Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we turn to this week’s edition of Cyber Intelligence Weekly, I want to introduce a new Personal Spotlight Series: The Human Side of Cybersecurity.

This series is grounded in conversation rather than commentary. It centers on CISOs and other cyber leaders who are in the seat—navigating real leadership pressure, complex risk decisions, and the human realities of building and sustaining security programs. Some are earlier in their journey, others further along paths many of you may recognize or aspire toward. What they share isn’t theory. It’s experience—earned through moments of progress, frustration, growth, and reflection. These conversations are for the professionals who show up every day to quietly carry the weight of this industry.

Adam Markowitz — “Win With Trust.”

In this episode of the Human Side of Cyber series, I sat down with Adam Markowitz , founder and CEO of Drata, to talk about entrepreneurship, trust, GRC, and the philosophy behind building one of the fastest-growing companies in the security and compliance space. What stood out most was that Adam’s story was never really about compliance software—it was always about trust.

Adam’s journey started far away from cybersecurity. His background was in aerospace engineering, where he worked on the tail end of the NASA space shuttle program before eventually teaching himself to code and launching his first company, Portfolium. That company focused on helping students prove their skills beyond a traditional resume through real evidence and portfolios of work. The same underlying concept eventually became the foundation for Drata: trust should not be claimed—it should be proven continuously with evidence.

The idea for Drata emerged from Adam’s firsthand frustration dealing with security questionnaires, audits, and compliance requirements while running Portfolium. As universities began asking for proof that student data would be protected, his team experienced the painful, manual nature of compliance workflows and third-party risk assessments. That friction led to a bigger realization: the entire ecosystem of trust between companies was bottlenecked by outdated, point-in-time processes and checkbox-driven assessments.

A few themes consistently surfaced throughout the conversation:

• Trust is foundational. Adam described trust as one of the most valuable assets in life and business, second only to time itself.
• Compliance can become a strategic advantage. Organizations that proactively demonstrate trust and transparency can accelerate sales cycles and outperform competitors.
• Automation changes the role of GRC teams. The future is moving from manual work toward orchestration, where AI agents and automation handle repetitive tasks while humans focus on oversight and judgment.
• Culture matters deeply. Drata intentionally built a culture around clear “rules,” not vague corporate values. Adam emphasized that culture should have sharp edges and be specific to the company’s mission.
• Integrity matters most when nobody is watching. One of the strongest moments of the discussion centered around maintaining strict independence and ethical boundaries in compliance and audit relationships, even when shortcuts might have accelerated growth.
• Founders must trust their gut. Adam shared that many of his biggest mistakes came from ignoring intuition and over-correcting based on outside opinions.
• AI will massively accelerate GRC. Adam believes GRC professionals are evolving from task executors into orchestrators of intelligent systems and agents.
• Trust will become even more important in the AI era. As barriers to building software collapse, trust will increasingly become the differentiator between companies.

One of the most interesting parts of the conversation was Adam’s perspective on how Drata evolved from simply helping organizations automate compliance into building what he described as a “trust layer” or “trust graph” between companies. The idea is that continuous visibility, proactive sharing of assurance data, and real-time evidence dramatically reduce friction in business relationships.

When I asked Adam what message he would put on a billboard for founders and entrepreneurs, his answer was simple: “Win with trust.” He also shared another piece of advice that clearly reflects the entrepreneurial journey: “Get comfortable being uncomfortable.”

If there was one central takeaway from this conversation, it’s this: technology changes rapidly, but trust remains constant. Whether it’s AI, cybersecurity, compliance, or business relationships, the organizations that consistently prove trustworthiness—not just claim it—will ultimately win.

Watch the Full Interview Here: https://www.youtube.com/watch?v=lOiVoNrrOlQ

Echelon Events & Thought Leadership Highlight

The SEC's cybersecurity disclosure rules aren't new anymore.

The question has shifted from "what do they require?" to "are we actually ready when something happens?"

Echelon's Cybersecurity Consultant, Renata Uribe, updated our 2024 breakdown with what's changed heading into 2026, from how materiality determinations are being scrutinized to what board oversight needs to look like in practice.

Worth a read if you're in finance, legal, or security at a publicly traded company. https://lnkd.in/eG98ZX-8

Away we go!

1.  CISA Orders Emergency Patching for Critical Cisco SD-WAN Vulnerability

A newly disclosed vulnerability in Cisco SD-WAN infrastructure has triggered an emergency response across the U.S. government after federal cybersecurity officials confirmed active exploitation in the wild. The flaw, tracked as CVE-2026-20182, affects Cisco SD-WAN systems and carries the maximum possible CVSS severity score of 10.0. According to Cisco, the vulnerability allows an unauthenticated remote attacker to bypass authentication mechanisms and gain full administrative privileges over affected systems. In response, the Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal agencies to apply Cisco’s newly released patches by Sunday while also conducting immediate threat hunting and compromise assessments across their environments.

