Explain This: What NIST's Password Guidance Actually Changed NIST did not just relax password rules. It shifted accountability toward phishing-resistant MFA and verifier-side controls.
Exhibit A(I): Your AI security news diet is part of your threat model If your team learns about agentic security from hype posts, malware lures, and unverified thread summaries, you are already behind. The lesson this week is simple: source hygiene is now a security control.
Exhibit A(I): If your team downloads AI tooling from search results, your policy is already broken Fake AI developer tooling, poisoned packages, and weak intake habits now create governance risk long before a formal incident report lands on your desk.
Breach Autopsy: CISA KEV Adds CVE-2026-35616 in Fortinet FortiClient EMS On April 6, 2026, CISA added CVE-2026-35616 to the Known Exploited Vulnerabilities (KEV) catalog, with a federal remediation due date of April 9, 2026. The flaw affects Fortinet FortiClient EMS and can allow unauthenticated code or command execution through crafted
Breach Autopsy: Microsoft Ties Storm-1175 to High-Tempo Medusa Ransomware Operations Microsoft reported on April 6, 2026 that threat actor Storm-1175 is running rapid intrusion-to-encryption operations and chaining vulnerable internet-facing systems into Medusa ransomware campaigns. The activity pattern matters for defenders because it compresses the detection window: initial access, privilege movement,
The Docket: OpenAI Buys TBPN and Steps Into Media Governance Risk OpenAI's purchase of TBPN is not just a media story. It raises disclosure, independence, and governance questions for the most powerful company in AI.
Exhibit A(I): Claude Code Leak Turns Curiosity Into a Malware Trap A Claude Code source leak became bait for GitHub malware, exposing the legal and operational gap between leaked code and trusted software.