Guide to scale ready code security with event driven scans unified data and API first design for large teams seeking strong growth aligned control.

Choosing a security platform is more than just a feature-for-feature comparison. As organisations grow, the underlying architecture of their security tools becomes critically important. A solution that works for ten developers can quickly buckle under the weight of a hundred, leading to slow scans, missed alerts, and frustrated engineering teams. This is a common challenge for teams considering Cycode alternatives, as they seek solutions that can not only meet their immediate needs but also scale with their ambitions.

To successfully implement a code security platform at scale, you need more than just a good tool; you need the right architectural patterns. These patterns ensure that your security processes are decentralised, automated, and seamlessly integrated, allowing you to secure thousands of repositories and pipelines without creating a central bottleneck. This isn’t just about swapping out one tool for another; it’s about building a scalable blueprint for DevSecOps.

This guide explores the key architecture patterns that enable code security platforms to thrive at scale, providing a framework for evaluating and implementing a solution that will grow with you.

****Pattern 1: Decentralised, Event-Driven Scanning****

In a small organisation, it might be feasible to have a central security team manage scanning configurations and triage alerts. At scale, this model collapses. The “security as a service” model, where a central team is a gatekeeper, becomes a bottleneck that slows down development. A scalable architecture flips this model on its head.

**The Blueprint:** Instead of a centralised, polling-based system, a scalable architecture uses a decentralised, event-driven approach. This means security scanning is initiated by events happening within the development lifecycle itself.

*   **Event Triggers:** Scans are not run on a fixed schedule by a central server. Instead, they are triggered by webhooks from your Source Code Management (SCM) tool (like GitHub, GitLab, or Bitbucket). A git push to a new branch, a new pull request, or a merge to the main branch all become events that trigger targeted security scans.

*   **Ephemeral Runners:** When an event occurs, the CI/CD system spins up an ephemeral, or short-lived, runner to execute the scan. This containerised environment pulls the relevant code, runs the security analysis (SAST, SCA, IaC scanning), and then spins down. This is highly scalable, as you can run hundreds or thousands of scans in parallel without managing a fleet of dedicated scanning servers. For additional insight into microservices-based scalability, see Google Cloud’s guide to event-driven architecture. The CNCF’s guide on cloud native principles provides great context for why this ephemeral, microservices-based approach is so resilient. You can also explore Microsoft’s documentation on distributed event-driven architecture.

*   **Configuration as Code:** Scan configurations, policies, and rules are not managed through a central UI. Instead, they are defined in a simple configuration file (e.g., a YAML file) that lives inside each repository. This empowers individual teams to manage their own security settings within the context of their application, a concept often referred to as “Policy as Code.”

**Why It Scales:** This pattern removes the central security team as a bottleneck. It distributes the workload across your existing CI infrastructure and empowers development teams with the autonomy to manage their own security context, making the entire process faster and more efficient.

****Pattern 2: The Unified Data Model and “Single Pane of Glass”****

One of the biggest challenges with scaling security is tool sprawl. Teams often end up with one tool for SAST, another for SCA, a third for secrets detection, and a fourth for IaC scanning. This creates data silos. The alerts from these disparate tools lack context, making it impossible to prioritise effectively.

**The Blueprint:** A scalable architecture relies on a platform that can ingest findings from various security scanners into a unified data model. Whether you’re using an all-in-one solution or integrating best-of-breed scanners, the goal is to have a single place where all security data is normalised, deduplicated, and correlated.

*   **Normalisation:** The platform should translate alerts from different tools into a standard format. A “critical” vulnerability from your SAST scanner should be comparable to a “critical” one from your SCA tool.

*   **Deduplication:** A good system will recognise when the same vulnerability is found in multiple branches or by different scan types, presenting it as a single, persistent issue rather than a flood of duplicate alerts.

*   **Correlation:** The true power comes from correlating data. For example, the platform can link a vulnerability in an open-source library (SCA finding) to the specific lines of code in your repository that use it (SAST context). This tells you if the vulnerability is actually reachable and exploitable, allowing you to prioritise real risks over theoretical ones.

For deeper perspectives on the value of unified security data management and prioritisation, see Google’s commentary on unified security data lakes and SANS’s guide to vulnerability management prioritisation.

**Why It Scales:** A unified data model turns noise into signal. At scale, you will be dealing with tens of thousands of potential security findings. Without a way to prioritise, your teams will be paralysed by alert fatigue. A “single pane of glass” that provides this rich context is essential for focusing remediation efforts on the issues that matter most.

****Pattern 3: The API-First, Hub-and-Spoke Integration Model****

A scalable security platform doesn’t try to be everything to everyone. It acknowledges that it is one part of a larger, complex toolchain. An architecture built for scale is designed to integrate, not dictate.

**The Blueprint:** The platform should be built with an API-first philosophy. Every feature available in the UI should also be accessible via a well-documented REST API. This allows you to treat the security platform as a central “hub” that connects to other tools in a “hub-and-spoke” model. For an in-depth look at API-first design principles and their benefits in building extensible systems, see the Google Cloud API Design Guide. Additionally, organisations adopting integrated DevSecOps workflows may benefit from the guidance offered in the OpenAPI Initiative documentation, which supports API standardisation in complex environments.

