© 2035 by The Clinic. Powered and secured by Wix
Scamming - Public Service Announcement
A text arrived on my phone this morning. Final Warning. Today’s date. Massachusetts Department of Transportation. License suspension if I don’t pay by end of day. A code citation. Five escalating consequences. A payment link. A clever instruction at the bottom, reply “Y” and reopen the message to activate the link. Every element is engineered. None of it is real. Massachusetts has no “Centralized Violation Registry.” There is no Administrative Code 15C-16.003. The RMV does no

Lindsay Timcke
1 hour ago · 2 min read
Three Cyber Risks Quietly Bleeding Sub-$100M Companies
Companies under $100M in revenue sit in the most exposed seat in the cyber economy. Large enough to be worth attacking, small enough to lack the staff, tooling, and governance maturity the threat now demands. Three risks dominate, and the typical response misreads each one. The first is third-party and MSP exposure. Mid-market firms outsource IT to keep headcount lean, Datto RMM here, Meraki there, a fractional CISO somewhere, handing persistent privileged access to organizat

Lindsay Timcke
1 hour ago · 2 min read
The 2019 Playbook Is Still Winning at Regional Banks
Mid-tier regional banks occupy the most exposed position in financial services, large enough to be worth the attacker’s time, too small to fund the defense the megabanks built. The vectors hitting this segment are not exotic. They are the same five every quarter, dressed in slightly different clothing, and the boards keep being surprised. 1) Vendor and MSP compromise is first. The core processor, the managed service provider, the loan origination platform, each is a jump b

Lindsay Timcke
1 hour ago · 2 min read
Environmental Criminology Is a Forecast, Not a Theory
The economy is rolling over, and the security profession is about to relearn environmental criminology the hard way. Cohen and Felson laid it out fifty years ago, crime requires a motivated offender, a suitable target, and the absence of a capable guardian. In a downturn, all three legs of the triangle move in the wrong direction at the same time, and the firm’s interior risk surface lights up faster than any external one. Motivated offenders multiply. Layoffs, frozen pay, ev

Lindsay Timcke
1 hour ago · 2 min read
Canvas Didn’t Fail Higher Ed, Higher Ed Failed Itself
ShinyHunters hit Instructure twice in seven days. The first breach on May 1st, names, email addresses, student IDs, internal messages across the Canvas user base, was disclosed, “contained,” and patched. Six days later the same actor replaced login pages at roughly nine thousand institutions worldwide with a ransom note, citing Instructure’s refusal to engage as the reason. Harvard, Princeton, Columbia, Penn, the UT system, UCLA, Duke, Wisconsin, Northwestern, caught flat-foo

Lindsay Timcke
1 hour ago · 2 min read
Canvas Had Every Certification. The Certifications Caught Nothing
ShinyHunters breached Instructure, the parent company of Canvas, on April 30. Same crew behind Ticketmaster, AT&T, McGraw-Hill, Infinite Campus, Amtrak. Same Salesforce attack surface they exploited in the September 2025 breach of the same company. Eight months. Two breaches. 3.65 terabytes. 275 million students and teachers. Nearly 9,000 institutions named, Harvard, Stanford, MIT, Penn, Princeton, Duke, Berkeley, Columbia, Georgetown. Ransom deadline May 12. Now look at what

Lindsay Timcke
1 hour ago · 2 min read
We are studying for the test while the building burns
In 2025, 48,185 CVEs (Common Vulnerabilities and Exposures) were published, a record, up 20.6 percent year over year. That’s 131 new vulnerabilities every single day. Median time to exploit dropped under five days. AI finds real bugs autonomously. Anthropic disclosed a Chinese state-sponsored actor running an 80-to-90 percent autonomous campaign against thirty global targets via Claude Code last November. Meanwhile, the major risk and security credentialing bodies refresh exa

Lindsay Timcke
1 hour ago · 2 min read
The AI Math Doesn’t Work
A 615-acre data center campus in Fayetteville, Georgia drew nearly 30 million gallons of water, quietly, without proper billing, while the surrounding county was under drought advisory and the governor was declaring a wildfire state of emergency. Residents discovered it because their own pressure dropped. This is not an outlier. It is the model. Two hundred data centers in Georgia alone. Each one a thirsty industrial tenant grafted onto municipal infrastructure sized for the

Lindsay Timcke
1 hour ago · 2 min read
The Red Team Vector That Has Not Stopped Working Since 1995
Most physical penetration tests succeed on the first attempt, and the tooling fits in a tailored suit. No zero-day. No pretext more elaborate than confidence. No badge cloner. I put on a suit and walk toward reception at the same pace as the people in front of me, smile at the receptionist already overwhelmed by the morning rush, say “I’m here for the nine o’clock with [name pulled off the company website],” and wait to be told where to sit. Inside in under sixty seconds. If

Lindsay Timcke
1 hour ago · 2 min read
Selling Robots to People Who Can’t Afford Rent
The tech founders promising a humanoid robot in every garage and AI in every appliance are pitching a fantasy to a generation that cannot afford the present, never mind the future. The math is plainly broken, and nobody on stage seems willing to say it. The numbers are not subtle. The average federal student loan borrower carries roughly $39,000. The average new car payment is now around $750 per month, often on a seven-year term. A one-bedroom in Boston averages around $3,0

