CVE-2026-20147: A vulnerability in Cisco Hit with CRITICAL Denial of service
Intelligence Feed
The Sherlock Forensics Intelligence Feed provides expert analysis of AI code security, vibe coding vulnerabilities, CVE advisories and digital forensics methodologies from certified examiners with over 20 years of field experience in Vancouver, BC.
Featured Analysis
A vulnerability in Cisco denial of service (CVE-2026-20147) scores CVSS 9.9 CRITICAL. Analysis of affected systems, exploitation risk and remediation steps.
A vulnerability in Cisco denial of service (CVE-2026-20180) scores CVSS 9.9 CRITICAL. Analysis of affected systems, exploitation risk and remediation steps.
A vulnerability in the vulnerability (CVE-2026-20184) scores CVSS 9.8 CRITICAL. Analysis of affected systems, exploitation risk and remediation steps.
A vulnerability in Cisco denial of service (CVE-2026-20186) scores CVSS 9.9 CRITICAL. Analysis of affected systems, exploitation risk and remediation steps.
In Splunk Enterprise versions remote code execution (CVE-2026-20204) scores CVSS 7.1 HIGH. Analysis of affected systems, exploitation risk and remediation steps.
In Splunk MCP Server vulnerability (CVE-2026-20205) scores CVSS 7.2 HIGH. Analysis of affected systems, exploitation risk and remediation steps.
The Riaxe Product Customizer SQL injection (CVE-2026-3599) scores CVSS 7.5 HIGH. Analysis of affected systems, exploitation risk and remediation steps.
The Prismatic plugin for cross-site scripting (CVE-2026-3876) scores CVSS 7.2 HIGH. Analysis of affected systems, exploitation risk and remediation steps.
The Barcode Scanner (+Mobile privilege escalation (CVE-2026-4880) scores CVSS 9.8 CRITICAL. Analysis of affected systems, exploitation risk and remediation steps.
The Payment Gateway for vulnerability (CVE-2026-5050) scores CVSS 7.5 HIGH. Analysis of affected systems, exploitation risk and remediation steps.
Spring cleaning for your security posture. Remove old accounts, rotate keys, patch outstanding CVEs and test your incident response plan.
4 new Cross-Site Scripting (XSS) CVEs this week including CVE-2026-27243 (CVSS 9.3). What SaaS Security teams need to know.
SOC 2 does not explicitly require a penetration test. But every auditor expects one. What the Trust Services Criteria actually say and what your report needs.
How to scope a SaaS penetration test. Covers API endpoints, authentication flows, multi-tenant isolation, webhooks and third-party integrations that most vendors skip.
Improper access control in access control (CVE-2026-26183) scores CVSS 7.8 HIGH. Analysis of affected systems, exploitation risk and remediation steps.
Adobe Connect versions 2025.3, cross-site scripting (CVE-2026-27243) scores CVSS 9.3 CRITICAL. Analysis of affected systems, exploitation risk and remediation steps.
Adobe Connect versions 2025.3, cross-site scripting (CVE-2026-27245) scores CVSS 9.3 CRITICAL. Analysis of affected systems, exploitation risk and remediation steps.
Adobe Connect versions 2025.3, cross-site scripting (CVE-2026-27246) scores CVSS 9.3 CRITICAL. Analysis of affected systems, exploitation risk and remediation steps.
ColdFusion versions 2023.18, 2025.6 vulnerability (CVE-2026-27305) scores CVSS 8.6 HIGH. Analysis of affected systems, exploitation risk and remediation steps.
Concurrent execution using shared vulnerability (CVE-2026-27926) scores CVSS 7.0 HIGH. Analysis of affected systems, exploitation risk and remediation steps.
Use after free in vulnerability (CVE-2026-32089) scores CVSS 7.8 HIGH. Analysis of affected systems, exploitation risk and remediation steps.
Concurrent execution using shared vulnerability (CVE-2026-32090) scores CVSS 7.8 HIGH. Analysis of affected systems, exploitation risk and remediation steps.
