Privacy left the chat. A misconfigured Kafka broker effectively undid the anonymity many users rely on.

The Cybernews research team found that video call app Huddle01 exposed email addresses, real names, and other identifiers through an unprotected Kafka broker.

Think of an unprotected Kafka broker like a post office that stores and delivers confidential mail. Now, imagine the manager leaves the front doors wide open, with no locks, guards, or ID checks. Anyone can walk in, look through private letters and photos, and grab whatever catches their eye.

Huddle01 is a video call app that focuses on decentralized Web Real-Time Communication (WebRTC). WebRTC is appealing because it lets people talk and share data directly between devices without using a central server. Done right, this can reduce latency, cut costs, and improve privacy.

But leaving your Kafka broker open to anyone who happens to stumble upon it does not qualify as “doing privacy right.” The Kafka broker operated without authentication or encryption, meaning anyone could listen in, collect logs, or potentially alter data if write access existed. This demonstrates a fundamental misconfiguration that puts both users and the platform at risk.

The Kafka instance contained over 621,000 log entries from the last 13 days, belonging to Huddle01, including:

*   Usernames (sometimes real names)
*   Email addresses
*   Crypto wallet addresses (Huddle01 supports many wallets across blockchains like Bitcoin and Ethereum)
*   Detailed activity data, such as which users joined specific calls, participants in each call, country, time, date, and duration
*   Other identifiers

The app is popular among cryptocurrency users, but in this case the open Kafka instance could have deanonymized their wallets by tying their crypto wallets to usernames and email addresses. Which also paints a target on their back as potentially high-value targets.

It also makes users more vulnerable to social engineering since attackers can craft credible emails or messages using real names and meeting data.

And hold on for the worst part. Cybernews states it responsibly disclosed the data leak to the company behind Huddle01…

> “However, it did not respond to the initial disclosure and subsequent attempts. After one month, the exposed server remained accessible. It’s unclear how many other third parties might have accessed the data.”

**Security tips for affected users**

Knowing that the exposed information goes back about two weeks doesn’t help much, since anyone with access could have set up a data collector, listening in on the real-time data streaming and processing going on.

So, any Huddle01 users should:

*   Change passwords on accounts linked to the exposed email or username, and use strong, unique passwords for each site.
*   Set up two-factor authentication (2FA) wherever possible to prevent unauthorized access.
*   Monitor inboxes for suspicious messages. Be extra cautious of emails or texts asking for crypto transactions or sensitive information, as targeted phishing is a possibility. Be especially wary of social engineering attempts that reference details from meeting logs, such as who you spoke to or when meetings occurred.
*   Stay updated on official statements from Huddle01 or news coverage, as they may release more guidance later.

**Pro tip:** Did you know that you can submit suspicious messages like these to Malwarebytes Scam Guard, which instantly flags known scams?

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 Video call app Huddle01 exposed 600K+ user logs 

Former GOP operative Scott Leiendecker just bought Dominion Voting Systems, giving him ownership of voting systems used in 27 states. Election experts don't know what to think.

The news last week that Dominion Voting Systems was purchased by the founder and CEO of Knowink, a Missouri-based maker of electronic poll books, has left election integrity activists confused over what, if anything, this could mean for voters and the integrity of US elections.

The company, acquired by Scott Leiendecker, a former Republican Party operative and election director in Missouri before founding Knowink, said in a press release that he was rebranding Dominion, which has headquarters in Canada and the United States, under the name Liberty Vote “in a bold and historic move to transform and improve election integrity in America” and to distance the company from false allegations made previously by President Donald Trump and his supporters that the company had rigged the 2020 presidential election to give the win to President Joe Biden.

The Liberty release said that the rebranded company will be 100 percent American-owned, that it will have a “paper ballot focus” that leverages hand-marked paper ballots, will “prioritize facilitating third-party auditing,” and is “committed to domestic staffing and software development.” The press release provided no details, however, to explain what this means in practice.

Dominion, the second leading provider of voting machines in the US, whose systems are used in 27 states—including the entire state of Georgia—has developed its software in Canada and Belgrade, Serbia, for two decades. A search on LinkedIn shows numerous programmers and other workers in Serbia who claim to be employed by the company.

The Liberty statement does not say whether the company plans to rewrite code developed by these foreign workers—which would potentially involve rewriting hundreds of thousands of lines of code—or whether the company will move foreign developers to the US or replace them with American programmers. (Dominion has a US headquarters in Colorado.) A Liberty official, who agreed to speak on the condition that they not be named, told WIRED only that Leiendecker “is committed to 100 percent … domestic staffing and software development.” An unnamed source told CNN, however, that Liberty will continue to have a presence in Canada, where its machines are used across the country.

Philip Stark, professor of statistics at UC Berkeley and a longtime election-integrity advocate, says Liberty’s assurance about domestic-only workers is a red herring. “If the claim is that this is somehow a security measure, it isn’t. Because programmers based in the US also … may be interested in undermining or altering election integrity,” he tells WIRED.

