2026-07-16
Your source for daily security alerts from some of the best experts in the world.
Find the problems, secure your systems now!
Scripts and tools to help manage your network found, managed and
happily shared with documentation on usage at the IP WORk eXchange.
https://www.ipworx.com
Get these alerts in your inbox every morning. Coming Soon
07/14TOCMicrosoft Patches a Record 570 Security Flaws Microsoft Corp. today released software updates to plug at least 570 security holes in its Windows operating systems and other software, almost triple the number of vulnerabilities the software giant fixed in its record-smashing Patch Tuesday release last month. Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence.07/13TOCLessons Learned from CISAs Recent GitHub Leak The Cybersecurity and Infrastructure Security Agency (CISA) has issued a postmortem on a data leak in which a contractor published dozens of internal CISA credentials — including AWS Govcloud keys — in a public GitHub repository for almost six months before being notified by KrebsOnSecurity. Experts say the gaps identified in the agency’s initial response provide important lessons that all security teams should absorb.
For years, the cyber security industry tracked AI as a force multiplier: something that made existing attack techniques faster, cheaper, and more accessible. That framing was accurate. But the Annual AI Security Report 2026 from Check Point Research documents a transition that goes further. AI has crossed from assistant to operator. Where it once helped attackers prepare, it now runs the […]
For the latest discoveries in cyber research for the week of 13th July, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES U.S. auto insurer AssuranceAmerica has disclosed a data breach affecting approximately 7 million people. Attackers targeted an employee and used compromised credentials to access company systems, stealing names, contact information, driver’s license […]
07/16TOCThe Hunter’s Paradox: Is it time to embrace automated threat hunting? Humans can no longer keep up with the volume and velocity of security data on their own, but AI can’t be fully trusted. David discusses the merits of both and muses on what the future might look like.07/16TOCUAT-11795 deploys novel Starland RAT and bespoke WLDR C2 implant in fi… Cisco Talos is disclosing UAT-11795, a sophisticated, Russian-speaking, financially motivated adversary that has been conducting a malicious campaign targeting users in the U.S. and Europe since at least June 2025.07/14TOCMicrosoft Patch Tuesday for July 2026 Snort rules and prominent vulne… Microsoft has released its monthly security update for July 2026, which includes 622 vulnerabilities affecting a range of products, including 57 that Microsoft marked as “critical.”07/14TOC[Video] Where protection starts: Cisco Talos Intelligence Integrations… Every day, defenders make high-consequence decisions with incomplete information. Learn how Cisco Talos Intelligence Integrations help reduce uncertainty by turning the latest threat intelligence into proactive protections across Cisco technologies.07/14TOCThe serpents tongue: Luring the Python out of its den This blog examines the full lifecycle of a Python package, from hosting on repositories such as PyPI or custom web servers, through source and wheel distribution formats, to the final installation into virtual or system-wide Python environments.
Developed by CISA, the National Security Agency (NSA) and international partners, this joint guidance contains best practices for software manufacturers and online service providers to design and implement a coordinated vulnerability disclosure (CVD) program for working with external security researchers that includes a clear vulnerability disclosure policy (VDP) and process for triaging, remediating and assigning Common Vulnerabilities and Exposures (CVE) identifiers to reported vulnerabilities. The guidance also provides considerations for leveraging third-party intermediaries, like CISA or other national computer security incident response teams, to substitute or supplement a CVD program. By implementing a robust CVD program aligned with this guidance, organizations can work transparently and collaboratively with security researchers to remediate vulnerabilities, build constructive relationships, enhance product security while improving vulnerability management processes, and demonstrate their dedication to protecting customers.
CVE-2026-46817 Oracle E-Business Suite Improper Privilege Management Vulnerability Â
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk establishes vulnerability management requirements for Federal Civilian Executive Branch (FCEB) agencies. BOD 26-04 reinforces the importance of the KEV Catalog and requires federal agencies to prioritize rapid remediation of high-risk vulnerabilities, specifically those identified by Common Vulnerabilities and Exposures (CVEs) listed in CISA’s KEV Catalog on publicly exposed assets that grant total control of the asset post-exploitation, while deferring action for lower-risk vulnerabilities. BOD 26-04 further establishes basic expectations for when agencies must check whether threat actors compromised the system before the patch was applied.
While BOD 26-04 applies only to FCEB agencies, CISA encourages all organizations to adopt risk-based vulnerability management and prioritize remediation of KEV Catalog vulnerabilities. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Aware of an exploited vulnerability not currently listed in the KEV Catalog? Submit it for potential addition through CISA’s KEV Nomination Form. Potential KEV additions must have a CVE ID, evidence of exploitation, and clear mitigation guidance.Â
CVE-2026-56155 Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability
CVE-2026-56164 Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability
These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk establishes vulnerability management requirements for Federal Civilian Executive Branch (FCEB) agencies. BOD 26-04 reinforces the importance of the KEV Catalog and requires federal agencies to prioritize rapid remediation of high-risk vulnerabilities, specifically those identified by Common Vulnerabilities and Exposures (CVEs) listed in CISA’s KEV Catalog on publicly exposed assets that grant total control of the asset post-exploitation, while deferring action for lower-risk vulnerabilities. BOD 26-04 further establishes basic expectations for when agencies must check whether threat actors compromised the system before the patch was applied.
While BOD 26-04 applies only to FCEB agencies, CISA encourages all organizations to adopt risk-based vulnerability management and prioritize remediation of KEV Catalog vulnerabilities. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Aware of an exploited vulnerability not currently listed in the KEV Catalog? Submit it for potential addition through CISA’s KEV Nomination Form. Potential KEV additions must have a CVE ID, evidence of exploitation, and clear mitigation guidance.Â
CISA is aware of active exploitation of vulnerabilities CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, enabling cyber threat actors to gain unauthorized access to on-premises SharePoint Server instances. These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware. Organizations should monitor affected SharePoint Servers closely for any signs of exploitation or unusual activity.Â
Additionally, the following newly disclosed CVEs are not yet known to have been exploited, but Microsoft has identified them as posing a potential risk if left unpatched:
CISA urges organizations to detect and remediate a potential compromise by implementing the following recommendations:
Apply the latest patches and security updates from Microsoft, verify that installation completes successfully, and shorten patching cycles when possible.
Verify that Antimalware Scan Interface (AMSI) integration is enabled for each SharePoint web application. Follow Microsoft’s Configure AMSI integration with SharePoint Server guidance to ensure proper configuration and select the “Full Mode†option for the Request Body Scan Mode, where feasible. When compromise is expected, use the following AMSI and Microsoft Defender Antivirus (MDAV) detections, and implement your organization’s incident response plan for any positive detections:
AMSI: Exploit:Script/SuspSignoutReqBody.A – request body scanning; SharePoint Server Subscription only; Microsoft has blocked observed attempts.
AMSI: Exploit:Script/ToolPaneAuthBypass.A – request header scanning; SharePoint Server 2016, 2019, and Subscription Edition.
AMSI: Exploit:Script/ToolPaneAuthBypass.C – RCE coverage; SharePoint Server 2016, 2019, and Subscription Edition.
In addition, CISA recommends that organizations implement the following SharePoint Server hardening measures:
Before rotating IIS machine keys, hunt for and remediate any intrusion artifacts, including machine-key harvesters, that could allow for the keys to be stolen again. Review Microsoft’s Improved ASP.NET view state security and key management for best practices.
Establish tailored logging mechanisms to detect and monitor exploitation activities. Review telemetry for anomalous requests, suspicious SharePoint worker-process activity, webshells, and machine-key access. For more information, see CISA’s Best Practices for Event Logging and Threat Detection.
Avoid exposing SharePoint Servers directly to the internet unless necessary; and if necessary, only configure a SharePoint Server behind a Layer 7 reverse proxy or equivalent application-layer security control that requires authentication and can inspect and filter requests.Â
Block external access to SharePoint Central Administration, restrict farm and database communications to required systems, and review Microsoft’s SharePoint Server security-hardening guidance for role-specific ports, services, and Web.config settings.
CISA added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-32201 on April 14, 2026; CVE-2026-45659 on July 1, 2026; and CVE-2026-56164 on July 14, 2026.Â
Note:Â CISA may update this Alert to reflect new guidance issued by CISA or other parties.
Organizations should report incidents or anomalous activity to CISA via CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or 1-844-Say-CISA (1-844-729-2472).
Disclaimer
The information in this report is being provided “as is†for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA. 
Successful exploitation of this vulnerability could allow an attacker to read or delete files, stop tasks, modify memory, and change I/O states, potentially impacting the confidentiality, integrity, and availability of the device.
The following versions of Rockwell Automation 1715-AENTR EtherNet/IP Adapter are affected:
A security issue exists within the 1715-AENTR EtherNet/IP Adapter. The affected product exposes a network-accessible debug port that does not enforce proper privilege controls, allowing unauthenticated remote access to intrusive command-line interface (CLI) commands. If exploited, a threat actor could read or delete files, stop tasks, modify memory, and change I/O states, potentially impacting the confidentiality, integrity, and availability of the device.
Rockwell Automation reported this vulnerability to CISA
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
Revision History
Initial Release Date: 2026-07-14
Date
Revision
Summary
2026-07-14
1
Initial Republication of Rockwell Automation security advisory SD1785.
This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.
Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk establishes vulnerability management requirements for Federal Civilian Executive Branch (FCEB) agencies. BOD 26-04 reinforces the importance of the KEV Catalog and requires federal agencies to prioritize rapid remediation of high-risk vulnerabilities, specifically those identified by Common Vulnerabilities and Exposures (CVEs) listed in CISA’s KEV Catalog on publicly exposed assets that grant total control of the asset post-exploitation, while deferring action for lower-risk vulnerabilities. BOD 26-04 further establishes basic expectations for when agencies must check whether threat actors compromised the system before the patch was applied.
While BOD 26-04 applies only to FCEB agencies, CISA encourages all organizations to adopt risk-based vulnerability management and prioritize remediation of KEV Catalog vulnerabilities. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Aware of an exploited vulnerability not currently listed in the KEV Catalog? Submit it for potential addition through CISA’s KEV Nomination Form. Potential KEV additions must have a CVE ID, evidence of exploitation, and clear mitigation guidance.Â
Russian Government-Sponsored Activity Targets Poorly Configured and Vulnerable Devices Across Critical Sectors
Executive summary
Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks. This joint Cybersecurity Advisory (CSA) builds on FBI’s Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure Public Service Announcement of the decade-plus FSB Center 16 cyber activity by providing additional tactics, techniques, and procedures (TTPs) to enable defenders to more fully understand and counter the threat. [1]Â
This CSA is being released by the following authoring and co-sealing agencies:Â
United States National Security Agency (NSA)
United States Cybersecurity and Infrastructure Security Agency (CISA)
United States Federal Bureau of Investigation (FBI)
United States Department of Defense Cyber Crime Center (DC3)
Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
Communications Security Establishment Canada’s (CSE’s) Canadian Centre for Cyber Security (Cyber Centre)
New Zealand National Cyber Security Centre (NCSC-NZ)
United Kingdom National Cyber Security Centre (NCSC-UK)
Czech Republic National Cyber and Information Security Agency (NÚKIB)1Â
Italian External Intelligence and Security Agency (AISE)8Â
Italian Internal Intelligence and Security Agency (AISI)9
The Military Counterintelligence Service of Poland (SKW)10Â
Sweden National Cyber Security Centre (NCSC-SE)11Â
The authoring and co-sealing agencies strongly urge device owners and network defenders to take mitigation and remediation actions against Russian government-sponsored exploitation of vulnerable routers.
