<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Atharv Gupta</title>
    <description>The latest articles on DEV Community by Atharv Gupta (@atharv_57b83eb599e98c5940).</description>
    <link>https://dev.to/atharv_57b83eb599e98c5940</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3989212%2F003c5331-5302-4c93-b9b9-7a9ce6c23223.png</url>
      <title>DEV Community: Atharv Gupta</title>
      <link>https://dev.to/atharv_57b83eb599e98c5940</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/atharv_57b83eb599e98c5940"/>
    <language>en</language>
    <item>
      <title>From Assistive to Agentic AI: How Intelligent Automation Is Transforming Threat Management</title>
      <dc:creator>Atharv Gupta</dc:creator>
      <pubDate>Fri, 19 Jun 2026 12:33:22 +0000</pubDate>
      <link>https://dev.to/atharv_57b83eb599e98c5940/from-assistive-to-agentic-ai-how-intelligent-automation-is-transforming-threat-management-4n0</link>
      <guid>https://dev.to/atharv_57b83eb599e98c5940/from-assistive-to-agentic-ai-how-intelligent-automation-is-transforming-threat-management-4n0</guid>
      <description>&lt;p&gt;For years, security teams have poured resources into tools meant to improve visibility. Now, organizations run on dozens of security platforms, spanning &lt;a href="https://www.intelligencex.org/en/services" rel="noopener noreferrer"&gt;vulnerability management&lt;/a&gt;, &lt;a href="https://www.intelligencex.org/en/services/threat-modeling" rel="noopener noreferrer"&gt;threat intelligence&lt;/a&gt;, &lt;a href="https://www.intelligencex.org/en/services/endpoint-and-network-protection" rel="noopener noreferrer"&gt;endpoint security&lt;/a&gt;, &lt;a href="https://www.intelligencex.org/en/services/managed-cloud" rel="noopener noreferrer"&gt;cloud monitoring&lt;/a&gt;, and &lt;a href="https://www.intelligencex.org/en/compliance" rel="noopener noreferrer"&gt;compliance&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Still, even with more visibility than ever before, many security teams end up dealing with long investigation cycles, alert fatigue, and growing operational complexity that never really stops.&lt;/p&gt;

&lt;p&gt;So the real challenge is not a lack of data.&lt;/p&gt;

&lt;p&gt;The real challenge is turning that data into meaningful action, before attackers move faster than defenders can respond.&lt;/p&gt;

&lt;p&gt;This is where the cybersecurity industry is starting to pivot from assistive AI to agentic AI, and that shift could seriously change how organizations handle threat management overall.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Why More Security Tools Haven't Solved the Problem&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The typical enterprise security setup includes a lot of specialized solutions, each aimed at one specific area.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.intelligencex.org/en/services/threat-modeling" rel="noopener noreferrer"&gt;Threat intelligence platforms&lt;/a&gt; surface emerging risks.&lt;/p&gt;

&lt;p&gt;Vulnerability scanners uncover weaknesses.&lt;/p&gt;

&lt;p&gt;Exposure management solutions map the attack surface.&lt;/p&gt;

&lt;p&gt;Security information and event management (SIEM) platforms gather and connect logs.&lt;/p&gt;

&lt;p&gt;Each tool can help on its own, but more often they work in separate lanes. So security teams end up spending a ton of time shuttling information between systems, rechecking results, and figuring out what needs immediate attention right now.&lt;/p&gt;

&lt;p&gt;That’s where the operational gaps show up.&lt;/p&gt;

&lt;p&gt;By the time threat intelligence has been interpreted, vulnerabilities prioritized, exposure confirmed, and remediation actions approved, attackers may already have pushed deeper into the environment.&lt;/p&gt;

&lt;p&gt;The issue is not necessarily the quality of the tools. It is that the coordination between them is missing, or at least not consistent enough.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Understanding the Difference Between Assistive and Agentic AI&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;A lot of today’s cybersecurity AI tends to land in what some people would call assistive AI. In practice, it’s the kind of AI that helps security folks do their work faster, or at least with less busywork. It can summarize reports, analyze logs, produce documentation, and field questions about security events when someone asks.&lt;/p&gt;

&lt;p&gt;That sort of thing absolutely saves time, and it often boosts productivity too. The catch is that assistive AI usually still needs a human in the loop: an operator still has to stitch the context together, choose what matters, and coordinate actions across different, connected systems.&lt;/p&gt;

&lt;p&gt;Agentic AI, on the other hand, takes a slightly different direction.&lt;/p&gt;

&lt;p&gt;Instead of waiting around for instructions, agentic systems keep looking at incoming information, determine what is important, and then carry out workflows across linked security environments. Not just “read this summary” but more like “do the next steps” at the right moments.&lt;/p&gt;

&lt;p&gt;So rather than only summarizing a threat report, an agentic system can:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Look over the threat intelligence in a more hands-on way.&lt;/li&gt;
&lt;li&gt;Measure it against organizational assets and known baselines.&lt;/li&gt;
&lt;li&gt;Spot systems that might be exposed, at least potentially.&lt;/li&gt;
&lt;li&gt;Check whether security controls actually hold up in reality.&lt;/li&gt;
&lt;li&gt;Triage remediation activities, and sort them by urgency.&lt;/li&gt;
&lt;li&gt;Automatically escalate critical findings without someone hitting a button first.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The key difference isn’t simply “more automation”; the system behaves differently.&lt;/p&gt;

&lt;p&gt;It’s autonomous decision support operating at machine speed.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Why This Matters for Continuous Threat Exposure Management (CTEM)&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;As organizations start adopting Continuous Threat Exposure Management (CTEM), the pain from disconnected workflows becomes obvious. CTEM is all about continuously finding, validating, prioritizing, and fixing exposures before attackers get the chance to exploit them.&lt;/p&gt;

&lt;p&gt;But too often, companies run these pieces as if they’re separate projects, not one continuous rhythm. For example, threat intelligence might live in one platform. Exposure validation may get handled through periodic testing. And remediation decisions may not show up until weeks later.&lt;/p&gt;

&lt;p&gt;This fragmented approach limits effectiveness.&lt;/p&gt;

&lt;p&gt;To operationalize CTEM successfully, organizations need intelligence, validation, and response processes that actually work together continuously, not in silos.&lt;/p&gt;

&lt;p&gt;Agentic AI offers a path toward that goal.  &lt;/p&gt;

&lt;p&gt;By connecting threat intelligence, exposure management, validation, and remediation workflows, organizations can create a more proactive security model where findings move automatically from detection to action, and they do it faster than before.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;The Role of Context in Modern Security Operations&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;One of the biggest limitations of traditional automation is not just the lack of speed, but the lack of context.&lt;/p&gt;

&lt;p&gt;A vulnerability scanner might flag thousands of findings that then just sit there.&lt;/p&gt;

&lt;p&gt;A threat intelligence platform could list hundreds of emerging threats, but often only as signals.&lt;/p&gt;

&lt;p&gt;Without context, security teams get stuck sorting manually: what is actually relevant, and what is just background.&lt;/p&gt;

&lt;p&gt;Agentic systems can help bridge this gap by weaving organizational context into the decision process instead of treating everything like the same kind of alert.&lt;/p&gt;

&lt;p&gt;That kind of context can include things like:  &lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Business-critical assets
&lt;/li&gt;
&lt;li&gt;Existing security controls
&lt;/li&gt;
&lt;li&gt;Known attack paths
&lt;/li&gt;
&lt;li&gt;Historical incident data
&lt;/li&gt;
&lt;li&gt;Current threat activity &lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;So when the intelligence is paired with operational context, organizations can zero in on the exposures that are more likely to be exploited in the real world, not just in theory.  &lt;/p&gt;

