TCP #83: CVE whiplash; 4chan breached; and road to RSAC
🌶️ What's hot in security | Apr. 10th - Apr. 16th, 2025
Welcome to The Cybersecurity Pulse (TCP)! I'm Darwin Salazar, Head of Growth + Marketing at Monad and former detection engineer in big tech. Each week, I dig through all the major headlines to bring you the latest security product innovation and industry news.
👋🏼 Howdy! Crazy past 24 hours in security land with the CVE kerfuffles going on. Gladly it seems like we’ve found a resolution which we’ll cover a bit further down.
That said, t-minus 8 days before the BSidesSF x RSAC marathon kicks off. DM me if you’d like to catch up!
Security Teams Need Outcomes, Not More Alerts
While other solutions drown you in findings, Varonis delivers actionable and automated outcomes that practitioners can trust. Our platform continuously discovers critical risks, applies intelligent prevention, and provides proactive detection across your entire environment—multi-cloud, on-premise, SaaS, and third-party applications.
See for yourself with our free data risk assessment. In less than 24 hours, we'll provide you with a clear, risk-based view of your data and a clear path to automated remediation.
This week’s highlights below:
🎙️ Greg Martin interviews HD Moore, founder of Metasploit Project #DialedIn
🤖CrowdStrike researchers use multi-agent approach to secure AI-generated code
🫱🏻🫲🏽 CyberArk expands partnership w/ Accenture; Oasis doubles down on channel efforts (I’ll be covering channel/sales more moving forward 🤠)
💰 Loads more product and fundraising news heading into RSAC, as you might expect
Let’s cyber 🕺🏽
Is Your SOC Ready for AI?
AI is a force multiplier for the SOC, triaging and investigating alerts to significantly improve efficiency and effectiveness. That’s why Intezer created this framework to assess your SOC's maturity and readiness for AI implementation.
These 12 key questions were created by security expert and Intezer CEO Itai Tevet, based on how he guides security leaders through technology and operational readiness for AI adoption with impactful outcomes. Learn more and take the quiz to find out if your SOC is ready to leverage AI.
⚒️ Picks of the Week ⚒️
If you're suffering from whiplash regarding all the recent developments around the MITRE CVE (Common Vulnerabilities and Exposures) program, you're not alone. I'll try to capture it in a few bullet points:
Yesterday PM, a letter addressed to CVE board members leaked mentioning that the current government funding for the program (and others incl. CWE) would expire today.
Given the importance of these programs, the security community was pissed off… rightly so. The CVE program has powered almost all vulnerability disclosure and scoring initiatives for the past several decades. There would be a huge gap to fill without the CVE program.
This AM, the CVE Foundation, made up of current CVE board members, was formed to secure the future of the CVE program.
As I'm writing this, U.S. CISA confirms that they've extended funding for the CVE program.
I don't care what side of the aisle you're on, it's bullshit that our government has been targeting critical national security services and individuals. This comes on the heels of China admitting that they are actively directing cyberattacks on US infrastructure and Microsoft reporting a record high number of vulnerabilities in 2024. Now is simply not the time to be messing around or 'FAFO'ing.
From Air Force to Exploits: HD Moore on Metasploit, runZero, and Building Like a Hacker
In episode 3 of Dialed In, Greg Martin interviews HD Moore, creator of the Metasploit Project. The ep. takes us from HD's childhood, writing exploits for the USAF at 15yo, all the way up to today, where he's founded runZero, a leader in the exposure management space.
Ghost Security and runZero are both Tier 1 startups leading the charge globally and here in Austin, TX (and they're hiring!!)
4chan, the 'internet’s litter box,' appears to have been pillaged by rival forum
4chan, one of the internet's favorite corners and meme sites, may have been hacked by rival forum 'soyjak.party', aka 'sharty'.
More details about the breach here.
OpenAI ships GPT-4.1 without a safety report
The latest OpenAI model, GPT-4.1, was launched without a system card, which typically details the safety/security testing the model underwent and its results. OpenAI claims that it's because 4.1 is not a frontier model, but safety researchers aren't happy with that. According to the TechCrunch article, safety reporting standards are slowly reverting and this is another concerning notch in that trend.
While this sucks, I'm not surprised. The AI race is on overdrive and OpenAI is playing defense given all the new serious contenders that have emerged recently (i.e., Grok, DeepSeek).
So much of a company's success and reputation stems from branding. That's why I love me a great, thoughtful rebrand. It helps tremendously in shaping+communicating the company's identity and, in turn, helps shape outsiders' perception of the company. It's also a great hint at what's to come from the company and whether they're doubling down or pivoting.