Figure 1: FSB Center 16 activity and recommended mitigation actions
The cybersecurity industry provides overlapping cyber threat intelligence, indicators of compromise (IOCs), and mitigation recommendations related to this activity. Although not all encompassing, the following list contains the most notable threat group names commonly used within the cybersecurity community related to this activity:Â
Berserk BearÂ
Energetic Bear
Crouching YetiÂ
Dragonfly
Ghost Blizzard
Static Tundra
Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this list may not provide a 1:1 correlation to the authoring agencies’ understanding for all activity related to these groupings.
Targeting details
Critical infrastructure sectors most at risk from the Russian Federal Security Service (FSB) Center 16 cyber actors’ targeting include:
Communications,
Defense Industrial Base,
Energy,
Financial Services,
Government Services and Facilities, especially organizations at the state and local level, and
Healthcare and Public Health.
Technical details
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise12 framework, version 19. See Appendix A for tables of the activity mapped to MITRE ATT&CK tactics and techniques. This advisory also uses MITRE DEFENDTM version 1.4.0.
The Russian FSB Center 16 cyber actors primarily use scanning to identify poorly configured networking devices, primarily routers, for exploitation. The actors scan for Internet IP ranges with active Simple Network Management Protocol (SNMP) agents that accept common or default community strings for authentication [T1595.001, T1595.002]. These scans, run via proxies, consist of SNMP Set-Requests from a spoofed IP address [T1027] containing Object Identifiers (OIDs) that instruct the SNMP agent on poorly configured networking devices to [T1569, T1602.001, T1090]:
Copy its configuration to a file, often called “config.bkp†or “output.txt†[T1003, T1602.002].
Transfer the file, typically using Trivial File Transfer Protocol (TFTP), to an actor-controlled leased virtual private server (VPS) or compromised FTP server [T1583.003, T1090, T1071, T1048].
While SNMP scanning is the primary method the actors use to discover and exploit poorly configured networking devices, they occasionally exploit common vulnerabilities and exposures (CVEs) in Cisco devices, Cisco’s Smart Install (SMI) functionality, and web portals to manage network devices. The actors previously exploited at least the following CVEs [T1584.008, T1588.005, T1190, T1068]:Â
Many of these TTPs overlap with activity by other malicious cyber actors, such as Salt Typhoon. Even though this CSA focuses on Russian FSB Center 16 cyber activity, the mitigations below should detect and counter these and similar TTPs used by other actors.
Mitigation actions
The authoring agencies highly recommend network defenders implement the following mitigations to harden networks against this exploitation:
Disable Cisco Smart Install on all devices [D3-ACH]. [2]
Use SNMPv3 with “authPriv†configured to the most modern encryption standard that is supported by the device instead of SNMPv1 or SNMPv2 [D3-ACH]. [3]
Disable SNMPv1 and SNMPv2. These are legacy protocols and should no longer be needed on current devices. If they are necessary, change all community strings from defaults and only allow read-only community strings rather than read-write access.
SNMPv3 adds strong authentication and data encryption that are unavailable in SNMPv1 and v2. SNMPv3 replaces clear text shared passwords, known as community strings, with more securely encoded parameters, and authenticates and encrypts data [D3-MAN, D3-MENCR].
Use strong, unique passwords for local accounts on network devices and configure credentials to be stored securely to prevent reuse of compromised passwords [D3-CH].
Cisco devices protect passwords in the configuration file using different hashing types. Use hashing type 8 for user credentials. Avoid using hashing type 0, 4, and 7 as they are insecure or store passwords in plaintext in the configuration file. [4]
Monitor for unusual credentials that do not conform to standard organizational naming conventions [D3-PM].Â
 Monitor for and alert on logins using local accounts. Local accounts should only be used in emergency situations when accounts supported by centralized authentication servers are unavailable. Centralized authentication to network devices should support multi-factor authentication where feasible. [3]
Monitor and restrict access to SNMP OIDs using a Management Information Base (MIB) allow list [D3-ACH]. [5] Reference the vendor-specific MIB for the network devices and monitor OIDs for indications of reconnaissance or misconfiguration in logs or intrusion detection systems (IDS). IDS rules should be written for inbound SNMP Set-Requests that contain OIDs targeting sensitive device data [D3-PM].
Example OIDs include:
1.3.6.1.4.1.9.9.96.1.1 (Cisco Config Copy)
1.3.6.1.4.1.9.9.96.1.1.1.1.5 (Config Copy Server Address, value for this OID is where the configuration file is being sent to)Â
Use Access Control Lists (ACLs) to only allow management protocols, such as SNMP, from management devices, preferably on an out-of-band network. [3]
On edge firewalls and devices deny all external communications on the following ports unless mission critical, with strict monitoring if blocking is not feasible:
User Datagram Protocol (UDP) port 69 (TFTP)Â
Transmission Control Protocol (TCP) port 4786 (SMI)
UDP ports 161 and 162 (SNMP)
TCP/UDP ports 10161 and 10162 (SNMPv3)
Update network device software and firmware images, especially to patch known vulnerabilities, and upgrade end-of-life devices to supported ones.Â
Use an attack surface management service to identify and secure Internet-facing systems with weak configurations and known vulnerabilities [D3-NVA].
U.S.-based federal, state, local, tribal, and territorial governments and U.S. critical infrastructure organiztions should consider signing up for CISA’s no-cost Cyber Hygiene services.
The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
Purpose
This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Media Inquiries / Press Desk: NSA Media Relations: 443-634-0721, MediaRelations@nsa.gov
Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
 U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment user for the activity; the name of the submitting company or organization; and a designated point of contact.Â
United States Department of Defense Cyber Crime Center (DC3) Â
Defense Industrial Base Inquiries and Cybersecurity Services:Â DC3.DCISE@us.af.milÂ
Defense Industrial Base mandatory cyber incident reporting as required by 10 U.S. Code Sections 391 and 393 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 is submitted at https://dibnet.dod.mil.
Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
Canadian organizations
The Canadian Centre for Cyber Security (Cyber Centre), part of the Communications Security Establishment, encourages Canadian organizations to report cyber incidents and to strengthen the security of their networking devices.Â
French organizations are encouraged to report suspicious activity or incident related information found in this advisory by contacting ANSSI/CERT-FR at:Â cert-fr@ssi.gouv.fr or by phone at: 3218 or +33 9 70 83 32 18.
Italian Organizations
Italian External Intelligence and Security Agency (AISE):Â
A vulnerability in the CLI of Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.
This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user.
To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.
Cisco recommends that customers upgrade to the fixed software that is documented in the Catalyst SD-WAN Security Advisory that was published on May 14, 2026, and verify the configuration of the edge devices.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Important: To preserve possible indicators of compromise, customers should issue the request admin-tech command from each of the control components in the SD-WAN deployment before upgrading. After the admin-tech file has been collected, software should be upgraded at the earliest opportunity.
Before upgrading an SD-WAN deployment to a fixed release, retain relevant logs. After upgrading, verify that the system has not been compromised by checking the logs for the indicators of compromise as documented in this advisory. If the logs show indicators of compromise and the system is confirmed to be compromised, applying the software update alone will not resolve the vulnerability. In such cases, follow the specific remediation steps that will be provided by the Cisco Technical Assistance Center (TAC) to help secure the system.
Live Protect Shield
Cisco has released a Live Protect shield for CVE-2026-20245 to provide temporary security coverage to allow time for software upgrade planning, including preserving any information that customers may require for governance or compliance purposes.
This shield offers only temporary partial protection. The only way to remediate this vulnerability is to upgrade to the first fixed software release, as noted in the Fixed Releases section of this advisory. Cisco strongly recommends prioritizing system upgrades and scheduling them as soon as possible to ensure remediation.
Before deploying the shield, read the following information:
Before deploying this shield, set up disaster recovery operations, which have been tested to continue to operate. The new SD-WAN Disaster Recovery operations will not succeed after deployment of this shield. For more information, see TOCCisco Advance Notification for Publication of July 15, 2026, Security …
On July 15, 2026, the Cisco Product Security Incident Response Team (PSIRT) published the following advisories:
To fully remediate the vulnerabilities that were disclosed on July 15, 2026, Cisco strongly recommends that customers upgrade to the fixed software that is indicated in the advisories.Â
As part of Cisco’s ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a software hardening release that addresses multiple internally discovered vulnerabilities. Â
These vulnerabilities were found during internal testing and are not known to be actively exploited. To assist customers in patching and to streamline the disclosure process, Cisco has grouped these issues by their underlying vulnerability class — Common Weakness Enumeration (CWE) — and assigned a single Common Vulnerabilities and Exposures Identifier (CVE ID) to each CWE grouping.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
A vulnerability in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to perform path traversal attacks on the underlying operating system to either read or delete arbitrary files. To exploit this vulnerability, the attacker must have valid administrative credentials.Â
This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to access sensitive files or delete arbitrary files on the affected system.
Cisco plans to release software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Security Impact Rating: Medium
CVE: CVE-2026-20146
DataBreaches.net
07/15TOCCalgary 911 employee charged with breach of trust Manjot Singh reports: Calgary police say a City of Calgary 911 employee has been charged following an investigation into the unauthorized disclosure of confidential information. Police say the investigation began in January after allegations that sensitive information was being accessed and shared outside authorized channels. Investigators allege the accused used her position to access and…
07/15TOCWilmerHale Sued Over Client Personal Information Data Breach Alex Ebert reports: Wilmer Cutler Pickering Hale & Dorr should pay millions of dollars in damages for loss of clients’ personal information in a May data breach, a putative class action claims. The lawsuit, filed Tuesday in the US District Court for the District of Columbia, seeks negligence and contract damages on behalf of “thousands†of…
07/15TOCFiles relating to Indias largest nuclear power plant Kudankulam expose… Munsif Vengattil and Aditya Kalra Ransomware group World Leaks has posted on the dark web a huge cache of files related to India’s largest nuclear plant, including purported blueprints of parts of its ​facilities and supplier details — information it labelled as coming from Reliance Group. The Kudankulam Nuclear Power Plant, located in the southern…
07/15TOCNayax updates its incident status; states it wont pay any extortion de… It’s common for victims and threat actors to disagree sharply over the scope of an attack or its significance. Today’s example involves Israeli fintech Nayax and a group called The Syndicate. In previous coverage, DataBreaches cited Nayax’s submission to the Securities and Exchange Commission. At the time, Nayax reported an incident involving an unnamed subsidiary,…
07/15TOCAU: Partnered Health Data Breach Exposes Patient Records at Family Cli… Trevor Long reports: A large health care chain that owns family medical clinics across Australia has been the victim of a cyber breach which has exposed the data of their patients, including potentially treatment information. Partnered Health runs a large number of clinics across Australia, with sixteen of them listed as directly affected, and a…
07/14TOCElon Musk promises to delete all data following a leak of users confid… Abror Shuhratov reports: xAI, the company founded by Elon Musk, has announced emergency measures following a serious controversy involving the unauthorized uploading of users’ private code and confidential information to a server via the Grok Build CLI tool. The company’s head stated that, for security reasons, all previously uploaded user data will be permanently deleted. This decision…
07/14TOCSynopsys Finds No Evidence of Data Breach Amid Bosch Hack Claims Eduard Kovacs reports: A new ransomware group named D1R in recent days listed Synopsys and Bosch on its Tor-based leak website. The cybercriminals claimed to have exploited a vulnerability in Synopsys’ website to access a corporate client database containing 40,000 entries, and they are threatening to leak the stolen data unless a ransom is paid….
