<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel>
        <copyright>Copyright TechTarget - All rights reserved</copyright>
        <description></description>
        <docs>https://cyber.law.harvard.edu/rss/rss.html</docs>
        <generator>Techtarget Feed Generator</generator>
        <language>en</language>
        <lastBuildDate>Mon, 11 May 2026 16:44:09 GMT</lastBuildDate>
        <link>https://www.techtarget.com/searchsecurity</link>
        <managingEditor>editor@techtarget.com</managingEditor>
        <item>
            <body>&lt;p&gt;When sensitive data is stolen in high-profile data breaches, the information doesn't simply vanish into a digital void. Data extraction is just the beginning of a calculated journey through a sophisticated criminal economy where files are tested, packaged, priced and listed on dark web marketplaces. There, buyers ranging from fraud rings to nation-state actors bid for access, after which the information is used to commit a host of cybercrimes.&lt;/p&gt; 
&lt;p&gt;The &lt;a href="https://www.techtarget.com/whatis/definition/dark-web"&gt;dark web&lt;/a&gt; is an encrypted layer of the internet intentionally hidden from casual browsers. Accessing the dark web requires anonymizing software, often using Tor, which routes traffic through encrypted multihop relays and resolves .onion addresses invisible to standard &lt;a href="https://www.techtarget.com/searchsecurity/tip/DNS-security-best-practices-to-implement-now"&gt;DNS&lt;/a&gt;. The commodities traded on the dark web include credentials, payment card data, personally identifiable information (&lt;a href="https://www.techtarget.com/searchsecurity/definition/personally-identifiable-information-PII"&gt;PII&lt;/a&gt;), healthcare records, corporate network access, ransomware-as-a-service kits and forged documents.&lt;/p&gt; 
&lt;p&gt;With the FBI's Internet Crime Complaint Center reporting cybercrime &lt;a href="https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf" target="_blank" rel="noopener"&gt;losses exceeding $20.9 billion&lt;/a&gt; in 2025, a 26% increase over the previous year, it's clear that threat actors are exploiting a dynamic market that converts stolen data into reliable cash, making criminal investment in organized attacks highly lucrative.&lt;/p&gt; 
&lt;p&gt;The dark web is that market.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="A professionalized supply chain: The players"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;A professionalized supply chain: The players&lt;/h2&gt;
 &lt;p&gt;The dark web operates with role specialization that mirrors a commercial supply chain.&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;The collectors.&lt;/b&gt; Phishing crews, infostealer operators and ransomware groups extract the raw data. Verizon's "2025 Data Breach Investigations Report" found that credential theft was present in 22% of breaches, 20% of exploited vulnerabilities and 16% of phishing activities. Flashpoint's "2025 Global Threat Intelligence Report" tracked more than 23 million hosts infected with infostealers, resulting in 2.1 billion harvested credentials.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Initial access brokers.&lt;/b&gt; IABs specialize in the intrusion phase, &lt;ins datetime="2026-05-11T09:55" cite="mailto:Shea,%20Sharon"&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/What-role-does-an-initial-access-broker-play-in-the-RaaS-model"&gt;selling verified network access&lt;/a&gt;&lt;/ins&gt; rather than executing attacks themselves.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Marketplace operators and aggregators.&lt;/b&gt; The platform layer includes BreachForums, Russian Market, 2easy and a growing number of Telegram channels. Operators collect listing fees while providing escrow systems, reputation scoring and dispute resolution. These markets often operate with commercial-grade controls.&lt;/li&gt; 
  &lt;li&gt; &lt;p&gt;&lt;b&gt;The buyers.&lt;/b&gt; Fraud rings form the largest demand segment, acquiring PII, "fullz" -- complete identity packages -- and card data for account takeovers, synthetic identity fraud and fraudulent loan applications. Ransomware affiliates and &lt;ins datetime="2026-05-05T14:19" cite="mailto:Livingston,%20Richard"&gt;&lt;a href="https://www.techtarget.com/searchsecurity/feature/What-executives-must-know-about-nation-state-threat-actors"&gt;nation-state actors&lt;/a&gt;&lt;/ins&gt; buy IAB listings and proceed directly to encryption and exfiltration.&lt;/p&gt; &lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Dark web prices and payment"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Dark web prices and payment&lt;/h2&gt;
 &lt;p&gt;Pricing on dark web markets follows consistent logic, dictated by data freshness, completeness, validity and country tier.&lt;/p&gt;
 &lt;p&gt;DeepStrike's August 2025 dark web analysis, drawing on Trustwave, SOCRadar and live market data, found U.S. credit card data with CVV demand $10 to $40, while a card with a verified $5,000 balance fetches $110 to $120. Healthcare records can cost $500-plus per record and, unlike cards, they cannot be canceled or rotated. According to Check Point's 2025 IAB report, most corporate access listings price between $500 and $3,000, with domain admin credentials commanding far more.&lt;/p&gt;
 &lt;p&gt;Payments are almost always made with cryptocurrency. Bitcoin is common for ransomware transactions, while Monero is preferred for marketplace trades due to its built-in privacy features. &lt;a href="https://www.techtarget.com/searchcio/tip/CIO-guide-to-stablecoins"&gt;Stablecoins&lt;/a&gt;, primarily USDT, account for 63% of illicit crypto volume according to Chainalysis's "2025 Crypto Crime Report."&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Market scale and the data lifecycle"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Market scale and the data lifecycle&lt;/h2&gt;
 &lt;p&gt;The dark web's stolen data market operates at measurable scale. &lt;a href="https://www.kelacyber.com/resources/research/state-of-cybercrime-2026/" target="_blank" rel="noopener"&gt;KELA's "State of Cybercrime 2026" report&lt;/a&gt; tracked 2.86 billion compromised credentials circulating across criminal markets in 2025, spanning infostealer malware, breach databases and underground marketplaces.&lt;/p&gt;
 &lt;p&gt;Once extracted, stolen data moves through four distinct stages:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Aggregation.&lt;/b&gt; Credentials are tested against live services before listing, with verified pairs commanding higher prices.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Packaging.&lt;/b&gt; Material is assembled into combo lists, fullz bundles or stealer logs with one folder per infected machine containing browser passwords, cookies, autofill data and crypto wallet files.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Listing.&lt;/b&gt; The package is posted on a marketplace, often within hours of capture.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Distribution and reuse.&lt;/b&gt; Buyers purchase data; monetize it through fraud, account takeover or further intrusion; and often resell the information. Recaptured identity records circulate in criminal markets for years, generating losses for organizations long after the breach that produced them.&lt;/li&gt; 
 &lt;/ol&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Law enforcement: Progress and limits"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Law enforcement: Progress and limits&lt;/h2&gt;
 &lt;p&gt;Prosecution for cybercrime remains the exception. Most operators work from jurisdictions with no extradition agreements with the U.S. or the EU. For example, LockBit leader &lt;a href="https://www.techtarget.com/searchsecurity/news/366585124/What-LockBitSupp-charges-mean-for-ransomware-investigations"&gt;Dmitry Khoroshev&lt;/a&gt; remains in Russia despite a $10 million U.S. State Department reward. BreachForums has been seized and reconstituted multiple times since 2023, with the most recent disruption in October 2025. While each takedown demonstrates what is possible, the reconstitutions demonstrate the limits.&lt;/p&gt;
 &lt;p&gt;Multi-agency operations have produced some promising results, however. For example:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Operation Cookie Monster.&lt;/b&gt; In April 2023, the FBI-led takedown of Genesis Market -- a dark web platform selling browser fingerprints, cookies and session data from 1.5 million compromised machines -- resulted in 119 arrests across 17 countries.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Operation Cronos.&lt;/b&gt; In February 2024, the National Crime Agency, FBI and Europol &lt;ins datetime="2026-05-11T11:14" cite="mailto:Shea,%20Sharon"&gt;&lt;a target="_blank" href="https://www.nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group" rel="noopener"&gt;seized&lt;/a&gt;&lt;/ins&gt; 34 LockBit servers, shut down the group's dark web leak site used for extortion, froze 200 cryptocurrency accounts and unmasked Khoroshev.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Operation RapTor.&lt;/b&gt; In 2025, the Europol-coordinated dark web crackdown &lt;ins datetime="2026-05-11T11:14" cite="mailto:Shea,%20Sharon"&gt;&lt;a target="_blank" href="https://www.europol.europa.eu/media-press/newsroom/news/270-arrested-in-global-dark-web-crackdown-targeting-online-drug-and-criminal-networks" rel="noopener"&gt;targeted&lt;/a&gt;&lt;/ins&gt; vendors across multiple dark web platforms, resulting in 270 arrests across 10 countries.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="What CISOs need to do now"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What CISOs need to do now&lt;/h2&gt;
 &lt;p&gt;For security leaders, the dark web's underground economy changes monitoring priorities, risk thresholds and incident response assumptions. Security teams should consider taking the following actions to reduce risk.&lt;/p&gt;
 &lt;h3&gt;Use the dark web for risk intelligence&lt;/h3&gt;
 &lt;p&gt;Credentials surface in stealer-log data sets days before ransomware deploys. IAB listings target organizations by revenue range and sector, and ransomware leak sites name suppliers and customers alongside the primary victim. When &lt;a href="https://www.techtarget.com/searchsecurity/tip/Weighing-costs-benefits-of-dark-web-monitoring"&gt;monitored regularly&lt;/a&gt;, dark web intelligence can feed the security operations center with near-real-time criminal activity.&lt;/p&gt;
 &lt;h3&gt;Bolster risk management&lt;/h3&gt;
 &lt;p&gt;The dark web economy prices data based on freshness, completeness and usability. Data that cannot be quickly converted into access or fraud is less valuable on any marketplace. Three controls directly reduce that convertibility:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt; &lt;p&gt;Enforcing &lt;ins datetime="2026-05-11T11:20" cite="mailto:Shea,%20Sharon"&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Traditional-MFA-isnt-enough-phishing-resistant-MFA-is-key"&gt;phishing-resistant MFA&lt;/a&gt;&lt;/ins&gt; across all remote access, cloud admin and SSO entry points.&lt;/p&gt; &lt;/li&gt; 
  &lt;li&gt; &lt;p&gt;Rotating credentials promptly on any stealer-log domain match.&lt;/p&gt; &lt;/li&gt; 
  &lt;li&gt; &lt;p&gt;Applying the principle of least privilege across all accounts.&lt;/p&gt; &lt;/li&gt; 
 &lt;/ol&gt;
 &lt;h3&gt;Incident response&lt;/h3&gt;
 &lt;p&gt;A breach does not end when ransomware is contained or a card number is reissued. Stolen records circulate and are resold, sometimes for years, fueling downstream attacks enabled by the original incident. Organizations that treat containment as closure are routinely wrong. Preserve forensic evidence early, engage law enforcement while the trail is fresh and share indicators through Information Sharing and Analysis Centers.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>A breach is just the beginning. Once extracted, data moves through a sophisticated supply chain. Peek inside the dark web economy that turns stolen credentials into billions of dollars in profit.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/ai_a252657224.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/feature/Data-after-the-breach-Economics-of-the-dark-web</link>
            <pubDate>Mon, 11 May 2026 12:37:00 GMT</pubDate>
            <title>Data after the breach: Economics of the dark web</title>
        </item>
        <item>
            <body>&lt;p&gt;The traditional enterprise SIEM pulls security log data from sources across the IT environment, then normalizes it, analyzes it and retains it. But because SIEM providers typically charge more to hold more data, organizations generally must retain less data than they would prefer and accept the limitations of subsequent analyses.&lt;/p&gt; 
&lt;p&gt;Additionally, &lt;a href="https://www.techtarget.com/searchsecurity/tip/SIEM-benefits-and-features-in-the-modern-SOC"&gt;SIEMs&lt;/a&gt; retain data in their own, often proprietary formats. In fact, how SIEM vendors parse and normalize data is one way they differentiate themselves from competitors. Each seeks to use unique schemas, compression techniques and specialized databases to improve both result quality and speed. Consequently, enterprises have limited input into how their data is ingested and digested, and proprietary parsing and formats can make it harder to change vendors.&lt;/p&gt; 
&lt;p&gt;Some CISOs -- finding the limitations and trade-offs of data ingestion and retention in SIEM too constricting -- are choosing to decouple their security log data feeds from their SIEMs. By doing so, they typically gain freer access to the data, increase control over retention timelines, improve analytical capabilities, rein in SIEM costs and break free of vendor lock-in. But decoupling data from the SIEM also has its challenges and requires significant commitment, investment and planning.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="How decoupling data from the SIEM works"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How decoupling data from the SIEM works&lt;/h2&gt;
 &lt;p&gt;To decouple security data sources from the SIEM, security teams insert systems that they control in the middle of these data flows. In practice, this means establishing a separate, dedicated data store to hold the security log data, typically a data lake living in a comparatively inexpensive cloud storage service. It also means establishing a new data pipeline that takes in log data, preprocesses and normalizes it and then dumps it in the data lake. The enterprise then feeds its SIEM with data from the lake.&lt;/p&gt;
&lt;/section&gt;  
&lt;section class="section main-article-chapter" data-menu-title="Benefits of decoupling SIEMs from data pipelines and storage"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Benefits of decoupling SIEMs from data pipelines and storage&lt;/h2&gt;
 &lt;p&gt;Establishing an independent, enterprise-controlled data layer between the sources of security log data and the applications that consume it -- e.g., SIEMs and other tools such as &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-10-UEBA-enterprise-use-cases"&gt;user and entity behavior and analytics&lt;/a&gt; -- enables the enterprise to do the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Dictate the data schema for log records.&lt;/li&gt; 
  &lt;li&gt;Completely control filtering of records and easily vary it by destination.&lt;/li&gt; 
  &lt;li&gt;Completely control the retention horizons for every kind of data from each platform.&lt;/li&gt; 
  &lt;li&gt;Accurately and easily track all security data sources and all security data consumers.&lt;/li&gt; 
  &lt;li&gt;Easily enforce consistent adherence to institutional &lt;a href="https://www.techtarget.com/searchsecurity/feature/How-to-create-a-data-security-policy-with-template"&gt;policies on data collection and retention&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Easily add new security tools that need access to existing data feeds.&lt;/li&gt; 
  &lt;li&gt;Easily change -- and even drop -- SaaS and SIEM vendors without losing data.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Trading costlier SIEM-based storage for cheaper cloud bulk storage will also probably reduce the cost of storing security data, per se. But -- and this is important to understand -- that cost reduction might not result in net savings, as new tools or services and staff time costs could overbalance those savings.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Challenges of decoupling SIEM from the data layer"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Challenges of decoupling SIEM from the data layer&lt;/h2&gt;
 &lt;p&gt;Of course, along with its benefits, decoupling data from SaaS or SIEM platforms also comes with challenges. These include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Designing a powerful, secure, scalable and cost-efficient data lake and data pipeline, including selecting appropriate data exchange protocols and data storage schemata.&lt;/li&gt; 
  &lt;li&gt;Engineering a powerful, secure, scalable and cost-efficient data lake and data pipeline, including selecting tools and services with which to build it and testing it adequately before putting it into production.&lt;/li&gt; 
  &lt;li&gt;Migrating to the new architecture without data loss or interruptions in security scanning.&lt;/li&gt; 
  &lt;li&gt;Operating and supporting the data lake and pipeline efficiently, including ensuring backups and continuity of service in the face of disruptions.&lt;/li&gt; 
  &lt;li&gt;Coping with latency created by interposing the new layer -- requiring attention in the design, engineering and operations phases, as well as continuous monitoring to ensure latency is within acceptable limits.&lt;/li&gt; 
  &lt;li&gt;Coping with compliance, as the new data layer must respect and enforce any applicable requirements -- depending on company type, sector and geography -- for data at rest and in motion.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="A decoupling toolbox"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;A decoupling toolbox&lt;/h2&gt;
 &lt;p&gt;CISOs creating a new enterprise security data lake will need to determine their strategies in the following areas.&lt;/p&gt;
 &lt;h3&gt;SaaS data extraction&lt;/h3&gt;
 &lt;p&gt;SaaS data extraction tools can be built in house using SaaS APIs. Alternatively, third-party approaches include such proprietary SaaS security posture management platforms as Obsidian Security, Netskope SSPM and AppOmni, as well as open source tools such as Mondoo and OpenASPM.&lt;/p&gt;
 &lt;h3&gt;Data pipeline&lt;/h3&gt;
 &lt;p&gt;The data pipeline is the ingestion and pre-processing tool that receives raw logs and spits out records for the data lake in standardized format(s). Commercial products here include Cribl, Datadog and Splunk. Open source options include Vector, Logstash and Fluentd.&lt;/p&gt;
 &lt;h3&gt;Data storage&lt;/h3&gt;
 &lt;p&gt;Most larger organizations already have experience with data lakes, as well as preferred vendors, such as Snowflake and Google BigQuery, or open source options, such as Apache HDFS or MinIO.&lt;/p&gt;
 &lt;p&gt;Enterprises also have to consider data formats. Open standards should be everyone's first choice: &lt;a target="_blank" href="https://ocsf.io/" rel="noopener"&gt;Open Cybersecurity Schema Format&lt;/a&gt; for the log records heading out to SIEMs or elsewhere, for example, and storage formats such as Apache Parquet or Delta Lake for the data lake proper.&lt;/p&gt;
 &lt;p&gt;By decoupling cybersecurity data ingestion and retention from their SIEM platforms, CISOs can gain control, flexibility and depth while potentially reducing costs. But they will have to invest significant resources to capture these benefits.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;John Burke is CTO and a research analyst at Nemertes Research. Burke joined Nemertes in 2005 with nearly two decades of technology experience. He has worked at all levels of IT, including as an end-user support specialist, programmer, system administrator, database specialist, network administrator, network architect and systems architect.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Breaking up is hard to do -- but some CISOs find that decoupling SIEMs from security log data feeds is worth it. Learn about the benefits and challenges.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/security_a244600171.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/The-breakup-Why-CISOs-are-decoupling-data-from-their-SIEMs</link>
            <pubDate>Sat, 09 May 2026 22:00:00 GMT</pubDate>
            <title>The breakup: Why CISOs are decoupling data from their SIEMs</title>
        </item>
        <item>
            <body>&lt;p&gt;"We live in a world that could become fraught with day-to-day hazards from the misuse of AI and we need to take ownership of the problems -- because the risks are real," warned Dr. Seán Ó hÉigeartaigh, executive director of Cambridge University's Centre for the Study of Existential Risk and co-author of the report, "Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation."&lt;/p&gt; 
&lt;p&gt;This week's featured news is thus both encouraging and disquieting as AI experts urged caution and policymakers took steps to set up guardrails to mitigate the myriad risks associated with the unchecked adoption of the powerful technology.&lt;br&gt;&lt;br&gt;While White House representatives sought more information on how major tech firms are using AI for cybersecurity, international thought leaders called attention to the hazards posed to national defense and critical infrastructure by &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/agentic-AI"&gt;agentic AI systems&lt;/a&gt;. The concerns are warranted, as illustrated in a Zoho study that found 90% of surveyed organizations believe AI will strengthen cybersecurity, but 80% report that their tech stacks cannot handle modern threats. It's fertile ground for establishing safeguards that NIST and industry partners are exploring as they strive to develop standardized testing methods for AI models.&lt;/p&gt; 
&lt;p&gt;The latest news suggests that after years of hype about the great promise of AI, followed by widespread adoption, more prudent voices are being heard as the pitfalls of impulsive AI use come to light.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Governments issue AI agent safety warning"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Governments issue AI agent safety warning&lt;/h2&gt;
 &lt;p&gt;A document released by CISA, the NSA, the Australian Signals Directorate and international partners from the U.K., Canada and New Zealand urged "careful adoption" of &lt;a href="https://www.techtarget.com/searchenterpriseai/feature/Real-world-agentic-AI-examples-and-use-cases"&gt;agentic AI systems&lt;/a&gt;, addressing growing cybersecurity risks as key infrastructure and defense sectors increasingly deploy AI agents for mission-critical operations. Concerns noted include expanded attack surfaces, privilege creep, behavioral misalignment and obscured event records. The guidance strongly recommends organizations avoid granting AI agents broad or unrestricted access to sensitive data or critical systems.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.cybersecuritydive.com/news/ai-agents-security-guidance-australia-us/819076/" target="_blank" rel="noopener"&gt;&lt;i&gt;Read the full article by Eric Geller on Cybersecurity Dive&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="White House queries tech giants on AI cybersecurity"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;White House queries tech giants on AI cybersecurity&lt;/h2&gt;
 &lt;p&gt;The White House Office of the National Cyber Director has reached out to major tech companies with questions covering AI, cybersecurity, information sharing and federal collaboration opportunities. The outreach reflects the administration's focus on strengthening cybersecurity partnerships as AI adoption accelerates across critical sectors, seeking industry expertise to shape effective government support mechanisms. While the correspondence emphasized proactive engagement with frontier AI labs to address challenges in &lt;a href="https://www.techtarget.com/searchenterpriseai/tip/Best-practices-for-building-scalable-AI-infrastructure"&gt;scaling AI technology safely&lt;/a&gt;, some companies have been hesitant to share their sensitive information.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.cybersecuritydive.com/news/white-house-oncd-ai-tech-industry-questions/819133/" target="_blank" rel="noopener"&gt;&lt;i&gt;Read the full article by Eric Geller on Cybersecurity Dive&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="AI security confidence outpaces readiness, study finds"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;AI security confidence outpaces readiness, study finds&lt;/h2&gt;
 &lt;p&gt;Businesses are rushing to adopt AI for cybersecurity but remain vulnerable due to critical gaps in &lt;a href="https://www.techtarget.com/searchsecurity/feature/How-to-implement-zero-trust-security-from-people-who-did-it"&gt;zero-trust implementation&lt;/a&gt; and identity controls, according to Zoho's "State of Workforce Password Security Report 2026."&lt;/p&gt;
 &lt;p&gt;The global survey reveals a stark mismatch between confidence and capability. While 90% of organizations believe AI will enhance security measures, only 8% are currently equipped to deploy AI-powered security tools. The report highlighted several barriers slowing AI adoption, including legacy systems, migration complexity concerns and budget limitations.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.cybersecuritydive.com/news/ai-security-zero-trust-identity-zoho/819455/" target="_blank" rel="noopener"&gt;&lt;i&gt;Read the full article by Eric Geller on Cybersecurity Dive&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="U.S. government to pre-screen AI models from tech giants"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;U.S. government to pre-screen AI models from tech giants&lt;/h2&gt;
 &lt;p&gt;To assess cybersecurity threats, NIST's Center for AI Standards and Innovation will evaluate frontier AI models from Google, Microsoft and xAI before public release. This marks the U.S. government's effort to proactively address security risks from advanced AI systems. The partnerships enable information exchange, voluntary improvements and cross-agency testing, including in classified environments.&lt;/p&gt;
