TCP #114: AI in SecOps 2026+; CTI Forecast; and Venezuela Blames US for Cyberattack
What's hot in security🌶️ | Dec. 11th - Dec. 17th, 2025
Welcome to The Cybersecurity Pulse (TCP)! I'm Darwin Salazar, Head of Growth at Monad and former detection engineer in big tech. Each week, I bring you the latest security innovation and industry news. Subscribe to receive weekly updates! 📧
I Can’t Believe It’s Not SIEM™
Never worry about normalization or learning another query language again. Now you can unify search, detection, and triage across all your data and tools with Vega’s Security Analytics Mesh (SAM), the AI-native layer for SecOps teams.
Analyze data where it already lives, cut ingestion costs, and unlock real-time visibility with zero disruption. Vega uncovers blind spots, creates precise detections, and auto-fixes rules to give you self-improving SecOps coverage that is truly vendor-agnostic. No SIEM required.
Want to sponsor the TCP newsletter? Learn more here.
Howdy! Hope you’re having a great week wherever you’re reading from.
I wrote up a piece on my takeaways from the CyberMarketingCon. Of course I’m biased, but I’d say it’s worth a read if you’re doing any sort of GTM in security:
Aside from that, even though the year is winding down, it was a very busy week in cyber across all fronts (geopol, breaches, funding, launches).
Let’s get to it.
TL;DR 📰
🎙️ How AI Is Changing SecOps w/ David Seidman — Plaid security lead (ex-Google, MSFT) on what’s actually working: alert triage is real, detection rules are coming; the work to the left of the alert is the bottleneck
🎯 MITRE posts 2025 ATT&CK Evals with notable absences — First cloud testing; Microsoft, Palo Alto, SentinelOne sat out citing resources
🇷🇺 AWS: GRU shifting from N-days to misconfigured edge devices — Sandworm campaign targeting Western critical infrastructure via exposed routers, VPNs
🔮 Recorded Future: What’s Next for Enterprise TI in 2026 — Vendor consolidation, 25% embedding TI into IAM/fraud/GRC, 36% fusing external feeds with internal data
🌐 Cloudflare 2025 Year in Review — Post-quantum traffic hits 52%, peak DDoS 31.4 Tbps record, AI bots now ~9% of HTML requests
🏢 ServiceNow in advanced talks to acquire Armis for $7B — Asset visibility/VM play follows $1B+ Veza and $2.85B Moveworks
🤖 Cisco ships first product on its own security AI model — Identity Intelligence runs on 8B-parameter Foundation-sec model; 2,000+ customers
🛢️ Venezuela’s PDVSA hit by cyberattack — Blames US without evidence; sources say all systems down despite “contained” narrative
💰 Lightspeed raises record $9B across six funds — Security wins include Wiz ($32B exit), Rubrik, Netskope IPOs
🎭 Adaptive Security raises $81M Series B — NVIDIA, OpenAI Startup Fund back deepfake defense; 500+ customers in first year, deepfake attacks up 17x in 2024
🚀 Harness raises $240M at $5.5B valuation — Tackling “after-code” bottleneck as AI floods teams with more code than they can ship safely
📦 Echo raises $35M for CVE-free container images — Secure container images; Argon founders (sold to Aqua ~$100M)
🎯 Dux launches with $9M seed — Agentic exposure management from three Talpiot founders
⚒️ Picks of the Week ⚒️
How AI Is Changing SecOps w/ David Seidman - (Not the Marketing Version)
There has been billions in funding poured into AI for SecOps over the past few years. Vendors initially made wild claims like “fully autonomous SOC” and acted like hallucinations were a thing of the past. Security leaders and operators brought them back down to reality.
So where do we stand today compared to the ‘early days’ of AI SOC? Are we still in the ‘early days’ of the adoption curve? This podcast ep. with David Seidman, Head of Platform Security at Plaid (ex-Robinhood, Google, MSFT), Chang Xu and Ashish Popli (DefenderMate) provides a great perspective on where we’re at and what’s on the horizon for 2026.
Yes, alert triage automation is real and working. David highlights that AI rarely makes outright errors, but it lacks context, so conclusions tend to be tentative rather than definitive. The bottleneck has now become the engineering work to deploy and configure it properly. Activities that happen to the left of an alert.
He also highlights that AI-generated detection rules are coming. Not quite production-ready, but close. The vision is thousands of auto-generated rules covering attack variants humans would never write manually. Combine that with AI triage, and you’re looking at a fundamentally different SOC model.
David’s been a security leader for some of the most forward-thinking teams. He’s not trying to sell anything and seems genuinely like a nice, smart guy. Insights from folks like him are more grounded than those from vendors, investors, etc. I highly recommend watching this ep. if you play any part within the SecOps ecosystem.
Link here.
What’s Next for Enterprise Threat Intelligence in 2026
Recorded Future outlines what enterprises should expect from threat intelligence programs next year.
Key trends for 2026:
Vendor consolidation: Enterprises moving from fragmented feeds to unified platforms seeking a “single source of truth.” Fewer tools, less complexity.
Deeper workflow integration: 25% of enterprises plan to embed TI into adjacent workflows (IAM, fraud, GRC) beyond traditional SOC use cases.
Automation and AI augmentation: Machine-speed correlation and enrichment, with analysts focused on high-level judgment rather than manual data gathering.
Internal + external data fusion: 36% plan to combine external threat feeds with internal environment data for contextual risk posture, including peer benchmarking.
Cloudflare report shows how AI bots, encryption, and growing attacks shaped the internet in 2025
Cloudflare’s sixth annual Radar report shows encrypted post-quantum traffic jumped from 29% to 52% over the year. Other highlights: global traffic up 19% YoY, 6.2% of all traffic mitigated as malicious, peak DDoS attack hit 31.4 Tbps (new record), Starlink traffic more than doubled, 5.6% of emails flagged malicious.
The AI crawler numbers confirm what site operators suspect: Googlebot (search + AI training) generated 4.5% of HTML requests to Cloudflare-protected sites. All other AI bots combined averaged 4.2%. GPTBot and ClaudeBot are among the most frequently blocked via robots.txt. The crawl-to-referral ratio is increasingly lopsided: platforms harvest content while sending proportionally less traffic back.
MITRE Posts Results of 2025 ATT&CK Enterprise Evaluations
When three major EDR players skip the industry benchmark, it’s worth asking why. MITRE released its seventh ATT&CK Enterprise Evaluation, emulating Scattered Spider (financially motivated, cloud-targeting) and Mustang Panda (Chinese state-sponsored espionage). It featured the first-ever cloud adversary emulation on AWS infrastructure, the first Reconnaissance tactic testing, and greater emphasis on protection alongside detection.
Participants (11): Acronis, AhnLab, CrowdStrike, Cyberani, Cybereason, Cynet, ESET, Sophos, Trend Micro, WatchGuard, WithSecure. Several claim 100% detection rates.
Who sat out: Microsoft, Palo Alto Networks, and SentinelOne, all citing “resource-intensive commitment.”
Dig Deeper: MITRE Evals
ServiceNow reportedly in advanced talks to buy Armis for up to $7 billion
ServiceNow is reportedly in advanced talks to acquire asset visibility and security company Armis for up to $7 billion, per Bloomberg. No deal has been announced yet, but sources indicated it could come “in the coming days.”
The context: This follows ServiceNow’s agreement to acquire identity security firm Veza for reportedly over $1 billion and its $2.85 billion Moveworks acquisition earlier this year. ServiceNow is building out a security portfolio alongside its workflow automation core.
Armis by the numbers:
Founded 2015, focused on agentless asset discovery across IT, OT, IoT, and IoMT
$300 million ARR as of August 2025 (up from $200M in 2024)
$1.17 billion raised across seven rounds
Last valued at $6.1 billion after a $435 million pre-IPO round led by Goldman Sachs in November 2025
The valuation math: $7B on a $6.1B last-round valuation represents a ~15% premium. Armis CEO Yevgeny Dibrov had been targeting an IPO for late 2026/early 2027 just weeks ago.
ServiceNow is making a serious platform play in security. Armis gives them asset visibility across the hybrid IT/OT estate, Veza handles identity, Moveworks adds AI. The combined thesis: security visibility + identity + workflow automation + AI governance in one platform.
Venezuelan Oil Company Downplays Alleged US Cyberattack
PDVSA, Venezuela’s state oil company, acknowledged a cyberattack this week, blamed the US without evidence, and claimed damage was limited to “administrative systems.” Reuters and Bloomberg sources tell a different story: all systems down, cargo delivery impacted, export loading suspended, employees told to disconnect everything.
The disruption may have been self-inflicted: sources indicate chaos stemmed from antivirus remediation after a ransomware attack, not the attack itself. Timing notable given US forces seized a sanctioned Venezuelan oil tanker days prior.
Amazon Threat Intelligence reports a years-long GRU/Sandworm campaign against Western critical infrastructure has shifted tactics: from vulnerability exploitation (WatchGuard, Confluence, Veeam CVEs 2021-2024) to compromising misconfigured network edge devices in 2025.
The playbook: compromise exposed routers, VPN concentrators, or management appliances; deploy packet capture; harvest credentials from intercepted traffic; replay them against the victim’s online services. Targets span energy, critical infrastructure, telecoms, and tech/cloud across North America, Europe, and the Middle East. Exposed management interfaces give the actor strategic access without burning exploit capabilities.
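Two defensive checks follow directly from that playbook: inventory the management interfaces reachable from untrusted networks, and watch for the credential-replay step, where an account that just authenticated from the organization’s own egress space succeeds again shortly afterwards from an unrelated address. The example below is added here and is not code from AWS or the report; the device inventory, trusted egress ranges, and auth log lines are constructed sample data, and the field layout (timestamp, user, source IP, result, service) is an assumption rather than any vendor’s log format.

```python
"""Defender-side checks for the edge-device / credential-replay pattern.

Added example with constructed data; the inventory schema, log format and
address ranges below are assumptions, not taken from any real environment.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed: the organization's own egress ranges (RFC 5737 documentation space).
TRUSTED_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Services that should never be reachable on a WAN-facing interface.
MGMT_SERVICES = {"ssh", "https-admin", "snmp", "telnet", "http-admin"}

# Constructed device inventory: one dict per listening service.
SAMPLE_INVENTORY = [
    {"device": "edge-rtr-1", "service": "https-admin", "zone": "wan", "port": 443},
    {"device": "edge-rtr-1", "service": "https-admin", "zone": "mgmt", "port": 443},
    {"device": "vpn-conc-2", "service": "ssh", "zone": "wan", "port": 22},
    {"device": "vpn-conc-2", "service": "ipsec", "zone": "wan", "port": 500},
    {"device": "core-sw-3", "service": "snmp", "zone": "mgmt", "port": 161},
]

# Constructed auth log: "<ISO timestamp> <user> <src_ip> <result> <service>".
SAMPLE_LOGS = """\
2025-12-12T08:01:10Z alice 203.0.113.10 success vpn
2025-12-12T08:03:44Z alice 192.0.2.77 success webmail
2025-12-12T09:15:00Z bob 203.0.113.22 success vpn
2025-12-12T13:20:05Z bob 203.0.113.22 success webmail
2025-12-12T10:00:00Z carol 192.0.2.90 failure vpn
2025-12-12T10:00:30Z carol 192.0.2.90 success vpn
"""


def exposed_management_interfaces(inventory):
    """Return (device, service, port) for management services bound on a WAN zone."""
    return [
        (row["device"], row["service"], row["port"])
        for row in inventory
        if row["zone"] == "wan" and row["service"] in MGMT_SERVICES
    ]


def is_trusted(ip):
    """True if the address falls inside the organization's known egress ranges."""
    if isinstance(ip, str):
        ip = ip_address(ip)
    return any(ip in net for net in TRUSTED_RANGES)


def parse_log(text):
    """Parse the constructed whitespace-separated auth log into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result, service = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip_address(ip),
            "result": result,
            "service": service,
        })
    return events


def find_replay_candidates(events, window=timedelta(hours=1)):
    """Flag a trusted-source success followed, within `window`, by a success for the
    same account from an untrusted address. Returns (user, trusted_ip, other_ip, service).
    Only successful logins are considered; failures alone do not indicate replay."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "success":
            by_user.setdefault(e["user"], []).append(e)

    findings = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            if not is_trusted(first["ip"]):
                continue
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # events are time-ordered, nothing later can match
                if later["ip"] != first["ip"] and not is_trusted(later["ip"]):
                    findings.append((user, str(first["ip"]), str(later["ip"]), later["service"]))
    return findings


if __name__ == "__main__":
    for hit in exposed_management_interfaces(SAMPLE_INVENTORY):
        print("exposed management service:", hit)
    for hit in find_replay_candidates(parse_log(SAMPLE_LOGS)):
        print("possible credential replay:", hit)
```

In the sample data only `alice` trips the replay check: a VPN login from the trusted range is followed two minutes later by a webmail login from 192.0.2.77. `bob` logs in twice from the same trusted address and `carol` never has a trusted-source baseline, so neither is flagged. The inventory check lists the WAN-facing admin UI and SSH service while ignoring IPsec, which legitimately belongs on the outside interface. Both checks are intentionally conservative starting points; real deployments would replace the static trusted ranges with the organization’s actual egress inventory and add the rest of the enrichment (ASN, geo, device posture) that a proper triage pipeline carries.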
Dig Deeper: AWS Security Blog
🔮 The Future of Security 🔮
AI Security
Cisco Ships First Product Powered by Its Own Security AI Model
Cisco Identity Intelligence is now the first Cisco product running entirely on the company’s homegrown AI model, Foundation-sec-1.1-8B-Instruct. The model powers the weekly identity digest that summarizes suspicious login behavior, unusual geographic activity, MFA fatigue attempts, and session hijacking indicators for 2,000+ customers.
What’s under the hood: An 8-billion-parameter model built on Meta’s Llama 3.1 backbone, tuned specifically for cybersecurity. Cisco optimized it for three use cases: SOC acceleration (triage, summarization, case notes), proactive threat defense (TTP mapping, attacker behavior modeling), and engineering enablement (config validation, compliance evidence). Model is hosted on Amazon SageMaker.
The model itself isn’t revolutionary; it’s a fine-tuned Llama. What’s notable is a major vendor shipping production AI features on its own infrastructure rather than wrapping OpenAI/Anthropic APIs. That gives Cisco more control over security-specific tuning and avoids external dependencies. Whether the output quality justifies the investment over commercial models remains to be seen.
More AI security news ⬇️
Application Security
Harness Raises $240M; Reaches $5 Billion Valuation to Tackle ‘Post-Code’ Challenges
Harness raised $240M Series E led by Goldman Sachs at a $5.5B valuation (up 49% from $3.7B in April 2022). On track to exceed $250M ARR in 2025 with 1,000+ enterprise customers including United Airlines, Morningstar, National Australia Bank.
Echo Raises $35 Million in Series A Funding
Echo raised $35M Series A led by N47, with SentinelOne’s S Ventures, Notable Capital, and Hyperwise Ventures. Total raised: $50M in 10 months. Chainguard + Root.io competitor.
Identity and Access Management
Cyderes acquires Lucidum to strengthen identity-aware security data foundation
Cyderes acquired Lucidum (undisclosed price), a security data fabric company that raised $19M from Point72 Ventures, GGV Capital, and SVCI since its 2020 founding.
Lucidum ingests data from hundreds of sources and normalizes it into a unified graph of assets, identities, relationships, and configurations. It uses ML and entity resolution to surface unknown or unmanaged assets. Cyderes is positioning it as the entity fabric across its MDR, IAM, and exposure management portfolio.
More IAM news ⬇️
Security Awareness
Adaptive Security Raises $81M Series B for AI-Powered Social Engineering Defense
Adaptive Security closed $81M Series B led by NVIDIA and Bain Capital Ventures, with Capital One Ventures, Citi Ventures, and existing backers participating.
Less than one year after launch: 500+ enterprise customers including PayPal, Bose, NHL, Xerox, Figma, Ramp, Vimeo, Perplexity. Deepfake-enabled attacks increased 17x in 2024 with over 100,000 incidents in the U.S. alone. Eighteen months ago, 1 in 10 CISOs had encountered a sophisticated deepfake attack. Today, more than half.
What they do: OSINT-based exposure analysis, realistic phishing simulations across email/SMS/voice (including personalized deepfakes), dynamic risk scoring, targeted training. 39+ languages.
Venture Land
Lightspeed raises record $9B in fresh capital
Lightspeed Venture Partners closed $9 billion across six funds, the largest raise in the firm’s 25-year history. Includes a $3.3B opportunity fund for follow-on investments. Meanwhile, 2025 is on pace for the fewest VC fund closings in a decade.
Security track record: Co-led Wiz’s $1B Series E (acquired by Google for $32B in March 2025). Early investor in Rubrik and Netskope, both IPO’d in 2024-2025 as rare cybersecurity exits. Also backs Cato Networks. Largest institutional investor in all three at public debut.
For security startups eyeing growth rounds, Lightspeed’s Wiz, Rubrik, and Netskope wins signal they know the path from growth-stage to exit.
Vulnerability Management
Dux launches with $9M seed round to tackle AI-driven cyber exposure
Dux emerged from stealth with $9M seed led by Redpoint Ventures, TLV Partners, and Maple Capital. Angels include execs from CrowdStrike, Okta, and Armis. Three IDF Talpiot founders.
Interested in sponsoring TCP?
Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 125+ countries 🌎
Bye for now 👋🏽
That’s all for this week… ¡Nos vemos la próxima semana!
Disclaimer
The insights, opinions, and analyses shared in The Cybersecurity Pulse are my own and do not represent the views or positions of my employer or any affiliated organizations. This newsletter is for informational purposes only and should not be construed as financial, legal, security, or investment advice.
This is an excellent roundup! Clearly curated, actionable, and shows where AI is truly changing SecOps. The mix of enterprise insights, startup moves, and geopolitical context makes it a must-read for anyone in security.
I talk about the latest AI trends and insights. If you’re interested in practical AI strategies for cybersecurity and SecOps, check out my Substack. I’m sure you’ll find it very relevant and relatable.