07/14TOCFinland issues wanted notice for hacker behind massive psychotherapy d… I was really unpleasantly surprised when they let him out while on appeal, and now they may not be able to return him to prison? Did no one foresee that he might not stick around to be sent back to prison? Daryna Antoniuk reports: Finnish police have reportedly issued a wanted notice for convicted hacker Aleksanteri…
07/14TOCRewards For Justice offers reward for info on Media Land, ML.Cloud, an… Rewards for Justice announced a $10M reward for information on the Russian-based bulletproof hosting (BPH) services company Media Land, its associated company ML.Cloud, and associated staff Aleksandr Alexandrovich Volosovik, Kirill Andreevich Zatolokin, and Yuliya Vladimirovna Pankova: Media Land offers BPH services such as hosting illicit and illegal content, registering private domains on behalf of customers,…
07/14TOCDefending SaaS-based applications against ShinyHunters OAuth abuse From Microsoft Security Research and Microsoft Defender Security Research Team: In a series of campaigns observed between mid-2025 and mid-2026, Microsoft identified threat actor activity with overlapping tradecraft commonly associated with ShinyHunters, including voice phishing (vishing), supply chain compromise, and misconfigured guest access to target customer SaaS-based applications such as Salesforce instances. The threat actors…
07/16TOCCVE-2025-26529 Currently trending CVE – Hype Score: 28 – Description information displayed in the site administration live log
required additional sanitizing to prevent a stored XSS risk.07/16TOCCVE-2026-15409 Currently trending CVE – Hype Score: 20 – A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. A remote unauthenticated attacker could potentially cause the appliance to make requests to unintended location.07/16TOCCVE-2026-56196 Currently trending CVE – Hype Score: 20 – Relative path traversal in Windows Admin Center allows an authorized attacker to execute code over a network.07/16TOCCVE-2026-58631 Currently trending CVE – Hype Score: 20 – Improper authorization in Windows Admin Center allows an authorized attacker to execute code locally.07/16TOCCVE-2026-56164 Currently trending CVE – Hype Score: 19 – Missing authentication for critical function in Microsoft Office SharePoint allows an unauthorized attacker to elevate privileges over a network.07/16TOCCVE-2026-56155 Currently trending CVE – Hype Score: 18 – Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate privileges locally.07/16TOCCVE-2026-15410 Currently trending CVE – Hype Score: 18 – Post-authentication improper control of generation of code (‘Code Injection’) vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) which in specific conditions could potentially enable a remote authenticated attacker as administrator to execute …07/16TOCCVE-2026-55040 Currently trending CVE – Hype Score: 13 – Weak authentication in Microsoft Office SharePoint allows an unauthorized attacker to bypass a security feature over a network.07/16TOCCVE-2025-62221 Currently trending CVE – Hype Score: 10 – Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.07/16TOCCVE-2026-58536 Currently trending CVE – Hype Score: 10 – Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
Graham Cluley
07/16TOCSmashing Security podcast #476: Remote-control rickshaws and rogue boo… An app has appeared in India that lets anyone with a smartphone stop a passing e-rickshaw dead in its tracks – no login, no passwords, no permissions needed.
Meanwhile, Geoff – swimming in money and Lamborghinis, as all published authors are – has been on the receiving end of a slew of AI-generated scam pitches from fake book marketing experts. Rather than ignore them, he’s been playing them at their own game…
All this and more in this episode of the “Smashing Security” podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Geoff White.07/14TOCThe ransomware negotiator who was working for the other side When a company falls victim to a ransomware attack, it is not uncommon for it to turn to experts for help.
Specialist ransomware negotiation firms handle communications with criminal gangs on a victim’s behalf.
What victims don’t expect is that their trusted negotiator might be separately sharing details of the victim’s cyber-insurance policy and negotiation strategy directly with the attackers themselves.
Read more in my article on the Hot for Security blog.
Hacker News
07/16TOCAI Can Find Bugs, But Human Knowledge Still Proves Them Artificial intelligence (AI) is changing offensive security, but it has not changed the standard that matters most: a finding has to be proven before it becomes useful. AI-assisted tools can read code quickly, generate payloads, summarize attack surfaces, explain unfamiliar APIs, and run repetitive testing workflows at impressive speed. That is a real advantage for security teams. It also07/16TOCUnpatched Shark Vacuum Flaw Could Let Attackers Control Other Vacuums … Pull the certificate off the flash of a Shark RV2320EDUS robot vacuum, and you can run root commands on other people’s Shark vacuums across the same AWS region: watch the camera, drive the robot, read the map of the house, and take the Wi-Fi password in plaintext.
A researcher publishing under the handle tokay0 put the method online on Monday, having tested it only against vacuums he07/16TOCOpenAIs GPT-Red Automates Prompt Injection Testing to Harden GPT-5.6 S… OpenAI has disclosed details of GPT-Red, an internal automated red-teaming model that scales prompt injection vulnerability discovery with an aim to fix issues before the tools are deployed widely.
“GPT‑Red is a strong red-teamer, and our previous models are highly vulnerable to its prompt injection attacks,” the artificial intelligence (AI) company said. “We use GPT‑Red to adversarially train07/16TOCZoom Patches Critical Windows Flaw That Could Enable Account Takeover Zoom has released security updates for a critical security flaw impacting Zoom Workplace for Windows that could facilitate account takeover.
The vulnerability, tracked as CVE-2026-53412 (CVSS score: 9.8), affects Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows.
“Improper Input Validation in Zoom Desktop Client for Windows, Zoom VDI Client for07/15TOCTuxBot v3 Evolution Shows Signs of LLM-Assisted IoT Botnet Development… Cybersecurity researchers have disclosed details of a previously unreported Internet-of-Things (IoT) botnet framework dubbed TuxBot v3 Evolution that shows signs of being developed with assistance from a large language model (LLM), albeit with not so successful results.
“While the AI complied with their request to generate botnet code, it included a safety disclaimer that the developer failed07/15TOCOkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and … A malware framework called OkoBot has been running on Windows machines since April 2025, and one of its modules is built to con hardware wallet owners out of their recovery phrase.
On an infected PC, the request comes from inside the wallet’s own desktop software. Sometimes it waits until you plug the device in first. The page is malicious. The app around it is the real one you installed, and07/15TOCFirefox, Chrome, Adobe, and VMware Updates Fix Multiple Critical Secur… Mozilla has released updates to address two critical flaws in Firefox for which it warned that exploit code has been published.
The vulnerabilities are listed below –
CVE-2026-15718, an invalid pointer in the JavaScript: WebAssembly component
CVE-2026-15719, a site isolation in the DOM: Navigation component
“We are aware that exploit code for this is public, however we are not aware of07/15TOCSASE Has An AI Blind Spot. Inspecting Packets Is No Longer Enough. For years, routing traffic through cloud proxies was good enough. Then work moved to the browser, AI entered the workflow, and the inspection model stopped keeping up.
Enterprise workflows now live across SaaS applications, browsers, and an expanding ecosystem of generative AI tools, unsanctioned browser extensions, and autonomous agents. Employees routinely paste intellectual property into07/15TOCResearcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch … Security researcher Chaotic Eclipse (aka Nightmare-Eclipse) has released a new proof-of-concept (PoC) exploit called LegacyHive.
It has been described as a Windows User Profile Service arbitrary hive load elevation of privileges vulnerability. The Windows User Profile Service, also referred to as ProfSvc, is a core system component that manages user accounts and environments.
“The PoC requires07/15TOCNew Webinar: Closing the Approval Gap in AI-Era Ad Tech A single approved marketing tag can quietly load fourth-party code your security team has never seen, granting full access to your forms, customer data, and checkout pages.
This on-demand webinar reveals how this Approval Gap forms, and gives your team the blueprint to close it before an auditor, regulator, or attacker finds it first.
The Reality of the Approval Gap
It’s a pattern every07/15TOCCursor Flaw Lets Malicious Cloned Repositories Trigger Windows Code Ex… Open a repository in Cursor on Windows and, if a file named git.exe is sitting in the project root, Cursor runs it. No click, no approval dialog, no warning that anything in the folder is about to execute.
Whatever that binary does, it does as you, with your source, your SSH keys and your cloud tokens. Cursor keeps re-running it for as long as the project stays open.
No prompt07/15TOCCompromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware Four compromised npm packages in the @asyncapi namespace have been observed distributing a multi-stage botnet loader, according to findings from OX Security, SafeDep, Socket, and StepSecurity.
The affected packages are listed below –
@asyncapi/generator-helpers@1.1.1
@asyncapi/generator-components@0.7.1
@asyncapi/generator@3.3.1
@asyncapi/specs(v6.11.2, v6.11.2-alpha.1)
“The07/15TOCTwo SonicWall SMA 1000 Zero-Days Exploited, One Could Enable Admin Com… SonicWall has warned of active exploitation of two zero-day vulnerabilities impacting Secure Mobile Access (SMA) 1000 series appliances, one of which could be exploited to achieve arbitrary command execution.
The vulnerabilities are listed below –
CVE-2026-15409 (CVSS score: 10.0) – A Server-side request forgery (SSRF) vulnerability that a remote unauthenticated attacker could exploit to07/14TOCMicrosoft Patches Record 622 Flaws, Including Two Zero-Days Under Acti… Microsoft shipped its largest Patch Tuesday on record today, and two of the fixes close holes that attackers are already exploiting. The release covers 622 of Microsoft’s own CVEs by its Security Update Guide count, more than triple June’s previous high of around 200.
Those two live bugs are the ones to grab first. Microsoft credits incident responders for both. Both are07/14TOCSAP Patches CVSS 9.9 NetWeaver ABAP Flaw That Could Expose or Modify D… SAP has rolled out updates to address multiple vulnerabilities as part of its July 2026 security updates, including a critical flaw in SAP NetWeaver Application Server ABAP.
The vulnerability in question is CVE-2026-44747 (CVSS score: 9.9), an out-of-bounds write flaw that allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could07/14TOCResearchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger G… Any other browser extension that can run a script on claude.ai can still trigger Claude for Chrome tasks aimed at your Gmail, your latest Google Doc and its comments, and your Calendar.
