Kite)**
The fastest way into a European business right now? Third parties.

**Key stats:**
* Ransomware attacks rose 55.1% year-over-year in the first four months of 2026.
* The Qilin ransomware group was linked to incidents in 26 of the 31 countries analyzed.
* Manufacturing was the most-affected sector at 27.9% of ransomware victims.

*Read the full report [here](https://www.cybersecstats.com/r/ac51b776?m=50f43416-1146-4a3d-a1e1-5afc95e09a39).*

**Data Health Check 2026 (Databarracks)**
500 UK organisations on what's threatening their data and uptime.

**Key stats:**
* 30% of organisations cite cyber incidents as their biggest cause of IT downtime, ahead of hardware failure at 19%.
* 43% of large organisations reported losing data as a result of a cyber attack.
* 65% think a serious cyber attack could threaten their survival.

*Read the full report [here](https://www.cybersecstats.com/r/0eb7ef3c?m=50f43416-1146-4a3d-a1e1-5afc95e09a39).*

watchTowr 3h ago

Well, well, well - once again, the cat has dragged us in and spat us out. Today, we find ourselves questioning the reality we sit within. Must it be so predictable, and why us? “But watchTowr, what do you mean?” Well, if you’re here, you likely fit into one of the following categories: a dear reader, a group therapy accomplice, or a Groundhog Day fan club member. Why? Because we once again find ourselves talking about Citrix NetScalers. Yes, that’s right, we’ve found another excuse to create memes and mock promise rings. For those that don’t start violently retching when the phrase “Citrix NetScaler” is uttered, we have another word to whisper: “CitrixBleed”. As many know, the term CitrixBleed now refers to not a single vulnerability, but an entire class of memory-disclosure-style vulnerabilities in Citrix NetScaler devices, many of which have played roles in breaches and incidents in recent memory. For those new to this trauma, the following prior reading may be of interest: How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777); Is It CitrixBleed4? Well, No. Is It Good? Also, No. (Citrix NetScaler Memory Leak & RXSS CVE-2025-12101)

The Hacker News 5h ago

New Microsoft research shows how attackers can hijack AI agents that act on a user's behalf, using nothing more than a poisoned tool description to make the agent quietly hand over company data to an outsider. The trick is that the agent never breaks a rule. Every step looks routine, so in a default setup no alarm may fire. The work comes from Microsoft Incident Response and its

The Hacker News 5h ago

A new two-stage malware family called RustDuck is hijacking home routers, IP cameras, Android boxes, and poorly secured servers, then stitching them into a network built to knock websites and online services offline. Researchers at QiAnXin's XLab have tracked it since February 2026, and say the real story is not how big it is today, but how fast it is changing. The end goal is a

r/cybersecurity 5h ago
AI

Hi all, I'd like to share what I've been working on this year:

1. [Tantalus](https://tantalus.io/) - A unique prompt injection arena where you try to get an agent to exfiltrate data from a user's workstation. This arena puts you in front of a realistic AI assistant with access to files, emails, and chat history, pre-loaded with both legitimate tools and poisoned ones.
2. With Tantalus as the substrate for [my first whitepaper](https://doi.org/10.17605/OSF.IO/S9GU6), I put it through the wringer across **~6.1 million inference calls**, across model sizes 1.7B to 119B params. All behavioral and structural controls were bypassed or allowed malicious data to be generated, except for one. Only one control had a provable 100% rate at blocking bad behavior from ever being generated.

As an independent researcher, I'm simply trying to spread the word. I've made these projects entirely independently and I'm not using these to sell any services. Any business inquiries can DM me directly. :)

The Hacker News 7h ago

Threat actors are continuing to exploit a critical Langflow vulnerability as part of fresh attacks designed to deliver a Monero cryptocurrency miner. The activity has been found to weaponize CVE-2026-33017 (CVSS score: 9.3), an unauthenticated remote code execution (RCE) vulnerability in Langflow, indicating threat actors are scanning and targeting exposed artificial intelligence (AI)

Troy Hunt 7h ago

How's the view?! Back to business, it's now 8 years ago that Scott and I thought it would be a cool idea to build Why no HTTPS? We used the site to shame companies for not implementing their transport layer security properly, and to make it a bit of fun, we shamed by country as well. This helped people jump on the bandwagon of giving their respective countries a little "encouragement", and we hope they'll do the same now with Why no Passkeys? Following my infamous phishing incident last year, I registered the domain with the intent of building the successor for the TLS version. However, due to a combination of me having no time and Scott getting very good with Claude Code, he's now stood up this project solo and done a wonderful job of it. Go and check it out, and give those big names from your country a little push.

