News & updates

Field notes from the offensive security desk.

Insights on vulnerabilities, cloud security, API testing, compliance, and penetration testing - written by the consultants who do the work.

FeaturedVulnerability

CVE-2026-48282: a CVSS 10.0 ColdFusion flaw is already being exploited - patch now

An unauthenticated path-traversal flaw in ColdFusion's Remote Development Services turns a single crafted HTTP request into full remote code execution as the service account. Disclosed 30 June 2026 (APSB26-68), weaponised within hours, and being exploited in the wild right now. Here's the five-minute briefing and the to-do list.

StaatseJul 07, 20269 min read
Read article
May 2026 monthly report: ransomware and the MOVEit three-year retrospective

May 2026 monthly report: ransomware and the MOVEit three-year retrospective

Three years on from CVE-2023-34362 (MOVEit Transfer SQLi) and the Cl0p mass-exploitation campaign that defined modern data-exfiltration ransomware. Plus the 2024-2025 ransomware retrospective: LockBit takedown, BlackCat exit-scam, and what survives them.

May 26, 202611 min
April 2026 monthly report: open-source critical infrastructure - regreSSHion at year two

April 2026 monthly report: open-source critical infrastructure - regreSSHion at year two

Two years after regreSSHion (CVE-2024-6387), the OpenSSH CVE that didn't quite weaponise globally - plus what CUPS, OpenSSL, and the rest of the critical OSS stack look like in April 2026.

Apr 28, 20269 min
March 2026 monthly report: supply chain hardening, one year after tj-actions

March 2026 monthly report: supply chain hardening, one year after tj-actions

It's been a year since CVE-2025-30066 (the tj-actions/changed-files compromise) and the XZ Utils backdoor (CVE-2024-3094) is two years old this month. Where supply-chain defence stands, what changed, and what most teams still haven't done.

Mar 30, 202610 min
February 2026 monthly report: Microsoft patch tuesday in retrospect

February 2026 monthly report: Microsoft patch tuesday in retrospect

Microsoft shipped fixes for more in-the-wild zero-days in 2024 than in any prior year - and the Windows MSHTML, TCP/IP, and Task Scheduler issues remain pre-prevalent on unpatched estate. A February inventory of the Microsoft CVEs you still need to verify are gone.

Feb 26, 20268 min
January 2026 monthly report: identity perimeter under siege

January 2026 monthly report: identity perimeter under siege

Two years after Snowflake, the credential-theft + SaaS-misconfiguration pattern is the most consistent breach vector we triage. A digest of the real incidents and CVEs that should anchor your January retrospective.

Jan 30, 20269 min
March 2025 zero-day report: GitHub Actions supply-chain compromise

March 2025 zero-day report: GitHub Actions supply-chain compromise

tj-actions/changed-files was compromised in March 2025 and used to leak CI secrets across thousands of repositories. Plus Q1 2025's other actively-exploited zero-days, what was chained with what, and what defenders should patch first.

Mar 28, 202514 min
2024 CMS security insights: lessons from a year of plugin compromises

2024 CMS security insights: lessons from a year of plugin compromises

WordPress, Drupal, and Joomla took the brunt of 2024's web compromises - and the pattern was the same as 2023. What Wordfence, Sucuri, and Patchstack data tells us, plus the controls that materially reduce breach probability.

Dec 11, 202410 min
Top cloud security threats of 2024: the year of credential theft

Top cloud security threats of 2024: the year of credential theft

Snowflake customer compromises, Microsoft Midnight Blizzard, AnyDesk - the 2024 cloud incident pattern was consistent: stolen credentials reused against unprotected SaaS. Eight failure modes, ranked by real-world incident frequency.

Oct 22, 202412 min
Securing the cloud: a 2024 framing of shared responsibility

Securing the cloud: a 2024 framing of shared responsibility

The shared-responsibility model isn't ambiguous - it's just frequently unread. A practical map of what AWS, Azure, and GCP own versus what you own, and the three architectural patterns that move the needle for mid-market customers.

Sep 04, 202411 min