• CVSS Is Broken: Scoring Vulnerability Risk in the Real World
    Jul 1 2026

    Vulnerability management runs on a single number — and that number is lying to you. CVSS scores are embedded in scanner reports, regulatory frameworks, and executive dashboards worldwide, yet most defenders who work with real production environments eventually reach the same conclusion: the system, used in isolation, is a poor guide for prioritizing actual risk. This episode draws on this seven-minute breakdown of CVSS's real-world failures to examine five hard-earned lessons about what goes wrong — and how to fix it.

    Here's what the episode covers:

    • Context blindness: CVSS is deliberately environment-agnostic, which means an internet-facing payment gateway and an air-gapped lab server can carry identical scores despite wildly different blast radii — and the fix is tagging assets with business context before acting on any score.
    • Exploitability gaps: Base scores assume worst-case conditions even when no working exploit exists, while actively weaponized bugs sometimes sit below the critical threshold; pairing CVSS with CISA's Known Exploited Vulnerabilities list and EPSS closes that gap.
    • Score manipulation: The eight metrics that feed a CVSS calculation can be nudged — intentionally or not — by whoever files the advisory, producing legitimately different numbers for the same flaw; independent validation by internal engineering teams is the safeguard.
    • Temporal decay: Vendors freeze the base score at publication and rarely update it, so dashboards stay static even after proof-of-concept code drops publicly; automated score-aging policies tied to exploit maturity keep the queue honest.
    • Patch paralysis: A wall of 9.8s doesn't drive action — it drives overwhelm; replacing the binary "critical vs. everything else" model with a triage ladder built on reachability and live exploit status turns an unmanageable backlog into prioritized sprints.
    • What good looks like: A concrete case study shows how a global manufacturer handled two simultaneous 9.8-scored CVEs differently based on exposure and compensating controls — patching one the same day, scheduling the other for the following quarter — with zero incidents.

    The episode closes with a clear framework for enriching CVSS rather than discarding it: layer in asset criticality, live threat intelligence, compensating controls, and exposure surface data. When briefing leadership, swap raw CVE counts for plain-language statements about business risk — that's what actually moves patching decisions forward. For more on preparing for systemic shifts in security fundamentals, listen to the episode on Cryptographic Agility: Preparing for the Algorithm Lifecycle Crisis.

    SEC.CO

    Show More Show Less
    9 mins
  • Cryptographic Agility: Preparing for the Algorithm Lifecycle Crisis
    Jun 30 2026

    Every cryptographic algorithm has an expiration date, and the gap between "trusted standard" and "actively exploited weakness" is shrinking. This episode of Cybersecurity examines the algorithm lifecycle crisis — the accelerating convergence of advances in cryptanalysis, cloud-scale computing, and the approaching reality of quantum computers — and makes the case that the window for proactive action is narrower than most organizations realize. The discussion is grounded in this six-minute deep-dive on cryptographic agility, which informed the episode's research and framework.

    The episode covers the full arc from historical precedent to practical implementation, including:

    • The algorithm graveyard: How DES, SHA-1, and RSA each followed the same arc from crown jewel to liability — and what that pattern tells us about every algorithm in use today.
    • Why hard-wired crypto is so dangerous: When cryptography is baked into products, embedded systems, and compliance checklists, retiring a broken algorithm stops being a patch and becomes a multi-year engineering project or a board-level crisis.
    • The five pillars of a crypto-agile architecture: Inventory everything that encrypts (with specifics, not generalities), classify and prioritize by risk, decouple cryptographic logic from business code, design for dual-stack coexistence during migrations, and automate rollouts through CI/CD pipelines.
    • Common roadblocks and how to navigate them: The "wait for NIST to finalize" trap, vendor lock-in behind proprietary quantum-safe interfaces, post-quantum performance overhead, and legacy operational technology that can't be patched.
    • Two contrasting case studies: A global financial institution that rotated SHA-1 across two thousand microservices in under a week using a single feature flag — versus a regional hospital forced into frantic weekend remediation after a regulatory audit exposed decade-old RSA key sizes still in production.
    • Where to start this quarter: Concrete first steps — a crypto-asset inventory template, a low-risk algorithm toggle pilot, and a lab environment simulating post-quantum TLS handshakes — that turn agility from abstract strategy into practiced muscle memory.

    The central takeaway is that cryptographic agility isn't a one-time project; it's an organizational discipline. The cost of building it in from the start is a fraction of the cost of retrofitting it under pressure — and history offers no shortage of cautionary tales for teams that waited. For more on related credential and token risk, listen to the episode Cross-SaaS Token Sprawl: Discover, Rotate, and Revoke API Tokens.