In this case, we have two companies that are doubling down. Recorded Future (RF) introduced their new brand here with a heavy dose of blue, red, + black and white overlays. This comes on the heels of Mastercard's acquisition of RF in Q4 of '24.
Intezer modernized their entire website and graphic design look and feel to something more playful, colorful and animation-based. They updated many things including their font choice and they leaned into their logo more which, to me, is a great take on the SOC being made up of many building blocks. Here's the before and the after 🔥
🔮 The Future of Security 🔮
AI Security
Virtue AI Raises $30M Series A to Address Critical AI Deployment Risks
Seems like each week we have a new startup popping up to tackle AI security. Most share similar approaches. Virtue AI is one that's tackling the space with a novel approach.
They have dedicated models with built-in security+privacy guardrails including:
VirtueGuard-Text, a customizable guardrail model focused on long-context text applications;
VirtueGuard-Image, a guardrail model developed for image-based AI applications;
VirtueGuard-Video, a real-time guardrail model for video applications; and
VirtueAgent, customizable AI agents designed with safety and security guarantees.
They also have VirtueRed which is their AI risk assessment solution with broad red teaming coverage.
Notable: Virtue AI is used by Uber, Glean, and Microsoft. Intel’s new CEO is an investor in the company.
Their Series A funding round was led by Lightspeed Venture Partners and Walden Catalyst Ventures.
More AI Security news ⬇️
Cato Networks introduces controls to manage shadow AI use in enterprises
Operant AI introduces AI Gatekeeper for runtime protection across hybrid cloud environments
Pillar Security raises $9M to address growing AI-specific security risks
Application Security
CrowdStrike Research: Securing AI-Generated Code with Multiple Self-Learning AI Agents
The data science team at CrowdStrike has introduced a proof-of-concept approach to securing code generated by AI agents. This multi-agent system uses self-learning AI agents, each fulfilling one of the following roles:
Vulnerability Scanning Agent: Identifies code vulns and determines the best SAST scanning methods for each application.
Red Teaming Agent: Develops exploitation scripts using internal knowledge and historical exploitation data, learning from previous iterations to associate specific vulnerabilities with effective exploitation code.
Patching Agent: Generates security unit tests and patches based on inputs from the Vulnerability Scanning Agent, feedback from unit tests, and results from the Red Teaming Agent.
Layered defense-in-depth on steroids. Love to see these types of approaches emerging and can't wait to see it applied across the different security domains.
More AppSec news ⬇️
c/side Launches Partner Program to Tackle Web Script Threats
NetRise Raises $10 Million to Grow Software Supply Chain Security Platform
Identity Security
CyberArk and Accenture Expand Partnership to Secure Enterprise AI Agents
CyberArk has expanded their partnership with Accenture, the largest managed service provider in the world per CRN. The two will focus on securing AI agent identities for clients using a zero-trust based approach.
More Identity Security news ⬇️
Oasis Expands Channel Efforts, Plans for MSSP and MSP Program
Unosecur raises $5M in seed funding for AI-driven identity security
Security Operations
Qevlar AI raises $14M for AI SOC platform
Paris-based startup Qevlar AI announced a $14 million funding round for its agentic AI SOC platform.
More SecOps news ⬇️
Vulnerability Management
Seemplicity Adds AI Tools to Streamline Vulnerability Remediation
Seemplicity has launched the following two features to help streamline vuln remediation:
Find the Fixer: Uses ML to analyze data and org context to assign the vuln remediation tickets to the appropriate responsible party.
Automatic Scoping: Improves asset categorization and tagging by interpreting inconsistent tags and grouping assets based on business units and environments to streamline vuln management.
This is the first time Seemplicity has come on my radar and I like their first-principles-based approach to vuln management 👍🏼
More Vulnerability Management news ⬇️
PlexTrac for CTEM helps security teams centralize security data
Transforming security with Microsoft Security Exposure Management initiatives
Interested in sponsoring TCP?
Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of ~6,000 CISOs, practitioners, founders, and investors across 100+ countries 🌎
Bye for now 👋🏽
That’s all for this week… ¡Nos vemos la próxima semana!
Disclaimer
The insights, opinions, and analyses shared in The Cybersecurity Pulse are my own and do not represent the views or positions of my employer or any affiliated organizations. This newsletter is for informational purposes only and should not be construed as financial, legal, security, or investment advice.