From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

IT Brew

Tom McKay

itbrew.com

Graphic of gravestones in descending height order

Scam obituary sites draw enterprise traffic, research finds

Obituary sites that currently scam users into installing push notifications and pop-ups could be a vehicle for malware.

Amanda Florian

Threat actors in China becoming ‘more brazen,’ NSA says 

Dave Luber of the NSA told IT Brew new incidents tied to Volt Typhoon are unfolding every day based on “industry and incident response reporting.”

Billy Hurley

HSB adds cyber protections to automotive coverage

The insurance provider sees the car a lot like a computer—both can be hacked.

A shield with a checkmark inside icon denoting cybersecurity

Cybersecurity

Maybe it’s the confidence that comes from meeting 20,000 of your peers in Las Vegas, but security professionals at this year’s Black Hat conference expressed optimism about using AI and automation to thwart attackers.

Citing bug-bounty programs, automated code-flaw discoveries, and the increasing automation of the security operations center (SOC), infosec veterans and industry professionals—some of who work for companies designing AI-assisted defenses, funnily enough—shared a few early AI wins for defenders.

“AI is the key because that’s one of the few fields where defenders are ahead of the attackers,” said Mikko Hypponen, a cybersecurity practitioner since 1991.

In a conference-opening speech on August 6 highlighting his many decades of threat research, Hypponen, who recently left cybersecurity company WithSecure to join the drone-detection firm Sensofusion as chief research officer, shared how defenses have evolved from reverse-engineering floppy-disk computer viruses in the ’90s to finding never-before-seen code vulnerabilities (aka 

) with the help of today’s large language models.

 revealed how UC Berkeley researchers used a “CyberGym” of AI models to find 15 previously unknown vulnerabilities, or zero days, in 188 large open-source code bases. Google’s Project Zero team, 

, revealed how they used an AI agent to find a previously unknown software flaw.

“I’m already losing count,” Hypponen said of how many zero days have been discovered by large language models (LLMs).

Speaking of losing count, there are many adversaries using AI in their attacks today:

, according to its dark-web ads, create undetectable malware;

 can lead to a convincing phishing message.

“Adversaries definitely have an edge for the simple reason that adversaries don't have a compliance department slowing them down,” Ian L. Paterson, CEO at cybersecurity provider Plurilock (and Black Hat attendee), told us, adding that AI has helped drive an uptick of high-quality phishing messages in a variety of languages.

Security vendors and defenders, however, showed off their own AI-powered defenses. Microsoft says its “Project Ire” agent prototype, 

, fully reverse-engineers a software file to determine if code is malicious. Threat intel platform SOCRadar released an agentic approach to detect domain impersonation. Meanwhile, 

 of its AI Cyber Challenge—an effort to use autonomous systems to secure critical application software.

In a conference-closing panel featuring Black Hat’s review-board members, VP of security engineering at Google Heather Adkins and Black Hat founder Jeff Moss agreed that AI will help defenders enforce cybersecurity mechanisms—shutting down accounts and sending malicious code quickly for review—across their infrastructures.

“It’ll take a while for us to trust that. But in the end, I think the definition of winning will be that the defense has better tooling to be able to shut these [cyberattacks] down fast,” Adkins told attendees.

One problem for defenders, according to Jason Haddix, CEO at Arcanum Information Security, has been “scaling the humans that we have that protect us, and scaling the technologies across massive amounts of code or infrastructure.”

“I think that the scale that AI brings will help defenders more than it will help attackers,” he told the crowd.

While security pros expressed confidence in AI’s assistive capabilities, one attendee raised concerns about AI replacing today’s human security analyst. Security budgets have tightened, and orgs are increasingly willing to spend on tooling rather than people, 

An informal poll of the room revealed more confidence in numbers amongst the Vegas security professionals.

“How many people here are concerned that they will be losing their role to our robotic overlords?” Daniel Cuthbert, global head of cyber security research at Santander, asked.

According to Cuthbert’s count (which did not include a “yes” vote from Adkins onstage): only four in the crowd raised their hands.


A crystal ball containing a lock, with mouse cursors surrounding it.

At Black Hat, security pros say defenders have AI edge against adversaries

Cybersecurity veterans at the annual conference shared some early AI wins.

