Author: Mark

Oct 31, 2025The Hacker NewsBusiness Continuity / Risk Management

MSPs are facing rising client expectations for strong cybersecurity and compliance outcomes, while threats grow more complex and regulatory demands evolve. Meanwhile, clients are increasingly seeking comprehensive protection without taking on the burden of managing security themselves.

This shift represents a major growth opportunity. By delivering advanced cybersecurity and compliance services, MSPs can build deeper relationships, generate higher-value recurring revenue streams, and stand out in a competitive market.

However, the move from basic IT and security services to strategic cybersecurity offerings requires more than technical expertise. It demands a clear service strategy, the right internal resources, and the ability to communicate security value in business terms. Without this foundation, MSPs risk inconsistent service delivery, missed opportunities, and stalled growth.

We created the guide Turn Security Into Growth: Is Your MSP Ready to Expand? to help providers pinpoint their current capabilities. It includes a structured checklist for evaluating both strategic mindset and operational readiness.

Mindset Readiness: From Technical Support to Business Value

Traditional IT services keep systems operational. Cybersecurity ensures those systems remain protected, resilient, and able to support uninterrupted business operations. This requires a security-first mindset that extends beyond technical execution to address risk management, compliance, and resilience as integral components of the client’s overall business strategy.

Two mindset shifts are essential:

• From Checkbox Compliance to Continuous Risk Management
• Compliance is often treated as the finish line, the moment a business can pass audits and meet regulatory obligations. For MSPs aiming to deliver advanced cybersecurity and compliance services, it can be helpful to view compliance as the starting point instead. Regulations establish a baseline; Unfortunately, the reality is that threats often evolve faster than standards change. Viewing compliance as one part of an ongoing risk management process enables MSPs to uncover broader business risks, address them proactively, and help clients build resilience.
• From Technical Delivery to Strategic Outcomes
• Technical execution, such as deploying tools, configuring firewalls, and patching systems, is only part of the bigger picture. The greatest impact comes when these activities are connected to what matters most to the business: protecting revenue streams, maintaining operational continuity, safeguarding reputation, and supporting long-term growth. Framing security conversations in terms of business impact rather than technical detail can help clients better understand the value of your services. When security is positioned in this way, MSPs are often seen less as vendors and more as strategic partners contributing to resilience and shared success.

Assessing Mindset Readiness: Are You Positioned for Strategic Security?

A security-first mindset involves engaging clients in meaningful conversations, framing services in a way that aligns with their goals, and making clear connections between security initiatives and business value. Consider:

The guide Turn Security Into Growth: Is Your MSP Ready to Expand? doesn’t just break preparedness into categories, it provides a detailed checklist to help assess your readiness in each area. This structured approach ensures you can pinpoint strengths, identify gaps, and create a clear plan for scaling security services effectively.

Key categories include:

1. Service Definition: Map offerings to client needs and compliance frameworks to create packaged tiers with clear value.
2. Staffing & Expertise: Define and fill critical roles, whether in-house or outsourced, to cover compliance, incident response, and cybersecurity analysis.
3. Tool Alignment & Management: Ensure tools match the service scope and are actively managed by trained personnel.
4. Financial Planning: Budget for tools, training, and liability coverage to support sustainable growth.
5. Process Documentation: Standardize incident response, compliance workflows, and data handling procedures.
6. Sales Capability: Equip sales teams to communicate business outcomes, not just technical features.
7. Strategic Client Engagement: Be able to lead roadmap discussions that connect security to business goals.

Assessing Operational Readiness: Are You Positioned for Strategic Security?

If you can confidently check most of these boxes, your MSP is in a strong position to scale security services profitably. If not, this is your opportunity to strengthen operational foundations before committing to expansion.

From Readiness to Revenue

An MSP with a strong foundation in both mindset and operational capability can scale security services confidently, deliver measurable value, and unlock new revenue streams.

Whether you’re laying the groundwork or ready to refine your approach, our guide Turn Security Into Growth: Is Your MSP Ready to Expand? offers a clear framework for assessing strengths, closing capability gaps, and building a profitable expansion into advanced security and compliance services. It walks you through both mindset and operational readiness, helping you identify where you can scale confidently, deliver measurable value, and unlock new revenue opportunities while avoiding the pitfalls of reactive service and competitive disadvantage.

