Expert analysis Archives – Help Net Security Daily information security news with a focus on enterprise security.
- Why you need BAS and autonomous pentesting together by Help Net Security on June 2, 2026 at 5:00 am
Most security teams know the drill: A new autonomous penetration testing tool gets deployed, and the first run is genuinely impressive. The dashboard surfaces critical findings, maps lateral movement paths nobody had documented before, and exposes a legacy service account that has been sitting idle for years. Great. The red team feels like it’s found a force multiplier. The CISO feels like the “human element” of validation has finally been automated away. Then, troublingly, by …
- Manage machine identities: The hidden privileged access layer you need to manage by Help Net Security on May 26, 2026 at 4:30 am
Why are machine identities becoming the majority of “things with access”? Every automation, integration, and workload needs a way to authenticate and the right permissions to act. That quiet requirement has created a massive population of machine identities, also called non-human identities (NHIs): service accounts, service principals, workload roles, OAuth apps, AI agents, and IAM roles. Machine identities authenticate using credentials like access keys, secrets, and tokens. Many of these identities hold privileges equal to …
- Lessons for organizations from the Verizon 2026 Data Breach Investigations Report by Help Net Security on May 25, 2026 at 5:30 am
This is my favourite time of the year, not just because spring is here and the promise of summer is on the way. But also, because one of my must reads each year gets published. There are a few must read reports that I have on my reading list for each year and the Verizon Data Breach Investigations Report is on top of that list. The latest Verizon 2026 Data Breach Investigations Report (DBIR) once …
- 7 hard truths security pros should know: 2026 DevOps Threats Report by Help Net Security on May 20, 2026 at 5:00 am
In 2025, trusted Git hosting platforms became a playground for cyber criminals. This is the main conclusion from the latest “DevOps Threat Unwrapped Report 2026” by GitProtect. If you want to effectively counter attacks targeted at your code (and business), you need security measures, good practices, and knowledge. Strengthen your organization’s security posture. Learn about 7 hard truths from the report to discover the latest threats and ways to fight them off. #1 AI assistants …
- The hidden risk of non-human identities in AI adoption by Help Net Security on May 13, 2026 at 5:00 am
An employee with persistent, unsupervised admin access across critical systems, with no audit trail, no clear owner, and no regular access reviews, would raise immediate concern in most organizations. Yet non-human identities and AI agents are often granted that same kind of persistent, broadly privileged access. As AI adoption grows, that gap is becoming harder to ignore. NHIs today encompass far more than traditional service accounts and API keys. They also often include AI agents …
- May 2026 Patch Tuesday forecast: AI starts driving security industry changes by Help Net Security on May 8, 2026 at 6:19 am
Microsoft May 2026 Patch Tuesday is now live: Many fixes, but no zero-days Project Glasswing. This is one of three major security industry changes I’ll cover today. The Anthropic Mythos vulnerability discovery model has already proven to be game changing in its ability to identify new vulnerabilities in software. Many of these vulnerabilities have existed for 10 to 15 years without human discovery. In a recent announcement from Mozilla, they discovered 271 vulnerabilities when running …
- Identity discovery: The overlooked lever in strategic risk reduction by Help Net Security on April 29, 2026 at 4:30 am
If you ask a CISO what keeps them up at night, the answer usually isn’t “lack of tools.” It’s uncertainty. Uncertainty about what they don’t see. Uncertainty about how far an attacker could move once inside. Uncertainty about whether identity programs are actually reducing risk, or just managing symptoms. Identity discovery sits at the center of that uncertainty. It is not glamorous. It does not get the same attention as AI-driven detection or zero trust …
- Your IAM was built for humans, AI agents don’t care by Help Net Security on April 27, 2026 at 8:00 am
Identity and access management was built for a simpler world. One where the hardest problem was a human logging in, and where “Who are you?” was sufficient to decide what someone could do. That model served enterprises well for decades. It was not built for a world where non-human identities now account for more than 90% of all authentications, where AI agents act across systems, trigger chains of API calls, and make access decisions in …
- What the EU AI Act requires for AI agent logging by Help Net Security on April 16, 2026 at 5:30 am
The EU AI Act is 144 pages long. The logging requirements that matter for AI agent developers sit across four articles that keep referencing each other. Here’s what they say, when the deadlines hit, and where the gaps are. Your agent is probably high-risk The Act doesn’t mention “AI agents” by name. What matters is what the system does. If your agent scores credit applications, filters resumes, decides who gets healthcare benefits, prices insurance, or …
- 29 million leaked secrets in 2025: Why AI agents credentials are out of control by Help Net Security on April 14, 2026 at 5:00 am
AI agents need credentials to work. They authenticate with LLM platforms, connect to databases, call SaaS APIs, access cloud resources, and orchestrate across dozens of external services. Every integration point requires an identity. Most organizations are handling this badly, and the evidence is in the code. GitGuardian’s State of Secrets Sprawl Report found 28,649,024 new secrets exposed in public GitHub commits across 2025, a 34% year-over-year increase and the largest annual jump in the report’s …