 &lt;p&gt;This represents a policy shift for the Trump administration, which previously eliminated AI security reviews but reconsidered after Anthropic deemed its Claude Mythos model too dangerous to release due to vulnerability-finding capabilities. Questions remain about CAISI's testing standards and threat assessment criteria.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.cybersecuritydive.com/news/nist-ai-model-testing-caisi-google-microsoft/819452/" target="_blank" rel="noopener"&gt;&lt;i&gt;Read the full article by Eric Geller on Cybersecurity Dive&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Editor's note:&lt;/b&gt; &lt;i&gt;An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Richard Livingston is an editor with Informa TechTarget’s SearchSecurity site, covering cybersecurity news, trends and analysis.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Check out the latest security news from TechTarget SearchSecurity's sister sites, Cybersecurity Dive and Dark Reading.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/health%20security_g1418645103.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/news/366642881/News-brief-Worries-and-warnings-as-AI-use-expands</link>
            <pubDate>Fri, 08 May 2026 11:45:00 GMT</pubDate>
            <title>News brief: Security worries and warnings as AI use expands</title>
        </item>
        <item>
            <body>&lt;p&gt;I once received an ad from a company that promised to lower home energy costs by conducting a free energy audit. The audit, it said, could be done over the phone -- no home visit -- and would require absolutely "zero questions asked" -- i.e., about our current energy use, heating and cooling systems, insulation or anything else.&lt;/p&gt; 
&lt;p&gt;It struck me as objectively ridiculous. How can you reach a fact-based, evidence-driven conclusion without at least measuring something?&lt;/p&gt; 
&lt;p&gt;I bring this up because I see CISOs promising something similar with their &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-develop-a-cybersecurity-strategy-Step-by-step-guide"&gt;security strategies&lt;/a&gt;. Namely, they say they can manage their security controls in the absence of important contextual knowledge, without information about control efficacy -- let alone efficiency -- and, in some cases, without any operational performance data at all. Yet, just like the information-free "energy audit," this approach undermines decision-making. Missing information means we pay more for an outcome that diminishes our control, makes no impact on reducing risk and yields poorer security overall.&lt;/p&gt; 
&lt;p&gt;By contrast, better measurement reduces risk. Contextualized performance information helps us understand how well controls perform relative to each other, which in turn makes investments more efficient and improves how we manage and operate those controls.&lt;/p&gt; 
&lt;p&gt;Let's take a look at how to better measure security controls, how to use the data collected to best effect and why a security controls evaluation matters in the first place.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Multiple angles of security control evaluation"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Multiple angles of security control evaluation&lt;/h2&gt;
 &lt;p&gt;To start, it's important to realize there are multiple dimensions, or vantage points, from which to measure controls. And there are countless ways to measure control performance. The three I've found most helpful to measure are:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Effectiveness.&lt;/b&gt; Does the control work?&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Maturity.&lt;/b&gt; How reliable is the process supporting the control?&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Efficiency.&lt;/b&gt; How does the control perform economically?&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;The first area is perhaps the easiest to intuitively understand. Effectiveness assesses how well the control performs at its intended task. Is it implemented? Does it work? Is it appropriately scoped? Does it cover the portions of the environment we need it to?&lt;/p&gt;
 &lt;p&gt;If you were to conduct a compliance audit against a set of controls -- for example, something like the controls in ISO/IEC 27001:2022 Annex A, &lt;a target="_blank" href="https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final" rel="noopener"&gt;NIST Special Publication 800-53&lt;/a&gt; or specific controls required by a regulatory framework such as PCI DSS -- this is the lens that would magnify most of the evaluation. In addition to measuring whether the control exists or not, though -- as you would for a regulatory compliance audit, for example -- you also want to account for how well it performs. The specifics of this will vary based on the individual control. Some systems might involve comparing rates of false/true positives versus false/true negatives; others might measure remediated versus unremediated issues, for example, quarantined malware versus unquarantined.&lt;/p&gt;
 &lt;p&gt;The second dimension is the maturity of the implementation or processes that support the control's operation. Different processes -- even those designed to achieve the same or similar outcomes -- can have different levels of maturity. Consider two separate approaches to a single task -- for example, &lt;a href="https://www.techtarget.com/searchnetworking/tip/5-principles-of-the-network-change-management-process"&gt;change management&lt;/a&gt;. One company might use a disorganized process for oversight, while another uses a well-documented, quantitatively measured one. Even if these processes perform equivalently, the more mature process has advantages that the less mature one does not -- for example, resilience to adverse events such as personnel attrition or process failure. This leads to, in aggregate, more predictable security outcomes.&lt;/p&gt;
 &lt;p&gt;How might you measure maturity? There are whole frameworks devoted specifically to this. For example, the &lt;a href="https://www.techtarget.com/searchsoftwarequality/definition/Capability-Maturity-Model"&gt;Capability Maturity Model&lt;/a&gt; defines five levels of maturity:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Initial.&lt;/b&gt; Unpredictable, ad-hoc, reactive process.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Managed.&lt;/b&gt; Planned with controlled requirements.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Defined.&lt;/b&gt; Process documented and standardized.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Quantitatively managed.&lt;/b&gt; Quantitative measurements -- i.e., metrics -- manage process.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Optimizing.&lt;/b&gt; Continuous improvement loop in place.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;The last dimension is efficiency -- more specifically, economic efficiency. As with maturity, how a company implements a control will yield different economic characteristics.&lt;/p&gt;
 &lt;p&gt;Once again, it's helpful to compare two implementations side by side. Take data discovery as an example. One company might use a software tool to find and flag files containing sensitive data, while another might pay hundreds of consultants to manually review individual files. Granted, no sane security program would use this second method. But this extreme example illustrates unambiguously that economic performance is not the same even if both approaches are equally effective and mature.&lt;/p&gt;
 &lt;p&gt;Indeed, the economic disparities are stark, ranging from initial startup costs and monthly and annual fees to Capex/Opex composition and total operating costs. To understand the economics of control performance, then, you need to understand and document each one. How? A useful starting point is the budget -- i.e., the actual hard dollars spent on any services or products involved in delivering a control, covering both year 1 and year &lt;i&gt;n&lt;/i&gt; costs. Extend this to factor in soft costs -- e.g., head count required to support it, staff time, etc. -- as well as any other required financial outlays, such as data center, compute, storage, bandwidth, etc. Ultimately, the goal is to calculate the control's total cost of ownership (&lt;a href="https://www.techtarget.com/searchdatacenter/definition/TCO"&gt;TCO&lt;/a&gt;) and use this as the unit cost in final risk/cost assessments.&lt;/p&gt;
&lt;/section&gt;           
&lt;section class="section main-article-chapter" data-menu-title="Putting it all together"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Putting it all together&lt;/h2&gt;
 &lt;p&gt;The next step in a security controls evaluation is to bring the information together. An approach I've used is to correlate these dimensions with &lt;a href="https://www.techtarget.com/searchcio/tip/Learn-how-to-harness-strategic-risk-and-improve-your-operations"&gt;quantitative risk scoring&lt;/a&gt;. This enables you to view controls through the lens of the amount of risk reduced -- quantitatively expressed -- per dollar invested, or, as security metrics guru Pete Lindstrom terms it, "risk reduced per unit cost."&lt;/p&gt;
 &lt;p&gt;This is valuable for a couple of reasons. First, it helps find underperforming controls and, once found, helps justify rescoping, realignment or even removal. If the idea of removing a control sounds scary or heretical, I get it. Security is, after all, a probabilistic discipline. Scenarios can arise where a legacy control -- even one that hasn't provided much value in years -- is precisely what would have prevented an attack.&lt;/p&gt;
 &lt;p&gt;But it's not realistic to keep every control around forever. One argument is opportunity cost: the second reason a risk/cost approach is valuable. In this context, opportunity cost is what you could have done instead with resources you invest in a given control. Unless you have an infinite budget -- and who does -- every investment comes at the cost of other measures you could have done but didn't.&lt;/p&gt;
 &lt;p&gt;Say an organization has an old legacy control offering little value in the current environment -- for example, a modem wardialer. For most organizations and barring exceptional circumstances such as industrial control networks, remote substation facilities, etc., a control like this provides negligible value in modern ecosystems. But consider how else the organization could invest those same resources. Container scanning? Secrets management? &lt;a href="https://www.techtarget.com/searchsecurity/feature/CASB-CSPM-CWPP-emerge-as-future-of-cloud-security"&gt;Cloud security posture management&lt;/a&gt;? A large language model gateway? These represent choices you could have made but didn't because the resources were already engaged.&lt;/p&gt;
 &lt;p&gt;Each of the three dimensions I covered earlier helps build your analysis. Effectiveness helps inform risk mitigation and, coupled with a quantitative risk modeling approach, can help you understand likelihood in a risk calculation. Likewise, maturity helps you understand impacts: lower maturity controls are less resilient, thereby increasing impact. Economic analysis helps you understand potential loss, opportunity cost and control selection.&lt;/p&gt;
 &lt;p&gt;Just as no reasonable person would accept an energy audit conducted without any actual data collection, security leaders shouldn't attempt to conduct a security controls evaluation without proper measurement. Yet, many enterprise security strategies do exactly this. They make decisions about control investments without understanding effectiveness, maturity or efficiency. That results in unnecessary risk and wasted resources.&lt;/p&gt;
 &lt;p&gt;The solution is straightforward: Evaluate controls by measuring their effectiveness -- does the control work as intended and cover what it needs to; their maturity -- how resilient and predictable are the processes supporting the control; and their efficiency -- what's the TCO.&lt;/p&gt;
 &lt;p&gt;When you bring these dimensions together, you can calculate, articulate and defend what truly matters: risk reduced per dollar invested. This gives you the ammunition to identify underperforming controls worth removing, leads you to better risk-based decision-making and reveals opportunity costs -- the better security investments you could make -- with those same resources. In short, measurement is the key to building a performance program that reduces risk efficiently.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Ed Moyle is a technical writer with more than 25 years of experience in information security. He is a partner at SecurityCurve, a consulting, research and education company.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Some CISOs believe their security controls are sufficient, but reach that conclusion without any method for measuring their effectiveness. There's a much better way.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/strategy_a56806043.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/How-to-construct-an-effective-security-controls-evaluation</link>
            <pubDate>Thu, 07 May 2026 16:49:00 GMT</pubDate>
            <title>How to construct an effective security controls evaluation</title>
        </item>
        <item>
            <body>&lt;p&gt;Enterprise password managers are must-have tools for organizations of all shapes and sizes. While consumer-based password managers are good for users' personal lives, enterprise security and desktop administrators require more comprehensive password managers that offer greater security, control and visibility across the entire organization.&lt;/p&gt; 
&lt;p&gt;Let's examine the key features to evaluate in enterprise password managers and look at five leading product options.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What to look for in an enterprise password manager"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What to look for in an enterprise password manager&lt;/h2&gt;
 &lt;p&gt;While both consumer and enterprise password managers securely store user passwords, offer encryption and support &lt;a href="https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA"&gt;MFA&lt;/a&gt;, enterprise password managers also offer stronger security features for controlling access to enterprise systems, enforcing policies and mitigating &lt;a href="https://www.techtarget.com/searchsecurity/answer/What-are-some-of-the-top-identity-and-access-management-risks"&gt;credential-based risks&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;When evaluating enterprise password managers, consider the following features:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Secure storage and retrieval of passwords.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-a-company-password-policy-with-template"&gt;Enterprise password policy&lt;/a&gt; enforcement, such as &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-5-password-hygiene-tips-and-best-practices"&gt;password length and strength&lt;/a&gt; requirements, and generation of new passwords that meet those guidelines.&lt;/li&gt; 
  &lt;li&gt;Password synchronization across each user's devices and applications.&lt;/li&gt; 
  &lt;li&gt;Secure password sharing, for those cases where password sharing is permitted.&lt;/li&gt; 
  &lt;li&gt;Notification when a password has likely been compromised.&lt;/li&gt; 
  &lt;li&gt;Centralized administration and reporting.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Leading enterprise password managers"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Leading enterprise password managers&lt;/h2&gt;
 &lt;p&gt;Let's look at some popular enterprise password managers. The following tools were selected based on market research. Each has a sizable customer base, is under active development and has numerous publicly available user reviews contributed by verified purchasers. This list is organized alphabetically.&lt;/p&gt;
 &lt;p&gt;A word of caution before we continue: Enterprise password manager vendors are inconsistent in their labeling of "enterprise" password managers versus "business" password managers. NordPass, for example, offers a Business version and a more fully functional Enterprise version built on the framework of the Business version. On the other hand, 1Password's Business and Enterprise Password Manager offerings are completely different. The Enterprise version is part of a larger Extended Access Management suite and the Business version is more consistent with what other enterprise password managers offer.&lt;/p&gt;
 &lt;p&gt;This article chooses the appropriate tier -- Business, Enterprise, etc. -- for each product based on functionality, not the tier's name.&lt;/p&gt;
 &lt;h3&gt;1Password Business&lt;/h3&gt;
 &lt;p&gt;&lt;a target="_blank" href="https://1password.com/resources/enterprise-credentials-management-datasheet" rel="noopener"&gt;1Password Business&lt;/a&gt; integrates with several major identity and access management (&lt;a href="https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system"&gt;IAM&lt;/a&gt;) platforms, including Duo, Entra ID, Okta and OneLogin, as well as with a variety of developer tools, enabling capabilities such as signing SSH keys and &lt;a href="https://www.techtarget.com/searchsoftwarequality/tutorial/Pick-up-basic-Git-commands-with-a-hands-on-tutorial"&gt;Git commits&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;Pros&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;UI ease of use, especially its autofill capabilities.&lt;/li&gt; 
  &lt;li&gt;Integration with mobile apps, particularly on iOS devices.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Cons&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Reauthentication required too frequently -- e.g., every few hours.&lt;/li&gt; 
  &lt;li&gt;Initial setup and configuration can be more challenging than expected.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Pricing&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;$7.99 per user per month, paid annually.&lt;/li&gt; 
  &lt;li&gt;14-day free trial.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Bitwarden Password Manager for Business&lt;/h3&gt;
 &lt;p&gt;&lt;a target="_blank" href="https://bitwarden.com/pricing/business/" rel="noopener"&gt;Bitwarden Password Manager for Business&lt;/a&gt; provides secure generation and storage for passwords, passkeys, SSH keys and time-based one-time passwords, as well as secure storage of notes and other forms of credentials. The product's source code is independently audited and is also publicly available for security review and testing.&lt;/p&gt;
 &lt;p&gt;Pros&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Stellar documentation and outstanding customer support.&lt;/li&gt; 
  &lt;li&gt;Excellent integration with &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-SCIM-can-automate-user-provisioning"&gt;system for cross-domain identity management&lt;/a&gt; (SCIM).&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Cons&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Unnecessarily difficult UI.&lt;/li&gt; 
  &lt;li&gt;Hard to distinguish the admin and user portions of the interface.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Pricing&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Enterprise version costs $6 per month per user, paid annually.&lt;/li&gt; 
  &lt;li&gt;7-day free trial.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Dashlane for Business&lt;/h3&gt;
 &lt;p&gt;&lt;a target="_blank" href="https://www.dashlane.com/resources/category/white-papers-reports" rel="noopener"&gt;Dashlane for Business&lt;/a&gt; provides secure storage for passwords, passkeys, secrets -- e.g., private keys -- and other credentials, as well as payment card information. It supports integration with SCIM provisioning, single sign-on (&lt;a href="https://www.techtarget.com/searchsecurity/definition/single-sign-on"&gt;SSO&lt;/a&gt;) and log management technologies.&lt;/p&gt;
 &lt;p&gt;Pros&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Clear and easy-to-use UI.&lt;/li&gt; 
  &lt;li&gt;Ease of sharing passwords, secrets and other items among users.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Cons&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Deployment and initial configuration are more complicated than expected.&lt;/li&gt; 
  &lt;li&gt;Lacks some of the admin features that most competing password managers offer.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Pricing&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;$8 per user per month, paid annually.&lt;/li&gt; 
  &lt;li&gt;14-day free trial.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Keeper Enterprise Password Manager&lt;/h3&gt;
 &lt;p&gt;&lt;a target="_blank" href="https://www.keepersecurity.com/resources/datasheets/" rel="noopener"&gt;Keeper Enterprise Password Manager&lt;/a&gt; synchronizes with Active Directory and Lightweight Directory Access Protocol, and integrates with Entra ID and MFA via Duo and RSA. It also offers CLI and SCIM provisioning.&lt;/p&gt;
 &lt;p&gt;Pros&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Easy to use and easy to manage.&lt;/li&gt; 
  &lt;li&gt;Comprehensive technical support services, documentation and training.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Cons&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Not as customizable and flexible as some organizations would like.&lt;/li&gt; 
  &lt;li&gt;Some third-party integrations not sufficiently strong.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Pricing&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;$6 per user per month, paid annually.&lt;/li&gt; 
  &lt;li&gt;Free trial available (duration not specified).&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;NordPass Business&lt;/h3&gt;
 &lt;p&gt;&lt;a target="_blank" href="https://nordpass.com/business-whitepaper/" rel="noopener"&gt;NordPass Business&lt;/a&gt; integrates with IAM and SSO platforms from Entra ID and Okta, and supports SSO through Google and Microsoft. It is regularly audited by third parties and offers a bug bounty program.&lt;/p&gt;
 &lt;p&gt;Pros&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Autofilling passwords through browser extensions.&lt;/li&gt; 
  &lt;li&gt;Customizable, flexible password policy configurations.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Cons&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Performance issues, most notably slow password synchronization between devices.&lt;/li&gt; 
  &lt;li&gt;Integration support is not as comprehensive as competitors'.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Pricing&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Enterprise: $5.99 per user per month with a one-year commitment.&lt;/li&gt; 
  &lt;li&gt;14-day free trial.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;i&gt;Karen Kent is the co-founder of Trusted Cyber Annex. She provides cybersecurity research and publication services to organizations and was formerly a senior computer scientist for NIST.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Admins need their password managers to provide a wide range of features and capabilities. Learn what every password manager must have, along with available options.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/keys_a280346470.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/Leading-enterprise-password-managers-to-consider</link>
            <pubDate>Thu, 07 May 2026 15:06:00 GMT</pubDate>
            <title>5 leading enterprise password managers to consider</title>
        </item>
        <item>
            <body>&lt;p&gt;When Anthropic announced its latest large language model, Claude Mythos, the news hit with a jolt. Anthropic wasn't putting out word that it was about to release Mythos -- it wanted the world to know that it would &lt;i&gt;not&lt;/i&gt; release the frontier LLM.&lt;/p&gt; 
&lt;p&gt;The unreleased Mythos preview showed capabilities that no one saw coming. The LLM identified security gaps in every major browser and OS, some of which were said to have existed for many years, even decades. This meant that in some cases an entire generation of developers, cybersecurity experts and attackers had missed them.&lt;/p&gt; 
&lt;p&gt;Concerns were exacerbated by Anthropic's revelation that the LLM was finding zero days even when the model hadn't specifically been asked to seek them out. And in situations where Mythos was asked to create exploits, it did so in ways described as effective, unprecedented and fast.&lt;/p&gt; 
&lt;p&gt;In addition to keeping a lid on Mythos, Anthropic decided to give access to a select group of leading companies so that those companies could learn about -- and fix -- vulnerabilities in their products. This initiative, dubbed Project Glasswing, involves key players in tech and security, including Google, Apple, Microsoft, AWS, CrowdStrike and Palo Alto Networks. Early access to Mythos is meant to give the industry the opportunity to perform critical defensive work before bad actors turn those advanced AI capabilities into weapons.&lt;/p&gt; 
&lt;p&gt;Worries about &lt;a href="https://www.techtarget.com/searchsecurity/tip/What-AI-zero-days-mean-for-enterprise-cybersecurity"&gt;an AI arms race between attackers and defenders&lt;/a&gt; existed before the Mythos news. Now, the anxiety is ratcheted up.&lt;/p&gt; 
&lt;p&gt;Governments, too, are expressing varying degrees of alarm about the potential security consequences of a super-charged LLM. A top cybersecurity official in the German government described Mythos as a paradigm change, and Japan's finance minister called the model "&lt;a target="_blank" href="https://www.darkreading.com/cyber-risk/claude-mythos-startle-japans-financial-sector" rel="noopener"&gt;a crisis that is already upon us&lt;/a&gt;."&lt;/p&gt; 
&lt;p&gt;In this Reporters' Notebook video, Becky Bracken, senior editor of Dark Reading, Eric Geller, senior reporter of Cybersecurity Dive, and Phil Sweeney, industry editor of TechTarget SearchSecurity, discussed what they're seeing about Mythos and Project Glasswing.&lt;/p&gt; 
&lt;p&gt;&lt;i&gt;Phil Sweeney is an industry editor and writer focused on cybersecurity topics.&lt;/i&gt;&lt;/p&gt; 
&lt;transcript&gt; 