Both this and ClaudeBleed need a rogue extension that can already run a script on claude.ai; the difference is scope. Anthropic restricted the arbitrary-prompt path in May as part of its response to the07/14TOCLabubaRAT Masquerades as NVIDIA Software to Control Windows Hosts Cybersecurity researchers have flagged a previously undocumented Rust-based remote access trojan (RAT) codenamed LabubaRAT that masquerades as NVIDIA software to blend into target environments.
“LabubaRAT creates a reusable foothold for hands-on activity,” Blackpoint Cyber researchers Sam Decker and Nevan Beal said in an analysis published today. “Once deployed, it can profile the host,07/14TOCRabbitMQ Flaws Could Leak OAuth Secrets and Expose Cross-Tenant Queue … Cybersecurity researchers have disclosed details of two access control-related flaws impacting the RabbitMQ message broker service that could allow attackers to leak OAuth client secrets, expose enterprise messaging infrastructure to takeover risks, and bypass tenant boundaries.
Miggo’s security team, which discovered and reported the flaws, said one “leaks the broker’s confidential OAuth07/14TOC11 Old Microsoft-Signed Linux UEFI Shims Could Let Attackers Bypass Se… Cybersecurity researchers have discovered 11 old, Microsoft-signed, Unified Extensible Firmware Interface (UEFI) applications that could be abused to bypass Secure Boot on most systems using the modern firmware standard.
“An attacker exploiting one of these vulnerable applications can execute untrusted code during system boot, enabling deployment of malicious UEFI bootkits or other malware,”07/14TOCStudy of 85 Crypto Wallet Extensions Finds Address Leaks and Cross-Sit… Researchers at KU Leuven tested 85 of the most popular crypto wallets that run as browser extensions and found that the wallets themselves leak enough to link and track the people using them.
The way these wallets talk to websites and blockchain servers can tie a person’s separate addresses together and let outsiders follow them from site to site. And on a site that already holds a name or07/14TOCHow Pentera Turns AI Security Workflows into Validation Engines AI security agents are starting to influence real security decisions. They summarize findings, prioritize remediation, recommend next steps, and help teams move faster. But most still rely on fragmented risk signals: scanner output, severity scores, threat intelligence, configuration findings, and exposure data.
That fragmentation matters because attackers do not move through environments one07/14TOCOAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entr… At least two distinct threat actors are weaponizing a novel evasion technique called OAuth client ID spoofing in cloud campaigns, while slipping past telemetry.
The activity allows users to enumerate user accounts and validate stolen credentials in Microsoft Entra ID environments, without ever generating a successful sign-in event that would otherwise alert defenders. And bad actors have begun07/14TOCGrok Build Uploaded Entire Git Repositories to xAI Storage, Not Just F… xAI’s Grok Build coding CLI was uploading entire Git repositories, full commit history and all, to a Google Cloud Storage bucket run by xAI, not just the files a coding task needed.
A researcher publishing as cereblab, testing version 0.2.93, captured one of those uploads, cloned the git bundle out of the intercepted request, and pulled back a file the agent had been told in plain terms not07/14TOCU.S. Sanctions First VPN Service and Malware Cryptor Seller Over Ranso… The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has designated two individuals and a VPN service provider for enabling ransomware actors’ and other cybercriminals’ malicious activities, including ransomware attacks against Americans.
The VPN, named First VPN Service (1VPNS), has been accused of offering its tools to ransomware groups, along with its 45-year-old Ukrainian07/14TOC148 npm Packages Disguised as Student Proxies Turned Browsers Into a D… A campaign of 148 npm packages disguised as student web proxies turned visitors’ browsers into a distributed denial-of-service botnet for roughly two weeks in May, according to new research from JFrog.
The packages did not go after the developers who might install them. The operators used the registry as free hosting for a booby-trapped proxy site and let the students who came to dodge07/14TOCMicrosoft Maps Three Salesforce Attack Paths Tied to a Year of ShinyHu… Attackers whose methods line up with the data-extortion group ShinyHunters have spent the past year walking into corporate Salesforce environments without exploiting a single flaw in the platform.
The way in has been the trust the organization had already extended, usually through the OAuth connections that tie Salesforce to the apps and third-party vendors around it.
In07/13TOCCrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper C… Cybersecurity researchers have flagged a new macOS information stealer called CrashStealer that’s capable of harvesting sensitive data from compromised systems.
Unlike other information stealers that are built on AppleScript droppers or Objective-C-based wrappers, CrashStealer is implemented in native C++, according to Jamf Threat Labs.
“It validates the victim’s login password locally before07/13TOCGoogle and Microsoft Pull ModHeader With 1.6 Million Installs After Do… Google and Microsoft have pulled ModHeader, a popular header-editing extension with roughly 1.6 million installs across Chrome and Edge, after researchers found a hidden browsing-history collector built into its official store version.
The collector was dormant. An empty allow-list kept it switched off, and no proof has emerged that it ever gathered or sent a single browsing domain.
The07/13TOCWeekly Recap: ShareFile Threat, Citrix Bleed 2 Ransomware, AI Coding A… Somewhere right now, a security tool is quietly finding bugs faster than any human can fix them. That’s supposed to be the good news. The catch is that the attackers have the same tools, pointed the other way, and they don’t file tickets.
That’s the shape of this week. Trusted code turns on the people who installed it. Old bugs from last year are still landing because the fix sat in a queue too07/13TOCNew MemGhost Attack Plants Persistent False Memories in AI Agents Thro… Give an AI assistant a memory and access to your inbox, and you hand an attacker a way to rewrite what it thinks it knows about you. A single email can trick that agent into saving a false “fact” about the user, hide the change, and quietly steer its answers in later sessions.
When it works, the person reads an ordinary-looking reply and never learns their assistant was tampered with.
The07/13TOCForg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session … A new phishing-as-a-service (PhaaS) operation called Forg365 is using a combination of device code phishing, adversary-in-the-middle (AitM) tactics, antibot evasion, artificial intelligence (AI)-assisted lure creation, and post-compromise mailbox operations targeting Microsoft 365 accounts.
Distributed via Telegram and costing $400 a month (or $3,800 per year), attack chains leverage phishing07/13TOCMeta Files Patent for AI That Can Listen All Day and Track How You’re … Meta has filed a patent application for an AI that listens to your voice throughout the day, works out how it thinks you are feeling from the way you sound, and keeps a timestamped log of every read.
Each read gets pinned to the moment it happened: the time, your location, what you were doing, even how you were using your phone. Some versions in the filing would listen all day; others would07/13TOCThinking Fast and Slow in the SOC: The Case for Combining Autonomous A… A few days ago, I was sitting with the CISO of a Fortune 50 company, walking through how his security team was thinking about AI agents in the SOC. Smart team. Serious program. They had already connected Claude to a few detection tools and were seeing real value in specific investigations. But as we mapped out the broader architecture, something kept nagging at me. The design they were building07/13TOCAttacker Uses Suspected AI-Generated PowerShell Script to Map Active D… Cybersecurity researchers have flagged an intrusion in which an unknown threat actor leveraged a vibe-coded PowerShell script for Active Directory (AD) enumeration.
“The script looked for the Domain Controller (DC) and mapped users, computers, and domains, before creating a directory and exporting out a number of files, and finally creating AD_Report.html to measure the success of the07/13TOCMisconfigured Server Reveals Three Evilginx Phishing Operations Target… An attacker running a live Microsoft 365 phishing operation left a Python web server listening on a public port with directory listing switched on. The command that did it: python3 -m http.server 8080, was still sitting in the readable .bash_history.
From that one lapse, French security firm Lexfo lifted the operator’s entire toolkit and pivoted through it to two more07/13TOCiCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-D… The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security flaws impacting iCagenda and Balbooa extensions for Joomla to its Known Exploited Vulnerabilities (KEV) catalog, following reports of zero-day exploitation in the wild.
The vulnerabilities, both rated 10.0 on the CVSS scoring system, are below –
CVE-2026-48939 – A vulnerability in the
Researchers from ETH Zurich in Switzerland, however, managed to create a new type of pixel that can simultaneously do both. This hypercharged pixel, called a Fourier pixel, can generate and sense arbitrary light fields and tap into a pixel’s full potential for carrying information by manipulating light’s intensity, oscillation phases, and polarization. The team reported its findings in a paper published yesterday in Nature.
We are one step closer to 1984 technology:
The telescreen received and transmitted simultaneously. Any sound that Winston made, above the level of a very low whisper, would be picked up by it; moreover, so long as he remained within the field of vision which the metal plaque commanded, he could be seen as well as heard. There was of course no way of knowing whether you were being watched at any given moment…
This essay was written with Nathan E. Sanders, and originally appeared in The Guardian.