With regard to third-party audits mentioned in the press release, a Liberty official told WIRED this means the company will conduct a “third-party, top-to-bottom, independent review of \[Dominion\] software and equipment in a timely manner and will work closely with federal and state certification agencies and report any vulnerabilities” to give voters assurance in the machines and the results they produce. The company didn’t say when this review would occur, but a Liberty representative told Axios it would happen ahead of next year's midterm elections, and the company would "rebuild or retire" machines as needed.

But Stark and other election experts believe this is unrealistic and appears to be aimed just at making the company “look good” to right-wing critics. “There isn’t time between now and 2026 to design, test, and certify new voting equipment,” Stark says. Federal and state testing and certification is expensive and can take months, depending on what changes a company makes to its voting systems. And many states have legal limitations on how close to an election updates to voting systems can occur. If Liberty plans to replace foreign Dominion workers with US ones, this will likely also slow down any review and rebuilding.

What’s more, Stark, who developed procedures for risk-limiting audits used in some jurisdictions to verify the integrity of election results, says the only audits that can provide assurances about election outcomes are postelection audits of paper ballots. An audit of voting software can’t even provide assurance that a voting machine hasn’t been subverted, because the software and machine configurations can be altered after auditing and certification. A software audit can only identify existing vulnerabilities, but many of these have already been identified by third-party computer security experts who examined Dominion code in the past. And if Liberty were to rewrite any Dominion code, it would need to be audited for new vulnerabilities introduced by the recoding.

**The Shrinking Voting Industry**

News of the acquisition apparently caught Dominion customers off guard last week. Leiendecker reportedly held a conference call on Friday with Colorado county election clerks who were angry that they’d learned of the sale from media reports instead of the company. The election clerks reportedly grilled Leiendecker about conspiracy claims about Dominion and his plans for the company. The company’s sparse new website currently has only a brief note from Leiendecker on the homepage announcing that the company is “100% American‐owned.”

Leiendecker’s acquisition of Dominion is not a big surprise, however. Knowink and Dominion have worked together closely for a while. Dominion has used Knowink as a subcontractor when bidding for election contracts in order to offer customers a turnkey election solution that includes voting machines and poll books. And Leiendecker’s acquisition continues a long history of consolidation in the voting industry.

For the past two decades, there have only been three primary makers of voting machines in the US, the identities of which have changed frequently through mergers and acquisitions. Currently, the top three are Election Systems & Software, Dominion (now Liberty Vote), and Hart InterCivic, in that order.

Dominion was founded in 2003 in Toronto and was not a big player in the US until 2010, when it acquired two other voting firms—Premier Election Solutions (formerly Diebold Election Systems) and Sequoia Voting Systems. Premier/Diebold, like Dominion, exited the elections business after being beleaguered by security problems with its systems and lingering mistrust over the company’s close ties to the Republican Party (the former CEO had been a fundraiser for President George W. Bush). Sequoia left in large part due to financial issues. In acquiring Dominion, Leiendecker also acquires any remaining remnants of Premier/Diebold and Sequoia—equipment, software, and people—that Dominion may still possess.

With the Dominion acquisition, Leiendecker gains control of election equipment in more than half of the states. Dominion equipment is used across 26 states plus Puerto Rico. Knowink electronic poll books, which replace traditional paper poll books used to verify the eligibility of voters when they sign in at precincts, are used in 29 states plus the District of Columbia. But there are jurisdictions across 14 states, covering 20 million registered voters, that use both Dominion and Knowink systems. This gives companies that Leiendecker controls ownership of equipment that covers the entire election process in those jurisdictions—from the verification of registered voters to the casting of ballots and tabulation of results. And Georgia uses Knowink and Dominion systems statewide. Knowink poll books even interact with Dominion voting machines since a voter smart card inserted into the poll books gets encoded and then inserted into voting machines to pull up a digital ballot for the voter.

Nonetheless, some might be confused about why Leiendecker would want to acquire Dominion, since the voting machine industry has never been particularly lucrative. A 2017 study estimated it to be a $300 million-a-year business, with Dominion’s annual revenue estimated at the time to be about $100 million. Unlike IT systems that get replaced every three to five years, election systems get replaced once in a decade or longer. Voting equipment vendors often rely on long-term maintenance and election-services contracts to stay solvent while vying for new equipment contracts.

It’s not clear how much Dominion is worth today. In 2018, Dominion’s management team partnered with Staple Street Capital, a private equity firm, to acquire a controlling stake in the company. Staple estimated the company’s value at $80 million at the time. A more recent report produced by an accounting firm hired by Dominion to support its claim for damages in Fox defamation lawsuit said the company would have been worth about $741 million in December 2020 if not for Fox’s false election-rigging claims.

The Liberty official who spoke with WIRED would not disclose the price Leiendecker paid or whether other parties contributed funds. He said only that Leiendecker “is the sole owner and he privately financed” the acquisition.

**Rife With Speculation**

On social media, users have expressed concern about Leiendecker’s close ties to the Republican Party as a possible reason for his interest in buying Dominion, raising questions about whether he sides with conspiracy theories about Dominion and the 2020 election. Recent settlements in Dominion lawsuits against conspiracy theorists raises further questions about this, as have Leiendecker’s connection to Trump ally Ed Martin. Leiendecker didn’t respond to questions about these concerns.

