< ciso
brief />
Tag Banner

All news with #vulnerability management tag

213 articles · page 4 of 11

Amazon Inspector Now Available in Asia Pacific (Taipei)

🔔 AWS has launched Amazon Inspector in the Asia Pacific (Taipei) Region, extending automated vulnerability management to customers there. The service continuously scans Amazon EC2 instances, container images pushed to Amazon ECR, and AWS Lambda functions for software vulnerabilities and unintended network exposure across an AWS Organization. New accounts are eligible for a 15-day free trial that performs full scans of eligible resources at no cost. After the trial, usage is billed according to public Amazon Inspector pricing.
read more →

GitHub reduces low-impact bounties as AI submissions surge

🔒 GitHub is shifting low-impact bug bounty payouts from cash to swag and asking researchers to stop submitting low-quality or out-of-scope reports. The company says a sharp rise in submissions—exacerbated by generative AI tools—has produced many reports that don’t show meaningful security impact. GitHub welcomes AI-assisted research but requires human validation of AI-generated findings and will exclude certain report types from rewards. The change aims to speed triage and prioritize substantive vulnerabilities.
read more →

Critical Microsoft Vulnerabilities Double; Privilege Risk

🔍 The BeyondTrust 2026 Microsoft Vulnerabilities Report shows Microsoft disclosed 1,273 vulnerabilities in 2025, while critical flaws doubled from 78 to 157 year‑over‑year. The data highlights a concentration in Elevation of Privilege (40% of CVEs) and a 73% increase in Information Disclosure, signaling attacker focus on stealth and reconnaissance. Cloud and Office-critical bugs spiked, expanding potential blast radii beyond mere data leaks. Authors recommend prioritizing privilege reduction, identity visibility, and contextual remediation over patching alone.
read more →

AI-Driven Scanning Raises Vulnerability Expectations

🔍 ENISA chief Hans de Vries told ESET World that AI-powered vulnerability scanners mean firms can no longer claim ignorance of software bugs. He warned that the Cyber Resilience Act and emerging AI tools require security by design and that failure to use AI coherently risks exploitation and litigation. The NCSC also expects AI to expose poorly coded systems while vendors adopt AI to remove flaws.
read more →

Why Organizations Need a Vulnerability Operations Center

🔎 A Vulnerability Operations Center (VOC) centralizes how organizations qualify, prioritize, and drive remediation to turn vulnerability findings into measurable risk reduction. Unlike legacy vulnerability management, which relies on periodic scans and severity scores, a VOC applies exposure management, governance, and cross‑team coordination to focus remediation on reachability, exploitability, and business impact. VOC teams track execution KPIs, enforce SLAs, and work alongside SOCs to shift organizations from reactive patching to continuous prevention.
read more →

Preparing for an Imminent Surge in Software Patching

🔧 Cisco Talos argues that rapid advances in AI-driven code analysis will soon expose decades of latent software defects, triggering a likely surge in vulnerability disclosures and urgent patches. While AI can augment human reviewers by scanning code at scale, threat actors will also use these tools to find exploits. Organizations should reassess patch prioritization, scale deployment processes, and plan for systems that cannot be quickly patched. Talos recommends zero trust, centralized logging, PowerShell script block logging, and updated incident response playbooks.
read more →

Amazon RDS for PostgreSQL Adds Latest Minor Versions

📢 Amazon RDS for PostgreSQL now supports minor versions 18.4, 17.10, 16.14, 15.18, and 14.23. We recommend upgrading to these latest minor versions to remediate known security vulnerabilities and benefit from community bug fixes and improvements. This release also adds postgis_topology support in PostGIS 3.6.3 for PostgreSQL 18 to model and query topological relationships. Use automatic minor upgrades, AWS Organizations Upgrade Rollout Policy, or RDS Blue/Green deployments to orchestrate large-scale, low-downtime upgrades.
read more →

Kaspersky Container Security: Practical Team Insights

🔒 Kaspersky Container Security (KCS) is presented as a comprehensive platform that reaches beyond registry image scanning to secure container workflows across development and production. The Product Security Team uses KCS in CI/CD pipelines, registry correlation, and cluster runtime monitoring to tie findings to specific artifacts, pipelines, and scan times. KCS computes risk ratings, supports SBOM processing, and produces reports in SARIF, CycloneDX, SPDX and standard formats to integrate with AppSec and internal tooling.
read more →

Assessing the Risks of Anthropic’s Mythos AI Capabilities

🔍 Anthropic’s announcement that Claude Mythos Preview will not be released publicly underscores both genuine capability and strategic constraint. Independent testing and reproductions suggest similar performance from OpenAI’s GPT-5.5 and smaller community models, while Mythos’ cost and corporate incentives shape access. These generative systems dramatically improve automated vulnerability discovery, empowering both attackers and defenders. Mozilla’s use found 271 flaws, but many devices remain unpatchable, so organizations must adapt quickly.
read more →

Microsoft MDASH: Multi-Model AI for Vulnerability Discovery

🛡️ Microsoft introduced MDASH (multi-model agentic scanning harness), a model-agnostic AI system in limited private preview designed to discover, validate, and prove exploitable defects in large codebases. The system orchestrates more than 100 specialized agents across frontier and distilled models in a structured pipeline that builds threat models, runs auditor and debater stages, groups equivalent findings, and proves vulnerabilities. Microsoft reports MDASH uncovered 16 issues fixed in this month’s Patch Tuesday, including two critical Windows networking and authentication flaws.
read more →

