Anthropic launched Project Glasswing with 12 major tech companies, using its unreleased Claude Mythos Preview model to find and patch zero-day vulnerabilities at a scale and speed that didn’t exist six months ago. The implications for vulnerability management, patching cycles, and defensive security programs are enormous.
Device code phishing has gone from a niche state-sponsored technique to a commoditized attack with at least 11 phishing kits and a 37x surge in 2026. The attack abuses the legitimate OAuth 2.0 Device Authorization Grant flow, routes victims through real Microsoft login pages, and bypasses MFA entirely. What practitioners need to understand.
Check Point Research disclosed a ChatGPT vulnerability that used DNS tunneling to silently exfiltrate conversation data from an isolated runtime. The technique is decades old. The blind spot that enabled it is not.
On March 23, 2026, the FCC updated its Covered List to include every consumer-grade router produced outside the United States. New models can’t get FCC equipment authorization, which means they can’t be imported or sold here. Existing models already on shelves aren’t affected, and manufacturers can apply for a “Conditional Approval” exemption through the Department of War (formerly Department of Defense) or the Department of Homeland Security.
The ruling names the Volt, Flax, and Salt Typhoon campaigns as direct justification. And that’s where this gets interesting for anyone working in network security.
Two weeks before a Substack investigation exposed Delve for allegedly rubber-stamping SOC 2 reports at scale, I wrote about the structural problems with compliance automation platforms. The allegations confirmed the warning.
RSAC 2026 opens today at the Moscone Center in San Francisco. I’m not there in person this year, but I’ve spent the past week tracking every pre-conference announcement, keynote preview, and vendor press release. There’s a lot to take in, so here’s my attempt to highlight what’s most relevant for practitioners this week.
The conference covers a lot of ground this year. Post-quantum cryptography, supply chain security, social engineering, cloud security, governance under the EU AI Act, workforce burnout, and even vibe coding as an emerging security risk all have dedicated sessions and tracks. RSAC itself identified seven key trends from this year’s submissions: MCP, agentic AI, vibe coding, identity, governance, addressing burnout, and the power of partnerships.
NHIs are the privileged service account problem reborn at 100x scale. Same mistakes, same inertia, same excuses. Except now the service account can reason, make decisions, and talk to other service accounts autonomously.
On March 10, 2026, AppsFlyer’s JavaScript SDK was compromised in an active supply chain attack. If you run an ecommerce site and that script loads on your payment pages, you’ve potentially been serving malicious code to every customer who checked out over the past 72+ hours. No changes to your codebase required. No alerts from your WAF. No red flags on your server logs.
This is actively happening.
And for anyone who’s been wondering why the PCI Security Standards Council added requirements 6.4.3 and 11.6.1 to PCI DSS 4.0.1, this is your answer.
A practitioner breakdown of the IBM X-Force Threat Intelligence Index 2026. Vulnerability exploitation overtakes phishing as the top attack vector, supply chain compromises quadruple, and AI accelerates attacker operations while defenders struggle with the basics.
A reality check on why running your environment through Vanta, Drata, Secureframe, Delve, or a SaaS app doesn’t make you PCI DSS compliant, and why enterprises should be asking harder questions about their vendors.