The Hacker News 9h ago
CVE

The safety check that is supposed to stop an AI coding agent from running a dangerous command can be walked straight past using a shell trick that has been public for decades. New research from Adversa AI, which named the bypass GuardFall, found it works against ten of the eleven popular open-source coding and computer-use agents the firm tested. Only one, "Continue," was built to

The Hacker News 9h ago

Researchers tested 444 AI chatbot apps for iPhone and found that 282 of them, nearly two-thirds, exposed paid AI access through their network traffic. In many cases, the path in was visible just by watching what the app sent: a plaintext API key, a reusable token, or a backend server that accepted requests with no key at all. Whoever grabs it can send model requests on the developer's account,

Synack 9h ago

“Continuous” has become the most stretched word in offensive security. This guide breaks down what continuous penetration testing means, why most of the market doesn’t deliver it, and how Synack’s Sara is bringing always-on, human-validated testing to the enterprise. The post Continuous Penetration Testing: What Security Leaders Need to Know appeared first on Synack.

r/cybersecurity 9h ago

**Hello**, I wrote a research write-up documenting the design process behind my latest project (Project Onyx), which focuses on showing a different perspective in EDR evasion. **By "a different perspective" I mean approaching EDR evasion from a behavioral and architectural angle rather than the traditional signature or packing-oriented one.** It combines ML behavioral camouflage, steganographic key storage in ONNX model weights, environmental keying, WASM sandboxing, and a dead-drop C2 via model updates on HuggingFace. The most important thing about the project is that its primary goal is to serve as an architectural sketch (for now): each component is implemented and functional as part of the chain, but also, each layer would require dedicated research to become meaningful against real-world defenses. This project is best understood as a structured starting point for that kind of exploration. The article covers the architecture decisions, but also the dead ends: some approaches I scrapped, why fine-tuning a quantized LLM as a key oracle completely failed, considering exfiltration via forked ONNX repository and how I ended up at the final design. It's a research PoC rather than an operational tool, the techniques are implemented and demonstrated within the architecture, not presented as validated EDR bypasses. I'm open to any feedback. I hope someone finds this useful.

The Hacker News 12h ago
APT

The FIFA World Cup 2026 opened on June 11. By that date, according to Check Point Research, the fraud infrastructure targeting it had already been built, staged, and partially deployed. Threat actor activity was pre-planned, months out, across three sectors and at least ten languages. Check Point Exposure Management published the FIFA World Cup 2026 Cyber Threat Report this month, covering

The Hacker News 12h ago

An unknown threat actor has been observed exploiting a recently disclosed maximum-severity security flaw in SimpleHelp to deliver two previously unreported malware families, TaskWeaver and Djinn Stealer. The intrusion involves the exploitation of CVE-2026-48558 (CVSS score: 10.0), a critical authentication bypass vulnerability impacting the OpenID Connect (OIDC) flow that an unauthenticated

r/computerforensics 12h ago

https://mooofin.github.io/portfolio/blog/s4nct1m0ny.html Tutorials for ISF from kernel DWARF, for Vol as well. loginwindow plaintext credential extraction, Chainbreaker 3DES keychain decryption, and full RE of a Swift dropper using the machine Hardware UUID as decryption key. I've tried to make it much less jargon-heavy and reader friendly.

The Hacker News 14h ago

Convince an AI browser that it is playing a game, and it can hand over your login details. That is the finding behind BioShocking, a technique from security firm LayerX that tricked six AI browsers and assistants into copying a user's credentials and sending them to an attacker. The targets included OpenAI's ChatGPT Atlas, Perplexity's Comet, and Anthropic's Claude browser extension. An

Monday, June 29
watchTowr Jun 29

Welcome back to another watchTowr Labs blog post. This time, we're looking at Progress Kemp LoadMaster, a load balancer that sits at the edge of a lot of enterprise networks. Edge appliances have a habit of becoming the way in rather than the thing keeping people out, and CVE-2026-8037 keeps that streak alive: a pre-authentication Remote Code Execution vulnerability accessible to anyone who can reach the API. So, in probably a predictable turn of events, we're back doing what we do best.

What Is A Kemp LoadMaster, and What Is CVE-2026-8037?