Brianna Monsanto

April Fools’ Day came late last year for employees at Albert Invent, an AI-powered research and development platform for scientists.

Last year, Albert Invent co-founder and CEO Nick Talken hired a cybersecurity firm to carry out a sophisticated spear phishing attack on a group of unsuspecting engineers at his company.

Talken, a chemist, told IT Brew that he was inclined to perform the offensive raid on his employees because the startup’s systems house the intellectual property of its consumers, which comprise Fortune 500 companies and chemical and personal care companies. That means it’s crucial the startup’s security posture is top-notch.

“A lot of them, in their own words, say that we’re housing the crown jewels of the organization, and we take that responsibility extremely seriously,” Talken said.

Talken sought the help of Coalfire, a cybersecurity and compliance service provider, to craft the elaborate phishing attack against his employees. He said he wanted Coalfire to target the employees on his team with the highest level of privileged access into its systems.

The attack was simple. Employees were sent a spear phishing email containing a malicious link, followed by a spoofed phone call from their CEO coaxing them to click it. John Hendley, VP of offensive security at Coalfire, told IT Brew that his team was able to clone Talken’s voice by inputting audio from a public webinar into an open-source model. Hendley said the tool only needed 30 seconds of audio to train with.

“We used open-source tool sets to create a facsimile of his voice, and then we used commercial spoofing software to call and spoof his phone number, to call his employees and try to get them to open a link in an email that we sent,” Hendley said. He added that anyone could perform the attack.

While Coalfire regularly offers offensive security services to clients, Hendley said Albert Invent’s request was different because Talken wanted a more advanced phishing attack simulation with AI-voice cloning.

The night before the attack, Talken said the Coalfire team used the spoofed number and cloned voice to call his wife.

“It was scary,” Talken said. “I was like, ‘This could work.’”

After the email and phone call was made to employees, skeptical employees quickly called Talken to verify what had happened.

“I was like, ‘I have no idea what you’re talking about…and by the way, you’ve passed the test. Thank you for calling me,’” Talken said. He said only a few employees clicked on the faux-malicious link in the email, though single sign-on blocked any further havoc. None of the employees gave up their credentials, and client data was never at risk during the exercise.

Looking back, Talken said the experience was “eye-opening” for his company and caused Albert Invent to “accelerate” internal changes to its system authentication.

“Everyone was secure, but it got close, and that is what we were looking for. Maybe more than anything else, it brought a heightened sense of awareness to our entire company of what is possible today.”

Two men in front of computers over purple background.

Why a science tech startup performed an offensive raid on its employees

Albert Invent CEO Nick Talken tells IT Brew the hack carried out by a cybersecurity firm was “eye-opening.”

First impressions are important, even when you’re confronting a cybercriminal.

Mark Lance, a ransomware negotiator and VP of digital forensics and incident response (DFIR) and threat intelligence at GuidePoint Security since 2022, often has to initiate interactions with his clients’ cyberattackers, using chat functionality on a ransomware as a service platform or a dark-web site.

And these days, there are way more groups to track, each with their own track record of encrypting, decrypting, deleting, or posting sensitive information online. In Q2 of last year, Lance told IT Brew that he and his team were tracking 45 threat groups; today the number has grown to 71. Lance said he takes the groups’ histories and backgrounds into account during the negotiation process.

“You have to look at these groups and what their primary motivation is,” he told us.

Lance spoke with us about how the conversation begins with today’s (many) adversaries.

These responses have been edited for length and clarity.

What is your first message, and what’s important to establish in it?

It really is dependent upon the intent of what a client is trying to get out of the negotiations. They might believe they have a drastic need to potentially consider making a ransom payment. Other times, it’s about just delaying the process and figuring out what ransomware amounts are. Generally our first message, in most circumstances, is going to be more acknowledgement that we know that they’ve impacted us, and we’re opening up the channels for communication. It’s like, ‘Hey, we received your note. Can you tell us more about what we have going on in the environment?”

What are you trying to discover in these early interactions with the adversary?