*   **Source of Truth:** The security platform acts as the central source of truth for all security findings.

*   **CI/CD Spoke:** Your CI/CD pipeline (the spoke) communicates with the hub via API to trigger scans and retrieve results.

*   **Ticketing Spoke:** The hub integrates with ticketing systems like Jira or Azure DevOps. When a high-priority vulnerability is found, the platform’s API can automatically create a ticket, assign it to the right team, and populate it with all the necessary context.

*   **Notification Spoke:** The hub connects to Slack or Microsoft Teams to send targeted, actionable notifications to the developers responsible for the code.

*   **Business Intelligence Spoke:** The API allows you to pull data into BI tools like Tableau or Power BI to create custom dashboards and reports for leadership, tracking metrics like Mean Time to Remediate (MTTR). For more on key DevSecOps metrics, GitLab’s DevSecOps survey often has valuable insights.

**Why It Scales:** An API-first, hub-and-spoke model makes the security platform incredibly flexible and extensible. It allows you to embed security information into the tools your teams already use, creating a seamless and automated workflow that can adapt as your organisation’s toolchain evolves.

When evaluating alternatives to any security platform, look beyond the feature list. Examine the underlying architecture. A solution built on decentralised scanning, a unified data model, and API-first principles won’t just solve today’s problems; it will provide a robust foundation for a secure and scalable development lifecycle for years to come.

(Photo by Wesley Ford on Unsplash)

Architecture Patterns That Enable Cycode alternatives at Scale

Smarter SOC performance with faster triage, proactive defence, and a unified stack powered by instant alert context from ANY.RUN to cut MTTD and MTTR.

_Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research._

Speeding up the workflow in a **SOC** team is rarely just a matter of time management or additional staffing. To improve metrics like mean-time-to-detect (MTTR) and mean-time-to-response (MTTR), it’s often more important to step back, notice gaps in current processes, and close them with purpose-built solutions.

Below are three key steps to take as a CISO on the way to better SOC performance.

****Solution 1 – Providing context to alerts********Why it matters:****

Slow incident response isn’t usually caused by a lack of expertise on _how_ to respond to alerts. It’s more about wasting time on figuring out _why_ an alert occurred in the first place by consulting multiple sources and enriching indicators manually.

And even after this daunting investigation for each incident, there’s not always a complete context for analysts to make judgment calls based on.

Not knowing which alerts matter most might lead to a longer response cycle, burnout across tiers, and inconsistent decision-making. That’s why it’s important to provide access to high-fidelity threat context: malware behaviour, network IOCs, and related attacks. Clarity is the way to better prioritisation and a reduction in MTTR.

****Best way to implement:****

Use solutions that provide context to alerts instantly, without disruptions to investigation workflow. ANY.RUN’s **Threat Intelligence Lookup** draws on one of the world’s largest ecosystems of malware data accumulated by more than half a million analysts and 15,000+ SOC teams.

TI Lookup in action: delivering a verdict and threat context for a URL

Eliminating time-consuming manual enrichment not only creates room for faster triage but also helps prevent alert fatigue in teams. Analysts get immediate, high-confidence answers: IPs, domains, URLs, and other indicators get quick verdicts and threat context, from network activity and malware classification to relationships and related IOCs.

The result is faster triage, less alert fatigue, and a lower risk of missing critical signals.

**Cut MTTD & MTTR with instant alert context enrichment**

**Request a trial for TI Lookup**

****Solution 2 – Establishing a proactive defence********Why it matters:****

Given the unprecedented speed of malware evolution, a SOC team that only does reactive response is always one step behind. Detection rules require constant updates with fresh indicators. The only way to achieve a robust defence system in these conditions is to promote early detection and research.

Proactive defence gives analysts the advantages of pre-incident visibility, shifting the workflow from “respond to incidents only” to “prevent incidents altogether” mode. By doing research, gathering information on the latest threats, attacks, and campaigns active across industries, teams catch threats earlier in the kill chain. This reduces their dwell time and maintains focus on real risks.

****Best way to implement:** **

Equip your SOC team with intelligence that turns context into actionable insights. Threat Intelligence Lookup by ANY.RUN can be used for threat hunting, helping analysts gain an immediate, behaviour-based understanding of any artefact.

Data provided by TI Lookup for Agent Tesla threats researched in Germany

With over 40 parameters that cover all analysts’ needs, it’s never been easier to browse data collected by a global expert community of 15K teams all over the world. Analysts can uncover hidden threats quickly and validate suspicious activity in seconds. 

Using TI Lookup for threat hunting enables earlier detection and a consistently proactive security posture.

****Solution 3 – Unifying and automating the tech stack********Why it matters:****

A fragmented tech stack is never intentional. It’s a result of a long process of accumulating solutions over time. Each tool solves a specific problem, but the lack of integration between them causes friction: fractured visibility, duplicated work, and manual data transfer. As a result, the investigations get staggered.