Improper input validation in vulnerability (CVE-2026-32168) scores CVSS 7.8 HIGH. Analysis of affected systems, exploitation risk and remediation steps.
Insufficiently protected credentials in vulnerability (CVE-2026-32171) scores CVSS 8.8 HIGH. Analysis of affected systems, exploitation risk and remediation steps.
Deserialization of untrusted data deserialization (CVE-2026-32192) scores CVSS 7.8 HIGH. Analysis of affected systems, exploitation risk and remediation steps.
Adobe Connect versions 2025.3, privilege escalation (CVE-2026-34617) scores CVSS 8.7 HIGH. Analysis of affected systems, exploitation risk and remediation steps.
ColdFusion versions 2023.18, 2025.6 vulnerability (CVE-2026-34619) scores CVSS 7.7 HIGH. Analysis of affected systems, exploitation risk and remediation steps.
Many cyber insurance policies cover penetration testing under loss prevention or pre-breach services. Search your policy for four key terms to find out.
Spend $1,500 on a pentest, save $3,000 to $10,000 on your premium. The ROI math and what to include in your renewal package.
Most policyholders use 2 of 10 available security benefits. Here is the full checklist of what your premium pays for.
What brokers skip: proactive benefits, vendor lists and premium reduction strategies. Five questions to ask at renewal.
Six steps from policy check to reimbursement. Our reports are formatted for insurance submission.
Scope definition, CVSS ratings, remediation steps, executive summary, tester credentials and retest results. Our reports check every box.
Five common denial reasons and how a $1,500 pentest provides the due diligence evidence that prevents each one.
Many cyber insurance policies cover annual penetration tests as a preventive benefit. Your premium already includes this. Here is how to check and submit the request.
Step-by-step walkthrough of the cyber insurance claims process from notification through triage, investigation, report and claim resolution.
Penetration tests reduce claims, demonstrate due diligence and satisfy policy conditions. Skip them and your coverage faces exclusions and denied claims.
The big firms handle 500 cases a year. We handle yours. Comparing large panel vendors to independent forensics for cyber insurance claims.
Recent pentest, IR plan, MFA, tested backups and logging. Do these five and your insurer loves you. Skip them and your claim gets complicated.
You are one person against every bot on the internet. A casual, direct guide to the attacks that actually hit solo builders and how to stop them.
10 quick security checks with how-to steps for each. Free checklist for solopreneurs and indie hackers launching web apps.
First person narrative. Relatable. Honest. The answer is almost certainly no. But that is fixable.
A priority ladder from free tools to $5,000 pentests. Genuinely helpful at every budget level. No hard sell.
The moment someone gives you money or personal data, you are responsible for protecting it. Legal obligations kick in.
AI-assisted code auditing with ChatGPT, Claude and SAST tools. What AI catches, what it misses and when to call a professional.
10 copy-paste security prompts for vibe coders. Check your AI-generated code for SQL injection, hardcoded secrets, broken auth and more.
Claude Mythos can find zero-days faster than any human. If AI discovers vulnerabilities this fast, your unaudited code is a sitting target.
National reach, court-qualified in BC and Newfoundland, remote forensic capabilities and on-site collection anywhere in Canada.
5 free methods to test your website security. Security headers, SSL, exposed files, admin panels and Google dorking.
Step-by-step guide for the first 60 minutes of an active breach. Isolate, preserve, assess, communicate and engage forensics.
20 years of cybersecurity and forensics. Services, pricing, credentials, CBC appearances and what makes Sherlock different.
SaaS penetration testing covers multi-tenant security, API testing, auth/authz review and compliance reporting. From $5,000 CAD.
What happens during a vibe code audit, what we check, common findings and how to prepare your AI-built app for review. From $1,500 CAD.
On-site forensic collection, BC court testimony, PIPEDA compliance and same-day incident response from two Metro Vancouver offices.
Court-qualified examiner with 20+ years experience. Computer forensics, cellphone forensics, eDiscovery and expert witness testimony.