Typically, we can ask them, “Hey, you’re asking for X amount. Why do you believe that [data] is of value to us?” And [maybe] they’ll provide a file tree and that file tree can help determine, “OK, well, here’s what information they might have.” A lot of times if encryption is involved, you might not have access to those servers…Once they got in, what did they touch? What did they steal? A lot of times those breadcrumbs aren’t there, but by having them provide us a file tree, that’s something we can then turn over to the forensics workstream and say, “Hey, where were these files located? On which systems?”

How long do these interactions usually last?

It generally happens over the span of days to weeks. It’s not generally in a matter of hours. These kinds of communications occur over an extended period. Again, it’s the level of urgency; how frequently we’re responding is contingent on what we’re trying to get out of the negotiation itself.

And what is being negotiated exactly here?

One of the things that we need to determine is what are the terms of the negotiation: Are we trying to get access to decryptors? Are we trying to ensure that the information won’t be published to their dark-web site? Are they going to give us the method of ingress and how they actually got into the environment?...We try to get agreement with the cybercriminals: “Hey, if we make a payment, here’s what we expect.” We expect access to decryptors, or we expect that this information won’t be published, and we want indications that it’s been deleted. Realistically, can you expect them to fully delete it and not retain that information? No, these are still cybercriminals…Of course, the ransom payment itself is negotiable as well.

Would you say it’s best for organizations to 

We are complete advocates for not making a payment if it’s unnecessary. It is our responsibility as consultants to educate clients on what will potentially occur or what can potentially transpire and the associated risks of paying or not making a payment. But ultimately, it is up to the client…We are not in a position where we think anybody should be funding cybercriminals or these types of organizations if they don’t have to.

A photo GuidePoint Security’s Mark Lance, a man wearing a white button down and suite jacket smiles.

How to start talks with a ransomware group

GuidePoint Security’s Mark Lance talks life in the cybercriminal group chat.

Eoin Higgins

Confidence is important, but when it comes to cybersecurity, you can have too much of a good thing.

 from BeyondID which revealed a disconnect in how defenders think of security and how it’s applied in the workplace. BeyondID CEO and co-founder Arun Shrestha told IT Brew that what he sees as a “confidence paradox” can lead to disaster.

“The paradox is that sometimes we feel like we are in better shape than really we are,” Shrestha said. “And in reality, when you really assess the core of the situation, we find that the facts are very different than the perception.”

Often, according to Sophos Red Team Technical Lead Eric Escobar, firms develop unearned confidence by simply purchasing products and assuming that the threat is taken care of. It’s an understandable reaction. But, as Escobar noted, it’s not real. It’s the “magical unicorn of protection.”

“It definitely scares me that people buy tools and then just assume that you know that they’re going to do everything 100% of the time,” Escobar said.

Confidence can be a good thing, Huntress co-founder and CEO Kyle Hanslovan told IT Brew. But it’s important to acknowledge that with every step forward in tech—be it cloud, new products, software, and the like—security may have to take a few steps backward to cover the adoption process. Overconfidence can lead to thinking about these issues incompletely, resulting in a failure to ensure things are properly configured and appropriately developed.

“A lot of people just say, ‘I feel good, but I don’t know what I’m getting wrecked by,’” Hanslovan said. “I think the bigger question is, why are vendors allowed to sell solutions that aren’t secure or configured or fully managed?”

BeyondID’s report numbers indicate that there’s “a systemic misalignment between perception and reality,” and the implementation of AI on both sides of the threat surface is only making things worse. A majority of respondents say their posture is established or advanced, but the reality of their abilities tells a different story.

Those self-identifying as “advanced” in their security posture were only following an average 4.7 of 12 best security practices. Less than three in 10 devote over 20% of their cybersecurity budget to identity, and 34% have failed a compliance audit because of identity security issues. Individually, any one of these concerns could theoretically be chalked up to allocation and decision-making—but all together, it looks like potential trouble.

“We work with customers to really organize their thoughts, saying that we all collectively realize, based on the actual true assessment signal of your infrastructure, you are maybe in the traditional foundational, not quite advanced and optimal [level of security],” Shrestha said, adding that’s “because of the disparity and understanding of the real facts versus what they believe they are. That’s really the basis for our report around this confidence paradox.”