&lt;p&gt;In the end, security teams spend less time cleaning up noise, and more time dealing with meaningful risk, which is kind of the whole point, really.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Building a More Proactive Security Architecture&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The future of threat management is unlikely to be defined by organizations that simply deploy more tools.&lt;/p&gt;

&lt;p&gt;Instead, success will come from creating connected security ecosystems where intelligence, validation, and response function as part of a unified process.&lt;/p&gt;

&lt;p&gt;This is why many security leaders are exploring solutions that combine threat intelligence, attack surface visibility, exposure validation, and governance into a more integrated operating model.&lt;/p&gt;

&lt;p&gt;Organizations looking to strengthen external visibility can benefit from advanced cyber intelligence capabilities that help identify exposed assets, leaked credentials, and emerging risks across the digital ecosystem.&lt;/p&gt;

&lt;p&gt;Similarly, effective data governance and consent management practices play an important role in ensuring sensitive information remains properly controlled, monitored, and compliant as organizations expand their digital operations.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;The Shift Is Already Underway&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The move from assistive AI to agentic AI represents more than a technology trend.&lt;/p&gt;

&lt;p&gt;It reflects a broader shift in how organizations approach cybersecurity.&lt;/p&gt;

&lt;p&gt;As attackers continue to leverage automation and AI-driven techniques, defensive strategies must evolve as well.&lt;/p&gt;

&lt;p&gt;The organizations that gain the greatest advantage will not necessarily be those with the largest security teams or the most tools.&lt;/p&gt;

&lt;p&gt;They will be the organizations capable of connecting intelligence, validation, and response into a continuous, adaptive process.&lt;/p&gt;

&lt;p&gt;In a threat landscape that increasingly operates at machine speed, the future belongs to security programs that can do more than observe risk.&lt;/p&gt;

&lt;p&gt;It belongs to those that can understand it, validate it, and act on it automatically.&lt;/p&gt;

</description>
      <category>threatmanagement</category>
      <category>agenticai</category>
      <category>ai</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>Why an Incident Response Retainer Doesn't Guarantee Incident Readiness</title>
      <dc:creator>Atharv Gupta</dc:creator>
      <pubDate>Fri, 19 Jun 2026 09:54:45 +0000</pubDate>
      <link>https://dev.to/atharv_57b83eb599e98c5940/why-an-incident-response-retainer-doesnt-guarantee-incident-readiness-18j1</link>
      <guid>https://dev.to/atharv_57b83eb599e98c5940/why-an-incident-response-retainer-doesnt-guarantee-incident-readiness-18j1</guid>
      <description>&lt;p&gt;When organizations sign an &lt;a href="https://www.intelligencex.org/en/services/incident-response-and-forensics" rel="noopener noreferrer"&gt;Incident Response (IR)&lt;/a&gt; retainer, there’s a quiet reassurance that everything is handled. The idea feels straightforward: if a cyber incident happens, help is right there, just a phone call away.&lt;/p&gt;

&lt;p&gt;But a retainer and actual readiness are two different things. A retainer mainly guarantees that someone, a person or a team on the other end of the line, answers. Operational readiness decides whether real, meaningful action can start immediately after that call.&lt;/p&gt;

&lt;p&gt;In today’s threat landscape, attackers don’t wait around while an organization goes through approvals, creates emergency accounts, or figures out who owns critical security systems. Every pause gives the attacker more time to move through the environment, escalate privileges, find sensitive data, and generally push the incident toward a bigger impact.&lt;/p&gt;

&lt;p&gt;That’s why the gap between a contained incident and a major breach is often counted in hours, not in days.  &lt;/p&gt;

&lt;p&gt;&lt;em&gt;What Really Measures Incident Readiness&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Lots of organizations have incident response plans, escalation procedures, and external response partners already lined up. Still, in a live security event, they frequently hit gaps they didn’t even know existed when the documents were being written.  &lt;/p&gt;

&lt;p&gt;Readiness isn’t proven by the files sitting in some shared folder, nor by how many security tools are deployed across the environment. True readiness is about speed, specifically how fast responders can answer three key questions:&lt;br&gt;&lt;br&gt;
1) How did the attacker get access?&lt;br&gt;&lt;br&gt;
2) What systems were affected?&lt;br&gt;&lt;br&gt;
3) What actions need to happen right away?  &lt;/p&gt;

&lt;p&gt;If security teams can’t answer those questions quickly, then containment slows down, investigations become harder, and the business impact grows.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Visibility comes before containment&lt;/em&gt;  &lt;/p&gt;

&lt;p&gt;One of the biggest misconceptions during incident response is the idea that responders must have control first. &lt;br&gt;
In reality, responders need visibility before they need authority. Before anything gets locked down or pushed into a “do later” box, you have to see what’s going on.&lt;/p&gt;

&lt;p&gt;Before systems can be isolated or credentials reset, investigators have to understand what has happened. They need access to identity systems, endpoint telemetry, cloud environments, logs, and the security monitoring platform.&lt;/p&gt;

&lt;p&gt;Without visibility, organizations risk making containment decisions based on partial information, and those choices can ripple.&lt;/p&gt;

&lt;p&gt;This is one reason many organizations run regular &lt;a href="https://www.intelligencex.org/en/services/threat-modeling" rel="noopener noreferrer"&gt;Threat Modeling&lt;/a&gt; exercises. When you already understand critical assets, trust relationships, and attack paths before the incident, responders can move faster and make more informed decisions when every minute matters and even a small delay hurts.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Why Identity Is Usually the Most Critical Starting Point&lt;/em&gt;  &lt;/p&gt;

&lt;p&gt;Modern cyberattacks often revolve around identity. Whether attackers are using stolen credentials, compromised tokens, abused privileges, or misconfigured access controls, identity becomes the foundation for lateral movement and persistence.&lt;/p&gt;

&lt;p&gt;During the first hours of an investigation, visibility into authentication activity can reveal things like:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Compromised accounts
&lt;/li&gt;
&lt;li&gt;Privilege escalation attempts
&lt;/li&gt;
&lt;li&gt;Suspicious logins
&lt;/li&gt;
&lt;li&gt;Unauthorized access patterns
&lt;/li&gt;
&lt;li&gt;Persistence mechanisms
&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Organizations that struggle to provide immediate access to identity systems tend to create unnecessary delays for internal responders and also for external teams. And by the time that access is provisioned, valuable investigation time may already be gone.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;The Cloud and Endpoint Visibility Challenge&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Cloud environments bring a unique problem to incident response.&lt;/p&gt;

&lt;p&gt;Unlike “classic” infrastructure, where you know what you’re looking at, attacker activity in cloud platforms often looks like normal administrative behavior: API calls, role assignments, or automation workflows that everyone already has running. And without fast access to cloud logs and current configurations, the real evidence can vanish before investigators even get a calm look.&lt;/p&gt;

&lt;p&gt;And on the endpoint side, telemetry is usually the clearest picture of what the attacker did. Modern &lt;a href="https://www.intelligencex.org/en/services/endpoint-and-network-protection" rel="noopener noreferrer"&gt;Endpoint Detection and Response (EDR)&lt;/a&gt; systems can show process execution, command patterns, credential theft attempts, and lateral movement tactics that are easy to miss otherwise.&lt;/p&gt;