 &lt;p&gt;&lt;b&gt;Editor's note: &lt;/b&gt;&lt;i&gt;This transcript has been edited for clarity and length. For the full experience, please watch the video.&lt;/i&gt;&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Dark Reading’s Becky Bracken:&lt;/b&gt; Hello everybody, and welcome to Reporters' Notebook. I am Becky Bracken and I am here with my two colleagues to discuss this month's big blockbuster story, "Mythos, the AI Model to End All Cybersecurity," and Glasswing, the forum that was established to wrap industry and government's head around it. I'm joined today by Eric Geller, senior reporter with Cybersecurity Dive, as well as Phil Sweeney, who is with TechTarget SearchSecurity. Welcome both of you. I figured this was a pretty easy one for us to tackle. Do you wanna walk us through the background as you understand it?&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;TechTarget SearchSecurity's Phil Sweeney:&lt;/b&gt; For the &lt;a target="_blank" href="https://www.darkreading.com/cloud-security/csa-cisos-prepare-post-mythos-exploit-storm" rel="noopener"&gt;Mythos preview&lt;/a&gt;, Anthropic developed it and had some pretty startling success with it, things they did not expect. And before release, they said, 'OK, we can't do this. We can't release this. We need to talk about this and the implications for that, especially security-wise.' They found incredible volumes of &lt;a href="https://www.techtarget.com/searchsecurity/definition/zero-day-vulnerability"&gt;zero days&lt;/a&gt;, unknown vulnerabilities, and some of them going back years; they said many, in fact, are 10, 20 years old, not just a few outliers. There were many, many that were going back many years undiscovered and the LLM found them in almost no time at all. So, it was quite a jolt and, as a result, Anthropic has reached out to partners across the IT industry to try to come to some kind of consensus about, what are we going to do about this before this becomes a major security crisis?&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Bracken:&lt;/b&gt; Eric, what's the headline for you here?&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Cybersecurity Dive's Eric Geller:&lt;/b&gt; To me, this is a story about how the government is going to be increasingly dependent on the technology companies in a way that wasn't even really true in earlier phases of this kind of government-industry relationship. We think about cybersecurity as a domain where the &lt;a target="_blank" href="https://www.darkreading.com/cybersecurity-operations/hand-cve-over-to-private-sector" rel="noopener"&gt;private sector&lt;/a&gt;, because it runs the infrastructure, has the best visibility; and the government is really dependent on it to understand cyberattacks. I think in the AI space, that reliance is even stronger because now it's not just that the AI companies have all this information about how hackers are trying to launch cyberattacks using their products. And you see &lt;a target="_blank" href="https://www.darkreading.com/application-security/anthropic-exploit-writing-mythos-ai-safe" rel="noopener"&gt;Anthropic&lt;/a&gt; putting out that report last year about the first AI-powered cyberattack. So, they have that visibility. They also have the ability, unlike say critical infrastructure operators, to actually define the terms of the battlefield, because it's their products that are being used to do some of this work.&lt;/p&gt; 
 &lt;p&gt;That's not to say AI is the only thing that hackers are using or the only thing that they need, but it is increasingly going to be part of the initial phase of an attack to use AI to figure out if your target has any vulnerabilities. And so it's incumbent on the vendors to do as much as they can to prevent their tools from being weaponized in a way that really isn't true with a lot of other technology out there, with the exception of pen-testing software where we know that hackers use things like &lt;a target="_blank" href="https://www.darkreading.com/threat-intelligence/less-lucrative-ransomware-market-makes-attackers-alter-methods" rel="noopener"&gt;Mimikatz&lt;/a&gt; for attacks. This is a totally different ballgame, and the government is entirely dependent on the vendors to not only make products that are not capable of being weaponized, but also to proactively share with the government what they're finding and what their partners are finding with these tools.&lt;/p&gt; 
 &lt;p&gt;You know, we're going to talk about &lt;a target="_blank" href="https://www.darkreading.com/cyberattacks-data-breaches/glasswing-secured-code-stack-on-you" rel="noopener"&gt;Project Glasswing&lt;/a&gt;, and what I'll be looking for there is, as companies use Mythos and discover vulnerabilities, what is the tempo of information-sharing with federal agencies like CISA? Is there something formally in place that says, when a Glasswing partner finds a vulnerability, does it have to tell CISA? I don't think so. So, we're really seeing an environment where these relationships haven't been well defined, and how quickly that stuff gets ironed out is going to go a long way toward answering the question of how rocky the next few years are going to be, to prevent weaponization of these tools.&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Bracken:&lt;/b&gt; You are, Eric, the person that I look to to read the Washington, D.C., tea leaves about what's going on in cyber. So, what's your analysis of where we are? The executive branch has been very clear that they want AI to run rampant and do nothing to hamper any kind of innovation. How do you see this playing out in, let's say, the next six months? I think that's a pretty long runway in AI.&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Geller:&lt;/b&gt; I mean, I do think that there's no real appetite in Washington to regulate what a company like Anthropic can do, in part because how would you &lt;a target="_blank" href="https://www.darkreading.com/vulnerabilities-threats/finding-balance-us-ai-regulation" rel="noopener"&gt;define the boundaries of the regulation&lt;/a&gt;? How would you define safe behavior and unsafe behavior, safe coding and unsafe coding? I mean, if you define it based on the output, i.e., can this tool help a hacker find a vulnerability, then you're going to be prohibiting a lot of behavior that we actually want to see because any tool that can help a hacker find a vulnerability can also help a defender find a vulnerability -- the technology is agnostic. There's no way to create an AI model that checks who you are, peers into your soul and based on that decides whether it's going to tell you about a CVE in an internet-facing network appliance or what have you.&lt;/p&gt; 
 &lt;p&gt;That would be what we would want in a fantasy world, but that doesn't exist. So, you can't regulate the problem out of existence. That's not to say you can't have any regulation. I'm not taking a stance here, but the idea that you can solve this particular problem through a regulatory framework, it's not like environmental pollution. You can't say, 'Only do the good things and don't do the bad things.' That's not how the technology works.&lt;/p&gt; 
 &lt;p&gt;And I think you see &lt;a target="_blank" href="https://www.darkreading.com/cyber-risk/rethinking-cyber-risk-traditional-models-fall-short" rel="noopener"&gt;policymakers&lt;/a&gt; recognizing that. In the absence of a regulatory answer, the next best option is close conversations and collaboration so that as Anthropic is finding out that its product can do something potentially dangerous, they're telling the government, and the government is deciding whether it ought to warn critical infrastructure operators.&lt;/p&gt; 
 &lt;p&gt;It does at least speak to this idea of, OK, harm is going to happen. The best thing we can do to get ahead of it is talk to each other as we're learning about the harm. And that's not a satisfying answer, but I think it's kind of the best that Washington has at this point.&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Bracken:&lt;/b&gt; A healthy answer. People talking is not happening just here and there, hither and thither right now. So, to see it happening here is important. But also, there is a real dearth of talent and expertise right now in government; the experts that do exist are working in private-sector businesses right now. Would you agree with that?&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Geller:&lt;/b&gt; Yeah, especially with all the &lt;a target="_blank" href="https://www.darkreading.com/cybersecurity-operations/cisa-layoffs-weaken-civilian-cyber-defense" rel="noopener"&gt;layoffs&lt;/a&gt; that we've seen recently. And I'm going to be looking to see what happens with NIST, the National Institute of Standards and Technology. They have an AI Safety Institute that was created in the last administration. It's been refocused now to really look at these core technical issues of AI models and the double-edged sword of this technology. So, I'm going to be very curious to see if that agency gets more involved in working side by side with the vendors to understand the implications of their product.&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Bracken:&lt;/b&gt; And on the expertise front, Phil, enter Project Glasswing. And so, this is the roundtable at which this conversation that Eric's been referring to is happening, correct? Tell us a little bit about what it is and what its parameters are.&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Sweeney:&lt;/b&gt; Right, right. It is a group of 12 companies or organizations involved at the point of the spear. Forty or so others are going to be involved in other ways. But yeah, the big ones. You're talking about your cloud providers: AWS is involved here, Google is involved here. Microsoft. Anthropic itself, Apple, Cisco, CrowdStrike, JP Morgan Chase. It's a dozen big powerful players in IT and finance and security and name it. So, they are &lt;a target="_blank" href="https://www.darkreading.com/vulnerabilities-threats/ai-finds-38-security-flaws-openemr" rel="noopener"&gt;getting access to the preview&lt;/a&gt; before any kind of release publicly. The idea being to give some sort of head start on fixing these vulnerabilities [before they're weaponized].&lt;/p&gt; 
 &lt;p&gt;It's an unusual level of cooperation. Rival companies will sometimes cooperate on some cybersecurity standards, interoperability, that sort of thing. There is the Linux Foundation, the Cloud Native Computing Foundation. They have cooperative relationships across industries. There's a boldness here, an urgency that feels different, and it's coordination on a scale that is rarely seen. So, among rivals, some bitter rivals in case, competitors, they're saying this can't be fixed in Washington. It can't be fixed by individual companies. There has to be some sort of collective action. CrowdStrike's CTO said something to the effect of&amp;nbsp;this needs to happen for defenders to unify, to put these capabilities to work now before the adversaries can become involved in a serious way. Someone from Cisco supporting Glasswing said that the work is just too important and too urgent to do it alone. So, there's a sense here that this is a massive risk that's going to require massive effort to address.&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Bracken:&lt;/b&gt; I wonder what you all make of this notion that this might be a bit overhyped. It's not lost on me that it's called "Mythos." It's not lost on me that a lot of this is very secret squirrel; it's really big, but you can't see it. The AI Security Institute in the UK did a &lt;a target="_blank" href="https://www.darkreading.com/cyber-risk/industrialized-exploitation-agentic-offensive-security-existential-threat" rel="noopener"&gt;technical evaluation on Mythos&lt;/a&gt; that found that maybe it's not as potent of a tool as they're making it out to be. A lot of the criticism was that what they ran it against wasn't particularly well-defended, really not as well-defended as even a midsize organization would be. I wonder what you all make of this idea that maybe this is overhyped or that people are falling for what's essentially a marketing scheme, because I have heard that.&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Geller:&lt;/b&gt; Well, I think partly it is true that the way you defend yourselves from the kinds of attacks that this tool can find is the same as the way you defend yourself from an attack that a human discovers and weaponizes and launches. Really, what we're talking about here is not the kind of attack that gets launched. Not for the most part anyway. It's the democratization of being able to do that work.&lt;/p&gt; 
 &lt;p&gt;If you're using default passwords, if you have a network appliance that's got out-of-date firmware, a human can exploit that if they know how to do so. But it's something that AI is making it easier to do. So, it's not as if AI has created new forms of attack. It's made it easier for more kinds of people with less knowledge to launch those attacks.&lt;/p&gt; 
 &lt;p&gt;You still need to be doing the same kinds of things you were doing in the past in terms of verifying your network perimeter, checking to make sure your user accounts are not being abused, employ 'identity as the perimeter' -- all these buzzwords that we know about from going to conferences over the years. These are still the things you need to do. You need strong passwords just as you always have.&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Bracken:&lt;/b&gt; Strong &lt;a href="https://www.techtarget.com/searchsecurity/definition/cyber-hygiene"&gt;security hygiene&lt;/a&gt;, all the things.&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Geller:&lt;/b&gt; Absolutely, you need to do the same things you've always needed to do. It's just that now you have to worry about more people trying to exploit your failure to do those things.&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Bracken:&lt;/b&gt; That's a great point. Phil, did you have anything to add to that?&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Sweeney:&lt;/b&gt; Just to add to that, yeah, there is, I think, a range of opinion and thought here. I think because this is somewhat unprecedented, you can't look at previous examples and say, this is just like that. So, there's going to be some optimism, some skepticism, some cynicism even. I get that. But what I would add is that if we take Anthropic at its word, it has said that they had engineers with no formal security training just work with Mythos Preview and say, find remote code-execution (RCE) vulnerabilities, and then boom, the next morning, there would be a complete working exploit right there waiting for them. So, it does certainly lower the bar for sophistication. This can find and also link together vulnerabilities and chain them in a way that usually requires a lot of expertise, if what Anthropic is saying is possible. That certainly changes and makes cybercrime a pretty low bar for entry.&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Bracken:&lt;/b&gt; Another smart point. One of the nuggets out of this was the timing; there was an acknowledgment that the model could do some pretty amazing things, and then a &lt;a target="_blank" href="https://www.cnn.com/2026/04/08/china/china-supercomputer-hackers-hnk-intl" rel="noopener"&gt;major hack of Chinese data&lt;/a&gt;. There was maybe more twittering than hard reporting that maybe the two were linked, but here is a tool of unprecedented danger that falls in the laps of the American government. And the next thing you know, the Chinese are getting their data swiped in a huge, big way. Are you hearing that there's any connection, Eric?&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Geller:&lt;/b&gt; I'd be very interested to learn more about that&amp;nbsp;situation. I don't think at this point we have any reason to think it's connected to this tool. And in part because, think about that Chinese organization as a target of &lt;a target="_blank" href="https://www.darkreading.com/endpoint-security/coruna-darksword-democratizing-nation-state-exploit-kits" rel="noopener"&gt;nation-state espionage&lt;/a&gt;. If you think about the range of organizations that want to hack into that entity, it includes the best hackers in the world. So, the idea that somebody could break into that organization, you don't need the advent of Claude Mythos to explain that. If that had happened a year ago, two years ago, I would not have been surprised, because the people trying to get in are the best in the world. So, I do think the timing is just a matter of coincidence because you don't need Claude Mythos to get in there if you are the typical group trying to get in, which is NSA, CIA, British intelligence. And I doubt that they are relying on Claude Mythos to do their attacks.&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Bracken:&lt;/b&gt; OK, that is a more reasonable take. And so, Phil, what are some of the questions that you are hoping your reporting will be able to answer about this moving forward?&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Sweeney:&lt;/b&gt; Right. I think it'll be interesting to see how&amp;nbsp;the typical security organization, CISOs and their teams, how they respond to this, how they react. If they're not among the special invitees for this endeavor, what do they do to prepare and guess how all this branches out and spreads throughout the security ecosystem. There was something interesting that came out from the Cloud Security Alliance just the other day&amp;nbsp;in response to all this.&amp;nbsp;They wanted to give CISOs and boards and executives something to hang onto and say, 'OK, this is how you should be thinking about it, even if you're not directly involved. This is going to change your life in a significant way, perhaps.' They had some thoughts about sounding the alarm and being ready; they said, prepare now, &lt;a target="_blank" href="https://www.darkreading.com/cybersecurity-operations/navigating-cybersecurity-budget-tug-of-war" rel="noopener"&gt;ask for more budget&lt;/a&gt;, hire more people, do more automation, because there will be a very shortened window between when a vulnerability is disclosed and the time when it can be exploited; and security teams are going to have to be ready to step in and act quickly.&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Bracken:&lt;/b&gt; I heard that at RSAC quite a bit, 'attack at machine speed.' And to me, that is the biggest question that teams are going to have to answer is the patching problem. They are going to have to get patching done at machine speed. And I think there are still a lot of questions about how that is going to happen, and it needs to happen yesterday. And I think practitioners are pretty well aware of that fact. It's just a matter of catching up to reality.&lt;/p&gt; 
 &lt;p&gt;Eric, I want to give you the final word here. What questions are you looking to get answered in your reporting?&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Geller:&lt;/b&gt; I'm very curious to see if this changes how the government thinks about its role in overseeing the sprawl of AI technology. President Biden tried to get these companies to report to the government when they were doing red-teaming tests and basically provide the results of those tests so that the government can, in real time, understand what's happening with the security audits that the companies are doing. &lt;a target="_blank" href="https://www.darkreading.com/application-security/trump-administration-rescinds-biden-era-sbom-guidance" rel="noopener"&gt;President Trump got rid of that requirement&lt;/a&gt;. He described it as anti-innovation and too onerous and burdensome.&lt;/p&gt; 
 &lt;p&gt;But I'll be interested to see if the Trump administration rethinks the hands-off approach it's taken to AI. I don't think it's going to completely rethink it, but I think there might be some folks advocating for a little bit more looking over the shoulder of some of these AI companies. Not with regulation, but with just some degree of oversight and input.&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Bracken:&lt;/b&gt; Where would that come from? I mean, we're looking at the incredible shrinking CISA. You know, they're standing up a State Department quasi-cyber wing. There's NSA. Where is this sort of thought leadership shift going to come from?&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Geller:&lt;/b&gt; Well, I don't think there's a lot of appetite right now for it from anywhere, but there are some agencies that would be a natural fit to kind of have these kinds of interactions with the AI companies. NIST is the one that comes to mind because it's not regulatory. So, if you have the companies provide their reports to NIST, they're not worried that NIST is going to prosecute them or file a civil case. It's not like the FTC or the Justice Department where if you tell them about something, they might look at it and say, 'You know what? You violated the law here, we're going to take you to court.' That's not going to happen if you go to NIST, because that's not the culture of the agency. So, I think it would be a good fit if they wanted to bring something like the &lt;a target="_blank" href="https://www.darkreading.com/cyber-risk/biden-administration-unveils-data-privacy-executive-order" rel="noopener"&gt;Biden executive order&lt;/a&gt; back into force. But again, I emphasize, I don't think there's a lot of appetite anywhere in the government for doing exactly what President Biden had in mind.&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Bracken:&lt;/b&gt; Makes sense. Well, gentlemen, I've learned a lot today. Thank you so much for helping me understand this topic better and helping our audience understand as well. Eric, where can we find more of your thoughtful, deep reporting on this and other topics?&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Geller:&lt;/b&gt; You can just go to &lt;a target="_blank" href="https://www.cybersecuritydive.com" rel="noopener"&gt;cybersecuritydive.com&lt;/a&gt;.&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Bracken:&lt;/b&gt; And Phil, tell us where we can find you.&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Sweeney:&lt;/b&gt; I'm at &lt;a href="https://www.techtarget.com/searchsecurity/"&gt;techtarget.com/searchsecurity&lt;/a&gt;.&lt;/p&gt; 
 &lt;p&gt;&lt;b&gt;Bracken:&lt;/b&gt; My name is Becky Bracken. I am a senior editor with Dark Reading. You can find this along with every other sort of podcast and video and, of course, our deep, thorough reporting at &lt;a target="_blank" href="https://www.darkreading.com/" rel="noopener"&gt;darkreading.com&lt;/a&gt;. Thank you all for listening. This has been another episode of Reporters' Notebook. We'll see you next time.&lt;/p&gt; 
&lt;/transcript&gt;</body>
            <description>The Claude Mythos preview has raised alarms about AI-driven threats. Is this a new era for cybersecurity professionals?</description>
            <link>https://www.techtarget.com/searchsecurity/video/Claude-Mythos-changes-the-AI-security-threat-matrix</link>
            <pubDate>Thu, 07 May 2026 14:19:00 GMT</pubDate>
            <title>Claude Mythos changes the AI security threat matrix</title>
        </item>
        <item>
            <body>&lt;p&gt;Cloud security posture management has become a core layer of modern cloud defense because it addresses a basic but persistent problem: many cloud security incidents begin with misconfigurations, excessive privileges, unmanaged assets, weak network exposure decisions and drift from approved baselines. In fast-moving AWS, Azure and Google Cloud environments, these mistakes can be introduced by developers, DevOps engineers, platform teams or third parties. CSPM tools help organizations continuously identify and reduce these risks.&lt;/p&gt; 
&lt;p&gt;For CISOs, the appeal of CSPM is practical. These tools provide a clear view of real &lt;a href="https://www.techtarget.com/searchsecurity/tip/Why-organizations-need-cloud-attack-surface-management"&gt;cloud exposure&lt;/a&gt;, highlight where governance is breaking down and create a measurable path toward risk reduction. Instead of relying on periodic manual reviews or scattered &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-cloud-monitoring-dashboards-improve-security-operations"&gt;native-cloud dashboards&lt;/a&gt;, an effective CSPM platform centralizes posture visibility, prioritizes issues and supports remediation at scale.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What CSPM tools do and why they matter"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What CSPM tools do and why they matter&lt;/h2&gt;
 &lt;p&gt;CSPM tools connect to cloud platforms through &lt;a href="https://www.techtarget.com/searchapparchitecture/tip/What-are-the-types-of-APIs-and-their-differences"&gt;APIs&lt;/a&gt; and evaluate the control plane. They inspect settings related to identity and access management (IAM), storage, compute, networking, logging, encryption, key management, containers, &lt;a href="https://www.techtarget.com/searchitoperations/tip/Kubernetes-automation-Use-cases-and-tools-to-know"&gt;Kubernetes&lt;/a&gt; and sometimes SaaS offerings. Their goal is to detect insecure states, such as publicly exposed resources, disabled logging, weak &lt;a href="https://www.techtarget.com/searchsecurity/tip/Best-practices-for-a-bulletproof-IAM-strategy"&gt;IAM policies&lt;/a&gt;, missing encryption, risky trust relationships or services that violate internal policy and regulatory requirements.&lt;/p&gt;
 &lt;p&gt;This functionality matters because cloud environments change constantly. New accounts, subscriptions, virtual private clouds, storage repositories and workloads can appear in hours, not months. Teams might also deploy infrastructure through multiple paths, including infrastructure as code (IaC), native consoles, continuous integration/continuous delivery pipelines and third-party orchestration tools. Without an automated posture layer, security teams often discover problems too late, after exposure has already occurred or after auditors uncover the gap.&lt;/p&gt;
 &lt;p&gt;For security leaders, CSPM solves three business problems at once. First, it reduces avoidable exposure by identifying misconfigurations earlier. Second, it improves governance by measuring adherence to standards, such as Center for Internet Security, &lt;a href="https://www.techtarget.com/searchsecurity/definition/NIST-Cybersecurity-Framework"&gt;NIST&lt;/a&gt;, PCI DSS, &lt;a href="https://www.techtarget.com/searchhealthit/definition/HIPAA"&gt;HIPAA&lt;/a&gt;, SOC 2 and &lt;a href="https://www.techtarget.com/whatis/definition/ISO-27001"&gt;ISO 27001&lt;/a&gt;. Third, it gives SecOps and cloud teams a shared operational view of risk, which is valuable in large organizations where ownership of cloud controls is distributed across many teams.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Key CSPM features"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Key CSPM features&lt;/h2&gt;
