Patrick Roland (@DeusLogica) · 3.4K posts

Director of Security Operations | CISSP, CCP | Passionate about security engineering, architecture, and SIEM | Advocate for ethical practices and transparency

Wichita, KS · Joined December 2021
1.4K Following · 307 Followers
Patrick Roland @DeusLogica
4/ Patch FortiClient now. Drop management interfaces from the public web. Zero Trust starts with not putting your admin panels on the internet.
0 · 0 · 0 · 10
Patrick Roland @DeusLogica
3/ Treat this KEV drop as a live fire exercise for NIST SP 800-171A (3.14.1 Flaw Remediation). Documenting your response timeline today generates the exact evidence assessors need to validate your CMMC Level 2 continuous monitoring.
0 · 0 · 0 · 10
Patrick Roland @DeusLogica
2/ APTs aren't burning sophisticated zero-days. They are walking through the front door because management planes like Fortinet, Citrix, and F5 are left exposed to the internet.
0 · 0 · 0 · 9
Patrick Roland @DeusLogica
1/ CVE-2026-35616 is a critical access control failure. Attackers are already exploiting it. If you manage defense supply chain networks, the clock started today.
0 · 0 · 0 · 23
Patrick Roland @DeusLogica
CISA just added FortiClient EMS (CVE-2026-35616) to the KEV. Unauthenticated RCE. For MSSPs managing DIB environments, your edge devices are active liabilities. 🧵👇
0 · 0 · 0 · 32
Patrick Roland @DeusLogica
🚨 CISA KEV Update | CRITICAL

CISA just batched multiple Zoho ManageEngine vulnerabilities into the KEV (including CVE-2021-40539 & CVE-2020-10189). These are classic APT initial access vectors for DIB perimeters.

If you're an MSSP managing Zoho for defense contractors, check your patch delta immediately. Don't wait for the compliance deadline.

Source: CISA / Roland Fleet CTI
#CMMC #MSSP #CVE #KEV
0 · 1 · 0 · 99
Patrick Roland @DeusLogica
🚨 Supply Chain Alert | High Confidence

UNC1069 (North Korea-linked) used social engineering on an Axios maintainer to compromise the npm package. T1195.001 → T1059

If you're pulling Axios in your CI/CD pipelines without strict version pinning and integrity checks, you are exposed. Your SBOM isn't enough if you don't monitor registry anomalies in real-time.

Source: Roland Fleet CTI | Reliability: A2
#SupplyChain #AppSec #ThreatIntel #DIB
0 · 0 · 0 · 39
AFD @Allsourcedataio
@HackingDave Yup, I swear, working with Claude is like having a high-level engineer with a drinking problem. Every day is an adventure.
6 · 2 · 57 · 4.8K
Dave Kennedy @HackingDave
Dude Claude is total trash - seen massive degrading of code quality, bugs, and more over the past several weeks. This week, I can’t even use it or rely on it to complete basic bug fixes or implementations. Codex has been performing substantially better. Anyone else ?
360 · 27 · 831 · 97.2K
Patrick Roland @DeusLogica
@HackingDave Are you using PRDs and governance documents to enforce quality? That seems to be the best fix for my own projects, but I'm not sure how everyone else is approaching it.
0 · 0 · 0 · 11
unusual_whales @unusual_whales
Nvidia CEO discusses AGI:
57 · 26 · 277 · 110.9K
Master2Uall88 @Master2Uall88
@unusual_whales There's nothing real about artificial general intelligence. It is and always has been Fallen Angelic intelligence and the disembodied spirits of the Nephilim that you idiots are bringing back
3 · 0 · 2 · 207
WildPinesAI @wildpinesai
@unusual_whales Declaring AGI by redefining it as "can run a billion-dollar company" is doing a lot of heavy lifting here
2 · 0 · 3 · 296
Patrick Roland @DeusLogica
⚠️ UAC-0255 | High Confidence

1M emails spoofing CERT-UA (Ukrainian CERT) delivered AGEWHEEZE RAT in password-protected ZIPs. T1566 → T1059
Target: Ukrainian/European entities
Timeline: Mar 26-27, 2026

Watch for spoofed CERT-UA domains. Verify sender before opening attachments.

Source: Roland Fleet CTI | Reliability: A2
#Phishing #CERT #Ukraine #ThreatIntel
0 · 0 · 1 · 22
Patrick Roland @DeusLogica
🚨 CRITICAL: CVE-2026-3055
High Confidence | CVSS 9.0 | Active exploitation

Citrix NetScaler SAML IDP RCE — MuddyWater (Iran) actively scanning DIB perimeters for exposed VPN endpoints. T1190 → T1059 → Network compromise

Patch now. Check your NetScaler ADC/Gateway configs.

Source: Roland Fleet CTI | Reliability: A2
#CTI #CVE #NetScaler #MuddyWater #DIB
0 · 0 · 1 · 78
Patrick Roland @DeusLogica
Random thought for vulnerability management. If we can just vibecode products and are concerned about the FOSS libraries being backdoored, why don't we just vibecode our own?
0 · 0 · 0 · 27
Patrick Roland @DeusLogica
This is why your SBOM isn't compliance theater. LiteLLM is in 36% of cloud environments. 40 minutes of malicious PyPI packages = exfiltration at CI/CD speed. Your MSSP should be monitoring package registry anomalies in real-time, not quarterly.
0 · 0 · 1 · 70
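The two supply-chain posts above (the Axios npm compromise and the malicious LiteLLM PyPI packages) both come down to the same controls: exact version pins, integrity hashes, and a known registry. Below is an added example, not the author's tooling, of what a CI gate for those controls looks like: it audits a `package-lock.json` for range specs, missing `sha512-` integrity strings and tarballs resolved from a non-allowlisted host, and a `requirements.txt` for entries that are not `==` pinned or carry no `--hash=sha256:` value (the prerequisite for pip's hash-checking mode). The lockfile and requirements content are constructed; the hashes are computed over placeholder bytes so they are well-formed but match no real artifact.

```python
"""Lockfile hygiene checks for the two ecosystems named in the posts above.
Constructed example; sample data below is made up and matches no real package."""
import base64
import hashlib
import json
import re
from urllib.parse import urlparse

ALLOWED_NPM_HOSTS = {"registry.npmjs.org"}  # policy: where tarballs may come from
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")
REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<spec>==[^\s;]+)?(?P<rest>.*)$")


def _sri(data: bytes) -> str:
    """Subresource-Integrity string in the form npm writes: sha512-<base64>."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed package-lock.json (lockfileVersion 3 layout): one clean entry, one
# with no integrity hash, one resolved from an unexpected host, and a root
# manifest that uses a caret range instead of an exact version.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"axios": "^1.6.0", "left-pad": "1.3.0"}},
        "node_modules/axios": {
            "version": "1.6.8",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz",
            "integrity": _sri(b"placeholder axios tarball")},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
        "node_modules/evil-helper": {
            "version": "0.0.1",
            "resolved": "https://mirror.example.net/evil-helper/-/evil-helper-0.0.1.tgz",
            "integrity": _sri(b"placeholder evil-helper tarball")},
    },
})

# Constructed requirements.txt: litellm is pinned and hashed, requests is an
# open range, pyyaml is pinned but carries no hash.
SAMPLE_REQUIREMENTS = (
    "# constructed sample\n"
    "litellm==1.40.0 \\\n"
    "    --hash=sha256:" + hashlib.sha256(b"placeholder litellm wheel").hexdigest() + "\n"
    "requests>=2.31\n"
    "pyyaml==6.0.1\n"
)


def audit_package_lock(lock_text: str, allowed_hosts=ALLOWED_NPM_HOSTS) -> list:
    """Findings for range specs in the root manifest, missing sha512 integrity
    hashes, and tarballs resolved outside the allowed registries."""
    packages = json.loads(lock_text).get("packages", {})
    findings = []
    for dep, spec in packages.get("", {}).get("dependencies", {}).items():
        if not EXACT_VERSION.match(spec):
            findings.append(f"{dep}: manifest spec {spec!r} is a range, not an exact version")
    for path, meta in packages.items():
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        if not meta.get("integrity", "").startswith("sha512-"):
            findings.append(f"{name}: no sha512 integrity hash, npm ci cannot verify the tarball")
        host = urlparse(meta.get("resolved", "")).hostname
        if host not in allowed_hosts:
            findings.append(f"{name}: resolved from {host!r}, outside the allowed registries")
    return findings


def _logical_lines(text: str):
    """Join pip's backslash continuations; skip blank and comment lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical, buf = (buf + line).strip(), ""
        if logical and not logical.startswith("#"):
            yield logical


def audit_requirements(req_text: str) -> list:
    """Findings for requirements not '==' pinned or lacking --hash=sha256:...,
    without which pip cannot run in hash-checking mode."""
    findings = []
    for line in _logical_lines(req_text):
        m = REQ_LINE.match(line)
        if not m:
            findings.append(f"unparsed line: {line!r}")
            continue
        name, spec, rest = m.group("name"), m.group("spec"), m.group("rest")
        if spec is None:
            findings.append(f"{name}: not pinned with '=='")
        if not re.search(r"--hash=sha256:[0-9a-f]{64}", rest):
            findings.append(f"{name}: no --hash=sha256:... pin")
    return findings
```

Run against the constructed inputs, the npm audit reports the `axios` caret range, the missing `left-pad` integrity and the `evil-helper` mirror host; the pip audit reports `requests` twice (unpinned, unhashed) and `pyyaml` once. In a pipeline, any finding fails the build before `npm ci` or `pip install --require-hashes` runs, which is the point: a registry-side compromise then has to defeat a hash you already recorded, not just publish a new version.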
Patrick Roland @DeusLogica
Your developers are already using Agentic AI. I'm not talking about someone copy-pasting an email into ChatGPT. I'm talking about autonomous agents operating within terminal windows, executing bash commands, writing code, and traversing your network.

If your organization is part of the Defense Industrial Base (DIB) and handles Controlled Unclassified Information (CUI), this is a massive problem. Why? Because traditional security operations centers (SOCs) are completely blind to how these agents operate.

The Compliance Collision

When we look at the regulatory landscape, we have a collision of frameworks:
- NIST SP 800-171Ar3: Protects CUI and demands rigorous audit and accountability (the AU family).
- NIST SP 800-63-4: Demands stringent Digital Identity Guidelines, including phishing-resistant MFA.
- OWASP AIVSS & Academic Research: Highlights unique vulnerabilities. Recent studies prove that autonomous agents are highly susceptible to "skill supply chain contamination" and "memory poisoning"—systemic risks that point-based defenses cannot stop.

The issue is attribution. When an Agentic AI system executes a script that modifies a database, your SIEM logs the action. But it logs it under the service account (the Non-Human Identity, or NHI) used by the AI. It does not log the prompt that triggered the action. It does not log the "chain-of-thought" the AI used to determine that action was necessary.

The Missing Link

You lack an Identity Chain of Custody. To pass a CMMC assessment—and more importantly, to actually secure your environment against Advanced Persistent Threats (APTs) targeting these AI workflows—you need cryptographic proof linking the human intent to the AI execution.

1. Human User Authenticates: Using AAL3 / Phishing-Resistant MFA.
2. Session Binding: The human session is cryptographically bound to the AI's execution context.
3. Trace Logging: The SOC must deploy Agentic Memory/Execution Monitoring (A-MEM) to capture the semantic reasoning (the prompt, the context window, the tool outputs) alongside the traditional syslog.

Without this chain, a compromised developer workstation isn't just a compromised endpoint; it's a compromised autonomous actor operating within your compliance boundary.

Stop treating Agentic AI like a web application. Treat it like a highly-privileged user that requires constant, semantic auditing.
0 · 0 · 0 · 117
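One concrete shape the three steps above can take, as an added example rather than the author's design or any vendor's product: a hash-chained, HMAC-authenticated ledger held by the SOC. A session record binds the human principal and their assurance level to the NHI the agent will run as; every tool call is then recorded with the prompt that caused it, the command, and a digest of the tool output, chained to the previous record and authenticated under a key the agent host never holds. An action that arrives without a bound session is refused, which is exactly the unattributed service-account activity a plain syslog would have accepted. The principal names, NHI, tool call and audit key are made up.

```python
"""Hash-chained, HMAC-authenticated execution ledger binding agent tool calls to
the authenticated human session that started them. Constructed illustration of
the 'identity chain of custody' idea; not a product API. All names are made up."""
import copy
import hashlib
import hmac
import json
import secrets

GENESIS = "0" * 64


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class ExecutionLedger:
    def __init__(self, audit_key: bytes):
        self._key = audit_key  # held by the SOC/collector, never by the agent host
        self.records = []

    def _append(self, body: dict) -> str:
        prev = self.records[-1]["mac"] if self.records else GENESIS
        body = dict(body, seq=len(self.records), prev=prev)  # chain to the prior record
        mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        self.records.append({"body": body, "mac": mac})
        return mac

    def bind_session(self, human: str, nhi: str, aal: str) -> str:
        """Steps 1 and 2: record which human, at what assurance level, stands
        behind the service account the agent will act as. Returns the session handle."""
        session_id = secrets.token_hex(16)
        self._append({"type": "session_bind", "session_id": session_id,
                      "human": human, "nhi": nhi, "aal": aal})
        return session_id

    def record_action(self, session_id, prompt, tool, argv, tool_output) -> str:
        """Step 3: log the prompt and a digest of the tool output beside the
        action. Refuse any action with no bound human session."""
        if not any(r["body"]["type"] == "session_bind" and r["body"]["session_id"] == session_id
                   for r in self.records):
            raise PermissionError("no bound human session for this execution context")
        return self._append({"type": "action", "session_id": session_id,
                             "prompt": prompt, "tool": tool, "argv": list(argv),
                             "output_sha256": hashlib.sha256(tool_output.encode()).hexdigest()})

    def verify(self):
        """Walk the chain: (True, None) if intact, else (False, index of first bad record).
        Catches edited bodies (MAC), and deleted or reordered records (seq/prev)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = rec["body"]
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if body.get("seq") != i or body.get("prev") != prev \
                    or not hmac.compare_digest(expected, rec["mac"]):
                return False, i
            prev = rec["mac"]
        return True, None

    def actions_for_human(self, human: str) -> list:
        """The attribution query an assessor asks: every tool call this person's sessions produced."""
        sessions = {r["body"]["session_id"] for r in self.records
                    if r["body"]["type"] == "session_bind" and r["body"]["human"] == human}
        return [r["body"] for r in self.records
                if r["body"]["type"] == "action" and r["body"]["session_id"] in sessions]


def demo_ledger() -> ExecutionLedger:
    """Constructed scenario: one AAL3 session, one agent-issued schema change."""
    ledger = ExecutionLedger(audit_key=b"constructed demo key; keep the real one in a KMS/HSM")
    sid = ledger.bind_session(human="jdoe", nhi="svc-coding-agent", aal="AAL3")
    ledger.record_action(sid, "Fix the failing migration test", "bash",
                         ["psql", "-c", "ALTER TABLE orders ADD COLUMN note text"],
                         tool_output="ALTER TABLE")
    return ledger


def tampered_verify(ledger: ExecutionLedger):
    """Copy the ledger, rewrite the recorded command after the fact, re-verify.
    The edited record fails its MAC and the chain breaks at that index."""
    forged = copy.deepcopy(ledger)
    forged.records[1]["body"]["argv"] = ["psql", "-c", "SELECT 1"]
    return forged.verify()
```

The SIEM still sees `svc-coding-agent` running `psql`; what this adds is a record, verifiable by the SOC alone, that `jdoe` authenticated at AAL3 and issued the prompt that produced that command. Shipping the ledger to an append-only store and rotating the audit key are deployment details left out here.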
Patrick Roland @DeusLogica
Want to run an automated pentest tool in GOV cloud? Start your FedRAMP paperwork. You'll have it in 12-18 months. Last I checked, LockBit wasn't FedRAMP authorized either. But here we are. (thread)
0 · 0 · 0 · 40
Patrick Roland reposted
Dark Web Intelligence @DailyDarkWeb
United States 🇺🇸 - Wolf Technology Group has allegedly been breached by the Nova ransomware group, compromising 100GB of corporate and business services data. dailydarkweb.net/wolf-technolog…
0 · 7 · 15 · 2.7K
Patrick Roland @DeusLogica
🧵 The KEV Lag

1/ 6 days. That's how long watchTowr had CVE-2026-3055 intel before CISA added it to KEV. If you're waiting for KEV to patch, you're already behind.

2/ The timeline:
- Day 0: Iranian MuddyWater starts scanning Citrix NetScaler
- Day 2: Honeypots confirm reconnaissance
- Day 4: Exploitation attempts in the wild
- Day 6: CISA adds to KEV
By then, your SAML IDP was already leaking tokens.

3/ KEV isn't a proactive tool. It's reactive confirmation. Federal agencies get a "patch by" date. Everyone else gets a "you should've patched 6 days ago" notification.

4/ The real timeline: Threat actors → Vuln disclosure → Exploitation → CISA notices → KEV listing → Your alert fires → You patch. By step 5, the game is over.

5/ What watchTowr proved: Active scanning of attack surface > Passive KEV monitoring. They found exposure before CISA confirmed exploitation. That's the gap between threat intel and threat reaction.

6/ Here's the uncomfortable truth: CISA KEV exists because someone else already got owned. It's not prevention. It's documentation. If you're waiting for KEV to prioritize patches, you're accepting 6+ days of known exposure.

7/ The MSSP reality: Your clients assume you're watching KEV. They don't know KEV is a lagging indicator. Your value isn't KEV alerts. It's KEV anticipation.

8/ What proactive looks like:
- EPSS 95%+ = patch now, not later
- Threat intel feeds (not just CISA)
- Honeypot telemetry
- Exploit code monitoring (GitHub, Pastebin, Telegram)

9/ The KEV Lag isn't CISA's fault. They're doing retrospective analysis on exploitation at scale. The lag is structural. Your job is to front-run that structure.

10/ Actionable takeaway: Build your own KEV. Not the list—the capability. Patch on EPSS. Patch on exploit code. Patch on honeypot hits. KEV should validate your decision, not trigger it.

#ThreatIntel #CISA #KEV #MSSP #PatchManagement
0 · 0 · 0 · 77
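Points 8 and 10 of the thread describe a prioritisation policy: patch on EPSS, on exploit code, on honeypot hits, and let KEV confirm rather than trigger. As an added example (not the author's tooling), here is that policy written as a function. Each exploitation signal can only tighten the patch SLA, KEV membership is one signal among several, and internet exposure halves whatever SLA the signals produced. The thresholds are an example policy and the four CVE records use synthetic identifiers with made-up scores; the first of them is the KEV-lag case from the thread, where honeypots and exploit code already say "now" while KEV has not listed it yet.

```python
"""Exploitation-driven patch prioritisation: the 'build your own KEV' capability
from the thread above. Added example; thresholds are an example policy and the
CVE records are constructed with synthetic IDs and made-up scores."""
from dataclasses import dataclass


@dataclass
class VulnSignals:
    cve: str
    cvss: float                      # base severity, 0..10
    epss: float                      # EPSS probability of exploitation within 30 days, 0..1
    in_kev: bool = False             # listed on CISA KEV (the lagging indicator)
    public_exploit: bool = False     # exploit/PoC code seen (GitHub, Pastebin, Telegram ...)
    honeypot_hits: int = 0           # exploitation attempts against our own sensors
    internet_exposed: bool = False   # affected asset reachable from the internet


def patch_sla_hours(v: VulnSignals, epss_threshold: float = 0.95):
    """Return (sla_hours, reasons). Signals only ever tighten the SLA; the
    default of 30 days applies when nothing points at active exploitation."""
    sla, reasons = 24 * 30, []

    def tighten(hours: int, why: str):
        nonlocal sla
        reasons.append(why)
        sla = min(sla, hours)

    if v.honeypot_hits:
        tighten(24, f"{v.honeypot_hits} exploitation attempts seen on honeypots")
    if v.public_exploit:
        tighten(72, "public exploit code observed")
    if v.epss >= epss_threshold:
        tighten(72, f"EPSS {v.epss:.2f} >= {epss_threshold:.2f}")
    if v.in_kev:
        tighten(72, "listed in CISA KEV (confirms a decision already made)")
    if v.cvss >= 9.0:
        tighten(24 * 7, f"CVSS {v.cvss} critical")
    if v.internet_exposed:
        reasons.append("asset is internet-exposed: SLA halved")
        sla = max(4, sla // 2)
    return sla, reasons


def rank(vulns) -> list:
    """Order the work queue by SLA, then by EPSS; returns (cve, sla_hours) pairs."""
    scored = [(v, patch_sla_hours(v)[0]) for v in vulns]
    scored.sort(key=lambda pair: (pair[1], -pair[0].epss))
    return [(v.cve, sla) for v, sla in scored]


# Constructed records (synthetic IDs). CVE-2099-0001 is the KEV-lag case:
# honeypots and exploit code already demand action while in_kev is still False.
SAMPLE_VULNS = [
    VulnSignals("CVE-2099-0001", cvss=9.8, epss=0.97, public_exploit=True,
                honeypot_hits=12, internet_exposed=True),
    VulnSignals("CVE-2099-0002", cvss=7.5, epss=0.30, in_kev=True),
    VulnSignals("CVE-2099-0003", cvss=9.1, epss=0.02),
    VulnSignals("CVE-2099-0004", cvss=5.3, epss=0.05),
]

if __name__ == "__main__":
    for cve, sla in rank(SAMPLE_VULNS):
        print(f"{cve}: patch within {sla}h")
```

With these inputs the un-listed, actively exploited CVE-2099-0001 lands at the top with a 12-hour SLA, the KEV-listed but quiet CVE-2099-0002 gets 72 hours, and a high-CVSS entry with no exploitation signal sits at a week. Feeding the function real EPSS scores, exploit-code monitoring and honeypot telemetry is what turns it from a policy statement into the capability the thread is asking for.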