A well-integrated ecosystem reinforced by automation brings everything together. It ties together indicators and context, alerts and responses. Ultimately, it speeds up the analysis flow, strengthens threat hunting, and facilitates an efficient use of resources.

Connect ANY.RUN’s solutions with your stack for unified security

Best way to implement:

Choose solutions designed for frictionless workflows and interoperability. A unified system works better than a collection of disconnected components: “The whole is greater than the sum of its parts”.

Threat Intelligence Lookup fits into this approach in two ways:

*   **Integrations support:** From ready-to-use connectors to custom integrations, they drive an automated, fast workflow, making it easier to embed high-quality intelligence into existing SOC processes without disruption.
*   **Native connection to malware sandbox:** Every TI Lookup’s indicator is linked to tied to a real-life investigation done in **ANY.RUN’s Interactive Sandbox**. Analysts get one-click access to deeper visibility.

****Conclusion****

Fast and efficient SOC is about smarter workflows and decisions powered by quality threat intelligence. Rich alert context, proactive hunting, and refined tech stack lead to lower MTTR and better prevention of incidents.

Fixing a Slow SOC: Top 3 Solutions that Actually Work

Koi Security exposes ShadyPanda, a group that used trusted Chrome/Edge extensions to infect 4.3 million users over 7 years for deep surveillance and corporate espionage.

Cybersecurity researchers at Koi Security have exposed a massive espionage operation by a group named ShadyPanda that infected over 4.3 million Chrome and Microsoft Edge browser users over approximately seven years. The attackers used a highly patient and sneaky tactic: they uploaded normal-looking extensions, gained user trust, and then quietly converted them into dangerous spyware.

The investigation found two major operations, including a 300,000-user remote code execution (RCE) backdoor using extensions like Clean Master and a separate 4-million-user spyware campaign led by extensions such as WeTab.

****The Evolution of Deception****

ShadyPanda’s success relied on exploiting trust over time, beginning with simple cybercrime. In 2023, the group ran its first large campaign using 145 extensions (disguised as wallpaper or productivity apps) under names like ‘nuggetsno15’ and ‘Zhang’ to conduct affiliate fraud.

They added tracking codes to links for sites like eBay and Amazon, generating hidden commissions. In 2024, they grew bolder, moving to actively control the browser, redirecting searches through a known hijacker called trovi.com and stealing real-time search data. To avoid detection, the malware would also switch to benign behaviour if a security researcher opened the browser’s developer tools.

****The Two Major Active Threats****

**Threat 1: The RCE Backdoor Attack (300,000 Users)**

This operation employed the “long game” by exploiting extensions that had operated legitimately for years. Some, like Clean Master (with over 300,000 installs), had even earned Google’s “Featured” and “Verified” statuses. Then, in mid-2024, a silent update transformed them. This meant the automatic update feature, designed for user security, became an easy attack vector for the malware without anyone noticing.

These updated extensions effectively became a backdoor using Remote Code Execution (RCE), allowing the attacker to run any program remotely on an infected computer. The extensions checked an outside server hourly for new commands. This enabled ShadyPanda to monitor nearly everything, from every website you visited to collecting a complete “fingerprint” of your browser, Koi Security’s blog post explains.

Source: Koi Security

**Threat 2: The Spyware Empire (4 Million Users)**

A separate, massive operation involved five other extensions, including WeTab (with three million installs alone), that actively collected data. This included every URL visited, all search queries, and even mouse clicks, with the data being sent to servers in China.

Source: Koi Security

The threat isn’t just limited to individual users. For companies, an infected computer could lead to stolen API keys and compromised internal systems.

This long-running attack exposed a critical weakness: official marketplaces focus too heavily on the initial submission of an extension rather than monitoring its behaviour later. This allowed ShadyPanda to patiently build a massive user base before launching the strike.

The key takeaway is that trust itself proved to be the biggest vulnerability. Users must be cautious of the extensions they install, even those with high ratings, to prevent the next silent attack.

Cybersecurity experts commented on the significance of the ShadyPanda operation, emphasising its risk to businesses. Randolph Barr, Chief Information Security Officer at Cequence Security, highlighted the strategic nature of the attackers.

“The most recent acts of ShadyPanda reveal that they are part of one of the most advanced and long-running browser supply chain efforts we’ve seen. Not only are the technical aspects important, but so is the patience,” said Barr.

He noted how the group leveraged trust, stating, “ShadyPanda demonstrated their commitment to long-term strategies by releasing clean extensions that garnered hundreds of thousands of installs, earning Google’s ‘Featured’ and ‘Verified’ trust badges, and leveraging these badges through consistent updates years later.”

Diane Downie, Senior Software Architect at Black Duck, focused on the difficulty of detection and the need for stricter security: “Malicious code poses a real challenge since it closely resembles legitimate code, leveraging the same convenience features but with bad intent… The ShadyPanda incident shows just how far those bad actors are willing to go.”

She advised organisations to adopt a tougher stance: “As this level of sophistication fast becomes the new normal, organisations need to take a serious zero-trust posture with their systems.”

Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, pointed out a flaw in standard security practices: “ShadyPanda learned that Chrome’s review process, like most enterprise security teams, are focused on initial submissions… and not ongoing behaviour after initial approval.”