 &lt;p&gt;Leading CSPM platforms offer a broad range of features, including the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Visibility.&lt;/b&gt; Prioritize platforms that provide broad, agentless visibility across AWS, Azure and Google Cloud, with support for multiple accounts and regions. Most organizations need unified posture data rather than separate views per cloud. Strong inventory mapping is equally important because teams cannot secure assets they cannot see.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Customization.&lt;/b&gt; Look for strong policy coverage and customization. Out-of-the-box checks for &lt;a href="https://www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Choosing-the-right-one"&gt;major compliance frameworks&lt;/a&gt; are useful, but mature buyers need the ability to define custom guardrails based on internal standards, business exceptions and architectural patterns. CSPM tools should also make it easy to suppress accepted risk without losing audit traceability.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Risk analysis.&lt;/b&gt; Assess platforms that prioritize contextual risk analysis. Early CSPM tools often produced long lists of findings with limited prioritization. Today's platforms correlate posture issues with internet exposure, identity privilege, workload sensitivity and attack paths. This matters because a publicly exposed workload tied to an overprivileged identity deserves more attention than a minor issue in an internal development account.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Remediation workflows.&lt;/b&gt; Some products provide guided fixes, some support auto-remediation through cloud-native functions and others integrate with ticketing and workflow systems. The right approach depends on operating model, but manual-only remediation can become a bottleneck in large environments.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Integrations.&lt;/b&gt; CSPM should connect to SIEM, SOAR, DevOps pipelines, IT service management and, ideally, broader cloud security workflows, such as cloud workload protection platforms, cloud-native application protection platforms (&lt;a href="https://www.techtarget.com/searchsecurity/definition/cloud-native-application-protection-platform-CNAPP"&gt;CNAPPs&lt;/a&gt;), cloud infrastructure entitlement management and data security posture management tools. Buyers should also look for support for IaC scanning and shift-left policy checks, even if those capabilities are packaged separately.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Limitations of CSPM"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Limitations of CSPM&lt;/h2&gt;
 &lt;p&gt;CSPM tools deliver clear value, but buyers should have realistic expectations. &lt;a href="https://www.techtarget.com/whatis/definition/alert-fatigue"&gt;Alert fatigue&lt;/a&gt; remains one of the biggest problems. If every misconfiguration is treated equally, teams can drown in findings and miss the most important exposures. &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-reduce-false-positive-alerts-and-increase-cybersecurity"&gt;False positives and duplicate findings&lt;/a&gt; across clouds can also slow adoption and undermine trust in the tool.&lt;/p&gt;
 &lt;p&gt;Operational complexity is another challenge. Large organizations often have multiple cloud landing zones, inconsistent tagging, legacy subscriptions and delegated admin models. Deploying a CSPM platform across that sprawl can expose governance issues that are organizational, not technical. The tool might identify the problem, but leadership still must enforce ownership and remediation.&lt;/p&gt;
 &lt;p&gt;Another limitation is scope. Traditional CSPM tools focus on the control plane, not runtime behavior. They can identify if a storage bucket is open or if logging is disabled, but might not detect whether a workload is actively compromised. That is why many vendors now position CSPM &lt;a href="https://www.techtarget.com/searchsecurity/tip/CNAPP-vs-CSPM-Comparing-cloud-security-tools"&gt;inside broader CNAPP tools&lt;/a&gt;.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Leading CSPM tools to consider"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Leading CSPM tools to consider&lt;/h2&gt;
 &lt;p&gt;The CSPM market is relatively mature today. When evaluating platforms, consider the following vendors.&lt;/p&gt;
 &lt;h3&gt;Check Point CloudGuard&lt;/h3&gt;
 &lt;p&gt;CloudGuard focuses on posture, governance and compliance, with a strong policy engine and solid multi-cloud support. It is a good fit for organizations that value broad policy control, as the engine uses either custom-designed rules or out-of-the-box rulesets.&lt;/p&gt;
 &lt;p&gt;Packaging and pricing vary by environment size and capability.&lt;/p&gt;
 &lt;h3&gt;CrowdStrike Falcon Cloud Security&lt;/h3&gt;
 &lt;p&gt;Cloud Security extends the CrowdStrike Falcon platform from endpoint and identity into cloud posture and workload coverage. Its key differentiator is consolidation inside the Falcon platform, which can appeal to security operations teams that want fewer consoles.&lt;/p&gt;
 &lt;p&gt;Contact CrowdStrike for quote-based pricing.&lt;/p&gt;
 &lt;h3&gt;Fortinet FortiCNAPP&lt;/h3&gt;
 &lt;p&gt;FortiCNAPP is a sound option for buyers that value behavioral analytics and cloud activity context alongside posture.&lt;/p&gt;
 &lt;p&gt;Pricing is dependent on environment scale and purchased capabilities.&lt;/p&gt;
 &lt;h3&gt;Microsoft Defender for Cloud&lt;/h3&gt;
 &lt;p&gt;Defender for Cloud is the natural option for many Microsoft-centric organizations. It offers posture management across Azure and supports AWS and Google Cloud as well. Its biggest differentiators are native Azure integration and ties into Defender and Sentinel.&lt;/p&gt;
 &lt;p&gt;Pricing depends on enabled plans and workloads.&lt;/p&gt;
 &lt;h3&gt;Orca Security&lt;/h3&gt;
 &lt;p&gt;Orca Security is known for its SideScanning approach, which provides deep visibility without requiring agents in workloads. It has been strong in vulnerability and asset context, with a cloud-first operating model. Orca consolidates cloud workload, configuration, identity and entitlement security, container security, sensitive data discovery, and detection and response into a single platform across the software development lifecycle.&lt;/p&gt;
 &lt;p&gt;Contact Orca Security for quote-based pricing.&lt;/p&gt;
 &lt;h3&gt;Palo Alto Networks Cortex Cloud&lt;/h3&gt;
 &lt;p&gt;Palo Alto calls Cortex Cloud the next version of Prisma Cloud, its SaaS CNAPP. Cortex Cloud provides security teams with multicloud protection using real-time detection and response capabilities. It is attractive to organizations looking for more consolidated CNAPP and cloud detection and response strategies.&lt;/p&gt;
 &lt;p&gt;Pricing varies by module and consumption model.&lt;/p&gt;
 &lt;h3&gt;SentinelOne Singularity Cloud Security&lt;/h3&gt;
 &lt;p&gt;Singularity Cloud Security offers posture and cloud runtime capabilities with an emphasis on automation and correlation across the broader Singularity portfolio. It is more often considered by organizations already aligned to SentinelOne in endpoint security.&lt;/p&gt;
 &lt;p&gt;The Singularity platform is available in multiple tiers. Complete costs $179.99 per endpoint per year and Singularity Commercial costs $229.99 per endpoint per year. Singularity Enterprise is quote-based.&lt;/p&gt;
 &lt;h3&gt;Wiz&lt;/h3&gt;
 &lt;p&gt;One of the most visible cloud security platforms in the market, Wiz is known for agentless deployment, graph-based analysis and strong risk prioritization. &lt;a href="https://www.cybersecuritydive.com/news/google-32-billion-acquisition-wiz/814437/" target="_blank" rel="noopener"&gt;Acquired by Google&lt;/a&gt; in 2026, it is particularly differentiated in how it links posture findings to attack paths and toxic combinations of exposure.&lt;/p&gt;
 &lt;p&gt;Pricing is quote-based.&lt;/p&gt;
&lt;/section&gt;                          
&lt;section class="section main-article-chapter" data-menu-title="Final buyer guidance"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Final buyer guidance&lt;/h2&gt;
 &lt;p&gt;The most effective CSPM buying strategy is to start with an operating model rather than a feature checklist. Determine whether the main goal is compliance reporting, proactive posture reduction, developer guardrails, multi-cloud governance or broader CNAPP consolidation. Then evaluate how the tool fits into ownership workflows, remediation processes and executive reporting.&lt;/p&gt;
 &lt;p&gt;For CISOs, the strongest platforms are usually the ones that reduce noise, support accountability and help security teams explain cloud risk in business terms. A CSPM tool should not simply generate findings. It should help the organization decide what matters, who owns it and how quickly it can be fixed.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Dave Shackleford is founder and principal consultant at Voodoo Security, as well as a SANS analyst, instructor and course author, and GIAC technical director.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Editor's note:&lt;/b&gt;&lt;i&gt; The tools profiled in this article were selected based on market research. Each has a sizable customer base, is under active development and has numerous publicly available user reviews from verified purchasers. This list is organized alphabetically. Pricing and product details were current as of article publication. Information is subject to change at any time.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Cloud security posture management is a critical component of cloud defense strategy. Need help choosing a CSPM platform? This guide lists key features and platforms to consider.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/cloud_g470542178.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/Buyers-guide-for-CISOs-Cloud-security-posture-management</link>
            <pubDate>Wed, 06 May 2026 09:59:00 GMT</pubDate>
            <title>Buyer's guide for CISOs: Cloud security posture management</title>
        </item>
        <item>
            <body>&lt;p&gt;Cybersecurity insurance has never been a "must-have" purchase for enterprises, with many still forgoing any form of coverage. Others, however, have found it attractive as a way to hedge against the failure of their cybersecurity investments.&lt;/p&gt; 
&lt;p&gt;Cyber insurance can help an enterprise cover incident-related costs, such as fines for allowing personally identifiable information to leak or new laptops to replace those bricked by ransomware. In addition to financial support, some insurers can provide incident response assistance, ranging from expert technical advice and regulatory compliance guidance to &lt;a href="https://www.techtarget.com/searchdisasterrecovery/tip/How-to-manage-and-mitigate-reputational-risk"&gt;crisis-specific public relations support&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;But, as with other forms of insurance, cybersecurity insurers are ready and willing to disallow claims. And, for many years, they raised rates rapidly as they realized the true extent of enterprise vulnerabilities and saw how quickly the universe of threats evolved.&lt;/p&gt; 
&lt;p&gt;In the last couple of years, the rise in premiums has slowed and even sometimes reversed itself -- if certain conditions are met. Typically, insurers require enterprises to have in place cybersecurity measures that should be baseline practices in all enterprises but, sadly, still are not. That includes controls such as the following:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;Comprehensive use of MFA.&lt;/li&gt; 
 &lt;li&gt;Deployment of endpoint detection and response.&lt;/li&gt; 
 &lt;li&gt;Adoption of write-once, &lt;a href="https://www.techtarget.com/searchstorage/tip/Immutable-storage-What-it-is-why-its-used-and-how-it-works"&gt;immutable&lt;/a&gt; storage for backups.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;In addition to requiring companies to practice &lt;a href="https://www.techtarget.com/searchsecurity/definition/cyber-hygiene"&gt;cyber hygiene&lt;/a&gt; and properly deploy key security technology, insurers can require that potential clients create internal policies covering a wide range of standard cyber risks -- e.g., requiring the disabling of former employees' accounts as soon as they leave the organization. Insurers will also want audit-based evidence of ongoing, uniform enforcement of those policies -- e.g., that accounts are actually being disabled every time a staff member is fired or quits. If a breach occurs because the organization failed to follow the policy and did not immediately disable an employee's account upon termination -- thus allowing &lt;a href="https://www.techtarget.com/searchsecurity/tip/Five-common-insider-threats-and-how-to-mitigate-them"&gt;him or her to access systems and data&lt;/a&gt; -- the insurance company will likely dispute any claim.&lt;/p&gt; 
&lt;div class="youtube-iframe-container"&gt;
 &lt;iframe id="ytplayer-0" src="https://www.youtube.com/embed/OhVcvGC_XNM?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
&lt;/div&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Devil in the details"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Devil in the details&lt;/h2&gt;
 &lt;p&gt;While coverage is not getting steadily more expensive, the scope of coverage is getting more sharply defined and often narrower. Enterprises that do not carefully review policy changes during renewal, or that are only now getting into the market, might find their coverage is not what they were counting on or hoping for.&lt;/p&gt;
 &lt;blockquote class="main-article-pullquote"&gt;
  &lt;div class="main-article-pullquote-inner"&gt;
   &lt;figure&gt;
    Enterprises that do not carefully review policy changes during renewal, or that are only now getting into the market, might find their coverage is not what they were counting on or hoping for.
   &lt;/figure&gt;
   &lt;figcaption&gt;
    &lt;strong&gt;John Burke&lt;/strong&gt;Research analyst and CTO, Nemertes Research
   &lt;/figcaption&gt;
   &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/blockquote&gt;
 &lt;p&gt;Things to look for when reviewing a cyber insurance policy's fine print include the following:&lt;/p&gt;
 &lt;h3&gt;1. Patching latency&lt;/h3&gt;
 &lt;p&gt;Insurers sometimes require IT staff to install patches for known vulnerabilities within a specified window of their release. They can even include a policy requirement that an enterprise's third-party service providers meet a similar threshold. Failing to &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/Use-this-10-step-patch-management-process-to-ensure-success"&gt;patch in a timely way&lt;/a&gt;, or engaging service providers that fail to, can lead to insurers rejecting related claims.&lt;/p&gt;
 &lt;h3&gt;2. Third-party risk&lt;/h3&gt;
 &lt;p&gt;Insurers will often only insure against &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-a-third-party-risk-management-policy"&gt;problems with an organization's suppliers and service providers&lt;/a&gt; that it explicitly names in its policy. For example, an enterprise using CRMs-R-us.com for its &lt;a href="https://www.techtarget.com/searchcustomerexperience/infographic/The-history-and-evolution-of-CRM"&gt;customer relationship management&lt;/a&gt; platform must list that provider in the policy if it wants business-affecting outages there to be covered. If CRMs-R-us.com uses an IaaS provider such as AWS or Azure for its infrastructure needs, and the root cause of a problem was an outage there, the enterprise's policy likely also has to &lt;i&gt;name that third party&lt;/i&gt; to get coverage.&lt;/p&gt;
 &lt;h3&gt;3. Systemic event risks&lt;/h3&gt;
 &lt;p&gt;Some insurers are rewriting policies to exclude coverage for attacks or outages that affect a large segment of the economy or a specific industry. In other policies, insurers are not eliminating coverage but instead reducing the potential payouts for such events -- known as imposing a &lt;em&gt;sublimit&lt;/em&gt;.&lt;/p&gt;
 &lt;h3&gt;4. Nation-state activity&lt;/h3&gt;
 &lt;p&gt;Insurers have long refused to pay out for incidents that they can trace back to an adversarial national government -- in the early days, even invoking standard force majeure clauses that would protect them against having to pay out in the case of a military invasion. Over the last decade or more, insurers have expanded the exclusions relating to &lt;a target="_blank" href="https://www.cybersecuritydive.com/news/cyber-director-warnings-nation-state/716181/" rel="noopener"&gt;nation-state involvement&lt;/a&gt;. For example, they now might explicitly exclude from coverage breaches originating with non-state actors, such as criminal gangs, if the non-state actor is known to be -- or even simply understood to be, by the FBI or other competent authority -- operating under the direction of a state actor.&lt;/p&gt;
 &lt;h3&gt;5. User behavior requirements&lt;/h3&gt;
 &lt;p&gt;Insurers have been instrumental in pushing enterprises to aggressively &lt;a href="https://www.techtarget.com/searchsecurity/feature/How-to-avoid-phishing-hooks-A-checklist-for-your-end-users"&gt;train users to guard against common cyberthreats&lt;/a&gt;. Now, however, they are increasingly likely to require that users demonstrate cybersecurity awareness and proactively avoid attacks. For example, before it will pay out on phishing-related claims, an insurer might demand proof that users attempted &lt;a href="https://www.techtarget.com/searchsecurity/feature/Deepfake-era-demands-proof-based-security-not-just-awareness"&gt;out-of-band verification to mitigate the risk of phishing-related fraud&lt;/a&gt;. Suppose an accounting staffer receives an email invoice that appears to come from a reputable supplier but is actually a phishing attempt. To pay out on any related claim, the insurer might require proof that a staffer called the supplier to confirm the email actually came from the supposed sender.&lt;/p&gt;
 &lt;h3&gt;6. AI risk&lt;/h3&gt;
 &lt;p&gt;Assume policies won't cover AI-related damages unless explicitly included. Enterprises need to specify, in detail, what they want covered and -- based on how they use AI -- should consider including incidents such as the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Data leakage through external AI, including both leakage through prompting and leakage of training data.&lt;/li&gt; 
  &lt;li&gt;Data leakage from in-house AI, including both leakage through prompting and leakage of training data.&lt;/li&gt; 
  &lt;li&gt;Breach via &lt;a href="https://www.techtarget.com/searchsecurity/tip/Types-of-prompt-injection-attacks-and-how-they-work"&gt;prompt injection&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Breach via AI subversion.&lt;/li&gt; 
  &lt;li&gt;Damages due to AI-driven automation -- e.g., of network infrastructure operations.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Enterprises should also expect insurers to expand their governance requirements to include AI-specific policies and to exclude coverage for any unsanctioned use of AI. Let's say, for example, a media company's AI policy allows creative staff to use a large language model (LLM) AI to generate advertising copy, but it does not allow any other teams to use the LLM. The company should expect no coverage for a network outage caused by an automation script generated by network operations staff using that same LLM. The company might, however, expect coverage for outages caused by the AI built into its network infrastructure provider's management tools -- assuming it allows that use in its AI governance policy and explicitly calls out that platform in the insurance policy.&lt;/p&gt;
&lt;/section&gt;                  
&lt;section class="section main-article-chapter" data-menu-title="Constant vigilance"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Constant vigilance&lt;/h2&gt;
 &lt;p&gt;Cybersecurity insurance can be a good investment, but it is all too easy for an organization to find itself with less coverage than it needed and expected, as insurers seek to insulate themselves from excessive financial risks. CIOs and CISOs should collaborate closely with risk management and legal staff to ensure the organization not only understands what it is getting in a cyber insurance policy, but also gets what it needs -- whether in a first-time policy or the renewal of an existing one.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;John Burke is CTO and a research analyst at Nemertes Research. Burke joined Nemertes in 2005 with nearly two decades of technology experience. He has worked at all levels of IT, including as an end-user support specialist, programmer, system administrator, database specialist, network administrator, network architect and systems architect.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Cyber insurance premiums are stabilizing, but coverage is narrowing. From AI risks to nation-state attacks, here's what your policy might no longer cover.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/1.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/What-CISOs-should-look-for-in-cyber-insurance-policy-fine-print</link>
            <pubDate>Tue, 05 May 2026 19:53:00 GMT</pubDate>
            <title>6 things to check in your cyber insurance policy fine print</title>
        </item>
        <item>
            <body>&lt;p&gt;Since its emergence in the 1990s, cyber insurance has become a critical part of enterprise risk management. Initially an offshoot of errors and omissions insurance, cyber insurance coverage, which was limited in scope, swiftly matured as companies became more reliant on data and technology -- and as attackers posed a greater threat.&lt;/p&gt; 
&lt;p&gt;Cyber insurance, also known as &lt;i&gt;cyber liability insurance&lt;/i&gt;, is a commercial product that transfers financial risk arising from cyberattacks to a third party, helping victims recover from financial losses and &lt;a href="https://www.techtarget.com/searchdatamanagement/feature/Operational-resilience-is-a-benchmark-for-executive-success"&gt;operational disruptions&lt;/a&gt;. While terms vary from policy to policy, insurers typically cover a range of scenarios, including data breaches, &lt;a href="https://www.techtarget.com/searchsecurity/tip/10-common-types-of-malware-attacks-and-how-to-prevent-them"&gt;malware&lt;/a&gt;, social engineering attacks, system failures and business interruptions. According to MarketsandMarkets, the cyber insurance market, &lt;a href="https://www.insurancebusinessmag.com/us/news/cyber/global-cyber-insurance-market-could-hit-new-highs-by-2030-gallagher-forecasts-562203.aspx" target="_blank" rel="noopener"&gt;valued&lt;/a&gt; at $16.5 billion in 2025, is forecasted to grow to $32 billion by 2030.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Do organizations really need cyber insurance?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Do organizations really need cyber insurance?&lt;/h2&gt;
 &lt;p&gt;The FBI, in its IC3 Internet Crime Report, &lt;a href="https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf" target="_blank" rel="noopener"&gt;disclosed&lt;/a&gt; losses exceeding $20.8 billion as a result of cybercrime in 2025, a 26% increase from the prior year. Despite elevated cybersecurity awareness and sophisticated defenses, no organization is immune to digital threat actors.&lt;/p&gt;
 &lt;p&gt;The fallout from data breaches has grown more severe, too. Beyond financial damages, organizations recovering from a cyberattack potentially face negative press, &lt;a href="https://www.techtarget.com/searchdisasterrecovery/tip/How-to-manage-and-mitigate-reputational-risk"&gt;loss of public trust&lt;/a&gt;, &lt;a href="https://www.techtarget.com/searchcio/feature/Regulatory-trends-every-CIO-should-watch"&gt;regulatory costs and concerns&lt;/a&gt;, unanticipated business disruptions and legal action from stakeholders. A successful data breach can easily cost millions and affect a company for years.&lt;/p&gt;
 &lt;p&gt;Traditional business insurance does not cover cybersecurity risks; cyber insurance carriers offer the only contract model that can help an operation get back on its feet after a breach. In recent years, businesses of all sizes and across industries have discovered the benefits and risks of cyber insurance coverage. The following incidents are a few of the high-profile data breaches that occur all too often, and highlight how cyber insurance policyholders responded.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Cyber insurance carrier breached"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cyber insurance carrier breached&lt;/h2&gt;
 &lt;p&gt;The CNA Financial Corporation breach is one of the most significant ransomware incidents to affect the insurance industry, particularly because CNA itself is a major provider of cyber insurance.&lt;/p&gt;
 &lt;p&gt;In March 2021, CNA disclosed that it had suffered a sophisticated cyberattack that disrupted its network and internal systems, including corporate email and employee services. The attack was later identified as ransomware, widely attributed to the Russian-linked Evil Corp/Phoenix group. It reportedly encrypted more than 15,000 devices across the company's network, including remote systems connected via VPN. This widespread disruption forced CNA to shut down parts of its IT infrastructure and engage forensic experts and law enforcement to investigate the breach.&lt;/p&gt;
 &lt;p&gt;CNA decided to pay approximately &lt;a href="https://www.cybersecuritydive.com/news/cna-financial-ransomware-payment-treasury-sanctions/600591/" target="_blank" rel="noopener"&gt;$40 million in ransom&lt;/a&gt;, negotiated from a $60 million demand, to regain access to its systems. At the time, it was one of the largest publicly known ransomware payments.&lt;/p&gt;
 &lt;p&gt;Cyber insurance played a paradoxical role in this event. As a leading cyber insurer, CNA offered policies designed to help other organizations recover from cyberattacks, including coverage for ransomware incidents, business interruption and incident response services. However, in its Securities and Exchange Commission filings, CNA said its cyber insurance coverage would probably not fully offset the financial losses from the attack.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Resort pays to recover loyalty data"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Resort pays to recover loyalty data&lt;/h2&gt;
 &lt;p&gt;In August 2023, Caesars Entertainment, operator of the Caesars Palace resort, was the victim of a &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-avoid-and-prevent-social-engineering-attacks"&gt;social engineering attack&lt;/a&gt; targeting a third-party IT vendor. Attackers linked to the Scattered Spider group impersonated Caesars employees and tricked its outsourced IT support vendor into sharing access credentials. Once inside, they exfiltrated a large database tied to Caesars' loyalty program, compromising sensitive personal information belonging to its rewards members, including some driver's license and Social Security numbers.&lt;/p&gt;
