TCP #95: SharePoint Hell; M&A Rumor Mill; Scattered Spider; & Product News
What's hot in security🌶️ | July 16th - July 23, 2025
Welcome to The Cybersecurity Pulse (TCP)! I'm Darwin Salazar, GTM lead at Monad and former detection engineer in big tech. Each week, I bring you the latest security product innovation and industry news. Subscribe below for weekly updates!
On-Device web security–No Traffic Backhauling
Your off-site team can barely load a deck because the Secure Web Gateway is throttling the connection.
If you switch the SWG off, you lose inspection and compliance; leave it on, and every click crawls through a distant data center. Productivity tanks either way.
dope.security executes SSL inspection, URL filtering, and Cloud App Controls locally, right on each device—no detours. Sub-100 ms page loads, reliable uptime, full privacy, and airtight protection on any network, anywhere.
What’s up everyone! 👋🏽 Hope you’re having a great week! As always, things have been heating up leading into hacker summer camp🔥
Here’s a recap of what I’ve been up to on the personal front:
We (Monad) announced our acquisition of Tarsal. I led all the comms for this and man, was it a large effort, but also a very rewarding one. There’s still so much work to be done on the ETL+ side of SecOps. Very excited to have the Tarsal crew onboard 🔨
Cyber Takes podcast interview w/ AJ Yawn about importance of security culture
Readying up for BlackHat. We’re hosting an event for Detection Engineers + SecOps folks. You can register here: https://lu.ma/fl3rg9ns
Travel from Austin → Cambridge for HBS SVMP reunion → Rhode Island → Austin
Unveiling the TCP rebrand tomorrow (!!) 👀
More major news on the Monad front next week + dropping a research report I’ve been working on for the past couple of months
All that said, your boy is a little busy so pardon for the delay on this week’s issue and the lackluster commentary/color.
I typically only lean on AI for TCP when I come across stuff that’s tough to parse and understand. This week is a little AI heavy since I am time-strapped. If you hate it, lmk. Feedback is always welcome!
Okay, onto what’s happened over the past week!
Tl;dr
🔓 ToolShell Zero-Day: Microsoft Attributes SharePoint Attacks to Chinese APT Groups - Attackers exploited critical SharePoint zero-day CVE-2025-53770 ("ToolShell") to breach 400+ organizations globally, with Microsoft attributing the campaign to three Chinese APT groups affecting critical sectors including the US National Nuclear Security Administration.
👀 M&A Rumor Mill - Palo Alto Networks potentially acquiring SentinelOne. DataDog potentially acquiring Upwind for $1B.
One more likely than the other.
🕷️ Microsoft Exposes Scattered Spider's Latest Tactics - Scattered Spider has evolved its tactics to target aviation, retail, and insurance sectors while deploying DragonForce ransomware against VMware ESX environments, shifting from cloud-only to simultaneous on-premises attacks during initial intrusions. TTPs covered.
🛒 United Natural Foods loses up to $400M in sales after Scattered Spider hit
🚨 Critical NVIDIA Container Toolkit Flaw Allows Privilege Escalation on AI Cloud Services - CVE-2025-23266 ("NVIDIAScape"), a CVSS 9.0 container escape vulnerability in NVIDIA Container Toolkit, allows full host takeover with a simple three-line Dockerfile exploit, affecting 37% of cloud environments using NVIDIA GPUs.
💰 Cybersecurity Funding Surged Higher in Q2 Global cybersecurity and privacy startups raised $4.9 billion in Q2 2025, driven by major rounds including Cyera's $540M Series E, Cato's $359M Series G and Island's $175M Series D.
🛡️ How OpenAI's red team made ChatGPT agent into an AI fortress - OpenAI's comprehensive red team testing involving 110 attacks from 16 PhD researchers discovered seven universal exploits in ChatGPT Agent, leading to a 95% defense rate against documented attack vectors and implementation of enterprise-grade security controls.
🦄 Vanta raises $150M Series D @ $4.15B valuation - Vanta raised $150 million in Series D funding at a $4.15 billion valuation led by Wellington Management, bringing total funding to $504 million, with plans to accelerate AI innovation and expand into third-party risk management and government compliance.
📊 Microsoft Sentinel data lake: Unify signals, cut costs, and power agentic AI - Microsoft launched Sentinel data lake in public preview, a cloud-native data architecture that unifies security data from Microsoft and third-party sources into a cost-effective storage tier priced at less than 15% of traditional analytics logs.
🤖 Daylight Security Raises $7M to Combine AI Agents with Human Analysts for MDR - Israeli cybersecurity startup Daylight Security emerged from stealth with $7 million in seed funding led by Bain Capital Ventures to deliver hybrid managed detection and response (MDR) services that blend AI automation with human expertise.
🧠 Empirical Security Raises $12M to Bring Custom AI to Cyber Defense -Chicago-based Empirical Security emerged from stealth with $12M seed funding to develop custom AI models for organization-specific cybersecurity threat prioritization, using a dual-architecture approach combining global models with local organization-specific customization.
