Internet-facing assets like domains, servers, or networked device endpoints are where attackers look first, probing their target’s infrastructure…

Internet-facing assets like domains, servers, or networked device endpoints are where attackers look first, probing their target’s infrastructure to determine if there is a viable way in. External attack surface management (EASM) is how security teams stay ahead of such vulnerabilities, which is why it’s become so critical for shoring up defences.

However, many security teams only rely on Microsoft Defender for EASM, which might not be enough. We regularly see some of the most security-mature organisations suffer breaches, indicating that there are some gaps in how EASM is being implemented across industries.

****How EASM Blind Spots Become Entry Points****

With powerful, widely available scanners like Shodan, Censys, or custom-built scanners, attackers are always probing the internet to identify any exposed assets. Something as simple as an open port or misconfigured server can signal to them that a service is active and potentially exploitable.

In more targeted attacks, a malicious actor might even correlate data from multiple sources to map the target’s entire external footprint. This may include exposed admin panels coupled with leaked secrets on GitHub, or open APIs with weak or missing authentication.

Because our digital footprints are so extensive nowadays, there is a real challenge in maintaining visibility and control across all assets. Even the most powerful companies are struggling. In the spring of 2025, Oracle, a leading provider of cloud infrastructure services, suffered a breach that exposed millions of customer records.

The cause was a single unmanaged subdomain, which attackers used to gain initial access and identify other security gaps before moving laterally.

****The Most Common EASM Blind Spots****

Regardless of how much emphasis is placed on EASM, exposures still can and do happen. There are simply too many dynamics at work. Perhaps the most obvious one is the rise of remote work policies, which significantly accelerated the spread of shadow IT.

Employees now often use their own devices for work, which includes any applications or services installed that the company’s IT team has no idea about. Without integration into the EASM inventory, such assets are a major blind spot for defenders and a huge opportunity for attackers.

Old infrastructure is another blind spot. Old servers, domains, or staging environments regularly outlive their purpose. Even though they’re not in use, they remain online and unpatched. Without security updates or proper configuration management, these are the easiest targets.

Because businesses are so interconnected, third-party risk is another gap. Organisations have very little control over how their partners secure and manage their infrastructure, outside of any initial due diligence, before starting the relationship.

With so many possible exposures, relying on a single tool to identify them adds to the risk. Most companies only use Defender, which is a great tool, but it also gives false confidence that all internet-facing assets are accounted for.

****Does AI Close or Create More Blind Spots?****

A big topic around EASM and cybersecurity in general is the impact of artificial intelligence and how it aids attackers and defenders.

On the offensive side, AI has made it slightly easier for attackers to automate reconnaissance by generating exploit scripts or analysing vast amounts of publicly available data. The main advantage adversaries get is speed, which is crucial when a missing a patch install by a day can turn into a security incident.

For defenders, the benefits are equally significant. Modern EASM platforms leverage AI to improve asset discovery, correlate data across the environment, and prioritise findings based on asset criticality and exploitability.

So it’s a double-edged sword, and it’s unlikely that AI will create any meaningful advantage for either side, as both parties are constantly adapting.

****Hardening Your External Attack Surface Management****

If you’re already implementing EASM, a few small tweaks can have a huge impact in reducing external exposure.

The frequency of scanning is very important. Adversaries don’t scan your infrastructure just once per quarter, and neither should you. Scanning should be continuous, with automated discovery across domains, endpoints, IPs, and cloud instances. Any old or unused infrastructure that is discovered should be removed.

To improve the breadth of scanning, consider implementing an additional EASM layer on top of Defender. It’s important to incorporate validation and remediation capabilities, particularly surrounding unmanaged SaaS applications, external cloud providers, and third-party relationships.

Once your EASM stack is in order, it’s best to integrate it with your SIEM, SOAR, DRPS and ticketing workflows. This way, security teams can easily analyse external exposure findings and implement any necessary fixes, prioritised by risk levels.

****Final Thoughts****

The effectiveness of your security program depends on what you can see, but even more so on what you can’t. EASM has become one of the most valuable tools for uncovering exposures before attackers do. But it’s not a silver bullet. Blind spots will always exist where visibility, context, or ownership breaks down.

How Adversaries Exploit the Blind Spots in Your EASM Strategy

In this week’s newsletter, Amy recounts her journey from Halloween festivities to unraveling the story of the 2022 Viasat satellite hack, with plenty of cybersecurity surprises along the way.