Confidence can lead to security lapses, report finds

“The paradox is that sometimes we feel like we are in better shape than really we are,” BeyondID CEO tells IT Brew.

Threat hunters are fighting with added urgency in 2025, as a yearslong spike in attackers utilizing new tactics is adding fuel to the security fire. In 2024, 

, ransomware attacks were up for the third year in a row, and this year is expected to continue the trend. It’s a dangerous world out there for security teams—even as ransom payments saw a decline, 

Mike Mitchell, Intel 471 VP of threat hunt intelligence, told IT Brew that the security industry subsector is in a good position in 2025. He stressed the importance of continuing to get in front of the danger rather than falling behind.

“We’re seeing a lot of these actors and threats being able to persist and maintain access by hiding in plain sight, using things that aren’t easily detectable,” Mitchell said. “And so we try to proactively hunt for those behaviors.”

” report, 49% of those surveyed said they were victims of a breach; 72% of those respondents noted that threat hunting teams helped prevent or mitigate the attack. In order to improve their outcomes, Team Cymru said, organizations need to access better tools—like threat hunting.

Ryan Fetterman, Splunk Surge security strategist, told IT Brew that he was skeptical of that usage of threat hunting. Threat mitigation is a more reactive approach to security than threat hunting, which is more proactive and aimed at exploring the threat surface.

“The intention of threat hunting is still the same: You still are going in with the purpose of finding undetected security incidents,” Fetterman said. “But that’s a bad measuring stick for defining your success, because there’s obviously no guarantee that there are undetected attackers in your network or incidents to find.”

It’s unclear how seriously threat hunting is being taken at the federal level. In April, the US Cybersecurity and Infrastructure Security Agency told staffers they were 

 of two relevant threat hunting tools, Censys and Google’s VirusTotal.

But the private sector is paying attention. In the past, threat hunting firms and vendors would have to start by educating organizations on the benefits of deploying the tactic. Today, threat hunting is a well-known quantity; the tooling is often in place for hunters to get working. And the education they share now is about how threat actors operate.

“You sit in front of those tools and start to dig into the data, become the subject matter experts on that infrastructure, that organization, the security policies, the skeletons in the closet, the networks that are kind of off in no-man’s-land doing XYZ,” Mitchell said. “Those threat hunters end up educating themselves and again become that source of truth.”

Going forward, threat hunting will continue to be a part of the security posture. And Fetterman noted that mainstream acceptance goes a long way—but with technology moving fast, particularly AI, the state of the security industry subsector remains fluid.

“It’s in a good place where it’s kind of gotten mainstream adoption, and organizations know that it’s important and that it should be part of their security program,” Fetterman said. “But I also think it’s very much in flux at the moment.”

Whether or not AI is part of threat hunting for 2025, Mitchell said the tactic will continue to pay off for organizations.

“Threat hunting really helps with that risk and prioritization conversation,” Mitchell said. “Risk is the million-dollar word for C-level folks, CISOs of organizations. You have to define your risk, and you need to protect against that risk.”

A deer bellows as the sun rises over the Chateau de Chambord in central France.

Threat hunting is gaining in popularity—and importance

“We try to proactively hunt for those behaviors,” threat hunter evangelist says. 

Palo Alto Network’s latest acquisition may be a sign that identity security is poised for a big breakout moment in the industry, according to cybersecurity professionals who recently spoke with IT Brew.

 that it had entered a definitive agreement to acquire CyberArk for about $25 billion in cash and stock. The deal is expected to close in the second half of Palo Alto Networks’s 2026 fiscal year, pending the “receipt of regulatory clearances and approval by CyberArk shareholders.”

She’s an icon, she’s a legend, and she is the moment. 

The purchase marks Palo Alto’s largest deal to date and the second largest acquisition in the cybersecurity space for the year, right behind 

 in March. In a statement, Palo Alto Networks CEO Nikesh Arora said the cybersecurity company’s market entry strategy has always focused on entering new business categories “at their inflection point” and that identity security was currently having its moment in the industry.

“CyberArk is the definitive leader in identity security with durable, foundational technology that is essential for securing the AI era,” Arora said. “Together, we will define the next chapter of cybersecurity.”