&lt;p&gt;Organizations that routinely run &lt;a href="https://www.intelligencex.org/en/services" rel="noopener noreferrer"&gt;Vulnerability Assessment and Penetration Testing (VAPT)&lt;/a&gt; exercises tend to be in a better place. Not because they “prevent” everything, but because they already know where the visibility gaps are before a real incident forces the issue.&lt;/p&gt;

&lt;p&gt;Then there’s the communication problem, which keeps slowing everything down.&lt;/p&gt;

&lt;p&gt;Technical visibility is only part of being ready. Communication failures are still one of the biggest hurdles during major security incidents. A lot of teams just assume corporate email, collaboration platforms, and internal messaging will stay reliable during an attack. But sometimes… those systems are already compromised, and then you learn it the hard way.  &lt;/p&gt;

&lt;p&gt;If attackers can see or use communication channels, they may learn about containment plans, investigative outcomes, and response actions as they happen. For that reason, more mature security programs set up secure out-of-band communication channels, so they can flip them on immediately when an incident starts.  &lt;/p&gt;

&lt;p&gt;Also, it helps to appoint a dedicated incident manager. That person coordinates the stakeholders, handles messaging, and makes sure decisions move quickly and consistently, without turning into a confusing loop of approvals.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Readiness Needs More Than “Just Paperwork”&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;One of the most common mistakes organizations make is mixing up documentation with real capability. Policies may define emergency access procedures. Response plans may sketch out responsibilities. Governance frameworks may describe escalation paths. But if the emergency accounts have never been tested, if permissions have not been validated, or if teams have never actually run through the response procedures, then those controls can fail exactly when they’re needed most.&lt;/p&gt;

&lt;p&gt;This is why practical security validation becomes essential, not a nice-to-have. Organizations that regularly do &lt;a href="https://www.intelligencex.org/en/services/red-teaming" rel="noopener noreferrer"&gt;Red Teaming&lt;/a&gt; exercises can test not only technical controls, but also operational readiness: the communication workflows, escalation procedures, and the way decisions get made under realistic conditions.&lt;/p&gt;

&lt;p&gt;These exercises often expose gaps that traditional compliance assessments rarely uncover.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Governance plays a crucial role in incident response&lt;/em&gt;  &lt;/p&gt;

&lt;p&gt;Technology alone cannot guarantee readiness. Effective incident response relies on clear ownership, well-defined authority, and governance processes that hold up in the real world.  &lt;/p&gt;

&lt;p&gt;Organizations should know ahead of time:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Who can declare an incident, and who cannot
&lt;/li&gt;
&lt;li&gt;Who can authorize containment actions
&lt;/li&gt;
&lt;li&gt;Who communicates with leadership
&lt;/li&gt;
&lt;li&gt;Who engages external responders
&lt;/li&gt;
&lt;li&gt;Who owns critical systems and data
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Strong &lt;a href="https://www.consentx.io/lt" rel="noopener noreferrer"&gt;consent governance&lt;/a&gt;, along with better data management practices, also helps organizations keep visibility into sensitive information, so that security teams understand which data may be affected and what regulatory obligations could apply during an incident.&lt;/p&gt;

&lt;p&gt;Incident readiness gets built before anything happens, not after. The organizations that rebound the quickest from cyber incidents are rarely the ones with the slickest, most impressive documentation. They are the ones that did the work ahead of time, quietly.&lt;/p&gt;

&lt;p&gt;They tested access procedures. They checked that the logging and monitoring capabilities were actually working, not just written down. They practiced communication workflows and the right channels. They found ownership gaps and resolved them before a crisis, or a “surprise problem”, showed up.&lt;/p&gt;

&lt;p&gt;An Incident Response retainer still counts as a valuable investment, but it should be treated as only one piece of a wider readiness approach, not the whole thing. The real yardstick of preparedness isn’t whether help is available at all. It’s whether that help can start creating real impact the moment it arrives.&lt;/p&gt;

&lt;p&gt;In cybersecurity, every minute truly matters, and time does not politely wait. Organizations that invest in visibility, validation, governance and operational readiness before an incident occurs will always be standing in a stronger position when the inevitable call comes.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>vulnerabilities</category>
      <category>security</category>
      <category>incidentresponse</category>
    </item>
    <item>
      <title>The Growing Reality of AI Powered Surveillance and Why Organizations Should Pay Attention</title>
      <dc:creator>Atharv Gupta</dc:creator>
      <pubDate>Fri, 19 Jun 2026 07:08:28 +0000</pubDate>
      <link>https://dev.to/atharv_57b83eb599e98c5940/the-growing-reality-of-ai-powered-surveillance-and-why-organizations-should-pay-attention-2j2p</link>
      <guid>https://dev.to/atharv_57b83eb599e98c5940/the-growing-reality-of-ai-powered-surveillance-and-why-organizations-should-pay-attention-2j2p</guid>
      <description>&lt;p&gt;For many years, digital surveillance was pretty much tied to intelligence agencies and very targeted investigations. Today, that whole landscape has shifted a lot, and pretty fast, too.&lt;/p&gt;

&lt;p&gt;With advances in artificial intelligence, biometric identification systems, large-scale data aggregation, and commercial spyware, the reach of government monitoring across the world has widened. What used to be restricted to specialized operations is now, quietly, working its way into everyday digital infrastructure.&lt;/p&gt;

&lt;p&gt;For organizations, security teams, and business travelers, getting a grip on these changes isn’t just some “privacy” talk anymore. It has turned into a real cybersecurity and risk management issue, even if nobody is saying it out loud.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Surveillance Isn’t Really Limited to Old School Monitoring Anymore&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Modern governments can now access far more data than before.&lt;/p&gt;

&lt;p&gt;Telecommunications networks, public surveillance cameras, biometric databases, social media platforms, mobile devices, and cloud services all generate useful signals that can then be collected, interpreted, and connected at scale.&lt;/p&gt;

&lt;p&gt;And then AI shows up and changes the entire tempo. It helps governments process huge amounts of information much faster than human analysts can by hand or with slower workflows.&lt;/p&gt;

&lt;p&gt;So surveillance programs are not just about watching anymore. They increasingly focus on recognizing patterns, tracking movement, stitching identities together, and composing comprehensive digital profiles of people.&lt;/p&gt;

&lt;p&gt;For organizations that operate internationally, this shift creates security complications that stretch beyond the usual cybersecurity threats people expect.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;The Expanding Role of AI and Biometric Data&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;One of the most significant developments is the growing use of AI-powered public surveillance systems. Many cities worldwide now deploy things like facial recognition systems, automated license plate recognition, and smart CCTV monitoring. On top of that, there are behavioral analytics platforms and biometric identity verification systems too.&lt;/p&gt;

&lt;p&gt;Individually, these tools can still be framed as serving legitimate public safety purposes, but in practice, when they get stacked together with large-scale data collection programs, they turn into very powerful monitoring capabilities. And that’s where it gets tricky, because biometric databases are a particularly sensitive piece of the ecosystem. Unlike passwords, or even identification cards, biometric information cannot just be swapped out if it is compromised.&lt;/p&gt;

&lt;p&gt;So organizations that handle biometric information should focus on strong data governance practices and also on clearly defined consent management frameworks. The goal is to make sure sensitive personal data is collected, processed, and stored responsibly, not just in theory, but consistently.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Why This Matters for Organizations&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;People often talk about surveillance as if it’s only a human rights or privacy question. And yes, those concerns matter, but businesses also get pulled into this, because the risks don’t just sit in theory.&lt;/p&gt;

