Making security understandable

Blog

Practical security insights for technology leaders.

May 2026

Why Agent Sandboxes Will End Up in Monitor Mode (And What to Build Instead)

Mark Curphey predicts agent sandboxes will follow IPS, CASB and next-gen AV into monitor mode. The pattern is overwhelming: launch in enforcement, dial back when business breaks. What survives instead: just-in-time permissions, pre-deployment red teaming, and drift detection.


April 2026

The National Vulnerability Database Just Gave Up. Here's What SMEs Should Actually Do.

NIST will only enrich CVE entries meeting specific criteria after a 263% surge in submissions since 2020. "Filter by CVSS and patch the criticals" is already degrading. Five practical things SMEs should do instead, none of which require a larger security team.


April 2026

While We Argue About AI Zero-Days, Attackers Are Walking Through the Front Door

The security community spent a week debating AI-discovered zero-days. The same week, APT28 compromised routers using a known CVE from 2023. Penetration testers with hundreds of engagements say the attack paths that actually work are boring: identity, misconfiguration, weak credentials.


April 2026

Russia Is Hijacking Your Router's DNS. Here's What That Actually Means.

The NCSC has exposed APT28 hijacking router DNS settings to steal credentials. A known CVE on a TP-Link consumer router, active since 2024. Your endpoint agent cannot see this. Your annual pentest will not catch it. Here's what to do.


April 2026

The NCSC Just Told You to Require Cyber Essentials From Your Suppliers

Organisations with Cyber Essentials are 92% less likely to make cyber insurance claims. The NCSC supply chain playbook says you should require it from your suppliers, not just promote it. Seven practical steps and what it means for SMEs on both sides of the relationship.


April 2026

They Built a Fake Company to Hack One Developer. What Would You Do?

The axios npm compromise started with a fake Slack workspace, a staged Teams call, and five months of patience. The same campaign targeted maintainers of Lodash, Fastify, dotenv, and mocha. What's your runbook for "I think I was socially engineered"?


April 2026

Zero Lines of Malicious Code: Inside the axios Supply Chain Attack

axios versions 1.14.1 and 0.30.4 were published to npm containing a remote access trojan via an injected dependency. Zero malicious lines in the source. The maintainers couldn't even fix it because the attacker outranked them.


March 2026

Your AI Prompts Are the Next Data Breach Category

Troy Hunt added the KomikoAI breach to Have I Been Pwned. 1 million email addresses, with AI prompts mapped back to identities. This is the second AI prompt breach. It won't be the last.


March 2026

Your AI Proxy Is the Highest-Value Target on Your Network

LiteLLM, the most popular open-source LLM proxy, was backdoored on PyPI. Every API key passing through it was stolen. AI proxies are credential aggregators by design, and that makes them perfect targets for supply chain attacks.


March 2026

BSides Lancashire 2026: Red Teaming LLMs

We're speaking at BSides Lancashire on 26 March - "Red Teaming LLMs: A Practical Guide to Breaking AI Applications." Slides and write-up coming soon.


March 2026

Your AI Assistant Has a Shadow Audience

You installed a ChatGPT sidebar extension to be more productive. Someone else installed one to read everything you type. Over 900,000 installs across more than 20,000 enterprises - and the extensions did exactly what they promised, plus something else entirely.


March 2026

The Security Boundary Isn't the AI App - It's the Interaction Layer

CISOs finally have AI security budget. But most are asking the wrong question. They're evaluating AI applications when they should be evaluating what flows between users and models.


March 2026

Compliance Theatre: What the Delve Scandal Means for Your Security Reports

A YC-backed compliance startup has been accused of fabricating SOC 2, ISO 27001, and HIPAA reports for hundreds of companies. Five questions to ask your security provider - and what good looks like.