AI code slop is getting worse. Our 2026 audit data shows what happens when AI-generated code ships without security review.
Analysis of Claude Mythos vulnerability discovery capabilities, what remains unpatched and what it means for your security posture.
Most firewalls are configured once and never validated. Years of rule bloat create hidden pathways through your perimeter.
Default credentials, any-any rules, no egress filtering and seven other misconfigurations we find in nearly every firewall we test.
Fileless attacks, LOLBins and credential abuse bypass EDR detection. A penetration test reveals what your endpoint protection misses.
Zscaler, Cloudflare Zero Trust and BeyondTrust have limitations. Insider threats and misconfigurations bypass the architecture.
Companies buy firewall, EDR, NDR, SIEM and MFA but never test them together. ShadowTap tests the whole stack simultaneously.
Companies spend millions on Darktrace, CrowdStrike and Sentinel but never test if they work. Why security tool validation is the missing piece.
Known limitations of behavioral analysis: encrypted tunnels, MAC spoofing, low-throughput DNS tunnels and traffic mimicking normal patterns.
AI detection tools need training data and a baseline. New devices have no baseline. Slow-moving attackers stay under the radar.
Sanitized methodology: Darktrace stays fully operational, controlled phase escalation and joint review after testing.
Encrypted tunnels, DNS exfiltration, ICMP tunnels, non-standard ports and identity rotation. The gaps attackers exploit.
Years watching networks for attackers taught us exactly how to be one. 12,000+ signatures became 12,000+ things we know how to test for.
ShadowTap Ghost Mode: physically on your network, generating zero outbound traffic. All C2 through cellular. Your IDS cannot see what is not there.
Anti-Antigena MAC prefix matching and hostname mimicry. To the AI, we looked like just another Intel workstation named WS4827.
Cloudflare ARGO, Iodine DNS, ICMP ptunnel, SSH reverse and JML ICMP timing. Each tunnel that fails teaches us about your detection.
When ShadowTap plugs in, the clock starts. The baseline window is the attacker's window. A real attacker has the same opportunity.
If your vendor cannot answer these five questions about detection coverage, we can. By testing it.
Blue team monitors. Red team attacks. Purple team approach delivers collaborative improvement that neither side achieves alone.
AI coding is incredible. Here is how to do it without leaving the door open. Secure environments, security prompts, pre-commit hooks and deploy checks.
Every revolution needed a security layer. Assembly needed memory safety. The web needed HTTPS. AI needs audit.
Ban AI and your developers use it anyway. Embrace it with guardrails. Policy template for enterprise CTOs who want to say yes to AI.
We pointed our own tools at sherlockforensics.com and documented everything honestly. Missing headers, demo files, permission issues and more.
A penetration test is an authorized simulated cyberattack to find vulnerabilities. Learn types, cost, timeline and what to expect.
Penetration test costs from $1,500 to $50,000 CAD. Pricing table by tier, scope and timeline. Transparent pricing breakdown.
AI slop is unreviewed AI-generated code that compiles correctly but hides security vulnerabilities. Definition, examples and how to fix it.
Vibe coding is building apps with AI assistants and minimal manual coding. Learn the security risks and how to protect vibe-coded applications.
The complete 7-step penetration testing process from scoping and planning through exploitation, reporting and remediation support.
External, internal, web app, API, mobile, social engineering, cloud and red team. Which type of penetration test do you need?
Comparing the top pentest firms in Canada: Sherlock Forensics, Mandiant, Coalfire, GoSecure, Herjavec Group and KPMG. Specialties, pricing and target markets.
What Nessus, Qualys and Burp Suite find vs. what a human pentester catches. Pricing comparison and why you likely need both.
CrowdStrike protects endpoints. We test if your application can be broken into. Why SMBs need pentesting, not just EDR.
Real pricing from $1,500 quick audits to $50,000+ enterprise red teams. Transparent comparison with factors affecting cost.
What OWASP ZAP, Nikto, nmap and SSL Labs do well and where free tools stop. Use them for hygiene. Hire professionals for assurance.