&lt;p&gt;For example, employees who travel internationally might be walking around with:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Corporate credentials&lt;/li&gt;
&lt;li&gt;Intellectual property&lt;/li&gt;
&lt;li&gt;Research data&lt;/li&gt;
&lt;li&gt;Customer information&lt;/li&gt;
&lt;li&gt;Sensitive communications&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If the place they go has strong surveillance capabilities, then unauthorized access to any of that material can turn into real operational headaches, and also reputational trouble. It can look minor at first, but it stacks up.&lt;/p&gt;

&lt;p&gt;That’s one of the reasons organizations are starting to use more structured &lt;a href="https://www.intelligencex.org/en/services/threat-modeling" rel="noopener noreferrer"&gt;Threat Modeling approaches&lt;/a&gt;. The goal is basically to map how data moves across borders, spot the highest-risk exposure points, and then evaluate how sensitive information might get accessed during travel or day-to-day business activities.&lt;/p&gt;

&lt;p&gt;When potential attack paths are understood before something goes wrong, organizations can make security decisions that are more informed, more grounded, and less reactive.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Commercial Spyware Is Lowering the Barrier to Surveillance&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Beyond the public monitoring systems, governments and other threat actors are increasingly using commercial spyware and endpoint surveillance tools.&lt;/p&gt;

&lt;p&gt;Unlike the older surveillance methods, these kinds of tools target the device itself, not only the traffic around it. Modern spyware may potentially monitor communications, capture screenshots, record keystrokes, access stored files, and extract authentication credentials too.&lt;/p&gt;

&lt;p&gt;The tricky part is that these actions often run quietly, so detection is hard. As organizations keep leaning on mobile devices plus remote work setups, it becomes more important to validate &lt;a href="https://www.intelligencex.org/en/services/endpoint-and-network-protection" rel="noopener noreferrer"&gt;endpoint security&lt;/a&gt; in practice. Running regular &lt;a href="https://www.intelligencex.org/en/services" rel="noopener noreferrer"&gt;Vulnerability Assessment and Penetration Testing (VAPT)&lt;/a&gt; programs can help reveal weaknesses that could be used to gain unauthorized access to sensitive systems and data.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;The Importance of Context in Modern Security&lt;/em&gt; &lt;/p&gt;

&lt;p&gt;Technology alone cannot solve every surveillance-related risk.&lt;br&gt;&lt;br&gt;
Organizations have to grasp not only what assets they keep, but also how those assets might get targeted by crafty adversaries.&lt;/p&gt;

&lt;p&gt;This is where human-led security assessments still bring significant, if quieter, value.&lt;/p&gt;

&lt;p&gt;When you run realistic &lt;a href="https://www.intelligencex.org/en/services/red-teaming" rel="noopener noreferrer"&gt;Red Teaming exercises&lt;/a&gt;, teams can see how an attacker might stitch together surveillance data, compromised credentials, exposed infrastructure, and even social engineering tricks to reach their objectives.  &lt;/p&gt;

&lt;p&gt;The aim is not just to spot vulnerabilities. The aim is to understand how multiple weaknesses can become one chain in real-world situations.&lt;br&gt;&lt;br&gt;
And often, that context is what decides whether something stays a theoretical risk or turns into actual exposure.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;AI Creates New Security Challenges Alongside New Opportunities&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Artificial intelligence plays a dual role in all this.&lt;/p&gt;

&lt;p&gt;On one hand, AI helps organizations strengthen threat detection, speed up investigations, and interpret security events at scale.  &lt;/p&gt;

&lt;p&gt;On the other hand, AI is also being used to expand surveillance capabilities, boost facial recognition accuracy, process behavioral data, and back large-scale monitoring programs.&lt;/p&gt;

&lt;p&gt;As AI adoption keeps accelerating, organizations should review potential risks tied to AI-powered systems. Do that through dedicated &lt;a href="https://www.intelligencex.org/en/services/ai-llm-penetration-testing" rel="noopener noreferrer"&gt;AI and LLM Security Assessments&lt;/a&gt;, so they can surface vulnerabilities that older testing approaches might miss.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Building Resilience During a Time of Growing Digital Surveillance&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The growth of AI-powered surveillance is probably not going to ease off in the coming years.&lt;/p&gt;

&lt;p&gt;For organizations, the answer is not to simply avoid technology. It is to build stronger security, governance, and risk management habits around how data is gathered, stored, passed along, and kept protected.&lt;/p&gt;

&lt;p&gt;When teams blend Threat Modeling, Red Teaming, ongoing &lt;a href="https://www.intelligencex.org/en/services" rel="noopener noreferrer"&gt;Vulnerability Assessment and Penetration Testing (VAPT)&lt;/a&gt;, plus solid consent governance approaches, organizations can get a clearer view of their exposure, and then make more informed security choices.&lt;/p&gt;

&lt;p&gt;As digital surveillance tools keep changing, the organizations most likely to do well will not be simply the ones with the most advanced technology. They’ll be the ones who know where their risk sits, how that risk can be leveraged, and how to handle it in a responsible way.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>privacy</category>
      <category>security</category>
    </item>
    <item>
      <title>Why Security Teams Need Validation, Not Just Visibility</title>
      <dc:creator>Atharv Gupta</dc:creator>
      <pubDate>Thu, 18 Jun 2026 17:43:17 +0000</pubDate>
      <link>https://dev.to/atharv_57b83eb599e98c5940/why-security-teams-need-validation-not-just-visibility-3p95</link>
      <guid>https://dev.to/atharv_57b83eb599e98c5940/why-security-teams-need-validation-not-just-visibility-3p95</guid>
      <description>&lt;p&gt;For years, cybersecurity investments focused on one main objective: visibility.&lt;/p&gt;

&lt;p&gt;Organizations rolled out vulnerability scanners, attack surface management platforms, threat intel solutions, endpoint detection tools, and cloud security technologies to get a clearer picture of their environments. Because of that, modern security teams can spot more risks than ever before.&lt;/p&gt;

&lt;p&gt;But visibility by itself is no longer the real headache.&lt;/p&gt;

&lt;p&gt;Right now, the problem is figuring out which findings actually matter and which ones are just noise. Security teams are inundated with alerts, vulnerabilities, misconfigurations, and risk reports. Finding potential issues has become much easier, yet choosing what needs immediate action remains consistently painful. In a lot of organizations, the question is no longer "What vulnerabilities exist?" It's "Which vulnerabilities create the biggest business risk?"&lt;/p&gt;

&lt;p&gt;This is where security maturity starts to shift, from detection toward validation.&lt;/p&gt;

&lt;p&gt;The Growing Gap Between Discovery and Prioritization&lt;/p&gt;

&lt;p&gt;Modern security programs crank out a huge pile of data. Vulnerability assessments, attack surface monitoring, threat intelligence feeds, and security testing continuously surface possible weaknesses across environments.&lt;/p&gt;

&lt;p&gt;But the main snag is that not every "finding" lands at the same risk level.&lt;/p&gt;

&lt;p&gt;A vulnerability may exist, but can it actually be leveraged? Is the impacted system truly reachable? Does it give access to sensitive assets? Can a real attacker exploit it in a practical way, then push deeper into the environment?&lt;/p&gt;

&lt;p&gt;Answering that takes more than plain visibility. It takes context: what surrounds a finding, not just a list of findings.&lt;/p&gt;

&lt;p&gt;This is one reason many organizations are putting more effort into structured threat modeling exercises to get a firmer grip on attack paths, trust boundaries, and the possible downstream impact of what they found.&lt;/p&gt;