Following the 2020 election in which right-wing Trump supporters accused Dominion of having ties to Venezuela—apparently confusing the company with Smartmatic, a voting machine company founded by Venezuelan engineers—and rigging the election, Dominion filed defamation lawsuits against right-wing news outlets Fox News and One America News Network for $1.6 billion for amplifying the false claims. It also filed suit against MyPillow CEO Mike Lindell, and former Trump campaign lawyers Rudy Giuliani and Sidney Powell, for $1.3 billion each.

In 2023, Fox News settled its suit for $787.5 million, and Newsmax recently settled for $67 million. But last month, Dominion reached agreements with OAN, Powell, and Giuliani for undisclosed terms. These latest settlements were a condition of Leiendecker’s acquisition of Dominion. Dominion still has pending lawsuits against Lindell and former Overstock CEO Patrick Byrne. The Liberty official who spoke with WIRED says these will be ending soon as well. “All litigation has been resolved or is in the process of being resolved,” the official wrote in an email. But Stefanie Lambert, Byrne’s attorney, wrote in an email to WIRED: “There is no settlement. Dr. Byrne is looking forward to trial.” A lawyer for Lindell did not respond to an inquiry but Lindell told Infowars this week that he will never settle with Dominion.

The settlements raise questions about whether Leiendecker simply didn’t want to be saddled with lawsuits or if he was doing right-wing defendants a favor by forcing Dominion into settlements favorable to them. Leiendecker didn’t respond to a question about the undisclosed settlement terms.

While Leiendecker hasn't directly addressed the issue around conspiracy theorists and election manipulation publicly, his response to allegations of vote-rigging made more than a decade ago suggests he considers election integrity to be paramount, even when doing so might not be politically advantageous. Leiendecker was appointed by Missouri's Republican secretary of state to investigate St. Louis elections administration after problems arose in the 2000 election there, according to Axios. Leiendecker was then hired by Ed Martin to be the Republican director of the St. Louis City Board of Election Commissioners from 2005 until 2009

Martin, now a staunch Trump ally and supporter of his stolen-election claims, is currently the US pardon attorney and prior to this served under the current Trump administration as the interim US attorney for DC, where he demoted prosecutors who worked on January 6 insurrection cases. But in 2005, he was chair of the St. Louis City Election Board when he hired Leiendecker. Five years after hiring Leiendecker, Martin ran unsuccessfully as a GOP candidate for a congressional seat against the Democratic incumbent and was backed by the St. Louis Tea Party. Similar to what occurred following Trump’s 2020 presidential loss, Martin alleged there were irregularities in the vote counting. A Tea Party spokeswoman called the election “stolen,” and Martin refused to concede the election. Leiendecker, instead of supporting his former boss, disputed the stolen election claim at the time, saying there were "no shenanigans” and challenged the critics to prove otherwise. St. Louis Public Radio reported that he directed this challenge at Martin.

During his time as director of the St. Louis elections board, Leiendecker was widely credited by both political parties for improving the election board’s procedures and ensuring that it processed votes more efficiently than previous boards.

**Paper Chase**

When it comes to future elections, Leiendecker has said in Liberty’s press release and media statements that the company is committed to providing election technology that leverages “hand-marked paper ballots” in “compliance with President Trump's executive order.”

Trump, acting on his false vote-rigging claims, has called for all-paper elections, and his March executive order has called for all voting systems to use or produce a voter-verifiable paper ballot that voters can review to ensure machines didn’t alter their votes. Some media outlets have interpreted Leiendecker’s statements to mean he aligns with Trump’s stance to ban systems that don’t produce a paper record. The Liberty official who spoke with WIRED says Leiendecker meant only that Liberty will offer products that “enable compliance with federal and state standards”—whatever those standards may be. Current voting system standards advise states to use systems that produce a paper record but cannot require this; states decide on their own what voting systems they use. Similarly, Trump has no authority to decide what voting systems states use; the Constitution gives this authority to states alone, and the EO is currently being litigated in court.

Notably, Trump’s EO also wants states to stop using paper ballots that have bar codes or QR codes to record and tabulate votes, because the codes are not human-readable. These ballots are produced by so-called ballot-marking devices, or BMDs—voting systems that allow voters to make selections through a touchscreen tablet or other assistive device, which then prints a paper ballot showing the voter’s selections that the voter can read to verify that the machine marked their votes correctly. The ballot is then passed through an optical scanner to record and tabulate the results.

Many BMDs print ballots with a bar code or QR code on them that is encoded with the voter’s choices; it is this encoded portion that the scanner reads to record and tabulate the votes, not the human-readable portion of the ballot that the voter can verify. Ironically, like Trump, election-integrity activists (on the left and right) have long opposed the use of paper ballots with bar codes or QR codes for security reasons: Someone could theoretically program the systems to print a voter’s choices on the human-readable portion while encoding something else in the bar code or QR code that the scanner reads and tabulates. Dominion makes a BMD called the ImageCast X, most of which produce ballots with QR codes, which is used in all or parts of 15 states, according to Verified Voting, which tracks election equipment usage in the US. They are used statewide in Georgia, an important swing state that was the subject of much controversy in the 2020 election.

Many election-integrity activists want states that use these types of ballots to tabulate only from the human-readable portion of the ballot, not the QR code or bar code, or simply have voters fill out regular paper ballots by hand instead. Trump is seeking the latter.