Thursday, November 13, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

A year ago, fresh off a layoff, I never would have guessed I’d be spending Halloween weekend bouncing between conversations about space policy, satellite hacking, and wedding plans. That’s exactly what happened when my space analyst friend came to stay with us for a few days. Between coffee runs, getting sneak peeks of his upcoming book, and painting on skull makeup for a party, we found ourselves deep in discussions about putting data centers in space and, inevitably, the world of satellite cybersecurity. 

Somewhere within all of that, I realized I was on deck for the newsletter intro soon, and I did what any cyber newbie would do: I asked the nearest expert if there had ever been a well-known cyberattack on satellites. My friend didn’t even blink before answering, “KA-SAT.”

Some light research and a few Webex messages later, I was speaking with our own Joe Marshall — who, lucky for me, might be the only person at Cisco who’s been to satellite hacking training.

Joe walked me through how on Feb. 24, 2022, just hours before Russia’s invasion of Ukraine, a cyber attack targeted Viasat’s KA-SAT satellite network. The attackers exploited a vulnerability in a VPN appliance, gaining access to the network’s management systems. They then deployed a wiper malware called AcidRain, which was designed to erase data on modems and routers across Europe.

Satellite communications were disrupted for thousands of users in Ukraine, but surprisingly, beyond Ukraine’s borders, approximately 5,800 Enercon wind turbines in Germany lost connectivity for remote monitoring and control. 

One surprise from the conversation was the overlap between the AcidRain wiper and VPNFilter, which you may remember from Joe’s September newsletter. AcidRain may be VPNFilter’s successor. Take a look:

Figure 1. Section headers strings tables for VPNFilter (left) and AcidRain (right). Credit: SentinelOne.

Identical, hinting at a shared compiler and other technical links, as SentinelOne's blog details.

What followed this summary was a LOT of questions on my part. What _was_ the VPN vulnerability? How did the wiper work, exactly? What are the pros and cons of replacing vs. fixing the modems, and what about the logistics of the winning decision? Ultimately, while the AcidRain attack was destructive, it was, in the context of what else was happening to Ukraine’s infrastructure, a blip.

As a newcomer to both cybersecurity and Talos, I keep discovering that there are always gaps in the story. I didn’t get all my questions answered because companies guard details, official statements leave out key information, and sometimes, even years later, we’re still piecing things together. Being okay with that is a tall order for people who scour logs looking for a needle in a stack of needles. But when attacks are raining down, customers aren’t asking you to send a flawless analysis. They want to know what you'redoing to keep them safe. 

So, as I write this, still with more questions than answers about AcidRain and the KA-SAT attacks, I’m learning to find peace in knowing that curiosity is the foundation for future expertise. Keep acquiring knowledge, asking questions (both basic and complex), and being okay with some uncertainty.

**The one big thing **

Cisco Talos published a new blog today on the Kraken ransomware group. Linked to HelloKitty, they double-extort organizations globally with cross-platform attacks and use advanced techniques like encryption benchmarking and anti-analysis. Kraken has also launched a new underground forum to strengthen ties within the cybercrime community. 

**Why do I care? **

Kraken’s advanced, cross-platform techniques — including encryption benchmarking and evasion methods — raise the threat level for organizations of all sizes, and may inspire similar advancements in future ransomware. Plus, their new secure underground forum may accelerate collaboration between threat actors, making robust, layered defenses and intelligence sharing among defenders even more critical. 

**So now what? **

Prioritize patching known vulnerabilities (especially SMB), strengthen credential management, and implement comprehensive endpoint, network, and access security solutions. Continuous monitoring, incident response planning, and user awareness training are crucial to detect and contain threats early. 

**Top security headlines of the week **

**SAP fixes serious security issues - here's how to stay safe**   
A patch is now publicly available, and while SAP’s users were previously notified, the researchers are once again urging everyone to apply it as soon as possible since the risk is only going to get bigger going forward. (TechRadar) 

**Phishing tool uses smart redirects to bypass detection**   
A new phishing tool targeting Microsoft 365 users called Quantum Route Redirect simplifies what was once a technically complex campaign flow, as well as offers a uniquely evasive redirect feature that can bypass even robust email protections. (Dark Reading) 

**Cisco finds open-weight AI models easy to exploit in long chats**   
The report, titled Death by a Thousand Prompts: Open Model Vulnerability Analysis, analyzed eight leading open-weight language models and found that multi-turn attacks, where an attacker engages the model across multiple conversational steps, were up to ten times more effective than one-shot attempts. (HackRead) 

