Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

In late May and early June 2026, Arctic Wolf began observing increased exploitation of CVE-2026-0257, a high-severity authentication bypass vulnerability affecting Palo Alto Networks PAN-OS GlobalProtect and Prisma Access. The increase in CVE-2026-0257 exploitation began on May 30, 2026, following a smaller initial wave that had taken place between May 17 and May 21.

The cybersecurity industry is entering a new phase of AI adoption. Frontier AI models are increasingly capable of identifying vulnerabilities, investigating threats, analyzing code, and accelerating security operations at machine speed. At the same time, innovation is moving rapidly. New models, platforms, and security-focused AI initiatives are emerging across the market, each pushing the boundaries of how AI can be applied to real-world cybersecurity workflows.

Endpoint security has become one of the most difficult layers of the modern security stack to operate effectively. Endpoints sit at the intersection of user behavior, identity compromise, phishing, ransomware, and hands‑on‑keyboard activity. At the same time, attackers increasingly rely on fileless techniques, memory abuse, and legitimate tooling to evade signature‑based defenses.

Security teams are not struggling to find vulnerabilities. They are struggling to deal with them in a way that actually reduces risk. Most environments generate thousands of new findings every month. While vulnerability scanners, cloud tools, and endpoint platforms all contribute, that data does not come together in a way that is actionable. Teams end up with long lists of vulnerabilities, limited context, and no clear way to determine what should be fixed first.

The 2026 FIFA World Cup is a once-in-a-generation opportunity, and threat actors have already begun capitalizing on it. The 2026 FIFA World Cup, set to kick off on June 11, has already broken records for the most host nations, the most matches, and the highest amount of prize money to date for winning teams. Arctic Wolf set out to proactively investigate the criminal ecosystem surrounding the tournament.

The conversation around AI in cybersecurity is changing. The first question was whether AI could help security teams move faster. It can. AI-led security operations can accelerate investigations, correlate signals, reduce manual work, and help defenders respond at the speed modern threats demand. But as AI moves from experimentation into production, the next question becomes harder: can organizations operate it at scale without creating a new cost problem?

Mobile devices are becoming the highest‑trusted endpoints that are the least protected. They approve logins. They hold authentication apps. They carry email, collaboration, and business applications. And they travel everywhere your workforce travels: across corporate networks, home Wi‑Fi, airports, hotels, and cafés. That combination (high trust plus constant movement) is why mobile has become such a reliable entry point for credential theft and account takeover.

In our previous post, Token Bingo: Don’t Let Your Code Be the Winner, we documented Kali365, a phishing-as-a-service (PhaaS) kit abusing Microsoft’s OAuth 2.0 device authorization flow to steal Entra ID tokens. In this follow-up report, we track the same operator into new territory as they expand their operation and infrastructure.

Security teams are being asked to operate at machine speed while still making decisions they can trust. Attackers move faster. Exposure changes continuously. Manual workflows struggle to keep up. Following the recent announcement of the Aurora Superintelligence Platform and Aurora Agentic SOC, Arctic Wolf continues to advance its portfolio with new capabilities that help teams see risk clearly, prioritize what matters, and act with confidence.