One Republican Now Controls a Huge Chunk of US Election Infrastructure

Scaling the SOC with AI - Why now? 
Security Operations Centers (SOCs) are under unprecedented pressure. According to SACR’s AI-SOC Market Landscape 2025, the average organization now faces around 960 alerts per day, while large enterprises manage more than 3,000 alerts daily from an average of 28 different tools. Nearly 40% of those alerts go uninvestigated, and 61% of security teams admit

****Scaling the SOC with AI - Why now?****

Security Operations Centers (SOCs) are under unprecedented pressure. According to SACR's _AI-SOC Market Landscape 2025_, the average organization now faces around **960 alerts per day**, while large enterprises manage more than **3,000 alerts daily** from an average of **28 different tools**. Nearly **40% of those alerts go uninvestigated**, and **61% of security teams admit** to overlooking alerts that later proved critical.

The takeaway is clear: the traditional SOC model can't keep up.

AI has now moved from experimentation to execution inside the SOC. **88% of organizations** that don't yet run an AI-driven SOC plan to evaluate or deploy one within the next year.

But as more vendors promote **"AI-powered SOC automation,"** the challenge for security leaders has shifted from awareness to evaluation. The key question is no longer _whether_ AI belongs in the SOC, but how to measure its real impact and select a platform that delivers value without introducing significant risks.

This article provides a practical framework for doing just that. It explores AI-SOC architectures, implementation models, and risks, while outlining phased adoption strategies and the essential questions every organization should ask before choosing a platform.

****The Mindset Shift: From Legacy to a Modern SOC****

Building an AI-augmented SOC starts with a mindset shift, not a technology purchase.

Legacy SOCs depend on static rules, manual triage, and reactive workflows. Analysts spend hours chasing alerts and fine-tuning detections to manage noise — a model that doesn't scale and fuels alert fatigue.

Modern SOCs operate differently. Analysts move from _doing the work_ to _guiding the system_—overseeing outcomes, validating AI decisions, and setting the policies that govern automation. Leaders must also adapt, learning to trust AI to assist analysts without replacing their judgment.

The motivation for this shift is straightforward:

*   Reduce alert fatigue and prevent missed incidents
*   Ensure every alert is investigated
*   Improve productivity and scale SOC capacity without expanding headcount

The first step isn't selecting a platform. It's evolving the SOC model itself — and defining _why_ the change is necessary.

****AI-SOC Architectural Models and Delivery Framework****

SACR's _AI-SOC Market Landscape 2025_ defines the emerging market across four key dimensions — what the platform automates, how it's delivered, how it integrates, and where it runs.

****1\. Functional Domain - What it automates****

The first dimension describes what part of the SOC life-cycle the platform targets and how advanced its automation is.

****Automation / Orchestration (SOAR+) & Agentic SOC****

These systems function as the SOC's _central nervous system_, coordinating actions across SIEM, EDR, cloud, and ticketing tools. They combine deterministic rules with agentic AI that can reason, enrich alerts, and execute containment steps automatically.

Unlike traditional SOAR tools, they move beyond static playbooks — dynamically sequencing responses across multiple systems. Their strength lies in scale and consistency, making them well-suited for complex enterprise or MSSP environments.

****Pure-Play Agentic Alert Triage****

Focused on the SOC's most persistent challenge: alert overload. These platforms deploy Agentic AI analysts to triage, investigate, and prioritize alerts, filtering false positives and escalating only validated threats.

This approach delivers immediate operational value by reducing Tier-1 workload and ensuring that every alert receives at least an initial level of investigation. For many teams, it represents the most practical starting point for adopting AI in the SOC, as it integrates easily with existing tools.

****Analyst Co-Pilot / Investigation Assist****

Acts as a digital assistant for human analysts. It helps generate queries, summarize evidence, and assemble context during investigations, improving speed and accuracy while keeping human judgment central.

****Workflow / Knowledge Replication****

Captures how experienced analysts investigate incidents and replays those workflows as repeatable automation. This model scales institutional knowledge and ensures consistency across teams, though it requires time and expert input to train effectively.

****2\. Implementation Model (How It's Delivered)****

This dimension defines how much control an organization retains over how automation is built, tuned, and maintained. SACR identifies two primary implementation models.

****User-Defined / Configurable****

These platforms offer partial to full flexibility. Security teams can design and adjust agents, detection logic, and workflows using scripting or low-to-no-code interfaces. The result is a SOC environment customized to internal processes — but one that requires skilled personnel and ongoing maintenance.

This model is typically favored by mature enterprises or managed service providers that value adaptability and ownership over simplicity.

****Pre-Packaged / Black-Box****

Delivered as ready-to-run solutions with vendor-managed agents and prebuilt workflows. These platforms can be deployed quickly, provide fast time-to-value, and benefit from continuous vendor R&D. The trade-off is limited visibility into decision logic and less ability to customize.

They are best suited for teams prioritizing ease of use and rapid modernization over granular control.

****3\. Architecture Type (How It Integrates)****

AI-SOC platforms differ in how they integrate into the broader SOC life-cycle and where they source and process data. SACR's _AI-SOC Market Landscape 2025_ identifies three primary integration models, with **Integrated AI-SOC Platforms** emerging as the most comprehensive approach.