Oct 31, 2025Ravie LakshmananVulnerability / Threat Intelligence

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partners from Australia and Canada, have released guidance to harden on-premise Microsoft Exchange Server instances from potential exploitation.

“By restricting administrative access, implementing multi-factor authentication, enforcing strict transport security configurations, and adopting zero trust (ZT) security model principles, organizations can significantly bolster their defenses against potential cyber attacks,” CISA said.

The agencies said malicious activity aimed at Microsoft Exchange Server continues to take place, with unprotected and misconfigured instances facing the brunt of the attacks. Organizations are advised to decommission end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365.

Some of the best practices outlined are listed below –

• Maintain security updates and patching cadence
• Migrate end-of-life Exchange servers
• Ensure Exchange Emergency Mitigation Service remains enabled
• Apply and maintain the Exchange Server baseline, Windows security baselines, and applicable mail client security baselines
• Enable antivirus solution, Windows Antimalware Scan Interface (AMSI), Attack Surface Reduction (ASR), and AppLocker and App Control for Business, Endpoint Detection and Response, and Exchange Server’s anti-spam and anti-malware features
• Restrict administrative access to the Exchange Admin Center (EAC) and remote PowerShell and apply the principle of least privilege
• Harden authentication and encryption by configuring Transport Layer Security (TLS), HTTP Strict Transport Security (HSTS), Extended Protection (EP), Kerberos and Server Message Block (SMB) instead of NTLM, and multi-factor authentication
• Disable remote PowerShell access by users in the Exchange Management Shell (EMS)

“Securing Exchange servers is essential for maintaining the integrity and confidentiality of enterprise communications and functions,” the agencies noted. “Continuously evaluating and hardening the cybersecurity posture of these communication servers is critical to staying ahead of evolving cyber threats and ensuring robust protection of Exchange as part of the operational core of many organizations.”

CISA Updates CVE-2025-59287 Alert

The guidance comes a day after CISA updated its alert to include additional information related to CVE-2025-59287, a newly re-patched security flaw in the Windows Server Update Services (WSUS) component that could result in remote code execution.

The agency is recommending that organizations identify servers that are susceptible to exploitation, apply the out-of-band security update released by Microsoft, and investigate signs of threat activity on their networks –

• Monitor and vet suspicious activity and child processes spawned with SYSTEM-level permissions, particularly those originating from wsusservice.exe and/or w3wp.exe
• Monitor and vet nested PowerShell processes using base64-encoded PowerShell commands

The development follows a report from Sophos that threat actors are exploiting the vulnerability to harvest sensitive data from U.S. organizations spanning a range of industries, including universities, technology, manufacturing, and healthcare. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update.

In these attacks, the attackers have been found to leverage vulnerable Windows WSUS servers to run a Base64-encoded PowerShell commands, and exfiltrate the results to a webhook[.]site endpoint, corroborating other reports from Darktrace, Huntress, and Palo Alto Networks Unit 42.

The cybersecurity company told The Hacker News that it has identified six incidents in its customer environments to date, although further research has flagged at least 50 victims.

“This activity shows that threat actors moved quickly to exploit this critical vulnerability in WSUS to collect valuable data from vulnerable organizations,” Rafe Pilling, director of threat intelligence at Sophos Counter Threat Unit, told The Hacker News in a statement.

“It’s possible this was an initial test or reconnaissance phase, and that attackers are now analyzing the data they’ve gathered to identify new opportunities for intrusion. We’re not seeing further mass exploitation at this time, but it’s still early, and defenders should treat this as an early warning. Organizations should ensure their systems are fully patched and that WSUS servers are configured securely to reduce the risk of exploitation.”

Michael Haag, principal threat research engineer at Cisco-owned Splunk, noted in a post on X that CVE-2025-59287 “goes deeper than expected” and that they found an alternate attack chain that involves the use of the Microsoft Management Console binary (“mmc.exe”) to trigger the execution of “cmd.exe” when an admin opens WSUS Admin Console or hits “Reset Server Node.”

“This path triggers a 7053 Event Log crash,” Haag pointed out, adding it matches the stack trace spotted by Huntress at “C:Program FilesUpdate ServicesLogfilesSoftwareDistribution.log.”