&lt;p&gt;Instead of treating each issue as equally urgent, security teams can concentrate on the risks most likely to hit critical business operations.&lt;/p&gt;

&lt;p&gt;Why Context Matters More Than Volume&lt;/p&gt;

&lt;p&gt;Security teams end up with thousands of findings, all competing for limited remediation bandwidth. It gets messy fast.&lt;/p&gt;

&lt;p&gt;Without context, prioritization is just guessing in the dark. A team might end up working through lower-risk issues while the more urgent exposures sit there quietly, still unhandled.&lt;/p&gt;

&lt;p&gt;A vulnerability report by itself tells only half of the story. What organizations really need is clarity on whether the weakness is reachable, whether it's actually exploitable, and whether it can drive a real business impact rather than a theoretical problem.&lt;/p&gt;

&lt;p&gt;This is exactly where human expertise still matters a lot.&lt;/p&gt;

&lt;p&gt;Running more realistic Red Team exercises helps organizations test how adversaries could progress across an environment, surface usable attack paths, and clarify which specific weaknesses turn into operational risk. The outcome is not just more alerts; it's stronger confidence about which findings deserve immediate attention.&lt;/p&gt;

&lt;p&gt;The Rise of Adversarial Exposure Validation&lt;/p&gt;

&lt;p&gt;As cybersecurity programs mature, a lot of organizations are drifting toward Adversarial Exposure Validation (AEV) without really noticing the exact moment it started.&lt;/p&gt;

&lt;p&gt;Unlike traditional security assessments, which mainly concentrate on spotting vulnerabilities, AEV checks whether those weaknesses can actually be used in a real-world setting, not just in a lab.&lt;/p&gt;

&lt;p&gt;So, rather than asking "Does a vulnerability exist?", AEV asks "Can an attacker successfully leverage this vulnerability to reach their objectives?"&lt;/p&gt;

&lt;p&gt;That little change seems simple at first, but it really flips how risk is viewed.&lt;/p&gt;

&lt;p&gt;In practice, many security teams pair continuous Vulnerability Assessment and Penetration Testing (VAPT) with exposure validation approaches. The intent is to separate, in a more grounded way, the merely theoretical weaknesses from practical security threats. That helps organizations set remediation priorities using demonstrated risk, instead of relying only on severity scores, which can be misleading or overly optimistic depending on the context.&lt;/p&gt;

&lt;p&gt;Importantly, the goal is not to churn out more alerts. The goal is to build real confidence in decision-making, so the next steps are clearer and involve less guesswork.&lt;/p&gt;

&lt;p&gt;Where AI Helps, and Where Human Judgment Still Matters&lt;/p&gt;

&lt;p&gt;Artificial intelligence is transforming cybersecurity operations by improving visibility, speeding up analysis, and helping organizations work through enormous volumes of security data.&lt;/p&gt;

&lt;p&gt;With AI-powered tools, teams can spot patterns, connect the dots between findings, and surface likely exposures at a scale that would be hard to even attempt manually.&lt;/p&gt;

&lt;p&gt;But AI can't replace human judgment, not fully.&lt;/p&gt;

&lt;p&gt;As organizations integrate AI into critical workflows, AI/LLM Penetration Testing is becoming increasingly important to identify prompt injection, model manipulation, and AI-specific security risks.&lt;/p&gt;

&lt;p&gt;Risk prioritization often rides on elements that go past pure technical indicators. Business impact, operational dependencies, the organization's risk appetite, and even attacker behavior all influence how a finding should be interpreted.&lt;/p&gt;

&lt;p&gt;That's why many organizations still lean on expert-led Secure Code Reviews, plus offensive security assessments, to confirm automated findings and reveal risks that technology alone might overlook.&lt;/p&gt;

&lt;p&gt;In other words, AI can speed up security operations, yet accountability and the actual decision-making still depend on human expertise.&lt;/p&gt;

&lt;p&gt;The Shift Toward Validation Is Already Underway&lt;/p&gt;

&lt;p&gt;Many of the more mature security programs are already moving past simple vulnerability totals and instead homing in on exploitability, attack paths, and actual exposure that has been demonstrated.&lt;/p&gt;

&lt;p&gt;The discussion among security leaders feels different now. Success isn't really about how many findings get pulled out; it's about how well teams can figure out which ones actually need action.&lt;/p&gt;

&lt;p&gt;Organizations that do well here usually don't just "report"; they build mechanisms that tie technical findings back to business outcomes. They make sure the context shows up with every security choice, and they craft workflows so prioritization becomes faster and also more considered.&lt;/p&gt;

&lt;p&gt;Solid risk management also rests on strong consent governance along with disciplined data management practices. This helps organizations stay aware of how sensitive information is captured, queried, and secured across digital landscapes that keep getting more complicated.&lt;/p&gt;

&lt;p&gt;Turning Visibility into Confident Action&lt;/p&gt;

&lt;p&gt;With cyber threats continuing to evolve, security teams need more than just visibility. They need confidence, not only dashboards.&lt;br&gt;
If an organization wants to toughen up security prioritization, the best path is usually to blend Threat Modeling, Red Teaming, continuous security validation, and disciplined governance practices. Put together, these methods turn raw findings into actionable intelligence and help teams decide where to spend time and effort: in the places that cut the biggest amount of risk.&lt;/p&gt;

&lt;p&gt;So yeah, the future of cybersecurity probably won't go to the orgs that find the most vulnerabilities. It'll go to the organizations that can reliably tell which vulnerabilities are truly important, and then move, quickly and calmly, on those decisions.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>management</category>
      <category>security</category>
    </item>
    <item>
      <title>Why Most SOCs Are Still Struggling to Unlock the Full Value of AI</title>
      <dc:creator>Atharv Gupta</dc:creator>
      <pubDate>Thu, 18 Jun 2026 14:41:47 +0000</pubDate>
      <link>https://dev.to/atharv_57b83eb599e98c5940/why-most-socs-are-still-struggling-to-unlock-the-full-value-of-ai-5a2k</link>
      <guid>https://dev.to/atharv_57b83eb599e98c5940/why-most-socs-are-still-struggling-to-unlock-the-full-value-of-ai-5a2k</guid>
      <description>&lt;p&gt;Artificial Intelligence has rapidly moved from being a futuristic concept to a core investment area for Security Operations Centers (SOCs). Organizations are now deploying AI-powered security tools, copilots, and autonomous agents at an unprecedented pace, mostly expecting more accurate threat detection, better investigation, and faster response.&lt;/p&gt;

&lt;p&gt;But recent industry findings suggest that adoption alone doesn’t turn into success, at least not the way people assumed.&lt;/p&gt;

&lt;p&gt;For example, the SOC-CMM 2026 Maturity Report says only about 10% of SOCs report getting excellent value from their AI investments. Most others describe the outcomes as moderate, or even limited. So the question becomes: if companies are investing heavily in AI, why aren’t they getting the expected results?&lt;/p&gt;

&lt;p&gt;&lt;em&gt;The AI Adoption Boom in Security Operations&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The report also points out strong growth across basically every major category of AI used in SOC environments. AI copilots, AI agents, machine learning models, and large language models (LLMs) have all been adopted a lot over the last year.&lt;/p&gt;

&lt;p&gt;Still, even with that growth, many security teams keep running into issues around operational efficiency, workflow complexity, and inconsistent results that are sometimes reliable and sometimes not.&lt;/p&gt;

