Opinion & Analysis
Commentary
Practitioner perspectives on security strategy, threat trends, and industry challenges. Opinionated, argued from experience, and written for professionals in the trenches — not the boardroom.
The Risk Calculus Changed Today
Google's confirmation of the first AI-developed zero-day used in live exploitation is not a warning about the future. It is a statement about the present. The security industry's habit of treating AI-assisted exploitation as a 'horizon threat' just ran out of runway.
CipherWatch Editorial
Security Intelligence Platform
Post-Quantum Cryptography: The Decision Is Not Whether to Migrate, It Is When to Start Counting
Proton Mail's post-quantum encryption launch is another data point in an accelerating migration across email, messaging, and enterprise security platforms. The industry debate has shifted from 'should we?' to 'how urgent is the harvest-now-decrypt-later threat?' For most organisations the answer is more urgent than their current roadmap reflects — because the data being generated today has a longer confidentiality requirement than the planning horizon that informs most security investment decisions.
CipherWatch Editorial
Security Intelligence Platform
AI Platforms Inherited the npm Trust Model and Its Problems Are Arriving on Schedule
A fake OpenAI repository reached #1 trending on Hugging Face and delivered an infostealer to 244,000 users. This was predictable. The AI/ML developer ecosystem adopted the open-publishing, community-trust model of package registries without adopting the hard-won security lessons those registries learned over the past decade. The attack surface Hugging Face presents in 2026 looks remarkably like the attack surface npm presented in 2016.
CipherWatch Editorial
Security Intelligence Platform
Developer Credentials Are the New Supply Chain Entry Point and the Industry Has Not Caught Up
QLNX's Linux RAT specifically harvests npm tokens, PyPI credentials, and cloud provider keys to enable malicious package publishing under the compromised developer's identity. This is not a new threat — it is a threat that has been escalating systematically for three years while the defensive response has been fragmented. The combination of credential-based package publishing and minimal post-publish scrutiny makes the developer credential the most valuable initial access target in software supply chain attacks.
CipherWatch Editorial
Security Intelligence Platform
The ICS Security Debt Is Now in the Middleware Layer, Not Just the PLCs
Eclipse BaSyx's CVSS 10.0 vulnerability is not a story about old OT equipment running Windows XP. It is a story about new, modern, actively maintained open-source ICS infrastructure that was deployed rapidly into Industry 4.0 architectures without the security scrutiny that its network position demands. The security debt in operational technology environments has migrated upward — into the integration and orchestration layer that connects IT and OT.
CipherWatch Editorial
Security Intelligence Platform
Attackers Discovered That Developer Tools Make Better C2 Infrastructure Than Their Own Servers
KidsProtect's use of VS Code Remote Tunnels and Discord webhooks for command-and-control is not a stalkerware quirk — it is the latest example of a systematic shift toward legitimate cloud services as attack infrastructure. When defenders cannot block VS Code tunnels without breaking developer workflows, the standard network-layer controls that security architecture depends on stop working.
CipherWatch Editorial
Security Intelligence Platform
Seven Thousand Ransomware Victims in a Year and We're Still Surprised Every Time
Fortinet's 2026 threat landscape report documents 7,831 confirmed ransomware victims last year — nearly five times the 2024 figure. The industry will spend a week discussing what this means. Then a new disclosure will arrive, and the conversation will move on. The problem is not that we lack threat intelligence. The problem is that threat intelligence is not changing behaviour fast enough to matter.
CipherWatch Editorial
Security Intelligence Platform
Managed File Transfer Is a Permanent Attack Surface and You Should Treat It That Way
MOVEit's latest critical vulnerability is not a surprise — it is the latest instalment in an unending series. The industry keeps treating each managed file transfer vulnerability as an exceptional event requiring exceptional response, when the correct model is to treat MFT platforms as inherently hostile internet-facing infrastructure requiring architectural controls that assume compromise is inevitable.
CipherWatch Editorial
Security Intelligence Platform
Defenders Can't Block Google. That's Why Attackers Are Routing Through It.
AccountDumpling abuses Google AppSheet to deliver phishing. EtherRAT uses Cloudflare and Ethereum nodes for C2. DEEP#DOOR tunnels over Cloudflare. The pattern is consistent: sophisticated attackers have discovered that the fastest route past enterprise security controls is through infrastructure defenders cannot block. The defence posture that assumes blocking bad infrastructure will stop bad traffic is being systematically rendered obsolete.
CipherWatch Editorial
Security Intelligence Platform
The Patch-to-Exploit Window Has Collapsed — cPanel in 48 Hours Is Not an Anomaly, It's the New Baseline
The 'Sorry' ransomware group compromised 44,000 cPanel servers within 48 hours of a critical patch release. The industry still plans patch cycles in weeks. These two realities are incompatible, and the gap between them is where organisations keep getting destroyed.
CipherWatch Editorial
Security Intelligence Platform
AI Didn't Make Attackers Smarter — It Removed the Barrier That Was Keeping Them Small
DPRK's AI-generated npm malware campaign is not remarkable because AI made it more sophisticated. It's remarkable because AI let a small team produce something that would previously have required many more people to build and maintain. The scale constraint on supply chain attacks has just changed fundamentally.