Opposition to AI data centers has emerged as a primary theme in US politics, one that—surprisingly—doesn’t fallalong party lines. We applaud people coming together for constructive debate on any issue, and agree that communities need to evaluate whether any economic benefits these data centers bring is worth their costs. Still, we worry that a focus on data centers obscures the larger impacts of AI on people’s lives: the concentration of power of AI companies, and their widespread political and financial influence…
07/15TOCZDI-26-444: 7-Zip XZ Decompression Heap-based Buffer Overflow Remote C… This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.0. The following CVEs are assigned: CVE-2026-14266.07/15TOCZDI-26-443: Linux Kernel vmwgfx Integer Overflow Local Privilege Escal… This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8.07/15TOCZDI-26-442: Linux Kernel CAN ISO-TP Protocol Race Condition Local Priv… This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8.07/15TOCZDI-26-441: dnsmasq DNS Response Heap-based Buffer Overflow Remote Cod… This vulnerability allows remote attackers to execute arbitrary code on affected installations of dnsmasq. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2026-2291.07/15TOCZDI-26-440: Fuji Electric Tellus pcid64 Driver Untrusted Pointer Deref… This vulnerability allows local attackers to create a denial-of-service condition on affected installations of Fuji Electric Tellus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.5. The following CVEs are assigned: CVE-2026-8108.07/15TOCZDI-26-439: Fuji Electric Tellus pcid64 Driver Exposed Dangerous Metho… This vulnerability allows local attackers to escalate privileges on affected installations of Fuji Electric Tellus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-8108.07/15TOCZDI-26-438: Rockwell Automation Arena Simulation DOE File Parsing Out-… This vulnerability allows remote attackers to execute arbitrary code on affected installations of Rockwell Automation Arena Simulation. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-6071.07/15TOCZDI-26-437: (Pwn2Own) Autel MaxiCharger AC Elite Home WebSockets Integ… This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Elite Home EV chargers. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2026-13308.07/15TOCZDI-26-436: (Pwn2Own) Autel MaxiCharger AC Elite Home USB Heap-based B… This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Elite Home EV chargers. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.8. The following CVEs are assigned: CVE-2026-13307.07/15TOCZDI-26-435: (Pwn2Own) Autel MaxiCharger AC Elite Home NFC Stack-based … This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Elite Home EV chargers. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.8. The following CVEs are assigned: CVE-2026-13309.07/15TOCZDI-26-434: (Pwn2Own) Autel MaxiCharger AC Elite Home USB Authenticati… This vulnerability allows physically present attackers to bypass authentication on affected installations of Autel MaxiCharger AC Elite Home EV chargers. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 4.3. The following CVEs are assigned: CVE-2026-13306.07/15TOCZDI-26-433: (Pwn2Own) Autel MaxiCharger AC Elite Home Software Update … This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Elite Home EV chargers. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.4. The following CVEs are assigned: CVE-2026-13305.07/15TOCZDI-26-432: G DATA Total Security Backup Service Link Following Local … This vulnerability allows local attackers to escalate privileges on affected installations of G DATA Total Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-13268.07/15TOCZDI-26-431: ASUS Business Manager Service Client-Side Authentication L… This vulnerability allows local attackers to escalate privileges on affected installations of ASUS Business Manager. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-8921.07/15TOCZDI-26-430: MSI Center NTIOLib_X64 Origin Validation Error Local Privi… This vulnerability allows local attackers to escalate privileges on affected installations of MSI Center. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-6102.07/15TOCZDI-26-429: NVIDIA NeMo Framework Deserialization of Untrusted Data Re… This vulnerability allows remote attackers to execute arbitrary code on affected installations of NVIDIA NeMo Framework. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-24157.07/15TOCZDI-26-428: WatchGuard FireWare OS admd Stack-based Buffer Overflow Re… This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WatchGuard FireWare OS. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2026-8247.07/15TOCZDI-26-427: WatchGuard FireWare OS iked ike2_hmac Null Pointer Derefer… This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of WatchGuard FireWare OS. Authentication is not required to exploit this vulnerability, but only systems using VPN with IKEv2 are vulnerable. The ZDI has assigned a CVSS rating of 5.9. The following CVEs are assigned: CVE-2026-13084.07/15TOCZDI-26-426: OpenSSL X.509 Email Validation Out-Of-Bounds Read Informat… This vulnerability allows remote attackers to disclose sensitive information on affected installations of OpenSSL. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.5. The following CVEs are assigned: CVE-2026-42771.07/15TOCZDI-26-425: OpenSSL OCSP Stapling Verification Double Free Remote Code… This vulnerability allows remote attackers to execute arbitrary code on affected installations of OpenSSL. User interaction is required to exploit this vulnerability in that the target must make a request to a malicious server. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2026-35188.07/15TOCZDI-26-424: Synology DiskStation DS925+ MailPlus Improper Restriction … This vulnerability allows network-adjacent attackers to access the Redis instance on affected installations of Synology DiskStation DS925+ devices. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 4.3. The following CVEs are assigned: CVE-2026-13135.07/15TOCZDI-26-423: Synology DiskStation DS925+ MailPlus Redis Weak Cryptograp… This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation DS925+ devices. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-15660.07/15TOCZDI-26-422: Samsung rlottie Numeric Truncation Remote Code Execution V… This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung rlottie. Interaction with the rlottie library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-15551.07/15TOCZDI-26-421: Cisco Identity Services Engine validFileNameOrPath Directo… This vulnerability allows remote attackers to disclose sensitive information on affected installations of Cisco Identity Services Engine. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.5. The following CVEs are assigned: CVE-2026-20146.07/15TOCZDI-26-420: Adobe Creative Cloud AGSService Incorrect Permission Assig… This vulnerability allows local attackers to escalate privileges on affected installations of Adobe Creative Cloud Desktop Application. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-48344.07/15TOCZDI-26-419: Adobe Creative Cloud AdobeUpdateService Uncontrolled Searc… This vulnerability allows local attackers to escalate privileges on affected installations of Adobe Creative Cloud. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.0. The following CVEs are assigned: CVE-2026-48272.07/15TOCZDI-26-418: Microsoft SharePoint SPFieldMultiLineText Cross-Site Scrip… This vulnerability allows remote attackers to execute web requests with a target user’s privileges on affected installations of Microsoft SharePoint. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.3. The following CVEs are assigned: CVE-2026-55126.07/15TOCZDI-26-417: Microsoft Windows ServerManager Exposed Dangerous Method L… This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows Server. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-50311.07/15TOCZDI-26-416: Microsoft Hyper-V netvsc Out-Of-Bounds Read Local Privileg… This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Hyper-V. An attacker must first obtain the ability to execute low-privileged code within a Windows virtual machine under Hyper-V in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-54129.07/15TOCZDI-26-415: Microsoft Windows WMI Providers Incorrect Authorization Lo… This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.0. The following CVEs are assigned: CVE-2026-49805.07/15TOCZDI-26-414: Microsoft PowerShell Help Directory Traversal Remote Code … This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft PowerShell. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-40400.07/15TOCZDI-26-413: (Pwn2Own) Microsoft SharePoint Improper Verification of Cr… This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft SharePoint. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2026-50522.07/15TOCZDI-26-412: (Pwn2Own) Microsoft SharePoint Deserialization of Untruste… This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft SharePoint. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2026-50522.07/15TOCZDI-26-411: NVIDIA NVTabular Pickle File Parsing Deserialization of Un… This vulnerability allows remote attackers to execute arbitrary code on affected installations of NVIDIA NVTabular. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-24237.07/15TOCZDI-26-410: NVIDIA NeMo Framework Deserialization of Untrusted Data Re… This vulnerability allows remote attackers to execute arbitrary code on affected installations of NVIDIA NeMo Framework. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-24228.07/15TOCZDI-26-409: X.Org Server Glamor Font Heap-based Buffer Overflow Privil… This vulnerability allows local attackers to escalate privileges on affected installations of X.Org Server. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-55999.07/15TOCZDI-26-408: X.Org Server ComputeScaledProperties Heap-based Buffer Ove… This vulnerability allows local attackers to escalate privileges on affected installations of X.Org Server. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-56003.07/15TOCZDI-26-407: X.Org Server PCF Font Parsing Heap-based Buffer Overflow P… This vulnerability allows local attackers to escalate privileges on affected installations of X.Org Server. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-56002.07/15TOCZDI-26-406: X.Org Server BitmapScaleBitmaps Integer Overflow Privilege… This vulnerability allows local attackers to escalate privileges on affected installations of X.Org Server. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-56001.07/15TOCZDI-26-405: X.Org Server GLX Extension Use-After-Free Privilege Escala… This vulnerability allows local attackers to escalate privileges on affected installations of X.Org Server. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-56000.07/15TOCZDI-26-404: Delta Electronics DTM Soft Project File Parsing Deserializ… This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DTM Soft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-12578.07/13TOCZDI-26-400: (0Day) AnyDesk Screen Recording Link Following Denial-of-S… This vulnerability allows local attackers to create a denial-of-service condition on affected installations of AnyDesk. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 4.7. The following CVEs are assigned: CVE-2026-15681.
Summary: Microsoft has launched the Vulnerability Remediation Agent for Security Copilot in Microsoft Intune, now in public preview. This agent automates the identification, prioritization, and remediation of vulnerabilities on Intune-managed Windows devices using data from Microsoft Defender. It provides prioritized recommendations, Copilot-assisted impact analysis, and step-by-step remediation guidance, all within the Intune admin center. The agent operates securely under a dedicated agentic identity, ensuring clear governance and accountability. The streamlined workflow helps IT teams quickly address critical threats, reduce exposure, and track progress, supporting a more proactive, AI-driven security posture.
Summary: The article details Microsoft’s internal deployment of Platform Single Sign-On (PSSO) for pre-macOS 26 devices using Intune. It highlights the benefits of Secure Enclave-backed authentication—phishing-resistant MFA, device-bound tokens, and improved Conditional Access—while outlining setup steps, user experience, troubleshooting, and best practices. Key challenges included password policy mismatches and users dismissing registration prompts. The authors recommend starting with Secure Enclave, deploying during enrollment, aligning password policies, and piloting thoroughly. PSSO enables passwordless, hardware-backed SSO across Microsoft 365 apps, improving security and user experience for Mac fleets.
Summary: The article announces expanded capabilities for Foundry Local on Azure Local, including multi-node inference scheduling, vLLM runtime support, and a broader model catalog. These enhancements enable scalable, high-concurrency AI deployments fully on-premises—even in disconnected environments—using Kubernetes-native and OpenAI-compatible patterns. vLLM boosts throughput for large models and concurrent workloads, with automatic GPU tuning via vLLMplanner. Identity-based access is supported for multi-user scenarios. The platform now accommodates more models, including Mistral and Nemotron, and offers seamless integration and operation for regulated, sovereign, and edge environments.
Summary: The article introduces Agentic Retrieval in Foundry Local, a new on-premises platform enabling advanced, context-rich AI interactions without relying on cloud connectivity. Powered by Azure Arc and Foundry models, it offers orchestration, governed knowledge management, and a production-ready chat UI for regulated, disconnected, and mission-critical environments. Key features include flexible deployment, auditable reasoning, multi-document synthesis, data sovereignty, and seamless user experience. This release supports Microsoft’s Adaptive Cloud vision, delivering resilient, intelligent GenAI solutions wherever customer data and operations reside, ensuring compliance and autonomy for enterprise and public sector users.
Summary: The article highlights that staged rollout plans for Microsoft 365 Copilot on mobile often miss how quickly real-world usage spreads. Mobile access accelerates adoption in “in-between†work moments, making usage less linear and more socially driven than planned. Desktop-focused governance and communication strategies may not apply to mobile-first behaviors, leading to early questions and confusion. IT teams should focus on rollout sequencing, setting user behavior expectations, governance/readiness, and clear communication to align planned deployment with actual adoption momentum. Early signals of mobile usage require proactive adjustments to maintain clarity and control.
Summary: The article introduces two new Azure CLI flags—`–skip-subscription-discovery` and targeted `–subscription`—which significantly speed up the `az login` process for users with many tenants and subscriptions. By skipping the post-authentication subscription enumeration, login times drop from minutes to seconds. These features, available from Azure CLI v2.86.0, are ideal for enterprise users or CI/CD scenarios needing quick access to specific subscriptions, but may not suit cases requiring access to multiple subscriptions or discovery.
Summary: Network security perimeter support for Azure Service Bus is now generally available, including in Azure Government regions. This enables centralized security boundaries, perimeter-based governance, and secure PaaS-to-PaaS communication for messaging services. Customers can define explicit access controls, confine communications, and enhance audit/compliance visibility. The feature supports regulated and mission-critical workloads, ensuring consistent security across commercial and sovereign environments. Future plans include expanding onboarding to more PaaS services and improving access rule capabilities.
Summary: The article explains how large Azure deployments can migrate from MSEE hairpin routing to Azure Virtual Network Manager (AVNM) mesh for VNet-to-VNet connectivity. AVNM mesh enables direct, in-datacenter east-west traffic, eliminating MSEE as a single point of failure, reducing latency, and supporting up to 5,000 VNets and 20,000 Private Endpoints. Migration is incremental, reversible, and doesn’t disrupt existing network paths or security inspection, with AVNM centrally managing connectivity. The article details migration steps, scaling considerations, and validation processes, emphasizing operational simplicity and improved performance for large-scale Azure environments.