The vulnerability was uncovered by incident responders at Rapid7 during an investigation into a related Cisco SD-WAN exploitation campaign that raised alarms earlier this year. Researchers described the flaw as effectively functioning like a “master key” for targeted networks. By impersonating trusted network devices, attackers can trick SD-WAN controllers into granting privileged access without properly validating identity or trust relationships. Security experts warn that this type of access is especially valuable because SD-WAN infrastructure often sits directly in the middle of critical enterprise communications, branch connectivity, cloud routing, and security policy enforcement.

What makes the situation particularly concerning is the nature of the threat actors believed to be exploiting the flaw. Officials tied the broader activity to an advanced threat actor campaign that had already prompted emergency directives earlier this year from both CISA and Five Eyes intelligence partners. Analysts believe the vulnerability is highly attractive to nation-state operators seeking long-term persistence inside sensitive environments rather than immediate disruptive attacks. Compromising SD-WAN controllers can provide stealthy access into trusted enterprise pathways, enabling adversaries to quietly monitor traffic, pivot laterally across environments, and potentially prepare for future operations without triggering traditional security alerts.

The incident serves as another stark reminder that networking and edge infrastructure remain prime targets in modern cyber warfare. Devices that manage authentication, routing, segmentation, and trusted communications are increasingly becoming strategic attack surfaces for both espionage and disruptive operations. Organizations using Cisco SD-WAN should immediately prioritize patching, review management plane exposure, collect and analyze logs for suspicious administrative activity, and validate trust relationships across connected infrastructure. As attackers continue targeting the systems that sit at the center of enterprise trust, defenders must assume that network infrastructure itself is now part of the front line.

Critical Palo Alto Firewall Vulnerability Under Active Exploitation

One of the biggest cloud and edge infrastructure stories this week centers around a critical vulnerability in Palo Alto Networks PAN-OS firewalls that is already being actively exploited in the wild. The flaw, tracked as CVE-2026-0300, allows unauthenticated attackers to execute arbitrary code with root privileges through exposed User-ID Authentication Portals. Because Palo Alto firewalls sit at the edge of many enterprise and cloud-connected environments, this issue has quickly become a high-priority concern for security teams across multiple industries.

What makes this threat particularly dangerous is the operational discipline being used by the attackers. Palo Alto confirmed that a state-sponsored group has been quietly leveraging stolen credentials and open-source tools to move laterally through victim environments while staying below traditional detection thresholds. Rather than deploying noisy malware, the attackers are favoring stealthy persistence techniques and short access windows to avoid triggering automated alerts.

Organizations using PAN-OS should immediately determine whether the User-ID Authentication Portal is exposed to the public internet. Palo Alto recommends restricting portal access to trusted internal IP ranges, disabling unnecessary response pages on internet-facing interfaces, and enabling Threat ID 510019 for customers with Threat Prevention subscriptions. Permanent patches are being rolled out over the coming weeks, but mitigation steps should happen immediately rather than waiting for maintenance windows.

This incident is another reminder that perimeter infrastructure remains one of the most valuable targets for both nation-state and criminal actors. Firewalls, VPN gateways, identity services, and cloud edge devices increasingly represent the front door into hybrid enterprise environments. Security teams should treat these systems as high-value assets requiring continuous monitoring, aggressive patching, and privileged access controls.

2. New Linux Root Privilege Escalation Bug Raises Alarm Across Enterprises

Linux administrators are facing another urgent kernel security issue, marking the third publicly disclosed local privilege escalation vulnerability in less than two weeks. The latest flaw, dubbed “Fragnesia” and tracked as CVE-2026-46300, affects the Linux kernel’s XFRM ESP-in-TCP subsystem and allows an unprivileged local attacker to escalate privileges to root through page-cache corruption. Security researchers warn that the vulnerability impacts many of the same major Linux distributions recently exposed by the “Dirty Frag” and “Copy Fail” flaws, continuing a troubling trend of rapidly emerging kernel exploitation techniques targeting foundational Linux infrastructure.

What makes Fragnesia especially concerning is the timing. Proof-of-concept exploit code was publicly released before many Linux vendors had an opportunity to distribute patches, leaving defenders scrambling for temporary mitigations. According to researchers, the flaw creates a “write-what-where” condition that can overwrite sensitive system files in memory, enabling attackers to manipulate cached file pages and gain root-level control of affected systems. While there is currently no confirmed evidence of Fragnesia being exploited in the wild, both Dirty Frag and Copy Fail reportedly saw active exploitation shortly after disclosure, raising concerns that attackers may move quickly to weaponize this latest issue as well.