Oct 31, 2025Ravie LakshmananMalware / Secure Coding

Eclipse Foundation, which maintains the open-source Open VSX project, said it has taken steps to revoke a small number of tokens that were leaked within Visual Studio Code (VS Code) extensions published in the marketplace.

The action comes following a report from cloud security company Wiz earlier this month, which found several extensions from both Microsoft’s VS Code Marketplace and Open VSX to have inadvertently exposed their access tokens within public repositories, potentially allowing bad actors to seize control and distribute malware, effectively poisoning the extension supply chain.

“Upon investigation, we confirmed that a small number of tokens had been leaked and could potentially be abused to publish or modify extensions,” Mikaël Barbero, head of security at the Eclipse Foundation, said in a statement. “These exposures were caused by developer mistakes, not a compromise of the Open VSX infrastructure.”

Open VSX said it has also introduced a token prefix format “ovsxp_” in collaboration with the Microsoft Security Response Center (MSRC) to make it easier to scan for exposed tokens across public repositories.

Furthermore, the registry maintainers said they have identified and removed all extensions that were recently flagged by Koi Security as part of a campaign named “GlassWorm,” while emphasizing that the malware distributed through the activity was not a “self-replicating worm” in that it first needs to steal developer credentials in order to extend its reach.

“We also believe that the reported download count of 35,800 overstates the actual number of affected users, as it includes inflated downloads generated by bots and visibility-boosting tactics used by the threat actors,” Barbero added.

Open VSX said it’s also in the process of enforcing a number of security changes to bolster the supply chain, including –

• Reducing the token lifetime limits by default to reduce the impact of accidental leaks
• Making token revocation easier upon notification
• Automated scanning of extensions at the time of publication to check for malicious code patterns or embedded secrets

The new measures to strengthen the ecosystem’s cyber resilience come as the software supplier ecosystem and developers are increasingly becoming the target of attacks, allowing attackers far-reaching, persistent access to enterprise environments.

“Incidents like this remind us that supply chain security is a shared responsibility: from publishers managing their tokens carefully, to registry maintainers improving detection and response capabilities,” Barbero said.

Oct 31, 2025Ravie LakshmananVulnerability / Cyber Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Broadcom VMware Tools and VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.

The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), which could be exploited by an attacker to attain root level privileges on a susceptible system.

“Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability,” CISA said in an alert. “A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.”

The vulnerability was addressed by Broadcom-owned VMware last month, but not before it was exploited as a zero-day by unknown threat actors since mid-October 2024, according to NVISO Labs. The cybersecurity company said it discovered the vulnerability earlier this May during an incident response engagement.

The activity is attributed to a China-linked threat actor Google Mandiant tracks as UNC5174, with NVISO Labs describing the flaw as trivial to exploit. Details surrounding the exact payload executed following the weaponization of CVE-2025-41244 have been currently withheld.

“When successful, exploitation of the local privilege escalation results in unprivileged users achieving code execution in privileged contexts (e.g., root),” security researcher Maxime Thiebaut said. “We can, however, not assess whether this exploit was part of UNC5174’s capabilities or whether the zero-day’s usage was merely accidental due to its trivialness.”

Also placed in the KEV catalog is a critical eval injection vulnerability in XWiki that could permit any guest user to perform arbitrary remote code execution by means of a specially crafted request to the “/bin/get/Main/SolrSearch” endpoint. Earlier this week, VulnCheck revealed that it observed attempts by unknown threat actors to exploit the flaw and deliver a cryptocurrency miner.

Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary mitigations by November 20, 2025, to secure their networks against active threats.

Oct 31, 2025The Hacker NewsEndpoint Security / Network Security

A design firm is editing a new campaign video on a MacBook Pro. The creative director opens a collaboration app that quietly requests microphone and camera permissions. MacOS is supposed to flag that, but in this case, the checks are loose. The app gets access anyway.

On another Mac in the same office, file sharing is enabled through an old protocol called SMB version one. It’s fast and convenient—but outdated and vulnerable. Attackers can exploit it in minutes if the endpoint is exposed to the internet.

These are the kinds of configuration oversights that happen every day, even in organizations that take security seriously. They’re not failures of hardware or antivirus software. They’re configuration gaps that open doors to attackers, and they often go unnoticed because nobody is looking for them.

