Archive for SafeBreach

SafeBreach launches AI-driven CTEM to close the execution gap 

Posted in Commentary on April 22, 2026 by itnerd

SafeBreach today announced the launch of its AI-powered Continuous Threat Exposure Management (CTEM) solution. This solution is designed to help organizations move beyond siloed security activities toward a complete, closed-loop CTEM program that continuously identifies, prioritizes, and remediates cyber risk at scale.

As enterprises struggle with challenges like AI-generated threats, tool fatigue, and alert overload, traditional reactive security measures are no longer sufficient. Organizations are increasingly turning to the five-phased CTEM framework developed by Gartner™ as a more proactive way to manage exposures, but this has historically required the manual integration of disparate tools, datasets and processes.

SafeBreach is changing that with a unified solution that operationalizes the full CTEM lifecycle. The solution is grounded in the SafeBreach Exposure Validation Platform, which provides the safe, scalable adversarial exposure validation (AEV) capabilities that underpin the entire CTEM framework. Building on this foundation, the SafeBreach Helm AI Agent unifies the platform’s AEV capabilities with data and insights from a customer’s existing security ecosystem to provide a complete 360-degree CTEM solution that ensures exposures are not only identified but continuously validated and resolved.

SafeBreach Helm accomplishes this with a specialized set of capabilities aligned to each CTEM stage. Users query Helm with simple, conversational prompts to initiate each CTEM phase:

  1. The Scoping Phase: SafeBreach Helm leverages contextual data from Threat Intelligence (TI) tools to identify critical assets, business priorities, and relevant segments of the attack surface.
  2. The Discovery Phase: SafeBreach Helm continuously aggregates and correlates exposure data across internal and external environments, using Vulnerability Management (VM) and External Attack Surface Management (EASM) tools.
  3. The Prioritization Phase: SafeBreach Helm uses asset context from the Discovery phase to precisely highlight the exposures that present the greatest risk, helping users cut through the noise. 
  4. The Validation Phase: SafeBreach Helm utilizes the breach and attack simulation (BAS) of SafeBreach Validate and the attack path validation of SafeBreach Propagate to confirm the exploitability of the highlighted exposures and map realistic attack paths using real-world adversary techniques.
  5. The Mobilization Phase: SafeBreach Helm uses SafeBreach’s AI Remediation technology to translate validated findings into actionable guidance that can be shared with Security Information and Event Management (SIEM); Security Orchestration, Automation, and Response (SOAR); and other workflow management and ticketing tools (including ServiceNow and Jira) to enable teams to remediate risk efficiently and effectively.

Key Offerings of the CTEM by SafeBreach Solution:

  • SafeBreach Helm: The AI CTEM Agent that unifies data from sources including AEV, TI, VM, EASM, SIEM, SOAR, and other workflow management and ticketing tools into a single, intelligent interface for proactive risk management.
  • AEV: The SafeBreach Exposure Validation Platform, which combines SafeBreach Validate to test control effectiveness and SafeBreach Propagate to reveal how adversaries could traverse environments to reach critical assets.
  • AI Remediation: Provides context-aware, AI-driven guidance and integrates with SIEM, SOAR, and ticketing systems to operationalize remediation workflows and accelerate risk reduction.
  • Breach Studio: Advanced capabilities to design custom attack scenarios, including a VS Code extension for environment-specific testing.
  • Exposure Hub (Upcoming): A centralized hub that correlates data from VM, EASM, and other tools to provide comprehensive visibility into the attack surface.

Built for large, distributed environments, the CTEM by SafeBreach solution empowers organizations to evolve from fragmented, reactive security practices to a unified, AI-driven CTEM program—grounded in proven AEV and elevated by SafeBreach Helm—to deliver continuous, measurable risk reduction aligned to real-world attacker behavior.

To learn more about the CTEM by SafeBreach solution or the SafeBreach Helm Agent: 

Read the recent blog about SafeBreach Helm

New PoC Exploit released for telnetd CVE by SafeBreach Labs

Posted in Commentary on January 26, 2026 by itnerd

Happy Monday. You may want to keep an eye on CVE-2026-24061, a critical telnetd authentication bypass flaw that attackers are actively exploiting to gain root access. New research from SafeBreach Labs deepens the story with the first full root cause analysis and proof-of-concept exploit that explains exactly how this vulnerability works, and why it’s highly dangerous and easy to exploit.

The researchers have also released tooling and simulation artifacts that allow organizations to test exposure. 

The full research blog is available here.

