FortiBleed isn’t a Fortinet vulnerability — it’s years of leaked configs, infostealer logs, and legacy password hashing compounding into tens of thousands of working FortiGate logins. There’s nothing to patch. Here’s what that changes for detection and response.
Keyless OIDC federation killed long-lived AWS keys in CI, but it moved the trust boundary into a JSON condition block most teams wrote once and never reread. Here is where the sub-claim hole lives, what CloudTrail can and can’t tell you, and why this is a configuration audit before it is ever a detection.
CVE-2025-32463 lets any local user reach root through sudo’s chroot option, and it patches in an afternoon. The detection most teams wrote for it alerts on the wrong binary — here’s the field to key on and the false positives that flood you first.
Ubuntu 24.04 enabled AppArmor mediation of unprivileged user namespaces by default, then Qualys published three ways around it. Here’s what the control actually stops, the audit chain that proves it fired, and how to detect abuse without flooding the SOC.
An attacker with app-management rights doesn’t need another password. They add their own secret to a trusted service principal and authenticate as the app, outside MFA and outside Conditional Access. Here is what the audit event looks like, what the first round of tuning has to fix, and where the cleanest preventive control hides behind a SKU you probably didn’t buy.
GTG-1002 showed an AI agent running recon through exfiltration at machine speed across roughly 30 targets. A blue-team analysis of the behavioral tells, the identity and SIEM signals that expose autonomous operations, how to break the adversary’s loop, and where defensive AI agents help versus where the human-in-the-loop line stays.
Short-lived OIDC federation from GitHub Actions to cloud IAM roles is the right pattern — and the trust policy condition is exactly where it goes wrong. What the abuse looks like in CloudTrail, why the obvious detection doesn’t fire, and what the first round of tuning has to fix.
CVE-2025-29927 let attackers skip Next.js middleware entirely with a single request header, including the middleware doing your auth. The detection is trivial once you capture the field — and the architecture mistake underneath it is the part worth your attention.
Adversary-in-the-middle kits steal the session token after MFA succeeds, then replay it from somewhere else. Here is how the replay actually looks in your sign-in logs, why token protection only half-closes the gap, and where it maps to 800-53.
System-preferred authentication is moving to the first factor, the password prompt is about to vanish for passkey holders, and break-glass accounts are not exempt from mandatory MFA. Here’s what that actually changes for Entra defenders and home users.
