Patch the Planet, drain the CRMs, buy the OT
Klue's OAuth compromise exposed Salesforce data across the security vendor bench; Accenture spends $4.175B on Dragos, runZero, and NetRise; Cisco picks up WideField for Splunk's agentic SOC.
Welcome to The Cybersecurity Pulse (TCP)! I’m Darwin Salazar, Head of Growth at Monad and former detection engineer at Datadog. Each week, I bring you the latest security innovation and industry news.
Hi 👋 - Hope you’re having a great week wherever you’re reading from!
It’s the week after Identiverse/Juneteenth and the week before holiday week, so the security news cycle has that weird pre-OOTO lull. Still, the Klue breach is ringing bells and stirring up Salesloft/Drift PTSD. Meanwhile, there still hasn’t been much movement on the Fable/Mythos front, which is pretty telling.
On the TCP front, Dr. Yonesy Núñez, CISO at Surf AI, teamed up with TCP on a guest post about security hygiene. Also, TCP sponsor Gist came out of stealth, tackling the very unsexy but very real problem of turning product and code changes into risk reviews, threat models, and audit-ready evidence.
Lastly, no TCP next week. We’ll be back with issue 138 on July 28th!
Now, onto the news!
TL;DR ✏️
🧩 Klue breach hits Salesforce: LastPass, Huntress, HackerOne, and more disclosed impact from stolen OAuth tokens.
🛠️ OpenAI shifts to patching: Daybreak adds GPT-5.5-Cyber, Codex Security updates, and Patch the Planet.
🏭 Accenture buys into OT: Accenture agrees to take a Dragos majority stake and buy runZero/NetRise for a total of $4.15B.
🧾 Gist comes out of stealth: Gist turns product and code changes into risk reviews, threat models, and audit-ready evidence.
🧹 Security’s cleanup era: Dr. Yonesy Núñez says the work is simple, not easy: close the gaps before they compound.
🧠 Dream raises $260M: Bicycle Capital and Group 11 co-led the round at a $3B valuation.
🪪 Cisco targets WideField: Cisco plans to add identity and session context to Splunk’s Agentic SOC.
Plus: OT-specific AI, coding-agent controls, SASE deployment skills, a cursed awareness test, and more.
⚒️ Picks of the Week ⚒️
Klue breach turns OAuth tokens into a Salesforce data-theft lane
The Klue breach appears to have started with a stale credential and ended with attackers using trusted SaaS integrations to pull customer data from Salesforce.
According to Huntress, attackers used a long-disused but still active credential tied to an abandoned integration prototype, pivoted into Klue backend systems, and pushed code that collected customer OAuth tokens. Those tokens were then used to access connected environments, including Salesforce. ReliaQuest observed attackers using Python scripts and the Salesforce REST API for bulk extraction, including nearly 1,000 queries in 15 minutes in one environment.
Klue disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack while investigating. Publicly disclosed impacted companies include Huntress, LastPass, HackerOne, Recorded Future, Jamf, Snyk, OneTrust, Tanium, Gong, Sprout Social, and Insurity. LastPass said attackers accessed business contact info, support case data, and sales-related data, but said customer vaults were not affected.
Once again, a forgotten integration credential at one vendor became a working key into other companies’ CRM data. OAuth tokens are pretty much non-human identities with business context, access, and persistence. That makes them perfect for this kind of campaign (remember the Vercel and Salesloft/Drift breaches?).
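The bulk-extraction pattern ReliaQuest describes (close to 1,000 API queries in 15 minutes from one integration) is something a defender can alert on. The sketch below is an added example, not code from this newsletter, Huntress, or ReliaQuest; the event tuple layout, client names, IP addresses, and the 900-query threshold are assumptions, and the sample events are constructed rather than taken from any Salesforce log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
THRESHOLD = 900  # assumption: set just under the ~1,000 queries / 15 min reported

def find_query_bursts(events, baseline_ips, window=WINDOW, threshold=THRESHOLD):
    """events: (timestamp, oauth_client, source_ip) tuples for API queries.
    Returns one alert per burst in which a client reaches `threshold`
    queries inside a sliding `window`."""
    recent = defaultdict(deque)   # client -> (timestamp, ip) still in window
    firing = defaultdict(bool)    # client -> already alerted for this burst
    alerts = []
    for ts, client, ip in sorted(events):
        q = recent[client]
        q.append((ts, ip))
        while q[0][0] <= ts - window:      # drop events older than the window
            q.popleft()
        if len(q) < threshold:
            firing[client] = False         # burst over; re-arm the alert
        elif not firing[client]:
            firing[client] = True
            ips = {i for _, i in q}
            alerts.append({
                "client": client,
                "at": ts,
                "queries_in_window": len(q),
                # IPs never seen for this integration before the burst
                "unfamiliar_ips": ips - baseline_ips.get(client, set()),
            })
    return alerts

def build_sample_events():
    """Constructed data: steady integration traffic, then a bulk pull."""
    day = datetime(2026, 1, 1, 9, 0, 0)
    events = [(day + timedelta(minutes=m), "crm-sync", "192.0.2.10")
              for m in range(180)]                  # 1 query/min, normal
    events += [(day + timedelta(seconds=3 * s), "reporting", "192.0.2.20")
               for s in range(600)]                 # 300 per 15 min, busy but normal
    burst = day + timedelta(hours=4)
    events += [(burst + timedelta(seconds=0.9 * n), "crm-sync", "203.0.113.77")
               for n in range(980)]                 # 980 queries in under 15 min
    return events

BASELINE = {"crm-sync": {"192.0.2.10"}, "reporting": {"192.0.2.20"}}

if __name__ == "__main__":
    for alert in find_query_bursts(build_sample_events(), BASELINE):
        print(alert)
```

Keying the window on the OAuth client rather than the human user matters here, because the stolen tokens act as the integration and not as any one employee.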
OpenAI shifts Daybreak toward patching
OpenAI is expanding Daybreak with an updated Codex Security plugin, a limited release of GPT-5.5-Cyber, and Patch the Planet, an open-source remediation initiative with Trail of Bits, HackerOne, Calif, researchers, and maintainers.
The company says Codex Security has scanned 30M+ commits across 30,000+ codebases, with human reviewers marking 70,000+ findings as fixed and more than 500,000 findings automatically determined to be fixed. Meanwhile, GPT-5.5-Cyber outperformed GPT-5.5 on CyberGym, ExploitGym, and SEC-bench Pro.
The contrast with the Mythos/Glasswing circus is pretty loud. Anthropic turned frontier cyber capability into a global shock. OpenAI is trying to frame similar capabilities as remediation infrastructure: find, validate, patch, land the fix.
Accenture makes a $4.175B OT security bet
Accenture agreed to acquire a majority stake in Dragos and all of runZero and NetRise in a deal valued at approximately $4.175B.
The move gives Accenture a much larger software footprint in OT security: Dragos brings industrial threat detection, runZero adds asset intelligence and exposure assessment, and NetRise adds firmware and software supply chain visibility. Accenture says the three companies are estimated to generate roughly $208M ARR as of June 2026. Dragos will keep operating independently, with runZero and NetRise rolling under Dragos.
This is Accenture buying its way from OT services into OT security software. Having worked in Accenture’s security consulting biz, I can say that they service a strong portion of the federal govt. and critical infrastructure co’s (i.e., energy). These are great pickups for Accenture, especially considering that AI has disrupted the value of all their other offerings.
Dream raises $260M for sovereign AI cyber defense
Dream raised $260M at a $3B valuation to expand its sovereign AI and cyber defense platforms for governments and critical infrastructure.
The round was co-led by Bicycle Capital and Group 11, with participation from Antler, Bain Capital Ventures, Tru Arrow Partners, and other global investors. Dream was founded by Shalev Hulio, former CEO and co-founder of NSO Group, former Austrian Chancellor Sebastian Kurz, and CTO Gil Dolev. Its pitch is national cyber defense and sovereign AI for governments that want more control over data, models, and critical infrastructure security.
Dream is selling the same geopolitical anxiety that is reshaping the whole AI security market: countries do not want their defensive stack dependent on someone else’s frontier model, cloud, or export policy. The uncomfortable part is the founder history. A former NSO CEO building sovereign defensive AI for governments is interesting.
Health board apologizes for tasteless phishing test
Newfoundland and Labrador Health Services apologized after sending staff a phishing simulation that dangled an extra paid vacation day as bait.
The test thanked employees and physicians for their work on the CorCare software rollout, then invited them to click a button to redeem the day off. Anyone who clicked failed the test. The Registered Nurses’ Union called the exercise insensitive, pointing to staffing shortages, burnout, and the difficulty healthcare workers already face getting paid time off.
It’s 2026. Pretty wild that this is still happening 🙃
🔮 The Future of Security 🔮
AI Security
Snyk launches Agentic Development Security
Snyk launched Evo Agentic Development Security, a new capability for governing AI-driven development workflows before agent-generated code hits repos, pipelines, or production. The pitch is to secure what agents use, what they do, and what they generate, including MCP servers, tools, permissions, agent actions, and AI-written code. This is the right problem: AppSec tooling was built around humans committing code, but coding agents are starting to act before traditional controls even see the artifact.
IoT/OT Security
Dragos unveils EmberAI for OT security
Dragos unveiled EmberAI, an OT-specific AI capability built on its Intelligence Fabric dataset, which includes adversary tracking, vuln research, asset and protocol research, and incident response experience. EmberAI lets analysts ask plain-language questions, correlate threat intel, assets, vulnerabilities, and network activity, and keep data inside the customer-controlled Dragos deployment. The useful bit is not “AI for OT,” it is context: generic copilots are weak in industrial environments unless they understand protocols, process risk, and why taking something offline can be worse than leaving it exposed.
Security Operations
Cisco buys WideField for Splunk’s Agentic SOC
Cisco plans to acquire WideField Security to strengthen Splunk’s Agentic SOC with identity, credential, session, and blast-radius context. WideField maps human and non-human identities, detects weak authentication paths and policy drift, and adds live session monitoring into investigations. This is the right direction for agentic SOC: autonomous response is mostly theater unless the system understands who the actor is, what they can touch, and what breaks if it takes action.
Bye for now 👋🏽
That’s all for this week… See you next week!
Disclaimer
The insights, opinions, and analyses shared in The Cybersecurity Pulse are my own and do not represent the views or positions of my employer or any affiliated organizations. This newsletter is for informational purposes only and should not be construed as financial, legal, security, or investment advice.