Produced by Progress (of MOVEit fame), Kemp LoadMaster is a load balancer and application delivery controller (ADC) that distributes incoming network traffic across multiple servers to keep applications available, responsive, and scalable. Typically, beyond basic load balancing, it provides Layer 4 and Layer 7 traffic management, SSL/TLS offloading, content switching, health checking, and a built-in web application firewall (WAF) to protect against common threats. Why would you use it? Well, Progress has us covered here:

The Hacker News Jun 29

WhatsApp on Monday officially announced the start of global reservations of usernames with an aim to protect the privacy of more than three billion users on the messaging platform. The optional feature is designed to help users connect with someone on the service through usernames, as opposed to directly sharing their phone numbers. Username reservations will start rolling out starting today,

The Hacker News Jun 29

Apple on Monday released security updates for iOS, macOS, and the Safari web browser to address over three dozen flaws, including four vulnerabilities in WebKit that were discovered using artificial intelligence (AI) tools like Anthropic Claude and OpenAI Codex Security. The WebKit vulnerabilities are listed below - CVE-2026-43707 - A memory corruption issue that could result in an

The Hacker News Jun 29

The China-aligned espionage group Mustang Panda is running two campaigns against the Indian government and hydropower targets, deploying new malware and turning a legitimate cloud service into its command channel. Acronis Threat Research Unit found active compromises inside Indian government networks, including machines used by senior administrative staff, and worked with

The Hacker News Jun 29

This week was a reminder that attackers do not always need big tricks. One small mistake, one old access path, one missed patch, and suddenly the door is open. The noise is not all noise, either. Forums are talking, researchers are finding easy cracks, and defenders have more cleanup waiting. Here’s the full Monday recap. ⚡ Threat of the Week New DirtyClone Linux Kernel Flaw Lets Local

The DFIR Report Jun 29

Key Takeaways: This case was first reported to customers in a threat brief released in July 2025 and in a public flash alert in August 2025 in partnership with Swisscom B2B CSIRT, which observed another intrusion tied to the same campaign. This report contains data from both intrusions. We plan to release a DFIR Labs […] The post From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira appeared first on The DFIR Report.

The Hacker News Jun 29

A Russian advanced persistent threat (APT) group has continued to evolve and expand its malware arsenal as part of its ongoing cyber onslaught against Ukraine throughout 2025. Slovakian cybersecurity company ESET said it observed 35 distinct spear-phishing campaigns mounted by Gamaredon against new targets, with most of them taking place in the second half of the year. Primary targets of these

Mozilla Security Jun 29

Mozilla remains committed to maintaining a secure, trustworthy, and transparent Web PKI. Today we are announcing the publication of Mozilla Root Store Policy (MRSP) version 3.1, effective July 1, 2026. While previous policy updates focused heavily on certificate revocation, automation, and operational resilience, MRSP v3.1 focuses on a different challenge: ensuring that Certification Authority (CA) operations are sufficiently transparent, understandable, and auditable. Trust in the Web PKI depends not only on technical requirements, but also on the ability of Mozilla, auditors, and the broader community to understand how CA systems are designed, operated, and assessed. MRSP v3.1 introduces new requirements intended to improve the quality of CA documentation and strengthen independent assurance of the design and effectiveness of controls that protect CA systems. Improving CP/CPS Documentation Certification Practice Statements (CPSes) and combined Certificate Policy / Certification Practice Statement documents (CP/CPSes) are among the most important public documents published by a CA. They describe how a CA conducts its operations and meets industry requirements. Over the years, we have seen significant variation in the quality, structure, and level of detail provided in CP/CPS documentation. Some documents provide extensive implementation detail, while others rely heavily on incorporation by reference or provide only high-level descriptions of CA practices. The revised policy will continue to require conformance with RFC 3647, as modified by applicable CA/Browser Forum requirements. Improvements to section 3.3 in the MRSP will establish clearer expectations regarding the content and quality of CP/CPS documentation. The new requirements emphasize that documentation must be explicit, bounded, auditable, and sufficientl

r/ReverseEngineering Jun 29

To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.

Sunday, June 28
r/Malware Jun 28

> On June 18, an international police operation seized the servers behind the fake "update your browser" pop-up, the one that has been tricking people into installing malware since 2017. They took down 106 servers and domains and scrubbed the malware off 14,971 hacked websites.

> Dutch police, who led the operation, say the login details for 1.4 million websites were exposed in the process. The breach-notification service [Have I Been Pwned](https://haveibeenpwned.com/?ref=freshfromcache.com) was handed 154,000 email addresses and more than half a million passwords from the haul. Canada's federal police disinfected 2,488 computers and notified every Canadian victim they could identify.

> The Netherlands, the FBI, Germany, and Canada ran it together with Europol behind them, as part of an ongoing campaign called Operation Endgame that has spent two years knocking out malware services hundreds of servers at a time.

