โŒ

Normal view

Felons, Fraudsters Flog Offensive Cybersecurity Startup

8 July 2026 at 14:31

A cybersecurity startup dangling millions of dollars to acquire zero-day security vulnerabilities in popular software is run by a pair of far-right conspiracy theorists and convicted felons whose most recent ventures included fake intelligence companies and a now-defunct AI-based lobbying platform they operated under assumed names.

The X/Twitter account IRIS C2 (@C2IRIS) has gained more than 4,000 followers since its creation in January 2025, posting frequently about security vulnerabilities, AI and software exploits. IRIS C2 says it is a company in McLean, Va. that sells offensive cybersecurity capabilities.

The IRIS C2 website dangles the possibility of million-dollar payouts for exploits to attract talent.

โ€œOur business model is this,โ€ reads a pinned post on top of the IRIS C2 account on X. โ€œAttract the very best vulnerability researchers and exploit developers in the world to join our company. This mostly revolves around junior engineers with raw talent/extremely high IQ. We donโ€™t care if they have a college degree/industry experience.โ€

The website linked in that profile โ€” irisc2[.]com โ€” says the company is hiring for a number of open positions, and a recent post on its LinkedIn page enthuses about an overwhelming number of applications from potential employees. The website claims IRIS C2 is in the business of acquiring โ€œzero-day exploits, individual primitives, partial chains, and full capabilities across all major platforms. Payouts range from $10,000 to $7 million depending on target, reliability, and operational value.โ€

The government contracting portal g2exchange.com reports that irisc2[.]com is operated by a business based in Virginia called Calvexa Group LLC. The โ€œcontactโ€ link on the website for Calvexa Group โ€” calvexagroup[.]com โ€” forwards visitors to irisc2[.]com. G2Exchange shows that while Calvexa Group LLC is registered as a federal contractor, it does not appear to be working on any direct government contracts.

A search on the Arlington, Va. address listed in the incorporation records for Calvexa Group LLC finds the property is occupied by Jack Burkman, the 60-year-old founder and managing partner of the lobbying firm Burkman & Associates. When approached with questions about IRIS C2, Burkman referred further inquiries to his longtime associate, 28-year-old Jacob Wohl.

Jack Burkman (left) and Jacob Wohl, at a press conference in August 2020. Image: Wikipedia.

Burkman and Wohl have a storied history of creating fake intelligence companies and using them to spread false claims about and frame public figures, including fabricated sexual assault claims against then FBI director Robert Mueller, and Pete Buttigieg, then mayor of South Bend, Indiana and a Democratic candidate for the presidency. In 2019, Burkman and Wohl held press conferences falsely alleging extramarital affairs by Sen. Elizabeth Warren (D-Mass.) and then-2020 presidential candidate Kamala Harris.

In the wake of the 2020 presidential election, Wohl and Burkman were prosecuted by multiple U.S. states for making thousands of robocalls to residents of battleground states and disseminating false claims about mail-in ballots. They were indicted in Cleveland on 15 felony counts of orchestrating a robocall scheme aimed at suppressing the black vote in Detroit, and were sentenced in late 2025 to probation after their appeals to dismiss the charges were rejected.

In 2022, Wohl and Burkman both pleaded guilty to a single felony charge of telecommunications fraud in Ohio, and sentenced to a fine, probation, and community service. In March 2023, a judge in a New York civil case ruled that Wohl and Burkman had violated federal and state civil rights laws, and the two agreed to pay a $1 million settlement.

In June 2023, the Federal Communications Commission (FCC) imposed a $5.1 million fine against Wohl and Burkman for their robocall campaigns, at the time the largest fine ever sought by the FCC under the Telephone Consumer Protection Act.

Jacob โ€œJayโ€ Wohlโ€™s GitHub account.

By the age of 17, Wohl had started multiple investment firms, and cultivated the nickname โ€œWohl of Wall Streetโ€ after appearing on Fox News in 2015 to discuss his new hedge funds. In 2017, the Arizona Corporation Commission charged Wohl and his investment funds with 14 counts of securities fraud, and ordered him to pay $35,000 in restitution. In 2019, Wohl pleaded guilty in California to four felony counts of selling unregistered securities and was sentenced to two years of probation.

The market for previously unknown security vulnerabilities has always been populated by a colorful mix of researchers, academics, charlatans, clout-chasers and people actively involved in cybercrime communities. But the market for selling offensive security services to the U.S. government tends to be far more circumspect. Plenty of government contractors recruit vulnerability researchers and pay for the exclusive rights to novel software exploits, yet none of them do so quite as brazenly and openly as IRIS C2.

Recent posts from the Twitter/X account IRISC2 (@c2iris).

Indeed, KrebsOnSecurity was unaware of IRIS C2 until last month, when an attendee at a regional cybersecurity conference shared that Wohl and Calvexa Group were pestering people at the conference about selling their vulnerability research.

In an interview with KrebsOnSecurity, Wohl said Mr. Burkman was not involved in the day-to-day operations of IRIS C2. Wohl shared that IRIS C2 originally began as a penetration testing company, but shifted its focus recently to selling phone-hacking services to the government. Several times throughout the interview, Mr. Wohl mentioned working on federal government contracts, but when pressed for specifics said he was not at liberty to speak publicly about them.

Mr. Wohl said he does not have any formal education or training in computer science or information security, and that most of his knowledge on the matter is self-taught.

โ€œI know more about tech than anyone,โ€ Wohl bragged. โ€œMy background has always been extremely technical, and Iโ€™ve always been deeply into tech. People know me as someone who is able to create spectacularly exquisite capabilities that would make your head spin.โ€

Wohl said security researchers bring the company unique vulnerability findings โ€œon a regular basis,โ€ but that in many cases those findings are preliminary and not fully fleshed-out.

โ€œLetโ€™s say someone finds a flaw in a media decoder on a phone,โ€ Wohl said. โ€œA lot of times what we receive is an exploit primitive, where the idea is there but the [execution] needs work. You need that exploit to be stable and reliable, and thatโ€™s what we do.โ€

Wohl claims IRIS C2 has approximately 40 employees, although he said none of them are allowed to list their employment on LinkedIn for operational security reasons. In May, the author of the IRIS C2 account on X said that his girlfriend had no idea what he did for a living. But if IRIS C2 has any other employees, they may be similarly unaware of Mr. Wohlโ€™s history of outright fabrications โ€” or even his real name.

In September 2024, Politico reported that Burkman and Wohl were bragging about big companies supposedly buying services from their now-defunct company LobbyMatic, which claimed to use artificial intelligence to assist in political lobbying efforts. However, Politico found the pair were running the company using pseudonyms, with Wohl reportedly adopting the name โ€œJay Kleinโ€ and Burkman using the moniker โ€œBill Sanders.โ€ Politico reported that two of the former LobbyMatic employees resigned after learning of their true identities, while other employees only learned after they had left the company.

Update, July 9, 9:44 a.m. ET: Several readers pointed our attention to a March 31 publication from journalist Molly White, which reported that Burkman and Wohl were paid a $300,000 retainer by a Canadian cryptocurrency fraudster wanted by the United States and several other countries for allegedly stealing $65 million from the crypto platforms KyberSwap and Indexed Finance. According to that report, the two were hired to pursue a โ€œpresidential pardon to avert a miscarriage of justiceโ€ on behalf of the accused hacker, who has not yet been convicted.

Insufficient Egress Filtering: How Weak Outbound Controls Enable Attacks

Insufficient egress filtering is a commonly identified vulnerability found during BHIS penetration tests. The insufficient egress filtering finding indicates that network traffic leaving the organizationโ€™s environment is not properly restricted.

The post Insufficient Egress Filtering: How Weak Outbound Controls Enable Attacks appeared first on Black Hills Information Security, Inc..

How AI and Evasion Demand a Radical Shift in Network Threat Prevention

The Future of Threat Defense Resides at the IP Layer

For years, network security operated on a relatively predictable premise: inspect traffic, identify malicious content, and block it. Because deep content inspection created a seemingly robust defense in depth, relatively static legacy approachesโ€”like reliance on threat intelligence feedsโ€”were allowed to simply persist in the background.