Summary: Azure set a new MLPerf Training benchmark record by training Llama 3.1 405B in just over seven minutes, scaling to 8,192 NVIDIA GB200 NVL72 GPUs across 128 racks. This was achieved through high operational efficiency, resilient networking, and topology-aware workload mapping. Azure’s Fairwater AI supercomputing infrastructure, with NVLink and MRC networking, minimized communication bottlenecks, enabling near-perfect scaling and stable step times. The result demonstrates Azure’s ability to handle massive, synchronous LLM training workloads efficiently, showcasing both hardware and system-level innovations for frontier-scale AI.
Summary: The study validates Siemens NX 2506 running on Azure Virtual Desktop with NVIDIA RTX PRO 6000 GPU, supporting up to 30 concurrent users with stable graphics and consistent performance. Single-host setups efficiently consolidate users, while multi-host configurations boost responsiveness and performance, especially for GPU-intensive tasks at higher user densities. All certification workloads passed successfully, confirming reliable GPU sharing and scalability. Azure AVD with RTX PRO 6000 proves suitable for enterprise CAD deployments, enabling centralized infrastructure, high user density, reduced hardware dependency, and scalable engineering workflows for real-world tasks and assemblies.
Summary: The article introduces the Azure Deployment Agent, showcased at the Microsoft Azure Infra Summit 2026. This AI-driven tool helps IT professionals design, review, and provision Azure workloads by conversing in natural language, grounding plans in the Well-Architected Framework, and generating production-ready infrastructure code. It enables consistent, efficient deployments, supports both Terraform and Bicep, integrates with Copilot and popular IDEs, and is open-source for customization. Currently focused on new workloads, the agent aims to simplify cloud architecture and standardize operations, with ongoing improvements for existing estates.
Summary: The article highlights the Azure Landing Zone (ALZ) Infrastructure as Code Accelerator, showcased at the Microsoft Azure Infra Summit 2026. The ALZ Accelerator drastically reduces deployment time for secure, governed Azure platforms from weeks to about twelve minutes using Bicep or Terraform modules. It automates setup, supports multiple scenarios and options, aligns with the Well-Architected Framework, and is open source. The accelerator enables rapid, production-grade deployments, saving IT pros from manual configurations, and supports both GitHub and Azure DevOps pipelines, making cloud adoption faster and easier.
Summary: The Path to Production for Agents Webinar Series, held July 27-28, helps organizations transition AI projects from prototypes to secure, scalable, production-ready systems. Sessions cover governance frameworks, production architecture, multi-agent design, operational best practices, security, observability, and optimization techniques. Attendees will learn practical, actionable patterns for deploying and managing AI agents at enterprise scale, with real-world examples and reference architectures. The series targets architects, engineers, and technical leaders seeking to operationalize AI, and offers follow-up engagements for Microsoft customers to implement these practices. Registration is available online.
Summary: The article explores how Generative AI and Azure AI services are revolutionizing document extraction in the construction industry, addressing challenges like low productivity and high costs. By automating the analysis of design documents, AI increases accuracy, reduces manual labor, and improves coordination. The proposed hybrid architecture combines deterministic extraction with generative gap-filling for scalable, auditable workflows, resulting in cost savings, reduced errors, and faster project delivery. The solution emphasizes robust security and adaptability, offering a blueprint for AI-driven document intelligence across multiple sectors, including insurance, legal, healthcare, and finance.
Summary: The article explains how SRE.Azure.com helps Azure engineers analyze Availability Zone mappings and VM resilience. Logical zone numbers (1, 2, 3) do not directly map to physical datacenter zones across subscriptions, impacting high availability and disaster recovery planning. The SRE agent enables discovery of zone mappings, VM distribution, resilience gaps, and generates reports. Understanding these mappings is essential for ensuring workload separation and compliance. The guidance includes suggested prompts for generating analysis and emphasizes that physical separation cannot be assumed based solely on logical zone numbers.
Summary: Microsoft has announced new Azure Virtual Desktop updates, including general availability of FSLogix user profile management and Azure Role-based Access Control (RBAC) for external identities. SAML IdP can now be configured as domainless (public preview), easing integration for developers. External identity support is expanded to Android and macOS platforms in Azure public cloud and is generally available for US Government cloud. These enhancements streamline access for users outside organizations without needing new accounts and improve application and identity functionality. More technical details and resources are available on Microsoft’s Learn and Community pages.
Summary: Azure Bastion Premium’s session recording feature captures RDP and SSH sessions for improved security, compliance, and forensic analysis. Recordings are stored in Azure Storage accounts, authenticated via either SAS URL or Managed Identity. While SAS URLs require manual token management and pose security risks, Managed Identity offers automated, secure authentication with no credentials to rotate, better RBAC integration, and improved compliance. The article details setup steps for both options and recommends Managed Identity for enterprise environments due to its simplicity and robust security. Session recordings are easily accessed within the Bastion resource’s Session recordings blade.
Summary: The article advocates for a security-driven, DMZ-first cloud landing zone architecture in Microsoft Azure, emphasizing defense-in-depth and clear trust boundaries for traffic flows. It recommends multi-hub designs to separate Internet-facing (DMZ) and internal (Core) traffic inspection, improving security, scalability, and operational clarity. Scenarios using third-party firewalls, Azure Firewall, and Azure Virtual WAN illustrate approaches for inbound, outbound, East-West, and hybrid connectivity. The distributed hub-and-DMZ model reduces complexity, supports regulatory compliance, and enhances resiliency, making it essential for large, regulated, and multi-region enterprise workloads.
Summary: Kubernetes Center now offers enhanced security and cluster version support insights in the Azure portal. The new Security page provides an overview of vulnerabilities, runtime alerts, misconfigurations, and regulatory compliance, with actionable recommendations, requiring Microsoft Defender for Containers. The Cluster Version Support Status panel displays Kubernetes version support across clusters, highlighting those expiring soon, out-of-support, or eligible for Long Term Support (LTS), and enables easy remediation. These features help platform teams monitor security posture, prevent version drift, address misconfigurations, and report compliance efficiently across all AKS clusters.
Summary: Microsoft and Ginkgo Bioworks are collaborating to integrate Microsoft Discovery’s agentic AI platform with Ginkgo’s autonomous lab infrastructure, enabling researchers to design, execute, and analyze biological experiments seamlessly. This integration supports iterative, Design–Make–Test–Analyze workflows, streamlining experiment planning, execution, and data analysis. The partnership aims to accelerate biological discovery by increasing speed, scale, transparency, and reproducibility, reducing manual effort and connecting AI-driven reasoning directly to real-world lab validation. The approach is extensible, supporting broader scientific and engineering research needs.
Summary: Microsoft announced new ways for developers to learn and demonstrate skills, including Microsoft Pro Badges—credentials that recognize real-world proficiency without separate tests, assessed via Verified Proficiency telemetry. Pro Badges launch in June 2026, starting with GitHub Copilot. Microsoft Applied Skills lab assessments will soon award Pro Badges. New co-authored AI skilling paths, beginning with Anthropic, are available in AI Skills Navigator. The Microsoft AI Skills Fest (June 8–12, 2026) offers practical sessions, a hackathon, and opportunities to earn certification vouchers, all aimed at advancing developers’ real-world capabilities.
Summary: The article discusses how deep-reasoning agents, like Researcher and Analyst in Microsoft 365 Copilot, enhance academic research by supporting source comparison, assumption testing, and data analysis. It compares these specialized tools to general-purpose AI, highlighting their alignment with academic standards. The Academic Researcher’s Guide to Deep-Reasoning Agents offers practical advice for selecting and using these tools effectively, managing limitations, and improving outputs. Researchers are encouraged to treat these AI agents as supportive tools, document their processes, and critically evaluate results to ensure rigorous research practices.
Summary: Azure has launched a public preview of Automatic OS Image Upgrades for Virtual Machine Scale Sets (VMSS) using Flexible Orchestration Mode. This feature streamlines OS updates across VMSS fleets, enhancing security, performance, and compliance while reducing manual effort and operational complexity. It provides consistent, fleet-wide orchestration with health-based safety measures. To use it, prerequisites include registering the feature, installing health extensions, and enabling the upgrade policy. Azure is now expanding onboarding and validating the experience across more workloads. Feedback is encouraged during the preview.
Summary: Microsoft has launched a preview of Guest RDMA in Azure’s UK South region, enabling high-throughput, ultra-low latency networking within guest virtual machines via Azure Boost. This allows VMs to bypass the traditional networking stack, reducing CPU usage and improving performance for AI, storage, database, and HPC workloads. Guest RDMA supports various VM series and Linux distributions, but is currently limited to direct VM-to-VM connections within a VNET. Broader network scenarios will be supported at general availability. Interested users can sign up for the preview and provide feedback to Microsoft.
Summary: The article explains how FinOps teams can use Azure’s Benefit Recommendations API and a companion PowerShell script to extract hourly Pay-As-You-Go (PAYG) usage and alternative Savings Plan commitment levels. This approach enables more accurate, data-driven decisions instead of relying on a single recommended figure. The script produces analyst-friendly outputs for deeper analysis, allowing teams to visualize demand patterns, optimize savings, and minimize wastage. Full documentation and code are available on GitHub, encouraging users to improve their Azure savings strategies with transparent, defensible data.
Summary: GitHub Pre-Purchase Plans offer organizations a way to simplify and save on GitHub spending by committing upfront to a prepaid amount, which can be used across eligible services over 12 months. Larger commitments unlock higher discounts, up to 15%. This approach enables predictable budgeting for variable, usage-based costs like Copilot and AI Credits, and aligns GitHub billing with Azure subscriptions. Two plan types are available via Azure Reservations, providing flexibility for platform-wide or AI-specific usage. Pre-Purchase Plans do not replace existing purchasing methods but offer an additional budgeting option for commercial customers.
Summary: The article details a Logic App solution for automating daily Microsoft Defender for Endpoint (MDE) compliance checks across Azure VMs. It addresses gaps where VMs may silently lose MDE coverage and provides automated owner notifications, daily IT summary reports with CSV attachments, and explicit handling of VMs lacking owner tags. The workflow queries all running Azure VMs, matches them to MDE device records, and sends compliance alerts. It requires a Logic App, managed identity, specific API permissions, and proper tagging. The approach streamlines compliance monitoring, reduces manual effort, and ensures prompt visibility of security gaps.
Summary: The article explains how Microsoft Security Copilot integrates AI-powered assistance directly within security platforms like Defender XDR and Sentinel, streamlining SOC operations. It details a three-layer Role-Based Access Control (RBAC) model—Security Copilot, Microsoft Entra, and service-specific roles—to ensure secure, least-privilege access. Copilot uses an On-Behalf-Of model, limiting data access to user permissions. Key use cases include summarization, guided response, script analysis, and reporting, all mapped to SOC processes. Proper RBAC alignment enables Copilot to accelerate investigations, enhance accuracy, and strengthen security while maintaining compliance and governance.
Summary: Microsoft Azure has announced the general availability of a new, simplified file share management experience for premium SSD NFS file shares. This update enables independent provisioning, security, and billing for each file share, aligning management boundaries to workload needs. Key benefits include faster provisioning, enhanced scalability (up to 10,000 shares per region), share-level security and networking, improved cost tracking, and robust data protection with snapshots. The new experience supports Infrastructure-as-Code automation and is designed to reduce complexity, improve operational agility, and facilitate easier chargeback and resource management for Linux workloads in Azure.