**Nearly 30 alleged victims of Oracle EBS hack named on Cl0p ransomware site**   
The Cl0p website lists major organizations such as Logitech, The Washington Post, Cox Enterprises, Pan American Silver, LKQ Corporation, and Copeland. (SecurityWeek) 

**Kimsuky APT takes over South Korean Androids, abuses KakaoTalk**   
One of North Korea's formidable advanced persistent threat (APT) groups is targeting Android users in South Korea with a remote reset attack that exploits a feature in Google aimed at helping users find their devices. (Dark Reading) 

**Can’t get enough Talos? **

**The TTP: How Talos built an AI model into one of the internet's most abused layers**  
Hazel talks with Talos researcher David Rodriguez about how adversaries use DNS tunneling to sneak data out of networks, why it’s so difficult to spot in real time, and how Talos built an AI model to detect it without breaking anything important (like the internet).

**The 2026 Snort Calendar is now available**   
Snorty will pose as a new mythical creature each month. To get your copy, fill out our short survey. Calendars will begin shipping in December 2025. U.S. shipping only, available while supplies last. 

**Talos Takes: How attackers use your own tools against you**   
From a wave of Toolshell events, to a rise in post-exploitation phishing, and the misuse of legitimate tools like Velociraptor, this quarter’s cases all point to a theme: attackers are getting very good at living off what’s already in your environment.

**Do robots dream of secure networking?**   
This blog demonstrates a proof of concept using LangChain and OpenAI, integrated with Cisco Umbrella API, to provide AI agents with real-time threat intelligence for evaluating domain dispositions.

**Upcoming events where you can find Talos **

*   DeepSec IDSC (Nov. 18 – 21) Vienna, Austria 
*   AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_1\_Exe.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**    
MD5: 85bbddc502f7b10871621fd460243fbc    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610    
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe    
Detection Name: W32.41F14D86BC-100.SBX.TG 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**    
MD5: aac3165ece2959f39ff98334618d10d9    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974    
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe    
Detection Name: W32.Injector:Gen.21ie.1201 

**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**    
MD5: 7bdbd180c081fa63ca94f9c22c457376    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_3\_Exe.exe    
Detection Name: Win.Dropper.Miner::95.sbx.tg 

**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a**    
MD5: 1f7e01a3355b52cbc92c908a61abf643    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a    
Example Filename: cleanup.bat    
Detection Name: W32.D933EC4AAF-90.SBX.TG 

**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe**    
MD5: bf9672ec85283fdf002d83662f0b08b7   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe    
Example Filename: f\_003b6c.html    
Detection Name: W32.C0AD494457-95.SBX.TG

Viasat and the terrible, horrible, no good, very bad day

pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Spark New
        
        Build and deploy intelligent apps
        
    *   GitHub Models New
        
        Manage and compare prompts
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    
    View all features
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-12762

**pgAdmin4 vulnerable to Remote Code Execution (RCE) when running in server mode**

Critical severity GitHub Reviewed Published Nov 13, 2025 to the GitHub Advisory Database • Updated Nov 13, 2025

**Package**

pip pgadmin4 (pip)

**Description**

pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2025-12762
*   pgadmin-org/pgadmin4#9320
*   pgadmin-org/pgadmin4@1d39739

Published to the GitHub Advisory Database

Nov 13, 2025

Last updated

Nov 13, 2025

**EPSS score**

GHSA-w2p4-p4rh-qcm3: pgAdmin4 vulnerable to Remote Code Execution (RCE) when running in server mode

Cybersecurity researchers have uncovered a malicious Chrome extension that poses as a legitimate Ethereum wallet but harbors functionality to exfiltrate users' seed phrases.
The name of the extension is "Safery: Ethereum Wallet," with the threat actor describing it as a "secure wallet for managing Ethereum cryptocurrency with flexible settings." It was uploaded to the Chrome Web Store on

Browser Security / Threat Intelligence

Cybersecurity researchers have uncovered a malicious Chrome extension that poses as a legitimate Ethereum wallet but harbors functionality to exfiltrate users' seed phrases.

The name of the extension is "Safery: Ethereum Wallet," with the threat actor describing it as a "secure wallet for managing Ethereum cryptocurrency with flexible settings." It was uploaded to the Chrome Web Store on September 29, 2025, and was updated as recently as November 12. It's still available for download as of writing.

"Marketed as a simple, secure Ethereum (ETH) wallet, it contains a backdoor that exfiltrates seed phrases by encoding them into Sui addresses and broadcasting microtransactions from a threat actor-controlled Sui wallet," Socket security researcher Kirill Boychenko said.

