🎄TCP #113: React2Shell Hell, Gartner vs. AI Browsers, and a $4.5B+ Week
What's hot in security🌶️ | Dec. 3rd - Dec. 11th, 2025
Welcome to The Cybersecurity Pulse (TCP)! I'm Darwin Salazar, Head of Growth at Monad and former detection engineer in big tech. Each week, I bring you the latest security innovation and industry news. Subscribe to receive weekly updates! 📧
Stop guessing about your Workspace Security
Google Workspace provides excellent native security, but without proper configuration, you can still have dangerous gaps. Material Security’s Google Workspace Security Scorecard provides in-depth review of your email, file, and account security, as well as global configurations.
See if your Workspace security meets best practices, and get actionable recommendations where it falls short.
Want to sponsor the TCP newsletter? Learn more here.
Howdy! Hope you’re having a great week wherever you’re reading from 🤗
Between building the best security data ETL platform on the mkt, holiday events (s/o Cyversity!), and 4 days at CyberMarketingCon (recap post coming tmr), it’s been a whirlwind for me, in the best way possible.
That said, the security space is on hyperspeed 24/7, so we have tons to cover. It’s never a good week when a CVSS 10.0 vuln with 900k+ public instances rolls out.
Let’s get to it.
TL;DR 📰
🚨 React2Shell resembles Log4Shell velocity+scale — CVE-2025-55182 (CVSS 10.0) exploited within 72 hours; 30+ orgs compromised, 968K vulnerable React/Next.js instances
🎣 Active AITM campaign targets M365 + Okta — Datadog details two-stage phishing hijacking SSO flows; hundreds of users hit across dozens of orgs
🙅♂️ Gartner says block AI browsers — Atlas and Comet flagged for data leakage and prompt injection risks; ruled not secure enough for enterprise use yet
🐧 Action1 expands to Linux — Unified patching across Windows, macOS, and Linux from one console; first 200 endpoints free forever
🔍 Vega launches Data Explorer — Maps visibility gaps across distributed telemetry; scores coverage and prescribes fixes
🤝 Linux Foundation launches Agentic AI Foundation — Anthropic contributes MCP, OpenAI adds AGENTS.md, Block provides Goose
🚽 Kohler’s “E2EE” toilet camera isn’t actually E2EE — Researchers find it’s just TLS; company can access data and may use it for AI training
👤 Saviynt raises $700M at $3B valuation — KKR-led round for identity platform managing 100M+ identities across 600+ enterprises
📧 Proofpoint closes Hornetsecurity for $1.8B — ~$200M ARR at 9x revenue multiple
🤖 7AI raises $130M Series A — $700M valuation.. AI agent things
🎭 Imper.ai emerges with $28M — Real-time impersonation detection across Zoom, Teams, Slack from Unit 8200 veterans
🌱 Holly Ventures launches $33M seed fund — Solo GP John Brennan (ex-YL Ventures) backed by Bessemer, CRV, Wing, Okta Ventures
💰 Check Point raises $1.75B in convertible bonds — First debt raise ever; war chest approaches $5B for expected M&A spree
⚒️ Picks of the Week ⚒️
React2Shell (CVE-2025-55182): Critical RCE Actively Exploited Across 30+ orgs
A critical RCE vulnerability in React Server Components dubbed React2Shell achieved Log4Shell-level exploitation velocity within 72 hours of December 3 disclosure. CVE-2025-55182 (CVSS 10.0) affects React 19.x and Next.js 15.x/16.x, with 968,000 potentially vulnerable instances and 77,000 exposed IPs.
As of Dec. 6th, 30+ orgs had been compromised across multiple sectors. I imagine this number has at least doubled by now.
The near-deterministic exploit combined with Next.js’s default-exposed attack surface creates perfect conditions for mass exploitation.
Attack mechanics: Exploits insecure deserialization in React Server Components Flight protocol. Attackers achieve near-100% reliable RCE by manipulating object references to invoke the native Function() constructor. Next.js is particularly exposed because the vulnerable flow is accessible by default via the next-action header.
In the wild: Unit 42 observed cryptominers, credential harvesting targeting AWS/npm/Docker/Git/SSH configs, Cobalt Strike, and Sliver implants for persistent C2. Scripts recursively scan for secrets and attempt cloud instance metadata access for IAM credentials. Unit 42 attributed one campaign to CL-STA-1015, a suspected PRC Ministry of State Security-linked IAB, which deployed SNOWLIGHT and VShell trojans.
Patches: React 19.0.1, 19.1.2, 19.2.1; Next.js 16.0.7, 15.5.7 and earlier patched versions. Organizations running containerized Next.js apps in Kubernetes/managed cloud services face immediate credential harvesting risk and should patch asap.
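The first thing most teams need after reading the patch list above is a quick answer to "which of our lockfiles still pull an affected React or Next.js build?". The script below is an added example, not code from the newsletter, Unit 42, Wiz, or the React/Next.js projects. It takes the fixed releases the text lists (React 19.0.1/19.1.2/19.2.1, Next.js 15.5.7/16.0.7) and walks a package-lock.json, including nested copies under other packages' node_modules. Assumptions, labelled in the code: the affected lines are exactly React 19.x and Next.js 15.x/16.x as stated above, so anything outside those lines is reported as "not-in-affected-range" rather than "safe", and the sample lockfile is constructed.

```javascript
// Added example (not from the newsletter or the React/Next.js projects):
// triage installed React / Next.js versions against the fixed releases the
// text lists for CVE-2025-55182 (React2Shell).
// Assumption: affected lines are React 19.x and Next.js 15.x/16.x only; any
// other major/minor line is reported as "not-in-affected-range" and the
// vendor advisory remains authoritative.

// First patched release of each affected minor line (from the text above).
const FIXED_VERSIONS = {
  react: ["19.0.1", "19.1.2", "19.2.1"],
  next: ["15.5.7", "16.0.7"],
};

// Parse "major.minor.patch"; a pre-release suffix such as "-canary.3" is
// ignored (a simplification, not full semver).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Returns "vulnerable", "patched" or "not-in-affected-range" for one
// installed version. The installed build must reach the earliest fixed
// release with the same major and a minor >= its own (e.g. Next 15.4.x must
// reach 15.5.7; React 19.1.x must reach 19.1.2).
function assess(pkg, installed) {
  const fixes = FIXED_VERSIONS[pkg];
  if (!fixes) return "not-in-affected-range";
  const [maj, min] = parseVersion(installed);
  const candidates = fixes.filter((f) => {
    const [fm, fn] = parseVersion(f);
    return fm === maj && fn >= min;
  });
  if (candidates.length === 0) return "not-in-affected-range";
  candidates.sort(compareVersions);
  return compareVersions(installed, candidates[0]) < 0 ? "vulnerable" : "patched";
}

// Walk a lockfileVersion 2/3 package-lock: keys look like
// "node_modules/react" or "node_modules/some-lib/node_modules/react".
function triageLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.replace(/^.*node_modules\//, "");
    if (name in FIXED_VERSIONS) {
      findings.push({ name, path, version: entry.version, status: assess(name, entry.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project's): one vulnerable Next.js
// build, a patched top-level React, and a vulnerable nested React copy.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/next": { version: "16.0.3" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-dom": { version: "19.2.1" },
    "node_modules/some-lib/node_modules/react": { version: "19.1.0" },
  },
};

console.log(JSON.stringify(triageLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real tree, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the nested-copy case matters because a patched top-level React does not help if a dependency pins its own older 19.x copy.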
Dig Deeper:
React2Shell (CVE-2025-55182): Critical RCE Actively Exploited Across 77K+ IPs - Unit42 Research
React2Shell: Technical Deep-Dive & In-the-Wild Exploitation of CVE-2025-55182 - Wiz Research
Gartner Calls For Pause on AI Browser Use
Gartner has advised enterprises to block agentic browsers like OpenAI’s ChatGPT Atlas and Perplexity Comet until security catches up. The advisory, “Cybersecurity Must Block AI Browsers for Now,” warns that default settings prioritize convenience over security, and that data sent to cloud AI backends creates “irreversible and untraceable” exposure risk. Imo, if Gartner is sounding the alarm then it must be some pretty serious shit, plus it feels like there’s a new AI browser vuln every other week.
Gartner breaks the risks into two buckets.
AI sidebars that ship browsing history, open tabs, and session data to external AI services.
Agentic capabilities vulnerable to prompt injection that could trigger rogue actions, phishing navigation, or credential theft. They also flag the delightful possibility of employees using AI browsers to auto-complete their mandatory security training.
A blanket ban recommendation is pretty significant coming from Gartner given how much weight they hold in the corporate world.
Dig Deeper: AI Browser Vulnerability Tracker
Unified Patching for Windows, macOS, and Now Linux 🐧
Action1 just expanded to Linux, completing our unified platform for autonomous patching across every major OS and third-party app. Get real-time enterprise-wide visibility, automate remediation, and deploy patches at scale, all from one cloud-native console with zero infrastructure.
Plus, your first 200 endpoints are free, forever (not a free trial, no feature limits, never expires), so you can deploy Action1 in real environments and scale when ready.
Datadog Deep Dive on Active AITM Phishing Campaign Targeting M365 and Okta SSO
Datadog Security Labs detailed an active adversary-in-the-middle phishing campaign targeting organizations using Microsoft 365 and Okta for SSO, active since August and ongoing as of December 10. The campaign targeted hundreds of users across dozens of organizations in early December.
Attack mechanics: The two-stage attack starts with M365 phishing pages on HR/benefits-themed domains that proxy legitimate Microsoft authentication. JavaScript detects when victims use Okta as their IdP, then redirects to second-stage Okta phishing pages on lookalike domains (sso[.]oktasecure[.]io, sso[.]okta-cloud[.]com). The Okta phishing kit steals session cookies client-side and proxies all traffic to legitimate Okta tenants to preserve branding. Phishing emails were sent from compromised Salesforce Marketing Cloud mailboxes spoofing ADP benefits notifications.
The dynamic SSO flow hijacking based on federation detection shows a sophisticated understanding of enterprise authN deployments. Orgs relying on push-based MFA (e.g., Okta Verify) without phishing-resistant methods like FastPass or FIDO2 remain vulnerable. Datadog provides specific log queries for detection in the blog.
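Datadog's own queries live in their blog; as an added example that is not from the newsletter or Datadog Security Labs, here is the shape of the simplest detection a defender can run over outbound web-proxy logs: flag any destination host that contains "okta" but is not under the tenant's legitimate Okta domains, and raise severity when the request is a POST to an authentication-looking path (the kit proxies real Okta paths, so credential submissions look like ordinary Okta API calls). The log format and sample lines are constructed, `LEGIT_OKTA_SUFFIXES` is a placeholder allowlist you must replace with your own tenant hostnames, and the credential-path heuristic is an assumption, not a published rule.

```javascript
// Added example (not from the newsletter or Datadog Security Labs): scan
// web-proxy log lines for Okta lookalike hosts like the ones in the campaign
// write-up above.
// Assumptions: the key=value log format is constructed for this example;
// LEGIT_OKTA_SUFFIXES is a placeholder allowlist; treating a POST to an
// authentication-looking path as a credential submission is a heuristic.

const LEGIT_OKTA_SUFFIXES = [".okta.com"]; // assumption: add your tenant's custom domains

// Paths that typically carry credentials when proxied by a phishing kit
// (heuristic, constructed for the example).
const CREDENTIAL_PATHS = [/^\/api\/v1\/authn/, /^\/login/];

// Constructed sample lines. The two lookalike hosts are the ones named in
// the campaign write-up above, with the defanging brackets removed.
const SAMPLE_LOG = [
  "2025-12-04T09:12:01Z user=alice dst=acme.okta.com method=GET path=/app/UserHome status=200",
  "2025-12-04T09:15:44Z user=bob dst=sso.oktasecure.io method=POST path=/api/v1/authn status=200",
  "2025-12-04T09:16:02Z user=bob dst=acme.okta.com method=POST path=/api/v1/authn status=200",
  "2025-12-04T09:20:13Z user=carol dst=sso.okta-cloud.com method=GET path=/login status=200",
  "2025-12-04T09:21:00Z user=dave dst=login.microsoftonline.com method=GET path=/common/oauth2 status=302",
];

// "<timestamp> k=v k=v ..." -> { ts, k: v, ... }
function parseLine(line) {
  const [ts, ...rest] = line.trim().split(/\s+/);
  const fields = { ts };
  for (const kv of rest) {
    const i = kv.indexOf("=");
    if (i > 0) fields[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return fields;
}

// A host "looks like Okta" when it contains the brand string but is not
// under any allowlisted suffix (or the bare apex of one).
function isLookalikeOkta(host) {
  const h = host.toLowerCase();
  if (!h.includes("okta")) return false;
  return !LEGIT_OKTA_SUFFIXES.some((s) => h === s.slice(1) || h.endsWith(s));
}

// One alert per line that reaches a lookalike host; "critical" when the
// request looks like a credential submission.
function detectOktaLookalikes(lines) {
  const alerts = [];
  for (const line of lines) {
    const f = parseLine(line);
    if (!f.dst || !isLookalikeOkta(f.dst)) continue;
    const credentialPost =
      f.method === "POST" && CREDENTIAL_PATHS.some((re) => re.test(f.path || ""));
    alerts.push({
      ts: f.ts,
      user: f.user,
      host: f.dst,
      path: f.path,
      severity: credentialPost ? "critical" : "high",
      reason: credentialPost
        ? "credential POST to Okta lookalike host"
        : "traffic to Okta lookalike host",
    });
  }
  return alerts;
}

// Campaign-scale view: distinct users per lookalike host, which is what
// turns "one odd click" into "we are being targeted".
function usersPerLookalikeHost(lines) {
  const seen = {};
  for (const a of detectOktaLookalikes(lines)) {
    if (!seen[a.host]) seen[a.host] = new Set();
    seen[a.host].add(a.user);
  }
  return Object.fromEntries(Object.entries(seen).map(([h, s]) => [h, s.size]));
}

console.log(JSON.stringify(detectOktaLookalikes(SAMPLE_LOG), null, 2));
console.log(usersPerLookalikeHost(SAMPLE_LOG));
```

Note what this does and does not catch: bob's follow-up POST to the real tenant is not alerted, because the kit proxies traffic to the legitimate tenant and that request is indistinguishable from a normal login at the proxy; the signal is the earlier hit on the lookalike host, which is why the allowlist has to be tight and the brand-string match deliberately broad.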
Kudos to the DD Security Labs team for continuing to uncover bad actors and showing how the sausage is made across attack mechanics + detections.
Meet Vega’s Data Explorer: The Smart Way to Find and Fix Security Blind Spots
Security teams live with an uncomfortable fact: gaps can stay hidden until an investigation exposes them. Modern distributed data architectures scatter telemetry across SIEMs, data lakes, cloud services, and object storage. While decentralized architectures have advantages, one tradeoff is often a loss of visibility.
Vega was built for this reality. Mapping visibility across every repository, Vega’s Data Explorer scores coverage across domains and reveals blind spots. Using a data mesh approach, Vega analyzes telemetry in place without migrations or re-ingestion. You get a continuous gap assessment highlighting any data quality or quantity gaps that emerge, along with prioritized and prescriptive fixes.
Finally, security teams can easily close gaps, strengthen detections, and harness fragmented telemetry. With AI-powered detections, federated search, and a threat intel hub, Vega gives you everything you need for full visibility without the high cost or tradeoffs.
Linux Foundation Launches Agentic AI Foundation with Anthropic, OpenAI, Block
The Linux Foundation launched the Agentic AI Foundation (AAIF) with founding members Anthropic, OpenAI, and Block contributing major open-source projects. Platinum members include AWS, Bloomberg, Cloudflare, Google and Microsoft.
Anthropic contributed MCP. OpenAI contributed AGENTS.md, a markdown-based convention adopted by 40,000+ open-source projects. Block provided Goose, an open local-first AI framework.
Will be interesting to see how the AAIF loops security into its initiatives. Hopefully the security teams at the forefront of AI security are looped in.
Kohler’s ‘End-to-End Encrypted’ Smart Toilet Camera Isn’t Actually E2EE
Kohler’s smart toilet camera Dekoda claims “end-to-end encryption” but security researchers identified the company is describing TLS encryption (HTTPS), not true E2EE. This means that Kohler can actually access customer data and may use “de-identified data” to train AI if users opt-in.
I’m not sure why anyone would need a poop camera, but I think this is a masterclass on corporate comms/marketing gone terribly wrong. In fact, there are many things wrong here lol. Shame on Kohler.
🔮 The Future of Security 🔮
Attackers are targeting your team where they work most: in the browser.
In 2024, human error caused nearly 95% of data breaches; even the best systems fail at the human interface. Enter Neon Cyber.
Neon Cyber delivers real-time protection directly within the browser, blocking phishing, credential theft, and shadow AI risks before they can spread. Faster, safer, and built for how the modern workforce functions.
AI Security
Lumia Security Raises $18M for AI Agent Governance Platform
Lumia Security closed an $18M seed round led by Team8 Capital, with New Era Capital participating. The 2024-founded startup was created by Omri Iluz (former PerimeterX CEO) and Bobi Gilburd (former CTO of Israel’s Unit 8200) to bring governance and control to enterprise AI agents.
The differentiator is that Lumia deploys at the network layer rather than requiring endpoint agents, monitoring AI-driven activity across systems. The platform’s “Protocol Analysis Engine” analyzes AI interactions across different modalities and protocols, assessing risk and enforcing policies dynamically. It provides visibility into agent actions, permissions and system access while supporting thousands of AI applications.
Worth noting: Admiral Michael Rogers (former NSA director and U.S. Cyber Command commander) joined the advisory board.
More AI security news ⬇️
Helmet Security Emerges From Stealth Mode With $9 Million in Funding
SandboxAQ Launches AI-SPM to Tackle Hidden AI Security Risks
Application Security
Prime Security Raises $20M Series A for Agentic Product Security
Prime Security closed a $20M Series A led by Scale Venture Partners. The 2023-founded startup’s Agentic Product Security Platform uses autonomous AI agents to embed security reviews into the design phase before code is written. Early customers include PayPal, Qualtrics, Bumble, ThoughtSpot and Redis.
Competing with Clover Security which recently raised $36m.
Identity and Access Management
Saviynt Closes $700M Series B at $3B Valuation
Saviynt raised $700M in a Series B led by KKR, reaching a $3B valuation. The identity and access management platform manages 100M+ identities for 600+ enterprises, including 20% of the Fortune 100.
The platform handles both traditional identity governance and machine identity challenges, with focus on securing AI agents. They’ve also recently added just-in-time security for privileged accounts.
Offensive Security
Equixly Raises $11M for AI-Powered API Pen Testing
Equixly raised €10M (~$11.6M) in Series A led by 33N Ventures, bringing total funding to $13.3M. The 2022-founded Florence, Italy startup built a pen testing platform using AI agents that act like hackers to surface API vulnerabilities across the development lifecycle. The platform maps an organization’s entire API ecosystem, embeds into CI/CD pipelines, and runs continuous attack simulations.
SaaS Security
Proofpoint Completes $1.8 Billion Acquisition of Hornetsecurity
Proofpoint closed its $1.8B acquisition of Hornetsecurity, the Germany-based M365 security provider. The deal was initially reported at around $1B when announced; the final number came in significantly higher.
Proofpoint gets early $200M ARR growing at 20% YoY, plus instant access to 12,000+ MSPs and 125,000 customers across Europe. Hornetsecurity’s flagship 365 Total Protection covers email security, backup, compliance, awareness training, and access controls in a single platform purpose-built for MSP multi-tenant management.
Proofpoint has historically focused on enterprise; this acquisition is a deliberate downmarket push into SMB via the MSP channel. Hornetsecurity will operate as a dedicated business unit with founder Daniel Hofmann staying on as EVP and GM.
Valuation math: $1.8B on ~$200M ARR = 9x revenue multiple, a healthy but not frothy price for a 20% growth asset with strong European channel presence.
Security Operations
7AI Raises $130 Million for Agentic Security Investigations
7AI closed a $130M Series A led by Index Ventures with Blackstone Innovations Investments, the largest cybersecurity Series A in history according to the company. Valuation hit $700M per the WSJ. Total raised now sits at $166M, just 10 months after emerging from stealth. They’ve got like 40+ AI agents for different security use cases. They’re deployed in many large enterprises and they’re founded by the Cybereason founders which explains investor confidence.
Will be fun watching 7AI continue to grow.
More SecOps news ⬇️
Social Engineering Security
Imper.ai Emerges From Stealth With $28 Million in Funding
Imper.ai raised $28M from Redpoint Ventures and Battery Ventures to tackle real-time impersonation detection across Zoom, Teams, Slack, WhatsApp, and Google Workspace.
Founded by Unit 8200 veterans, the company analyzes device telemetry, network diagnostics, and behavioral patterns to detect impersonation attempts.
Deloitte estimates AI-driven impersonation losses could hit $40B annually in the U.S. by 2027.
Competitive landscape: Reality Defender (multimodal detection, $33M Series A), GetReal Security (real-time protection for Teams/Webex/Zoom), Pindrop (audio deepfakes), and Clarity ($16M seed, video focus) are all chasing this market. Imper.ai’s differentiation is the metadata-first, agentless approach.
Venture Land
Holly Ventures Launches $33M Fund for Early-Stage Cyber
Holly Ventures launched a $33M debut fund, a solo-GP vehicle led by John Brennan (formerly Senior Partner at YL Ventures). The thesis: early-stage cyber founders don’t lack capital, they lack access to decision-makers and flexibility on cap tables.
LP roster reads like a cyber VC all-star team: Bessemer, Ballistic, CRV, Wing, IVP, TCV, Notable Capital, Team8, Ten Eleven, plus Okta Ventures and Vanderbilt University.
Holly invests exclusively at seed, participating alongside larger leads in $5-10M rounds. Of its first six investments, two have already advanced to Series A with leads including Index, Notable, Team8, Cyberstarts, Sequoia, General Catalyst, and Foundation Capital.
If I were raising a seed round in security, I’d be calling HV asap ¯\_(ツ)_/¯
Check Point Raises $1.75 Billion, Eyeing AI Expansion
Check Point raised $1.75B in convertible bonds, its first debt raise ever under new CEO Nadav Zafrir. Originally targeting $1.5B, strong demand pushed the total higher, with an option for an additional $250M.
$3B in cash reserves + zero-interest bonds maturing in 2030 give Check Point a war chest approaching $5B in total liquidity, with minimal cost beyond potential dilution if converted.
I assume Check Point will be going on an acquisition spree soon.
Interested in sponsoring TCP?
Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 125+ countries 🌎
Bye for now 👋🏽
That’s all for this week… ¡Nos vemos la próxima semana!
Disclaimer
The insights, opinions, and analyses shared in The Cybersecurity Pulse are my own and do not represent the views or positions of my employer or any affiliated organizations. This newsletter is for informational purposes only and should not be construed as financial, legal, security, or investment advice.
Solid roundup. React2Shell hitting Log4Shell-level velocity within 72hrs is wild, especially with near-deterministic exploits and Next.js exposing the attack surface by default. The cryptominer-to-Cobalt-Strike escalation path you detailed shows this isn't just opportunistic scanning but coordinated campaigns with real staying power. Gartner's blanket AI browser ban feels heavy-handed but prob justified given the vuln tracker list you linked.