I’ve been building a program that started as “I need to stop wasting time on tool output chaos” and turned into something that feels… different.
This is not a scanner. It’s not a SIEM. It’s not “AI security.”
It’s an engine that runs security investigations.
Most security workflows still look like this:
Run tool → stare at output → manually connect dots → rerun different tool → forget what you already tested → repeat
This program tries to turn that into:
Run tool → interpret signals → decide what matters → pick the next action → keep escalating until the lead is either proven or dead
So instead of “here are 900 findings,” the output is closer to:
• what was tested
• why it was tested
• what changed the investigation’s direction
• what got confirmed vs ruled out
• what the next step would be if you kept going
The part that makes this unusual
I hit the wall where security automation always becomes a dumpster fire: scripts calling scripts calling scripts, YAML pipelines that grow teeth, glue code everywhere, no real structure, no replayability.
So I did something that sounds insane:
I built a purpose-built programming language inside it.
Not because I wanted “my own language,” but because security workflows need a way to be expressed as real programs: repeatable, constrained, auditable, and not dependent on a human remembering the next step.
The language exists for one reason: security automation should not collapse into spaghetti.
What I need help with
I’m not posting the full repo publicly yet, but I do want real critique from people who’ve built:
• orchestration engines
• DSLs / interpreters
• security automation frameworks
• pipelines with state, decision-making, and evidence trails
Please let me know if you’re interested in reviewing.
The French data protection regulator, CNIL, today issued a collective €42 million ($48.9 million) fine to two French telecom companies for GDPR violations stemming from a data breach.…
Researchers at Group-IB say the DeadLock ransomware operation is using blockchain-based anti-detection methods to evade defenders' attempts to analyze their tradecraft.…
Two hospitals in Belgium have cancelled surgeries and transferred critical patients to other facilities after shutting down servers following a cyberattack.…
Eurail has confirmed customer information was stolen in a data breach, according to notification emails sent out this week.…
The UK government has backed down from making digital ID mandatory for proof of a right to work in the country, adding to confusion over the scheme's cost and purpose.…
Spanish energy giant Endesa is warning customers about a data breach after a cybercrim claimed to have walked off with a vast cache of personal information allegedly tied to more than 20 million people.…
The Python Software Foundation (PSF) has an extra $1.5 million heading its way, after AI upstart Anthropic entered into a partnership aimed at improving security in the Python ecosystem.…
Microsoft today issued patches to plug at least 113 security holes in its various Windows operating systems and supported software. Eight of the vulnerabilities earned Microsoft’s most-dire “critical” rating, and the company warns that attackers are already exploiting one of the bugs fixed today.

January’s Microsoft zero-day flaw — CVE-2026-20805 — is brought to us by a flaw in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a user’s screen. Kev Breen, senior director of cyber threat research at Immersive, said despite awarding CVE-2026-20805 a middling CVSS score of 5.5, Microsoft has confirmed its active exploitation in the wild, indicating that threat actors are already leveraging this flaw against organizations.
Breen said vulnerabilities of this kind are commonly used to undermine Address Space Layout Randomization (ASLR), a core operating system security control designed to protect against buffer overflows and other memory-manipulation exploits.
“By revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack,” Breen said. “Microsoft has not disclosed which additional components may be involved in such an exploit chain, significantly limiting defenders’ ability to proactively threat hunt for related activity. As a result, rapid patching currently remains the only effective mitigation.”
Chris Goettl, vice president of product management at Ivanti, observed that CVE-2026-20805 affects all currently supported and extended security update supported versions of the Windows OS. Goettl said it would be a mistake to dismiss the severity of this flaw based on its “Important” rating and relatively low CVSS score.
“A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned,” he said.
Among the critical flaws patched this month are two Microsoft Office remote code execution bugs (CVE-2026-20952 and CVE-2026-20953) that can be triggered just by viewing a booby-trapped message in the Preview Pane.
Our October 2025 Patch Tuesday “End of 10” roundup noted that Microsoft had removed a modem driver from all versions after it was discovered that hackers were abusing a vulnerability in it to hack into systems. Adam Barnett at Rapid7 said Microsoft today removed another couple of modem drivers from Windows for a broadly similar reason: Microsoft is aware of functional exploit code for an elevation of privilege vulnerability in a very similar modem driver, tracked as CVE-2023-31096.
“That’s not a typo; this vulnerability was originally published via MITRE over two years ago, along with a credible public writeup by the original researcher,” Barnett said. “Today’s Windows patches remove agrsm64.sys and agrsm.sys. All three modem drivers were originally developed by the same now-defunct third party, and have been included in Windows for decades. These driver removals will pass unnoticed for most people, but you might find active modems still in a few contexts, including some industrial control systems.”
According to Barnett, two questions remain: How many more legacy modem drivers are still present on a fully-patched Windows asset; and how many more elevation-to-SYSTEM vulnerabilities will emerge from them before Microsoft cuts off attackers who have been enjoying “living off the land[line] by exploiting an entire class of dusty old device drivers?”
“Although Microsoft doesn’t claim evidence of exploitation for CVE-2023-31096, the relevant 2023 write-up and the 2025 removal of the other Agere modem driver have provided two strong signals for anyone looking for Windows exploits in the meantime,” Barnett said. “In case you were wondering, there is no need to have a modem connected; the mere presence of the driver is enough to render an asset vulnerable.”
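Barnett’s point is that the driver only has to be present, not in use. The following is an added example (not from the article or from any of the quoted vendors) that reports whether the two driver files named above are still on a host, either on disk or registered as a kernel driver service; it assumes the default Windows layout and is meant to be run in an elevated PowerShell session.

```powershell
# Added example (not from the article): report whether the legacy Agere modem
# drivers named in the article are still present on this host.
function Get-LegacyModemDriverStatus {
    # File names quoted in the article. The third driver removed in October 2025
    # is not named there, so only these two are checked.
    $driverFiles = @('agrsm64.sys', 'agrsm.sys')
    $driverDir   = Join-Path $env:SystemRoot 'System32\drivers'

    # On-disk presence in the default driver directory.
    $files = foreach ($name in $driverFiles) {
        $item = Get-Item -Path (Join-Path $driverDir $name) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Driver   = $name
            Present  = [bool]$item
            Path     = if ($item) { $item.FullName } else { $null }
            Modified = if ($item) { $item.LastWriteTime } else { $null }
        }
    }

    # Registered kernel driver services whose image is one of the files above,
    # in case the binary lives outside the default directory. PathName may be
    # written as C:\..., \SystemRoot\... or \??\C:\..., so compare on the leaf only.
    $services = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object {
        $leaf = if ($_.PathName) { ($_.PathName -split '[\\/]')[-1] } else { '' }
        $driverFiles -contains $leaf
    } | Select-Object Name, State, StartMode, PathName

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Files          = $files
        Services       = $services
        # Per Barnett, mere presence of the driver is enough to be exposed.
        ExposedToCVE_2023_31096 = (($files | Where-Object Present).Count -gt 0) -or ($services.Count -gt 0)
    }
}

$status = Get-LegacyModemDriverStatus
$status.Files | Format-Table -AutoSize
$status.Services | Format-Table -AutoSize
"Exposed: $($status.ExposedToCVE_2023_31096)"
```

After installing this month’s updates the files should be gone; a `True` result on a patched host is worth a closer look.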
Immersive, Ivanti and Rapid7 all called attention to CVE-2026-21265, which is a critical Security Feature Bypass vulnerability affecting Windows Secure Boot. This security feature is designed to protect against threats like rootkits and bootkits, and it relies on a set of certificates that are set to expire in June 2026 and October 2026. Once these 2011 certificates expire, Windows devices that do not have the new 2023 certificates can no longer receive Secure Boot security fixes.
Barnett cautioned that when updating the bootloader and BIOS, it is essential to prepare fully ahead of time for the specific OS and BIOS combination you’re working with, since incorrect remediation steps can lead to an unbootable system.
“Fifteen years is a very long time indeed in information security, but the clock is running out on the Microsoft root certificates which have been signing essentially everything in the Secure Boot ecosystem since the days of Stuxnet,” Barnett said. “Microsoft issued replacement certificates back in 2023, alongside CVE-2023-24932 which covered relevant Windows patches as well as subsequent steps to remediate the Secure Boot bypass exploited by the BlackLotus bootkit.”
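Since the article only says that devices without the 2023 certificates will stop receiving Secure Boot fixes, a defender’s first question is which certificates a given machine actually carries. The following is an added example (not from the article or from Microsoft) that reads the UEFI KEK and db variables and reports, for each 2011 Microsoft certificate, whether its 2023 replacement is present; the certificate names are taken from Microsoft’s published guidance for CVE-2023-24932, not from this article, and the script assumes an elevated session on a UEFI system with Secure Boot enabled.

```powershell
# Added example (not from the article): inventory the Microsoft Secure Boot
# certificates present in this machine's KEK and db.
function Get-SecureBootCertStatus {
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        throw 'Secure Boot cmdlets are unavailable (legacy BIOS or unsupported platform).'
    }
    if (-not $enabled) { throw 'Secure Boot is present but not enabled.' }

    # 2011 certificate -> its 2023 replacement, and the UEFI variable each lives in.
    # Names per Microsoft's CVE-2023-24932 guidance (assumption: not stated in the article).
    $expected = @(
        [pscustomobject]@{ Variable = 'KEK'; Old = 'Microsoft Corporation KEK CA 2011';     New = 'Microsoft Corporation KEK 2K CA 2023' }
        [pscustomobject]@{ Variable = 'db';  Old = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' }
        [pscustomobject]@{ Variable = 'db';  Old = 'Microsoft Corporation UEFI CA 2011';    New = 'Microsoft UEFI CA 2023' }
    )

    # Read each variable once. Subject CNs sit as plain ASCII inside the
    # DER-encoded certificates, so a substring match on the decoded bytes works.
    $contents = @{}
    foreach ($var in ($expected.Variable | Select-Object -Unique)) {
        $bytes = (Get-SecureBootUEFI -Name $var).Bytes
        $contents[$var] = [System.Text.Encoding]::ASCII.GetString($bytes)
    }

    foreach ($pair in $expected) {
        $text = $contents[$pair.Variable]
        [pscustomobject]@{
            Variable   = $pair.Variable
            OldCert    = $pair.Old
            OldPresent = $text.Contains($pair.Old)
            NewCert    = $pair.New
            NewPresent = $text.Contains($pair.New)
            # Ready means the 2023 replacement is already trusted by firmware.
            Ready      = $text.Contains($pair.New)
        }
    }
}

Get-SecureBootCertStatus | Format-Table -AutoSize
```

A row with `OldPresent` true and `NewPresent` false identifies a device that will lose Secure Boot servicing when that 2011 certificate expires; the db contents alone do not tell you whether the boot manager itself has been switched to the 2023-signed one.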
Goettl noted that Mozilla has released updates for Firefox and Firefox ESR resolving a total of 34 vulnerabilities, two of which are suspected to be exploited (CVE-2026-0891 and CVE-2026-0892). Both are resolved in Firefox 147 (MFSA2026-01) and CVE-2026-0891 is resolved in Firefox ESR 140.7 (MFSA2026-03).
“Expect Google Chrome and Microsoft Edge updates this week in addition to a high severity vulnerability in Chrome WebView that was resolved in the January 6 Chrome update (CVE-2026-0628),” Goettl said.
As ever, the SANS Internet Storm Center has a per-patch breakdown by severity and urgency. Windows admins should keep an eye on askwoody.com for any news about patches that don’t quite play nice with everything. If you experience any issues related to installing January’s patches, please drop a line in the comments below.
Microsoft and Uncle Sam have warned that a Windows bug disclosed today is already under attack.…
Vulnerabilities in popular AI and ML Python libraries used in Hugging Face models with tens of millions of downloads allow remote attackers to hide malicious code in metadata. The code then executes automatically when a file containing the poisoned metadata is loaded.…

McAfee has once again earned the highest possible AAA rating from SE Labs, marking the 29th consecutive time our consumer protection has received this top-tier recognition.
In SE Labs’ latest Q4 Home Anti-Malware Test, McAfee Total Protection achieved 100% protection with zero false positives, reinforcing a streak that has remained unbroken since December 2018.

SE Labs is an independent, UK-based security testing organization known for evaluating products against real-world threats, not just controlled lab samples. Its test results are therefore referenced and trusted by journalists and product reviewers alike.
Their Home Anti-Malware tests simulate the types of attacks people actually face, including:
To earn an AAA rating, products must demonstrate:
For people choosing security software, independent testing helps answer a simple question: Does this protection actually work when it matters? SE Labs’ results show that McAfee continues to block threats accurately, without over-flagging safe activity.
Independent recognition like this reinforces McAfee’s ongoing commitment to consumer-first security that is tested, proven, and trusted over time.
Learn more about McAfee’s core protection plans and how we can help keep you safe online. And find the full SE Labs report here.
The post McAfee Earns 29th Consecutive AAA Rating From SE Labs appeared first on McAfee Blog.
AI-pocalypse AI and automation could wipe out 6.1 percent of jobs in the US by 2030 – equating to 10.4 million fewer positions that are held by humans today.…
Dutch police believe they have arrested a man behind the AVCheck online platform - a service used by cybercrims that Operation Endgame shuttered in May.…