Summary: The article explains how Azure NetApp Files, OneLake, Azure AI Search, and Azure OpenAI combine to create an AI-powered knowledge pipeline for enterprise file data. This pipeline indexes and semantically searches files in place, enabling retrieval-augmented generation (RAG) for accurate, traceable, and grounded AI responses without moving or duplicating data. The architecture ensures compliance, scalability, and seamless integration with existing workflows, transforming file data into a living, queryable resource. It prepares enterprises for AI-driven user experiences, like Copilot, by delivering controlled, authoritative answers with source citations.
Summary: The article highlights three crucial lessons for successful AWS-to-Azure workload migration: (1) Ensure ongoing stakeholder alignment through readiness assessments and clear approvals; (2) migrate workloads like-for-like before optimizing to avoid complexity and build confidence; and (3) use a blue-green cutover strategy to minimize risk and downtime, enabling easy rollback. Avoid common pitfalls like overengineering, misaligned stakeholders, and believing in instant cutovers. The article recommends Microsoft’s structured migration process and resources for further guidance.
Summary: Azure Migrate now integrates with GitHub Copilot Modernize CLI (preview) to provide scalable code insights for .NET and Java web apps. This collaboration enables migration teams to assess multiple applications simultaneously, reduce analysis time, and make informed refactor-versus-replatform decisions. Users receive actionable code-fix recommendations and effort estimates, improving modernization planning and adherence to security guidelines. Setup involves downloading a configuration file from Azure Migrate, mapping repositories, and running the CLI. Code assessments are automatically reported back to Azure Migrate for centralized review and remediation guidance.
Summary: Microsoft has announced general availability of DNS over HTTPS (DoH) for Windows DNS Server on Windows Server 2025, enabling encrypted and authenticated DNS client-to-server traffic. This feature enhances privacy, reduces spoofing risks, and supports Zero Trust architectures without requiring new resolver infrastructure. Organizations can deploy DoH alongside traditional DNS, preserving compatibility and allowing incremental adoption. Built on IETF standards, DoH helps meet regulatory requirements and strengthens DNS security. Future updates will support encrypted server-to-resolver traffic, advancing fully secure DNS resolution. The release is production-ready, reflecting feedback from real-world enterprise deployments.
Summary: Microsoft has announced the public preview of Windows CLAT, a feature designed to aid IPv6 adoption by enabling IPv4/IPv6 translation. Available in Windows Insider Canary build #29599-1000 and rolling out to other channels, it now supports Group Policy Object (GPO) configuration. The preview is for evaluation only, not production use, and feedback is encouraged. Notable limitations include lack of support for DHCPv6 Prefix Delegation and Windows Subsystem for Linux, with known issues in Wi-Fi roaming and diagnostics. Participant feedback from the private preview has shaped this release.
Summary: The article introduces the Azure Resource Manager MCP Server, a remote Model Context Protocol server enabling AI agents to perform Azure infrastructure operations using six core tools. It details the arm-mcp-poc-catalog, a public repository of 24 proof-of-concept agents covering governance, FinOps, platform engineering, and SRE scenarios. The catalog emphasizes deterministic, safe agent operations, with most PoCs focused on read-only tasks. Write-capable agents are carefully gated. The Reliability Posture Scorecard is highlighted as a reference implementation. The article encourages teams to explore and adapt these PoCs for practical cloud management needs.
In brief:Â Defenders can now easily identify logons involving high-privilege identities or special logon flags to better hunt threats and fine-tune detections.
When a user logs on, Windows’ Local Security Authority (LSA) constructs an access token that represents the user’s security context for that session. This token includes the user’s SID, group memberships, user rights, and logon flags, the information that determines what the session is allowed to access. The challenge was that, although Microsoft Defender has been collecting a token creation event at logon to supplement standard logon telemetry, the most important privilege context inside that token was not directly exposed for hunting. It was possible to see that a logon occurred, but much harder to quickly answer questions like: Did this session include Domain Admin membership? Was the logon tied to a local account?
Â
We’re excited to share that Microsoft Defender is closing this visibility gap by surfacing key privilege context from token creation events that occur during login. It surfaces these new token context fields in Advanced Hunting, making it possible to query the privileged groups and logon attributes that were present in the user’s token at logon time. With this context available directly in hunting data, it is now much easier to isolate privileged sessions, investigate suspicious logons, and build higher-fidelity detections around privilege misuse.
Â
New fields include:
TokenHasDomainAdminSid – The token contained the Domain Admins group SID.
TokenHasSchemaAdminSid –The token contained the Schema Admins group SID.
TokenHasEnterpriseAdminSid – The token contained the Enterprise Admins group SID.
TokenHasGroupPolicyCreatorSid – The token contained the Group Policy Creator Owners group SID.
TokenHasDomainControllerSid – The token contained the Domain Controllers group SID (indicates a DC’s computer account logon).
TokenHasCertificatePublisherSid – The token contained the Certificate Publishers group SID (relevant in AD Certificate Services scenarios).
TokenHasLocalAccountSid – The token contained a local account SID (not a domain account).
TokenHasNtlmAuthSid – The token contained the NTLM authentication SID (rather than Kerberos).
TokenHasThisOrgCertificateSid – The token contained a SID associated with certificate-based authentication issued by the organization (e.g., PKINIT logon).
NumberOfSidsInDomainAdminToken – If the token contained the Domain Admins group SID, this represents the total number of SIDs in that token (a measure of how many group memberships/privileges/logon flags were in an admin’s token).
Â
These fields are available under AdditionalFields in the DeviceLogonEvents table.
How it works
Defender is deriving these fields from the token’s SID list at the moment of logon. Essentially, when the access token is created, Defender inspects it for any well-known high-privilege SIDs or special logon flags (see [MS-DTYP]: Well-Known SID Structures | Microsoft Learn for reference). By capturing privileges at token creation, the data offers an accurate snapshot of the user’s rights at logon. This is valuable because it can catch ephemeral privilege elevations. For example, whether an account is temporarily added to an admin group and quickly removed, or an attacker manipulates the PAC directly using a Silver or Golden Ticket, any logon during that window will still contain the admin SID in the token, even if the directory no longer reflects that membership later.
Note: This token context telemetry is additive to existing Windows logon events. Standard Security Log events like 4624 (logon success) provide information on network context (source IP, etc.) but don’t tell you about group memberships or special authentication methods. The new token fields fill that gap by focusing on privilege context. To correlate a token event with a traditional logon event and obtain a more complete view of the logon, you can match common attributes such as timestamp, account SID, device, logon type and logon ID (see the example query under “1. Spot suspicious privileged logons†below). Together, the two sources let you understand both how the logon happened and what privileges it carried.
Why this is powerful for defenders
The new token context fields unlock powerful ways to detect misuse of privileged accounts and unusual authentication patterns. For example:
1. Spot suspicious privileged logons
Identify cases where privileged tokens appear in unexpected contexts (e.g., admin accounts logging into low-tier devices, unusual logon types, or rare hosts).
Â
// Token creation events
let TokenCreateEvents =
DeviceLogonEvents
| where InitiatingProcessFileName == “lsass.exe” // Token creation events
| where AdditionalFields has “TokenHasDomainAdminSid”
| project DeviceId, AccountSid, AccountDomain, AccountName, LogonType, LogonId,
AdditionalFields, TokenTime = Timestamp;
// Standard logon events
DeviceLogonEvents
| where ActionType == “LogonSuccess”
| where InitiatingProcessFileName != “lsass.exe” // filter out Token creation events
| project DeviceId, AccountSid, AccountDomain, AccountName, LogonType, LogonId,
RemoteDeviceName, RemoteIP, Timestamp
// Correlate both events (same logon, small time window)
| join kind=inner TokenCreateEvents on DeviceId, AccountSid, AccountDomain, AccountName, LogonType, LogonId
| where Timestamp between (TokenTime – 1s .. TokenTime + 1s)
// Example filter (specific source device)
| where RemoteDeviceName == “kali”
2. Detect privilege escalation attempts
As previously detailed, whether an adversary utilizes ephemeral group modifications or direct PAC manipulation, the outcome is the same. These temporary group memberships used during an attack will still be reflected in the token captured at logon, making this activity easier to identify retrospectively. For instance, a standard user who suddenly logs on with TokenHasDomainAdminSid is a red flag for potential token manipulation or group membership abuse.
let lookback = 14d;
let recent = 1d;
let token_priv = “TokenHasDomainAdminSid”;
// Baseline: users who historically were DAs
let baseline_users =
DeviceLogonEvents
| where Timestamp between (ago(lookback) .. ago(recent))
| where InitiatingProcessFileName == “lsass.exe” // Token creation events
| summarize DA_sids = make_set_if(AccountSid, AdditionalFields has token_priv),
non_DA_sids = make_set_if(AccountSid, AdditionalFields !has token_priv);
// Recent: new users with DA token
DeviceLogonEvents
| where Timestamp > ago(recent)
| where AdditionalFields has token_priv
| where AccountSid in (baseline_users | project non_DA_sids) and
AccountSid !in (baseline_users | project DA_sids)
3. Monitor certificate-based logons
If your environment does not normally use smart cards or certificate-based authentication, or if a user who does not typically authenticate using smart cards suddenly generates events with TokenHasThisOrgCertificateSid, this may warrant investigation, as it could indicate authentication using a fraudulently issued certificate.
let lookback = 14d;
let recent = 1d;
// Baseline: users who historically used certificate-based auth
let baseline_users =
DeviceLogonEvents
| where Timestamp between (ago(lookback) .. ago(recent))
| where AdditionalFields has “TokenHasThisOrgCertificateSid”
| summarize by AccountSid;
// Recent: new certificate-based logons
DeviceLogonEvents
| where Timestamp > ago(recent)
| where AdditionalFields has “TokenHasThisOrgCertificateSid”
| where AccountSid !in (baseline_users)
 4. Identify local account lateral movement
Pivot on TokenHasLocalAccountSid to identify logons where a local account was used, especially in remote or network logon scenarios. Such activity is uncommon in well-managed environments and may indicate lateral movement using shared credentials or local administrator reuse.
Â
DeviceLogonEvents
| where Timestamp > ago(7d)
| where AdditionalFields has “TokenHasLocalAccountSid”
| where LogonType == “Network” or LogonType == “RemoteInteractive”
Â
These examples illustrate how token privilege context can improve both threat hunting and detection engineering. Analysts can quickly isolate high-interest logons from large volumes of authentication telemetry, while custom detection rules can leverage these fields to focus on sessions with elevated privileges and improve fidelity.
Security teams rely on scheduled scans to ensure consistent coverage across devices, detect dormant or missed threats, and meet compliance requirements. However, managing scans on Linux has traditionally required custom scripts and cron-based setups, which can be hard to scale and maintain. That’s why we’re excited to introduce centrally managed scheduled antivirus scans for Linux in Microsoft Defender. With this release, we are bringing built-in, flexible scheduling capabilities directly into Defender – making it easier to manage and standardize scan behavior across Linux environments.