****Integrated AI-SOC Platforms****

These platforms ingest and analyze raw security logs directly, functioning as both an AI-SOC and, in many cases, a SIEM alternative. By maintaining their own data stores, they enable historical baselines, anomaly detection, and retrospective investigation, all within a unified system.

The key advantage is full visibility and analytical depth. Integrated platforms reduce dependence on external SIEMs, consolidate triage and response in one control plane, and significantly lower log-storage and licensing costs.

This model aligns closely with the industry's move toward unified operations — where detection, investigation, and response happen in a single workflow instead of across stitched-together tools.

****Connected & Overlay Model (on Existing SOC/SIEM)****

It adds an intelligent AI layer to current systems via APIs. The platform ingests alerts from tools such as SIEMs, EDRs, and cloud services, then enriches, triages, and reports results back to analysts.

Its appeal lies in speed. It delivers value quickly and requires no data migration or infrastructure changes. However, it relies on the quality of upstream alerts and offers limited behavioral analytics, since it typically lacks access to raw telemetry.

****Human &Browser-Based Workflow Emulation****

This approach replicates how analysts work within existing interfaces, observing their actions and replaying investigations automatically. It helps scale expert knowledge and drive consistency, but requires initial setup and validated analyst workflows to perform effectively.

****4\. Deployment Model (Where It Runs)****

Finally, deployment options determine where the AI-SOC operates and how data is managed.

*   **SaaS**: Hosted entirely by the vendor and accessed over the internet. Fastest to deploy and easiest to maintain.
*   **BYOC (Bring Your Own Cloud)**: The vendor provides the AI layer, but data and infrastructure remain in the customer's cloud environment. This is common for teams balancing compliance with flexibility.
*   **Air-Gapped On-Prem**: Fully isolated deployment for regulated industries or high-security environments where external connectivity is not permitted.

****Risks and Considerations When Adopting an AI-SOC Platform****

AI-driven SOCs promise efficiency and speed, but also introduce new categories of potential risks. SACR highlights several, and additional considerations deserve equal attention.

1.  **Lack of Standardized Benchmarks -** There is currently no universally accepted method for measuring AI-SOC accuracy, efficiency, or ROI. Without standardized metrics, vendor comparisons often rely on marketing claims rather than validated outcomes.
2.  **Opaque Decision-Making (Explainability Risk) -** Some systems operate as black boxes, offering little visibility into how alerts are analyzed or classified. This limits transparency, makes auditing difficult, and can reduce analyst trust in automated outcomes.
3.  **Compliance and Data Residency -** Cloud-hosted AI systems can raise concerns about where data is processed and stored, particularly in regulated sectors. Teams should verify compliance with frameworks such as GDPR, ISO 27001, and local data residency laws.
4.  **Vendor Lock-In -** Integrated platforms that centralize data storage or detection logic can create migration challenges over time. Clear data export policies and open APIs are essential for maintaining flexibility.
5.  **Skill Shift and Change Management -** AI-SOCs change how analysts work. Teams shift from manual investigation to automation oversight, which can lead to uncertainty or skill gaps if retraining isn't planned. Structured onboarding and updated workflows are critical for success.
6.  **Integration Complexity -** Platforms that don't integrate cleanly with existing SIEM, EDR, and case management systems can add friction instead of reducing it. Evaluating API coverage and interoperability should be part of the selection process.
7.  **Over-Reliance on Automation -** Treating automation as infallible introduces risk. AI systems should complement, not replace, human judgment, with clear escalation and override mechanisms to prevent blind spots.
8.  **Model Drift and Update Frequency -** AI performance can degrade over time if models aren't retrained regularly with new threat intelligence and environmental data. Ongoing monitoring and retraining cadence should be confirmed with vendors.
9.  **Economic Risk -** Pricing models that charge by data volume or event ingestion can quickly erode the cost benefits of automation. Evaluating the total cost of ownership across data, users, and response volume is key to long-term sustainability.

Mitigating these risks starts with transparency — selecting solutions that provide explainability, flexible integration, strong governance, and a clear balance between automation and human control.

****What to Ask Your AI-SOC Vendor****

Selecting the right AI-SOC platform requires a structured, evidence-based evaluation.

SACR's _AI-SOC Market Landscape 2025_ provides a strong foundation for due diligence, highlighting the questions that help security leaders separate proven capabilities from marketing claims.

****Detection and Triage****

*   What percentage of alerts are triaged automatically versus escalated to analysts?
*   How are low-confidence or ambiguous alerts handled to avoid missed detections?
*   Can the AI's reasoning and verdicts be audited by analysts for validation?

These questions help determine how automation interacts with human oversight and how reliably the system maintains coverage without sacrificing accuracy.

****Data Ownership and Privacy****

*   Who retains ownership of ingested data and alerts once inside the platform?
*   Where is security data stored, and can customers manage retention, deletion, or export?

Clarifying how data is managed, stored, and controlled ensures compliance with internal governance and external regulatory requirements.

****Explainability and Human Control****

*   Can analysts override AI verdicts or modify investigation outcomes?
*   How is analyst feedback incorporated into system retraining or future decisions?
*   What safeguards exist to prevent incorrect automated actions or over-escalation?