I built a SaaS with Cursor in a weekend. Then I ran our own security testing tool against it. 14 vulnerabilities in 45 minutes.
Took us 4 minutes to find the database password. passwords.txt in the public directory. A war story of escalating findings from one engagement.
15 practical security checks for AI-generated code. Each item includes what to check, why it matters and a copy-paste fix you can use right now.
How .env files end up exposed in apps built with Cursor, Bolt and Lovable. How to check if yours is leaking and how to fix it in 5 minutes.
92% had critical vulnerabilities. 78% stored secrets in plaintext. Data-driven analysis with visual breakdowns by vulnerability category and AI tool.
Experience catches business logic flaws, court-admissible documentation and auditor-ready reports. What 20 years and CISSP/ISSAP/ISSMP certifications actually deliver.
A buyer's guide covering certifications, manual testing, compliance reports, retesting, expert witness capability and more. With Sherlock's answers to each.
Default credentials, missing rate limiting, exposed admin panels, SQL injection and more. The 10 most common findings from real pentests with severity ratings.
Seven essential security prompts to paste into your AI coding tool before deploying. Catch broken auth, injection flaws, exposed secrets and more.
The security gap between mandating AI coding tools and auditing what they produce. References Linus Torvalds, Zuckerberg and the enterprise accountability problem.
Practical npm and pip verification commands to confirm AI-suggested packages exist before installing them. Prevent supply chain attacks from hallucinated dependencies.
A 7-point checklist for CPAs reviewing SOC 2 pentest reports. Scope, methodology, CVSS findings, remediation status, retest evidence and red flags.
Transparent pricing from $1,500 to $25,000+ CAD. Four tiers compared to industry averages, cost factors and why cheap pentests are expensive.
Aggregate data from hundreds of engagements. Default credentials, SQL injection, broken access controls and more, with severity ratings and fixes.
Clear comparison of pentests, vulnerability scans, bug bounties and red teams. Table format with costs, use cases and a decision tree.
Step-by-step walkthrough of a real engagement. Scoping, reconnaissance, exploitation, reporting and debrief demystified for founders and CTOs.
Penetration testing explained in plain language. What it is, why it matters, what happens during one, what the report looks like and how much it costs.
Side-by-side comparison for CTOs. Pros, cons, costs and a decision framework for choosing between pentests and bug bounty programs.
A detailed day-by-day walkthrough of a standard penetration test. Scoping, reconnaissance, active testing, exploitation, reporting and debrief.
The most common API vulnerabilities mapped to the OWASP API Security Top 10. Broken auth, BOLA, mass assignment, rate limiting and SSRF with real findings.
How to tell a good pentest report from a bad one. Red flags, green flags and what to demand from your security vendor.
SOC 2 penetration testing requirements for startups. What the standard requires, how to scope, timing and what auditors look for in the report.
Top 5 findings from the 2026 AI Code Security Report. 92% of AI-generated codebases have critical vulnerabilities. 88% lack rate limiting. 78% expose secrets.
Aggregate data from 50 AI code audits. 92% had critical vulnerabilities, 78% stored secrets in plaintext and 54% had SQL injection. Vibe-coded vs professional comparison.
Anonymized case study. 3-person SaaS startup built with Cursor. 8 critical vulnerabilities found in a $1,500 quick audit and fixed in 2 days.
$1,500 audit vs $4.88M breach. The math of prevention vs doing nothing, including PIPEDA fines, cyber insurance and reputation damage.
The 10 most common security disasters in vibe-coded authentication. Plaintext passwords, client-side auth, exposed .env files and more.
Ten checks you can run right now. If you fail more than two you need a professional audit before launch.
A realistic 60-minute attack walkthrough on a typical vibe-coded SaaS. From recon to database dump to Stripe access.
Decision tree for founders. If it handles user data, processes payments or has login, the answer is yes.
Directory traversal, server misconfiguration and zero hashing. Why flat file password storage is catastrophic and what to use instead.