> SocGholish is tied to Evil Corp (yes, that's really their name), a Russian group that law enforcement knows well. The US, UK, and Australia have all sanctioned Evil Corp. Its alleged leader, Maksim Yakubets, carries a $5 million FBI bounty and is believed to have worked with Russian intelligence.

Saturday, June 27
r/computerforensics Jun 27

Recently I ran into a problem: I needed to analyze a VMware snapshot of a Windows 11 25H2 VM, but the VM had a vTPM, which makes VMware silently encrypt the .vmem/.vmsn/.vmss/.nvram. Volatility just couldn't find the kernel, and I couldn't find any existing tool to decrypt these files for offline analysis. So I reverse-engineered the format with the help of Claude and wrote one. It's called vmem-decrypt (pure Python):

- Recovers the data-file key from the VM password (PBKDF2 → AES-256-CBC key chain; VMware labels everything "XTS-AES-256" but it's actually CBC, which trips up most people).
- Decrypts .vmem/.vmsn/.vmss/.nvram.
- Flattens the decrypted .vmem into a flat, Volatility-ready image. (VMware compresses then encrypts, so it's still in a proprietary checkpoint LZ77 layout.)

Workflow: pull the password hash from the .vmx (VM-Password-Extractor) → crack with hashcat (mode 27400) → feed the password to the tool → run Volatility. Full steps + format notes in the README.

Tested on VMware Workstation Pro 26H1 / Win11 25H2 (build 26100), Volatility 3. Feedback welcome, especially snapshots from other VMware versions to test the format against.

Repo: [https://github.com/heeeyaaaa/vmem-decrypt](https://github.com/heeeyaaaa/vmem-decrypt)

(Yes, I used AI to help build this. It's tested and it works, that's what matters. Happy to walk through any part of how it works.)

Friday, June 26
r/computerforensics Jun 26

I've been building a tool called Image-Meta and would love feedback from people who actually do forensics work, since that's one of the primary use cases I'm trying to serve well.

**What it does:** Crawls and indexes the embedded metadata from publicly accessible images using ExifTool. Currently ~720 million images indexed with full EXIF/IPTC/XMP extraction.

**Forensics-relevant capabilities:**

**Device attribution**
- Search by camera serial number — link multiple images across different domains or accounts back to the same physical device
- Make/model filtering to narrow device type before drilling into serial

**Identity traces**
- Author, copyright, rights, and description fields often contain real names, emails, and organizational affiliations that subjects didn't know were there
- Software fields can expose Photoshop/Lightroom license strings, machine names, or internal workflow metadata

**Timeline reconstruction**
- foundDT = date we first indexed the image (earliest known appearance online)
- createDT / modifyDT = timestamps embedded in the file itself
- Useful for establishing when an image was created vs. when it first appeared publicly

**GPS / geospatial** (Not available to public without subscription)
- Coordinate + radius search for images taken near a location
- Reverse-geocoded address search
- Many images still carry precise GPS even when uploaded to platforms that claim to strip metadata

**What I'm looking for feedback on:**
- Are there metadata fields or query types that would make this more useful in an actual investigation workflow?
- Is the API structure (REST, Bearer token, field-level boolean search) something that integrates well with existing tooling?
- What's missing that you'd expect from a tool like this?

Not trying to sell anything here — genuinely want to understand what the forensics community needs before I build more features.

[https://image-meta.com](https://image-meta.com) API docs: [https://image-meta.com/api-docs](https://image-meta.com/api-docs)

Synack Jun 26

Boards and CIOs are pushing security teams to build internal AI pentesting tools, but is it worth it? This piece walks through the five questions security teams should ask when deciding between build vs buy for AI pentesting. The post Considering Build vs. Buy for AI Pentesting? Top 5 Questions to Ask appeared first on Synack.

Heimdal Security Jun 26

AI has handed hackers a resource advantage. Winning it back means spending your own resources far more precisely, and that’s the strategy we call Dynamic Defense. The principle is simple. Contain the threat just enough, for just long enough, until the risk is removed. This piece shows how that works as a five-stage loop that […] The post How Dynamic Defense shuts an attacker out without shutting down the business appeared first on Heimdal Security Blog .

Heimdal Security Jun 26

AI has flipped the economics of cybersecurity in the attacker’s favor. For most of the last decade, defenders held the cost advantage, buying down their risk with a stack of largely static controls. That advantage is gone, and winning it back is the central problem facing every security team in 2026. I think the answer […] The post Static security has run out of road. The case for Dynamic Defense appeared first on Heimdal Security Blog .