These questions help confirm the level of transparency, explainability, and human control within the AI's decision-making loop.

****Integration and Tech-stack Fit****

*   Does the platform integrate with existing SIEM, EDR, identity, and ticketing systems?
*   Can it operate within the current SOC workflow without introducing additional interfaces or tool sprawl?

Understanding how the platform fits into the existing security stack helps prevent integration friction and avoid replacing one layer of complexity with another.

****Pricing and Scalability****

*   Is pricing based on data volume, alert count, or user capacity?
*   How does cost scale as the organization adds new log sources or increases data velocity?
*   What is the expected time to achieve full operational value post-deployment?

Cost structure, scalability, and deployment timelines are key to understanding both immediate and long-term return on investment.

An effective vendor evaluation balances technical depth with operational realism.

The most important questions are not just about _what the AI can do,_ but also about _how it does it_, _how it fits into existing workflows_, and _how its decisions can be understood, verified, and improved over time._

****AI-SOC Adoption Framework****

SACR outlines a straightforward, phased approach to AI-SOC adoption that balances speed with operational trust.

1.  **Define the AI Strategy -** Identify the specific challenges AI should solve, such as alert fatigue, MTTR, or staffing constraints. Align objectives with business outcomes.
2.  **Select Core Capabilities -** Prioritize triage, investigation, response automation, explainability, and data governance.
3.  **Run a Proof of Concept (POC) -** Evaluate performance using real alert data from your environment. Measure improvements in detection and response times.
4.  **Trust-Building Phase (1–2 Months) -** Allow AI to operate in an "assist" mode, while analysts validate its decisions. Implement feedback loops to fine-tune confidence thresholds.
5.  **Gradual Automation -** Enable autonomous response for low-risk events first, then scale up as trust grows.
6.  **Operationalize and Iterate -** Continuously review false positives, analyst feedback, and integration efficiency. Periodically recalibrate models and policies.

Organizations treating AI as a partner, not a replacement, see the most sustainable outcomes.

****Measuring Success Over Time********Short-Term (0–3 months)****

*   Reduction in alert triage length
*   Increased alert coverage percentage
*   Reduction in alerts per analyst

****Mid-Term (3–9 months)****

*   Shorter mean time to respond (MTTR)
*   At least a 35% reduction in false positives and manual investigations
*   Reduced analyst burnout and turnover

****Long-Term (9 months +)****

*   Stable automation performance across incident types
*   Predictable SOC operating costs
*   Improved auditing and compliance reporting

Each metric should relate to a business outcome. Focusing on high-value work can reduce missed alerts, improve response consistency, and increase analyst productivity.

****Conclusion****

AI-SOC platforms are reshaping how security teams detect, investigate, and respond to threats at scale.

But success depends on more than advanced technology. It requires understanding architectures, evaluating risks, and adopting automation in stages that build trust and transparency.

Teams that balance AI-driven efficiency with explainability and human oversight will be best positioned to achieve faster, more resilient security operations.

For deeper insights and vendor evaluations, read the full _SACR AI-SOC Market Landscape 2025 Report_.

It offers detailed benchmarks, architectural comparisons, and adoption guidance for security leaders assessing AI-driven solutions.

****About Radiant Security****

Radiant Security is the unified AI-SOC platform that combines **agentic triage**, **automated response**, and **integrated log management,** eliminating the need to stitch tools together.

The platform is the only AI-SOC that can triage 100% of alerts, regardless of the source, providing complete coverage over the IT infrastructure.

Radiant is more like an SOC operating system than a point product, and SACR recognized it as the **"most unique value proposition."** It helps security teams scale capacity, improve outcomes, and control costs with complete visibility and analyst oversight.

**Book a demo** to see how Radiant enables faster, smarter, and more cost-effective security operations.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Architectures, Risks, and Adoption: How to Assess and Choose the Right AI-SOC Platform

The Cofense Phishing Defense Centre warns of a new tech support scam using Microsoft’s brand to lock browsers and steal data. Learn how the attack uses fake 'payment lures' and urgent security alerts to trick victims into calling a fraudulent support number.

A new, aggressive tech support scam has been discovered by experts at the Cofense Phishing Defense Centre, who say it’s actively exploiting the public’s trust in huge brands like Microsoft. The attackers are now using Microsoft’s logo and branding to trick people into thinking their computers are locked by a virus, forcing them to call a fake support number.

The research report, published on October 14 and shared with Hackread.com, explains that this campaign is more complex than a typical phishing email. It reportedly begins with an email trying to grab your attention with a “payment lure.”

This means the scammer offers a fake refund or reimbursement, usually from a company like Syria Rent a Car, and promises you access to the funds if you simply confirm your email address, as shown in the sample email.

****The Deceptive Steps****

Once someone clicks that link, they are redirected to a CAPTCHA challenge, where they must prove they are human. This step achieves two goals: it makes the process look more realistic and helps prevent automatic security systems from analysing the threat.

Further probing revealed the most frightening step- the final landing page. After getting past the verification, victims are suddenly overwhelmed by pop-ups that perfectly imitate genuine Microsoft security alerts.