He concluded that modern attackers are strategic and patient: “The scariest ones play the long game… requiring continuous vigilance to detect and defend against.”

7 Year Long ShadyPanda Attack Spied on 4.3M Chrome and Edge Users

Everest ransomware group claims it breached ASUS, stealing over 1TB of data including camera source code. ASUS has been given 21 hours to respond via Qtox.

A new claim by the **Everest** ransomware group suggests that ASUS, one of the world’s largest hardware and electronics companies, has been compromised. According to a post on the group’s dark web leak site, they are in possession of more than 1TB of stolen data, which they say includes camera source code.

In this case, “Camera Source Code” likely refers to proprietary firmware or software used in ASUS devices with built-in cameras, such as laptops or smartphones. This could include low-level control code for camera modules, internal drivers, or even entire applications tied to image processing or device integration.

Everest Ransomware claiming ASUS breach (Image credit: Hackread.com)

The group is demanding that **ASUS** contact them through Qtox, an encrypted messaging platform, and has given the company a 21-hour deadline to respond. No ransom amount has been made public, and there’s no clear indication yet of the specific contents or sensitivity of the alleged data.

This claim adds to a series of recent announcements by Everest, which in the past two weeks alone have claimed responsibility for attacks on high-profile organisations, including **Under Armour**, Brazil’s **Petrobras**, and Spain’s **Iberia airline**. Those incidents involved user data, internal documentation, and what the group described as full network access.

ASUS has not yet confirmed or denied the breach. Hackread.com has reached out to the company for comment and will update this story as more details become available.

ASUS, a company known globally for its PCs, motherboards, and consumer electronics, has been targeted before by threat actors. In 2019, the company confirmed that attackers had compromised its Live Update utility in what later became known as **ShadowHammer**, an attack believed to be state-backed.

If this new claim proves credible, it would be the second significant compromise of ASUS’s infrastructure in recent years. Until there is confirmation or denial from the company, the scope of the incident remains unverified.

Hackread.com will continue monitoring the situation for updates.

Everest Ransomware Claims ASUS Breach and 1TB Data Theft

North Korean hackers escalated the "Contagious Interview" attack, flooding the npm registry with over 200 malicious packages to install OtterCookie malware. This attack targets blockchain and Web3 developers through fake job interviews and coding tests.

A security alert has been issued by software security firm Socket, revealing that North Korean threat actors have dramatically escalated their ongoing Contagious Interview attack. They are now flooding the popular software platform npm registry, where JavaScript developers share and download code, with nearly 200 new malicious packages since October 10, 2025. The attack targets blockchain and Web3 developers through fake job interviews and “test assignments,” Socket’s investigation found.

Further probing revealed that these new malicious packages have already been downloaded over 31,000 times, and are designed to secretly install the dangerous OtterCookie malware.

****Connecting to Past Attacks****

This campaign follows earlier Contagious Interview attacks covered by Hackread.com, including a 2024 report on the campaign (also called Eager Crypto Beavers) where the Lazarus Group used fake job offers and malicious video conferencing apps (like FCCCall) to distribute the BeaverTail malware.

In April 2025, Silent Push also linked this campaign to the Lazarus Group, detailing their use of AI-generated employee images and fake companies (BlockNovas LLC) to lure job seekers. Cisco Talos later found evidence that BeaverTail has merged its functions with OtterCookie. Socket’s discovery confirms the attackers are continuing this campaign, deploying the same malware family.

****The Triple Threat: GitHub, Vercel, and Malware****

According to Socket’s blog post, the attackers use a clever, multi-part system to deliver their malware. First, they disguise malicious code packages (like tailwind-magic, node-tailwind, and react-modal-select) on the npm registry, appearing like harmless utility tools. When a victim installs a fake package, it secretly reaches out to a temporary online storage spot on Vercel (tracked as tetrismicvercelapp) to launch the next part of the attack.

This Vercel site then fetches the final, malicious code from a hidden account on GitHub (specifically, one tracked as stardev0914, which had 18 repositories and has since been removed). The infrastructure relies on a separate server (tracked by the IP address 144.172.104.117) to handle data collection once a machine is compromised.

It is worth noting that attackers use fake projects, including a cloned version of a crypto-themed website, as lures to make the malicious packages seem legitimate.

Contagious Interview attack chain (Source: Socket)

****How the Malware Steals Your Secrets****

OtterCookie (a variant of BeaverTail) is designed to steal a massive amount of personal data. Right after infecting the victim’s computer, it first checks if it’s being analysed by security experts and, if everything looks clear, it connects back to the hackers’ server.

This connection gives the attackers what the report calls a “remote shell,” basically letting them take control of the infected machine from afar. The multi-feature malware then starts its job, including continuously stealing anything copied to the clipboard, keylogging, capturing screenshots, and scanning for valuable documents. It also hunts for browser credentials and cryptocurrency wallet data across Windows, macOS, and Linux computers.

“This sustained tempo makes Contagious Interview one of the most prolific campaigns exploiting npm,” Socket’s Threat Research Team concluded.

