All news with #vulnerability management tag

🔍 The State of Trusted Open Source report analyzes Chainguard customer usage and security data from Dec 1, 2025 through Feb 28, 2026, covering 2,200+ container image projects, 33,931 fix instances, and 377 unique CVEs. It shows AI-driven development accelerating adoption of Python and PostgreSQL, broader standardization around language ecosystems, and the rise of chainguard-base as a minimal foundation. Vulnerability discovery and remediation scaled dramatically—unique CVEs rose 145% and fixes tripled—while median remediation time remained about 2.0 days. The report highlights persistent long-tail risk and a notable increase in FIPS-driven adoption.

🔐 AI is rapidly reshaping how software is written, deployed, and consumed, pointing toward a future of on-demand "instant software" that is created and discarded as needed. The essay examines how improved AI tools will change the attacker/defender dynamic by automating both vulnerability discovery and, potentially, patch creation. It highlights particularly exposed areas such as IoT and legacy industrial systems and outlines several key unknowns—AI effectiveness on closed-source code, patch reliability, update lag, coordination of defenses, and risks of poisoning or social-engineering attacks. The author sketches optimistic scenarios (self-healing networks, rapid coordinated patching) while warning that attackers will adapt by targeting unpatchable legacy code and human elements.

🔒 AWS announced general availability of AWS Security Agent for on-demand penetration testing in six AWS Regions. The service runs autonomous, persistent AI agents that discover, validate, and report vulnerabilities using sophisticated multi-step attack scenarios tailored to each application, producing CVSS scores, reproduction steps, and remediation guidance. Previewed at re:Invent 2025, it aims to convert periodic manual testing into a continuous, scalable capability and supports multicloud and on-premises environments. New customers can try a 2-month free trial and review pricing and documentation to get started.

🤖 AI-assisted triage is changing vulnerability workflows and forcing organizations to redesign ownership and decision-making. By enriching findings with exploitability indicators, ownership metadata and business-impact signals, AI platforms accelerate detection and reduce manual triage. Security teams must shift from routine investigation to governing models, defining owners, and maintaining human checkpoints for high‑risk actions. Treat AI-driven features as first-class risk surfaces and assign clear owners for model behavior, prompt safety and misuse prevention.

🛡️Research by Absolute Security finds endpoint cybersecurity software fails to protect one in five enterprise devices, creating an equivalent of 76 days per year of increased exposure to attackers. The 2026 Resilience Risk Index, published March 23, ties this gap to patch delays and rising endpoint complexity, with 24% of vulnerability platforms out of compliance. The report urges stronger enforcement of patch and update policies to reduce downtime and remediation costs.

🛑 Google will no longer accept AI-generated bug reports for the Open Source Software Vulnerability Reward Program it funds, citing a rising number of low-quality submissions that often contain hallucinated exploit paths or issues with minimal security impact. To reduce triage overhead, some reward tiers will now require higher-quality proof such as an OSS-Fuzz reproduction or a merged patch. Google says this will help teams focus on high-impact, verifiable vulnerabilities. Separately, the company is contributing to programs that use AI constructively to strengthen open-source security.

🛡️ Amazon Inspector adds agentless Windows EC2 vulnerability scanning, extending detection to Windows OS issues as well as common applications and packages like WordPress, Apache HTTP Server, Python packages, and Ruby gems. Customers receive findings automatically with no configuration changes. Inspector also replaces per‑CVE Windows findings with consolidated Windows Knowledge Base (KB) findings that group CVEs by patch and surface the highest CVSS, EPSS, and exploit availability. These capabilities are available in all AWS Regions.

🔍 Rapid7's 2026 Global Threat Landscape Report finds AI and automation compressed the window between vulnerability disclosure and exploitation in 2025, turning what once unfolded over weeks into days or even minutes. The median time to inclusion on CISA's Known Exploited Vulnerabilities catalog fell from 8.5 days to five, and the mean dropped from 61 to 28.5 days. Confirmed exploitation of CVSS 7–10 flaws rose 105% YoY to 146 incidents, with deserialization, authentication bypass and memory corruption among the most targeted issues. Rapid7 urges CISOs to adopt pre-emptive security that reduces attack surface, prioritizes material risk and improves contextual detection and response.

🔒 AWS Security Agent now lets users generate and download customizable penetration testing reports in PDF format. Reports include an executive summary, test scope and methodology, task details, and comprehensive findings with vulnerability data and risk assessments. Users can filter outputs by risk and confidence levels, finding and task status, and risk types to tailor reports for executives, engineers, or auditors. The capability is intended to accelerate on-demand pentesting from weeks to hours and simplify cross-team review and sharing.

🔒Google and industry partners are committing $12.5 million through the Linux Foundation's Alpha-Omega Project and OpenSSF to strengthen open source security for the AI era. The funding targets maintainer support, moving beyond vulnerability discovery to accelerated deployment of fixes and equipping projects with advanced AI-driven tooling to triage and remediate AI-generated findings. Google highlights internal tools such as Big Sleep and CodeMender, and research like Sec-Gemini, as examples of AI that can autonomously find and fix deep vulnerabilities.