The weaponization of agentic AI and highly evasive techniques has fundamentally shattered that model. Attackers are no longer just iterating on old threats. They are launching attacks at staggering velocity, completely outpacing threat feeds, and employing evasion tactics that actively starve legacy prevention solutions of the content they rely on to inspect.

Our new research report from Unit 42, Attackers Are Evading Threat Prevention at the Internet Edge, reveals how adversaries are actively exploiting the contextual vacuum at the IP layer to bypass standard security controls. For security leaders, understanding this shift is no longer optional. As the nature of the threat fundamentally changes, our strategic approach to network security must definitively change with it.

The AI-Accelerated, Evasive Attack Lifecycle

To understand why legacy defenses are failing, we must look at how adversaries are accelerating and obfuscating every stage of the attack lifecycle. As these threats progress, the commonly used network indicators we have long relied upon are vanishing, collapsing traditional defenses and leaving defenders with little to act on.

Powered by frontier AI, adversaries now automate reconnaissance and exploitation at huge scale and speed, while using anonymizers to mask their intent. Once an intrusion is launched, orchestration shifts to highly evasive command and control (C2). Attackers hide communications using advanced encryption and AI-built malware-less techniques. Theyโ€™re also bypassing traditional web and DNS inspection entirely by routing traffic directly to IP addressesโ€”a tactic Unit 42 found in 23% of modern malware

Ultimately, the takeaway is clear: network threat prevention can no longer rely solely on detecting malicious payloads. As AI-driven attacks continue to minimize their footprint, security strategies must augment content inspection with real-time IP layer monitoring to left-shift threat detection and counter these rapid, machine-speed threats at the network foundation.

Existing Approaches Arenโ€™t Working

Where content-based detection falls short, many security vendors and organizations still rely on IP threat intelligence feeds to pick up the slack in an attempt to filter out malicious connections on the network layer. However, after years of operating under this model, the results are inโ€”the traditional feed is showing its age.

Attackers have long relied on proxies, anonymizers, residential routers and public cloud providers as a tactic to evade detection. However, agentic AI morphs this process, enabling rapid infrastructure rotation and stealth at an unprecedented scale. As this autonomous evasion accelerates, experienced network defenders continue to run into the well-known limitations of classic IP blocklists:

  • Too slow to keep pace: Unit 42 found an average 20-day lag time before new threats hit popular feeds. Because agentic AI enables adversaries to autonomously rotate proxy IPs in hours, these lists are obsolete at the moment of delivery.
  • Fundamentally incomplete: IP feeds are unable to see a massive portion of the modern attack surface. Unit 42 research indicates that 52% of malicious IPs used for direct-to-IP connections are completely absent from these lists.
  • Unactionable on shared infrastructure: Even known threats are often impossible to block. The Unit 42 team reports that 37% of direct-to-IP traffic uses reputable CDNs and cloud providers. IP feeds cannot distinguish malicious connections from legitimate ones, making blocking too risky for business continuity.
  • A management nightmare: Among the security teams that Unit 42 polled, 30% indicate resource-intensive vetting and false-positive triage as their top pain point. To avoid breaking legitimate traffic, feeds are frequently relegated to an alert-only mode, defeating the entire purpose of prevention.

If modern and agentic AI-enabled attacks can outrun traditional network payload-based detections, we need a new weapon in the network defenderโ€™s arsenal. We can no longer depend on yesterdayโ€™s IP feeds to secure such an extremely agile threat environment.

The Blueprint for Modernizing the Internet Edge

To outpace the impact of agentic AI and advanced evasion on network threat prevention, security leaders must redefine their defense strategy and shift-left to track the attacker infrastructure itselfโ€”monitoring the exact IP layer locations where adversaries build and control their campaigns. Deep content inspection remains essential, but securing the modern edge requires establishing the context and intent of a connection before a session is established.

To achieve this goal, organizations must move beyond the limitations of static defense and adopt a modern security blueprint:

  • Proactive protection against attacker infrastructure: While high-quality threat feeds remain essential for SOC investigations and incident response, relying on them for frontline, real-time prevention creates major blind spots. Instead, security teams must use real-world, global telemetry to proactively identify and block connections to attacker-controlled hosts before requesting a URL or file.
  • Zero trust principles applied to the network layer: An IP address without a negative reputation does not equal a safe connection. Continuous verification requires extending zero trust down to the network foundation. It validates the real-time behavior and intent of every single session to ensure attackers cannot hide in the contextual vacuum of the IP layer.ย ย 
  • Reducing the attack surface with rich contextual attributes: Traditional IP blocking is like a blunt instrument that creates unacceptable false positives and alert fatigue. To modernize the edge, security teams need deep, attribute-based visibility across the entire Internet address space to reduce noise and replace legacy IP feeds entirely.ย ย 

By moving away from point-in-time assumptions and embracing real-time, inline protection, security leaders can reclaim the advantage at the network foundation.

To see how these evasion tactics operate in the wild, read the latest Unit 42 report, Attackers Are Evading Threat Prevention at the Internet Edge. Youโ€™ll find this report valuable in understanding the systemic gaps in legacy risk models and learning why continuous verification must be our new mandate.

The post How AI and Evasion Demand a Radical Shift in Network Threat Prevention appeared first on Palo Alto Networks Blog.

A New Era of Security: Frontier AI Defense

7 May 2026 at 23:45

For the last several months, we have had early, unbounded access to the latest frontier AI models. What weโ€™ve seen from that vantage point has made it clear that the window for organizations to get ahead of whatโ€™s coming is shorter than most leaders realize.

We have moved past the era of incremental AI improvements into a threat landscape shift. Our testing has revealed a step-change in capability that demonstrates an intuitive understanding of software vulnerabilities. This is more than faster code generation, it is a shift from AI as an assistant to AI as an autonomous agent capable of discovering and chaining flaws at a scale that most defenders arenโ€™t prepared for.

These capabilities will not stay confined to controlled environments for long. When Mythos first launched, we predicted a six-month window before attackers gained access. We now believe that timeline has accelerated significantly.

To meet this inflection point, defense must operate at the speed of the adversary. That is why Palo Alto Networks has introduced Frontier AI Defense. This initiative unites our AI-native security platforms with Unit 42ยฎ consulting and threat expertise with strategic partners to deliver continuous protection, prioritized risk mitigation and autonomous remediation.

What the Threat Looks Like Now

The latest frontier models, including OpenAIโ€™s GPT-5.5-Cyber, Anthropicโ€™s Mythos and Claude Opus 4.7, and the specialized variants emerging across major labs, represent roughly a 50% improvement in coding efficiency over their predecessors. That number sounds incremental, but in practice, itโ€™s the threshold at which AI crosses from a helpful assistant into an autonomous operator.

Based on our testing and review, we found four key developments that, taken together, redefine the modern threat landscape:

  • Vulnerability Discovery at Scale: Frontier AI is exceptionally effective at identifying vulnerabilities across massive, complex codebases. In our testing, three weeks of model-assisted analysis matched a full year of manual penetration testing, with broader coverage.
  • Exploit Chaining & Synthesis: What is more consequential than individual discovery is the modelsโ€™ ability to think like an attacker. They link multiple lower-severity issues into single, critical exploit paths, seeing full-stack logic, including SaaS and public-facing surfaces, in ways traditional scanners cannot.
  • Attack Cycle Compression: In AI-assisted scenarios, the time from initial access to exfiltration has collapsed to as little as 25 minutes. Detection and response measured in hours is no longer a viable standard; single-digit MTTR (Mean Time to Respond) is the new floor.
  • The Unsupervised Attack Surface: Rapid AI development and decentralized innovation are creating a massive, unsupervised attack surface in real-time. As local AI agents become commonplace, every desktop is now effectively a server, yet most organizations lack visibility into the code their own employees are generating and deploying.