SafeBreach releases 2026 State of the Breach Report 

Posted in Commentary on January 14, 2026 by itnerd

SafeBreach has released its 2026 State of the Breach Report, analyzing results from millions of real-world attack simulations conducted by large, global enterprises over a 12-month period using the SafeBreach Exposure Validation Platform.

The report provides never-before-seen insights about how enterprises fared against 2025’s high-profile threats by examining how security controls actually performed under real attack conditions, moving beyond traditional metrics such as alerts generated, patches applied, or tools deployed. Drawing on more than 1.8 million high-fidelity simulations executed throughout 2025, the data shows where modern enterprise defenses are performing well, where threats continue to evade controls, and how outcomes differ across industries, threat actors, and MITRE ATT&CK techniques.

Key findings show that attacks like ransomware were consistently prevented, while stealthy, identity-driven campaigns continue to evade enterprise defenses. The data highlights persistent gaps in credential abuse, post-compromise activity, and lateral movement, with more than 60% of organizations exposing harvestable credentials during testing. The report also finds that industries with integrated, centralized security stacks demonstrate stronger resilience, while fragmented IT/OT and endpoint-heavy environments fail regardless of budget or tool count.

You can read the report here: https://www.safebreach.com/white-papers/safebreach-2026-state-of-the-breach-report/

SafeBreach Analysis: Russian APTs and LummaC2

Posted in Commentary on May 23, 2025 by itnerd

The U.S. government recently issued two critical cybersecurity alerts: AA25-141A and AA25-141B. These alerts highlighted a surge in sophisticated threat activity, from Russian state-sponsored campaigns to the rise of LummaC2 malware. SafeBreach recently published in-depth breakdowns of both alerts, offering insights into the attack chains and how enterprises can validate their defenses against them.

Links to the related blog posts can be found here:

SafeBreach Launches Enhanced MSSP Program for Advanced Security Validation

Posted in Commentary on March 26, 2025 by itnerd

SafeBreach today announced the launch of its enhanced Managed Security Service Provider (MSSP) program, an expanded element of the company’s successful “Elevate” partner initiative that was unveiled in 2024. The new MSSP program is specifically designed to support service providers who host, manage, or resell SafeBreach’s continuous security validation solutions, enabling them to deliver greater value to their clients while accelerating their own business growth.

Following the recent launch of the SafeBreach exposure validation platform in February, this new MSSP program represents the company’s continued commitment to empowering partners with the tools, resources, and support needed to address the evolving cybersecurity challenges that organizations face today.

The enhanced MSSP program builds on the strengths of SafeBreach’s previous partner framework, incorporating industry best practices to enhance growth, scalability, and reliability. The program provides a clear framework for partners to establish consistent client engagement expectations, ensuring successful deployment and ongoing management of SafeBreach’s security validation solutions.

SafeBreach empowers partners to accelerate business growth by expanding their client services portfolio with advanced, continuous security validation. Through scalable and automated simulations, partners can help their clients better understand, detect, and defend against cyber threats.

Key benefits of the enhanced MSSP program include:

  • Comprehensive Solution Portfolio: Partners can offer clients continuous security validation through SafeBreach’s Validate and Propagate solutions, providing a more holistic view of cyber risk
  • Seamless Technology Integration: The SafeBreach ecosystem integrates into existing client technology stacks, giving partners confidence in compatibility and enhancing client satisfaction
  • Accelerated Sales Cycles: By streamlining security vendor evaluations, SafeBreach enables clients to make faster, more informed product decisions
  • Increased Revenue Opportunities: Partners can assess clients’ security postures and offer targeted recommendations, such as optimizing existing licenses or identifying opportunities for new security solutions

With traditional, point-in-time security control validation tactics like penetration testing and red teaming proving insufficient, organizations increasingly need comprehensive and continuous views of security performance combined with prioritized remediation of gaps. The SafeBreach exposure validation platform addresses this need with an innovative combination of breach and attack simulation (BAS) and attack path validation that provides enterprises with deeper insight into threat exposure and a more holistic view of cyber risk.

Through this enhanced MSSP program, SafeBreach partners can now more effectively help their clients combat the ongoing challenges of an evolving threat landscape. “The updates to the SafeBreach MSSP program and strategy build on the strengths of our previous program to position our partners as trusted advisors,” added Wilkinson. “As a result, they can better help their clients select, validate, and implement a comprehensive security validation platform.”