 &lt;p&gt;The attackers demanded a ransom of around $30 million. Caesars ultimately chose to pay $15 million in exchange for the attackers' assurances that the stolen data would be deleted. Caesars' decision to pay enabled casino and hotel operations to continue largely uninterrupted, an example of the high-stakes trade-offs organizations face during ransomware incidents.&lt;/p&gt;
 &lt;p&gt;In its regulatory filings, Caesars acknowledged that the total financial impact of the breach -- including ransom payment, investigation and remediation costs -- would be partially offset by its cybersecurity insurance coverage.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="MGM Resorts refuses to pay"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;MGM Resorts refuses to pay&lt;/h2&gt;
 &lt;p&gt;A month after the Caesars breach, MGM Resorts International suffered a similar incident. Scattered Spider used social engineering techniques to access MGM's systems by impersonating an employee and convincing the IT help desk staff to reset credentials. Attackers deployed ransomware, encrypting systems and forcing MGM to shut down large portions of its operations.&lt;/p&gt;
 &lt;p&gt;MGM did not pay its attackers. Hotels and casinos across Las Vegas experienced widespread outages, including inoperable slot machines, malfunctioning digital room keys and disabled booking systems. The disruption lasted several days, significantly impacting customer experience and revenue. MGM later confirmed that personal information, including names, contact details and some Social Security numbers, had been accessed.&lt;/p&gt;
 &lt;p&gt;Cyber insurance mitigated some of these losses but did not eliminate the financial impact. The company &lt;a href="https://www.cybersecuritydive.com/news/mgm-las-vegas-100m-hit-cyberattack/695852/" target="_blank" rel="noopener"&gt;reportedly had a policy&lt;/a&gt; covering $200 million in business interruption- and ransomware-related costs, but it still disclosed a $100 million financial impact from the incident, with an additional $10 million incurred in costs for consultants, advisors and legal fees.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="A city denied due to MFA"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;A city denied due to MFA&lt;/h2&gt;
 &lt;p&gt;The February 2024 cyberattack on the city of Hamilton, Ontario, highlighted how failing to meet cyber insurance requirements might leave an organization fully exposed to financial loss. Attackers gained access to the city's network through weak credentials on public-facing systems. The incident crippled 80% of the municipal IT infrastructure. Critical services, including business licensing, property tax and transit planning, were offline for weeks. Some system backups, including permit applications and fire department records, were unrecoverable.&lt;/p&gt;
 &lt;p&gt;The attackers demanded $18.5 million in ransom. Hamilton chose not to pay, citing unreliable decryption tools and concerns about funding organized crime. Instead, it spent nearly the same amount -- about $18.3 million -- on recovery efforts.&lt;/p&gt;
 &lt;p&gt;Under normal circumstances, Hamilton's cyber insurance policy would help offset the losses. However, the city's IT teams had &lt;a href="https://www.cp24.com/local/hamilton/2025/07/31/hamilton-taxpayers-on-the-hook-for-full-183m-cyberattack-repair-bill-after-insurance-claim-denied/" target="_blank" rel="noopener"&gt;failed&lt;/a&gt; to fully implement MFA, as required under the policy, and the claim was &lt;a href="https://www.hamilton.ca/city-council/news-notices/news-releases/cybersecurity-update-city-provides-more-incident-details" target="_blank" rel="noopener"&gt;denied&lt;/a&gt;. A lack of &lt;a href="https://www.techtarget.com/searchsecurity/feature/Types-of-cybersecurity-controls-and-how-to-place-them"&gt;proper cybersecurity controls&lt;/a&gt; resulted in a fully uninsured financial burden shouldered by taxpayers.&lt;/p&gt;
 &lt;p&gt;With cybercrime costs surging and the fallout from breaches growing more severe, organizations should consider the role of cyber insurance in safeguarding operations, reputation and the bottom line. Whether policyholders decide to cede to threat actor demands or take a stand on principle, organizations must clearly understand what's covered, what's not and what cybersecurity measures are necessary to keep systems safe.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Richard Livingston is an editor with Informa TechTarget's SearchSecurity site, covering cybersecurity news, trends and analysis.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Four organizations, each with cyber insurance policies, responded differently to data breaches. Read the real-world examples of what went right and wrong.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/arvr_g1245297617.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/feature/How-cyber-insurance-helped-with-breach-recovery-or-not</link>
            <pubDate>Mon, 04 May 2026 10:24:00 GMT</pubDate>
            <title>How cyber insurance helped with breach recovery -- or not</title>
        </item>
        <item>
            <body>&lt;p&gt;The Stuxnet worm is widely recognized as the first confirmed cyberattack designed to damage critical infrastructure. Discovered in 2010 but used as early as 2009, it targeted uranium enrichment systems at Iran's Natanz Nuclear Facility, causing physical destruction of centrifuges.&lt;/p&gt; 
&lt;p&gt;Fast-forward to the post-IT/OT convergence boom of the mid- to late-2010s, and attacks on operational technology and critical infrastructure have become significantly more widespread and impactful, driven by increased &lt;a href="https://www.techtarget.com/searchitoperations/definition/IT-OT-convergence"&gt;connectivity between IT and OT environments&lt;/a&gt; that has expanded the attack surface and enabled attackers to infiltrate industrial systems through enterprise IT networks.&lt;/p&gt; 
&lt;p&gt;TXOne Networks, a cybersecurity company, reported that 96% of OT incidents in 2025 could be traced back to IT system compromises. Forescout, meanwhile, found that attacks on OT protocols increased by 84% in 2025 over the previous year, led by Modbus (57% of attacks) and Ethernet/IP (22%). Dragos reported a nearly 95% increase in the number of ransomware attacks in the same time frame, as well as a 49% increase in the number of ransomware gangs targeting industrial organizations.&lt;/p&gt; 
&lt;p&gt;Industrial and OT systems were targets before they were connected to the internet, and IT/OT convergence -- despite its benefits -- is making such systems systematically more accessible, visible and valuable for attackers.&lt;/p&gt; 
&lt;p&gt;This week's featured news highlights the latest OT and critical infrastructure attacks and trends, as well as why the government is touting &lt;a href="https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network"&gt;zero trust&lt;/a&gt; as a solution to the problem.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Lotus Wiper: Destructive cyberattack targets Venezuelan energy sector"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Lotus Wiper: Destructive cyberattack targets Venezuelan energy sector&lt;/h2&gt;
 &lt;p&gt;In December 2025, Venezuela's energy sector suffered a sophisticated cyberattack using Lotus Wiper malware, which employed &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-prevent-living-off-the-land-attacks"&gt;living-off-the-land techniques&lt;/a&gt; to destroy system data and disrupt operations.&lt;/p&gt;
 &lt;p&gt;The attack, analyzed by Kaspersky Lab, used batch scripts to coordinate network infiltration, disable defenses and delete critical files, leaving systems unrecoverable.&lt;/p&gt;
 &lt;p&gt;Experts noted this reflects a growing trend of nation-state actors using &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-mitigate-wiper-malware"&gt;wiper malware&lt;/a&gt; as an effective cyber weapon against critical infrastructure, emphasizing the need for network segmentation and immutable backups to counter such threats.&lt;/p&gt;
 &lt;p&gt;&lt;a target="_blank" href="https://www.darkreading.com/cyber-risk/lotus-wiper-attack-targeted-venezuelan-energy-firms-utilities" rel="noopener"&gt;&lt;i&gt;Read the full article by Robert Lemos on Dark Reading&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Manufacturing remains most targeted by cyberattacks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Manufacturing remains most targeted by cyberattacks&lt;/h2&gt;
 &lt;p&gt;The manufacturing sector accounted for one in four cyberattacks in 2025, yet remains inadequately prepared to address cyberthreats, according to cybersecurity insurer Resilience.&lt;/p&gt;
 &lt;p&gt;Ransomware attacks on manufacturers surged 61% compared to 46% across all sectors, driven by low downtime tolerance and tight security budgets. Between March 2021 and February 2026, ransomware caused 90% of sector losses despite representing only 12% of claims by Resilience clients.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.cybersecuritydive.com/news/manufacturing-cybersecurity-threats-resilience/818680/"&gt;&lt;i&gt;Read the full article by Eric Geller on Cybersecurity Dive&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Critical infrastructure vendor Itron discloses network breach"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Critical infrastructure vendor Itron discloses network breach&lt;/h2&gt;
 &lt;p&gt;Itron, a major supplier of smart meter devices for energy and water utilities, disclosed a cyberattack on its computer networks discovered April 13.&lt;/p&gt;
 &lt;p&gt;The Liberty Lake, Washington-based company, which serves over 7,700 utility providers across 100 countries, stated it remediated the unauthorized activity and detected no subsequent intrusions or customer data access.&lt;/p&gt;
 &lt;p&gt;Itron's devices are widely deployed in electric, gas and water sectors, and the company partners on smart city projects controlling energy infrastructure.&lt;/p&gt;
 &lt;p&gt;According to its Securities and Exchange Commission filing, operations were not disrupted, insurance will cover significant incident costs and the breach is not expected to materially impact the company.&lt;/p&gt;
 &lt;p&gt;&lt;a target="_blank" href="https://www.cybersecuritydive.com/news/critical-infrastructure-cyberattack-itron-smart-meters/818547/" rel="noopener"&gt;&lt;i&gt;Read the full article by Eric Geller on Cybersecurity Dive&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Iran escalates cyber capabilities against U.S. critical infrastructure"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Iran escalates cyber capabilities against U.S. critical infrastructure&lt;/h2&gt;
 &lt;p&gt;Since the U.S.-Iran conflict began in February, Iranian-backed cyberthreat groups have evolved toward more destructive attacks, according to security researchers.&lt;/p&gt;
 &lt;p&gt;Iran-linked actors increasingly deploy data-wiping malware, target critical infrastructure and exploit vulnerabilities in programmable logic controllers and Rockwell Automation devices. Notable incidents include a March &lt;a href="https://www.techtarget.com/searchsecurity/news/366640592/News-brief-Stryker-recovering-after-large-scale-cyberattack"&gt;wiper attack on medical device maker Stryker&lt;/a&gt; and threats to Israeli water systems.&lt;/p&gt;
 &lt;p&gt;CISA warned that poorly secured, internet-accessible infrastructure remains vulnerable. Experts recommended removing internet-facing devices, enabling MFA and hardening admin accounts.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.cybersecuritydive.com/news/iran-nexus-threat-groups-refine-attacks-against-critical-infrastructure/818299/"&gt;&lt;i&gt;Read the full article by David Jones on Cybersecurity Dive&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="DC power regulators emerge as hidden cyberattack vector"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;DC power regulators emerge as hidden cyberattack vector&lt;/h2&gt;
 &lt;p&gt;Direct current power regulators, which stabilize voltage for devices across critical infrastructure, represent an overlooked attack surface, Andy Davis, research director at NCC Group, warned.&lt;/p&gt;
 &lt;p&gt;Operating below the OS level, these increasingly sophisticated, firmware-driven components can hide malicious activity outside traditional security monitoring. Attackers exploiting vulnerabilities in programmable regulators could trigger DoS attacks, cause hardware damage or compromise safety-critical systems such as connected vehicles. Davis said that these incidents could fly under the radar as random equipment failures.&lt;/p&gt;
 &lt;p&gt;Experts recommend treating power regulation as part of security architecture, implementing network segmentation, monitoring, cryptographic signing and secure boot mechanisms to defend against this emerging threat as power systems grow more complex.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.darkreading.com/cyber-risk/electricity-growing-area-cyber-risk"&gt;&lt;i&gt;Read the full article by Arielle Waldman on Dark Reading&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="U.S. agencies issue zero-trust guidance for critical infrastructure OT systems"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;U.S. agencies issue zero-trust guidance for critical infrastructure OT systems&lt;/h2&gt;
 &lt;p&gt;U.S. government agencies, including CISA, the FBI and the Departments of Defense, Energy and State, released guidance Wednesday on applying zero-trust principles to OT environments.&lt;/p&gt;
 &lt;p&gt;The document addresses unique OT challenges -- legacy systems, availability requirements and physical safety constraints -- that complicate traditional security approaches.&lt;/p&gt;
 &lt;p&gt;Recommendations include establishing governance frameworks, supply chain oversight using software bills of materials, network segmentation, identity management and layered compensating controls where ideal access restrictions aren't operationally feasible.&lt;/p&gt;
 &lt;p&gt;The guidance emphasizes cross-team collaboration among IT, OT and cybersecurity personnel, warning that technology alone is insufficient.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.cybersecuritydive.com/news/zero-trust-operational-technology-us-guidance/818950/"&gt;&lt;i&gt;Read the full article by Eric Geller on Cybersecurity Dive&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="More on OT and critical infrastructure security"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;More on OT and critical infrastructure security&lt;/h2&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Key-OT-security-best-practices"&gt;Key OT security best practices&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-OT-threats-and-security-challenges"&gt;Top OT threats and security challenges&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-ensure-OT-secure-remote-access-and-prevent-attacks"&gt;How to ensure OT secure remote access and prevent attacks&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/What-CISOs-need-to-know-to-build-an-OT-cybersecurity-program"&gt;What CISOs need to know to build an OT cybersecurity program&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/SBOM-formats-compared-CycloneDX-vs-SPDX-vs-SWID-Tags"&gt;SBOM formats explained: Guide for enterprises&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-an-SBOM-with-example-and-template"&gt;How to create an SBOM: Example and free template&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/feature/How-to-implement-zero-trust-security-from-people-who-did-it"&gt;How to implement zero trust: Expert steps&lt;/a&gt;&lt;a href="Top%206%20benefits%20of%20zero-trust%20security%20for%20businesses"&gt;&lt;/a&gt;&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;b&gt;Editor's note:&lt;/b&gt; &lt;i&gt;An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;em&gt;Sharon Shea is executive editor of TechTarget Security.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Check out the latest security news from TechTarget SearchSecurity's sister sites, Cybersecurity Dive and Dark Reading.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/security_a375027496.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/news/366642732/News-brief-Critical-infrastructure-OT-cybersecurity-attacks</link>
            <pubDate>Fri, 01 May 2026 18:45:00 GMT</pubDate>
            <title>News brief: Critical infrastructure, OT cybersecurity attacks</title>
        </item>
        <item>
            <body>&lt;p&gt;The necessity of data backup has been clear since the early days of computing. And the oldest backup method -- tape -- is still a viable option.&lt;/p&gt; 
&lt;p&gt;In the past decade, tape use declined in favor of the cloud due to its comparable costs, easy scalability and quicker data retrieval. However, data protection teams are revisiting tape-based backup as cyberattacks target online vulnerabilities and strategies evolve from the 3-2-1 backup rule to the &lt;a href="https://www.techtarget.com/searchdatabackup/tip/How-the-3-2-1-1-0-backup-rule-reflects-modern-needs"&gt;3-2-1-1-0 rule&lt;/a&gt;, which adds an offline, verified restore point -- a feature regulators and cyber-insurance providers are pressuring enterprises to adopt.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Tape-based backup makes a comeback"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Tape-based backup makes a comeback&lt;/h2&gt;
 &lt;p&gt;Even the most sophisticated hardware and software will fail. Over the years, many alternative &lt;a href="https://www.techtarget.com/searchdatabackup/tip/Long-term-data-backup-options"&gt;backup methods&lt;/a&gt; emerged but most organizations long relied on tape for economical, high-capacity retention, said Kevin Ripa, a senior instructor at the SANS Institute, a cybersecurity training, certification and research organization.&lt;/p&gt;
 &lt;p&gt;"It was the backbone of how organizations recorded and stored data at scale," added Chasserae Coyne, a member of the Emerging Trends Working Group at the professional governance association ISACA and manager of AI, data and privacy risk at an insurance and fintech firm.&lt;/p&gt;
 &lt;p&gt;Low-cost disk and public cloud shifted enterprise backup architectures away from tape. Organizations looked at &lt;a href="https://www.techtarget.com/searchdatabackup/feature/Top-20-cloud-backup-services-for-2019"&gt;cloud services&lt;/a&gt; not just for day-to-day computing and data processing, but also for backup storage, said Harshad Sadashiv Kadam, a member of ISACA's Emerging Trends Working Group and a senior infrastructure security engineer at a technology company.&lt;/p&gt;
 &lt;p&gt;The use of tape never disappeared and has experienced a recent resurgence. Although the market size for tape storage varies by research firm, the consensus is it's growing. The Business Research Company, for example, &lt;a target="_blank" href="https://www.thebusinessresearchcompany.com/report/tape-storage-global-market-report" rel="noopener"&gt;valued the storage market size&lt;/a&gt; at $6.27 billion in 2025 and predicted that it will grow to $11.18 billion in 2030 at a compound annual growth rate of 12.3%.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Why tape is back in the enterprise mix"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why tape is back in the enterprise mix&lt;/h2&gt;
 &lt;p&gt;Two major factors drive the upswing in tape storage for backup.&lt;/p&gt;
 &lt;h3&gt;1. The limits of always-on storage&lt;/h3&gt;
 &lt;p&gt;Risk leaders recognize online storage -- whether accessed through the cloud or on-premises -- has drawbacks, Coyne said. Cyberattacks can corrupt enterprise systems, including the data in those storage systems.&lt;/p&gt;
 &lt;p&gt;"Some thought that cloud storage for their backups was a good idea, until their cloud storage gets compromised in a ransomware attack," Ripa added.&lt;/p&gt;
 &lt;p&gt;Ripa said overall cloud costs are sending some &lt;a href="https://www.techtarget.com/searchdatabackup/answer/How-can-you-use-magnetic-tape-storage-in-this-big-data-age"&gt;organizations back to tape&lt;/a&gt; for specific backup and archive needs.&lt;/p&gt;
 &lt;h3&gt;2. Regulators and insurers raise the bar for backups&lt;/h3&gt;
 &lt;p&gt;Coyne pointed to &lt;a href="https://www.techtarget.com/searchdatamanagement/tip/Data-governance-regulations-that-executives-should-know"&gt;regulations and standards&lt;/a&gt; related to data protection that emphasize immutable records and separate backups, features that are enabled by offline retention, which is driving renewed interest in tape. Similarly, cyber insurance carriers increasingly require evidence of offline or immutable backups and may offer more favorable terms with those controls in place.&lt;/p&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="How tape storage stacks up against SSDs and HDDs"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How tape storage stacks up against SSDs and HDDs&lt;/h2&gt;
 &lt;p&gt;Tape fits neatly into broader &lt;a href="https://www.techtarget.com/searchdatabackup/feature/The-7-critical-backup-strategy-best-practices-to-keep-data-safe"&gt;data protection and risk frameworks&lt;/a&gt;, as well as organizational resilience strategies, because it can be stored offline. Air-gapped protection is critical for organizations because air-gapped media is disconnected from the network and internet, making it inaccessible to hackers, ransomware and other cyberattacks. When combined with WORM media and controlled processes, tape supports immutability and long-term retention for compliance and archival governance.&lt;/p&gt;
 &lt;p&gt;Philipp Jung, a senior partner in the digital and analytics practice at consulting firm Kearney, listed tape's advantages versus &lt;a href="https://www.techtarget.com/searchstorage/tip/SSD-vs-HDD-Key-differences-and-when-to-use-each"&gt;SSDs and HDDs&lt;/a&gt;:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Higher reliability in cold storage scenarios, with no wear-out or mechanical failure risk.&lt;/li&gt; 
  &lt;li&gt;Higher durability with a shelf life of 20 to 30-plus years versus disk's three to 10 years.&lt;/li&gt; 
  &lt;li&gt;More scalability with petabytes and beyond, whereas HDDs have rack, power and cooling constraints, and SSDs get expensive with scale.&lt;/li&gt; 
  &lt;li&gt;No power consumption when at rest.&lt;/li&gt; 
  &lt;li&gt;Higher security offline when media are taken off the network, whereas HDD and SSD are accessible online.&lt;/li&gt; 
  &lt;li&gt;Lower costs per terabyte.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Tape should complement, not replace, other backup methods. Many backup strategies, especially the 3-2-1-1-0 approach, call for data storage on at least two different types of media, with one kept offline for &lt;a href="https://www.techtarget.com/searchdatabackup/definition/What-is-an-air-gap-backup-Strategy-benefits-and-use-cases"&gt;air-gapped protection&lt;/a&gt;. Tape is also ideal for long-term archiving.&lt;/p&gt;
 &lt;p&gt;"Tape is good for archives, compliance and back-ups that are accessed in [an] emergency and where you have time to restore," Jung said.&lt;/p&gt;
 &lt;p&gt;&lt;em&gt;Mary K. Pratt is an award-winning freelance journalist with a focus on covering enterprise IT and cybersecurity management.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>As the backup playbook gets rewritten, tape returns to quietly strengthen resilience, complementing the cloud and disk with dependable recovery and predictable long-term costs.</description>
            <image>https://cdn.ttgtmedia.com/visuals/searchDataBackup/tape_libraries/databackup_article_015.jpg</image>
            <link>https://www.techtarget.com/searchdatabackup/feature/Why-tape-based-backup-is-making-a-comeback</link>
            <pubDate>Fri, 01 May 2026 15:45:00 GMT</pubDate>
            <title>Tape's strategic role in modern data protection</title>
        </item>
        <item>
            <body>&lt;p&gt;Most organizations have embraced zero trust, but many are early in their adoption journey. Yet with the rising volume, velocity and sophistication of attacks, security teams are under pressure to accelerate those journeys.&lt;/p&gt; 
&lt;p&gt;"We're definitely seeing higher rates of adoption today than one or two years ago," said Jimmy Nilsson, vice president of professional services at Kyndryl, a security consulting firm.&lt;/p&gt; 
&lt;p&gt;Zscaler's ThreatLabz 2026 VPN Risk Report found that 84% of surveyed organizations had implemented or were planning to implement zero trust, up from 81% the prior year and 78% the year before that.&lt;/p&gt; 
&lt;p&gt;Those figures, however, tell only part of the story. Researchers, security advisers and others in the field say enterprise security teams have just begun to take advantage of what zero trust can do to counter the many threats they face.&lt;/p&gt; 
&lt;p&gt;Let's examine what zero trust is capable of and the specific use cases where it can be put to work.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Zero-trust's capabilities"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Zero-trust's capabilities&lt;/h2&gt;
 &lt;p&gt;Cybersecurity professionals view &lt;a href="https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network"&gt;zero trust&lt;/a&gt; as an approach, a framework, a philosophy and a security model. Mike Monday, managing director of security and privacy at global business consulting firm Protiviti, called it an "engineering strategy."&lt;/p&gt;
 &lt;p&gt;Zero trust is built on the idea that no user, device, system, workload or network segment -- even if it sits within an enterprise perimeter -- should be inherently trusted. Instead, the zero-trust security model requires entities to be authenticated and verified before they can access resources. Every access request must be authenticated, authorized and continuously validated based on identity, device health, context and risk signals.&lt;/p&gt;
 &lt;p&gt;"That whole authentication has to happen through that end-to-end process," Monday explained.&lt;/p&gt;
 &lt;p&gt;By removing inherent trust and adding authentication requirements and continuous validation, zero trust helps ensure that only authorized, authenticated entities are permitted access to an organization's IT environment and the data it holds. It also helps contain entities that do gain access, such as threat actors, by preventing unauthorized entities from moving freely throughout the environment.&lt;/p&gt;