⚠️ Boards and executive teams can no longer treat large vulnerability backlogs as a tolerable nuisance: agentic AI has collapsed attackers’ cost and speed of exploitation. Security leaders must present operational truth — not just compliance metrics — about current High and Critical findings, remediation timelines, and exposure costs. Boards should demand measurable remediation programs and a plan to reduce vulnerability accrual at the source. Regulation such as CRA and DORA raise legal and financial stakes, and 'patch faster' is not a complete answer when emergency fixes risk production outages.

⚠️ The Cloud Threat Horizons report from Google Cloud's Office of the CISO warns that AI-assisted exploitation has compressed the window from vulnerability disclosure to active attacks from weeks to days. In H2 2025, third-party software flaws became the leading initial access vector, surpassing weak credentials. The report urges automated defenses, identity-based controls, and tamper-resistant logging to improve forensic readiness.

🔐 Google Cloud's H1 2026 Threat Horizons Report finds that in the second half of 2025 threat actors shifted from credential-based access to exploiting unpatched third-party software. Third-party software entry rose to 44.5% of primary vectors (up from 2.9%), while credential abuse declined to 27.2%. Google highlights React2Shell (CVE-2025-55182) as a heavily exploited RCE and recommends automated defenses, stronger identity controls and WAF protections to mitigate rapid post-disclosure attacks.

🛡️ The window to respond to critical vulnerabilities is collapsing: disclosure-to-exploit can be as short as 24–48 hours today and is projected to shrink to minutes by 2028. Many organizations unknowingly expose unnecessary internet-facing services, turning unpatched systems into immediate attack opportunities. Intruder’s Head of Security recommends deliberate attack surface reduction through robust asset discovery, treating exposure as its own risk category, and continuous monitoring to prevent frantic, last-minute remediation.

🔁 I replaced annual manual penetration tests with continuous automated platforms to gain immediate, repeatable validation and rapid retesting. Platforms like Pentera and Horizon3.ai’s NodeZero simulated black‑box, grey‑box, and custom scenarios on a fortnightly cadence, increasing testing from a single yearly engagement to at least 38 automated simulations annually. This change improved ROI, shifted prioritization from CVSS severity to real attack paths, exposed misconfigurations and ineffective controls, and accelerated team learning and SOC validation.

🔍 OpenAI's Codex Security AppSec agent flagged over 11,000 high-severity and critical flaws during a 30-day research test, including about 800 critical issues across more than 1.2 million scanned commits. Built to act like a security researcher rather than a static scanner, it maps attack paths, verifies exploitability in sandboxes, and proposes fixes as easy-to-accept patches. Early access partners such as Netgear reported improved review workflows, and OpenAI has already coordinated fixes and CVEs for multiple open-source projects.

🔒OpenAI on Friday began rolling out Codex Security, an AI-powered security agent that finds, validates, and proposes fixes for vulnerabilities. The feature is available in a research preview to ChatGPT Pro, Enterprise, Business, and Edu customers via the Codex web and will be free for the next month. During its beta, the agent scanned more than 1.2 million commits, identifying 792 critical and 10,561 high-severity findings across multiple open-source projects. OpenAI says the offering combines frontier-model reasoning with automated validation to reduce false positives and deliver actionable fixes.

📌 Cisco Talos' 2025 retrospective finds 48,196 CVEs (≈132 per day) and highlights persistent root causes—XSS, SQL injection, and insecure deserialization—responsible for roughly 10,000 vulnerabilities. Known Exploited Vulnerabilities rose ~30% to 241, with many affecting network devices and an expanded vendor set of 99, underscoring patching and supply-chain visibility challenges. The author stresses prioritized patch management, accurate asset inventories, and compensating controls (microsegmentation, network isolation, enhanced monitoring) for unpatchable systems, and also notes a near-doubling of AI-related CVEs.

🔒 The UK’s new vulnerability monitoring service (VMS) continuously scans more than 6,000 public bodies, detecting around 1,000 vulnerability types and processing roughly 400 confirmed findings a month. The service reduced median remediation for general vulnerabilities from 53 to 32 days and cut DNS fix times from 50 to eight days. VMS provides specific, actionable guidance and tracks issues until closure, while the government pairs the platform with a £210m Cyber Action Plan and a new Cyber Profession to address skills gaps.

🔍 For years organizations have relied on CVSS scores as the default measure of vulnerability severity, but severity does not equal operational risk. High CVSS numbers can misdirect remediation efforts while lower-scored but actively exploited flaws pose greater danger. KEV lists are useful yet inherently reactive; effective prioritization demands multi-source threat intelligence and real-time exploitation telemetry to focus fixes where they reduce true risk.