That’s where Defense Against Configurations (DAC) comes in.

Misconfigurations are a gift to attackers: default settings left open, remote access that should be off (like outdated network protocols such as SMB v1), or encryption that never got enabled.

The goal of the latest release from ThreatLocker is simple. It makes those weak points visible on macOS so they can be fixed before they become incidents. Following the August 2025 release of DAC for Windows, ThreatLocker has launched DAC for macOS, which is currently in Beta.

The built-in ThreatLocker feature scans Macs as many as four times per day using the existing ThreatLocker agent, surfacing risky or noncompliant settings in the same dashboard you already use for Windows.

High value controls in the Beta

The agent runs a configuration scan and reports results to the console. On macOS, the initial Beta focuses on high value controls:

• Disk encryption status with FileVault
• Built in firewall status
• Sharing and remote access settings, including remote login
• Local administrator accounts and membership checks
• Automatic update settings
• Gatekeeper and app source controls
• Selected security and privacy preferences that reduce attack surface

Findings are grouped by endpoint and by category. Each item includes clear remediation guidance and mapping to major frameworks such as CIS, NIST, ISO 27001, and HIPAA. The intent is to shorten the path from discovery to fix, not to add another queue of alerts.

Why DAC matters

Design firms, media studios, and production teams often build their workflows around Macs for good reason. The M-series processors are powerful, quiet, and efficient for video and design software. But security visibility hasn’t always kept up.

Extending configuration scanning to macOS helps these teams find weak spots before they’re exploited, things like unencrypted drives, disabled firewalls, leftover admin accounts, or permissive sharing settings. It closes the gaps that attackers look for and gives administrators the same level of insight they already rely on for Windows.

This Beta isn’t just about macOS coverage. It’s about giving IT and security teams real insight into where they stand. When DAC shows a Mac out of compliance, it doesn’t stop there. It connects those findings to the ThreatLocker policies that can fix them. That visibility helps organizations align with their security frameworks, meet insurance requirements, and harden their environments without guesswork. Some users come to ThreatLocker specifically because of DAC and stay because it makes the other ThreatLocker controls make sense. Configuration visibility is the gateway to real control.

Oct 30, 2025Ravie LakshmananMalware / Cybercrime

The open-source command-and-control (C2) framework known as AdaptixC2 is being used by a growing number of threat actors, some of whom are related to Russian ransomware gangs.

AdaptixC2 is an emerging extensible post-exploitation and adversarial emulation framework designed for penetration testing. While the server component is written in Golang, the GUI Client is written in C++ QT for cross-platform compatibility.

It comes with a wide range of features, including fully encrypted communications, command execution, credential and screenshot managers, and a remote terminal, among others. An early iteration was publicly released by a GitHub user named “RalfHacker” (@HackerRalf on X) in August 2024, who describes themselves as a penetration tester, red team operator, and “MalDev” (short for malware developer).

In recent months, AdaptixC2 has been adopted by various hacking groups, including threat actors tied to the Fog and Akira ransomware operations, as well as by an initial access broker that has leveraged CountLoader in attacks that are designed to deliver various post-exploitation tools.

Palo Alto Networks Unit 42, which broke down the technical aspects of the framework last month, characterized it as a modular and versatile framework that can be used to “comprehensively control impacted machines,” and that it has been put to use as part of fake help desk support call scams via Microsoft Teams and through an artificial intelligence (AI)-generated PowerShell script.

While AdaptixC2 is offered as an ethical, open-source tool for red teaming activities, it’s also clear that it has attracted the attention of cybercriminals.

Cybersecurity company Silent Push said RalfHacker’s GitHub bio about them being a “MalDev” triggered an investigation, allowing them to find several email addresses for GitHub accounts linked to the account’s owner, in addition to a Telegram channel called RalfHackerChannel, where they re-shared messages posted on a dedicated channel for AdaptixC2. The RalfHackerChannel channel has more than 28,000 subscribers.

In a message on the AdaptixFramework channel in August 2024, they mentioned their interest in starting a project about a “public C2, which is very trendy right now” and hoped “it will be like Empire,” another popular post-exploitation and adversary emulation framework.