****Expert Take:****

Security experts, who reviewed Socket’s research, shared their comments exclusively with Hackread.com, emphasising how organised and persistent this North Korean operation is.

Collin Hogue-Spears, Senior Director of Solution Management at Black Duck, noted that the campaign is highly structured and professional. He stated, “Contagious Interview is an industrialised software supply chain campaign, not a one-off backdoor.”

He highlighted how the hackers use GitHub for source control, Vercel for payload staging, npm for distribution, and a separate C2 tier for exfiltration, showing the modular nature of the attack. Hogue-Spears warned that a malicious ‘take-home test’ can give attackers “the access that an insider would have, without ever appearing on your payroll.”

Randolph Barr, Chief Information Security Officer at Cequence Security, echoed this sentiment, pointing out that the attackers are imitating legitimate development teams. He observed, “It seems just like a simplified software development lifecycle, but for malware instead of product features.” He stressed that these attackers “can send out malicious updates on a large scale with relatively little trouble” by using open developer systems.

Jason Soroko, Senior Fellow at Sectigo, supported this comparison, saying the term “simplified software development lifecycle for malware is accurate in spirit.” He noted that the operators prioritise patterns that “maximise agility and survivability,” such as separating delivery from the payload and rapidly cloning the same core malware into many lures.

NK Hackers Push 200 Malicious npm Packages with OtterCookie Malware

Bethesda, USA / Maryland, 2nd December 2025, CyberNewsWire

**Bethesda, USA / Maryland, December 2nd, 2025, CyberNewsWire**

While most cybersecurity companies pour resources into AI models, massive compute, hoovering up all the data, and enhanced analytics to detect and prevent threats, Frenetik, a Maryland cyber startup, is betting on something simpler: making sure attackers don’t know what defenders know.

The company emerged today with a fundamentally different approach using novel cyber deception and a newly issued U.S. patent to back it.

> “The industry has turned cybersecurity into a compute and analysis war,” said founder Hans Ismirnioglou. “Bigger models, more data, faster analysis. But you can’t out-compute or out-analyze an adversary forever. We’re not trying to. We’re exploiting information asymmetry.”

Traditional deception tools deploy fake systems, wait for attackers to find them, and hope they interact. Frenetik’s patented “Deception In-Use” technology (U.S. Patent 12,463,981 – “Systems and Methods for Counter-Reconnaissance in Cloud Infrastructure to Disrupt Adversarial Targeting”) takes a different path: it continuously rotates actually used identities and resources across Microsoft Entra (M365), AWS, Google Cloud, and on-premises environments. The critical details of who changed, what changed, when, where, and how travel through out-of-band channels accessible only to trusted parties.

> Defenders stay informed. Attackers work from stale intelligence. “Adversaries, especially AI-driven ones, build models based on reconnaissance. They assume the environment they mapped earlier is the environment they’ll exploit today,” Ismirnioglou explained. “We break that assumption without needing a bigger GPU cluster by simply depriving them of easily discoverable information.”

Users can think of it as musical chairs for hackers: by the time they figure out where to sit, everything has moved—and only defenders know which chairs are real and which have become traps.

The technology transforms existing deception tools from passive traps into active ones. When Frenetik rotates real resources, attackers following stale intelligence get funneled straight into honeypots and decoys, supercharging interaction rates with classic deception elements that previously only hoped to look real. Unlike solutions requiring extensive tuning or analyst oversight, Frenetik works because attackers simply lack the information needed to know the difference.

> “I want the adversary to have to continuously put a dedicated body onto every target they go after – no more free lunches or easy days for America’s adversaries,” says Ismirnioglou.

**About Frenetik**

Frenetik, a Maryland-based cybersecurity startup, just emerged from stealth with a new approach: instead of flooding defenders with more data, it starves attackers of the information they need to move. Focused on measurable security outcomes, and pricing transparency, Frenetik is built to tip the balance of power by denying adversaries trustworthy insight into targeted environments. Frenetik offers a free community version at www.frenetik.us.

**Contact**

**Founder**  
**Hans Ismirnioglou**  
**Frenetik**  
**\[email protected\]**

Cyber Startup Frenetik Launches with Patented Deception Technology That Bets Against the AI Arms Race

Baltimore, MD, 2nd December 2025, CyberNewsWire

**Baltimore, MD, December 2nd, 2025, CyberNewsWire**

The 2025 State of AI Data Security Report reveals a widening contradiction in enterprise security: AI adoption is nearly universal, yet oversight remains limited. Eighty-three percent of organizations already use AI in daily operations, but only 13 percent say they have strong visibility into how these systems handle sensitive data.

Produced by Cybersecurity Insiders with research support from Cyera Research Labs, the study reflects responses from 921 cybersecurity and IT professionals across industries and organization sizes.

The data shows AI increasingly behaving as an ungoverned identity — a non-human user that reads faster, accesses more, and operates continuously. Yet most organizations still use human-centric identity models that break down at machine speed. As a result, two-thirds have caught AI tools over-accessing sensitive information, and 23 percent admit they have no controls for prompts or outputs.

