惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
Docker
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
Cisco Blogs
Scott Helme
Scott Helme
Know Your Adversary
Know Your Adversary
NISL@THU
NISL@THU
C
Cyber Attacks, Cyber Crime and Cyber Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
CXSECURITY Database RSS Feed - CXSecurity.com
S
Schneier on Security
I
Intezer
Spread Privacy
Spread Privacy
AWS News Blog
AWS News Blog
V
Vulnerabilities – Threatpost
Cloudbric
Cloudbric
V2EX - 技术
V2EX - 技术
Google Online Security Blog
Google Online Security Blog
L
Lohrmann on Cybersecurity
Recent Commits to openclaw:main
Recent Commits to openclaw:main
L
LINUX DO - 热门话题
S
Secure Thoughts
T
The Exploit Database - CXSecurity.com
博客园 - 【当耐特】
Recent Announcements
Recent Announcements
Security Archives - TechRepublic
Security Archives - TechRepublic
Stack Overflow Blog
Stack Overflow Blog
罗磊的独立博客
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
K
Kaspersky official blog
阮一峰的网络日志
阮一峰的网络日志
博客园_首页
Latest news
Latest news
B
Blog
F
Full Disclosure
大猫的无限游戏
大猫的无限游戏
博客园 - 叶小钗
L
LangChain Blog
GbyAI
GbyAI
Last Week in AI
Last Week in AI
S
Security Affairs
Apple Machine Learning Research
Apple Machine Learning Research
N
Netflix TechBlog - Medium
Security Latest
Security Latest
Vercel News
Vercel News
Y
Y Combinator Blog
G
GRAHAM CLULEY
S
Securelist
T
Troy Hunt's Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
雷峰网
雷峰网

The Hacker News

SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation 22 BRIDGE:BREAK Flaws Expose Thousands of Lantronix and Silex Serial-to-IP Converters Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 5 Places where Mature SOCs Keep MTTR Fast and Others Waste Time NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs No Exploit Needed: How Attackers Walk Through the Front Door via Identity-Based Attacks Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files ⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More Why Most AI Deployments Stall After the Demo Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems $13.74M Hack Shuts Down Sanctioned Grinex Exchange After Intelligence Claims Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched Google Blocks 8.3B Policy-Violating Ads in 2025, Launches Android 17 Privacy Overhaul NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions Operation PowerOFF Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories [Webinar] Eliminate Ghost Identities Before They Expose Your Enterprise Data The Hacker News The Hacker News Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks UAC-0247 Targets Ukrainian Clinics and Government in Data-Theft Malware Campaign n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover April Patch Tuesday Fixes Critical Flaws Across SAP, Adobe, Microsoft, Fortinet, and More Deterministic + Agentic AI: The Architecture Exposure Validation Requires Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released Google Adds Rust-Based DNS Parser into Pixel 10 Modem to Enhance Security AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads Analysis of 216M Security Findings Shows a 4x Increase In Critical Risk (2026 Report) 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in Brazil in 2025 FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More Your MTTD Looks Great. Your Post-Alert Gap Doesn't North Korea's APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 Citizen Lab: Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs Browser Extensions Are the New AI Consumption Channel That No One Is Talking About Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers EngageLab SDK Flaw Exposed 50M Android Users, Including 30M Crypto Wallet Installs UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories The Hidden Security Risks of Shadow AI in Enterprises Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 Bitter-Linked Hack-for-Hire Campaign Targets Journalists Across MENA Region New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies Shrinking the IAM Attack Surface through Identity Visibility and Intelligence Platforms (IVIP) Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign [Webinar] How to Close Identity Gaps in 2026 Before AI Exploits Enterprise Risk Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign The Hidden Cost of Recurring Credential Incidents New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea Multi-OS Cyberattacks: How SOCs Close a Critical Risk in 3 Steps ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More How LiteLLM Turned Developer Machines Into Credential Vaults for Attackers Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation 36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners The State of Trusted Open Source Report WhatsApp Alerts 200 Users After Fake iOS App Installed Spyware; Italian Firm Faces Action Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails
AI Broke Vulnerability Management. That's Why CISOs Are Moving Budget to BAS.
The Hacker News · 2026-06-11 · via The Hacker News

For thirty years, vulnerability management ran on a buffer: the months between when a vulnerability was found and when someone could figure out how to weaponize it. The solution was straightforward enough; triage by severity, schedule the fix, validate, and move on. The buffer was what made that work.