CipherWatch Editorial
Security Intelligence Platform
Your Security Tools Are the Crown Jewels — Attackers Already Know This
A remote code execution vulnerability in Wazuh's SIEM platform is a reminder that security monitoring infrastructure is among the highest-value targets in any enterprise environment. Most security programmes defend it like a server, not like a choke point that controls visibility across the entire estate.
CipherWatch Editorial
Security Intelligence Platform
The Model Context Protocol's Security Debt Is Already Piling Up
MCP's rapid enterprise adoption has outpaced its security design. The protocol was built to solve an integration problem, not a security one — and the debt is accumulating faster than the ecosystem can audit it.
CipherWatch Editorial
Security Intelligence Platform
Security Awareness Training Was Built to Spot Bad Phishing — AI Has Made That Irrelevant
The FTC's $2.1 billion social media fraud figure is not a user education failure. It is evidence that the threat model security awareness training was designed for no longer exists. AI-generated fraud does not produce the observable cues our training teaches users to detect — and the industry needs to acknowledge this before it spends another decade on the wrong solution.
CipherWatch Editorial
Security Intelligence Platform
Managed Identity Is the New Local Admin — and Most Enterprises Haven't Noticed
CVE-2026-26117 in the Azure Arc agent is not just a patching story. It reveals that managed identity has quietly become the most powerful unguarded credential in enterprise infrastructure. We dismantled local admin accounts and hardcoded passwords over the past decade — and then rebuilt the same concentration of privilege under a different name, with even less monitoring attached.
CipherWatch Editorial
Security Intelligence Platform
Lockfiles Don't Protect You When the Maintainer Is the Threat
Three npm supply chain attacks in a single week — Axios, @bitwarden/cli, and CanisterSprawl — have been met with the same industry response: update your lockfile. This is wrong. When the original maintainer account is compromised, a new legitimate-signed version is published, and lockfiles pin to whatever is current, the entire model breaks down. The industry is treating a trust infrastructure failure as a dependency hygiene problem.
CipherWatch Editorial
Security Intelligence Platform
The 13-Hour Problem: Your AI Inference Infrastructure Is Already a Tier-One Target
LMDeploy was exploited 13 hours after its RCE vulnerability was disclosed. Langflow took 20 hours. Marimo lasted days. The pattern is not bad luck — it is the predictable consequence of treating AI inference infrastructure as development tooling while exposing it like a production web server. The window for getting ahead of this has closed.
CipherWatch Editorial
Security Intelligence Platform
AI Inference Frameworks Are a First-Class Attack Surface — and Most Enterprises Are Treating Them Like Research Tools
Two critical AI inference framework vulnerabilities disclosed this week — one exploited within 13 hours, one scoring CVSS 9.8 — reveal an uncomfortable truth: the AI toolchain has become enterprise infrastructure, but most security programmes are still treating it like a research curiosity. That gap is now being actively exploited.
CipherWatch Editorial
Security Intelligence Platform
TeamPCP Has Now Hit Every Developer Distribution Channel. The Pipeline Is the Perimeter.
In six weeks, one supply chain threat group has successfully backdoored GitHub Actions, PyPI, npm, Docker Hub, and the VS Code Marketplace. The security industry's response has been to treat each incident as a separate patching problem. It isn't. It's a systematic demonstration that the developer distribution stack has no defence-in-depth, and that the security controls the industry has built — SCA, SBOM, SAST — operate at entirely the wrong layer.
CipherWatch Editorial
Security Intelligence Platform
When Ransomware Deploys via Group Policy, You Were Already Owned
The Gentlemen ransomware group's use of Group Policy Objects to distribute encryption payloads domain-wide is not just a clever tactic — it's a forensic signal. GPO deployment requires Domain Admin access. The ransomware event you detected was not the attack. It was the end of an attack that was already over.
CipherWatch Editorial
Security Intelligence Platform
The Hallucination Problem in Your AI Security Tools Is Not Getting Fixed
A new paper by Vishal Sikka and Varin Sikka uses settled computational complexity theory to prove that transformer hallucinations and fixed reasoning depth are architectural facts, not engineering failures. For security practitioners building operational dependencies on LLM-based tools, the implication is uncomfortable: the limitations most vendors are implicitly promising to train away cannot be trained away. They are proven.
CipherWatch Editorial
Security Intelligence Platform
AI Has Learned to Find Bugs Faster Than We Can Fix Them
Claude Mythos discovering thousands of zero-days confirms what was already theoretically obvious: AI vulnerability research is orders of magnitude faster than human-paced remediation. The industry's response — private disclosure programmes — is a delay mechanism, not a solution to the structural asymmetry between discovery speed and patch deployment speed.
CipherWatch Editorial
Security Intelligence Platform
The Shared Responsibility Model Is a Liability Shield, Not a Security Framework
McGraw Hill's statement that its Salesforce breach 'appears to be part of a broader issue involving a misconfiguration within Salesforce's environment' exposes what the shared responsibility model actually is: a contractual arrangement that tells you who to blame after a breach, not a security control that prevents one.