Autonomous AI agents stand out as the most exposed frontier. Seventy-six percent of respondents say these agents are the hardest systems to secure, while 57 percent lack the ability to block risky AI actions in real time. Visibility remains thin: nearly half report no visibility into AI usage and another third say they have only minimal insight — leaving most enterprises unsure where AI is operating or what data it touches. 

Governance structures lag behind adoption as well. Only 7 percent of organizations have a dedicated AI governance team, and just 11 percent feel prepared to meet emerging regulatory requirements, underscoring how quickly readiness gaps are widening.

The report calls for a shift toward data-centric AI oversight with continuous discovery of AI use, real-time monitoring of prompts and outputs, and identity policies that treat AI as a distinct actor with narrowly scoped access driven by data sensitivity.

> “AI is no longer just another tool — it’s acting as a new identity inside the enterprise, one that never sleeps and often ignores boundaries,” said Holger Schulze with Cybersecurity Insiders. “Without visibility and robust governance, enterprises will keep finding their data in places it was never meant to be.”

As the report cautions: “You cannot secure an AI agent you do not identify, and you cannot govern what you cannot see.”

The full 2025 State of AI Data Security Report is available for download at: https://www.cybersecurity-insiders.com/portfolio/2025-state-of-ai-data-security-report-cyera/

Media Contact: \[email protected\]

**About Cybersecurity Insiders**

Cybersecurity Insiders provides strategic insight for security leaders, grounded in more than a decade of independent research and trusted by a global community of 600,000 cybersecurity professionals. We translate shifting market trends into clear, actionable guidance that helps CISOs strengthen their programs, make informed technology decisions, and anticipate emerging risks.

We connect practitioners and innovators by giving CISOs the clarity needed to navigate a noisy market while helping solution providers align with real-world priorities. We drive this alignment through evidence-backed research, strategic CISO guides, independent product reviews, data-driven message validation, and peer-validated recognition through the Cybersecurity Excellence Awards and AI Leader Awards.

More: https://cybersecurity-insiders.com

**Contact**

**Founder**  
**Holger Schulze**  
**Cybersecurity Insiders**  
**\[email protected\]**

AI Adoption Surges While Governance Lags — Report Warns of Growing Shadow Identity Risk

Proxyearth is a new site that shows names, Aadhaar numbers, and live locations of users in India using only mobile numbers, raising serious privacy and security concerns.

Everyone values privacy, especially online. But every once in a while, a tool surfaces that completely shatters that illusion. That’s exactly what Proxyearth does. This website, along with its connected Telegram bot, claims to pinpoint the exact location of any Indian citizen using nothing more than their mobile phone number.

****How Proxyearth Works****

Launched in October 2025, Proxyearth asks users to input a mobile phone number, then returns detailed information linked to that number. It pinpoints the target’s location on a map similar to Google Maps. But it doesn’t stop there. The site displays full biodata of the individual, including:

1.  **Full name**
2.  **Father’s name**
3.  **Email address**
4.  **Telecom provider**
5.  **House or flat number**
6.  **Building or society name**
7.  **Alternate mobile numbers**
8.  **Postal code, city and district**
9.  **Plain text Aadhaar card number**

Hackread.com tested a private mobile number belonging to a friend. The site returned accurate and up-to-date details, raising serious concerns about how easily personal data can be exposed without consent. This isn’t just a breach of privacy; it shows how vulnerable millions of **Indian** citizens may be to tracking and surveillance.

Proxyearth displaying precise personal details linked to a mobile number (Image credit Hackread.com)

There’s also an option labeled “View Full API Responses”, which reveals even more. One section shows a Mobile Details API Response, and another contains an Aadhaar Details API Response.

Both View Full API Responses expose additional data such as linked email accounts, secondary addresses, extra phone numbers and other personal identifiers. This level of detail suggests the tool is using data from past KYC leaks, possibly leaked Aadhaar databases, and other state-linked data sources.

(Image credit: Hackread.com)

However, while the exact backend of Proxyearth remains unclear and we are intentionally not sharing the link for privacy and security reasons, there are only a few realistic explanations.

One possibility is **insider access** from within the Indian telecom sector, where employees may have exposure to subscriber data at scale. A more likely scenario is that the tool is pulling from past breaches involving telecom companies or government-linked databases.

For context, in January 2024, _Hackread.com_ **reported** how a 1.8TB database was being sold on cybercrime forums. The dump allegedly contained names, phone numbers, addresses, and Aadhaar numbers of 750 million Indian mobile users, nearly half of the country’s population. The origin of this database was never officially confirmed, but the scale and structure match what tools like Proxyearth now appear to use.

In another case, back in February 2021, a hacking group known as **Red Rabbit Team claimed** to have breached Bharti Airtel, one of India’s largest telecom operators. They alleged access to millions of customer records, including Aadhaar card scans and personal details. Airtel publicly denied any breach, but the attackers released partial samples as proof.

For your information, **Aadhaar** is India’s national ID system, which assigns a unique 12-digit number to every resident. It is linked to biometric and demographic data.