    SEC

    Show More Show Less
    9 mins
  • Cross-SaaS Token Sprawl: Discover, Rotate, and Revoke API Tokens
    Jun 29 2026

    API tokens are the invisible connective tissue of the modern SaaS stack — and they accumulate far faster than security teams can track them. This episode tackles cross-SaaS token sprawl head-on, drawing on this in-depth eight-minute read on discovering, rotating, and revoking API tokens to walk through a full governance lifecycle that actually holds up at scale. Whether you're running a lean security program or managing a sprawling enterprise integration mesh, the conversation offers concrete, actionable steps rather than abstract principles.

    The episode covers the full token sprawl lifecycle, from root cause to measurable outcomes:

    • Why sprawl is a context problem, not just a counting problem — a single over-scoped, forgotten token is more dangerous than dozens of well-managed ones, making ownership and scope as important as raw inventory.
    • Continuous discovery as a discipline — using vendor APIs, static and dynamic code analysis, and repository scanning to build a living inventory tagged with owners, lineage, and blast-radius estimates.
    • Telemetry and anomaly detection — turning raw token logs into an actionable signal layer that flags unusual geography, call-volume spikes, and access to sensitive endpoints before an attacker can pivot.
    • Rotation architecture that makes secrets boring — moving away from hard-coded values toward secret managers, runtime injection, and risk-tiered cadences so that rotating a token feels like a routine deployment, not a crisis.
    • Revocation as a verified campaign — building kill switches before you need them, checking for residual access in cached sessions and downstream copies, and codifying each incident's timeline to speed up the next one.
    • Governance that engineers will actually follow — designing secure token flows to be the fastest flows, using procurement conversations as a security control, and tracking meaningful metrics like mean time to revocation and the ratio of short-lived to long-lived tokens.

    The episode closes with a look at the most common failure modes — sprawling spreadsheets, rotation without monitoring, and policies that sound rigorous but can't be executed with available tooling — and explains how a tight feedback loop between inventory, rotation, and revocation compounds into a program that scales gracefully with each new integration your teams add.

    For more on protecting credentials from evolving attack techniques, check out the earlier episode Credential Stuffing Is Evolving—Are Your Defenses?

    SEC

    Show More Show Less
    9 mins
  • Credential Stuffing Is Evolving—Are Your Defenses?
    Jun 28 2026

    Credential stuffing is no longer the noisy, easily-blocked brute-force attack it once was. In this episode of Cybersecurity, the hosts draw on this six-minute deep dive into evolving credential stuffing defenses to map exactly how attackers have refined their tradecraft — and why organizations that haven't updated their mental model of this threat are already behind. From underground combo-list economies to headless browser farms that mimic human behavior, the episode makes a compelling case that this is one of the most persistently underestimated attack categories in enterprise security today.

    Here's what the episode covers:

    • Why the attack still works at all — password reuse remains the core enabler, and aging breach data retains surprising hit rates because most users never rotate credentials across every account after a notification.
    • How automation has industrialized the threat — modern frameworks rotate residential IPs, emulate full browsers, randomize device fingerprints, and solve CAPTCHAs in real time using AI, making volume-based defenses largely obsolete.
    • Layered evasion tactics — low-and-slow pacing to stay under velocity thresholds, headless browser tools like Playwright and Puppeteer, mobile API abuse against lighter-hardened endpoints, and targeted list enrichment using social media cross-referencing.
    • MFA isn't a silver bullet — stolen session cookies, push-notification fatigue attacks, and poorly implemented TOTP flows all give attackers viable bypass routes; the how of MFA deployment matters as much as the whether.
    • The full cost picture — beyond direct fraud losses, organizations absorb infrastructure overload bills, false-positive-driven help-desk spikes, customer churn after visible account-takeover incidents, and real regulatory exposure under GDPR, HIPAA, and PCI.
    • What a modern defense stack looks like — phishing-resistant FIDO2/passkey MFA, adaptive risk engines, behavioral-biometric bot management, automated session-revocation workflows, and proactive threat intelligence monitoring for brand mentions in underground combo-list markets.

    The episode closes with a strategic reminder that no single control has an indefinite shelf life: red-teaming your own login flows, rotating mitigation providers before entropy sets in, and keeping user education current are all ongoing commitments, not one-time projects. For more on attacker persistence techniques, check out the episode Covert Persistence via Scheduled Task Abuse for a complementary look at how adversaries maintain footholds after initial access.