Hed Kovetz, CEO and co-founder of Silverfort, told IT Brew that identity security is the “next frontier” as companies are starting to realize that it’s the “last line of defense in cybersecurity.” A 

 that surveyed 300 technology leaders found that more than three-fourths (78%) of those queried were planning to increase identity security spending within the next year.

“After years of investing a lot in cloud security and network security and endpoint security and data security, I think that the organizations realize that identity has been neglected and for too long it was relying on a patchwork of point solutions and legacy products,” Kovetz said. “So, a lot of companies and CISOs understand that identity is really the top priority.”

Palo Alto’s recent acquisition puts it in a very “strategic position,” according to Aviatrix Chief Product Officer Chris McHenry. He told IT Brew that there are “three fundamental legs of the stool” in runtime security: network security, endpoint security, and identity. McHenry said the CyberArk acquisition is what will round off Palo Alto’s presence in all three categories.

“Being able to cover…all three of the posts of the stool is an incredibly strategic position to be in,” McHenry said. “I don’t actually think there’s any other company that has all three pillars.”

McHenry said the challenge ahead for Palo Alto will be how well it will be able to integrate CyberArk into its wider portfolio.

“CyberArk is a very well established company. [Palo Alto] has done a lot of growth by acquisition.” McHenry said. “To get to a place where they can deeply integrate identity into those other pillars…is going to take a lot of work for them.”

Palo Alto Networks’s acquisition of CyberArk signals identity security growth

The acquisition is expected to close in the second half of Palo Alto’s 2026 fiscal year.

Palo Alto Networks’s $25 billion acquisition of CyberArk signals that identity security is having its moment

Like a knuckle sandwich slowly forming in the hand of the overworked IT pro, security resources are tightening.

Growth of security spending budgets—and security staff—has lagged for the first time in five years, according to IANS Research. And money is more likely to go to tools than people, according to the report’s researchers.

“We are seeing incredibly small budget availability for staff and much more willingness to spend on tools than people,” Nick Kakolowski, senior research director at IANS told us, referring to conversations he’s had with CISOs.

A 2024 Information Services Group survey, referenced in Forrester’s budget planning guide for 2025, revealed that software made up 35.9% of security budgets, while personnel made up 28.3%.

From 2020 to 2024, security budgets as a percentage of IT spending “grew steadily” from 8.6% to 11.9%. In 2025, the party slowed down, dipping for the first time in five years to 10.9% growth.

The IANS report, released in August, cites budget constraints across org departments, due to uncertainty caused by global market volatility, fluctuating inflation and interest rates, and unclear tariff policies.

“Cyber is not immune to macro conditions. Despite that, there’s still investment in the function,” Steve Martano, partner at Artico Search,which contributed to the IANS report, said.

“Most organizations have a baseline of security at this point, so the transformational days of having to really spend a lot on program build in terms of capex versus opex for most organizations: that’s already been done—not all organizations, but most,” he told us.

IANS found that the security teams, like budgets, are growing, just less than they used to. The average growth rate of the size of security teams reached 7%, according to the newly published research—the lowest increase percentage in the past five years.

Only 45% of CISOs were able to “add net new headcount,” a decline from 67% three years ago, and 51% in 2023.

47% of CISOs kept their team size flat in 2024.

Jill Knesek, CISO at financial operations platform BlackLine, shared in an email that budget growth “has slowed” for the company, “but not significantly.” Knesek shared that the company has invested in “cloud-agnostic security tools that provide a holistic view” of the company’s security posture, as well as products that automate software development and data collection for security audits.

“Leveraging automation, machine learning and AI capabilities will provide better efficiencies in our operations,” wrote Knesek. “This is allowing for the growth of our business while not requiring a like-for-like increase in security headcount.” Knesek noted that the company continues to add headcount “strategically.”

For CISOs and security pros facing tighter budgets and the same number of security threats, Martano recommends practitioners tie their security responsibilities to business needs.

“There’s an opportunity for an information security leader or a CISO to really take charge in the assessment of those products, and to really have a perspective on if and how those products maybe change a risk profile for an organization,” he said. “CISOs should have a voice in that room, and they should think of themselves as AI thought leaders internally. It would really be helpful to their career and would be helpful to their company.”