Our Approach

These emerging threats form the foundation of how we have architected our platform response for the agentic era โ€“ Frontier AI Defense. Our approach moves beyond traditional, reactive defense to provide a comprehensive framework built to outpace frontier-AI-enabled attackers. This initiative is defined by:

  • Advanced Access: We leverage early access to frontier AI models to harden defenses and simulate attacks before they reach the mainstream.
  • Intelligence-Led Resilience: Unit 42 experts leverage frontier AI to fast-track discovery and remediation of exposures at machine speed through our Unit 42 Frontier AI Defense service.
  • Unified Global Ecosystem: We provide the scale required for global protection through our Frontier AI Alliance of elite partners, including Accenture, Armadin, Deloitte, IBM, NTT DATA, and PwC.
  • Machine Speed Security: By natively integrating Frontier AI across our platforms, we deliver the automated, real-time defense necessary to counter autonomous threats.

The Window Is Open. It Wonโ€™t Be for Long.

The capabilities we tested under early-access conditions are expected to become widely available over the next several months. Success in this new environment requires adapting your cybersecurity stack before these tools are in the hands of every adversary.

The threat has never been more sophisticated. The window to prepare for this shift is closing. And we're here to help secure your future at the edge of the frontier.

Visit Palo Alto Networks Frontier AI Defenseย to learn more.

The post A New Era of Security: Frontier AI Defense appeared first on Palo Alto Networks Blog.

Securing open proxies in your AWS environment

4 May 2026 at 20:16

This article shows you how to identify and secure open proxies in your AWS environment to prevent abuse, protect your IP address reputation, and control costs.

An open proxy is a server that forwards traffic on behalf of internet users without requiring authentication. While proxies can support legitimate use cases such as load balancing or caching, open proxies allow unrestricted access that threat actors can use to hide harmful activity. In Amazon Web Services (AWS) environments, open proxies often result from misconfigured Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, or compute resources such as AWS Lambda functions. These resources expose proxy functionality without access controls.

Open proxies come in several forms. Common open proxies can include:

  • HTTP proxies: HTTP proxies forward HTTP requests to web servers, making them useful for web traffic management. These proxies can create potential issues when theyโ€™re unsecured.
  • SOCKS proxies: SOCKS proxies support a wider range of traffic types and provide more flexibility. These proxies create a broader potential for misuse.
  • Transparent proxies: Transparent proxies intercept traffic without the clientโ€™s knowledge and are often used to filter content. These proxies can become security liabilities when misconfigured.
  • Reverse proxies: Reverse proxies help with internal routing. Unauthorized users can misuse these proxies if theyโ€™re exposed.

Knowing these risks can help you better protect your AWS environment.

Security risks

Because of the unrestricted configuration of open proxy servers, threat actors target them to conduct denial of service (DoS) events, intrusion attempts, distribute spam, and other forms of unauthorized activity. These open proxy servers allow threat actors to hide their actual IP address and other forms of identification from the intended targets.

When your AWS infrastructure hosts an open proxy, several risks emerge that can affect both your operations and customers:

  • Threat actors can misuse your resources, which can result in your IP address being added to security service and reputation system block lists. This can affect your legitimate business operations and customer access. When external parties use your infrastructure for harmful activities, the reputation damage extends beyond immediate technical concerns to affect your ability to reach customers and partners.
  • Unexpected costs from resource consumption occur when threat actors use your bandwidth and compute capacity. The traffic patterns that proxy abuse generate can also alert AWS security monitoring systems and create additional operational overhead as you investigate and respond to these alerts.
  • Service disruptions might affect your legitimate workloads because unauthorized traffic competes for resources with your business-critical applications. This competition for resources can potentially degrade performance or cause availability issues for your customers.

Implementing security measures

To prevent the risks associated with open proxies, itโ€™s essential to implement proper security controls for proxy services in AWS environments. The following guidance is a comprehensive approach that you can follow to secure your proxy infrastructure.

Access control implementation

An important security step is to use passwords and authentication mechanisms to restrict access to proxy services. Configure your proxies to accept connections only from known, trusted IP address ranges. For Elastic Load Balancing (ELB), limit access based on source IP addresses and add authentication to proxies behind the load balancers. When you create new instances in Amazon Elastic Kubernetes Service (Amazon EKS), limit access to your balancer in each instance. If instances donโ€™t have public IP addresses, then you can limit access to the balancer instead. If instances have public IP addresses, then you must limit access to those IP addresses.

When possible, use AWS PrivateLink virtual private cloud (VPC) endpoints to provide private connectivity to AWS services without exposing them to the internet. Deploy proxy services in private subnets with controlled outbound access through NAT gateways or other controlled channels. For Amazon EC2 and Amazon Lightsail resources, update the attached security group to prevent public internet access. To secure the proxy, you must either limit access to specific IP addresses or implement authentication on the endpoint.

Authentication and authorization

Turn on authentication for the proxy software and use strong credentials, certificates, or integration with AWS Identity and Access Management (IAM) and AWS Directory Service. Apply IAM policies with the principle of least privilege to limit access to only what users need to perform their tasks. This approach reduces the potential effects of credential compromise and helps maintain clear accountability for resource access.

Monitoring and detection

To detect unusual proxy activity, configure Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, AWS CloudTrail, and Amazon GuardDuty. Use Amazon CloudWatch alarms to notify you of abnormal traffic patterns that might indicate unauthorized use of your proxy services. These monitoring capabilities provide visibility into your network traffic patterns and help you identify both legitimate usage and potential security concerns.

Deployment best practices

Use HTTPS for ELB traffic to protect data in transit, and restrict security groups to necessary ports to minimize the surface area for potential misuse. Integrate AWS WAF with balancers to filter web traffic based on rules that you define. You can also use AWS Network Firewall for advanced traffic filtering capabilities. For APIs, deploy Amazon API Gateway with authentication and authorization controls to manage access to your backend services. This layered approach to security helps protect your infrastructure at multiple points in the traffic flow.

Regular security assessments

Run Amazon Inspector to scan for misconfigurations in your infrastructure, and use AWS Security Hub to centralize security findings across your AWS environment. Conduct penetration tests in accordance with AWS policy to identify potential security issues before they can result in unintended access.

Incident response planning

Automate remediation with AWS Config rules and Automation, a capability of AWS Systems Manager, to respond rapidly to security events. Maintain incident response runbooks that outline clear steps for addressing proxy-related security incidents, and decommission unused resources that could become security liabilities.

Documented procedures and automated responses reduce the time between detection and remediation and minimizes the potential effects of security incidents on your operations.

Benefits of proper proxy security

When you implement these security measures, you gain the following advantages for your AWS environment:

  • Protection of your IP address reputation helps maintain customer trust and prevents security services from blocking your legitimate traffic. When your infrastructure maintains a positive reputation, your business communications reach their intended recipients without interference.
  • Cost control prevents unauthorized users from consuming your AWS resources and generating unexpected charges on your account. When you restrict access to legitimate users and use cases, you maintain predictable costs that align with your business needs.
  • Operational stability reduces the risk of service disruptions that abuse of your proxy infrastructure can cause. When you dedicate your resources to serving your customers rather than supporting unauthorized activity, you can deliver consistent performance and availability.
  • Enhanced visibility into your network traffic patterns helps you identify both legitimate usage and potential security concerns. This awareness allows you to make informed decisions about capacity planning, security improvements, and operational optimizations.

Conclusion

Open proxies present a serious risk in AWS environments, but you can effectively secure proxies with the right measures. By implementing strict access controls and additional security practices such as authentication, monitoring, and regular assessments, you can prevent misuse, protect your infrastructure, and maintain your IP address reputation.

Taking proactive steps strengthens your own environment and supports the broader security of the internet ecosystem. Under the AWS shared responsibility model, youโ€™re responsible for the configuration and maintenance of these security controls, while AWS provides the underlying secure infrastructure. By following the guidance in this article, you can build a robust security posture that protects your proxy infrastructure while supporting your legitimate business needs.

If you have feedback about this post, submit comments in the Comments section below.