For more information on the Elevate MSSP program, visit https://www.safebreach.com/partners/

SafeBreach Launches the SafeBreach Exposure Validation Platform 

Posted in Commentary on February 5, 2025 by itnerd

SafeBreach, the leader in enterprise security validation, today announced the launch of the SafeBreach exposure validation platform, which combines the power of its time-tested breach and attack simulation (BAS) product—now called Validate—and its new attack path validation product, Propagate. Together, they provide enterprise security teams with deeper insight into threat exposure and a more comprehensive view of cyber risk, a concept most recently described by Gartner® as “adversarial exposure validation.”

According to Gartner, “Adversarial exposure validation technologies offer offensive security technologies simulating threat actor tactics, techniques and procedures to validate the existence of exploitable exposures and test security control effectiveness.”

Attack path validation specifically can play a significant role in combatting the ongoing challenge of cyber attacks—including ransomware and nation-state attacks whose primary goal is to gain a foothold within large organizations and move laterally to steal critical information and assets. Products like SafeBreach Propagate can help enterprises proactively understand these real attack paths and take preemptive action to close them off. However, large enterprises have had legitimate concerns about the inherent risks that some solutions present to their environments.  

Facing increasingly severe cybersecurity incidents, tool fatigue, deployment complexity, and alert overload, enterprise CISOs need a single exposure validation platform that combines multiple critical security capabilities to provide a more holistic view of cyber risk and empower them to make data-driven decisions to manage it.

To address this need, SafeBreach has launched the SafeBreach exposure validation platform, a suite of exposure validation tools that provide end-to-end visibility into the effectiveness of security controls and the potential impact of a successful breach. The platform draws on SafeBreach’s ten-year history working with the world’s most mature enterprise organizations to offer: 

  • Enterprise-Grade Safety: The platform is purpose-built to meet the stringent safety and privacy requirements of large enterprises, enabling comprehensive security testing without impacting customer environments.
  • Predictable Scalability: Regardless of the environment or deployment model, the SafeBreach platform allows clients to get started with a breadth and depth of testing that provides immediate value—then scale up when they are ready. 
  • World-Class Support: The SafeBreach platform is backed by world-renowned threat researchers and an award-winning customer success team who provide a level of service and support not available anywhere else. 

The SafeBreach exposure validation platform enables clients to leverage Validate to identify security gaps, then dig deeper with Propagate to understand what an attacker could accomplish by exploiting them to develop a more comprehensive understanding of cyber risk—all from one convenient management console.

Looking toward the future, SafeBreach plans to continue to develop not only its existing capabilities in Validate and Propagate, but also new capabilities within the SafeBreach exposure validation platform to continue serving the needs of the enterprise market.

Schedule a customized demo here.

New Research: Exploiting Windows Downdate to Revive Critical Kernel Vulnerabilities

Posted in Commentary on October 26, 2024 by itnerd

In August of 2024, SafeBreach Labs security researcher Alon Leviev discovered Windows Downdate, first presented at Black Hat USA 2024 and DEF CON 32 (2024): a tool he developed to take over the Windows Update process and craft custom downgrades of critical OS components, exposing previously fixed vulnerabilities. Using this downgrade ability, he discovered CVE-2024-21302, a privilege escalation vulnerability affecting the entire Windows virtualization stack.

While CVE-2024-21302 was patched because it crossed a defined security boundary, the Windows Update takeover, which was also reported to Microsoft, has remained unpatched because it did not cross a defined security boundary. Alon’s follow-up research exposes a severe flaw in Windows Update that allows the reactivation of the “ItsNotASecurityBoundary” Driver Signature Enforcement (DSE) bypass, permitting the loading of unsigned kernel drivers. This can be exploited to deploy custom rootkits, disable security features, and compromise system integrity.

You can read more here.

SafeBreach Labs to Present Three Pieces of Original Research at Black Hat Asia 2024

Posted in Commentary on April 4, 2024 by itnerd

SafeBreach has announced original research from its SafeBreach Labs team will be featured in three separate sessions at Black Hat Asia 2024. SafeBreach’s Vice President of Security Research Tomer Bar and fellow researchers Or Yair and Shmuel Cohen are set to release a series of high-profile research pieces following a successful year at Black Hat USA 2023 and DEFCON 2023, where the SafeBreach Labs team presented an unprecedented five sessions.

The sessions at Black Hat Asia will include several significant discoveries exploring how endpoint detection and response (EDR) solutions and unfixed, known software issues can be exploited to present a significant security risk to enterprises. Details about the sessions, including dates and times, are included below:

For more information about the sessions and to connect with SafeBreach at Black Hat Asia 2024 on April 16-19, visit www.safebreach.com/events.