What’s new
With this capability, customers can now configure scheduled antivirus scans on Linux using security settings management policies in the Microsoft Defender portal for centralized policy enforcement or local Managed JSON configuration that can be deployed via configuration management tools like ansible, puppet and chef.
Â
Â
The feature supports a flexible set of scheduling options, including hourly quick scans (interval-based scheduling), daily quick scans at a defined time, and weekly scans with configurable scan type (quick or full). In addition, customers can control how scans run with advanced options such as:
Running scans only when the device is idle
Reducing CPU impact using low CPU priority
Checking for definition updates before scanning
Randomizing scans start times
Ignoring exclusions during scheduled scans
These capabilities allow security teams to balance coverage, performance, and operational needs across large Linux environments.
Why this matters
From a security perspective, scheduled scans play a critical role in detecting dormant threats, missed detections, and malicious artifacts that may not be caught through real-time protection alone. Without consistent and centrally enforced scheduling, these gaps can increase risk across the environment.
With this release, scheduled scans are now:
Centrally managed through Defender policies
Consistently enforced across devices
Aligned with security best practices for regular scanning
Integrated into the broader Defender security posture
Â
This helps organizations strengthen their overall security posture while reducing operational complexity.
Get started
To get started, ensure devices are running agent version 101.26032.0000 or later (production ring), and configure scheduled scans using managed JSON or Defender portal policies.
To learn more about endpoint protection with Microsoft Defender, check out our website.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
Creating high-quality ASIM parsers has always required deep knowledge about source data and ASIM schemas, careful KQL design, and repeated validation cycles. That process is meaningful to understand the whole Sentinel ecosystem, but it can be slow when you are starting from raw source data and trying to get to a production-ready parser.
Today, we are introducing a new agentic experience available now as open source that helps security teams move faster: an AI-guided workflow for creating ASIM parsers end to end.
Why this matters
ASIM parsers are the normalization layer that makes detections, hunting, and analytics portable across data sources. They are foundational, but building them involves many steps:
Gathering source requirements and schema targets
Authoring a parameter-less and a parameterized ASIM parser
Validating schema conformance and data quality
Packaging the parsers into a GitHub pull request for open-source contributions
ASIM normalization is important because it gives security teams a common language across different products and log formats. Without normalization, every detection, hunting query, and workbook has to be rewritten per vendor table, which increases engineering effort and creates blind spots when data sources change. With ASIM, the same analytic logic can operate across multiple sources through consistent field names and semantics.
This directly improves security outcomes by enabling faster content reuse, easier cross-source correlation, and more reliable incident triage. It also reduces long-term maintenance costs, because teams update parsers at the query and mapping layer instead of rewriting detection content each time a connector changes.
The new agentic experience orchestrates those steps for you with clear checkpoints and repeatable outputs.
What is the ASIM parser creation agentic experience?
The experience is built around a specialized set of skills that work together as a workflow. Instead of using a single prompt and hoping for the best, the agent walks through parser creation as a structured process.
At the center is the orchestration skill that coordinates:
Requirement collection
Parser generation
Validation loops that test the parser schema and data outputs
Optional deployment to Log Analytics and PR packaging for Azure-Sentinel
Where can I find these skills?
If you have cloned or forked the Azure-Sentinel repository, the skills are already there! All you need is GitHub Copilot CLI to get started. For more information, you can visit the README or our Learn Docs.
Another way to access these skills is through our Microsoft Sentinel Visual Studio Code Extension. You can simply chat with GitHub Copilot with your intention to create ASIM parsers, and it will call its loaded skills.
What you can expect in practice
When you start with a request like “Create a new ASIM parser for my source table” the agent can:
Gather critical inputs
Build the initial ASIM parser from source requirements
Run schema and data validation
Refine the parser in a loop until error-level findings are resolved (or report remaining blockers)
Build the matching parameterized parser and re-validate
Help deploy or package your parsers into a PR to contribute to open-source
Where this helps most
This workflow is especially useful when:
Data is already flowing into Sentinel, but there are no supporting ASIM parsers yet
Migrating legacy parsing logic to ASIM conventions
Creating a parser needs to happen with almost no delay, without sacrificing validation confidence
It will also reduce onboarding time for analysts who are new to ASIM but comfortable with KQL and Sentinel operations.
Closing
The ASIM parser creation agentic experience is not about replacing engineering judgment. It is about amplifying it.
If you are building ASIM parsers today, now is the right time to pilot an agentic workflow and shape what comes next.
If you are new to ASIM, getting started with parsers is easier than ever. The guided agentic flow walks you through requirements, parser generation, and validation step by step, so you can learn the ASIM model while still producing useful, high-quality parser outputs quickly.
Modern Security Operations Centers are not short on tools. They are short on continuity. Analysts jump from alert consoles to data exploration, from enrichment to investigation, and from evidence gathering to response—often across multiple interfaces and disconnected workflows.
A single malware incident may begin in Microsoft Sentinel, require enrichment in Defender, depend on targeted KQL hunting, and end with manual response actions somewhere else. Every handoff adds friction. Every context switch slows triage. And every inconsistency increases the risk of missed signals or delayed containment.
To explore what an Agentic SOC could look like in practice, I built a portable, autonomous malware investigation agent: a user-invocable workflow that takes an incident from investigation to evidence correlation to verdict and, when appropriate, to action.
The goal is simple: one prompt, one workflow, and a full incident lifecycle that moves cleanly from Investigate to Decide to Act.
The Real Problem: SOC Work Is Still Too Fragmented
In a conventional malware investigation, even experienced analysts spend too much time stitching the workflow together:
Pivoting across Sentinel and Defender
Manually extracting entities
Writing and optimizing multiple KQL queries
Context switching between tools
Making decisions with incomplete evidence
The operational impact is familiar to every SOC team:
Increased MTTR
Analyst fatigue
Inconsistent investigation quality
This fragmentation is exactly what a unified Microsoft Sentinel and Defender experience is built to solve, and it is where such an investigation agent demonstrates its value.
The Approach: A Portable Agent for End-to-End Malware Investigations
The agent is designed to handle the full investigation loop—not just enrichment, not just summarization, and not just response orchestration.
End-to-end malware investigation
Evidence-based verdicting
SOC-ready summarization
Optional automated response
Because it is defined as a portable agent, the same investigation pattern can be reused across environments with consistent logic, standardized outputs, and controlled automation boundaries.
Standardized investigations
Repeatable execution
Controlled automation
Cross-environment portability
Architecture Overview (End-to-End Flow)
Visual 1: Agentic SOC Investigation Workflow
User / Analyst Input “Investigate Incidentâ€
↓
SOC AI Agent Portable Investigator
↓
Microsoft Sentinel SecurityIncident • SecurityAlert • Data Lake (KQL)
↓
Entity-Driven Queries Device • User • File • IP
Microsoft Sentinel MCP server (provides the Triage and Data Lake exploration tools the agent runs on)
Microsoft Defender for Endpoint data (for the Device* hunting tables)
API permissions for any response action (e.g. endpoint isolation)
 1. Input & Trigger
The workflow starts with a simple natural-language prompt, for example:
Investigate Defender incident 1939
The input includes:
Defender Incident ID
Optional Sentinel workspace
2. Sentinel-First Investigation
The first design choice is deliberate: the agent starts from Sentinel as the investigation plane, within the Unified Defender Portal, where incidents are correlated across Sentinel and Defender, using it to retrieve incident structure, alert context, severity, timelines, and alert relationships before moving deeper.
Queries:
SecurityIncident
SecurityAlert
Extracts:
Severity
Timeline
Alert relationships
This ensures:
Consistent data plane
Reduced dependency on multiple APIs
3. Entity-Driven Correlation
Instead of launching broad hunts across the environment, the agent narrows the scope using the entities already present in the incident. That makes the investigation faster, cheaper, and more precise.
Once the signals are correlated, the agent produces one of three explicit outcomes—grounded in evidence rather than guesswork.
True Positive
False Positive
Benign True Positive
The verdict is:
Based on evidence only
Not guess-driven
Not heuristic overreach
5. SOC-Ready Output Standardization
The final output is intentionally standardized so an analyst can review the outcome quickly, understand the reasoning, and decide what happens next.
One-line verdict
ASCII findings table
Analyst summary
Actions taken
Optional containment recommendation
Visual 3: Standardized Investigation Output
Verdict: True Positive
Category
Findings
Incident Details
Severity: High
Malware Details
Trojan X detected
Device Posture
Real-time protection enabled
User Context
Standard user
Observed Activity
Suspicious process tree
Recommendation
Isolation recommended
Summary
Malware execution confirmed.
Blocked by Defender.
No lateral movement observed.
Actions Taken
Comment added.
Tag applied.
Awaiting isolation decision.
Optional Response & Containment
If permissions are available, the agent can:
Add incident comments
Tag incidents
Update classification
Close incidents
Perform endpoint isolation (gated with human in the loop)
With strict safeguards:
Evidence-backed decisions
Permission validation
Audit traceability
Visual 4: Workspace Portability Logic
Decision Point
Outcome
Workspace provided?
Yes → Use the specified workspace.
Workspace provided?
No → Detect available workspaces.
Only one workspace available?
Yes → Use it automatically.
Multiple workspaces available?
Ask the user to select one.
Missing permissions?
Fall back to read-only behavior.
Â
Security & Operational Rigor
The agent enforces:
No secret storage
Use of existing authentication context
Clear reports of missing permissions
Minimized unnecessary queries
Why This Matters for the Agentic SOC Journey
This solution demonstrates three core pillars of agentic SOC:
1. Deterministic AI Execution
Standardized workflow
Repeatable outcomes
Consistent investigation depth
2. Human-in-the-Loop Control
Analyst decides final actions
No blind automation
Clear explainability
3. End-to-End Closure Capability
This is the most important:
Not just detection
Not just enrichment
Full lifecycle:
Investigate
Decide
Act
What’s Next
This pattern can be extended to:
Identity investigations
Insider risk
Multi-cloud threat correlation
Security Copilot-driven SOC agents
Final Thoughts
Most SOC automation still stops too early—at playbooks, enrichment, or isolated workflow steps. What is still missing in many environments is a cohesive execution model that can carry an investigation from signal to decision without losing context along the way.
Playbooks
Alert enrichment
Partial workflows
This pattern points to something more powerful: composable, intelligent SOC agents that can operate across the full incident lifecycle while keeping humans firmly in control of high-impact actions.
If an agentic SOC is the destination, portable investigation agents are a practical and credible way to start building toward it today.
Get the agent, setup steps, and instructions on GitHub: Â
Content on this page is collected from remote sources by IPWorx but is not created by IPWorx. The contents belong to the creators and should be considered theirs for all legal purposes, we have no editorial control or responsibility over them. IPWorx does not represent or endorse the accuracy or reliability of any opinion, statement, or other information provided by any third party.
This page contains links to third-party websites. These links are provided solely for your convenience. IPWorx does not control, maintain, or endorse the content, accuracy, or reliability of any third-party resources, and you access them at your own risk.