While it’s currently not known if RalfHacker has any direct involvement in malicious activity tied to AdaptixC2 or CountLoader at this stage, Silent Push said their “ties to Russia’s criminal underground, via the use of Telegram for marketing and the tool’s subsequent uptick in utilization by Russian threat actors, all raise significant red flags.”

The Hacker News has reached out to RalfHacker for comment, and we will update the story if we hear back.

Google on Thursday revealed that the scam defenses built into Android safeguard users around the world from more than 10 billion suspected malicious calls and messages every month.

The tech giant also said it has blocked over 100 million suspicious numbers from using Rich Communication Services (RCS), an evolution of the SMS protocol, thereby preventing scams before they could even be sent.

In recent years, the company has adopted various safeguards to combat phone call scams and automatically filter known spam using on-device artificial intelligence and move them automatically to the “spam & blocked” folder in the Google Messages app for Android.

Earlier this month, Google also globally rolled out safer links in Google Messages, warning users when they attempt to click on any URLs in a message flagged as spam and step them visiting the potentially harmful website, unless the message is marked as “not spam.”

Google said its analysis of user-submitted reports in August 2025 found employment fraud to be the most prevalent scam category, where individuals searching for work are lured with fake opportunities in order to steal their personal and financial information.

Another prominent category relates to financially-motivated scams that revolve around bogus unpaid bills, subscriptions, and fees, as well as fraudulent investment schemes. Also observed to a lesser extent are scams related to package deliveries, government agency impersonation, romance, and technical support scams.

In an interesting twist, Google said it has increasingly witnessed scam messages arrive in the form of a group chat with a number of potential victims, as opposed to sending them a direct message.

“This shift may have happened because group messages can feel less suspicious to recipients, particularly when a scammer includes a fellow scammer in the group to validate the initial message and make it appear to be a legitimate conversation,” Google said.

The company’s analysis also found that the malicious messages stick to a “distinct daily and weekly schedule,” with the activity commencing around 5 a.m. PT in the U.S., before peaking between 8 a.m. and 10 a.m. PT. The highest volume of fraudulent messages is typically sent on Mondays, coinciding with the start of the workday, when recipients are likely to be the busiest and less wary of incoming messages.

Some of the common aspects that tie these scams together are that they begin with a “Spray and Pray” approach by casting a wide net in hopes of reeling in a small fraction of victims by inducing a false sense of urgency through lures related to topical events, package delivery notifications, or toll charges.

The intention is to rush prospective targets into acting on the message without thinking too much, causing them to click on malicious links that are often shortened using URL shorteners to mask dangerous websites and ultimately steal their information.

Alternatively, scams can also embrace what’s called as “Bait and Wait,” which refers to a more calculated, personalised targeting method where the threat actor establishes rapport with a target over time before going for the kill. Scams like romance baiting (aka pig butchering) fall into this category.

Top three scam categories

“The scammer engages you in a longer conversation, pretending to be a recruiter or old friend,” Google explained. “They may even include personal details gathered from public websites like your name or job title, all designed to build trust. The tactics are more patient, aiming to maximize financial loss over time.”

Regardless of the high-pressure or slow-moving tactic employed, the end goal remains the same: to steal information or money from unsuspecting users, whose details, such as phone numbers, are often procured from dark web marketplaces that sell data stolen from security breaches.

The operation is also supported by suppliers that provide the necessary hardware for operating phone and SIM farms that are used to blast smishing messages at scale, Phishing-as-a-Service (PhaaS) kits that deliver a turnkey solution to harvest credentials and financial information and manage the campaigns, and third-party bulk messaging services to distribute the messages themselves.

“[The messaging services] are the distribution engine that connects the scammer’s infrastructure and target lists to the end victim, delivering the malicious links that lead to the PhaaS-hosted websites,” Google said.

The search behemoth also described the scam message landscape as highly volatile, where fraudsters seek to purchase SIM cards in bulk from markets that present the fewest obstacles.

“While it may appear that waves of scams are moving between countries, this constant churn doesn’t mean scammers are physically

relocating,” it added. “Once enforcement tightens in one area, they simply pivot to another, creating a perpetual cycle of shifting hotspots.”

