Sign in Subscribe

Karla Ortiz-Flores

Karla Ortiz-Flores

Chicago, IL

Exhibit A(I): 500 zero-days is not a governance strategy

Exhibit A(I): 500 zero-days is not a governance strategy

A headline about 500 zero-days sounds dramatic. The real governance question is whether your team knows how to validate, prioritize, and act before the number turns into theater.

Explain This: What NIST's Password Guidance Actually Changed

Explain This: What NIST's Password Guidance Actually Changed

NIST did not just relax password rules. It shifted accountability toward phishing-resistant MFA and verifier-side controls.

Exhibit A(I): Your AI security news diet is part of your threat model

Exhibit A(I): Your AI security news diet is part of your threat model

If your team learns about agentic security from hype posts, malware lures, and unverified thread summaries, you are already behind. The lesson this week is simple: source hygiene is now a security control.

Exhibit A(I): If your team downloads AI tooling from search results, your policy is already broken

Exhibit A(I): If your team downloads AI tooling from search results, your policy is already broken

Fake AI developer tooling, poisoned packages, and weak intake habits now create governance risk long before a formal incident report lands on your desk.

Breach Autopsy: CISA KEV Adds CVE-2026-35616 in Fortinet FortiClient EMS

Breach Autopsy: CISA KEV Adds CVE-2026-35616 in Fortinet FortiClient EMS On April 6, 2026, CISA added CVE-2026-35616 to the Known Exploited Vulnerabilities (KEV) catalog, with a federal remediation due date of April 9, 2026. The flaw affects Fortinet FortiClient EMS and can allow unauthenticated code or command execution through crafted

Breach Autopsy: Microsoft Ties Storm-1175 to High-Tempo Medusa Ransomware Operations

Breach Autopsy: Microsoft Ties Storm-1175 to High-Tempo Medusa Ransomware Operations Microsoft reported on April 6, 2026 that threat actor Storm-1175 is running rapid intrusion-to-encryption operations and chaining vulnerable internet-facing systems into Medusa ransomware campaigns. The activity pattern matters for defenders because it compresses the detection window: initial access, privilege movement,

The Docket: OpenAI Buys TBPN and Steps Into Media Governance Risk

The Docket: OpenAI Buys TBPN and Steps Into Media Governance Risk

OpenAI's purchase of TBPN is not just a media story. It raises disclosure, independence, and governance questions for the most powerful company in AI.