Dodd Mitchell

Dodd Mitchell

Dodd is a member of the AWS Trust and Safety team in Virginia, supporting customers in navigating abuse, phishing, and content-related risks. He works closely with partners to strengthen response processes and build more resilient, trustworthy platforms.

Unit 42 Expands Frontier AI Defense with Armadin Partnership

Frontier AI is changing what is possible for attackers. To meet this escalating threat, Palo Alto Networks is teaming up with Armadin, the new offensive security company founded by Kevin Mandia. This partnership expands our newly introduced Unit 42 Frontier AI Defense service, scaling our ability to identify and remediate AI-driven exposures, and accelerating protection across the enterprise.

Over the past few weeks, weโ€™ve spoken with hundreds of CISOs who universally feel the urgency on the frontlines. Security leaders need to know exactly where they stand against the AI-driven attacks happening right now, and the ones coming in the next six months.

Expanding Frontier AI Defense โ€” The External AI Hyperattack Assessment

For organizations seeking to actively pressure-test their perimeter, this partnership introduces an autonomous, AI-driven offensive assessment of your external attack surface.

This added layer identifies real attack paths and proves exploitability across internet-facing assets. The platform begins with passive discovery, validating publicly exposed assets, cloud resources and secrets. Next, Armadin deploys a coordinated swarm of autonomous AI attack agents, operating at machine speed across your external footprint.

These agents execute active reconnaissance, launch attacks and exploit vulnerabilities in parallel, using over 50,000 templates. Upon initial access, the swarm simulates post-exploitation behavior to demonstrate impact, logging every attack chain as decision-grade evidence of exploitable risk.

Decision-Grade Proof of Exploitable Risk

With this added layer of autonomous simulation, Unit 42 Frontier AI Defense provides an even more rigorous, pressure-tested view of an organization's external attack surface. This allows our experts to accurately simulate the tradecraft of the most capable, AI-equipped threat actors, compressing complex attack lifecycles from days into minutes.

AI may change what is possible for attackers, but in the hands of defenders, it becomes a decisive advantage. This partnership is another important step in making sure that advantage stays with the defenders.

A member of Project Glasswing and OpenAIโ€™s Trusted Access for Cyber (TAC) program, Palo Alto Networks remains the only company equipped to deliver this strategic level of partnership through Unit 42 Frontier AI Defense and the Frontier AI Alliance, driven to integrate cutting-edge technologies into our products and services.

Get started with Unit 42 Frontier AI Defense today.

The post Unit 42 Expands Frontier AI Defense with Armadin Partnership appeared first on Palo Alto Networks Blog.

Introducing Unit 42 Frontier AI Defense

17 April 2026 at 15:13

Frontier AI models have given the security industry a preview of what comes next. As they become weaponized, attackers will automate the discovery and chaining of vulnerabilities in near real-time โ€“ compressing timelines, increasing scale and outpacing human-led defense.

Zero-day discovery at scale, immediate exploitation, defense-in-depth evasion, systemic supply chain exposure, autonomous attack execution.

Until now, defenders have had time to detect activity, investigate signals and contain threats before exposures were chained into full attacks. AI is quickly closing this window.

Defending against AI-driven threats means engineering a resilient architecture that limits how easily attackers can exploit discovered weaknesses, that contains the blast radius when they do, and enables faster response at scale. It also means using AI to accelerate the security program itself, from vulnerability discovery and code review to triage, remediation and incident response.

The transition should cover three areas. First, discover and remediate your current exposure before attackers do. Second, strengthen controls that reduce exposure and contain impact. Third, modernize operations so teams can detect and respond in real-time.

To help organizations make this shift, Palo Alto Networks is launching Unit 42ยฎ Frontier AI Defense.

Powered by the latest AI models, Unit 42 Frontier AI Defense helps organizations answer a critical question: Are your defenses ready for AI-powered attacks?

Unit 42 Frontier AI Defense combines three core components delivered by expert consultants, coupled with 6 months of complimentary access to Cortexยฎ XDR, Cortex Xpanseยฎ and Koi Agentic Security.

Frontier AI Exposure Analysis: Identify and validate the exposures most likely to be chained into real attacks before attackers weaponize them.

Actions

    • Use the latest frontier models, Unit 42 offensive security expertise, threat telemetry and Unit 42 Threat Intelligence to assess your environment.
    • Identify the vulnerabilities, misconfigurations and posture gaps most likely to be exploited across infrastructure, applications, code, identity and cloud.
    • Validate the attack paths most likely to matter in real-world attacks.

Outputs

    • A prioritized view of vulnerabilities and attack paths that matter most
    • Clear actions to fix the exposures that matter first

Autonomous Security Blueprint: Benchmark current capabilities and define the changes required for machine-speed defense.

Actions

    • Assess current-state capabilities across attack surface, identity, software supply chain, zero trust containment, as well as real-time detection and response.
    • Identify where AI-powered threats create the greatest exposure and where current controls are most likely to fail.
    • Define the technical and operational changes required to close those gaps.

Outputs

    • A clear blueprint for immediate action
    • A prioritized roadmap to reduce exposure, strengthen containment and modernize security for the AI era

Agentic Defense Transformation: Implement the prioritized architecture, control and operating changes needed to modernize defenses for AI-driven threats.

Actions

    • Implement the architectural, operational and control changes required to defend against AI-driven threats.
    • Modernize exposure management, harden the software supply chain, and advance zero trust architecture.
    • Build response capabilities that can keep pace with autonomous attacks.

Outputs

    • Accelerated implementation of the changes that matter most
    • A more modern security architecture, built to reduce exposure and improve containment

The Window Is Still Open, for Now

AI is the biggest security inflection point since enterprises moved to the cloud. Organizations that act now will be the ones that are ready. Those that wait will be forced to respond under maximum pressure on the worst possible day.

Frontier AI is changing what is possible for attackers. In the hands of defenders, it can become a decisive advantage.

Human-speed security is no longer enough. A modern security approach is required. Get started with Unit 42 Frontier AI Defense today.

*The complimentary offer is not available to public sector customers or current Cortex XDR, Cortex Xpanse or Koi customers.

The post Introducing Unit 42 Frontier AI Defense appeared first on Palo Alto Networks Blog.

March 2026 Patch Tuesday fixes two zero-day vulnerabilities

11 March 2026 at 11:47

Microsoft releases important security updates on the second Tuesday of every month, known as Patch Tuesday. This monthโ€™s update fixes 79 Microsoft CVEs including two zero-day vulnerabilities.

Microsoft defines a zero-day as โ€œa flaw in software for which no official patch or security update is available yet.โ€ So, since the patch is now available, those two are no longer zero-days. There is also no reason to believe they were ever actively exploited.

But letโ€™s have a look at the possible consequences if you donโ€™t install the update.

The vulnerability tracked as CVE-2026-21262 (CVSS score 8.8 out of 10) is a bug in Microsoft SQL Server that lets a logged-in user quietly climb the privilege ladder and potentially become a full database administrator (sysadmin). With that level of control, they can read, change, or delete data, create new accounts, and tamper with database configurations or jobs. Where SQL Server is supposed to check what each user is allowed to do, in this case it can be tricked into granting more power than intended.

There is no user interaction required once the attacker has that foothold: exploitation can happen over the network using crafted SQL requests that abuse the flawed permission checks. In a typical realโ€‘world scenario, this bug would be the second act in an attack chain: first get in with low privileges, then use CVE-2026-21262 to quietly promote yourself to database king and start rewriting the script.

CVE-2026-26127 (CVSS score 7.5 out of 10) is a bug in Microsoftโ€™s .NET platform that lets an attacker remotely crash .NET applications, effectively taking them offline for a while. The flaw lives in Microsoft .NET 9.0 and 10.0, across Windows, macOS, and Linux, in the .NET runtime or libraries, not in a specific app. In other words, itโ€™s a bug in the engine that runs .NET code, so any app created with affected .NET versions could be at risk until patched.