For organizations running Linux workloads in cloud, hybrid, or containerized environments, the operational implications are significant. The vulnerability can be exploited through namespace creation combined with CAP_NET_ADMIN privileges, meaning environments that heavily rely on containers, Kubernetes, or network segmentation technologies may face elevated exposure if local access is already achieved. Security experts are urging administrators to temporarily disable the vulnerable kernel modules where possible, specifically esp4, esp6, and rxpc modules, until official patches become broadly available. Monitoring for suspicious namespace creation, unusual XFRM activity, or abnormal use of AF_ALG interfaces may also help identify exploitation attempts before privilege escalation succeeds.

The broader concern emerging from this recent wave of Linux kernel disclosures is not just the vulnerabilities themselves, but the accelerating pace at which they are being discovered, weaponized, and publicly released. Some researchers now believe AI-assisted vulnerability research is contributing to the increased discovery rate, compressing the timeline between identification and exploitation. For defenders, this reinforces a difficult but increasingly important reality: organizations can no longer rely solely on patch cycles to stay protected. Strong segmentation, hardened local access controls, behavioral monitoring, rapid response procedures, and the ability to quickly isolate vulnerable systems are becoming essential layers of defense in modern Linux environments.

AI-Generated Offensive Tooling Accelerates Real-World Cyberattacks

Researchers this week highlighted a troubling evolution in cyber operations after attackers targeting operational technology environments in Mexico were found using AI-generated malicious scripts and offensive tooling to accelerate intrusion activity. According to Dragos, analysts reviewed roughly 350 artifacts tied to the campaign, many of which appeared to be generated or enhanced using AI-assisted techniques. The attackers reportedly used the tooling to rapidly expand access across multiple compromised enterprise environments.

The most important takeaway is not that AI created entirely new attack methods. Instead, AI dramatically accelerated existing offensive techniques that already work. Tasks like reconnaissance, script generation, privilege escalation support, and infrastructure enumeration can now be performed at machine speed with far less human effort. That shift compresses defender response timelines and increases the scale attackers can operate at simultaneously.

This trend also reinforces growing concerns around operational technology and industrial control system security. Many OT environments still rely on legacy systems, flat network architectures, and limited visibility into east-west traffic. When adversaries can use AI to rapidly adapt tools and automate portions of the attack lifecycle, those longstanding weaknesses become even more dangerous.

Organizations should begin preparing now for AI-enabled threat activity by strengthening behavioral detection capabilities, increasing segmentation between IT and OT networks, and investing in faster incident response workflows. Traditional signature-based defenses alone will struggle against adaptive AI-assisted attacks. The future of defense will require defenders to increasingly fight automation with automation, leveraging AI-enabled security platforms, detection engineering, and advanced telemetry to keep pace with adversaries operating at machine speed.

3. OpenAI Pulled Into Expanding npm Supply Chain Attack Campaign

A widening software supply chain campaign targeting the npm ecosystem has now reached one of the most closely watched technology companies in the world. OpenAI confirmed this week that attackers compromised two employee devices during the ongoing “Mini Shai-Hulud” operation, allowing threat actors to steal a limited amount of internal credential material tied to development repositories. The incident did not impact production systems, customer environments, or deployed AI services, but it once again demonstrates how modern attackers are increasingly targeting the software assembly line itself rather than traditional perimeter defenses.

According to OpenAI, the compromise stemmed from poisoned npm packages connected to the broader TanStack supply chain attack. The malicious packages were designed to steal credentials from developer environments, including GitHub tokens, cloud secrets, CI/CD authentication data, and npm publishing credentials. OpenAI explained that the affected employee systems had not yet received newly deployed supply chain security controls that were being rolled out internally following an earlier security incident. Once the compromise was identified, the company rotated signing certificates tied to several desktop products, including ChatGPT Desktop, Codex App, Codex CLI, and Atlas, as a precautionary measure.

The broader campaign surrounding TanStack is becoming increasingly concerning for defenders across the software industry. Security researchers linked the activity to a threat group known as TeamPCP, which has spent the past several weeks compromising developer tooling, GitHub workflows, CI/CD pipelines, and trusted open source packages. TanStack disclosed that attackers published 84 malicious package versions across 42 separate packages after infiltrating portions of its release infrastructure. The same campaign has also been tied to previous attacks involving SAP-related npm packages and other developer ecosystems, suggesting attackers are methodically targeting trusted software distribution channels to maximize downstream access opportunities.

For security leaders, the OpenAI incident reinforces a growing reality: supply chain attacks are no longer isolated edge cases targeting obscure projects. They are becoming a mainstream attack vector aimed directly at organizations with privileged developer environments, automation workflows, and highly interconnected cloud infrastructure. Traditional endpoint protections alone are no longer sufficient to defend modern development ecosystems. Organizations should be aggressively implementing package integrity verification, least privilege access controls, hardened CI/CD pipelines, signed artifact validation, dependency monitoring, and behavioral detection around developer workstations. The attackers behind campaigns like Mini Shai-Hulud are proving that compromising the tools developers trust may be one of the fastest paths into some of the world’s most valuable environments.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about