Today, that buffer is gone.

AI didn't make your team slower. It changed the other side of the equation, compressing discovery-to-exploit from months to hours. And the sad truth for defenders is that a process built for breathing room can't survive without it.

AI Turned Vulnerability Discovery Into a Volume Game

In its May 2026 update, Anthropic reported that it and approximately 50 partners used Claude Mythos Preview to find more than 10,000 high- or critical-severity vulnerabilities in systemically important software in a single month.

Earlier figures were just as stark.

Pointed at Firefox, the gated Mythos model wrote 181 working exploits, against just 2 from the previous frontier model. It surfaced vulnerabilities across every major OS and browser, including an OpenBSD bug that had sat undetected for 27 years.

At the time of writing, more than 99% of what it found was still unpatched.

Figure 1. February 2026, FortiGate Campaign

An AWS threat-intelligence report from February 2026 shows the flip side: no zero-days needed, just weak credentials, industrialized through a custom MCP server running offensive tools autonomously. AWS confirmed 600+ devices across 55+ countries; the actor's logs, according to independent researchers, queued 2,516 devices across 106 countries.

Either way, the rules have clearly changed. What once took rare expertise now runs at machine speed and scale.

The Vulnerability Weaponization Window Has Collapsed, Too

Defenders used to have months between a CVE going public and its first confirmed exploitation in the wild, the window known as time-to-exploit (TTE).

That window has slammed shut.

Zero Day Clock puts the 2026 average at roughly 24 hours, down from ~53 days in 2024.

Figure 2. Mean time-to-exploit (TTE) by Zero Day Clock

The breach data agrees, too.

Verizon's 2026 DBIR ties 32% of initial-access techniques to exploitation of vulnerabilities and expects that number to climb, because AI coding assistants now put exploit-building, porting a tool to a new language, and discovering fresh flaws all within reach for attackers who've never had them before.

Figure 3. Generative AI-assisted techniques categorized as initial access methods by Verizon’s 2026 DBIR

Telling Teams to Patch Faster Is Like Telling a Freighter to Brake on a Dime

The industry's reflex answer is to patch faster. Regulators are codifying it: Many regulations now point toward same-day fixes for some critical vulnerabilities. Boards expect it. Executives demand it.

But remediation isn't a switch. Patches clear regression testing, wait for change windows, need to wait for approvals, and respect existing uptime and compliance commitments. Taking production down to outrun an exploit ends up being just a different outage.

And the data shows everything's moving the wrong way.

The Verizon 2026 DBIR tracked 13,000+ organizations:

  • Median fix time for known-exploited vulnerabilities: 43 days, up from 32 the year before
  • Amount that were fully patched: down from 38% to 26%

When offense runs in hours and remediation runs in weeks, the breach almost always happens in between.

Again, per Verizon's DBIR, even the best-performing organizations close only 30-40% of known-exploited vulnerabilities in the first week after detection: a rate that's barely moved despite years of steady investment.

So, ordering teams to patch faster doesn't change the physics, and it feels like ordering a freighter to brake on a dime.

The Bottleneck Moved. So Must the Strategy.

For two decades, vulnerability management ran on a tidy set of assumptions:

  • Find the flaws,
  • Score them by severity,
  • Patch the worst first.

When a few dozen criticals landed per quarter, CVSS triage worked. Unfortunately, it doesn't stand a chance against hundreds or thousands of disclosures a day.

Dipping back to Verizon's DBIR one more time, the median organization had to patch 16 known-exploited vulnerabilities in 2025, up from 11 the year before, a jump of nearly 50%.

That was before AI-discovered flaws began flooding the catalog.

Severity scores, meanwhile, don't tell you whether a flaw is reachable in your environment, whether your controls will already block it, or whether it chains to anything that matters. A severity list where everything is a "9" or "10" essentially prioritizes nothing.

So the useful question stops being "what's vulnerable?" and becomes "what's actually exploitable against us right now: and would our defenses catch it if someone tried?"