The main outcome is denial of service: an attacker can cause targeted .NET processes to crash or become unstable, leading to downtime or degraded performance. For a publicโ€‘facing web API, a payment service, or any lineโ€‘ofโ€‘business app built on .NET, this can mean realโ€‘world outages and angry users while services are repeatedly knocked over.

Vulnerabilities affecting Microsoft Office users are two remote code execution flaws in Microsoft Office (CVE-2026-26110 and CVE-2026-26113) which can both be exploited via the preview pane, and aย Microsoft Excel information disclosure flaw (CVE-2026-26144), which could be used to exfiltrate data via Microsoft Copilot. Office vulnerabilities appear regularly in Patch Tuesday releases, and in this case none have been reported as actively exploited.

How to apply fixes and check if youโ€™re protected

These updates fix security problems and keep your Windows PC protected. Hereโ€™s how to make sure youโ€™re up to date:

1. Openย Settings

  • Click theย Startย button (the Windows logo at the bottom left of your screen).
  • Click onย Settingsย (it looks like a little gear).

2. Go toย Windows Update

  • In the Settings window, selectย Windows Updateย (usually at the bottom of the menu on the left).

3.ย Check for updates

  • Click the button that saysย Check for updates.
  • Windows will search for the latest Patch Tuesday updates.
  • If you have selected to get the latest updates as soon as theyโ€™re available, you may see this underย More options.
  • In which case you may see aย Restart requiredย message. Restart your system and the update will complete.
    Restart now to apply patches
  • If not, continue with the steps below.

4.ย Download and Install

  • If updates are found, theyโ€™ll start downloading right away. Once complete, youโ€™ll see a button that saysย Installย orย Restart now.
  • Clickย Installย if neededย and follow any prompts. Your computer will usually need a restart to finish the update. If it does, clickย Restart now.
    Windows up to date

5. Double-check youโ€™re up to date

  • After restarting, go back toย Windows Updateย and check again. If it saysย Youโ€™re up to date,ย youโ€™re all set!

We donโ€™t just report on threatsโ€”we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices byย downloading Malwarebytes today.

March 2026 Patch Tuesday fixes two zero-day vulnerabilities

11 March 2026 at 11:47

Microsoft releases important security updates on the second Tuesday of every month, known as Patch Tuesday. This monthโ€™s update fixes 79 Microsoft CVEs including two zero-day vulnerabilities.

Microsoft defines a zero-day as โ€œa flaw in software for which no official patch or security update is available yet.โ€ So, since the patch is now available, those two are no longer zero-days. There is also no reason to believe they were ever actively exploited.

But letโ€™s have a look at the possible consequences if you donโ€™t install the update.

The vulnerability tracked as CVE-2026-21262 (CVSS score 8.8 out of 10) is a bug in Microsoft SQL Server that lets a logged-in user quietly climb the privilege ladder and potentially become a full database administrator (sysadmin). With that level of control, they can read, change, or delete data, create new accounts, and tamper with database configurations or jobs. Where SQL Server is supposed to check what each user is allowed to do, in this case it can be tricked into granting more power than intended.

There is no user interaction required once the attacker has that foothold: exploitation can happen over the network using crafted SQL requests that abuse the flawed permission checks. In a typical realโ€‘world scenario, this bug would be the second act in an attack chain: first get in with low privileges, then use CVE-2026-21262 to quietly promote yourself to database king and start rewriting the script.

CVE-2026-26127 (CVSS score 7.5 out of 10) is a bug in Microsoftโ€™s .NET platform that lets an attacker remotely crash .NET applications, effectively taking them offline for a while. The flaw lives in Microsoft .NET 9.0 and 10.0, across Windows, macOS, and Linux, in the .NET runtime or libraries, not in a specific app. In other words, itโ€™s a bug in the engine that runs .NET code, so any app created with affected .NET versions could be at risk until patched.

The main outcome is denial of service: an attacker can cause targeted .NET processes to crash or become unstable, leading to downtime or degraded performance. For a publicโ€‘facing web API, a payment service, or any lineโ€‘ofโ€‘business app built on .NET, this can mean realโ€‘world outages and angry users while services are repeatedly knocked over.

Vulnerabilities affecting Microsoft Office users are two remote code execution flaws in Microsoft Office (CVE-2026-26110 and CVE-2026-26113) which can both be exploited via the preview pane, and aย Microsoft Excel information disclosure flaw (CVE-2026-26144), which could be used to exfiltrate data via Microsoft Copilot. Office vulnerabilities appear regularly in Patch Tuesday releases, and in this case none have been reported as actively exploited.

How to apply fixes and check if youโ€™re protected

These updates fix security problems and keep your Windows PC protected. Hereโ€™s how to make sure youโ€™re up to date:

1. Openย Settings

  • Click theย Startย button (the Windows logo at the bottom left of your screen).
  • Click onย Settingsย (it looks like a little gear).

2. Go toย Windows Update

  • In the Settings window, selectย Windows Updateย (usually at the bottom of the menu on the left).

3.ย Check for updates

  • Click the button that saysย Check for updates.
  • Windows will search for the latest Patch Tuesday updates.
  • If you have selected to get the latest updates as soon as theyโ€™re available, you may see this underย More options.
  • In which case you may see aย Restart requiredย message. Restart your system and the update will complete.
    Restart now to apply patches
  • If not, continue with the steps below.

4.ย Download and Install

  • If updates are found, theyโ€™ll start downloading right away. Once complete, youโ€™ll see a button that saysย Installย orย Restart now.
  • Clickย Installย if neededย and follow any prompts. Your computer will usually need a restart to finish the update. If it does, clickย Restart now.
    Windows up to date

5. Double-check youโ€™re up to date

  • After restarting, go back toย Windows Updateย and check again. If it saysย Youโ€™re up to date,ย youโ€™re all set!

We donโ€™t just report on threatsโ€”we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices byย downloading Malwarebytes today.

Microsoft Patch Tuesday, March 2026 Edition

11 March 2026 at 01:32

Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software. There are no pressing โ€œzero-dayโ€ flaws this month (compared to Februaryโ€™s five zero-day treat), but as usual some patches may deserve more rapid attention from organizations using Windows. Here are a few highlights from this monthโ€™s Patch Tuesday.

Image: Shutterstock, @nwz.

Two of the bugs Microsoft patched today were publicly disclosed previously. CVE-2026-21262 is a weakness that allows an attacker to elevate their privileges on SQL Server 2016 and later editions.

โ€œThis isnโ€™t just any elevation of privilege vulnerability, either; the advisory notes that an authorized attacker can elevate privileges to sysadmin over a network,โ€ Rapid7โ€™s Adam Barnett said. โ€œThe CVSS v3 base score of 8.8 is just below the threshold for critical severity, since low-level privileges are required. It would be a courageous defender who shrugged and deferred the patches for this one.โ€

The other publicly disclosed flaw is CVE-2026-26127, a vulnerability in applications running on .NET. Barnett said the immediate impact of exploitation is likely limited to denial of service by triggering a crash, with the potential for other types of attacks during a service reboot.

It would hardly be a proper Patch Tuesday without at least one critical Microsoft Office exploit, and this month doesnโ€™t disappoint. CVE-2026-26113 and CVE-2026-26110 are both remote code execution flaws that can be triggered just by viewing a booby-trapped message in the Preview Pane.

Satnam Narang at Tenable notes that just over half (55%) of all Patch Tuesday CVEs this month are privilege escalation bugs, and of those, a half dozen were rated โ€œexploitation more likelyโ€ โ€” across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server and Winlogon. These include:

โ€“CVE-2026-24291: Incorrect permission assignments within the Windows Accessibility Infrastructure to reach SYSTEM (CVSS 7.8)
โ€“CVE-2026-24294: Improper authentication in the core SMB component (CVSS 7.8)
โ€“CVE-2026-24289: High-severity memory corruption and race condition flaw (CVSS 7.8)
โ€“CVE-2026-25187: Winlogon process weakness discovered by Google Project Zero (CVSS 7.8).