&lt;p&gt;So it doesn’t seem like the problem is a lack of money or tools. More and more organizations are realizing that just plugging AI capabilities into existing security products does not automatically improve Security Operations.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;The Real Problem Is Fragmented Security Workflows&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Most orgs have already rolled out AI across separate security platforms, like SIEM, EDR, SOAR, ticketing systems, and threat intelligence tools.&lt;br&gt;&lt;br&gt;
Each of those platforms might ship with its own AI features, for example AI-powered alert triage, automated investigations, incident summaries, threat hunting recommendations, and response automation.&lt;br&gt;&lt;br&gt;
All of this can help with individual steps, but each feature tends to run on its own, as a standalone.&lt;/p&gt;

&lt;p&gt;So an AI assistant looking at alerts might not have any visibility into what threat intelligence got gathered earlier that same day. And at the same time, an automated response system may fail to fully grasp the situation that was uncovered during a previous investigation.&lt;/p&gt;

&lt;p&gt;In the end, organizations often land on multiple AI tools, running in silos, instead of behaving like one connected security ecosystem.  &lt;/p&gt;

&lt;p&gt;That is the reason a lot of teams see diminishing returns over time.&lt;br&gt;&lt;br&gt;
A structured &lt;a href="https://www.intelligencex.org/en/services/threat-modeling" rel="noopener noreferrer"&gt;Threat Modeling&lt;/a&gt; approach can help by letting teams spot workflow gaps, trust boundaries, and operational bottlenecks before they add even more AI-driven automation.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Why AI by itself can’t really raise SOC maturity&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;One of the most important findings from the SOC-CMM report is that tech maturity keeps moving ahead faster than process maturity, and that gap is the core of the problem. In simple terms, organizations buy more security technology but do not make matching improvements to their processes, governance, and day-to-day execution.&lt;/p&gt;

&lt;p&gt;Security operations rely on more than tools. Effective SOC work needs well-defined workflows, solid institutional knowledge, cross-team cooperation, clear governance frameworks, and continuous improvement routines.&lt;/p&gt;

&lt;p&gt;Without those pieces, AI often speeds up the same old inefficiencies, rather than actually removing the friction.  &lt;/p&gt;

&lt;p&gt;Organizations should also balance automation with recurring &lt;a href="https://www.intelligencex.org/en/services/secure-code-review" rel="noopener noreferrer"&gt;Secure Code Review&lt;/a&gt; and security assessments, so AI-enabled workflows don’t accidentally bring new weaknesses, or operational exposure.  &lt;/p&gt;

&lt;p&gt;&lt;em&gt;What the best SOCs are doing differently&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The organizations reporting the highest value from AI tend to share one theme. They do not treat AI like some standalone feature; they treat it like part of the operational architecture.&lt;/p&gt;

&lt;p&gt;Instead of tossing in isolated AI assistants, they build connected workflows where threat intelligence, threat hunting, detection engineering, investigations, and remediation keep sharing context and updates.  &lt;/p&gt;

&lt;p&gt;That setup creates a feedback loop where investigations make better future detections, threat hunts sharpen intelligence collection, and response actions improve the next round of decisions. &lt;/p&gt;

&lt;p&gt;Over time, the institutional memory becomes reusable across the SOC, and the overall outcome is a more adaptable, more efficient security operation.&lt;/p&gt;

&lt;p&gt;Also, a lot of these teams are folding in &lt;a href="https://www.intelligencex.org/en/services/devsecops" rel="noopener noreferrer"&gt;DevSecOps&lt;/a&gt;, specifically Secure CI/CD practices, so security stays embedded throughout development and operational workflows, not treated as a separate job you “bolt on” later.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Governance Will Define the Future of AI Security Operations&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;As AI systems start acting more on their own, governance becomes more important right away. Security teams need real insight into what’s going on: how AI decisions are made, what data is actually being used, which actions can be automated, and how accountability stays intact when things get weird.&lt;/p&gt;

&lt;p&gt;If there’s no governance, organizations can end up with black-box-style systems, and analysts may hesitate to trust them, even if the outputs look good on paper. On the other hand, strong consent governance and privacy management practices can help keep transparency clearer, bolster accountability, and make sure sensitive information is treated responsibly across these AI-powered environments. In the end, trust is the big lever that determines whether AI becomes a productivity multiplier or turns into yet another layer of complexity.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Looking Ahead&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;So, the future of AI in security operations won’t really be decided by how many AI tools an organization decides to drop in. More than that, it will hinge on how well those tools work together, not only as separate instruments but as a connected set. The next generation of SOCs will probably concentrate on linking security functions, preserving institutional knowledge, and putting governance frameworks in place so AI can run safely and effectively.&lt;/p&gt;

&lt;p&gt;Organizations that invest in architecture, process maturity, and governance together with AI will likely be in a better spot to shift security operations from reactive workflows to intelligent ecosystems that keep improving continuously. And since cyber threats keep evolving, success won’t belong only to the orgs with the most AI, but to the ones that use AI as part of a connected, governed, strategically designed security operation.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>cloud</category>
      <category>security</category>
    </item>
    <item>
      <title>Agentjacking: This New AI Security Threat, Every Development Team Should Know About</title>
      <dc:creator>Atharv Gupta</dc:creator>
      <pubDate>Thu, 18 Jun 2026 14:11:54 +0000</pubDate>
      <link>https://dev.to/atharv_57b83eb599e98c5940/agentjacking-this-new-ai-security-threat-every-development-team-should-know-about-jol</link>
      <guid>https://dev.to/atharv_57b83eb599e98c5940/agentjacking-this-new-ai-security-threat-every-development-team-should-know-about-jol</guid>
      <description>&lt;p&gt;As more organizations adopt AI coding assistants to speed up software creation, security researchers are seeing something that feels new-ish but still hits hard. Attackers aren’t only after the code or the network; they target the AI agent itself, the thing so many teams rarely question and just assume is safe.&lt;/p&gt;

&lt;p&gt;Researchers at Tenet Security recently shared a technique they call Agentjacking. In plain terms, it’s a way to trick AI coding assistants into running attacker-controlled actions on a developer’s own machine. And yeah, the implications are broader than one tool or one vendor.&lt;/p&gt;

&lt;p&gt;As AI keeps getting woven into the software development lifecycle, it stops being “just assistance” and becomes, effectively, part of the overall attack surface. That’s the emerging cybersecurity reality researchers are pointing at.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;How Agentjacking Actually Works&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The whole attack leans on a trust gap between the AI coding agent and the outside services it uses to grab information. Basically, the agent believes those sources, or it treats what comes back from them as dependable context.&lt;/p&gt;

&lt;p&gt;In the scenario that was demonstrated, researchers used Sentry, a common error monitoring platform. Attackers were able to provide specially crafted error messages. These messages look normal and believable once they’re pulled back by an AI coding assistant through connected tools and existing integrations.&lt;/p&gt;

&lt;p&gt;Then, when a developer says something like, “Hey AI, please investigate this issue, or help resolve it,” the assistant might go and retrieve those malicious error reports. It then interprets them as trusted signals, like they’re instructions rather than bait.&lt;/p&gt;