 &lt;p&gt;John Kindervag &lt;a href="https://www.techtarget.com/whatis/feature/History-and-evolution-of-zero-trust-security"&gt;introduced the zero-trust security model&lt;/a&gt; in 2010 while he was an analyst at Forrester Research. He and other early advocates championed zero trust as a necessary replacement for the traditional castle-and-moat security model, which by default extends trust to anything within the corporate environment. Such a hard-perimeter, soft-interior model relies on firewalls. In an era when cloud computing and other technologies were quickly eliminating the perimeter, &lt;a href="https://www.techtarget.com/searchsecurity/tip/Perimeter-security-vs-zero-trust-Its-time-to-make-the-move"&gt;this approach provided inadequate protection&lt;/a&gt; against threat actors.&lt;/p&gt;
 &lt;p&gt;A zero-trust environment requires a combination of security technologies and IT architecture patterns and principles. These technologies include identity and access management, &lt;a href="https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA"&gt;MFA&lt;/a&gt;, zero trust network access (&lt;a href="https://www.techtarget.com/searchnetworking/tip/The-basics-of-zero-trust-network-access-explained"&gt;ZTNA&lt;/a&gt;) and endpoint detection and response tools. Key enabling IT architectures include microsegmentation and microperimeters.&lt;/p&gt;
 &lt;p&gt;"Zero trust is a journey. It's a way of leveraging various technologies to address a specific problem, which is securing networks and securing data," said Fritz Jean-Louis, principal cybersecurity advisor at Info-Tech Research Group.&lt;/p&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="Key use cases for zero trust"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Key use cases for zero trust&lt;/h2&gt;
 &lt;p&gt;An organization can apply zero-trust principles in a variety of ways. Key use cases include the following:&lt;/p&gt;
 &lt;ul type="disc" class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Employees working on-site&lt;/b&gt;&lt;b&gt;.&lt;/b&gt; Zero trust ensures on-site workers access only the systems and data necessary to perform their jobs at the time they need that access. This limits the &lt;a href="https://www.techtarget.com/searchsecurity/tip/Five-common-insider-threats-and-how-to-mitigate-them"&gt;risks posed by insider threats&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Remote workers&lt;/b&gt;&lt;b&gt;.&lt;/b&gt; With zero trust, remote workers access only the systems and data they are authorized to access when that access is required. They do so from devices and networks that are secure through contextual security enabled by ZTNA and other measures.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Third parties&lt;/b&gt;&lt;b&gt;.&lt;/b&gt; Zero trust can be applied to third parties outside the organization, such as contractors, partners and customers. Strictly controlled access for them reduces the risk of unwanted, unintended exposure and third party-related data breaches.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;System-to-system or machine-to-machine access.&lt;/b&gt; These require continuous authentication for every request, and zero trust adds protection through the &lt;a href="https://www.techtarget.com/searchsecurity/tip/Why-zero-trust-requires-microsegmentation"&gt;use of microsegmentation&lt;/a&gt;. This zero-trust use case helps &lt;a href="https://www.techtarget.com/searchsecurity/answer/Use-microsegmentation-to-mitigate-lateral-attacks"&gt;prevent lateral movement&lt;/a&gt; by entities and ensures that if one service or device is compromised, attackers cannot automatically access other parts of the environment.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Endpoints and remote devices.&lt;/b&gt; In this use case, which includes operational and IoT technologies, zero trust requires that devices be authenticated and validated before they are permitted to access networks, systems and data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Access to APIs&lt;/b&gt;&lt;b&gt;.&lt;/b&gt; Zero trust can be used for strict, continuous authentication and authorization for every API request, regardless of origin. This design is meant to permit legitimate access while preventing lateral movement by unauthorized entities. The result is a minimized blast radius in the event of an unauthorized entry somewhere in the environment.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Data.&lt;/b&gt; Zero trust can help protect data in the era of generative AI and large language models by authenticating and verifying AI identities and roles before granting them access to data they are authorized to use. Gartner has predicted that 50% of organizations will implement a zero-trust posture for data governance by 2028. This is increasingly relevant as unverified AI-generated data proliferates.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;AI agents&lt;/b&gt;&lt;b&gt;.&lt;/b&gt; Organizations that apply zero trust to AI agents deny trust by default. Instead, agents are assigned individual identities, which enables each to be tracked. Zero trust prevents agents from sharing credentials, and agents are subject to continuous authentication and task-based permissions, as well as behavioral and semantic analysis.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Zero-trust implementation strategies and challenges"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Zero-trust implementation strategies and challenges&lt;/h2&gt;
 &lt;p&gt;To &lt;a href="https://www.techtarget.com/searchsecurity/feature/How-to-implement-zero-trust-security-from-people-who-did-it"&gt;implement or advance their use of zero trust&lt;/a&gt;, experts advise organizations to develop a new mindset, yet many struggle to do this, Nilsson said.&lt;/p&gt;
 &lt;p&gt;"Many organizations aren't successful because they're too focused on cybersecurity technology. They end up with siloed cybersecurity technologies, which is no different than how security organizations focused on cybersecurity two decades ago," Nilsson said. "Zero trust requires a new operating model. It's a change in how organizations approach security architecture."&lt;/p&gt;
 &lt;p&gt;Nilsson and others cautioned organizations against implementing zero trust in every area of their digital environment all at once.&lt;/p&gt;
 &lt;p&gt;"Zero trust can protect the entire ecosystem, but realistically, the number of tools you'd have to deploy to protect all those elements is onerous," Jean-Louis said.&lt;/p&gt;
 &lt;p&gt;Experts also noted that organizations might struggle to implement zero-trust principles in legacy systems and to balance user experience with zero-trust requirements.&lt;/p&gt;
 &lt;p&gt;Jean-Louis said he advises organizations to identify their &lt;i&gt;protect surface&lt;/i&gt; -- that is, the portion of the larger attack surface they deem most necessary to protect. Consider how to apply zero trust to identities, devices, applications, data and the network using tools and technologies that can work across as many of those five areas as possible.&lt;/p&gt;
 &lt;p&gt;Nilsson recommended a similar strategy, saying organizations should be as specific as they can in how they define their use cases. Build a zero-trust strategy for a specific use case, he said, and then use that as a blueprint for the next use cases.&lt;/p&gt;
 &lt;p&gt;"Always think about what you are trying to secure, understand the asset you're trying to secure, how it is used by the business, how it collaborates with other systems in the business, and then build the security around that," Nilsson said.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Mary K. Pratt is an award-winning freelance journalist with a focus on covering enterprise IT and cybersecurity management.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>When applied correctly, zero trust can minimize an organization's attack surface. Experts weigh in on the best use cases where zero trust can deliver results.</description>
            <image>https://cdn.ttgtmedia.com/visuals/German/zero-trust-adobe.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/Zero-trust-use-cases-highlight-both-its-benefits-and-misconceptions</link>
            <pubDate>Fri, 01 May 2026 00:00:00 GMT</pubDate>
            <title>Top zero-trust use cases in the enterprise</title>
        </item>
        <item>
            <body>&lt;p&gt;No SIEM strategy, platform or service is perfect. Enterprise needs and circumstances change. Providers and offerings evolve. New options arise. Inevitably, many organizations must eventually migrate from their existing SIEMs or SIEM providers to new ones.&lt;/p&gt; 
&lt;p&gt;Upon deciding a &lt;a href="https://www.techtarget.com/searchsecurity/tip/SIEM-implementation-steps-and-best-practices"&gt;new SIEM&lt;/a&gt; is necessary, the CISO should approach implementation strategically, ensuring important data, rules, playbooks and workflows remain available during and after the transition. A successful and responsible SIEM migration also minimizes disruptions stemming from the discovery of forgotten technical integrations and undocumented use cases.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Don't forget the data"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Don't forget the data&lt;/h2&gt;
 &lt;p&gt;The lifeblood of a cybersecurity operation is data: data about entities in the environment, data about what those entities are and aren't supposed to do, data about how those entities behave, data about the cybersecurity infrastructure itself and so on.&lt;/p&gt;
 &lt;p&gt;Before a SIEM migration, CISOs must lay careful plans to ensure necessary data from the old platform is preserved and usable by the new one. The following data is especially important:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Entity behavioral data&lt;/b&gt;. A zero-trust environment requires three kinds of data: &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-write-an-information-security-policy-plus-templates"&gt;policy data&lt;/a&gt; that dictates which entities are allowed to talk to each other, identity data that determines whether an entity is in fact who or what it claims to be, and behavioral data that shows how entities act in the environment and whether those actions deviate from baseline norms. While not involved in maintaining policy or identity data, the &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-SIEM-use-cases-in-the-enterprise"&gt;SIEM is integral to collecting behavioral data&lt;/a&gt;. When switching tools or providers, a CISO must ensure the security team can preserve and transfer baseline behavioral data for all entities in the environment.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Policy enforcement data&lt;/b&gt;. Logs showing security policy enforcement are important to incident investigations, &lt;a href="https://www.techtarget.com/searchsecurity/feature/5-critical-steps-to-creating-an-effective-incident-response-plan"&gt;incident response&lt;/a&gt; and after-incident reporting. This data should transfer to the new SIEM platform and remain available during migration. At every step of the transition, it must also be clear to the security team which platform -- old or new -- is the authoritative source.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Compliance-related data&lt;/b&gt;. Many organizations are required by law to maintain cybersecurity-relevant log data. For example, power utilities and telecommunications providers must be able to provide evidence that they were, at any given point in time, compliant with specific security requirements in their respective industries. Ensure continuity in compliance-related data collection and confirm that historical data from the old platform will be available after migration -- either by ingestion into the new tool or through an archival platform.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Take custom rules, playbooks and workflows with you"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Take custom rules, playbooks and workflows with you&lt;/h2&gt;
 &lt;p&gt;If data is the lifeblood of cybersecurity, &lt;a href="https://www.techtarget.com/searchsecurity/tip/Use-the-CIA-triad-to-shape-security-automation-use-cases"&gt;automation is rapidly becoming its beating heart&lt;/a&gt;. Some SIEM automation is obviously SIEM-specific, such as instituting extra monitoring on a network entity that is acting unusually, whether at the behest of another tool or human operator or based on the SIEM's native &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-10-UEBA-enterprise-use-cases"&gt;user and entity behavior analytics&lt;/a&gt; functionality.&lt;/p&gt;
 &lt;p&gt;Less obviously, multiple facets of automation and process knowledge are often now embedded in SIEM systems and services, which -- like many cybersecurity tools -- have porous functional boundaries. &lt;a href="https://www.techtarget.com/searchsecurity/tip/Incident-response-automation-What-it-is-and-how-it-works"&gt;SIEM platforms can play key parts in incident response&lt;/a&gt;, for example, and might also serve as repositories of institutional knowledge in the form of automated workflows among roles or teams. During a SIEM migration, CISOs should pay attention to preserving important automation and process information, such as the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Custom detection rules&lt;/b&gt;. SIEMs filter incoming data to look for notable events and anomalies. Any event-parsing rules the organization has developed, or that a service provider has developed on its behalf, need to be documented for replication in the new platform.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Preservation of organization-specific playbooks and workflows&lt;/b&gt;. &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-an-incident-response-playbook"&gt;Incident response playbooks&lt;/a&gt; define the steps that staff and automation tools should take in the event of a suspected or confirmed cybersecurity incident. Workflows automate many of the actions and processes that playbooks dictate, as well as day-to-day operational processes. Ensure all active and relevant workflows and playbook components from the old SIEM platform are replicated in the new one. Note that &lt;i&gt;active and relevant &lt;/i&gt;are important considerations. A SIEM migration is an opportunity to prune dead wood by leaving behind workflows or playbooks that have been superseded but not yet deleted.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Minimize surprises: Forgotten integrations and unknown users"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Minimize surprises: Forgotten integrations and unknown users&lt;/h2&gt;
 &lt;p&gt;A &lt;a target="_blank" href="https://www.darkreading.com/cybersecurity-operations/cisa-soar-siem-implementation-guidance" rel="noopener"&gt;SIEM migration&lt;/a&gt; stress tests how well the cybersecurity organization knows itself and the larger enterprise. Often, the actual migration process uncovers forgotten integrations with other cybersecurity systems or network management systems.&lt;/p&gt;
 &lt;p&gt;Similarly, it is not unheard of for other SIEM stakeholders in the enterprise to be flushed from the underbrush by the transition. For example, application developers might quietly lean on the SIEM in some previously undocumented way and fail to make their use case known until the migration disrupts it.&lt;/p&gt;
 &lt;p&gt;Late discovery of a group whose needs should have influenced requirements for the new SIEM might result in only a slight delay in the migration's timeline. Be warned, however, that this oversight can easily drive up expenses, especially if required features cost extra in the new platform, or if the new SIEM can't meet the group's needs -- forcing a new round of product selection.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;John Burke is CTO and a research analyst at Nemertes Research. Burke joined Nemertes in 2005 with nearly two decades of technology experience. He has worked at all levels of IT, including as an end-user support specialist, programmer, system administrator, database specialist, network administrator, network architect and systems architect.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Before starting a SIEM migration, the security team must identify the data, rules, workflows and policies they need to transition to the new tool or service. Here's how to get started.</description>
            <image>https://cdn.ttgtmedia.com/visuals/LeMagIT/hero_article/Security-data-protection.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/What-every-CISO-should-consider-before-a-SIEM-migration</link>
            <pubDate>Thu, 30 Apr 2026 19:03:00 GMT</pubDate>
            <title>What every CISO should consider before a SIEM migration</title>
        </item>
        <item>
            <body>&lt;p&gt;Organizational complexity, cloud adoption and distributed teams are forcing IT leaders to rethink security structures. At enterprise scale, the way security responsibilities are structured directly affects how an organization manages risk, supports innovation and responds to threats. Those established security structures will become essential to the organization's overall strategy.&lt;/p&gt; 
&lt;p&gt;Leaders have two approaches available to manage &lt;a href="https://www.techtarget.com/searchitoperations/tip/Top-IT-governance-best-practices"&gt;security governance&lt;/a&gt; at enterprise scale: centralized security and federated security. While &lt;a href="https://www.techtarget.com/searchsecurity/tip/Use-these-6-user-authentication-types-to-secure-networks"&gt;centralized authentication&lt;/a&gt; and access control have long been hallmarks of well-designed environments, they are not always the best choice for today's global enterprises. In contrast, the decentralized, federated approach might offer greater flexibility and efficiency. Neither model is necessarily superior -- effectiveness depends on organizational structure, operational maturity and risk tolerance.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Centralized security: Control and consistency"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Centralized security: Control and consistency&lt;/h2&gt;
 &lt;p&gt;With centralized security, all authority, tooling, policies and decision-making are concentrated within a single security organization. The team is typically led by the CISO and extends standardized governance across the enterprise. This design offers significant benefits for many organizations, including consistent &lt;a href="https://www.techtarget.com/searchapparchitecture/tip/Privacy-compliance-and-governance-are-changing-development"&gt;policy enforcement&lt;/a&gt;, &lt;a href="https://www.techtarget.com/searchitoperations/tip/Observabilitys-role-in-mitigating-IT-security-risks"&gt;security visibility&lt;/a&gt; across environments, simplified compliance and efficient resource allocation. Potential drawbacks include bottlenecks, slower response times, limited flexibility and rigidity when business needs change.&lt;/p&gt;
&lt;/section&gt;  
&lt;section class="section main-article-chapter" data-menu-title="Federated security: Distributed ownership with central guidance"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Federated security: Distributed ownership with central guidance&lt;/h2&gt;
 &lt;p&gt;Federated security designs take a more distributed approach. Responsibilities are spread across business units, product teams or regional organizations, while a central body still provides standards and oversight. Security teams are typically embedded in business units with local decision-making for tooling and controls.&lt;/p&gt;
 &lt;p&gt;Federated security is best suited for enterprises with dynamic development and operations. The approach aligns security operations with specific business unit needs and improves agility in &lt;a href="https://www.techtarget.com/searchcloudcomputing/opinion/Decipher-the-true-meaning-of-cloud-native"&gt;cloud-native&lt;/a&gt; and product-led organizations. While this model empowers teams closest to the technology, strong governance is needed to avoid inconsistent policies, fragmented tooling and visibility gaps.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="The hybrid model: Balancing control and agility"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The hybrid model: Balancing control and agility&lt;/h2&gt;
 &lt;p&gt;As with many designs, there is a middle ground. Many organizations find success with a hybrid approach, drawing from the benefits of both models.&lt;/p&gt;
 &lt;p&gt;In a hybrid model, a central team owns governance, policy, architecture and core platforms, while business units retain embedded security capabilities aligned with local operations. For example, the central team provides security architecture, &lt;a href="https://www.techtarget.com/searchcio/feature/Top-12-risk-management-skills-and-why-you-need-them"&gt;risk management&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchsecurity/tip/Threat-intelligence-vs-threat-hunting-Better-together"&gt;threat intelligence&lt;/a&gt;, while the federated components manage application security, DevSecOps and cloud security.&lt;/p&gt;
 &lt;p&gt;This hybrid model maintains enterprise security standards while enabling operational flexibility in distributed development environments. To be successful, the hybrid approach requires clear accountability, governance frameworks and communication channels.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="How CISOs should decide: Key considerations"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How CISOs should decide: Key considerations&lt;/h2&gt;
 &lt;p&gt;Selecting the best model for an organization means understanding its design and business flow. CISOs should evaluate the following criteria:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Organizational structure.&lt;/b&gt; Highly centralized enterprises will likely benefit from centralized security. Conglomerates or global companies favor federated models for flexibility.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Technology and architecture.&lt;/b&gt; Legacy-heavy environments often run best with centralized control. Cloud-native or product-driven environments benefit from federated or hybrid approaches.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Security maturity.&lt;/b&gt; Newer organizations establishing security standards might need centralization for effective control. Mature organizations can often distribute responsibility more safely.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Talent and resources.&lt;/b&gt; Federated and hybrid models require &lt;a href="https://www.techtarget.com/searchsecurity/tip/Cybersecurity-skills-gap-Why-it-exists-and-how-to-address-it"&gt;skilled security professionals&lt;/a&gt; across business units, which may be difficult to attract and support.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Governance and risk appetite.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/compliance"&gt;Regulatory requirements&lt;/a&gt;, auditing and compliance often influence the degree of central oversight required. Highly regulated industries will lean toward a centralized model.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Focus on outcomes, not the security model itself. The goal is effective risk reduction and business enablement. Many large organizations evolve, often shifting from centralized to hybrid or federated models as they scale and expand.&lt;/p&gt;
 &lt;p&gt;Regardless of structure, establish clear security standards, accountability and communication channels to ensure consistency across teams. Evaluate whether the current security structure aligns with the organization's scale, operating model and risk tolerance, then identify where centralization, federation or something in between could improve outcomes.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA Blogs.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>CISOs must juggle flexibility, consistency and risk when considering the enterprise's security structure. Discover the benefits and drawbacks of different security models.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/security_a226543052.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/CISOs-guide-to-centralized-vs-federated-security-models</link>
            <pubDate>Thu, 30 Apr 2026 10:52:00 GMT</pubDate>
            <title>CISO's guide to centralized vs. federated security models</title>
        </item>
        <item>
            <body>&lt;p&gt;The state of digital user authentication today is undeniably messy. Many users rely on hundreds of authenticators, including passwords, biometrics and cryptographic keys, to have their digital identity verified by devices, applications, services and other digital entities. Adding to the authentication mess are misunderstandings and misconceptions about the pros and cons of each method.&lt;/p&gt; 
&lt;p&gt;Let's take a look at the most common digital authentication methods and explore why combining methods using &lt;a href="https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA"&gt;MFA&lt;/a&gt; helps achieve stronger authentication.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Knowledge-based factors"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Knowledge-based factors&lt;/h2&gt;
 &lt;p&gt;Knowledge-based authentication methods involve something the user knows, such as a password, passphrase or PIN.&lt;/p&gt;
 &lt;p&gt;Passwords are sequences of characters that only one person should know or be able to retrieve. Types of passwords include PINs -- short numeric passwords -- and passphrases -- &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-a-strong-passphrase-with-examples"&gt;long phrase-style, multiword passwords&lt;/a&gt;. Pundits have proclaimed the impending death of passwords for a good 20 years because of their numerous weaknesses. While their use has begun to decline, passwords remain widely used.&lt;/p&gt;
 &lt;p&gt;Passwords deliver some important benefits. Most people are accustomed to passwords, so they require little or no training. Users who forget or lose their password can typically reset it rapidly and regain access regardless of where they are or what day or time it is. Plus, nearly every technology already supports password use, potentially making its use inexpensive and fast.&lt;/p&gt;
 &lt;p&gt;Passwords, however, do &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-5-password-hygiene-tips-and-best-practices"&gt;have their weaknesses&lt;/a&gt;. They can be guessed, &lt;a href="https://www.techtarget.com/searchsecurity/definition/password-cracker"&gt;cracked&lt;/a&gt;, &lt;a href="https://www.techtarget.com/searchsecurity/feature/How-to-avoid-phishing-hooks-A-checklist-for-your-end-users"&gt;phished&lt;/a&gt; and intercepted. Attackers can then use stolen passwords to launch attacks. Also, password management, including password creation, storage, retrieval and especially memorization, is often a burden for users and organizations.&lt;/p&gt;