“While it may appear that waves of scams are moving between countries, this constant churn doesn’t mean scammers are physically relocating,” it added. “Once enforcement tightens in one area, they simply pivot to another, creating a perpetual cycle of shifting hotspots.”

Oct 30, 2025Ravie LakshmananBrowser Security / Vulnerability

A severe vulnerability disclosed in Chromium’s Blink rendering engine can be exploited to crash many Chromium-based browsers within a few seconds.

Security researcher Jose Pino, who disclosed details of the flaw, has codenamed it Brash.

“It allows any Chromium browser to collapse in 15-60 seconds by exploiting an architectural flaw in how certain DOM operations are managed,” Pino said in a technical breakdown of the shortcoming.

At its core, Brash stems from the lack of rate limiting on “document.title” API updates, which, in turn, allows for bombarding millions of [document object model] mutations per second, causing the web browser to crash, as well as degrade system performance as a result of devoting CPU resources to this process.

The attack plays out in three steps –

• Hash generation or preparation phase, where the attacker preloads into memory 100 unique hexadecimal strings of 512 characters that act as a seed for the browser tab title changes per interval so as to maximize the impact of the attack
• Burst injection phase, where bursts of three consecutive document.title updates are executed, injecting approximately 24 million updates per second in default configuration (burst: 8000, interval: 1ms)
• UI thread saturation phase, where the continuous stream of updates saturates the browser’s main thread, causing it to go unresponsive and requiring forced termination

“A critical feature that amplifies Brash’s danger is its ability to be programmed to execute at specific moments,” Pino said. “An attacker can inject the code with a temporal trigger, remaining dormant until a predetermined exact time.”

“This kinetic timing capability transforms Brash from a disruption tool into a temporal precision weapon, where the attacker controls not only the ‘what’ and ‘where,’ but also the ‘when’ with millisecond accuracy.”

This also means that the attack can act like a logic bomb that’s configured to detonate at a specific time or after a certain amount of time has elapsed, all while evading initial inspection or detection. In a hypothetical attack scenario, all it would take is a click of a specially crafted URL to trigger the behavior, leading to unintended consequences.

The vulnerability works on Google Chrome and all web browsers that run on Chromium, which includes Microsoft Edge, Brave, Opera, Vivaldi, Arc Browser, Dia Browser, OpenAI ChatGPT Atlas, and Perplexity Comet. Mozilla Firefox and Apple Safari are immune to the attack, as are all third-party browsers on iOS, given that they are all based on WebKit.

The Hacker News has reached out to Google for further comment on the findings and its plans for a fix, and we will update the story if we hear back.

Security doesn’t fail at the point of breach. It fails at the point of impact.

That line set the tone for this year’s Picus Breach and Simulation (BAS) Summit, where researchers, practitioners, and CISOs all echoed the same theme: cyber defense is no longer about prediction. It’s about proof.

When a new exploit drops, scanners scour the internet in minutes. Once attackers gain a foothold, lateral movement often follows just as fast. If your controls haven’t been tested against the exact techniques in play, you’re not defending, you’re hoping things don’t go seriously pear-shaped.

That’s why pressure builds long before an incident report is written. The same hour an exploit hits Twitter, a boardroom wants answers. As one speaker put it, “You can’t tell the board, ‘I’ll have an answer next week.’ We have hours, not days.”

BAS has outgrown its compliance roots and become the daily voltage test of cybersecurity, the current you run through your stack to see what actually holds.

This article isn’t a pitch or a walkthrough. It’s a recap of what came up on stage, in essence, how BAS has evolved from an annual checkbox activity to a simple and effective everyday way of proving that your defenses are actually working.

Security isn’t about design, it’s about reaction

For decades, security was treated like architecture: design, build, inspect, certify. A checklist approach built on plans and paperwork.

Attackers never agreed to that plan, however. They treat defense like physics, applying continuous pressure until something bends or breaks. They don’t care what the blueprint says; they care where the structure fails.

Pentests still matter, but they’re snapshots in motion.

BAS changed that equation. It doesn’t certify a design; it stress-tests the reaction. It runs safe, controlled adversarial behaviors in live environments to prove whether defenses actually respond as they should or not.

