TCP #93: EU AI Act in Peril; SecOps HypeCycle; fwd:cloudsec talks; and Product News
What's hot in security🌶️ | June 26th - July 8th, 2025
Welcome to The Cybersecurity Pulse (TCP)! I'm Darwin Salazar, GTM lead at Monad and former detection engineer in big tech. Each week, I bring you the latest security product innovation and industry news. Subscribe below for weekly updates!
Are Your Cloud Configurations Leaving Doors Open?
Misconfigured storage. Open ports. Overly permissive IAM roles. In the cloud, small mistakes create big risks. Under the shared responsibility model, it’s your job to spot them - before attackers do.
Intruder gives you clear, real-time visibility across AWS, Azure, and GCP. No noise. Just a focused view of the misconfigurations and vulnerabilities that matter. Get the coverage you need, with clear guidance and predictable price.
What’s up everyone! 👋🏽 If you’re in the US, I hope you had a great 4th! I’m just getting back from a week+ of vacation in DR and am feeling recharged 🔋. I’ve added a small recap of the trip at the end of the newsletter if you’d like to see what I’ve been up to 🌴
In any case, we have two weeks of security news to catch up on so let’s get to it!
Tl;dr
🤝 Navigating M&A: What every security leader needs to know - 1Password webinar on July 17th w/ Wendy Nather, Dave Lewis, and Kane Narraway (Canva)
🇪🇺 Europe's biggest companies call for 2-year pause on EU's AI Act
Let’s cyber 🕺🏽
⚒️ Picks of the Week ⚒️
fwd:cloudSec NA 2025 talks + summaries are live
Fwd:cloudsec is hands-down the premier cloud security conference and my favorite when I was a practitioner. Though not much of a presenter myself, I even presented at it once. In any case, all talks from this year's con are live on YouTube and Christophe Limpalair was nice enough to summarize all talks for us here.
Lots of gold in here for security leaders + CloudSec teams. Kudos to the fwd:cloudsec team for putting on such an intimate and unique conference experience every year! Their EU con is coming up in mid-Sept in Berlin!
Navigating M&A: What every security leader needs to know
M&A is exciting. New products, new colleagues, new possibilities. Security is often overlooked yet can drive down valuations and make or break the success of a deal. Acquirers often inherit fragmented systems, different security cultures, and a massive backlog of vulnerabilities. These issues introduce real security risks.
On July 17th, security leaders Dave Lewis, Wendy Nather, and Kane Narraway draw on the collective experience of 30+ M&As to examine the security implications of M&A and outline strategies for mitigating risk.
Join the 1Password webinar for practical advice on:
What to evaluate during due diligence, and how to prioritize risks.
How to approach access control across fragmented systems.
How to respond to growing risks like social engineering and insider threats.
How compliance adherence becomes more complex—and the first steps you should take.
🥇 Chainguard Containers: 98% fewer CVEs compared to OSS alternatives🥇
The status quo in open-source software (OSS) delivery has led to high profile security breaches, compliance failures, and constantly growing CVE backlogs. Security teams need more visibility into the OSS used by dev teams.
Enter Chainguard: Minimal, hardened containers rebuilt daily, so your teams can ship quickly and confidently.
Europe’s biggest companies call for two-year pause on EU’s landmark AI Act
Europe is at it again with another stringent, anti-innovation regulation. The EU AI Act was introduced in 2021 and intends to regulate the development of AI to ensure that systems are safe, secure, and respect fundamental human rights. It entered into enforcement in Aug. 2024 with phased implementation expected between 2025 and 2027. Like most EU tech laws/policies, it's stringent and carries heavy fines for non-compliance. It also applies to any company providing or deploying AI in the EU market, so most companies fall within scope.
Well now, 44 CEOs are pushing for a 2-year pause on the act. Companies like Airbus, Mercedes Benz, ASML, Mistral AI and others highlight how this would lead to the EU falling behind in the AI race, and limit investments.
In my opinion, the EU already lags behind in innovation in key sectors including cybersecurity, defense, and tech. This regulation would nearly ensure they fall behind in AI as well + would create high barriers for startups looking to enter EU markets. No bueno.
Azure Machine Learning Escalation: When Pipelines Go Off the Rails
Orca found a privilege escalation vuln in Azure Machine Learning (AML) service where anyone with Storage Account write access could hijack ML pipeline executions.
Attack breakdown: AML stores invoker scripts in blob storage that execute during pipeline runs. Modify these scripts = execute arbitrary code with the compute instance's permissions. If the instance uses system-assigned identity with SSO enabled (default), you inherit the permissions of whoever created the compute instance - potentially "Owner" on the entire subscription.
Microsoft's response was basically "working as intended" - they treat Storage Account access = AML compute access. However, they did update the AML service to now use code snapshots for scheduled jobs instead of reading directly from storage at runtime.
For additional AML security, Orca recommends restricting Write access to the AML Storage Account, disabling SSO on AML instances, and a few other tips listed in the write-up.
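One way to audit the first of those recommendations, as an added example (not code from Orca's write-up or from Microsoft): it assumes role assignments exported in the JSON shape of `az role assignment list --all`, and every subscription ID, resource name and principal below is a constructed placeholder.

```python
# Built-in Azure roles that permit blob writes: data-plane roles directly,
# control-plane roles by listing the account keys. Custom roles are not
# evaluated here (assumption: only built-in role names appear).
WRITE_ROLES = {
    "Owner", "Contributor", "Storage Account Contributor",
    "Storage Blob Data Contributor", "Storage Blob Data Owner",
}

def scope_applies(scope: str, resource_id: str) -> bool:
    """True if an assignment at `scope` reaches `resource_id`: same scope, an
    ancestor (subscription, resource group), or a child such as one container.
    Management-group scopes need a separate lookup and are not matched."""
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    # Compare on path-segment boundaries so "rg-ml" does not match "rg-ml-prod".
    return s == r or r.startswith(s + "/") or s.startswith(r + "/")

def storage_writers(assignments, storage_id):
    """Return (principal, role, scope) for every assignment that can write."""
    return [
        (a["principalName"], a["roleDefinitionName"], a["scope"])
        for a in assignments
        if a["roleDefinitionName"] in WRITE_ROLES
        and scope_applies(a["scope"], storage_id)
    ]

# Constructed sample data: placeholder subscription, names and resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
STORAGE_ID = (SUB + "/resourceGroups/rg-ml-prod/providers/"
              "Microsoft.Storage/storageAccounts/amlworkspacestore")
SAMPLE = [
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner",
     "scope": SUB},
    {"principalName": "bob@example.com", "scope": STORAGE_ID,
     "roleDefinitionName": "Storage Blob Data Contributor"},
    {"principalName": "carol@example.com", "scope": STORAGE_ID,
     "roleDefinitionName": "Storage Blob Data Reader"},
    {"principalName": "dave@example.com", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-ml"},
    {"principalName": "ci-pipeline", "roleDefinitionName": "Storage Blob Data Owner",
     "scope": STORAGE_ID + "/blobServices/default/containers/azureml"},
]

if __name__ == "__main__":
    for principal, role, scope in storage_writers(SAMPLE, STORAGE_ID):
        print(f"{principal}: {role} at {scope}")
```

Every principal it reports should be treated as having the same reach as the AML compute instance, since that is how Microsoft says it models Storage Account access.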
Kudos to Orca for the finding + making Azure a more secure cloud.
Cloudflare Puts a Default Block on AI Web Scraping
A few months ago, Imperva reported on how bot traffic now makes up over half of ALL internet traffic (51%) with 'bad' bots making up 37% of that. Not only have AI web scraping and training led to copyright legal showdowns, but they also drive infrastructure costs astronomically high if not kept in check. This is why Cloudflare put a default block on AI web scrapers.
Starting this month, they're implementing this change for all new domains hosted on Cloudflare (affecting ~20% of the internet 🤯). The key here is that they've updated this setting from opt-in to opt-out (cough cough secure defaults FTW).
They also launched "Pay Per Crawl," letting publishers charge AI companies per page scraped.
Cloudflare's using their bot detection tech (from fighting DDoS attacks) to identify and block sneaky AI crawlers that try to evade robots.txt. This could force AI companies into actual licensing deals rather than their current predatory scraping + training methods. I think this is a net positive for publishers and a negative for foundational model co's who will now have to invest in partnerships with the likes of PubMed, Bloomberg (paywalled) content etc.
All that aside, it's been fun watching Cloudflare cook in the AI era.
📚New Book: GRC Engineering for AWS📚
My good friend, AJ Yawn, just released a book and it's an absolute masterclass on GRC engineering. It's also a #1 best seller on Amazon. If you're in GRC, looking to get in, or simply learn more, this is the go-to. It has labs, tons of code snippets + practical examples, and approaches GRC from a lens rooted in over a decade of GRC experience. I would not expect anything less from AJ! 🔨
Mexican drug cartel hacker spied on FBI official’s phone to track and kill informants, report says
This is a wild one and probably deserves a deep dive on Darknet Diaries pod.
Tl;dr: The Sinaloa Cartel (El Chapo) employs blackhats and has serious TechOps. US DOJ just released a report that covers how a blackhat tapped an FBI assistant's phone (calls + geolocation) and Mexico City's camera system to track their movements + the people they met with. They used this intel "to intimidate and, in some instances, kill potential sources or cooperating witnesses."
Pretty wild stuff.
Great reporting by Lorenzo Franceschi-Bicchierai.
Transparently, I haven't had the time to dig into all 94 pages of the report and I've never placed too much weight on a 'hype cycle'. It reminds me too much of financial charts, especially the "Anatomy of a Bubble" chart. In security, it's all about the basics and meeting the org's unique security requirements which means you'll need tools that are at the "Trough of Disillusionment" or at the right of it… And there's absolutely nothing wrong with that.
Imagine if a security team said, "I'm not gonna do Digital Forensics and Incident Response because Gartner found it to be at the Trough of Disillusionment" lol.
Imo, this is more for VCs and investors looking at where the puck is going and where to invest. In any case, Prophet was nice enough to provide access to a complimentary (gated) version of the full report here.
OX Security Top AppSec Influencers to Follow in 2025🎉
OX recently put out a list of top AppSec voices to follow and it’s star-studded w/ great folks. We made it on the list due to our weekly coverage of the AppSec space and I found that pretty cool.
Huge kudos to the OX team for sponsoring TCP and the great work they do for AppSec teams!
🔮 The Future of Security 🔮
AI Security
Dope.Security adds capabilities to secure ChatGPT use
Dope.Security is an endpoint-based secure web gateway (SWG) and they've recently added capabilities for security teams to have fine-grained control over ChatGPT use in their org. The offering has block, warn, and tenant restriction capabilities that can block personal ChatGPT use entirely, govern sensitive data uploads, and direct users to approved ChatGPT workspaces.
Kudos to the Dope.Security team on this!
More AI Security news ⬇️
Clearspeed raises $60M to expand voice-based risk assessment platform
Bonfy.AI Raises $9.5 Million for Adaptive Content Security Platform
Application Security
Legit Security Launches MCP Server
Legit recently launched an MCP server which integrates with IDEs and assistants like Cursor, Windsurf, Copilot etc. This is super helpful for dev and AppSec teams because it enables them to bring security insights directly to dev environments using natural language. Less friction for users = better security + adoption rates.
Cloud Security
From Container Escape to Privilege Escalation and Beyond: Orca Sensor Expands Runtime Detections
Orca has added a new set of detections to their eBPF-based sensor including added coverage for container breakouts, recon activity, "living off the land" TTPs (i.e., using GTFOBins), and more cloud microservice detections.
Data Security
Concentric AI acquires Swift and Acante
Companies typically announce one acquisition at a time, but Concentric just announced two and I think that's pretty baller. Both are plays to expand their data security offerings.
Network Security
Cato Networks raises $359M Series G at $4.8B valuation
Cato has been dominating the SASE game for the past decade now with over 3.5K customers. The Series G round was led by new investors Vitruvian Partners and ION Crossover Partners, with participation from existing investors including Lightspeed Venture Partners, Acrew Capital, and Adams Street Partners.
Their founder Shlomo Kramer co-founded Check Point and Imperva. Both IPO’d. Cato is on its way to being the 3rd company he leads to IPO. Legendary.
This interview with the Inside the Network crew provides an inside look at how he does it.
DR Trip Recap
If you stuck around for the DR trip recap, you’re awesome. tl;dr - Fun was had. Gained a couple pounds. Relaxed a good bit 🔋
Here are some pics:
Sunset in Las Terrenas🌴
7AM Tennis in 90 degrees 🎾
DJ/Singing set w/ me and the GF!🚀
Interested in sponsoring TCP?
Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of ~6,000 CISOs, practitioners, founders, and investors across 100+ countries 🌎
Bye for now 👋🏽
That’s all for this week… ¡Nos vemos la próxima semana!
Disclaimer
The insights, opinions, and analyses shared in The Cybersecurity Pulse are my own and do not represent the views or positions of my employer or any affiliated organizations. This newsletter is for informational purposes only and should not be construed as financial, legal, security, or investment advice.