SANS Institute

42.4K posts

@SANSInstitute

SANS is the most trusted and by far the largest source for information & cyber security training, certification and research in the world.

Worldwide · Joined February 2009
413 Following · 192.8K Followers

SANS Institute retweeted
XBOW @Xbow
“We have startups today that are 4 people large that are reaching $10 million valuation,” says @robtlee, Chief AI Officer and Chief of Research at the @SANSInstitute, in a recent fireside chat with XBOW CEO @oegerikus. “If you’re able to do business that way, why can’t you similarly create an attack team?” Watch more of their conversation: bit.ly/422eZPo
SANS Institute @SANSInstitute
Now live 🎙️ “Cybersecurity is about protecting trust.” Jitender Arora on leadership, pressure, and the reality of the role. 🔗 go.sans.org/MRrSOu
SANS Institute @SANSInstitute
New talks just announced for SANS #SecAwareSummit 👇
The agenda goes live next week — in the meantime, here’s a preview:
• @drjessicabarker - AI + deepfakes are changing how we approach awareness
• Liz Gore - Building security culture — even as a team of one
• Mark Sayewich - Turning customer security into measurable impact
Start making plans to join @lspitzner, Hannah Hardee, and your community this August!
🗓️ Summit: Aug 27-28
📍 Las Vegas, NV | All-Access + Workshops or
🛜 Free Live Online | Select Talks
Secure Your Spot: go.sans.org/hRdIo5
#SecurityAwareness #CyberSecurity
SANS Institute @SANSInstitute
Many AI Security programs are strong in one pillar, inconsistent in two, and blind to how they interact. The SANS AI Security Maturity Model™ scores Protect AI, Utilize AI, and Govern AI independently so you can see exactly where the gaps are. Now available for download → go.sans.org/PJjMWh #AIGovernance #InfoSec
SANS Institute @SANSInstitute
Looking to move into leadership? The @SANS_EDU Master’s in Information Security Engineering combines elite GIAC certifications with strategic management training. Explore the curriculum: go.sans.edu/MG5YgK
SANS Institute retweeted
Rob T. Lee @robtlee
One in ten of you reading this have kids whose data is in the dump supposedly burned when Instructure paid the ShinyHunters ransom to avoid the liability of millions of minors' data hitting the field. 275 million records across 8,800 institutions in 50 countries, from kindergarten to Ivy League.

Hard to trust that the data is destroyed when the hackers broke in a second time to post a ransom note across every school's Canvas login during the negotiation. First time that families saw a ransomware threat. I have twin teenagers. This just got personal.

Criminals known for sophisticated social engineering are now capable of stitching the most credible spear-phishing ever assembled (student names and emails, schools and teachers, real message threads) onto WormGPT-class phishing at 93% success and SIM farms running thousands of numbers. You don't need to be a nation-state to run a convincing impersonation of a teacher, or to create illicit content and threaten to post to their social media accounts. You need a target list and a couple of hours. (And if it doesn't keep you up at night yet, ShinyHunters was responsible for the ADT breach and the AT&T breach, among many more in recent years.)

What I would do now:
1. Freeze each kid's credit at all three bureaus. Block the long-tail identity attack that hits when the kid turns 18 and first applies for credit. Few parents have done this for their kids.
2. Set up a new email account for your kid's social media. Don't use that email address anywhere else.
3. Move 2FA off SMS and onto an authenticator app. If they didn't get contact numbers in this breach, ShinyHunters already had phone numbers from the AT&T breach. A SIM swap takes one social-engineered call. Google Authenticator and other apps are tied to the device, not the number.
4. Pick a family safe word. Make it weird, memorable, specific. Drill them often. Voice and video can be faked now, cheaply and fast.
The word can't be faked unless the attacker is also at our dinner table. We told them AI was cheating at school. They are about to learn what it means to have AI used against them. We owe them a different conversation now.
SANS Institute @SANSInstitute
Coming Friday 🎙️ “Cybersecurity is about protecting trust.” Jitender Arora on leadership & the reality of the role.
SANS Institute @SANSInstitute
One word. That was the ask. Forward-thinking. Opportunity. Community. Humbling. The people who show up to SANS Live Training events are not there for a slide deck. They come because the security field moves faster than any individual can keep up with on their own, and being in a room with instructors and peers who are working the same problems changes something. The words they reach for tend to reflect that. If you have been to a SANS live event, we want your one word. Drop it in the comments. And if you have not joined us yet, find your next event at go.sans.org/T1lJxz
SANS Institute @SANSInstitute
"They had read the global AI standards, they understood the risks, and they still did not know what to do on Monday morning." — Chris Cochran, Field CISO and VP of AI Security, SANS Institute That's exactly the gap the SANS AI Security Maturity Model™ was built to close. Now available.👇 Download now: go.sans.org/PJjMWh Full press release: go.sans.org/eCcyck #AIGovernance #InfoSec
SANS Institute retweeted
Rob T. Lee @robtlee
The @Google Threat Intelligence Group report released today (11 May) identified a cyber crime group with a zero-day almost certainly built with AI: a 2FA bypass in a popular open-source admin tool. (I am not sure whether to be relieved GTIG caught this one or worried about the ones they did not.)