As Chris Dale, Principal Instructor at SANS, explains: The difference is mechanical: BAS measures reaction, not potential. It doesn’t ask, “Where are the vulnerabilities?” but “What happens when we hit them?”

Because ultimately, you don’t lose when a breach happens, you lose when the impact of that breach lands.

sıla-blog-video-1_1920x1080.mp4

Then assume a breach and work backward from the outcome you fear the most.

Take Akira, for instance, a ransomware chain that deletes backups, abuses PowerShell, and spreads through shared drives. Replay that behavior safely inside your environment, and you’ll learn, not guess, whether your defenses can break it midstream.

Two principles separated mature programs from the rest:

• Outcome first: start from impact, not inventory.
• Purple by default: BAS isn’t red-versus-blue theater; it’s how intel, engineering, and operations converge — simulate → observe → tune → re-simulate.

As John Sapp, CISO at Texas Mutual Insurance noted, “teams that make validation a weekly rhythm start seeing proof where they used to see assumptions.”

The real work of AI is curation, not creation

AI was everywhere this year, but the most valuable insight wasn’t about power, it was about restraint. Speed matters, but provenance matters more. Nobody wants an LLM model improvising payloads or making assumptions about attack behavior.

For now, at least, the most useful kind of AI isn’t the one that creates, it’s the one that organizes, taking messy, unstructured threat intelligence and turning it into something defenders can actually use.

sıla-blog-video-2_1920x1080.mp4

AI now acts less like a single model and more like a relay of specialists, each with a specific job and a checkpoint in between:

• Planner — defines what needs to be collected.
• Researcher — verifies and enriches threat data.
• Builder — structures the information into a safe emulation plan.
• Validator — checks fidelity before anything runs.

Each agent reviews the last, keeping accuracy high and risk low.

One example summed it up perfectly:

“Give me the link to the Fin8 campaign, and I’ll show you the MITRE techniques it maps to in hours, not days.”

That’s no longer aspirational, it’s operational. What once took a week of manual cross-referencing, scripting, and validation now fits inside a single workday.

Headline → Emulation plan → Safe run. Not flashy, just faster. Again, hours, not days.

Proof from the field shows that BAS works

One of the most anticipated sessions of the event was a live showcase of BAS in real environments. It wasn’t theory, it was operational proof.

A healthcare team ran ransomware chains aligned with sector threat intel, measuring time-to-detect and time-to-respond, feeding missed detections back into SIEM and EDR rules until the chain broke early.

An insurance provider demonstrated weekend BAS pilots to verify whether endpoint quarantines actually triggered. Those runs exposed silent misconfigurations long before attackers could.

The takeaway was clear:

BAS is already part of daily security operations, not a lab experiment. When leadership asks, “Are we protected against this?” the answer now comes from evidence, not opinion.

Validation turns “patch everything” into “patch what matters”

One of the summit’s sharpest moments came when the familiar board question surfaced: “Do we need to patch everything?”

The answer was unapologetically clear, no.

sıla-blog-video-3_1920x1080.mp4

BAS-driven validation proved that patching everything isn’t just unrealistic; it’s unnecessary.

What matters is knowing which vulnerabilities are actually exploitable in your environment. By combining vulnerability data with live control performance, security teams can see where real risk concentrates, not where a scoring system says it should.

“You shouldn’t patch everything,” Volkan Ertürk, Picus Co-Founder & CTO said. “Leverage control validation to get a prioritized list of exposures and focus on what’s truly exploitable for you.”

A CVSS 9.8 shielded by validated prevention and detection may carry little danger, while a medium-severity flaw on an exposed system can open a live attack path.

That shift, from patching on assumption to patching on evidence, was one of the event’s defining moments. BAS doesn’t tell you what’s wrong everywhere; it tells you what can hurt you here, turning Continuous Threat Exposure Management (CTEM) from theory into strategy.

You don’t need a moonshot to start

Another key takeaway from Picus security architecture leaders Gürsel Arıcı and Autumn Stambaugh’s session was that BAS doesn’t require a grand rollout; it simply needs to get started.

Teams began without fuss or fanfare, proving value in weeks, not quarters.

• Most picked one or two scopes, finance endpoints, or a production cluster, and mapped the controls protecting them.
• Then they chose a realistic outcome, like data encryption, and built the smallest TTP chain that could make it happen.
• Run it safely, see where prevention or detection fails, fix what matters, and run it again.