    SEC

    Show More Show Less
    8 mins
  • Covert Persistence via Scheduled Task Abuse
    Jun 27 2026

    Scheduled tasks are one of the most overlooked real estate in any enterprise environment — and that obscurity is precisely what makes them attractive to attackers. This episode of Cybersecurity examines how threat actors abuse task schedulers to plant persistent footholds that survive reboots, password resets, and even closed incident tickets, all while blending in with the everyday automation every organization relies on. The discussion is grounded in this eight-minute deep dive on covert persistence via scheduled task abuse, and translates it into actionable guidance defenders can apply right away.

    The episode walks through the full arc of the problem — from why schedulers are structurally easy to exploit, to the specific habits and controls that raise the cost of hiding inside them. Key topics covered include:

    • Why covert persistence is different: The distinction between simply surviving a reboot and actively disguising that survival inside normal operations — and why scheduled tasks are nearly purpose-built for the latter.
    • How attackers stay invisible: The playbook relies on mimicking existing task names, borrowing the tone of official tooling, timing execution during off-hours, and keeping payloads minimal so dashboards stay quiet.
    • Baseline and inventory as a first line of defense: Treating every scheduled task like an asset — with a known owner, a business justification, and a version-controlled record — so that anything unaccounted for is a finding, not a curiosity.
    • Hardening the scheduler infrastructure: Applying least-privilege service accounts, protecting task binary directories, enforcing script signing, and ensuring detailed task history is forwarded to logs that analysts actually review.
    • Monitoring signals that cut through noise: What to watch for — interpreters launched from unusual paths, tasks created after odd-hours privileged logins, spikes in scheduler errors, and behavior changes with no associated change record.
    • Tuning alerts to avoid fatigue: Why alert volume is a design problem, not a staffing problem, and how requiring justification fields and weighted context at creation time makes triage faster and more accurate.

    The episode closes with a practical incident response framework for when abuse is suspected despite strong controls: enumerating and diffing tasks fleet-wide, preserving evidence before remediation, rotating affected credentials, hunting for adjacent persistence, and — critically — documenting whatever gap allowed the task to blend in so that condition gets fixed, not just the symptom. For more on how attackers exploit trusted network behaviors to stay hidden, check out the episode Covert Channels: How Hackers Hide in Your Everyday Network Traffic.

    SEC

    Show More Show Less
    8 mins
  • Covert Channels: How Hackers Hide in Your Everyday Network Traffic
    Jun 26 2026

    When every firewall rule shows green and no alerts are firing, an attacker could still be quietly draining your network — one DNS query at a time. This episode of Cybersecurity examines covert channels: the technique of weaponizing trusted, everyday protocols to smuggle data and commands past security controls that were never designed to look twice at them. Drawing on this deep-dive on covert channels in legitimate protocols, the episode walks through why these attacks are so difficult to catch and what defenders can realistically do to surface them.

    Here's what the episode covers:

    • Why legitimate protocols are ideal hiding spots — DNS, ICMP, and HTTP are pervasive, plausible at any hour, and typically waved through by firewalls that only check whether a packet is syntactically valid, not what it's actually carrying.
    • DNS tunneling in depth — how attackers base64-encode stolen data into subdomain labels, route it through port 53 to an attacker-controlled name server, and run a full bidirectional command-and-control channel entirely within normal-looking DNS traffic.
    • ICMP and beyond — embedding encrypted C2 instructions inside ICMP echo request payloads, and how the same covert-channel logic extends to HTTP POST bodies, WebSocket frames, cloud storage APIs, VoIP packet slack space, and more.
    • The emerging blind spot of DoH and DoT — how DNS over HTTPS and DNS over TLS, introduced to protect user privacy, inadvertently defeat traditional DNS monitoring and give tunneling traffic a nearly invisible path out of the network.
    • A layered detection framework — building per-host baselines for DNS and ICMP volume, applying deep packet inspection for payload entropy, routing all internal DNS through logged resolvers, correlating network anomalies with endpoint process telemetry, and enforcing Zero Trust egress segmentation.
    • Operational hardening — extending log retention beyond 30 days to catch slow-drip exfiltration, tuning SIEMs for high-entropy domain labels, and running purple-team exercises that specifically test DNS and ICMP tunneling detection.

    The central takeaway is that covert channels are not undetectable — they leave fingerprints in query volume, payload entropy, and timing regularity. The gap between "undetected for months" and "caught in hours" usually comes down to whether defenders have built the visibility infrastructure to see those fingerprints in the first place. For more on securing the infrastructure attackers love to abuse, check out the episode on Container Security: Hardening Kubernetes and Docker Environments.