&lt;p&gt;From there, the AI agent can be nudged into doing unintended actions, and it does so using the developer’s own permissions. So the damage isn’t theoretical, it can actually be executed on the endpoint that the developer uses day to day.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Why This Is Extra Concerning&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;One reason this is so worrying is that it doesn’t depend on phishing emails, malware downloads, or any direct access into company infrastructure. Instead, the manipulation happens through data that appears legitimate to the AI system. It’s a kind of “credible enough” input that slips through because the agent is set up to trust what it reads.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Why this matters beyond AI&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Agentjacking surfaces a wider issue hitting orgs that are moving into AI-driven workflows: trust, not in a vague way but in a day-to-day operational sense. Most traditional security setups still revolve around confirming who’s using what, where the device is coming from, which app is actually running, and so on. With AI, though, there’s another layer. Organizations also have to judge whether what the intelligent system is absorbing, and then acting on, is trustworthy or not.&lt;/p&gt;

&lt;p&gt;When AI assistants are given access to source code, cloud environments, repositories, and development tools, a poisoned reasoning process can turn into a lot of downstream damage. Not always instantly, but enough that the cost shows up later, maybe in the form of bad changes, data exposure, or weird behaviors that are hard to trace.&lt;/p&gt;

&lt;p&gt;This is why more organizations are putting money and time into &lt;a href="https://www.intelligencex.org/en/services/threat-modeling" rel="noopener noreferrer"&gt;Threat Modeling&lt;/a&gt; practices. The goal is to map out how these newer technologies can open up attack paths before someone else gets a head start.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;The Growing Need for Secure AI Development&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;AI-assisted coding is changing how software gets built, and yes, it’s faster. But the pace should not become the excuse for skipping security. Development teams should look at things like:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;how AI tools receive information, and from where it originates
&lt;/li&gt;
&lt;li&gt;which outside systems they allow as trusted inputs
&lt;/li&gt;
&lt;li&gt;what permissions AI-assisted workflows can actually reach
&lt;/li&gt;
&lt;li&gt;how instructions are checked, and validated, before any execution
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Also, regular &lt;a href="https://www.intelligencex.org/en/services/secure-code-review" rel="noopener noreferrer"&gt;secure code review&lt;/a&gt; still matters a lot, even when AI tools generate or tweak code. Human oversight stays important, because automated systems may miss risks that a person can spot, or at least flag quickly.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Building Governance Around AI&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The Agentjacking research also highlights how much governance matters in AI adoption. A lot of organizations spend time on the AI capabilities but forget the less-visible part: how these systems should access, process, and communicate sensitive information. Setting up strong &lt;a href="https://www.consentx.io/" rel="noopener noreferrer"&gt;consent governance&lt;/a&gt; and reliable data management practices tends to keep organizations in the loop, so there’s visibility into how information moves across AI-enabled environments, and at the same time it helps satisfy compliance and accountability needs.&lt;/p&gt;

&lt;p&gt;And as AI adoption keeps speeding up, governance is going to feel just as critical as innovation, maybe even more so.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Looking Ahead&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Agentjacking might be one of the earliest cases where attackers target the trust relationships that help AI assistants function, but it’s probably not the last one. The big takeaway for organizations is pretty straightforward: securing AI systems is no longer just about guarding the models. It also means digging into the data, the integrations, the permissions, and those day to day workflows that end up shaping AI decision-making.&lt;/p&gt;

&lt;p&gt;Organizations that pair solid security practices with workable governance should end up in a better place to adopt AI safely. They’ll also maintain trust in the systems their teams depend on every single day.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>CISA Advises Review of Software Development Processes Following Supply Chain Incidents</title>
      <dc:creator>Atharv Gupta</dc:creator>
      <pubDate>Thu, 18 Jun 2026 09:40:34 +0000</pubDate>
      <link>https://dev.to/atharv_57b83eb599e98c5940/cisa-advises-review-of-software-development-processes-following-supply-chain-incidents-1b3o</link>
      <guid>https://dev.to/atharv_57b83eb599e98c5940/cisa-advises-review-of-software-development-processes-following-supply-chain-incidents-1b3o</guid>
      <description>&lt;p&gt;With the U.S. Cybersecurity and Infrastructure Security Agency (CISA) putting out a warning over the latest round of supply chain attacks, organizations are being told to take a hard look at their software development pipelines.&lt;/p&gt;

&lt;p&gt;The agency’s advisory has put the matter of software supply chain security back in the limelight. It comes on the heels of two incidents that show a shift in tactics: attackers are no longer content with traditional network entry points and are instead zeroing in on the tools and workflows of developers.&lt;/p&gt;

&lt;p&gt;Take the so-called Megalodon attack for instance. In that case, more than 5,500 open-source repositories were hit. For any organization with a heavy dependence on open-source parts, it is a timely reminder to put regular &lt;a href="https://intelligencex.org/software-composition-analysis/" rel="noopener noreferrer"&gt;Software Composition Analysis (SCA)&lt;/a&gt; in place to weed out vulnerable or compromised dependencies before they make it to production. Reports have it that the intruders made off with cloud credentials, SSH keys and API tokens by slipping malicious GitHub Action workflows into repositories where branch protection was lacking.&lt;/p&gt;

&lt;p&gt;Then there was the matter of the Nx Console, a Visual Studio Code extension that was turned against its users. A tainted version was up on the Visual Studio Marketplace for a time, posing a risk to anyone who put it on their system. This compromise is thought to be tied to an earlier assault on Nx developer systems and in the end led to a GitHub employee’s device being compromised.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why you should be concerned&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Modern development is all about efficiency through automation and third-party platforms, but that also means a wider attack surface for threat actors. Supply chain attacks don’t go after the end user in the way a conventional cyberattack might; they target the very tools developers trust day in and day out. One workflow or repository left exposed can have a ripple effect on hundreds of downstream users. To head off such weaknesses before they are exploited, CISA suggests a combination of automated scanning and a thorough &lt;a href="https://intelligencex.org/secure-code-review-2/" rel="noopener noreferrer"&gt;Secure Code Review&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Out of sight, these development zones grow harder to track. Staying alert means guarding every piece of code like it matters, because it does. Watch how tools move, who accesses what, and when things shift without warning. A quiet system today might hide tomorrow’s problem. Trust nothing, verify everything, repeat often.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Organizations and Their Actions&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Start by checking workflow files and contributor activity; this matters most for changes that showed up after May 18. Watch repositories closely if edits arrived after that date. Development teams should look at these details before anything else goes wrong, and security teams must stay on top of changes around that date that others might miss.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Pay close attention to these points:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Unexpected workflow modifications&lt;/li&gt;
&lt;li&gt;Suspicious pull requests&lt;/li&gt;
&lt;li&gt;Unauthorized commits&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Out-of-the-ordinary paths open up when build tools show up where you least expect them.&lt;/p&gt;

&lt;p&gt;When odd changes show up, firms need to check how deep the issue goes, then replace corrupted files fast; using clean backups helps. A surprise shift means trouble started somewhere quiet. Finding it takes looking through logs carefully. Fixing things means rolling back to what worked before. The clock starts once detection happens. Speed matters, but so does accuracy when rebuilding systems.&lt;/p&gt;

&lt;p&gt;Watch out for odd activity in dev workflows: spotting trouble early cuts down on serious breaches later. To stay ahead, some teams map how attackers might move through systems, spotting weak spots before they become problems. Looking at risks this way shapes better defenses across every phase of building software. Noticing patterns early means fewer surprises when code goes live.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Responding to Possible Security Breach&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;If your organization might be impacted, check CI/CD logs carefully, as CISA recommends. Review developer machines along with cloud audit records. Go through each piece slowly, one after another. Look closely at activity timelines across systems, and pay attention to unusual entries in deployment histories. Dig into access patterns tied to build processes, watch for mismatches in authorization events, and cross-check tool interactions. Let nothing skip past close inspection.&lt;/p&gt;