Lindsay Timcke
1 hour ago · 2 min read
Enterprise AI deployment Red Team
Wrapped up a red team engagement against an enterprise AI deployment; here is the post mortem. Some specifics have been removed for obvious reasons. The target was a small to mid-sized company that had rolled out an internal LLM-powered assistant wired into corporate data, email, ticketing, HR records, and a handful of internal APIs (right off the bat: what could go wrong?). The kind of “AI copilot” deployment everyone is racing to ship right now. The scope was broad: see what

Lindsay Timcke
1 hour ago · 2 min read
When the “Rescue” Costs More Than the Problem: Grant Thornton’s Private Equity Reality Check
The numbers tell a story every professional services firm should pause over. Grant Thornton UK just reported a 78% drop in pretax profit, from £143.6m to £32m, as costs tied to Cinven’s private equity takeover swallowed the bottom line. Revenue actually grew 4% to £787m. The business is performing. The ownership model is the problem. Let that sink in. A profitable, growing, well-respected mid-tier firm, one that delivered £147m in operating profit and 11% revenue growth the p

Lindsay Timcke
1 hour ago · 2 min read
Let’s reframe the AI conversation
We are being told, at every conference, every vendor pitch, every executive offsite, that we MUST embrace AI. Faster. Wider. Everywhere. It is being rammed down our throats at every corner and there is nowhere left to hide from it. Meanwhile, the compliance world still has not figured out crypto. And AI makes crypto look like a first grader walking into a graduate-level class. Stop. Breathe. Think about what we are actually doing. Most organizations cannot tell you, right now

Lindsay Timcke
1 hour ago · 2 min read
Institutional Fraud At Its Best: The Adani Case as Institutional Pay-to-Play
In November 2024, US prosecutors unsealed one of the most damning corporate indictments of the decade. Gautam Adani, Asia’s richest man, and seven others were charged with running a roughly $265 million bribery scheme to win solar energy contracts from Indian government officials. The charges were serious: securities fraud, wire fraud, FCPA violations, and conspiracy to obstruct justice. The mechanics were simple. While bribes flowed to officials, Adani Green raised $750 mill

Lindsay Timcke
1 hour ago · 2 min read
The “is it a bubble” debate is over. The real question is the order and when the dominos fall, here is my prediction.
Domino 1 — Oracle (already cracking). ORCL is down ~25% YTD. They issued $18B in bonds in September, then another $50B for AI capex. Free cash flow is negative $10B. They just cut up to 30,000 jobs, 18% of the workforce, not because revenue collapsed, but to fund $156B in data centers. When you fire your people to pay for GPUs, the bond market notices. First credit downgrade lights the fuse. Domino 2 — Meta (8,000 cuts on May 20). 2026 capex is $125-145B against $27B in total

Lindsay Timcke
1 hour ago · 2 min read
Shadow AI in 2026: The Top Risk Your Audit Function Is Not Yet Measuring
Shadow AI, unsanctioned LLM use, citizen-built agents, and SaaS-embedded models, is now the fastest-moving governance gap in the enterprise. The numbers make the audit case unambiguous: shadow AI was a factor in 1 in 5 data breaches, increasing average breach costs by $670,000 per incident (IBM 2025), and takes 10 additional days to contain. Netskope’s 2026 Cloud and Threat Report found that 47% of GenAI users access tools through unmanaged personal accounts, bypassing ente

Lindsay Timcke
1 hour ago · 2 min read
Phantom Penetration Tests: The IT Fraud No One Is Auditing
You paid $75,000 for a red team engagement. You got a polished 60-page report with CVSS scores, redacted screenshots, and a remediation roadmap. Looks legitimate. Problem: zero packets ever hit your network. The “test” was LLM-fabricated theater built from your public asset inventory, CVE feeds, and the tech-stack you broadcast on LinkedIn job posts. Welcome to phantom pentest fraud, the audit-grade scam AI made trivial, and almost nobody is monitoring. Why it thrives: • The

Lindsay Timcke
1 hour ago · 2 min read
Hallucinated Due Diligence: The AI Fraud in Your Deal Room
A 200-page report lands the night before close (yah we have all been there). Management interviews, working capital adjustments, an EBITDA bridge, customer concentration, a quality-of-earnings opinion. Your buy-side advisor invoiced $400,000 on a $40M deal. Bulletproof. What you don’t know: half the interviews never happened. The churn was extrapolated from three invoices. The opinion was generated by a language model in 40 seconds. Your R&W binder now contains a materially f

Lindsay Timcke
2 hours ago · 2 min read
The Sample Work Is No Longer the Product. Your Contract Should Reflect That
For two decades, buyers/clients evaluated vendors (consultants/CPAs) by sample work. Decks, case studies, writing samples, design comps, proxies for what you’d actually receive. That proxy is broken. Today, any agency, consultancy, CPA, or freelancer can ship a sample that looks senior because AI made it look senior. The pitch is no longer the product. It’s a demo of the tools used to make the pitch. This isn’t a quality complaint. It’s a contract problem. If you’re buying k

Lindsay Timcke
2 hours ago · 2 min read
When the Cyber Watchdog (CISA) Can’t Watch Itself
A contractor for CISA, the Cybersecurity and Infrastructure Security Agency, maintained a public GitHub repository called, almost comically, “Private-CISA.” Inside it: administrative credentials to three AWS GovCloud accounts. Plaintext passwords in a CSV file. Tokens. Build logs. Terraform code. Kubernetes manifests. The actual blueprint of how CISA builds and ships software. A GitGuardian researcher called it “the worst leak I’ve witnessed in my career.” Let that sink in.

Lindsay Timcke
2 hours ago · 2 min read