****The “About Us” Section of Proxyearth****

A look at Proxyearth’s About Us page reveals an obvious attempt to downplay what the tool actually does. It brands itself as a basic “mobile number tracking” site for Indian users, suggesting it simply helps people find general information tied to a phone number. Nowhere does it mention that the site exposes highly sensitive personal data, including full names, Aadhaar numbers, residential addresses and even building-level geolocation.

There is zero mention of where this data comes from, who operates the platform, or whether any of it is legal. There’s no privacy policy, no disclosure of third-party APIs, and no accountability.

By calling itself a “tracker” and leaving out any reference to the real scope of its capabilities, the site clearly aims to lower suspicion. It leans into the language of convenience while quietly enabling large-scale data exploitation. The omissions are deliberate and speak to the intent to keep the tool running without scrutiny from regulators, platforms, or security researchers.

****A Direct Threat to Indian National Security****

The existence of a tool like Proxyearth isn’t just a privacy disaster; it poses a direct threat to national security. If accurate geolocation, Aadhaar numbers, and full identities of Indian citizens can be pulled by anyone with a phone number, it opens the door to large-scale surveillance, profiling, and targeting.

Law enforcement officials, government employees, military personnel, whistleblowers, fact-checkers, and journalists are equally exposed. In the wrong hands, this level of access can be easily used for espionage and even destabilization efforts in some cases.

Proxyearth Tool Lets Anyone Trace Users in India with Just a Mobile Number

Menlo Park, USA, 2nd December 2025, CyberNewsWire

**Menlo Park, USA, December 2nd, 2025, CyberNewsWire**

Travel and hospitality industry leader **Sonesta International Hotels** partners with AccuKnox to deploy Zero Trust Integrated Application and Cloud Security for Microsoft Azure.

**AccuKnox****, Inc.**, announced that Sonesta International Hotels has partnered with AccuKnox to deploy Zero Trust CNAPP.

**Gartner Group, in its 2024 findings, reported that security leaders should:**

*   Adopt CNAPP offerings to safeguard cloud-native applications and counter the growing attack surface. These solutions protect against threats in the runtime environment, mitigate misconfigurations in cloud infrastructure, and streamline security integration and collaboration throughout the overall development experience.
*   Leverage CNAPP to strengthen defenses against network attacks, compute, storage, identities, permissions, APIs, and the software supply chain, thereby mitigating potential risks and safeguarding critical assets.
*   Prioritize solutions that cater to the increasing operational responsibilities of developers and cloud architects

Furthermore, Gartner opined that enterprises that do not employ a unified CNAPP will lack extensive visibility into the cloud attack surface and consequently fail to achieve their desired zero-trust goals.

In its 2024 report on Vulnerability Management, Gartner advised organizations to implement an RVBM (Risk-based Vulnerability Management) and conduct CTEM (Continuous Threat Exposure Management) to achieve actionability, risk control, security integration, and prioritization. 

Sonesta Security Engineering and Cloud Platform DevOps leaders were focused on implementing an integrated application security and cloud security platform with the following goals/objectives:

*   Multi-Cloud misconfigurations with a focus on reducing Alert Deluge
*   Compliance conformance against CIS, SOC2 Type II, NIST, MITRE, PCI across Multi-Cloud Infrastructure
*   DevSecOps with SAST, DAST & IaC security integrations with Azure DevOps
*   Automation of the Findings & Ticketing Lifecycle

Sonesta conducted an extensive POC (Proof of Concept) with multiple vendors and selected AccuKnox for the following reasons:

*   Multi-cloud misconfiguration detection 
*   Special focus on toxic combinations. 
*   Continuous Compliance visibility against cloud in CIS, SOC2 Type II, NIST, MITRE, PCI across Multi-Cloud Infrastructure
*   Consolidated view of the DevSecOps with SAST, DAST & IaC security integrations with Azure DevOps pipeline
*   45% reduction in the Engineering efforts due to the Automation of Findings & Ticketing Lifecycle

**Supporting Quotes**

> “We are thrilled that an industry leader like Sonesta chose us for their integrated Zero Trust ASPM/CNAPP platform. Their vision and strategy are very well aligned with ours, and we look forward to a great partnership”,

**Nat Natraj, co-founder and CEO, AccuKnox.**

> “We conducted an extensive evaluation of best-in-class vendors in the industry and selected AccuKnox based on their comprehensive features, ease of deployment, ease of use, 3rd party integrations, and real-time security to prevent advanced zero-day attacks. Their strong roadmap offerings in API Security, AI/LLM Security made AccuKnox the best choice for an integrated AppSec/CloudSec platform”

**David Billeter, Cybersecurity Leader, Sonesta International Hotels.**

**About** **AccuKnox**

AccuKnox provides a Zero Trust CNAPP Security platform that secures public clouds, private clouds, edge/IoT & 5G assets. AccuKnox is funded by leading security investors like National Grid Partners, MDSV, Avanta Venture Partners, Dolby Family Ventures, DreamIT Ventures, 5G Open Innovation Lab, and Seedop. AccuKnox was formed in partnership with SRI International (previously Stanford Research Institute) and has seminal patents on different aspects of Zero Trust security. 

