Featured
our security stack was built for servers and cloud accounts — not the Lovable app your PM deployed on a public URL last weekend.
Louis Columbus
An AI agent rewrote a Fortune 50 security policy. Here's how to govern AI agents before one does the same.
Every identity check passed — and the security policy still got rewritten. Here's the 6-stage framework for governing AI agents in production.
Louis Columbus
Anthropic Skill scanners passed every check. The malicious code rode in on a test file.
Gecko Security proved Anthropic Skill scanners miss bundled test files that execute via Jest and Vitest with full local permissions. The Anthropic Skill Audit Grid maps seven detection gaps plus three CI hardening steps.
Louis Columbus
One command turns any open-source repo into an AI agent backdoor. OpenClaw proved no supply-chain scanner has a detection category for it
CLI-Anything and similar agent bridge tools created an integration layer no security scanner monitors. Two exclusive interviews, a prescriptive matrix, and a five-step action plan for security directors.
Louis Columbus

Microsoft takes Agent 365 out of preview as shadow AI becomes an enterprise threat
The product, first announced at Microsoft's Ignite conference in November, positions itself as a unified control plane that lets enterprise IT and security teams observe, govern, and secure AI agents wherever they run: inside Microsoft's own ecosystem, on third-party cloud platforms like AWS Bedrock and Google Cloud, on employee endpoints, and increasingly across a sprawling ecosystem of SaaS agents built by partner software companies.

200,000 MCP servers expose a command execution flaw that Anthropic calls a feature
OX Security found 200,000 MCP servers running with an execution surface Anthropic says is by design. A product-by-product patch audit for security teams.
Louis Columbus
Claude Code, Copilot and Codex all got hacked. Every attacker went for the credential, not the model.
A branch name stole a GitHub token. A PR description triggered RCE. The attack surface isn't the model — it's the credential the agent is holding.
Louis Columbus
CVSS scored these two Palo Alto CVEs as manageable. Chained, they gave attackers root access to 13,000 devices.
Five ways CVSS vulnerability triage misses the kill chain — and the specific actions security directors can take this month.
Louis Columbus
85% of enterprises are running AI agents. Only 5% trust them enough to ship.
An 80-point gap separates AI agent pilots from production. Patel's RSAC interview reveals why trust — not technology — is what's keeping enterprises stuck.
Louis Columbus
Vercel breach exposes the OAuth gap most security teams cannot detect, scope or contain
One AI tool OAuth grant. Four organizational boundaries. No zero-day required. How the Vercel breach exposed a detection gap most security programs can't close.
Louis Columbus
Three AI coding agents leaked secrets through a single prompt injection. One vendor's system card predicted it
A researcher typed one malicious PR title and exfiltrated API keys from three AI coding agents. One vendor's system card warned it was possible.
Louis Columbus
Adversaries hijacked AI security tools at 90+ organizations. The next wave has write access to the firewall
The AI tools attackers hijacked in 2025 could only read data. The autonomous SOC agents shipping now can rewrite infrastructure.
Louis Columbus