Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Over the last year, AI-assisted malware development has evolved from an experimental practice into a common part of the attacker toolkit. In a rolling window from February 2025 to February 2026, Arctic Wolf Labs observed over 22,000 distinct files triggering AI-focused YARA rules across multiple malware repositories. These files included AI-generated code, large language model (LLM)-style scaffolding, runtime AI API integration, and DeepSeek-derived artifacts.

Cybersecurity has always been defined by moments of inflection. Periods of steady progress are followed by breakthroughs that fundamentally reshape how defenders operate and how technology enables them to succeed. Today we are entering one of those moments.

Every year at RSA Conference, I spend time with security leaders who are trying to solve the same fundamental challenge. They know what strong security operations should look like, but the path to building and sustaining that capability inside their own organization has become increasingly difficult. The market is shifting from buying tools to buying outcomes.

Starting the week of March 9, 2026, Arctic Wolf observed malicious activity in customer environments potentially linked to the exploitation of CVE-2025-32975 on unpatched Quest KACE Systems Management Appliance (SMA) instances that were publicly exposed to the internet. This vulnerability was patched in May 2025. Quest KACE SMA is an on-premises appliance for centralized endpoint management, providing inventory, software deployment, patching, and endpoint monitoring capabilities.

Endpoint security encompasses the processes and technologies used to protect end-user devices—including laptops, servers, mobile devices, IoT systems, and any connected asset with access to corporate resources. As organizations become more distributed and adversaries become more sophisticated, the endpoint has evolved into both a preferred target for threat actors and a pivotal control point within a modern security architecture.

On March 11, 2026, U.S. medical technology company Stryker Corporation disclosed a cyber attack that disrupted its global internal networks and Microsoft systems, leaving thousands of employees unable to access corporate systems and devices inoperable. In its SEC filing, Stryker stated it has no indication of ransomware or malware, considers the incident contained, and is assessing the full impact, with no timeline provided for full restoration.

Security leaders are being squeezed from both sides. On one side, threat actors are scaling operations with AI automation, using it to craft more convincing social engineering attacks, accelerating reconnaissance, and improving lateral movement. On the other side, defenders are drowning in telemetry, suffering under staffing constraints, and facing the harsh reality that threat actors don’t keep business hours.

On March 12, 2026, Veeam released fixes for multiple high and critical severity vulnerabilities in their Backup & Replication product that could allow remote code execution (RCE), privilege escalation, and credential theft. Arctic Wolf has not identified publicly available proof-of-concept exploits for these vulnerabilities, nor have we observed any exploitation.

On March 4, 2026, Cisco released fixes for two maximum-severity vulnerabilities impacting Cisco Secure Firewall Management Center (FMC), which is used to centrally manage Cisco Secure Firewall devices. Arctic Wolf has not observed threat actors exploiting these vulnerabilities, nor have any public proof-of-concept exploits been reported.

On March 03, 2026, pac4j released fixes for a maximum severity vulnerability in pac4j-jwt, tracked as CVE-2026-29000. The flaw arises from improper verification of cryptographic signatures in the JwtAuthenticator component when processing encrypted JWTs (JWE). A remote, unauthenticated threat actor who knows the server’s RSA public key can bypass authentication and impersonate arbitrary users (including administrators) by submitting a crafted JWE whose inner token is an unsigned PlainJWT.