Ben McCarthy, lead cyber security engineer at Immersive, called attention to CVE-2026-21536, a critical remote code execution bug in a component called the Microsoft Devices Pricing Program. Microsoft has already resolved the issue on their end, and fixing it requires no action on the part of Windows users. But McCarthy says itโ€™s notable as one of the first vulnerabilities identified by an AI agent and officially recognized with a CVE attributed to the Windows operating system. It was discovered by XBOW, a fully autonomous AI penetration testing agent.

XBOW has consistently ranked at or near the top of the Hacker One bug bounty leaderboard for the past year. McCarthy said CVE-2026-21536 demonstrates how AI agents can identify critical 9.8-rated vulnerabilities without access to source code.

โ€œAlthough Microsoft has already patched and mitigated the vulnerability, it highlights a shift toward AI-driven discovery of complex vulnerabilities at increasing speed,โ€ McCarthy said. โ€œThis development suggests AI-assisted vulnerability research will play a growing role in the security landscape.โ€

Microsoft earlier provided patches to address nine browser vulnerabilities, which are not included in the Patch Tuesday count above. In addition, Microsoft issued a crucial out-of-band (emergency) update on March 2 for Windows Server 2022 to address a certificate renewal issue with passwordless authentication technology Windows Hello for Business.

Separately, Adobe shipped updates to fix 80 vulnerabilities โ€” some of them critical in severity โ€” in a variety of products, including Acrobat and Adobe Commerce. Mozilla Firefox v. 148.0.2 resolves three high severity CVEs.

For a complete breakdown of all the patches Microsoft released today, check out the SANS Internet Storm Centerโ€™s Patch Tuesday post. Windows enterprise admins who wish to stay abreast of any news about problematic updates, AskWoody.com is always worth a visit. Please feel free to drop a comment below if you experience any issues apply this monthโ€™s patches.

AWS European Sovereign Cloud achieves first compliance milestone: SOC 2 and C5 reports plus seven ISO certifications

10 March 2026 at 21:06

In January 2026, we announced the general availability of the AWS European Sovereign Cloud, a new, independent cloud for Europe entirely located within the European Union (EU), and physically and logically separate from all other AWS Regions. The unique approach of the AWS European Sovereign Cloud provides the only fully featured, independently operated sovereign cloud backed by strong technical controls, sovereign assurances, and legal protections designed to meet the sensitive data needs of European governments and enterprises.

One of the foundational components of how AWS European Sovereign Cloud enables verifiable trust of technical controls and delivers assurance is through our compliance programs and assurance frameworks. These programs help customers understand the robust controls in place at AWS European Sovereign Cloud to maintain security and compliance of the cloud. To meet the needs of our customers, we committed that the AWS European Sovereign Cloud will maintain key certifications such as ISO/IEC 27001:2022, System and Organization Controls (SOC) reports, and Cloud Computing Compliance Criteria Catalogue (C5) attestation, all validated regularly by independent auditors to assure our controls are designed appropriately, operate effectively, and can help customers satisfy their compliance obligations.

Today, AWS European Sovereign Cloud is pleased to announce that SOC 2 and C5 Type 1 attestation reports, along with seven key ISO certifications (ISO 27001:2022, 27017:2015, 27018:2019, 27701:2019, 22301:2019, 20000-1:2018, and 9001:2015) are now available. The attestation reports cover 69 AWS services operating within the AWS European Sovereign Cloud, while the certificates have integrated the AWS European Sovereign Cloud region into the global AWS Management Systems. This achievement marks a pivotal first step in our journey to establish the AWS European Sovereign Cloud as a trusted and compliant cloud for European organizations. By securing these foundational certifications and attestation reports early in our implementation, we are demonstrating our commitment to earning customer trust. AWS European Sovereign Cloud customers in Germany and across Europe can now run their applications with enhanced assurance and confidence that our infrastructure aligns with internationally recognized security standards and the AWS European Sovereign Cloud: Sovereign Reference Framework (ESC-SRF). These certifications and attestation reports provide independent validation of our security controls and operational practices, demonstrating our commitment to meeting the heightened expectations towards cloud service providers. Beyond compliance, these certifications and reports help customers meet regulatory requirements and innovate with confidence.

SOC 2 Type 1 report

SOC reports are independent third-party examinations that show how AWS European Sovereign Cloud meets compliance controls and sovereignty objectives. The AWS European Sovereign Cloud SOC 2 report addresses three critical AICPA Trust Services Criteria: Security, Availability, and Confidentiality and includes internal controls mapped to the ESC-SRF. The ESC-SRF establishes sovereignty criteria across key domains including governance independence, operational control, data residency, and technical isolation. As part of the SOC 2 Type 1 attestation, independent third-party auditors have validated suitability of the design and implementation of our controls addressing measures such as independent European Union (EU) corporate structures, operation by EU-resident AWS personnel, strict residency requirements for Customer Content and Customer-Created Metadata, and separation from all other AWS Regions. The ESC-SRF controls in our SOC 2 report show customers how AWS delivers on its sovereignty commitments.

C5 Type 1 report

C5 is a German Government-backed attestation scheme introduced in Germany by the Federal Office for Information Security (BSI) and represents one of the most comprehensive cloud security standards in Europe. The AWS European Sovereign Cloud C5 Type 1 report provides customers with independent third-party attestation on the suitability of the design and implementation of our controls to meet both C5 basic criteria and C5 additional criteria.

The basic criteria establish fundamental security requirements for cloud service providers, covering areas such as organization of information security, human resources security, asset management, access control, cryptography, physical security, operations security, communications security, system acquisition and development, supplier relationships, incident management, business continuity, and compliance. The additional criteria address enhanced requirements for handling sensitive data and critical applications, making this attestation particularly valuable for AWS European Sovereign Cloud customers with stringent data security and sovereignty requirements.

Key ISO certifications

AWS European Sovereign Cloud region has achieved successful onboarding to seven key ISO certifications that collectively demonstrate comprehensive operational excellence:

These certifications confirm that AWS European Sovereign Cloud region has been integrated into comprehensive frameworks for managing security, privacy, continuity, service delivery, and quality, helping to ensure sensitive information remains secure, services remain available, and operations meet the highest standards through systematic risk management processes and continuous improvement practices.

How to access the reports

To access SOC 2, C5 reports and ISO certifications, customers should sign in to their AWS European Sovereign Cloud account and navigate to AWS Artifact in the AWS Management Console. AWS Artifact is a self-service portal that provides on-demand access to AWS compliance reports and certifications.

We recognize that compliance is not a destination but a continuous journey, and these initial SOC 2, C5 reports and ISO certifications represent the beginning of our certification portfolio. They lay the essential groundwork upon which we will continue to build to meet AWS European Sovereign Cloud customersโ€™ compliance needs as they continue to evolve. As we expand our compliance coverage in the months ahead, customers can be confident that security, transparency, and regulatory alignment have been part of the very DNA of the AWS European Sovereign Cloud design from day one. To learn more about our compliance and security programs, visit AWS European Sovereign Cloud Compliance, or reach out to your AWS European Sovereign Cloud account team.

Security and compliance is a shared responsibility between AWS European Sovereign Cloud and the customer. For more information, see the AWS Shared Security Responsibility Model.

If you have feedback about this post, submit comments in the Comments section below.

Julian Herlinghaus

Julian Herlinghaus

Julian is a Manager in AWS Compliance & Security Assurance based in Berlin, Germany. He is the third-party audit program lead for EMEA and has worked on compliance and assurance for the AWS European Sovereign Cloud. He previously worked as an information security department lead of an accredited certification body and has multiple years of experience in information security and security assurance and compliance.

Tea Jioshvili

Tea Jioshvili

Tea is a Manager in AWS Compliance & Security Assurance based in Berlin, Germany. She leads various third-party audit programs across Europe. She previously worked in security assurance and compliance, business continuity, and operational risk management in the financial industry for 20 years.