AI slop ships fast and breaks faster. Unreviewed AI-generated code carries injection flaws, hallucinated dependencies and hardcoded secrets that survive to production.
Working code is not secure code. AI writes functional applications that hide auth bypasses, injectable queries and unprotected API endpoints.
You built it in a weekend with Cursor. An attacker dismantled it in an afternoon. The incident response playbook for AI-built applications.
Nine security categories every CTO must check before shipping AI-generated code. Dependency verification, secrets scanning, auth review and more.
Hallucinated packages, weak randomness, SQL injection, hardcoded secrets and insecure deserialization. The five patterns we find in every AI code audit.
Anthropic's Claude Mythos found thousands of zero-days for under $50 each. Over 99% remain unpatched.
The rise of non-developers shipping production apps and why scanning alone is not enough to secure vibe coded software.
EU AI Act, NIST AI RMF and investor expectations are making AI security audits a pre-launch requirement.
Documented cases of AI systems being exploited in production. Prompt injection, model poisoning and supply chain attacks with real-world impact.
A forensic examination of AI attack surfaces. Model extraction, data poisoning, adversarial inputs and the security gaps most teams overlook.
Employees are using AI tools you did not approve on data you did not authorize. The compliance and security implications are significant.
The tools our team actually uses on engagements. From reconnaissance to exploitation to reporting.
What Canadian businesses need to know about PIPEDA compliance, data breach notification and privacy impact assessments.
How evolving post-quantum encryption standards are reshaping volatile memory analysis and what forensic examiners must adapt.
A forensic methodology for authenticating digital evidence when AI-generated media enters the courtroom.
Investors are asking about security posture. Here is what a pre-funding penetration test actually covers and why waiting costs more.
CVE Intelligence
High and critical vulnerabilities relevant to cloud, web and AI infrastructure. Updated daily from the National Vulnerability Database.
| CVE | Severity | CVSS | Affected Product | Vulnerability |
|---|---|---|---|---|
| CVE-2026-23696 | CRITICAL | 9.9 | Windmill CE/EE | SQL injection in folder ownership management |
| CVE-2021-4473 | CRITICAL | 9.8 | Tianxin Management System | Command injection in Reporter component |
| CVE-2026-22679 | CRITICAL | 9.8 | Weaver E-cology 10.0 | Unauthenticated RCE via debug endpoint |
| CVE-2026-3296 | CRITICAL | 9.8 | Everest Forms (WordPress) | PHP Object Injection via deserialization |
| CVE-2026-4631 | CRITICAL | 9.8 | Cockpit (Linux) | SSH command injection via login endpoint |
| CVE-2026-1346 | CRITICAL | 9.3 | IBM Verify Identity Access | Privilege escalation for local users |
| CVE-2026-22683 | HIGH | 8.8 | Windmill | Missing authorization bypasses operator restrictions |
| CVE-2026-3357 | HIGH | 8.8 | IBM Langflow Desktop | Insecure FAISS deserialization enables code execution |
| CVE-2026-1342 | HIGH | 8.5 | IBM Verify Identity Access | Local users can execute malicious scripts |
| CVE-2026-4788 | HIGH | 8.4 | IBM Tivoli Netcool Impact | Sensitive data exposure in log files |
| CVE-2026-4740 | HIGH | 8.2 | Red Hat ACM / Open Cluster Mgmt | Certificate forgery via improper validation |
| CVE-2026-5736 | HIGH | 7.3 | PowerJob | detailPlus endpoint manipulation |
| CVE-2026-5739 | HIGH | 7.3 | PowerJob | Code injection via OpenAPI workflow endpoint |
| CVE-2026-5741 | HIGH | 7.3 | docker-mcp-server | OS command injection via HTTP interface |
| CVE-2026-1343 | HIGH | 7.2 | IBM Verify Identity Access | SSRF exposes internal auth endpoints |
| CVE-2026-22682 | HIGH | 7.1 | OpenHarness | Improper access control exposes local files |