The browser is then manipulated to appear locked, with the user losing control of their mouse. This terrifying situation creates a fake ransomware attack experience. Dylan Main, the report author for Cofense, notes that this shows the attacker’s goal is “exploitation by any means necessary to steal information and infiltrate systems.”

Email lure, Fake CAPTCHA Page, and Locked out Screen (Source: Cofense)

****The Call for Help is a Trap****

The sudden, visual shock and loss of control are the scam’s main psychological tools, making the victim feel their system is completely compromised and that they must call for help immediately.

This, combined with the reassuring presence of the Microsoft logo and official-looking text, effectively compels them to call the fake Microsoft Support number displayed on the screen. It is worth noting that this lock is merely an illusion, and you can easily defeat it by holding down the ESC key.

During the scam’s final stage, the victim makes the call and is quickly connected to a fake technician. Their true objective is to steal the victim’s account credentials or convince them to install remote desktop tools, which gives the criminal full access to their computer.

This entire campaign shows “how brand trust can be weaponized against users,” Main notes. To stay protected, always remember that a legitimate tech company like Microsoft won’t call you out of the blue or lock your browser with an alert asking you to call a number. Stay safe and be sceptical, even of familiar logos.

New Tech Support Scam Uses Microsoft Logo to Fake Browser Lock, Steal Data

The fashion retailer says a breach at a marketing partner exposed limited contact details—but no financial data or passwords.

Mango has reported a data breach at one of its external marketing service providers. The Spanish fashion retailer says that only personal contact information has been exposed—no financial data.

The breach took place at the service provider and did not affect Mango’s own systems. According to the breach notification, the stolen information was limited to:

*   First name (not your last name)
*   Country
*   Postal code
*   Email address
*   Telephone number

> “Under no circumstances has your banking information, credit cards, ID/passport, or login credentials or passwords been compromised.”

Because Mango operates in more than 100 countries, affected individuals could be located across multiple regions where Mango markets to customers through its external partner. As Mango has not named the third-party provider or disclosed how many customers were affected, we cannot precisely identify where these customers are located.

Mango has not released any details about the attackers behind the breach. Although the stolen data itself does not pose an immediate risk, cybercriminals often follow breaches like this with phishing campaigns, exploiting the limited personal information they obtained.

We’ll update this story if Mango releases more information about the breach or the customers impacted.

****Protecting yourself after a data breach****

Affected customers say they have received a data breach notification of which we have seen screenshots in Spanish and English.

If you think you have been the victim of a data breach, here are steps you can take to protect yourself:

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable** **two-factor authentication (2FA****).** If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to let sites remember your card details, but we highly recommend not storing that information on websites.
*   **Set up** **identity monitoring**, which alerts you if your personal information is found being traded illegally online and helps you recover after.

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

 Mango discloses data breach at third-party provider 

Florida claims Roku ignored clear signs its users were minors, collecting and selling viewing habits, voice recordings and precise locations.

The state of Florida has accused Roku, which powers many smart TVs and streaming devices, of selling children’s data to third parties without their consent. According to the Florida Attorney General James Uthmeier, Roku collected viewing habits, voice recordings, and precise geolocation from kids without approval from parents.

Roku, which reaches around 145 million people across half of US households, allegedly gathered children’s data despite clear signals that the viewers were minors, the AG said.

After collecting the data, Roku made it available to advertisers and sold it to data brokers, including Kochava, according to the Florida government. Kochava is already facing its own lawsuit from the Federal Trade Commission, which claims the company sells highly sensitive consumer information.

Uthmeier’s office said in a news release:

> “The State contends that Roku’s practices violated Florida’s privacy and consumer-protection laws by failing to obtain parental consent before selling or processing children’s data and by misrepresenting the effectiveness of its privacy controls and opt-out tools.”

In the complaint filed in court, the AG’s office accused Roku of turning a blind eye to the collection of minors’ data.

> “Roku knows that some of its users are children but has consciously decided not to implement industry-standard user profiles to identify which of its users are children.”

The lawsuit claims Roku ignored obvious indicators, such as when users installed its Kids Screensaver or Kids Theme Pack products.

Uthmeier’s office also said that although Roku sells deidentified data to brokers (that is, data that has identifying information removed), it’s still possible for brokers like Kochava to reidentify users. Brokers often have troves of information of their own, such as device IDs linked to potentially identifying information, which can allow them to match records to specific people.

Florida has filed the lawsuit under the Florida Digital Bill of Rights (FDBR), which came into effect on July 1, 2024. The law protects Florida residents’ privacy, including children’s data rights, and gives parents the ability to opt out of data processing for their kids.

The penalty for violating the FDBR is up to $50,000 per violation, but that triples for violations where the consumer involved is a known child. That includes cases of “willful disregard of a child’s age.”

This isn’t the only case that Roku must navigate in court. In April, Michigan Attorney General Dana Nessel also sued Roku for similar violations, accusing it of violating laws including the Children’s Online Privacy Protection Act (COPPA), along with federal and state privacy laws. Roku is fighting the suit.