CipherWatch Editorial
Security Intelligence Platform
Patch Tuesday Is Not a Patching Programme
Every second Tuesday, the industry runs a collective sprint to triage, test, and deploy hundreds of Microsoft patches before the next cycle begins. We call this a patching programme. It isn't. It's a treadmill — and the real security question is whether we're measuring the right thing.
CipherWatch Editorial
Security Intelligence Platform
Security Awareness Training Is Solving the Wrong Problem
We spend billions every year teaching employees not to click malicious links. The same employees work in environments where clicking a malicious link can collapse the company. The problem isn't the clicking.
CipherWatch Editorial
Security Intelligence Platform
TOTP MFA Is Security Theatre and We Need to Admit It
Adversary-in-the-Middle toolkits that defeat time-based one-time passwords are commercially available for under £400. The security industry's continued recommendation of TOTP as meaningful phishing protection is not a minor technical nuance — it is a significant misrepresentation of what MFA actually protects against in 2026.
CipherWatch Editorial
Security Intelligence Platform
The CISO Role Is Structurally Broken — and Fixing It Requires Honesty About Why
The average CISO tenure is 18 to 26 months. We treat this as a talent pipeline problem. It isn't. It's a governance problem that the industry has been unwilling to name clearly for fifteen years.
CipherWatch Editorial
Security Intelligence Platform
The Threat Intelligence Report That Nobody Reads
Most organisations have a threat intelligence subscription. Fewer have a threat intelligence programme. The gap between the two is not a budget problem — it is a clarity problem about what intelligence is actually for, and it costs the industry significantly in both money and security posture.
CipherWatch Editorial
Security Intelligence Platform
Vendor Security Ratings Are a Confidence Trick — And We Keep Buying Them
The third-party security ratings industry has built a billion-dollar business on a simple premise: that an outside-in scan of your suppliers' infrastructure tells you something meaningful about their security posture. It doesn't. And the gap between what these tools imply and what they deliver is creating a false sense of supply chain security in boardrooms everywhere.
CipherWatch Editorial
Security Intelligence Platform
Ransomware in Healthcare Is a Patient Safety Crisis, Not an IT Problem
The ransomware attack on ChipSoft paralysing 80% of Dutch hospitals and the Anubis attack on Signature Healthcare this week are not data breach incidents with clinical inconvenience as a side effect. They are patient safety events. The healthcare sector's continued treatment of ransomware as a cybersecurity problem rather than a clinical risk is costing lives.
CipherWatch Editorial
Security Intelligence Platform
BYOVD Is a Commodity Technique Now — Your EDR Vendor Knows
Qilin's Warlock toolkit, capable of disabling over 300 security tools using Bring Your Own Vulnerable Driver techniques, is not a nation-state capability — it is an affiliate-accessible ransomware tool. EDR is a necessary control. It is not a sufficient one, and the industry's marketing has outpaced what the technology can actually guarantee.
CipherWatch Editorial
Security Intelligence Platform
Active Directory Keeps Getting Owned Because We Keep Letting It
A Kerberos authentication bypass and an Active Directory privilege escalation were both patched this week, adding to a multi-year catalogue of critical flaws in Microsoft's foundational identity infrastructure. The problem is not that Microsoft keeps shipping vulnerabilities — it is that organisations keep deploying Active Directory in configurations that maximise their exposure when those vulnerabilities arrive.
CipherWatch Editorial
Security Intelligence Platform
Ransomware Has Industrialised — Your Response Strategy Probably Has Not
Qilin's 131 confirmed victims in March alone is not a spike — it is what a mature criminal enterprise operating at scale looks like. The ransomware ecosystem has industrialised completely, with dedicated development, HR, and affiliate management functions. Enterprise response strategies built for a different threat model are overdue for review.
CipherWatch Editorial
Security Intelligence Platform
AI Infrastructure Is Accumulating Security Debt Faster Than Anyone Admits
LangFlow's actively exploited remote code execution vulnerability and this week's LiteLLM supply chain attack are not isolated incidents — they are early symptoms of an ecosystem that has scaled faster than its security practices. Organisations deploying AI infrastructure are inheriting technical debt they have not yet been asked to account for.
CipherWatch Editorial
Security Intelligence Platform
Your CI/CD Pipeline Is Now a Primary Attack Surface
Two supply chain attacks this week — one against a widely-used vulnerability scanner, another poisoning an AI framework via PyPI — targeted the tools developers trust without question. CI/CD pipelines and open-source tooling are not peripheral attack surfaces. They are the path of least resistance into production.
CipherWatch Editorial
Security Intelligence Platform
The KEV List Is Not a Vulnerability Management Strategy
CISA's Known Exploited Vulnerabilities catalogue has become the de facto patch priority list for thousands of organisations — most of whom had no coherent strategy before it arrived. Treating the KEV list as a vulnerability management programme is a category error that leaves organisations systematically exposed to everything that has not yet been exploited.
CipherWatch Editorial
Security Intelligence Platform