Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

You Can't Secure AI Agents You Haven't Found

Most organizations have a reasonable handle on their sanctioned SaaS apps. Model Context Protocol - hit 10,000 public servers within a year of launch, with 97 million monthly SDK downloads. None of those numbers capture the servers your developers configured locally. Those don't appear in any registry. They were added at the IDE level, one developer at a time, with no approval step and nothing that touches a central system. That's the inventory problem. It comes before any question of enforcement.

How Do AI Agents Create Data Exfiltration Risk?

AI agents create data exfiltration risk by combining three capabilities that are dangerous together: access to private data, exposure to untrusted content, and the ability to communicate externally. When all three exist in one agent, an attacker can hide instructions inside an email, document, or webpage the agent processes and trick it into sending sensitive data out. No software vulnerability is required. The attacker doesn't need to break in. They just need to talk to your agent.

After the Vercel Breach, Do You Know What Your AI Tools Can Access?

In April 2026, Vercel disclosed that attackers had accessed internal systems and customer credentials — not by breaking into Vercel directly, but by compromising a third-party AI tool one of its employees had connected to their corporate account.

Browser AI Plugins, Agentic AI, and MCP: The 3 Blind Spots Legacy DLP Can't See

A recently patched Google Chrome vulnerability is a signal security leaders cannot ignore. But it's only the beginning of a much larger story. In January 2026, a high-severity vulnerability was disclosed in Chrome's Gemini AI integration: CVE-2026-0628. The flaw allowed a malicious browser extension with only basic permissions to escalate privileges and gain access to a user's camera, microphone, local files, and the ability to screenshot any website, all without user consent. Google patched it quickly.

Powering Wider Global DLP Coverage with Three New Detectors from Nightfall

‍A DLP solution is only as strong as what it can detect. Gaps in detector coverage aren't just a technical inconvenience; they're exposure windows. Every format that goes unrecognized is a policy that can't fire, a remediation that can't happen, and a breach waiting to occur. Three new detectors are now available in Nightfall: personal photos (selfies and headshots), Malaysian Driver's License numbers, and South African National ID numbers.

WhatsApp Is the Latest Example Of Why Every New AI Feature Outpaces Legacy DLP

Every new AI feature that ships into a platform your employees already use is a security question your stack probably can't answer yet. It sounds like hyperbole, but it's the structural reality of how AI adoption works in 2026. A recent update to WhatsApp is a useful illustration of why.

100 SaaS Apps. One Query. Zero Alerts: How Glean and Claude Cowork Expose the Agentic AI Data Risk

A sales rep opened Glean—an AI-powered enterprise search platform that connects to your company's SaaS apps and lets anyone query across all of them in natural language—typed "Who are my top 10 customers?" and got a clean, formatted list pulled from Salesforce, cross-referenced with HubSpot, and confirmed against data sitting in Google Drive. They copy-pasted that list into a personal Gmail draft. No alerts fired. No policies triggered. No one noticed. This isn't a hypothetical.

AI Can Scan Your Code. It Can't Secure Your Organization.

When Anthropic announced Claude Code Security on February 20th—a tool that scans codebases for vulnerabilities and suggests patches for human review—the reaction from markets was swift and brutal. Major cybersecurity names watched their stock prices fall by double digits within days. The implied thesis behind the selling: AI can now do what these companies do, so why pay for them? It's a compelling fear and an inaccurate conclusion at the same time. The DLP space is a clear example of why.

How Conduent Lost 25 Million Records in 83 Days: The DLP Failure Everyone Missed

For 83 days, attackers moved freely through Conduent's systems and exfiltrated 8 terabytes of healthcare records, Social Security numbers, and personal data belonging to tens of millions of Americans. No alarm sounded. No transfer was blocked. The breach was discovered when systems stopped working. Not because anyone detected the data leaving.