The flaw was not memory corruption or input sanitization. It was a hardcoded trust assumption the developer left in the logic, the kind of dormant semantic gap fuzzers and static analyzers are not built to catch.

We train people to recognize known patterns: known malware, known signatures, known bad behavior. You cannot pattern-match a logic gap that did not exist as a pattern until an AI reasoned its way to it. Defending against this requires humans who can run the same reasoning the attacker's AI did, which means operators who actually understand AI tools, know how to point them at the right data, interpret the output, and action on it.

The @SANSInstitute 2026 Workforce Research Report @jameslyne and I presented at RSAC in March tells us whether those operators exist. 60% of organizations now say their bigger problem is skills, not headcount. That skills-versus-bodies differential was 4 points in 2025. It is 20 points now. 27% report breaches they trace directly to skills gaps. (Workforce report, case studies: sans.org/mlp/2026-evolv…)

The bad news: This is not a "buy more AI" problem. It is a "we do not have the people to operate the AI we already have" problem. Two Fortune 500 companies can buy the same defensive AI tool. One team finds the threat in 10,000 tokens. The other burns 10 million and finds nothing. So defenders end up new to the tools, pointing AI at the wrong data with the wrong prompts, losing the cost war on top of the time war.

The BAD bad news: There is no "AI security workforce" to hire from. It is a job category we are still inventing. The tool is not the bottleneck. The operator is.
Without trained people, the budget burns and the threat still gets through. Train the team you have.
SANS Institute retweeted
Aspen Digital @AspenDigital
Registration is now open for the 2026 Aspen Cyber Summit on November 18! Join the top voices from government, industry, and civil society to help secure our shared digital future. 🎟️ Get your ticket: aspencybersummit.org
SANS Institute @SANSInstitute
Your expertise matters—contribute to SANS Research by taking one of these surveys:
1️⃣ Benchmark your org, share insights, and influence better security for unstructured data risks. go.sans.org/unstructure-da…
2️⃣ Share your insights on threat hunting methodologies, tools, data sources, team structures, and challenges. go.sans.org/FYdrDG
3️⃣ Share your insights on exposure discovery, prioritization, remediation, and automation. go.sans.org/Px3jYq
#ThreatHuntingSurvey #ExposureManagementSurvey #SANSResearch
SANS Institute retweeted
Douglas McKee @fulmetalpackets
CVE-2026-0300 is one of those vulnerabilities where the nuance matters. On paper, this is absolutely a “pay attention now” issue.

Unauthenticated. Network reachable. Buffer overflow. Potential root-level code execution on a firewall. Confirmed exploitation in the wild. CISA KEV. That combination should make every defender sit up a little straighter.

But let me walk through the part that can get lost when we only talk in CVSS scores. This does not mean every Palo Alto Networks firewall on the internet is immediately exploitable. The vulnerable condition depends on the User-ID Authentication Portal (Captive Portal - if that's a new term come take SANS Offensive Operations 660 with me next week in San Diego!) being enabled and exposed to untrusted networks or the public internet. That configuration detail becomes extremely important.

Also, from the research side, public PoC availability does not automatically equal reliable weaponization. I have taken a look at the available PoC, and as of now, it is not a complete “copy, paste, root shell” situation. That said, I would not get comfortable. Once patches land, diffing becomes easier. AI-assisted analysis may accelerate some parts of that workflow. And when a vulnerability has confirmed exploitation, internet-exposed appliances, and delayed patch availability across versions, defenders do not need social media hype to justify action.

The practical guidance is pretty simple:
Check whether User-ID Authentication Portal is enabled.
Check whether it is reachable from untrusted networks like the internet (Captive portals never should be).
Restrict it to trusted internal zones or disable it if it is not required (This is a non-default feature btw).
Prioritize patching as fixed versions become available.

This is not a reason to panic, but it is absolutely a reason to verify exposure today. Critical vulnerabilities do not become less critical because engagement is low.
Sometimes the quiet ones are quiet because exploitation is constrained. Sometimes they are quiet because the right people have not started paying attention yet. Do the boring defensive work now so this does not become exciting later.
SANS Institute @SANSInstitute
Attackers are already running AI. Not testing it. Running it. SANS CEO @jameslyne on BBC Radio Today on why machine-speed defense isn't a future problem. 🎧 bbc.in/4cYbkbP To watch only James, head to 1h 15m
SANS Institute retweeted
@SANS_EDU @SANS_EDU
🥇 National champions. SANS.edu Sentinels finished 1st, 3rd, and 5th in the @NatlCyberLeague Spring 2026 Team Game. That’s how we compete. 🔴
SANS Institute @SANSInstitute
💼 Built for working professionals. @SANS_EDU graduate programs are designed to fit alongside your career, not pause it. Get your questions answered live during our May 12 info session: go.sans.edu/IaQEEk