Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Today we’re announcing the beginning of the next phase of our journey. We’re launching our Vulnerability Intelligence feed, Nucleus Insights. As we’ve worked with many companies, partners, and clients over the years, this became an obvious next step for Nucleus, and I want to share with you why. Fixing vulnerabilities is expensive. Not just in terms of patching costs or system downtime, but in people, time, and lost focus.

In Part 1 of this blog series, we explored the architecture, capabilities, and risks of the Model Context Protocol (MCP). In this post, we will focus on two attack vectors in the MCP ecosystem: prompt injection via tool definitions and cross-server tool shadowing. Both exploit how LLMs trust and internalize tool metadata and responses, allowing attackers to embed hidden instructions or persistently influence future tool calls without direct user prompts.

Software delivery today is a delicate balancing act between moving quickly and maintaining security. CXOs chase release velocity, PMs measure success by the number of features shipped, and developers are asked to code faster with every sprint. However, every pipeline that prioritizes speed without embedded security is essentially gambling with the risk of a breach. Legacy security models still act like toll gates, piling on reviews and post-deploy scans that stall progress.

Most teams run on velocity budgets, not risk budgets. While features get sprints, milestones, and release slots, risk, on the other hand, gets hope. When scan depth and speed decisions are made without an explicit budget for risk, the outcome is predictable: throughput is optimized while exposure compounds silently in the background.

When engineers stress-test a bridge, they don’t ask the pedestrians to sign off on safety. They put the liability squarely on the designers, contractors, and city officials, i.e., if it fails, it’s their names on the line. CERT-In 2025 audit guidelines and framework apply the same logic to digital infrastructure. No more passing the buck to auditors; CXOs must sign risks, PMs must certify vendors, and developers must prove security in every build.

In 2021, a critical vulnerability in a popular Node.js library allowed hackers to carry out code injection and silently compromise thousands of applications, with disastrous effects. It wasn’t a brute-force attack. It wasn’t ransomware. It was some wittily constructed pieces of malevolent code that got through defences and provided attackers with complete carte blanche. Code injection attacks are no longer rare. They’re alarmingly common.

For security teams, the stakes are rarely as high as they are during mergers and acquisitions (M&A). Suddenly, you’re tasked with managing two companies' worth of devices, applications, identities, and data. There can be serious issues lurking within the newly acquired (or soon-to-be-acquired) company, including legacy systems, poorly vetted third-party contractors, and incompatible security policies.

If you operate a website, run targeted ads, or use third-party analytics, the answer is likely yes. Since its enforcement began in 2020, the California Consumer Privacy Act (CCPA) has reshaped data privacy obligations in the U.S., granting California residents GDPR-like rights to access, delete, and opt out of data sales. But while companies scramble to update privacy policies and cookie banners, the client-side risks often go unaddressed.

Financial services and insurance companies live under some of the toughest compliance rules in the world. Regulations keep multiplying. Cyber threats keep evolving. And the penalties for getting it wrong range from multi-million-dollar fines to reputational damage that takes years to recover. The problem? Too many GRC programs are still manual, reactive, and siloed. Outdated tools and processes force teams to spend countless hours chasing evidence and preparing for point-in-time audits.

The speed of software development today is driven by fierce competition and the constant demand for innovation. Organizations are launching software faster than ever to keep up with the market and drive growth. This need for speed has led to several key trends: These trends introduce a critical dilemma: How do you balance speed vs. trust? While fast releases are essential to meet market and user demands, sacrificing trust for speed can lead to severe business repercussions.