 &lt;p&gt;While passwords still play a valuable role in digital authentication, they are frequently compromised, and many users dislike them.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Inherence-based factors"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Inherence-based factors&lt;/h2&gt;
 &lt;p&gt;Inherence-based methods include user features, such as biometric or behavioral authentication.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/biometrics"&gt;Biometric characteristics&lt;/a&gt;, including fingerprints, facial recognition, iris scans and voice recognition, have become increasingly common. Most laptops, smartphones and other devices available today have added native support for reading these characteristics. Behavioral authentication involves analyzing keystrokes or mouse movements to identify users.&lt;/p&gt;
 &lt;p&gt;A widespread misconception about biometrics is that they are a much stronger form of authentication than passwords. As &lt;a target="_blank" href="https://pages.nist.gov/800-63-3/" rel="noopener"&gt;NIST's Digital Identity Guidelines&lt;/a&gt; explain, the major drawback of biometrics is that they aren't necessarily secret. A user's face, fingerprints and other biometric characteristics are visible to others and can potentially be stolen or replicated. For some, this raises &lt;a href="https://www.techtarget.com/searchsecurity/tip/In-biometrics-security-concerns-span-technical-legal-and-ethical"&gt;privacy concerns&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;Biometrics and behavior-based factors are also susceptible to false positives and false negatives. While convenient, biometric authentication requires careful consideration of its &lt;a href="https://www.techtarget.com/searchsecurity/tip/Evaluate-biometric-authentication-pros-and-cons-implications"&gt;pros and cons&lt;/a&gt;.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Possession-based factors"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Possession-based factors&lt;/h2&gt;
 &lt;p&gt;Possession-based methods are something the user has. Most involve cryptographic keys stored on a device. Once the system issues a challenge to an authentication request, the device uses the secret key to sign or decrypt it, proving its legitimacy.&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;One-time passwords&lt;/b&gt; verify users with a single-use, time-based code, often sent via text. While they offer stronger security than solely password-based authentication when used for MFA, they are susceptible to phishing, interception and user friction.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Authenticator apps&lt;/b&gt; verify users' identities using a mobile app that generates a time-based, one-time password or push approval notification. While safer than text-based one-time passwords, they introduce user friction and issues related to device loss, phishing and authentication fatigue.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Hardware tokens&lt;/b&gt; authenticate users with a dedicated, tamper-resistant physical object, such as a key fob or USB token, that stores a cryptographic key. The device displays a code that changes frequently and is synchronized with a remote server. While resistant to credential theft or phishing, hardware tokens can be costly -- issuing, replacing and managing them -- and they might introduce user friction and management challenges, for example, if a token is lost or stolen.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Smart cards&lt;/b&gt; authenticate using a physical card with an embedded chip that stores a secret cryptographic key. Like hardware tokens, &lt;a href="https://www.techtarget.com/searchsecurity/definition/smart-card"&gt;smart cards&lt;/a&gt; are resistant to credential theft or phishing, but can be costly and introduce user friction.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Device-based authentication&lt;/b&gt; verifies users' identities based on whether they are using a trusted, registered device, usually using a stored credential such as a device certificate, cryptographic key or secure token bound to the device. While generally user-friendly, it can be a security risk if attackers gain physical access to trusted devices.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Passkeys&lt;/b&gt; use cryptographic key pairs to authenticate users. Users who want to use a passkey often receive a password first; after they have been authenticated once using a password, the OS on a device asks them if they would like to use a passkey instead of the password. This results in a secret cryptographic key being securely stored within the device. When users need to authenticate, they provide a PIN or biometric that unlocks access to that secret key, a second authentication factor.&lt;br&gt;&lt;br&gt;The &lt;a href="https://www.techtarget.com/searchsecurity/tip/Benefits-and-challenges-of-passkeys-in-the-enterprise"&gt;primary benefit of passkeys&lt;/a&gt; is that they provide passwordless authentication, greatly reducing the odds of successful phishing attacks. Even if an attacker steals a user's device password, for example, the attacker would still have to gain unauthorized access to the device itself to use that password and access the key. Passkeys, however, are still relatively nascent and not universally supported across all systems. They also introduce privacy concerns and can be difficult to provision and manage.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Adaptive authentication"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Adaptive authentication&lt;/h2&gt;
 &lt;p&gt;Adaptive authentication, related to &lt;a href="https://www.techtarget.com/searchsecurity/definition/risk-based-authentication-RBA"&gt;risk-based authentication&lt;/a&gt;, grants or denies users access based on a list of factors, including IP address, user role, location, device, sensitivity of the data being accessed and other risk factors. These context-based elements are the basis of the &lt;a href="https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network"&gt;zero-trust security model&lt;/a&gt;. Using zero trust, organizations can set strict authentication requirements to ensure continuous, rigorous authentication rather than a single check at the security perimeter.&lt;/p&gt;
&lt;/section&gt;  
&lt;section class="section main-article-chapter" data-menu-title="One factor isn't enough; organizations need MFA"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;One factor isn't enough; organizations need MFA&lt;/h2&gt;
 &lt;p&gt;It is not recommended to use any single knowledge-based, inherence-based or possession-based authentication factor as the sole verification method. Using MFA adds layers of security, reducing the risk of account compromise.&lt;/p&gt;
 &lt;p&gt;For example, an application might require users to verify themselves first using a username and password, then send a push notification to an authentication app for a second factor -- knowledge and inherence. Or users might sign onto their trusted laptops using facial recognition -- possession and inherence.&lt;/p&gt;
 &lt;p&gt;MFA is not immune to issues, however. User friction, operational and integration complexity, and management issues are common. Certain forms of MFA are also susceptible to phishing and MFA-related attacks, such as push bombing and SIM swapping. This is why &lt;a href="https://www.techtarget.com/searchsecurity/tip/Traditional-MFA-isnt-enough-phishing-resistant-MFA-is-key"&gt;phishing-resistant MFA&lt;/a&gt; methods, such as those listed above that use cryptographic methods, are recommended.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Karen Kent is the co-founder of Trusted Cyber Annex. She provides cybersecurity research and publication services to organizations and was formerly a senior computer scientist for NIST.&lt;/i&gt;&lt;/p&gt;
 &lt;div class="youtube-iframe-container"&gt;
  &lt;iframe id="ytplayer-0" src="https://www.youtube.com/embed/_3rlQVXGKZc?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
 &lt;/div&gt;
 &lt;p&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>To authenticate users, security teams have a range of options available. Note, however, that a combination of methods is the best and safest approach.</description>
            <image>https://cdn.ttgtmedia.com/visuals/ezines/carousel/ezine_security_06.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/answer/What-are-the-most-common-digital-authentication-methods</link>
            <pubDate>Wed, 29 Apr 2026 00:00:00 GMT</pubDate>
            <title>What are the most common authentication methods?</title>
        </item>
        <item>
            <body>&lt;p&gt;Many enterprises have a lurking threat embedded deep in their systems, and the risks to privacy and cybersecurity can be grave: shadow code.&lt;/p&gt; 
&lt;p&gt;Shadow code is any code -- libraries, scripts, APIs, and web browser plugins and extensions -- that an organization runs in web browsers without first performing standard security checks. It includes all first-party and third-party code that hasn't had its security confirmed, as well as any unverified code that it calls. In other words, shadow code is all the code that an organization relies upon for its web applications without being aware of its associated risk and, therefore, is not able to properly manage that risk.&lt;/p&gt; 
&lt;p&gt;Shadow code is often deployed when developers and other personnel want to save time and meet deadlines. Instead of writing code themselves, they might find existing code to reuse. While the practice can save time, it can be perilous if the security of that code isn't first assessed. Shadow code can also occur when a &lt;a href="https://www.techtarget.com/searchsecurity/tip/Insider-threat-hunting-best-practices-and-tools"&gt;disgruntled employee&lt;/a&gt; or other malicious actor intentionally injects malware or other unauthorized functionality into an organization's software.&lt;/p&gt; 
&lt;p&gt;CISOs and other security leaders should clearly understand the risks shadow code can pose and how to identify, manage and prevent shadow code use in their enterprises.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="The risks of shadow code"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The risks of shadow code&lt;/h2&gt;
 &lt;p&gt;Consider the following cybersecurity and privacy risks inherent when using shadow code:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;The code might contain unmitigated &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-web-app-security-vulnerabilities-and-how-to-mitigate-them"&gt;coding vulnerabilities&lt;/a&gt;, misconfigurations, design flaws or other problems that could negatively impact systems.&lt;/li&gt; 
  &lt;li&gt;Embedded malicious code could perform &lt;a href="https://www.techtarget.com/searchsecurity/tip/Common-browser-attacks-and-how-to-prevent-them"&gt;client-side attacks&lt;/a&gt; via web browsers.&lt;/li&gt; 
  &lt;li&gt;Shadow code often violates cybersecurity and &lt;a href="https://www.techtarget.com/searchcio/news/366623115/Policymakers-look-to-state-laws-for-federal-data-privacy-law"&gt;privacy laws&lt;/a&gt;, regulations and other organizational policies.&lt;/li&gt; 
  &lt;li&gt;The code could violate &lt;a href="https://www.techtarget.com/searchcio/definition/software-license"&gt;software licensing terms&lt;/a&gt; or subject an organization to unanticipated terms.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="How to identify shadow code"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to identify shadow code&lt;/h2&gt;
 &lt;p&gt;Because shadow code executes within web browsers, identification should focus largely on the client side, not the server side. Many tools can monitor the code executing in web browsers, including application security monitoring and browser tools. CISOs should mandate the use of these tools and closely monitor their logs and alerts to rapidly identify the use of shadow code.&lt;/p&gt;
 &lt;p&gt;Organizations should create and maintain an up-to-date inventory of all the code they use, including first-party and third-party code and code services. Compare this inventory to detected code to improve the accuracy of shadow code detection. Constantly monitor approved code, both in operational environments and in code repositories, to identify any calls to shadow code and to detect any changes to code that could indicate new uses of shadow code.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="How to manage and prevent shadow code"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to manage and prevent shadow code&lt;/h2&gt;
 &lt;p&gt;Managing and preventing shadow code requires a combination of methods, including the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Ensure developers and other personnel, contractors and vendors involved in web application development are aware of shadow code risks and train teams on the procedures to properly assess all code.&lt;/li&gt; 
  &lt;li&gt;Make it easy and quick for developers and others to request use of safe third-party code.&lt;/li&gt; 
  &lt;li&gt;Set automatic triggers for a cybersecurity assessment process when new third-party code is detected within the enterprise.&lt;/li&gt; 
  &lt;li&gt;Have automated tools and processes in place to regularly review the security of all code, with trained personnel reviewing and validating automation outputs.&lt;/li&gt; 
  &lt;li&gt;Enforce &lt;a href="https://www.techtarget.com/searchsecurity/definition/content-filtering"&gt;content security policies&lt;/a&gt; that restrict code execution by web browsers.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;When planning how to manage and prevent shadow code, always keep in mind that once code is in production, it's much harder to change its configuration or remove it from the enterprise entirely. Identifying shadow code early in the software development process and preventing it from being executed in production environments will help safeguard the enterprise's cybersecurity.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Karen Kent is the co-founder of Trusted Cyber Annex. She provides cybersecurity research and publication services to organizations and was formerly a senior computer scientist for NIST.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>The shadow code running in your web apps could be a ticking time bomb. Learn more about the cybersecurity risks of shadow code and how to protect your enterprise.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/code_g122204403.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/Shadow-code-The-hidden-threat-for-enterprise-IT</link>
            <pubDate>Tue, 28 Apr 2026 10:35:00 GMT</pubDate>
            <title>Shadow code: The hidden threat for enterprise IT</title>
        </item>
        <item>
            <body>&lt;p&gt;The rapid adoption of agentic AI is radically shifting how enterprises operate, automate workflows and interact with digital systems. Autonomous &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/AI-agents"&gt;AI agents&lt;/a&gt; -- intelligent systems that are capable of executing commands, accessing sensitive data and making decisions on behalf of users -- represent both tremendous business opportunities and profound security risks.&lt;/p&gt; 
&lt;p&gt;AI agents exist in a liminal space between tools and actors. Unlike traditional software applications that operate within clearly defined boundaries, they possess agency, make autonomous decisions and interact with systems using credentials and permissions. This creates a fundamental identity problem and one of the most pressing challenges in enterprise cybersecurity today: Who or what is truly responsible when an agent takes an action? Is it the human who deployed the agent, the organization that owns the infrastructure or the agent itself?&lt;/p&gt; 
&lt;p&gt;When agents are compromised or manipulated, ambiguity around agent identity and authentication becomes a critical vulnerability. Traditional security models built around human identity and authentication struggle to accommodate digital entities that operate autonomously, learn from interactions and execute actions without real-time human oversight. To protect themselves against catastrophic security failures, enterprises must establish clear frameworks governing agent identity, authentication, authorization and accountability.&lt;/p&gt; 
&lt;div class="extra-info"&gt;
 &lt;div class="extra-info-inner"&gt;
  &lt;h3 class="splash-heading"&gt;Exhibit A: OpenClaw's vulnerabilities&lt;/h3&gt; 
  &lt;p&gt;OpenClaw -- formerly known as Clawdbot and Moltbot -- is an open-source AI agent that runs locally on users' machines. These agents have deep system access, controlling such functions as terminal commands, file system operations, email, calendar and browsers. Despite launching only in November 2025, OpenClaw rapidly gained viral popularity and, in turn, the attention of security researchers -- who uncovered a cascade of critical vulnerabilities.&lt;/p&gt; 
  &lt;p&gt;The OpenClaw architecture created an especially dangerous attack surface because agents run with elevated privileges on users' host machines, lack sandboxing by default and periodically fetch updates from external sources.&lt;/p&gt; 
  &lt;p&gt;This design enabled prompt injection attacks, supply chain attacks and coordinated compromises across connected instances. Researchers scanning internet-facing OpenClaw deployments found exposed admin interfaces, leaked API keys, OAuth tokens and conversation histories stored in plaintext.&lt;/p&gt;
 &lt;/div&gt;
&lt;/div&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Building a framework for enterprise AI agent security"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Building a framework for enterprise AI agent security&lt;/h2&gt;
 &lt;p&gt;To secure their agentic AI deployments, enterprises need to implement some fundamental security principles. Agentic identity and authentication must move beyond simple API keys toward robust, verified identity frameworks that establish clear chains of custody and accountability. Consider the following:&lt;/p&gt;
 &lt;h3&gt;Agent authorization and privilege management&lt;/h3&gt;
 &lt;p&gt;Permissions should follow &lt;a href="https://www.techtarget.com/searchsecurity/feature/How-to-implement-zero-trust-security-from-people-who-did-it"&gt;zero-trust principles&lt;/a&gt;, granting agents only the minimum necessary access -- including time-bounded authorizations that expire automatically -- to perform specific, sanctioned tasks. Implement &lt;a href="https://www.techtarget.com/searchsecurity/definition/role-based-access-control-RBAC"&gt;role-based access control&lt;/a&gt; for agents, segregate duties to prevent any single agent from executing high-risk operations independently and maintain AI audit trails that capture every agent action with full context.&lt;/p&gt;
 &lt;p&gt;Critical operations should require human approval, mandate MFA for sensitive actions and include clear escalation paths in the event of an anomalous request.&lt;/p&gt;
 &lt;h3&gt;Agent isolation and sandboxing&lt;/h3&gt;
 &lt;p&gt;Running agents with unrestricted host access carries potentially catastrophic risks. Instead, deploy agents only in isolated containers or VMs with minimal privileges, restricted by network segmentation to limit lateral movement and bound by runtime application self-protection to detect and block malicious behavior. Only execute code in sandboxed environments with strict resource limits, monitored file system access and network connections that prohibit access to unauthorized destinations.&lt;/p&gt;
 &lt;h3&gt;Prompt injection defenses&lt;/h3&gt;
 &lt;p&gt;Agents that process external inputs -- e.g., emails, web pages or other agents -- are under constant pressure from &lt;a href="https://www.techtarget.com/searchsecurity/tip/Types-of-prompt-injection-attacks-and-how-they-work"&gt;prompt injection threats&lt;/a&gt;. Implement input validation and sanitization, separate system prompts from user-provided content and use prompt filtering to detect and block injection attempts. Restrain agent behavior through strict operational boundaries, allowlists of permitted actions and anomaly detection systems that flag unusual command sequences. Any agent interaction with untrusted content requires additional scrutiny and validation.&lt;/p&gt;
 &lt;h3&gt;Monitoring, logging and incident response&lt;/h3&gt;
 &lt;p&gt;Agentic AI security requires comprehensive observability. Log all agent authentication attempts, track credential usage patterns to detect token theft and monitor API calls for anomalous behavior. Use &lt;a href="https://www.techtarget.com/searchsecurity/tip/SIEM-benefits-and-features-in-the-modern-SOC"&gt;security information and event management&lt;/a&gt; systems to correlate agent activities across the enterprise, flagging unusual patterns such as privilege escalation attempts, unexpected data exfiltration or &lt;a href="https://www.techtarget.com/searchsecurity/feature/Agentic-AIs-role-in-amplifying-and-creating-insider-risks"&gt;coordination among compromised agents&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;Design incident response plans to address agent-specific scenarios, including procedures for agent quarantine, credential revocation cascades and forensic analysis of agent decision-making.&lt;/p&gt;
&lt;/section&gt;            
&lt;section class="section main-article-chapter" data-menu-title="The path forward"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The path forward&lt;/h2&gt;
 &lt;p&gt;Securing AI agents successfully requires enterprises to fundamentally rethink traditional identity and access management. Agents are not simply applications to be deployed but autonomous actors requiring robust identity frameworks, continuous monitoring and architectural isolation. If security is treated as an afterthought rather than a foundational requirement, the speed of &lt;a target="_blank" href="https://www.darkreading.com/application-security/how-to-vibe-code-with-security-in-mind" rel="noopener"&gt;vibe coding&lt;/a&gt; and AI-assisted development becomes a liability rather than a benefit.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Matthew Smith is a vCISO and management consultant specializing in cybersecurity risk management and AI.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>AI agents are transforming enterprise operations, but their autonomy poses critical security challenges. Learn how to secure these powerful digital actors.</description>
            <image>https://cdn.ttgtmedia.com/visuals/LeMagIT/hero_article/Hero-Danger-by-InfiniteFlow-Adobe-10.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/Cybersecuritys-agentic-AI-identity-crisis-and-how-to-fix-it</link>
            <pubDate>Mon, 27 Apr 2026 21:19:00 GMT</pubDate>
            <title>How to fix cybersecurity's agentic AI identity crisis</title>
        </item>
        <item>
            <body>&lt;p&gt;A security information and event management system collects, centralizes and analyzes data from across the IT environment to uncover cybersecurity and operational problems.&lt;/p&gt; 
&lt;p&gt;As with so many formerly distinct and well-defined cybersecurity systems, "SIEM" is now as often a set of features as it is a separate product or service. In the current era of category drift and &lt;a href="https://www.techtarget.com/searchsecurity/tip/What-cybersecurity-consolidation-means-for-enterprises"&gt;tool convergence&lt;/a&gt;, an extended detection and response (XDR) platform might include SIEM features, a SIEM offering might include user and entity behavior analytics (UEBA) and so on.&lt;/p&gt; 
&lt;p&gt;Whether in a standalone product or as part of a broader offering, &lt;a href="https://www.techtarget.com/searchsecurity/feature/SIEM-isnt-dead-its-place-in-the-SOC-is-just-evolving"&gt;enterprises continue to rely on SIEM functionality&lt;/a&gt;. Top SIEM use cases span cybersecurity and IT ops and include log management, attack detection, event detection, event forensics and cybersecurity posture management.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="1. Log management"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;1. Log management&lt;/h2&gt;
 &lt;p&gt;This is job No. 1 for a SIEM. In addition to serving as the destination for logs from core security systems such as firewalls and intrusion detection and protection systems, SIEMs also aggregate and normalize streams from more far-flung data sources, such as &lt;a href="https://www.techtarget.com/searchsecurity/tip/EDR-vs-XDR-vs-MDR-Which-does-your-company-need"&gt;endpoint detection and response and XDR&lt;/a&gt; systems. A centralized repository for security event log data is useful for monitoring, analysis and compliance purposes.&lt;/p&gt;
 &lt;p&gt;SIEMs gather operational logging data -- e.g. performance data on a router's interfaces -- as well as cybersecurity logs, so they are useful to the NOC and IT ops staff as well as to the SOC.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="2. Attack detection"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;2. Attack detection&lt;/h2&gt;
 &lt;p&gt;While SIEMs can do a lot to detect attacks on their own, they &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-10-UEBA-enterprise-use-cases"&gt;benefit from integration with UEBA systems&lt;/a&gt;. UEBAs are specifically built to apply advanced behavioral analytics to the kinds of real-time activity data that a SIEM provides.&lt;/p&gt;
 &lt;p&gt;Note that a &lt;a href="https://www.techtarget.com/searchsecurity/tip/SIEM-vs-SOAR-vs-XDR-Evaluate-the-differences"&gt;SIEM typically does not coordinate the response to an attack&lt;/a&gt;. That responsibility traditionally falls to a &lt;a href="https://www.techtarget.com/searchsecurity/feature/Is-SOAR-dead-or-alive-Sort-of"&gt;security orchestration, automation and response system&lt;/a&gt;, which can also integrate with the SIEM.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;And, of course, AI&lt;/h3&gt; 
   &lt;p&gt;SIEM systems have made use of machine learning for more than a decade. Now, like everything else in cybersecurity, they are getting liberal doses of AI. A SIEM infused with LLM capabilities can accept natural-language queries from users and offer them "guide by the side" advisory functionality with natural-language explanations.&lt;/p&gt; 
   &lt;p&gt;Agentic AI is finding its way into SIEM systems as well, and SIEMs with AI agents are providing new levels of flexible and context-aware response automation.&lt;/p&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="3. Event detection"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;3. Event detection&lt;/h2&gt;
 &lt;p&gt;Not all events are attacks. Equipment failures and performance problems can lead to events that show up in logs, and a SIEM can alert IT ops staff and the network operations center (NOC) team when such issues occur. For example, when a router stops reporting normal traffic from a branch office, the SIEM might alert the NOC to the problem.&lt;/p&gt;