Smart TV advertising is big business in the US. So much, in fact, that Roku appears to sell its devices at a loss to power its platform revenues, which include not just subscriptions, but advertising. In fiscal 2024, it lost $80.3 million on device sales, up from $43.9 million in device-based losses the prior year. Yet it made $1.9 billion profit from its platform business, up from $1.567 billion in 2023.

According to reports, Roku’s Automatic Content Recognition (ARC) technology captures thousands of images each hour from smart TVs. These can be used to help track viewing activity.

In January, Roku launched its Data Cloud, a service that allows its partners to use the company’s proprietary TV data. It was the latest step in a multi-year strategy to build out its data offering. In 2022, it launched a ‘clean room’ product that allowed other companies to combine their data with Roku’s own, conducting queries about viewer behavior while preserving privacy (this is how companies access its Data Cloud). Then, in 2024, it launched Roku Exchange—an advertising hub for partners.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 Roku accused of selling children’s data to advertisers and brokers 

Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea (DPRK).

BeaverTail and OtterCookie evolve with a new Javascript module

Laura opens up about her journey through various cybersecurity roles, her leap into incident response, and what it feels like to support customers during their toughest moments — including high-stakes situations impacting critical infrastructure.

Thursday, October 16, 2025 06:00

What does it take to lead through chaos and keep organizations safe in the digital age? This week, Amy sat down with Laura Faria, an incident commander at Cisco Talos Incident Response, to explore a career built on empathy, collaboration, and a passion for cybersecurity.

Laura opens up about her journey through various cybersecurity roles, her leap into incident response, and what it feels like to support customers during their toughest moments — including high-stakes situations impacting critical infrastructure.

**Amy Ciminnisi: Laura, it's great to have you on. You're an incident commander, like Alex from last episode. When did your time at Talos start, and what did your journey here look like?**

Laura Faria: My entire career, I've worked in many large cybersecurity vendors - endpoint vendors, firewall vendors, RAV vendors... So I've been in a lot of different roles, but they were mostly in sales. I was actually a Cisco employee prior to joining Talos IR. I've been at Cisco for a little over a year now, and Talos is one of the best places to work in Cisco, in my opinion. They have a really high reputation because everyone knows the quality of research that Talos provides our customers with.

I'd never been an incident commander before, so it was a really new position to me. But it was definitely something I was interested in, and the more I learned about what the role entailed, the more I was excited to pursue it.

**AC: This is a very high-pressure role, and I'm sure you have to deal with a lot of chaos, a lot of moving parts. How do you stay focused and motivated to keep going when you're tackling these really serious incidents for our clients?**

LF: A common phrase in Talos IR is "It's never a good day when an incident happens." During very serious episodes, being there to help the customer feels really good, especially if you're a people person, and especially if you're empathetic and a lot with people's emotions.

Recently, I had a very difficult incident where a large health care facility was seeing a lot of outages in different locations throughout the nation. Every time we saw a site outage, it was devastating because we knew what that meant. We actually had people's lives in our hands. Although it's a very difficult job, taking the time to look at the big picture and understand the importance of your job is really what keeps you going.

_Want to see more?_ _Watch the full interview__, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos!_

Laura Faria: Empathy on the front lines

*** UNSUPPORTED WHEN ASSIGNED ***
Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control.

This issue affects Apache Traffic Control: all versions.

People with access to the management interface of the Traffic Router component could specify malicious patterns and cause unavailability.

As this project is retired, it is not planned to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-61581

**Apache Traffic Control has an Inefficient Regular Expression Complexity vulnerability**

Low severity GitHub Reviewed Published Oct 16, 2025 to the GitHub Advisory Database • Updated Oct 16, 2025

**Package**

gomod github.com/apache/trafficcontrol/v8 (Go)

**Affected versions**

<= 8.0.2

\*\*\* UNSUPPORTED WHEN ASSIGNED \*\*\*  
Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control.

This issue affects Apache Traffic Control: all versions.

People with access to the management interface of the Traffic Router component could specify malicious patterns and cause unavailability.

As this project is retired, it is not planned to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2025-61581
*   https://lists.apache.org/thread/mx2jxgnlop2f4vbqnvmrldh4pqmobxvp

Published to the GitHub Advisory Database

Oct 16, 2025

Last updated

Oct 16, 2025

GHSA-9m49-p2j3-c6xm: Apache Traffic Control has an Inefficient Regular Expression Complexity vulnerability

Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictions.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Spark New
        
        Build and deploy intelligent apps
        
    *   GitHub Models New
        
        Manage and compare prompts
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    
    View all features
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-41410

**Mattermost has a Missing Authorization vulnerability**

Moderate severity GitHub Reviewed Published Oct 16, 2025 to the GitHub Advisory Database • Updated Oct 16, 2025

**Package**

gomod github.com/mattermost/mattermost-server (Go)

**Affected versions**

\>= 10.10.0, < 10.10.3

\>= 10.5.0, < 10.5.11

\>= 10.11.0, < 10.11.3

**Patched versions**

10.10.3

10.5.11

10.11.3

gomod github.com/mattermost/mattermost/server/v8 (Go)

< 8.0.0-20250822083415-01b95392a450

8.0.0-20250822083415-01b95392a450

**Description**

Published to the GitHub Advisory Database

Oct 16, 2025

Last updated

Oct 16, 2025

**EPSS score**

Tag

#git