Atul Patil

Atulsing Patil
Atulsing is a Compliance Program Manager at AWS. He has 29 years of consulting experience in information technology and information security management. Atulsing holds a Master of Science in Electronics degree and professional certifications such as CCSP, CISSP, CISM, ISO 42001 Lead Auditor, ISO 27001 Lead Auditor, HITRUST CSF, Archer Certified Consultant, and AWS CCP.

Introducing Unit 42 Managed XSIAM 2.0

17 February 2026 at 12:01

24/7 Managed SOC Built for Tomorrow's Threats

The window for defense has collapsed, and most SOCs werenโ€™t built for the speed of todayโ€™s attacks. According to the 2026 Unit 42ยฎ Global Incident Response Report, some end-to-end attacks now unfold in under an hour. Attacks that used to take days or weeks now happen in minutes.

Most traditional SOC models are trapped in a cycle of alert overload, fragmented tools and limited engineering capacity that slow investigations and delay response. Traditional SIEM and MDR models were designed to react to alerts. They were not designed to continuously improve detections, correlations and response with threats that move at machine speed. Over time, that gap between attacker speed and defender capability keeps widening, and itโ€™s exactly why we built Unit 42 Managed XSIAM 2.0 (MSIAM).

Today marks the availability of the next evolution of our managed SOC offering โ€“ one that reflects how modern security operations must run in todayโ€™s threat landscape. MSIAM 2.0 is built on Cortex XSIAMยฎ, Palo Alto Networks SOC transformation platform, and operated by Unit 42 analysts, threat hunters, responders and SOC engineers who handle the most complex incidents in the world. With this solution, Unit 42 provides organizations with a 24/7 managed SOC that delivers continuous detection, investigation and full-cycle remediation across the entire attack surface while improving operations over time.

We donโ€™t just manage alerts. Unit 42 continuously engineers detections, correlations and response playbooks within XSIAM, refining them as attacker behavior evolves. This ongoing engineering ensures defenses improve over time, driven by real-world incidents and frontline threat intelligence, not static rules that quickly fall behind.

Why Managed XSIAM 2.0 Is Different

Elite SOC on Day One

We want SOC teams up and running as fast as possible. Experts lead onboarding, data mapping and configuration, and then your managed SOC team takes responsibility for operating and optimizing XSIAM on a day-to-day basis. The result is a SOC that improves over time without adding operational burden.

Every Threat Exposed

Unit 42 goes beyond reactive monitoring with continuous, proactive threat hunting across the entire attack surface. When a new threat is found in the wild, we produce threat impact reports that show how those techniques apply to each customerโ€™s environment. We then translate those insights into custom detections and automated response actions, while also monitoring and investigating the correlation rules your team creates. Both the global threat intelligence and your unique use cases are backed by our 24/7 analysis, closing gaps quickly and strengthening defenses over time.

We also now support both native and third-party EDR telemetry, so organizations can benefit from Unit 42 expertise and Cortexยฎ AI-driven analytics, regardless of the security technologies they use today. This enables customers to receive the strongest possible managed defense now, while creating a natural, low-friction path toward deeper platform consolidation as their environment evolves.

Machine-Speed Response

When incidents escalate, we donโ€™t just hand you a ticket; we take ownership. Collaborating with your team, we establish pre-authorized workflows to execute immediate responses across your entire environment, from endpoints and firewalls to identity and cloud. We pair the platformโ€™s native speed with expert oversight. By validating threat context and business impact, every response action is precise and safe, giving you the confidence to unleash full-cycle remediation. This allows MSIAM 2.0 to move seamlessly from detection to resolution with both velocity and precision.

And we stand behind our solution with a Breach Response Guarantee. If a complex incident strikes, you have the worldโ€™s best responders in your corner with up to 250 hours of Unit 42 Incident Response included. This built-in coverage removes the administrative hurdles of crisis response, enabling our experts to immediately transition from monitoring to deep forensic investigation and complete eradication, so you can focus on recovery.ย 

Proven in the Real World with the Green Bay Packers

Working with Unit 42 and the Cortex XSIAM platform, the Green Bay Packers modernized their security across a complex hybrid environment, demonstrating what Unit 42's managed services deliver in real-world operations. By consolidating telemetry and accelerating investigation and response, they reduced response times from hours to minutes, investigated 54% more alerts and saved over 120 hours of analyst time without adding headcount.

These outcomes reflect the key benefits of MSIAM: Unit 42 experts working to apply frontline intelligence as new attacker behavior emerges, translating it into reporting and tailored detections that improve response where it matters most. When a machine-speed platform is operated by experts handling real incidents every day, defenses continuously strengthen as threats evolve.

The Future of the SOC

Unit 42 MSIAM 2.0 helps your SOC operate as it should by combining AI-driven analytics and automation with expert-led operations and engineering. This combination provides teams with the confidence that their defenses are always on, always improving and ready when it matters most. Thatโ€™s the SOC that security leaders need today, and the one weโ€™re building for tomorrow.

MSIAM is now delivered through two service tiers, Pro and Premium. Organizations can start where they are and grow at their own pace. Pro provides AI-driven managed SOC operations with continuous detection, investigation and response. Premium extends into full-lifecycle SOC engineering, with designated experts and customized detections, automation and tailored response playbooks as your security maturity grows.

To learn more about Managed XSIAM 2.0, join us at Symphony 2026, a Palo Alto Networks premier virtual SOC event, where Unit 42 and Cortexยฎ experts will share frontline threat intelligence from the new 2026 Unit 42 Incident Response Report alongside real-world SOC transformation insights from organizations operating at machine speed.

The post Introducing Unit 42 Managed XSIAM 2.0 appeared first on Palo Alto Networks Blog.

2026 Unit 42 Global Incident Response Report โ€” Attacks Now 4x Faster

17 February 2026 at 12:00

AI-Accelerated Attacks, Identity-Enabled Breaches and Expanding Software Supply Chain Exposure Define the 2026 Cyberthreat Landscape

Each year, thousands of organizations experience a cyber incident. An incident can begin with a SOC alert, zero-day vulnerability, ransom demand or widespread business disruption. When the call comes, our global incident responders quickly mobilize to investigate, contain and eradicate the threat.

This yearโ€™s Unit 42ยฎ 2026 Global Incident Response Report analyzed over 750 major cyber incidents across every major industry in over 50 countries to reveal emerging patterns and lessons for defenders.

The data shows a clear shift in how attacks unfold. Threat actors are moving faster, increasingly leveraging identity and trusted connections, and expanding attacks across multiple attack surfaces. The accelerating speed, scale and complexity of these intrusions mean the window between initial access and business impact is shrinking. Most breaches, however, still succeed due to preventable gaps in visibility and security controls.

Key Findings Show Attacks Are Faster, Broader and Harder to Contain

As adversaries adapt their playbooks, the report highlights several defining trends shaping the 2026 threat landscape:

  • AI Is Compressing the Attack Timeline: In the fastest cases we investigated, attackers needed just 72 minutes to move from initial access to data exfiltration, 4X faster than last year. Weโ€™re seeing AI used in reconnaissance, phishing, scripting and operational execution, which enables machine-like speed at scale.
  • Identity Is Now a Primary Attack Vehicle: Identity weaknesses played a material role in nearly 90% of our investigations. More often than not, attackers arenโ€™t breaking in; theyโ€™re logging in with stolen credentials and tokens, and then exploiting fragmented identity estates to escalate privileges and move laterally without triggering traditional defenses.
  • Supply Chain Risk Now Drives Operational Disruption: In 23% of incidents, attackers leveraged third-party SaaS applications. By abusing trusted integrations, vendor tools and application dependencies, they bypassed traditional perimeters and expanded the impact well beyond a single system.
  • Attack Complexity Is Growing: We found that 87% of intrusions involved activity across multiple attack surfaces. Rarely does an attack stay in one environment. Instead, we see coordinated activity across endpoints, networks, cloud, SaaS and identity, forcing defenders to monitor across all of them at once.
  • The Browser Is a Primary Battleground: Nearly 48% of incidents included browser-based activity. This reflects how often modern attacks intersect with routine workflows, like email, web access and day-to-day SaaS use, turning normal user behavior into an attack vector.
  • Extortion Is Moving Beyond Encryption: Encryption-based extortion declined 15% from the year before, as more attackers skip encryption and move straight to data theft and disruption. From the attackerโ€™s perspective, itโ€™s faster, quieter and creates immediate pressure without the signals that defenders once relied on to detect ransomware attacks.