Let’s cyber 🕺🏽
⚒️ Picks of the Week ⚒️
ToolShell Zero-Day: Microsoft Attributes SharePoint Attacks to Chinese APT Groups
Attackers exploited critical SharePoint zero-day CVE-2025-53770 ("ToolShell") to breach 400+ of organizations globally, with Microsoft attributing the campaign to three Chinese APT groups: Linen Typhoon, Violet Typhoon, and Storm-2603.
Amongst orgs impacted are the US National Nuclear Security Administration (NNSA) and other critical sectors like banking and government agencies.
This is probably the biggest, most far-reaching vuln of 2025 so far.
Carlos Perez from TrustedSec has a great breakdown of the vuln here:
🧘🏽♂️Extend Your SOC Team with AI-Powered Security Operations 🧘🏽♂️
Tired of an endless alert backlog and too many false positives?
Intezer's Autonomous SOC solution automates investigations and triage decisions, freeing up your team to focus on what matters most. Discover how enterprise teams and top MSSPs are using AI-powered alert triage to cut through the noise, enhancing their SOC analysts' efficiency and accuracy.
Microsoft Exposes Scattered Spider's Latest Tactics
Microsoft revealed Scattered Spider (Octo Tempest) has evolved its tactics to target aviation, retail, and insurance sectors while deploying DragonForce ransomware against VMware ESX environments.
Microsoft's latest threat intelligence shows Scattered Spider has shifted from primarily using cloud identity privileges for on-premises access to now impacting both on-premises accounts and infrastructure simultaneously during initial intrusion phases. The financially motivated cybercriminal group continues using aggressive social engineering tactics, help desk impersonation, and SIM swapping to gain access, but has recently deployed DragonForce ransomware with particular focus on VMware ESX hypervisor environments. Key TTPs include using tools like ngrok, Chisel, AADInternals, Mimikatz, and ADExplorer for credential theft and lateral movement.
United Natural Foods loses up to $400M in sales after cyberattack
United Natural Foods (UNFI), Whole Foods' primary distributor, suffered a cyberattack on June 5, 2025, resulting in $350-400M in lost sales and widespread grocery shortages.
The cyberattack, discovered on June 5 and attributed to the Scattered Spider cybercrime collective, forced UNFI to shut down its network completely, impacting its 52 distribution centers that serve 30,000 customer locations across North America. The attack resulted in empty shelves at Whole Foods stores nationwide and operational disruptions lasting weeks. UNFI restored core systems by June 16 and achieved normalized operations by June 26. Financial impact includes $350-400M in lost sales, $50-60M in net income loss, $20M in manual workaround costs, and $5M in remediation expenses.
Critical NVIDIA Container Toolkit Flaw Allows Privilege Escalation on AI Cloud Services
CVE-2025-23266 ("NVIDIAScape"), a critical container escape vulnerability in NVIDIA Container Toolkit, allows full host takeover with a simple three-line Dockerfile exploit.
Discovered by Wiz Research, this CVSS 9.0 vulnerability affects all NVIDIA Container Toolkit versions up to 1.17.7 and GPU Operator versions up to 25.3.0, impacting 37% of cloud environments using NVIDIA GPUs.
Cybersecurity Funding Surged Higher in Q2
Global cybersecurity and privacy startups raised $4.9 billion in Q2 2025, driven by major rounds including Cyera's $540M Series E, Cato's $359M Series G and Island's $175M Series D.
The global cybersecurity insurance market will more than double from $16.54 billion in 2025 to $32.19 billion by 2030, driven by a 14.2% CAGR as businesses face escalating cyber threats and regulatory compliance requirements.
🔮 The Future of Security 🔮
AI Security
How OpenAI's red team made ChatGPT agent into an AI fortress
OpenAI's comprehensive red team testing involving 110 attacks from 16 PhD researchers discovered seven universal exploits in ChatGPT Agent, leading to a 95% defense rate against documented attack vectors and the implementation of enterprise-grade security controls.
Kudos to OpenAI for leading the way on security + transparency.
Agent System Card: https://openai.com/index/chatgpt-agent-system-card/
Confident Security, 'the Signal for AI,' comes out of stealth with $4.2M
San Francisco startup Confident Security emerged from stealth with $4.2M funding and CONFSEC, an end-to-end encryption tool that guarantees AI model providers cannot access user prompts or data.
Confident Security's "Signal for AI" approach addresses enterprise concerns about AI data privacy by wrapping foundational models with end-to-end encryption that prevents prompts and metadata from being stored, seen, or used for training by model providers or third parties.
Cequence unveils AI Gateway to secure real-time connectivity between agents and enterprise apps
Cequence Security launched AI Gateway, an enterprise-grade solution that enables secure, real-time connectivity between AI agents and enterprise applications using emerging standards like Model Context Protocol while enforcing authentication, authorization, and monitoring policies.
The Cequence AI Gateway addresses the critical security gap as enterprises rush to deploy agentic AI without proper guardrails, converting any API into MCP-compatible endpoints within minutes without requiring code changes or developer upskilling.