This is exactly the question Breach and Attack Simulation (BAS) was built to answer.

Why BAS Becomes the Cornerstone Against AI-Powered Attacks

BAS takes real-world adversary techniques, the TTPs behind the campaign in the latest headline, and safely runs them against your live prevention and detection stack. Not a scan. Not a theoretical mapping. An actual exercise that shows what your tools will actually block, what they'll detect, and what will slip through.

In a world drowning in disclosures, that does three things that vulnerability management alone can't. BAS:

  • Separates the theoretical from the real. A flaw your WAF, IPS, and EDR already neutralize is a very different problem from one that waltzes straight in. BAS shows which is which, so teams stop treating every CVE as a five-alarm fire.
  • Validates the controls you've already paid for. Most enterprises run anywhere from ten to seventy security tools with countless overlapping policies; BAS measures whether they fire as configured and surfaces the residual risks hiding in the gaps.
  • Buys time to patch safely. When you can prove a critical asset is already covered by hardened controls, the patch can move through normal change control instead of an emergency rollout. When it isn't covered, you know to mitigate first.

That payoff is starting to show up in budgets: field reports increasingly point to CISOs reserving dedicated spend for BAS that wasn't a separate line item a year ago.

This is the shift Gartner now labels Adversarial Exposure Validation: blending security effectiveness ("Are my controls working?") with business context ("Which assets matter most, and what's truly reachable?") to prioritize by your organization's reality instead of by hypothetical raw scores.

Paired with autonomous penetration testing, which proves whether an attacker can chain exposures from their initial foothold to your organization's crown jewels, BAS completes the picture.

One side asks, "Wait, can they breach us?" The other asks, "But would we catch it?"

Running together, BAS and autonomous pentesting replace guesswork with evidence.

BAS Has to Run Autonomously at Machine Speed Too

There's a catch.

If adversaries are operating autonomously, a validation cycle that takes a human a week to complete is obsolete on arrival. Machine-speed attacks demand machine-speed defenses, and the only thing fast enough to counter autonomous offense is autonomous defense.

The honest objection to pointing raw generative AI at this is safety. As Picus CTO Volkan Erturk has warned, a model told to invent an exploit might hand back a live malware sample, or hallucinate techniques a group never uses. You don't want unvetted binaries detonating in production, or defenses built against attacks that don't, or can't, exist.

You can watch it on demand here.

Picus' fix is to put the model in charge of coordination, not creation.

Rather than asking AI to write payloads, Picus' agentic BAS matches a fresh threat report against a curated, pre-vetted library of safe, ready-made test building blocks. A security team names a threat, and a multi-agent system takes it from there: one agent identifies the threat and builds a research plan, others gather and validate the intelligence from multiple sources, and a builder agent maps the adversarial TTPs into attack chains ready for simulation.

The output is an accurate, ready-to-run simulation, assembled in minutes.

This collapses the loop. A CISA alert or a forwarded headline becomes a scoped test, a posture score, prioritized mitigations, and an executive report, often in minutes, with humans reviewing exceptions rather than driving, and slowing down, every step.

This Is What the Picus Platform Is Built For

Patching is still essential, but where AI discovers flaws by the thousands and weaponizes them in hours, patching alone can't be your whole strategy. If the offense is autonomous, the defense has to operate at least at the same speed, and that's exactly what Picus was built to do.

What scales with the threat is validation: confirming what your controls will actually stop, proving what's exploitable, and spending remediation time and talent only where it will change the outcome. AI-powered, agentic BAS is one of the core pillars of the Picus Platform, continuously testing whether your defenses block and detect what matters without waiting on a human to kick off the process or advance to the next cycle. And when a gap is uncovered, the platform points to the vendor-specific mitigation needed, and doesn't just create another ticket on the pile, then re-validates to confirm that the gap has actually been closed.

The need to say, on the spot, whether a fresh headline puts the business at risk isn't going away anytime soon. The Picus Platform gives security teams that answer before anyone asks.

Find out if the next headline puts you at risk, before it drops. Request a demo.

Note: This article was written by Sıla Özeren Hacıoğlu, Security Research Engineer at Picus Security.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.