Microsoft's MDASH AI Finds 16 Windows Vulnerabilities

🔍 Microsoft disclosed MDASH, an AI-driven vulnerability discovery system that found 16 previously unknown Windows flaws, including four critical remote code execution bugs that were patched as part of the May 12 Patch Tuesday release. Built by the Autonomous Code Security and Windows Attack Research teams, the platform orchestrates more than 100 specialized AI agents across multiple models to scan, validate and construct triggering inputs before human review. Microsoft said MDASH is intentionally model-agnostic and will enter private enterprise preview next month.
read more →

GPT-5.5 Matches Mythos in Security Vulnerability Tests

🔍 The UK’s AI Security Institute evaluated GPT-5.5’s ability to identify software security vulnerabilities and concluded it performs comparably to Claude Mythos, based on a series of red-team style tests and benchmark prompts. The assessment highlights that GPT-5.5 is generally available from OpenAI, making high-quality automated vulnerability detection more accessible to organizations and researchers. The Institute also analyzed a smaller, cheaper model which, when given additional prompting scaffolding and careful supervision, delivered similar detection performance. Overall, the study suggests parity among leading LLMs for initial vulnerability discovery, with differences largely hinging on prompt engineering and deployment context.
read more →

Breaking Things to Keep Them Safe: Philippe Laulheret

🔍 In this Humans of Talos interview, Senior Vulnerability Researcher Philippe Laulheret explains how his lifelong curiosity and Capture The Flag experience led him from French engineering school to a career in ethical hacking. He describes selecting research targets, reverse engineering techniques, and memorable tests—like bypassing a fingerprint reader with a green onion—to find flaws before adversaries exploit them. Philippe also contrasts the methodical reality of research with movie portrayals and outlines his path through industry roles to Talos.
read more →

Microsoft's MDASH: Multi-Model Agentic Security System for Windows

🔒 Microsoft announced MDASH, a multi-model agentic scanning harness that orchestrates over 100 specialized AI agents to discover, validate, and prove exploitable bugs in Windows. In internal tests it found 21 of 21 seeded driver vulnerabilities with zero false positives and achieved an industry-leading 88.45% score on the CyberGym benchmark. The harness produced 16 CVEs in today’s Patch Tuesday across networking and authentication stacks, including four Critical remote code execution flaws, and is in limited private preview with select customers.
read more →

AWS Security Agent: Full Repository Code Review Launch

🔒 AWS today introduced full repository code review in AWS Security Agent, a capability that performs deep, context-aware security analysis across entire codebases. Unlike traditional static scanners, it reasons about architecture, trust boundaries, and data flows to surface systemic vulnerabilities. When issues are identified, the scanner generates file- and line-specific remediation guidance and exploit proofs-of-concept to accelerate fixes; preview access is available at no extra charge in all Regions.
read more →

Patching SLAs Should Be the Minimum, Not the Strategy

🔒 The author warns that relying on patching SLAs creates a misleading dashboard: SLAs show ticketing discipline, not true exposure. Easy, agent-patchable items keep scores green while legacy systems and architectural flaws remain in exception queues. Drawing on experience as a CISO and industry reports, the piece promotes cyber risk quantification to express exposures in dollars. It recommends treating SLAs as a floor, tightening exception hygiene, and funding remediation.
read more →

OpenAI launches Daybreak to harden software defenses

🛡️ OpenAI announced Daybreak, a cybersecurity initiative that combines GPT-5.5 family models with Codex Security to identify, test, and propose fixes for vulnerabilities before attackers exploit them. Daybreak builds editable threat models, runs isolated vulnerability tests, and suggests prioritized remediation and patch validation. Access is tightly controlled and available by request, and major vendors are integrating under Trusted Access for Cyber.
read more →

CISA Adds KEV Entry for BerriAI LiteLLM SQLi Risk Now

🔔 CISA added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-42208, a SQL injection affecting BerriAI LiteLLM. The agency cites evidence of active exploitation and notes that SQLi remains a common, high-risk vector. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed flaws by their due dates. CISA urges all organizations to prioritize timely remediation as part of routine vulnerability management.
read more →

Pen Tests Reveal AI Flaws More Severe Than Legacy Bugs

🔒 Penetration testing shows AI and LLM deployments contain a disproportionate share of severe vulnerabilities. Cobalt’s State of Pentesting Report finds 32% of LLM findings rated high risk versus 13% for legacy enterprise tests, and only 38% of those high-risk LLM issues are remediated. Experts point to emerging attack surfaces — notably prompt injection, now OWASP’s top LLM risk — broader blast radii from model integrations, and fragmented ownership for fixes. Recommended countermeasures include threat modeling, red teaming, least-privilege access, strict output validation, and human approval gates for high-consequence actions.
read more →

Refresh Timing Risks: CVE Exposure in Aging Servers

🔍 A healthcare customer bought servers in 2017 and, due to COVID-era lifecycle extensions and current supply-chain bottlenecks, now faces expiring vendor support and long lead times that prevent timely hardware refresh. The article recommends building a complete inventory using scanners (Nessus, Qualys, Rapid7, Greenbone/OpenVAS), network discovery (Nmap) and device fingerprinting (runZero), then mapping assets to NVD and CISA Known Exploited Vulnerabilities (KEV). Use a weighted risk formula to prioritize remediation and sort systems into immediate, managed, and monitored tiers. Document risk acceptance, deploy compensating controls where needed, and consider continuous monitoring with Wazuh.
read more →