    SEC

    Show More Show Less
    9 mins
  • Container Security: Hardening Kubernetes and Docker Environments
    Jun 25 2026

    Container adoption has outpaced container security at organizations of every size. Kubernetes and Docker power modern software delivery, but their default configurations were built for ease of use — not for defense. This episode of Cybersecurity draws on the five-minute deep dive on hardening container environments published by SEC to walk through the most consequential security gaps teams are leaving open, and exactly what to do about them.

    The episode covers the full threat surface of containerized infrastructure, from initial configuration through runtime monitoring:

    • Dangerous defaults: Out-of-the-box Kubernetes and Docker settings — permissive RBAC, open networking, unrestricted API access — are well-known attack vectors that threat actors actively scan for and exploit at scale.
    • The root container problem: Running containers with root privileges creates a path from a single compromised container to the underlying host and beyond; the principle of least privilege, applied consistently, limits the blast radius.
    • Network policy enforcement: By default, any pod can reach any other pod in a Kubernetes cluster — a lateral movement dream for attackers. Kubernetes Network Policies enable granular, deliberate segmentation that turns a cluster-wide compromise into a significantly harder attack.
    • Locking down APIs: The Kubernetes API server and Docker daemon are master control planes; exposed without strong authentication and firewall restrictions, they hand attackers the ability to create, destroy, and pivot across an entire environment.
    • Supply chain vigilance: Pulling unverified images from public registries is trusting strangers with infrastructure access — image signing, vetted registries, and continuous vulnerability scanning with tools like Clair or Trivy are the baseline, not a bonus.
    • Runtime monitoring and secrets hygiene: Build-time and deploy-time controls go dark the moment containers are running; tools like Falco catch behavioral anomalies in real time, while proper secrets management — not hardcoded credentials or base64 encoding — keeps sensitive data from becoming low-hanging fruit.

    The episode makes a point that cuts through the complexity: container security is not a one-time checklist completed at deployment. It is a continuous discipline that spans configuration, access control, network design, supply chain, runtime behavior, and secrets management. Teams that treat containerization as a security-neutral infrastructure decision are, statistically, the ones issuing breach notifications. The controls covered here are well-understood and entirely achievable — they simply require intention. For more on what happens when container defenses fail, listen to Container Escape via Kernel Modules: Real Exploits, Real Risk.

    SEC

    Show More Show Less
    8 mins
  • Cloud-Native Security: Protecting Serverless Architectures the Right Way
    Jun 25 2026

    Serverless computing promises less operational overhead, faster deployment, and infinite scalability — but it doesn't promise security. The shared responsibility model means cloud providers manage the infrastructure, while everything above that line remains squarely in your hands. This episode of Cybersecurity unpacks the specific threats that emerge in serverless environments and what engineering and security teams need to do differently to stay ahead of them. The discussion draws from this in-depth guide on cloud-native serverless security best practices published by the team at SEC.

    Here's what the episode covers:

    • IAM misconfigurations as a top breach vector — Why overpermissioned function roles are so common, how the pressure of fast product launches creates dangerous shortcuts, and how tools like AWS IAM Access Analyzer can surface problems before attackers do.
    • API Gateway hardening — The case for enforcing authentication and authorization through established standards like OAuth and JSON Web Tokens rather than rolling custom solutions, and why rate limiting belongs in every serverless deployment from day one.
    • Securing the code itself — How insecure coding practices reach production not through carelessness but through deadline pressure, and why static analysis, code reviews, and runtime protections need to be automated into the pipeline rather than scheduled as afterthoughts.
    • Supply chain risk and dependency scanning — The reality that every third-party library or package imported into a function is an uninspected link in a chain of custody, and how tools like Snyk and AWS CodeGuru can flag known vulnerabilities before they become two-in-the-morning incidents.
    • Data security and storage misconfiguration — Why cloud storage defaults to public access far too often, how misconfigured buckets have driven some of the most embarrassing data breaches in recent memory, and why encryption at rest and in transit should be a baseline rather than an optional hardening step.
    • Visibility, cold starts, and runtime monitoring — How the dormancy cycles unique to serverless functions create aging dependencies and abandoned-but-reachable deployments, why logging is only useful when someone — or something automated — is actually watching, and how real-time monitoring closes the dwell-time gap before damage compounds.

    The episode closes with a broader mindset argument: serverless doesn't reduce your security obligations, it transforms them. Organizations that treat serverless security as a future problem tend to discover it's a present one when it's already too late. For more on securing cloud runtime environments, check out the related episode Cloud Egress Control: Policy-as-Code for Secure Runtime Traffic.

    SEC

    Show More Show Less
    7 mins