In practice, that loop accelerated fast.

By week three, AI-assisted workflows were already refreshing threat intel and regenerating safe actions. By week four, validated control data and vulnerability findings merged into exposure scorecards that executives could read at a glance.

The moment a team watched a simulated kill chain stop mid-run because of a rule shipped the day before, everything clicked, BAS stopped being a project and became part of their daily security practice.

BAS works as the verb inside CTEM

Gartner’s Continuous Threat Exposure Management (CTEM) model: “Assess, validate, mobilize” only works when validation is continuous, contextual, and tied to action.

This is where BAS lives now.

It’s not a standalone tool; it’s the engine that keeps CTEM honest, feeding exposure scores, guiding control engineering, and sustaining agility as both your tech stack and the threat surface shift.

The best teams run validation like a heartbeat. Every change, every patch, every new CVE triggers another pulse. That’s what continuous validation actually means.

The future lies in proof

Security used to run on belief. BAS replaces belief with proof, running electrical current through your defenses to see where the circuit fails.

AI brings speed. Automation brings scale. Validation brings truth. BAS isn’t how you talk about security anymore. It’s how you prove it.

Be among the first to experience AI-powered threat intelligence. Get your early access now!

Note: This article was expertly written and contributed by Sila Ozeren Hacioglu, Security Research Engineer at Picus Security.

Oct 30, 2025Ravie LakshmananDevSecOps / Software Security

Cybersecurity researchers have uncovered yet another active software supply chain attack campaign targeting the npm registry with over 100 malicious packages that can steal authentication tokens, CI/CD secrets, and GitHub credentials from developers’ machines.

The campaign has been codenamed PhantomRaven by Koi Security. The activity is assessed to have begun in August 2025, when the first packages were uploaded to the repository. It has since ballooned to a total of 126 npm libraries, attracting more than 86,000 installs.

Some of the packages have also been flagged by the DevSecOps company DCODX –

• op-cli-installer (486 Downloads)
• unused-imports (1,350 Downloads)
• badgekit-api-client (483 Downloads)
• polyfill-corejs3 (475 Downloads)
• eslint-comments (936 Downloads)

What makes the attack stand out is the attacker’s pattern of hiding the malicious code in dependencies by pointing to a custom HTTP URL, causing npm to fetch them from an untrusted website (in this case, “packages.storeartifact[.]com”) as opposed to npmjs[.]com each time a package is installed.

“And npmjs[.]com doesn’t follow those URLs,” security researcher Oren Yomtov laid out in a report shared with The Hacker News. “Security scanners don’t fetch them. Dependency analysis tools ignore them. To every automated security system, these packages show ‘0 Dependencies.’”

More worryingly, the fact that the URL is attacker-controlled means that it can be abused by the bad actor to tailor their payloads and serve any kind of malware, and make it more stealthy by initially serving completely harmless code before pushing a malicious version of the dependency after the package gains broader adoption.

The attack chain kicks off as soon as a developer installs one of the “benign” packages, which, in turn, leads to the retrieval of the remote dynamic dependency (RDD) from the external server. The malicious package comes with a pre-install hook that triggers the execution of the main payload.

The malware is designed to scan the developer environment for email addresses, gather information about the CI/CD environment, collect a system fingerprint, including the public IP address, and exfiltrate the results to a remote server.

Koi Security said the choice of the package names is not random, and that the threat actor has resorted to capitalizing on a phenomenon called slopsquatting – where large language models (LLMs) hallucinate non-existent yet plausible-sounding package names – in order to register those packages.

“PhantomRaven demonstrates how sophisticated attackers are getting [better] at exploiting blind spots in traditional security tooling,” Yomtov said. “Remote Dynamic Dependencies aren’t visible to static analysis. AI hallucinations create plausible-sounding package names that developers trust. And lifecycle scripts execute automatically, without any user interaction.”

The development once again illustrates how threat actors are finding novel ways to hide malicious code in open-source ecosystems and fly under the radar.

“The npm ecosystem allows easy publishing and low friction for packages,” DCODX said. “Lifecycle scripts (preinstall, install, postinstall) execute arbitrary code at install time, often without developer awareness.”