Application Security
Intruder releases free tool to detect broken API authorization
Attack surface management company Intruder launched AutoSwagger, a free open-source tool that automatically scans OpenAPI-documented APIs to detect broken authorization vulnerabilities that can be exploited without authentication.
The tool works by detecting API schemas across common formats, parsing OpenAPI/Swagger documentation, and executing targeted scans to flag endpoints that return valid responses instead of expected HTTP 401/403 errors.
JFrog launches MCP Server to connect AI agents with developer tools
JFrog introduced an MCP Server that allows developers to interact with their Software Supply Chain Platform through natural language commands via AI assistants and IDEs.
Cloud Security
AWS open-sources Security Reference Architecture assessment tool
AWS released SRA Verify as an open-source security assessment tool that automatically validates whether organizations' AWS security service implementations align with the prescriptive guidance in the AWS Security Reference Architecture across multi-account environments.
SRA Verify addresses the challenge of validating complex AWS security implementations by providing automated checks that directly map to AWS SRA recommendations, covering services including CloudTrail, GuardDuty, IAM Access Analyzer, Config, Security Hub, S3, Inspector, and Amazon Macie. The tool helps organizations verify proper security service configurations according to the reference architecture while providing clear remediation guidance through accompanying infrastructure-as-code examples in the AWS SRA GitHub repository.
Wiz MCP Server Now Available in the new AWS Marketplace AI Agents and Tools category
Wiz launched their Model Context Protocol (MCP) Server on AWS Marketplace, enabling AI agents to access cloud security insights through natural language queries.
Governance, Risk, and Compliance
Vanta raises $150M Series D @ $4.15B valuation
Vanta raised $150 million in Series D funding at a $4.15 billion valuation, led by new investor Wellington Management. Existing investors including Growth Equity at Goldman Sachs Alternatives, Sequoia, J.P. Morgan, Craft Ventures, Y Combinator, Atlassian Ventures, and CrowdStrike Ventures also participated in the round. This brings Vanta's total funding to $504 million since 2021. The company plans to use the capital to accelerate AI innovation and expand into new markets including third-party risk management and government compliance.
Network Security
Darktrace Acquires Mira Security for Network Visibility
Darktrace acquired network traffic visibility provider Mira Security to enhance encrypted traffic analysis capabilities and strengthen its network detection and response offerings for regulated industries.
Security Operations
Microsoft Sentinel data lake: Unify signals, cut costs, and power agentic AI
Microsoft launched Sentinel data lake in public preview, a cloud-native data architecture that unifies security data from Microsoft and third-party sources into a cost-effective storage tier priced at less than 15% of traditional analytics logs.
I have thoughts on this, but will save for later 😈
Daylight Security Raises $7M to Combine AI Agents with Human Analysts for MDR
Israeli cybersecurity startup Daylight Security emerged from stealth with $7 million in seed funding to deliver hybrid managed detection and response (MDR) services that blend AI automation with human expertise. Funding led by Bain Capital Ventures with participation from Maple VC and prominent Israeli security founders including teams from Torq, Cyera, and EON.
Threat Intelligence
Cyber Intelligence Firm iCOUNTER Emerges From Stealth With $30 Million in Funding
Dallas-based cyber risk intelligence firm iCOUNTER emerged from five years in stealth mode with $30 million in Series A funding led by SYN Ventures, under the leadership of former Mandiant president John Watters.
iCOUNTER officially launched from within Apollo Information Systems with backing from SYN Ventures, marking a significant entry into the cyber risk intelligence market focused on countering AI-enabled targeted attacks. The company is led by cybersecurity veteran John Watters, who previously served as president and COO of Mandiant before its acquisition by Google for $5.4 billion. iCOUNTER's platform uses artificial intelligence to detect and deflect highly customized attacks at scale, positioning itself as the "only intelligence capability exclusively focused on countering targeted attacks" according to SYN Ventures' Jay Leek. The company has operated quietly since 2020, serving about a dozen large enterprise customers with market caps exceeding $1 billion and claiming to have prevented collective losses worth hundreds of millions of dollars.
Vulnerability Management
Q3 2025 Forrester Wave for Unified Vulnerability Management
Empirical Security Raises $12M to Bring Custom AI to Cyber Defense
Chicago-based Empirical Security emerged from stealth with $12M seed funding to develop custom AI models for organization-specific cybersecurity threat prioritization.
Founded by former Kenna Security executives (co-creators of the Exploit Prediction Scoring System), Empirical Security addresses the limitation of generic cybersecurity threat models. The company's dual-architecture approach combines global models trained on 2 million daily exploitation events with local models customized to each organization's unique infrastructure and data.
Interested in sponsoring TCP?
Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of ~6,000 CISOs, practitioners, founders, and investors across 100+ countries 🌎
Bye for now 👋🏽
That’s all for this week… ¡Nos vemos la próxima semana!
Disclaimer
The insights, opinions, and analyses shared in The Cybersecurity Pulse are my own and do not represent the views or positions of my employer or any affiliated organizations. This newsletter is for informational purposes only and should not be construed as financial, legal, security, or investment advice.