&lt;p&gt;On top of that, refresh or remove every credential that might have been exposed, such as passwords, keys, and tokens:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;API tokens&lt;/li&gt;
&lt;li&gt;Cloud credentials&lt;/li&gt;
&lt;li&gt;SSH keys&lt;/li&gt;
&lt;li&gt;CI/CD pipeline secrets&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Here’s what matters most: securing how software gets built is no longer only a concern for coders; it shapes the safety of entire companies. It once lived in back rooms, but now it stands front and center, where risks meet real damage.&lt;/p&gt;

&lt;p&gt;When companies move toward cloud-based coding, watching over their code storage, tools, plus login details becomes key. Staying aware helps lower threats to how software is built and delivered. Without clear sight, weak spots grow. Spotting issues early keeps the process safer in the long run.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>news</category>
      <category>opensource</category>
      <category>softwaredevelopment</category>
    </item>
    <item>
      <title>Chinese hackers turned Google Workspace against its own users, a new lesson in cloud security</title>
      <dc:creator>Atharv Gupta</dc:creator>
      <pubDate>Wed, 17 Jun 2026 14:11:18 +0000</pubDate>
      <link>https://dev.to/atharv_57b83eb599e98c5940/chinese-hackers-turned-google-workspace-against-its-own-users-a-new-lesson-in-cloud-security-3jn2</link>
      <guid>https://dev.to/atharv_57b83eb599e98c5940/chinese-hackers-turned-google-workspace-against-its-own-users-a-new-lesson-in-cloud-security-3jn2</guid>
      <description>&lt;p&gt;As orgs harden their defenses against malware and ransomware, attackers are apparently having more luck with something that sounds almost boring: legitimate tools already sitting inside the environment.&lt;br&gt;&lt;br&gt;
A campaign uncovered by Google’s Threat Intelligence Group (GTIG) shows how that kind of “normal” abuse can go very wrong.&lt;/p&gt;

&lt;p&gt;Google’s investigation says a China-linked cyber espionage group tracked as UNC6508 spent more than a year inside the networks of healthcare, academic, and military research organizations across North America. They weren’t trying to stop work. Not really. Instead they quietly gathered sensitive research, defense-related communications, and strategic information, with the intent of not triggering any real alarms.&lt;/p&gt;

&lt;p&gt;What makes the incident really stand out is that the intruders didn’t lean on advanced data theft malware. Rather, they misused a trusted Google Workspace function to automatically copy targeted emails into accounts they controlled.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How It All Worked&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;At first the attackers got in through compromised REDCap servers. REDCap is a popular research data management platform that many universities, hospitals, and research institutions rely on.&lt;br&gt;
Once they had a foothold, the group rolled out a custom piece of malware called INFINITERED, which let them grab credentials, keep a steady presence, and later move further into internal networks.&lt;/p&gt;

&lt;p&gt;Later on, the attackers ended up with administrator-level access.&lt;br&gt;
And yeah, that changed everything.&lt;/p&gt;

&lt;p&gt;Rather than using usual exfiltration tools, UNC6508 went with a different angle: they set up a Google Workspace content compliance rule. This rule quietly watched emails that contained certain terms tied to military strategy, advanced technologies, artificial intelligence, cybersecurity programs, and also medical research.&lt;/p&gt;

&lt;p&gt;If an email matched, Google Workspace then silently forwarded a copy to an inbox that the attackers controlled.&lt;br&gt;
Because the whole process leaned on a genuine platform feature, it produced relatively little unusual network traffic. It just looked like normal operations, so it blended in.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why This Attack Matters&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The campaign shows a rising pattern in modern cyberattacks: attackers increasingly choose to abuse trusted cloud features instead of dropping the usual obvious malware.&lt;/p&gt;

&lt;p&gt;A lot of organizations put real budget into endpoint protection, threat detection, and constant network monitoring. In practice, though, legitimate administrative tools get much less attention.&lt;/p&gt;

&lt;p&gt;Once someone lands privileged access, those built-in cloud capabilities can turn into very effective channels for data theft or exfiltration, quiet pathways you do not notice right away.&lt;/p&gt;

&lt;p&gt;For security teams this becomes a major problem, because the behavior can technically look completely normal, and that makes it harder to flag.&lt;br&gt;
This attack also points to a governance gap: companies often concentrate on defending data from outside dangers while forgetting that internal permissions and administrative controls can be quietly misused too.&lt;/p&gt;

&lt;p&gt;If there is a solid data governance framework in place, organizations can keep stronger visibility into who can reach sensitive information, how that information is being shared, and which controls should stop unauthorized movement of data before it goes too far.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Growing Importance of Cloud Governance&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;As businesses move critical operations into cloud spaces, security is no longer just about infrastructure defense. &lt;/p&gt;

&lt;p&gt;Organizations also need to understand how platform tools can be abused by attackers, or at least misused by mistake.&lt;/p&gt;

&lt;p&gt;That means there has to be continuous monitoring of:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Administrative permissions
&lt;/li&gt;
&lt;li&gt;Email forwarding rules
&lt;/li&gt;
&lt;li&gt;Data sharing policies
&lt;/li&gt;
&lt;li&gt;Compliance configurations
&lt;/li&gt;
&lt;li&gt;Third-party integrations &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Security teams should regularly audit these controls to spot unauthorized changes before they grow into something more serious.&lt;/p&gt;

&lt;p&gt;It is equally crucial to keep solid privacy and compliance stewardship in place, because it helps the organization map how sensitive information travels across systems and who ends up being able to access it.&lt;/p&gt;

&lt;p&gt;Without clear visibility, even “trusted” cloud setups can quietly turn into blind spots.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key Lessons for Organizations&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The UNC6508 campaign is a clear reminder that modern cybersecurity is not just malware detection. It goes further than that, and it keeps moving.&lt;/p&gt;

&lt;p&gt;Organizations should:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Patch externally facing systems promptly
&lt;/li&gt;
&lt;li&gt;Remove outdated software versions
&lt;/li&gt;
&lt;li&gt;Monitor administrative activity continuously
&lt;/li&gt;
&lt;li&gt;Review email forwarding and compliance rules regularly
&lt;/li&gt;
&lt;li&gt;Implement phishing-resistant multi-factor authentication
&lt;/li&gt;
&lt;li&gt;Audit privileged accounts frequently
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Most importantly, organizations should recognize that trust alone is not a security control, even if it feels safe.&lt;br&gt;&lt;br&gt;
Even legitimate features can turn into attack vectors when governance and oversight are weak or inconsistent.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Looking Ahead&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The most concerning part of this campaign is not how the attackers got in. It is how quietly they worked once the access was already there.&lt;/p&gt;

&lt;p&gt;By abusing built-in cloud functionality, they showed a trend: modern attacks increasingly target processes, permissions, and governance gaps rather than only technical vulnerabilities.&lt;/p&gt;

&lt;p&gt;As organizations keep expanding their cloud footprint, visibility and accountability will matter just as much as traditional security controls, maybe even more in practice.  &lt;/p&gt;

&lt;p&gt;Learn how &lt;a href="https://www.consentx.io/lt" rel="noopener noreferrer"&gt;ConsentX&lt;/a&gt; helps organizations strengthen governance, improve visibility into sensitive data processes, and build a more resilient foundation for privacy, compliance, and trust in today’s cloud-first environment. &lt;/p&gt;

</description>
      <category>cloud</category>
      <category>cybersecurity</category>
      <category>google</category>
      <category>security</category>
    </item>
  </channel>
</rss>