&lt;/section&gt;  
&lt;section class="section main-article-chapter" data-menu-title="4. Forensics and root cause analysis"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;4. Forensics and root cause analysis&lt;/h2&gt;
 &lt;p&gt;SIEMs are repositories of huge volumes of data relevant to attacks -- whether successful or averted -- and provide search and filter features to help investigators tease out relevant information and patterns. Similarly, IT ops teams searching for &lt;a href="https://www.techtarget.com/searchitoperations/definition/root-cause-analysis"&gt;root causes&lt;/a&gt; of problems in WANs, campus networks or data centers can benefit from these capabilities.&lt;/p&gt;
&lt;/section&gt;  
&lt;section class="section main-article-chapter" data-menu-title="5. Cybersecurity posture management -- i.e., breach prevention"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;5. Cybersecurity posture management -- i.e., breach prevention&lt;/h2&gt;
 &lt;p&gt;SIEM offers a view not just into performance and alert data but also device configurations, making it useful in monitoring for policy deviations and supporting &lt;a href="https://www.techtarget.com/searchsecurity/feature/Security-posture-management-a-huge-challenge-for-IT-pros"&gt;cybersecurity posture management&lt;/a&gt;. SIEMs can see and report when running configurations differ from documented ones, whether because of an insider attack or normal configuration drift from ad-hoc changes made in the course of problem solving.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;John Burke is CTO and a research analyst at Nemertes Research. Burke joined Nemertes in 2005 with nearly two decades of technology experience. He has worked at all levels of IT, including as an end-user support specialist, programmer, system administrator, database specialist, network administrator, network architect and systems architect.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>In the age of AI everything, SIEM isn't exactly flashy -- but it still matters. Explore top SIEM use cases that span the enterprise, from cybersecurity to IT ops.</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/Data%20security.Getty.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/Top-SIEM-use-cases-in-the-enterprise</link>
            <pubDate>Fri, 24 Apr 2026 21:53:00 GMT</pubDate>
            <title>5 top SIEM use cases in the enterprise</title>
        </item>
        <item>
            <body>&lt;p data-end="3972" data-start="3847"&gt;E-signature software is now a standard business tool for contracts, approvals and customer-facing forms.&lt;/p&gt; 
&lt;p data-end="4203" data-start="3974"&gt;Since the Electronic Signatures in Global and National Commerce, or &lt;a href="https://www.techtarget.com/searchsecurity/definition/Electronic-Signatures-in-Global-and-National-Commerce-Act"&gt;ESIGN&lt;/a&gt;, Act passed in 2000 and set &lt;a href="https://www.techtarget.com/searchcontentmanagement/answer/Are-electronic-signatures-legally-binding"&gt;legal requirements for e-signatures&lt;/a&gt;, the market has shown no signs of slowing down. With legal frameworks in place and a mature vendor market, organizations now evaluate e-signature platforms less as a convenience tool and more as part of a broader &lt;a href="https://www.techtarget.com/searchcontentmanagement/tip/7-key-stages-of-enterprise-content-lifecycle-management"&gt;document workflow&lt;/a&gt;, compliance and customer-experience strategy.&lt;/p&gt; 
&lt;p&gt;E-signature software has various benefits for organizations, like improved performance and reduced costs. &lt;a href="https://www.techtarget.com/searchcontentmanagement/tip/How-to-build-a-successful-paperless-office-strategy"&gt;Paper usage also decreases&lt;/a&gt;, which is better for the environment, and e-signatures are convenient and avoid having users print out, sign, scan and mail documents.&lt;/p&gt; 
&lt;p&gt;However, not all e-signature software is the same. As organizations evaluate options, they should consider signing volume, integrations, workflow automation, &lt;a href="https://www.techtarget.com/searchcontentmanagement/tip/6-enterprise-content-management-best-practices-for-deployment"&gt;compliance features&lt;/a&gt;, mobile support and whether the software fits internal approvals, customer-facing transactions or both.&lt;/p&gt; 
&lt;p&gt;The unranked, alphabetical list of platforms below was created based on reports from leading analyst firms, such as Gartner and Forrester, and user reviews on G2 and Capterra, plus additional research by TechTarget editors.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="1. Adobe Acrobat Sign"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;1. Adobe Acrobat Sign&lt;/h2&gt;
 &lt;p&gt;Most Adobe Acrobat users understand its e-signature capabilities, but full access to those features requires a purchase. &lt;a href="https://www.techtarget.com/searchcontentmanagement/definition/Adobe-Sign"&gt;Adobe Acrobat Sign&lt;/a&gt; lets recipients sign documents without downloading anything. Like other e-signature platforms, Adobe Acrobat Sign integrates with various tools, including Salesforce, Zoho CRM, SAP SuccessFactors, Microsoft and Box, among others.&lt;/p&gt;
 &lt;p&gt;Users can create digital forms on their websites and integrate Adobe Acrobat Sign for e-signatures. The software also offers a mobile app to scan and upload PDFs, along with customizable templates, notifications and reminders. Adobe Acrobat Sign is easy to use, has responsive customer support and simplifies how users upload a signature.&lt;/p&gt;
 &lt;p&gt;However, the mobile app can be clunky, and its features can overwhelm some users -- making Adobe Acrobat Sign a better choice for enterprise customers. It also lacks integration capabilities beyond its existing choices.&lt;/p&gt;
 &lt;p&gt;Adobe Acrobat Sign's pricing for the Acrobat Standard for teams starts at $14.99 per user monthly.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="2. Docusign"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;2. Docusign&lt;/h2&gt;
 &lt;p&gt;Docusign offers standalone eSignature plans as well as its broader Intelligent Agreement Management platform. Organizations that handle a high volume of contracts should distinguish between Docusign’s basic e-signature plans and its more advanced IAM suite. The software has a mobile-responsive web app to simplify how parties sign agreements. It also supports document routing to multiple parties and lets users create reusable templates with standard and customizable fields.&lt;/p&gt;
 &lt;p&gt;Docusign uses APIs to integrate with over 350 apps, including Microsoft, Salesforce, Zoom, SAP, Google and Oracle products. The platform is user-friendly, offers multilanguage support and enables visibility into who views and signs documents. However, users can't download multiple documents at once with this tool, and it can't integrate with other PDF apps.&lt;/p&gt;
 &lt;p&gt;When billed annually, Docusign’s standalone eSignature pricing starts at $10 per month for the Personal plan and $25 per user monthly for the Standard plan for small-to-medium-sized teams. Docusign’s IAM plans start at a higher price point, with IAM Starter at $40 per user monthly and IAM Standard at $45 per user monthly.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="3. Dropbox Sign"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;3. Dropbox Sign&lt;/h2&gt;
 &lt;p&gt;Formerly known as HelloSign, Dropbox Sign is part of the Dropbox suite. It offers document templates for commonly used forms, like nondisclosure agreements and tax forms, and sends automated reminders so unsigned documents don't fall through the cracks.&lt;/p&gt;
 &lt;p&gt;Dropbox Sign also integrates with Salesforce, HubSpot, Google Workspace, Box and SharePoint. Users can embed e-signatures into websites or apps using APIs, and &lt;a href="https://www.techtarget.com/searchhrsoftware/feature/How-RPA-can-simplify-the-onboarding-process"&gt;automate employee onboarding&lt;/a&gt; and hiring processes. It also encrypts data during transfer and at rest to protect user privacy.&lt;/p&gt;
 &lt;p&gt;The platform is mobile-friendly, with notification and reminder options. However, some challenges include difficulty editing documents and limited customization.&lt;/p&gt;
 &lt;p&gt;Dropbox Sign’s current pricing centers on an Essentials plan for individuals and a Standard plan for small teams. Essentials is listed at $15 per month, and Standard is listed at $25 per user per month when billed annually.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="4. Jotform Sign"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;4. Jotform Sign&lt;/h2&gt;
 &lt;p&gt;Jotform Sign is e-signature software that includes workflow automation to let users sign documents on any device. It also lets users &lt;a href="https://www.techtarget.com/searchcontentmanagement/tip/How-to-add-digital-signatures-to-a-PDF"&gt;turn PDFs into documents with e-signature capabilities&lt;/a&gt;, automate processes and reuse document templates. Users can create approval workflows, embed documents for signatures in websites and receive alerts about document status through Jotform Sign Inbox.&lt;/p&gt;
 &lt;p&gt;Users said Jotform Sign is easy to use and set up, with an intuitive UI. However, customization is limited, and the number of signatures it collects is limited based on the pricing tier.&lt;/p&gt;
 &lt;p&gt;Jotform Sign offers a free version for users to collect 10 signatures per month. The paid tiers begin with Bronze, which starts at $34 per month and is described in terms of broader monthly submission and active-form limits rather than a simple signature cap.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="5. PandaDoc"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;5. PandaDoc&lt;/h2&gt;
 &lt;p&gt;Organizations looking for e-signature software with a lot of features might consider PandaDoc. It &lt;a href="https://www.techtarget.com/searchcustomerexperience/tip/7-reasons-why-businesses-need-mobile-apps"&gt;offers a mobile app&lt;/a&gt; so users can track documents' statuses and get notified when someone opens, views, comments on or signs a document. The tool also offers a template library with over 450 contract, proposal and invoice templates, and users can drag and drop elements of them into documents to create their own templates.&lt;/p&gt;
 &lt;p&gt;The PandaDoc API lets users integrate with third-party apps, and users can add it to PDFs and Word documents. It offers prebuilt integrations with apps like Salesforce, Zapier, Zoho, HubSpot and Dropbox.&lt;/p&gt;
 &lt;p&gt;The software is easy to use, especially for creating documents. However, the signing space is small, and the software could benefit from more out-of-the-box integrations.&lt;/p&gt;
 &lt;p&gt;PandaDoc still offers a free tier, Starter at $19 per user monthly and Business at $49 per user monthly.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="6. ReadySign"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;6. ReadySign&lt;/h2&gt;
 &lt;p&gt;Like its counterparts, ReadySign's e-signature software includes customizable templates and forms. It can also create an AnySign link, which lets signers opt in to sign the forms they need. Other features include bulk sending, notifications, reminders, custom signatures, &lt;a href="https://www.techtarget.com/searchcontentmanagement/tip/Document-management-vs-content-management-How-they-differ"&gt;document management to organize signed forms&lt;/a&gt; and user management with role-based permissions.&lt;/p&gt;
 &lt;p&gt;ReadySign is easy to use, cost-effective, enables a comprehensive audit trail and offers responsive customer service. However, users might struggle to control the reminders, and the search features are not easy to use. Also, the vendor's website lacks integration information.&lt;/p&gt;
 &lt;p&gt;ReadySign's pricing starts at $25 per user monthly for 10 users. The 40-user plan is $10 per user monthly, and the 100-user plan is $6 per user monthly -- all when billed annually.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="7. SignNow"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;7. SignNow&lt;/h2&gt;
 &lt;p&gt;As a &lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/private-cloud"&gt;private cloud&lt;/a&gt; e-signature software provider, SignNow lets users add e-signatures to various forms, documents and templates, including PDFs, Word documents and contracts. The software uses APIs for website, CRM and other app integrations.&lt;/p&gt;
 &lt;p&gt;SignNow enables conditional documents, which means organizations can set documents to route by role. It also lets teams collaborate to create documents and templates and add custom branding to content. The platform is easy to use and supports e-signature management for multiple documents. It's also easy to sign documents from mobile phones.&lt;/p&gt;
 &lt;p&gt;Yet, the tool presents challenges. The documents don't open immediately and instead prompt the recipient to download the file. It also lacks a commenting feature for users to provide feedback before signing.&lt;/p&gt;
 &lt;p&gt;SignNow’s plans still start at a lower entry price point than many competitors, with current pricing beginning at $8 per user per month.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="8. Zoho Sign"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;8. Zoho Sign&lt;/h2&gt;
 &lt;p&gt;Zoho Sign enables users to upload PDFs, Microsoft Word or other documents and add e-signature fields. It also offers reusable templates for frequently used documents and enables public URLs for &lt;a href="https://www.techtarget.com/whatis/definition/customer-self-service-CSS"&gt;self-service&lt;/a&gt; document signing. The tool also includes features for bulk sending, document status tracking, identity verification and &lt;a href="https://www.techtarget.com/searchcontentmanagement/answer/252523027/What-are-the-pros-and-cons-of-electronic-signatures"&gt;regulatory compliance&lt;/a&gt;. It can be used on mobile devices.&lt;/p&gt;
 &lt;p&gt;Users said Zoho Sign offers good security, is easy to use and can easily integrate with other products and place e-signatures. However, the tool offers limited customization, and customer support is lacking.&lt;/p&gt;
 &lt;p&gt;Zoho Sign still offers a free tier and entry-level paid pricing starting at $10 per user monthly billed annually. Its current paid tiers extend upward through Professional and Enterprise plans.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Editor's note: &lt;/b&gt;&lt;em&gt;This article was originally published in 2022 and was updated in 2026 to reflect current e-signature software pricing, packaging and market positioning.&lt;/em&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Christine Campbell is a freelance writer specializing in business and B2B technology.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>E-signature software enhances workflows and reduces paper use. Organizations should compare integrations, workflows, compliance features, and pricing before choosing a platform.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/container_g1294273513.jpg</image>
            <link>https://www.techtarget.com/searchcontentmanagement/tip/Top-e-signature-software-providers</link>
            <pubDate>Fri, 24 Apr 2026 11:02:00 GMT</pubDate>
            <title>Top 8 e-signature software providers for 2026</title>
        </item>
        <item>
            <body>&lt;p data-end="5614" data-start="5350"&gt;Organizations use digital signatures when an agreement needs more than convenience. They use them when a workflow requires &lt;a href="https://www.techtarget.com/searchcontentmanagement/answer/E-signature-vs-digital-signature-Whats-the-difference"&gt;stronger signer verification&lt;/a&gt;, tamper evidence and a better evidentiary trail than a basic electronic signature provides.&lt;/p&gt; 
&lt;p data-end="5871" data-start="5616"&gt;That distinction matters because not every document needs the same level of trust. Routine approvals may only need a simple e-signature, while regulated, high-value or dispute-sensitive transactions often benefit from certificate-based digital signatures.&lt;/p&gt; 
&lt;p data-end="6126" data-start="5873"&gt;In practice, the goal is to match the signing method to the risk. The right question is not whether a business can sign electronically. It is whether the transaction needs stronger identity assurance, document integrity controls and compliance support.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Digital signatures vs. e-signatures"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Digital signatures vs. e-signatures&lt;/h2&gt;
 &lt;p&gt;Organizations must understand the &lt;a href="https://www.techtarget.com/searchcontentmanagement/answer/E-signature-vs-digital-signature-Whats-the-difference"&gt;difference between digital signatures and e-signatures&lt;/a&gt; so they can implement a level of security that meets their needs.&lt;/p&gt;
 &lt;p&gt;An e-signature is a broad term that includes any signature a user sends electronically. Some e-signatures, such as those retail stores use for small transactions, don't require identity verification. However, other types, such as digital signatures, involve a strict authentication process.&lt;/p&gt;
 &lt;p&gt;In the U.S., the E-SIGN Act gives &lt;a href="https://www.techtarget.com/searchcontentmanagement/answer/Are-electronic-signatures-legally-binding"&gt;electronic signatures legal standing&lt;/a&gt; when key conditions are met, but organizations still use digital signatures when they need stronger identity assurance and tamper evidence. In the EU, trust-service frameworks make those assurance levels even more explicit.&lt;/p&gt;
 &lt;p&gt;Digital signatures rely on &lt;a href="https://www.techtarget.com/searchsecurity/definition/public-key"&gt;public key cryptography&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchsecurity/definition/public-key-certificate"&gt;digital certificates&lt;/a&gt; to verify authenticity and detect tampering. In a typical workflow, the system creates a hash of the document and signs that hash with the sender's private key. The recipient then uses the corresponding public key and certificate to verify the signature and confirm that the document has not been altered since it was signed.&lt;/p&gt;
 &lt;p&gt;To create a digital signature, organizations typically use an &lt;a href="https://www.techtarget.com/searchcontentmanagement/tip/Top-e-signature-software-providers"&gt;e-signature system&lt;/a&gt;. E-signature systems offer digital signature capabilities, but they can also streamline workflows. For example, they can send reminder notifications to late signatories and assign roles to specific individuals.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;When to use a digital signature instead of a basic e-signature&lt;/h3&gt; 
   &lt;p&gt;Use a basic e-signature when speed and convenience are the priority and the workflow does not require higher assurance. Use a digital signature when the organization needs certificate-backed signer verification, tamper evidence and a stronger audit trail. In practice, the choice depends on transaction risk, compliance requirements and the evidentiary burden if the agreement is challenged later.&lt;/p&gt;
  &lt;/div&gt;
 &lt;/div&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="What are digital signatures used for?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What are digital signatures used for?&lt;/h2&gt;
 &lt;p&gt;Organizations can use digital signatures anywhere a signature is required, but they usually reserve them for transactions where stronger trust, signer verification and document integrity matter most. Common examples include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Real estate purchase and sale agreements&lt;/li&gt; 
  &lt;li&gt;Sales contracts&lt;/li&gt; 
  &lt;li&gt;Insurance agreements&lt;/li&gt; 
  &lt;li&gt;Tax documents and forms&lt;/li&gt; 
  &lt;li&gt;Construction change orders&lt;/li&gt; 
  &lt;li&gt;Clinical trials&lt;/li&gt; 
  &lt;li&gt;Loans&lt;/li&gt; 
  &lt;li&gt;Mortgages&lt;/li&gt; 
  &lt;li&gt;Leases&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="How digital signatures work"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How digital signatures work&lt;/h2&gt;
 &lt;p&gt;Digital signatures rely on digital certificates that trust service providers issue to signers. These providers are legal entities that use processes and tools in accordance with a national authority, such as the U.S. government or EU, to verify e-signatures' authenticity.&lt;/p&gt;
 &lt;p&gt;"The trust service provider verifies the identity of the signer prior to the issuance of the digital certificate using various mechanisms, [such as] near-field communication, automated video-based identity documents and biometric verification," Manaila said.&lt;/p&gt;
 &lt;p&gt;After the trust service provider verifies the signer's identity, it issues the digital certificate in the cloud. It stores the required cryptographic keys on a hardware security module (&lt;a href="https://www.techtarget.com/searchsecurity/definition/hardware-security-module-HSM"&gt;HSM&lt;/a&gt;) and protects them with two-factor authentication (2FA). These security measures let people sign documents and get digital certificates from any type of platform, device or smartphone, Manaila said.&lt;/p&gt;
 &lt;p&gt;Some countries issue electronic identification cards that store the owner's biometric data, such as their fingerprint or facial structure, on a chip. Citizens and organizations can use these cards to prove their identity online and quickly obtain a digital certificate.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/how_digital_signatures_work-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/how_digital_signatures_work-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/how_digital_signatures_work-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/how_digital_signatures_work-f.png 1280w" alt="Diagram showing the digital-signature workflow from document hashing and certificate-backed signing to signature verification and downstream processing." height="260" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;The digital-signature process uses certificates, private/public keys and document hashes to verify signer identity, detect tampering and support downstream workflows.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="How cloud affected the digital signature landscape"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How cloud affected the digital signature landscape&lt;/h2&gt;
 &lt;p&gt;Before the proliferation of cloud services, organizations relied on physical devices, such as &lt;a href="https://www.techtarget.com/searchsecurity/definition/security-token"&gt;security tokens&lt;/a&gt; or smart cards, to protect their digital certificates with an HSM. This traditional approach posed implementation challenges. For example, the approach isn't user-friendly because it requires users to carry a physical device, Manaila said.&lt;/p&gt;
 &lt;p&gt;Cloud tools, on the other hand, store the cryptographic keys on the cloud provider's HSM so organizations don't need to track physical tokens or replace them over time. Cloud products are also more scalable and require no physical maintenance costs.&lt;/p&gt;
 &lt;p&gt;The digital signature landscape changed after the Cloud Signature Consortium (CSC) standardized remote, cloud-based digital signatures with its open source API. This technology offers the following benefits:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Generates remote digital signatures across desktop, web and mobile devices.&lt;/li&gt; 
  &lt;li&gt;Protects legally binding signatures with 2FA.&lt;/li&gt; 
  &lt;li&gt;Integrates with various &lt;a href="https://www.techtarget.com/searcherp/definition/ERP-enterprise-resource-planning"&gt;ERP&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchcontentmanagement/feature/How-to-choose-the-right-document-management-system"&gt;digital transaction management systems&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Reduces IT governance costs.&lt;/li&gt; 
  &lt;li&gt;Ensures compliance with e-signature laws in the U.S. and EU, such as the &lt;a href="https://ico.org.uk/for-organisations/guide-to-eidas/what-is-the-eidas-regulation" target="_blank" rel="noopener"&gt;Electronic Identification, Authentication and Trust Services Regulation&lt;/a&gt;.
  &lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Security benefits of digital signatures"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Security benefits of digital signatures&lt;/h2&gt;
 &lt;p&gt;Digital signature technology can help organizations prevent bad actors from tampering with important transactions. Security benefits include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Links signer's identity to the signature.&lt;/li&gt; 
  &lt;li&gt;Makes the signer legally responsible for their actions.&lt;/li&gt; 
  &lt;li&gt;Securely stores the digital certificate's cryptographic keys on a certified HSM and protects them with 2FA.&lt;/li&gt; 
  &lt;li&gt;Offers &lt;a href="https://www.techtarget.com/searchsecurity/definition/access-control"&gt;access control&lt;/a&gt; to strengthen security.&lt;/li&gt; 
  &lt;li&gt;Can prove a signature's authenticity in court.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Digital signatures add assurance, but they also add process and training overhead. That is why organizations should treat them as a fit-for-purpose control: use them where the business needs higher trust, stronger evidence or stricter compliance, and use simpler e-signatures where speed and convenience matter more.&lt;/p&gt;
 &lt;p&gt;&lt;strong&gt;Editor's note:&lt;/strong&gt; &lt;em&gt;This article was originally published in 2023 and was updated in 2026 to reflect current digital-signature workflows, legal context and enterprise use cases.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Digital signatures help organizations verify signer identity and detect tampering, but teams should choose them only when a transaction needs stronger trust, evidence and compliance controls.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/check_g530502390.jpg</image>
            <link>https://www.techtarget.com/searchcontentmanagement/tip/How-do-digital-signatures-work</link>
            <pubDate>Fri, 24 Apr 2026 10:13:00 GMT</pubDate>
            <title>How do digital signatures work?</title>
        </item>
        <title>Search Security Resources and Information from TechTarget</title>
        <ttl>60</ttl>
        <webMaster>webmaster@techtarget.com</webMaster>
    </channel>
</rss>