Compass Security Jun 26

The Cyber Resilience Act (CRA) is a regulation introduced by the European Union to strengthen cybersecurity requirements for products with digital elements. In simple terms, the CRA sets mandatory cybersecurity rules for hardware and software sold in the EU. This includes everything from connected devices (IoT) to operating systems and even stand-alone software. Very important, this concerns any company that wants to sell their products into the EU, regardless whether that company is based in the EU or not. The goal is to ensure that digital products placed on the EU market are secure by design and default and remain secure over time. That also means that the CRA does not stop at the launch of a product. It covers the entire lifecycle from design and development all the way through updates and vulnerability management. It also brings everyone in the product pipeline into responsibility. The CRA entered into force on 10 December 2024 , meaning it is already officially law in the EU, although most obligations are not yet applicable. The implementation is phased. From 11 September 2026 , companies will already need to comply with certain reporting obligations, particularly related to the notification of vulnerabilities and security incidents. From 11 December 2027 , the CRA will be fully applicable. Also, products with digital elements that have been placed on the market before 11 December 2027 are not subject to the CRA unless, from that date, they are subject to a substantial modification. Reporting obligations apply to all products with digital elements that have been made available on the Union market, including those already placed on the market before 11 December 2027. Preparing for the CRA is ultimately not just about interpreting legal text, but about translating regulatory expectations into concrete t

Thursday, June 25
Synack Jun 25

We’re sharing two headline numbers as an early look at our State of Continuous Security Validation report before the full analysis lands in July. Turns out 95% of security teams discover high or critical vulnerabilities outside their scheduled testing windows—proof that cadence alone is no longer a reliable measure of coverage. The post The State of Continuous Security Validation: An Early Look at the Data appeared first on Synack .

Synack Jun 25

TL;DR Most attack surface management tools solve only half the problem: they map what’s exposed and stop there, leaving security teams to guess which findings actually matter. This review ranks the top 10 ASM platforms for 2026 on discovery breadth, exploit validation, and how well each holds up inside a real security program. Synack leads […] The post Best Attack Surface Management Tools in 2026 (Top 10, Reviewed) appeared first on Synack .

Wednesday, June 24
Synack Jun 24

Open bug bounty programs are buckling under AI-generated noise, triage overload, and coverage blind spots. Synack's PTaaS platform and security researchers on the Synack Red Team preserve what works about incentivized research while fixing what doesn't. The post The Bug Bounty Model Is Failing. It’s Time to Say It Out Loud. appeared first on Synack .

Heimdal Security Jun 24

MSPs spend too much time talking to other MSPs and not enough time talking to the people they’re supposed to serve. That’s Paul Croker’s view of some of the channel’s biggest growth problems. While most industry events bring technology professionals together, they rarely put them in the same room as the business leaders making […] The post Breaking the MSP Echo Chamber: The Power of Community appeared first on Heimdal Security Blog .

r/computerforensics Jun 24

I worked in forensics for many years, and one of the most annoying things in MFT/Journal analysis is the initial work of prepping the files until they are readable by humans (size, format, timeframe). I used to export to CSV, open in EmEditor, then carve out the time periods I did not care about, but that took time and was not reliable. Now, with the emergence of AI, I was finally able to create the app that does it. It basically allows you to select a timeframe, extensions you do or do not care about, folders you wish to exclude, and go on your merry way of exporting the valid but carved-out MFT for use in other tools, or a CSV for use in your favorite tools, too. As this could be a collaborative project... and I will NEVER sell it, it will remain free (and maybe even open source) - what else would you like to see in such an app? Mods, am I allowed to add a link to a free tool here? https://preview.redd.it/smc3u9vl679h1.png?width=2470&format=png&auto=webp&s=8435e8ed9428b9d46396d069816eefe7fe631af1 I am almost certain there is no free or paid software out there that allows this kind of laser-focused carving of MFT files for speed of analysis. If the mods allow it, I'll post a link to the download. It's freeware.

Troy Hunt Jun 24

Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite I know enough about home cinema audiovisual to know there's a lot I don't know. It's conscious incompetence, if you like, which is different to the unconscious incompetence most people have on the topic. That's not to sound derogatory (it's spelled out that way in the competence model ), rather it recognises that this is a super specialised area and as soon as you start scratching the surface, things get very complex and very expensive really fast. But it's also exciting, and what we've got in the pipeline for our house expansion will blow you away. More to come soon 

Story Overview