Trail of Bits57 · 2026-04-09 11:00
Master C and C++ with our new Testing Handbook chapter
We added a new chapter to our Testing Handbook: a comprehensive security checklist for C and C++ code. We’ve identified a broad range of common bug classes, known footguns, and API gotchas across C and C++ codebases and organized them into sections covering Linux, Windows, and seccomp. Whereas other handbook chapters focus on static and dynamic analysis, this chapter offers a strong basis for manual code review. LLM enthusiasts rejoice: we’re also developing a Claude skill based on this new ...
Qualys Threat Research45 · 2026-04-09 16:10
Scaling Modern AppSec: Moving from Static Profiles to AI-Powered Scan Optimization
Key Highlights. Security teams today are accountable for an ever-expanding estate of web applications and APIs. In large enterprises, that often means hundreds or thousands of assets distributed across regions, cloud environments, and business units. And yet most organizations cannot confirm, within a given compliance window, that every asset in their environment has been scanned, […]
Qualys Threat Research40 · 2026-04-09 15:00
12 Best Practices for Securing AWS Cloud in 2026
Key Takeaways. What Securing the AWS Cloud Really Means in 2026. Amazon Web Services (AWS) cloud security is the discipline of protecting cloud infrastructure, data, applications, and workloads on AWS through a combination of architectural choices, native controls, and continuous independent assurance. In 2026, this definition has materially evolved. Cloud environments are no longer static […]
Rapid7 Blog40 · 2026-04-09 12:46
What’s New in Rapid7 Products and Services: Q1 2026 in Review
If product releases had a runway moment, Q1 at Rapid7 would’ve walked out in Cloud Dancer; crisp, confident, and quietly powerful, before breaking into a full gallop in the Year of the Horse. At Rapid7, our first-quarter launches combined velocity with refinement: meaningful enhancements designed to move security teams faster without adding complexity. Let’s cover off the key launches, one by one. Detection and response. MDR for Microsoft. Getting more value from the tools you already have is a...
Rapid7 Blog35 · 2026-04-09 17:51
What Project Glasswing Means for Security Leaders
Anthropic’s Project Glasswing matters because it offers an early look at how quickly software flaws may soon be found, validated, and potentially turned into viable attack paths, even if that capability is currently limited to a closed partner program. Anthropic says its restricted Claude Mythos Preview model has already identified thousands of high-severity vulnerabilities, including flaws in major operating systems and browsers, and in some cases developed related exploits autonomously. Som...
Microsoft Security Blog32 · 2026-04-09 19:00
The agentic SOC—Rethinking SecOps for the next decade
In the SOC of the future, autonomous defense moves at machine speed, agents add context and coordination, and humans focus on judgment, risk, and outcomes. The post The agentic SOC—Rethinking SecOps for the next decade appeared first on Microsoft Security Blog.
Sophos News17 · 2026-04-09 00:00
We let OpenClaw loose on an internal network. Here’s what it found
Following our article on the challenges posed by agentic AI, we gave OpenClaw access to one of our legacy networks. Categories: Threat Research. Tags: OpenClaw, LLM, AI, penetration testing, Red Team, CISO, Sophos X-Ops
Sophos News14 · 2026-04-09 00:00
The vulnerability flood is here. Here’s what it means – and how to prepare
We can't control the pace of AI-driven vulnerability discovery, but we can control how fast we respond. Categories: Sophos Insights. Tags: LLM, AI, Exploit, vulnerability, Active Adversary, Pacific Rim
gilesthomas.com11 · 2026-04-09 20:00
Writing an LLM from scratch, part 32j -- Interventions: trying to train a better model in the cloud
Since early February, I've been trying various interventions on a 163M-parameter GPT-2-style model that I trained from scratch on my local RTX 3090, using code based on Sebastian Raschka's book "Build a Large Language Model (from Scratch)". My original model got a loss of 3.944 on my test set, while the original GPT-2 weights got 3.500 on the same dataset. I wanted to see if I could close that gap, and had a list of potential changes to the training setup, and to the model itself. Which o...
IEEE Spectrum11 · 2026-04-09 15:06
GoZTASP: A Zero-Trust Platform for Governing Autonomous Systems at Mission Scale
ZTASP is a mission-scale assurance and governance platform designed for autonomous systems operating in real-world environments. It integrates heterogeneous systems—including drones, robots, sensors, and human operators—into a unified zero-trust architecture. Through Secure Runtime Assurance (SRTA) and Secure Spatio-Temporal Reasoning (SSTR), ZTASP continuously verifies system integrity, enforces safety constraints, and enables resilient operation even under degraded conditions. ZTASP has pro...
miguelgrinberg.com11 · 2026-04-09 15:02
SQLAlchemy 2 In Practice - Chapter 4 - Many-To-Many Relationships
This is the fourth chapter of my SQLAlchemy 2 in Practice book. If you'd like to support my work, I encourage you to buy this book, either directly from my store or on Amazon. Thank you! Continuing with the topic of relationships, this chapter is dedicated to the many-to-many type, which as its name implies, is used when it is not possible to identify any of the sides as a "one" side.
Deeplinks10 · 2026-04-09 21:32
Yikes, Encryption’s Y2K Moment is Coming Years Early
Google moved up its estimated deadline for quantum preparedness in cryptography to 2029—only 33 months from now. That’s earlier than previous deadlines, and they proposed the new post-quantum migration deadline because of two new papers that comprise a big jump in the state of the technology. It’s ahead of schedule, but not altogether unexpected. Cryptographers and engineers have been working on this for years, and as the deadline gets closer, it’s not surprising to see more precise timeline...
The Daily WTF10 · 2026-04-09 06:30
CodeSOD: Take a Percentage
When looking at the source of a major news site, today's anonymous submitter sends us this very, very mild, but also very funny WTF: `<div class="g-vhs g-videotape g-cinemagraph" id="g-video-178_article_slug-640w" data-type="videotape" data-asset="https://somesite.com/videos/file.mp4" data-cinemagraph="true" data-allow-multiple-players="true" data-vhs-options='{"ratio":"560:320"}' style="padding-bottom: 57.14285714285714%">` Look, I know that percentage was calculated by JavaScr...
Microsoft Security Blog9 · 2026-04-09 15:00
Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees
Microsoft Incident Response – Detection and Response Team (DART) researchers observed an emerging, financially motivated threat actor, tracked as Storm-2755, compromising Canadian employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts. The post Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees appeared first on Microsoft Security Blog.
Sucuri Blog6 · 2026-04-09 19:00
Why 2FA SMS is a Bad Idea in 2026
What is 2FA? Two-factor authentication (2FA) offers a second layer of security to help protect an account from brute force, phishing, and social engineering attacks. 2FA requires an extra step for a user to prove their identity, which reduces the chance of a bad actor gaining access to their account or data. And since notifications are sent to verify the initial authentication via username and password, it also gives users and businesses the ability to monitor for potential indicators of a com...