**About Sonesta International Hotels**

Sonesta is the 8th largest hotel company in the U.S., according to Smith Travel Research (STR), with approximately 1,100 properties totaling 100,000 guest rooms across 13 brands in eight countries. Sonesta owns, manages, and/or franchises under The Royal Sonesta; The James, Classico Collection by Sonesta, Sonesta Hotels, Resorts & Cruises; MOD Collection by Sonesta, Sonesta Select Hotels; Sonesta Essential Hotels, Sonesta ES Suites, Sonesta Simply Suites, Red Lion Hotels, Inns & Suites by Sonesta; Signature Inn by Sonesta; Americas Best Value Inn by Sonesta; and Canada’s Best Value Inn by Sonesta.

**Contact**

**Syed Hadi**  
**AccuKnox**  
**\[email protected\]**

Sonesta International Hotels Implements Industry-Leading Cloud Security Through AccuKnox Collaboration

New York, New York, 1st December 2025, CyberNewsWire

**New York, New York, December 1st, 2025, CyberNewsWire**

BreachLock, the global leader in Penetration Testing as a Service (PTaaS), has been named a Leader and Fast Mover in the 2025 GigaOm Radar Report for PTaaS for the third year in a row.

The GigaOm Radar Report for PTaaS is published annually to help security leaders and practitioners evaluate PTaaS solutions for more informed decision-making. This year’s report evaluated 16 of the top PTaaS providers in the market based on key feature capabilities, their ability to meet enterprise business requirements, deployment models, and other important decision-making criteria.  

2025 marks the third year in a row BreachLock has been positioned as a leader and fast mover in the Maturity and Platform Play Quadrant of the GigaOm PTaaS Radar Report, demonstrating both its consistency and platform innovations geared towards enterprise customers.  

BreachLock and the 15 other PTaaS providers evaluated in the report were scored based on the following key feature capabilities: 

1.  Built-in vulnerability scanners 
2.  Integration with SDLC technologies 
3.  API access 
4.  Customizable testing methodologies 
5.  Retesting of findings 
6.  Streamlined procurement 
7.  Crowdsourcing pentesters 
8.  Compliance Reporting 

BreachLock scored highly in all but one category, with the exception of crowdsourcing pentesters, helping earn its position as a leader and fast mover in this year’s report. While crowdsourcing pentesters has its benefits, BreachLock’s 100% in-house team of highly skilled, certified expert pentesters offers enterprises a higher level of consistency, scalability, and reliability to guarantee quality results when penetration testing critical systems and applications. 

BreachLock also scored highly in GigaOm’s business criteria comparison focused on non-functional requirements buyers commonly consider for purchase decision-making to determine a solution’s impact on an organization. The five factors evaluated as part of the business criteria comparison included: 

1.  Flexibility 
2.  Scalability 
3.  Speed 
4.  Risk Reduction 
5.  Cost 

While the key capabilities and business criteria scores were the most heavily weighted criteria for radar positioning, GigaOm also scored each provider on emerging features, which scored providers’ integration capabilities with attack surface management (ASM) and private PTaaS platforms. 

Lastly, GigaOm’s solution overview of BreachLock highlights its unified, cloud-native platform that combines PTaaS, Continuous Threat Exposure Management (CTEM), and Adversarial Exposure Validation (AEV), addressing how it enables organizations to transition from traditional point-in-time security testing to continuous, threat intelligence-driven offensive security. 

> Commenting on BreachLock’s position in the report, Seemant Sehgal, Founder & CEO of BreachLock, expressed, “It’s an honor to be recognized by GigaOm as a PTaaS leader for the third year in a row, which is a clear reflection of BreachLock’s constant innovation and focus on enterprise needs.” He added, “The world is evolving fast with Agentic AI—and so are attackers. BreachLock is one of the very few offensive security companies leading this shift. Our unified, agentic, and automation-first approach is reshaping enterprise-scale offensive security, and we’re proud to be ranked alongside the best—driving innovation, speed, and measurable outcomes for our clients.” 

> Chris Ray, author of the GigaOm Radar Report for PTaaS, highlighted BreachLock’s strengths in the report, writing, “BreachLock excels for enterprises with CI/CD pipelines requiring continuous security validation through its deep SDLC integration, risk-contextualized findings, and pipeline security gates. Its unified PTaaS and ASM solution provides seamless visibility for organizations transitioning from periodic to continuous security testing, eliminating blind spots between scheduled assessments.” 

**About BreachLock** 

BreachLock is a global leader in offensive security, delivering scalable and continuous security testing. Trusted by global enterprises, BreachLock provides human-led and AI-powered Attack Surface Management, Penetration Testing as a Service (PTaaS), Red Teaming, and Adversarial Exposure Validation (AEV) solutions that help security teams stay ahead of adversaries. 

With a mission to make proactive security the new standard, BreachLock is shaping the future of cybersecurity through automation, data-driven intelligence, and expert-driven execution.

**Contact**

**Senior Marketing Executive**  
**Megan Charrois**  
**BreachLock**  
**\[email protected\]**

Source

HackRead