Attacks Succeed Because Exposure Still Beats Sophistication

Despite the speed and automation weโ€™re seeing, most of the incidents we respond to donโ€™t start with something radically new. They start with gaps that show up again and again. In many cases, attackers didnโ€™t rely on a sophisticated exploit, but on an overlooked exposure.

  • Environmental Complexity Undermining Defenses: In over 90% of the incidents we investigated, misconfigurations or gaps in security coverage materially enabled the attack. A big driver of that is tool sprawl. Many organizations are running 50 or more security products, making it extremely difficult to deploy controls consistently or clearly understand what their data is telling them.
  • Visibility Gaps Delay Detection: In many engagements, the signals were there. When we look back forensically, the evidence is in the logs. But during the attack, teams had to stitch together data from multiple disconnected sources, slowing detection during the most critical early minutes.
  • Excessive Trust Expands Impact: Once attackers gain a foothold, overly permissive access and unmanaged tokens frequently let them move farther than they should. We repeatedly see identity trust relationships turn a single compromised account into broad lateral movement and privilege escalation.

Attackers are evolving their tools and tactics, but they still win most often from exploited complexity, limited visibility and excessive trust inside modern enterprise environments.

Recommendations for Security Leaders and Defenders

Across more than 750 frontline investigations, three priorities come up again and again in conversations with CISOs and security teams.

  • Reduce Exposure: Many of the attacks we see begin in places teams didnโ€™t realize were exposed โ€“ third-party integrations, unmanaged SaaS connections or everyday browser activity. Reducing exposure means securing the full application ecosystem and treating trusted connections with the same scrutiny as core infrastructure.
  • Reduce Area of Impact: Once attackers get in, the difference between a contained incident and a major disruption often comes down to identity. Tightening identity and access management while removing unnecessary trust limits how far an attacker can move and how much damage they can cause.
  • Increase Response Speed: What happens in the first minutes after initial access can determine whether an incident becomes a breach. Security teams need the visibility to see whatโ€™s happening across environments and the ability to use AI to detect, identify and prioritize what matters, so the SOC can contain threats at machine speed, faster than the adversary can move.

Conclusion

Every investigation tells a story. How the attacker got in. How quickly they moved. What made the impact worse. Across hundreds of these cases, patterns emerge. Unit 42 operates 24 hours a day, 7 days a week on the frontlines of these incidents, and each year we distill what we learn into practical guidance. The goal of this report is to turn those frontline lessons into decisions that help you close the gaps that attackers still rely on and stop incidents before they become breaches.

Stay informed. Read the 2026 Unit 42 Global Incident Response Report and download the Executive Resource Kit.

The post 2026 Unit 42 Global Incident Response Report โ€” Attacks Now 4x Faster appeared first on Palo Alto Networks Blog.

Happy 9th Anniversary, CTA: A Celebration of Collaboration in Cyber Defense

24 January 2026 at 01:00

Unit 42 celebrates 9 years of the Cyber Threat Alliance, tracing its journey from a bold idea to a global leader in collaborative cyber defense.

The post Happy 9th Anniversary, CTA: A Celebration of Collaboration in Cyber Defense appeared first on Unit 42.

Unit 42 Incident Response Retainer for AWS Security Incident Response

2 December 2025 at 14:00

Palo Alto Networks Unit 42 and AWS Announce Expanded Collaboration, Launching No-Cost Retainer for AWS Security Incident Response available in AWS Marketplace

Speed is everything in todayโ€™s security landscape. From Unit 42ยฎโ€™s frontline experience responding to more than 500 incidents last year, we've seen that in nearly one in five incidents, attackers go from initial compromise to data exfiltration in less than an hour. It leaves almost no time to react.

The challenge is compounded by the distributed nature of the modern IT environment; cyberattacks are rarely confined to one location. In fact, 70 percent of incidents now span three or more attack surfaces, from endpoints and networks to multiple cloud environments. This complexity increases vulnerabilities, which is a key reason why 86 percent of major incidents disrupt business operations.

When a breach moves at this speed and crosses complex silos, an enterprise has two immediate, critical needs:

  1. Rapid, integrated expertise to contain the threat at its source within the cloud.
  2. Holistic, end-to-end investigation to determine the full scope of the attack, tracing the attacker's path wherever it leads, across all systems and environments.

The No-Cost Unit 42 IR Retainer Available on AWS Marketplace

Recognizing customers need a faster, more comprehensive incident response strategy in the cloud, Palo Alto Networks Unit 42 is expanding our partnership with Amazon Web Services (AWS) Security Incident Response service. The collaboration introduces a no-cost Unit 42 Incident Response Retainer, which is now available to qualified customers in AWS Marketplace. Our value-added offer provides qualified customers with rapid access to Unit 42โ€™s world-class investigative expertise and dramatically minimizes the critical time between an alert and full containment.

For qualified customers, here's what the no-cost Unit 42 Incident Response Retainer offers:

  • 250 hours of initial Unit 42 Incident Response services at no cost.
  • A 2-hour response time agreement for incident response.
  • 24/7/365 access to the Unit 42 Incident Response team.

As an AWS Security Incident Response Service Ready partner, this collaboration is designed to deliver seamless, end-to-end incident response and proactive security services. By combining Unit 42โ€™s deep experience in managing complex, legally privileged investigations with the rapid engagement of AWS Security Incident Response, organizations can resolve critical incidents faster and more comprehensively.

Unit 42 also offers preferred pricing to AWS Security Incident Response customers for proactive services through paid retainer offerings, also available in AWS Marketplace.

Hart Rossman, Vice President of Global Services Security, AWS:

When cyberattacks move at cloud speed, customers need immediate access to comprehensive expertise. By integrating Unit 42's end-to-end investigative capabilities with AWS Security Incident Response, we're delivering a unified response that helps customers contain threats faster and minimize business disruption. The no-cost retainer ensures they can activate the full scope of resources they need within minutes, not hours.

Effective response to a cloud breach demands deep technical skill and the ability to manage complexity under pressure. Unit 42 excels at managing high-stakes incidents. By coupling our expertise with AWS Security Incident Responseโ€™s capabilities to prepare, respond and recover from security incidents, Unit 42 offers customers a unified defense. Streamlining the entire process, from initial alert to final resolution, allows organizations to get back to business faster and limit operational disruption.

A Unified Front Against Complex Cloud Incidents

The collaboration is designed to solve a critical customer problem: Reduce the time and complexity of responding to incidents that span both AWS resources and the broader enterprise.

The combined offering delivers three key benefits, providing customers with a holistic and agile defense strategy:

  • Comprehensive Investigation: Unit 42โ€™s expertise enables an investigation across multiple environments, including endpoints, networks and other enterprise data sources, complementing AWSโ€™s incident response technologies and expertise.
  • Rapid, 24/7 Access to Experts: AWS Security Incident Response provides direct, 24/7 access to the AWS Customer Incident Response Team (CIRT), capable of engaging within minutes. Unit 42 is skilled at serving in the incident command role, coordinating efforts among internal stakeholders, other forensic and recovery vendors, as well as legal counsel.
  • Response Readiness with No-Cost Retainer: The offering removes the typical administrative and procurement overhead of incident response engagements. The added value ensures qualified customers can activate the full resources of Unit 42 instantly, often at the direction of counsel.

Availability

The Unit 42 Incident Response and proactive service offerings are available in AWS Marketplace today. More information on the partnership will be shared during AWS re:Invent 2025 (December 1-5, 2025).

To learn more, visit the Unit 42 listing available in AWS Marketplace.

The post Unit 42 Incident Response Retainer for AWS Security Incident Response appeared first on Palo Alto Networks Blog.

โŒ