Specifically, the malware present within the browser add-on is designed to steal wallet mnemonic phrases by encoding them as fake Sui wallet addresses and then using micro-transactions to send 0.000001 SUI to those wallets from a hard-coded threat actor-controlled wallet.

The end goal of the malware is to smuggle the seed phrase inside normal looking blockchain transactions without the need for setting up a command-and-control (C2) server to receive the information. Once the transactions are complete, the threat actor can decode the recipient addresses to reconstruct the original seed phrase and ultimately drain assets from it.

"This extension steals wallet seed phrases by encoding them as fake Sui addresses and sending micro-transactions to them from an attacker-controlled wallet, allowing the attacker to monitor the blockchain, decode the addresses back to seed phrases, and drain victims' funds," Koi Security notes in an analysis.

To counter the risk posed by the threat, users are advised to stick to trusted wallet extensions. Defenders are recommended to scan extensions for mnemonic encoders, synthetic address generators, and hard-coded seed phrases, as well as block those that write on the chain during wallet import or creation.

"This technique lets threat actors switch chains and RPC endpoints with little effort, so detections that rely on domains, URLs, or specific extension IDs will miss it," Boychenko said. "Treat unexpected blockchain RPC calls from the browser as high signal, especially when the product claims to be single chain."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Fake Chrome Extension “Safery” Steals Ethereum Wallet Seed Phrases Using Sui Blockchain

Q3 showed sharp growth in malware activity as Lumma AgentTesla and Xworm drove access and data theft forcing SOC teams toward quicker behavior checks

_Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings._

The third quarter of 2025 saw a concerning evolution in the malware landscape. The latest ANY.RUN Malware Trends quarterly report confirms a clear pattern: threat actors are prioritising fast monetisation and initial access operations.

The number of threats investigated in ANY.RUN’s Sandbox grew by 21.6% since Q2, compared to 9.8% growth between Q1 and Q2.

Malicious verdicts increased by 18%. The sandbox extracted 32.8% more IOCs than in Q2, respectively enriching threat data available via Threat Intelligence Lookup and TI Feeds.

****The Three Top Threats SOC Teams Must Watch****

Three malware families dominate the threat landscape due to their ability to quickly monetise stolen data and establish remote control:

**Malware Family**

**Q3 Sandbox detections**

**Type**

**Primary Objective**

Lumma

9,664

Stealer

Remote access, payload delivery, and file manipulation

AgentTesla

5,337

Stealer/RAT

Keylogging, clipboard/email creds, data exfiltration.

Xworm

5,085

RAT

Remote access, payload delivery, file manipulation

Top malware families by ANY.RUN’s Sandbox detections in Q3

Analysts must adapt by reducing triage time, switching from signature-based detection to behaviour-based detection, and enriching indicators with real-time threat context.

****1\. Lumma Stealer – Credential Monetisation at Scale****

Lumma Stealer is currently the most active and prevalent malware family observed in the report. It specialises in stealing sensitive data from endpoints, focusing on browser-stored credentials, cryptocurrency wallets, form autofill data, saved credit cards, and session cookies. Lumma is particularly aggressive in industries such as finance and commerce in Europe and North America, where the stolen data has the highest monetary value.

For organisations, a single Lumma infection can result in corporate account compromise, lateral movement through SaaS access, and asset theft without triggering traditional ransomware alarms.

Lumma’s operators consistently update their infrastructure, rotating malicious domains and other C2 inventory. Threat Intelligence Lookup allows analysts to extract IOCs from the most recent sandbox sessions where Lumma samples were detonated and fuel detection and response systems. threatName:”Lumma” and domainName:””

Recently detected Lumma domains found via TI Lookup

****Where ANY.RUN’s Threat Intelligence Lookup Fits In****

TI Lookup is a real-time threat investigation platform that enriches indicators with context, not just reputation scores. It aggregates fresh IOCs, IOAs, and behaviour patterns (IOBs) directly from malware detonations performed in ANY.RUN’s Interactive Sandbox, powered by data contributed by more than 15,000 enterprise SOCs and security teams across multiple industries.

This gives analysts access to threat intelligence captured from real attacks happening right now, not stale feeds or public blocklists.

Besides the context, it enables analysts to reduce triage time, raise detection accuracy, and retain confidence in their decisions. For business, the key objectives gained are analyst efficiency and better judgment, faster MTTR, and measurable ROI.

In short, TI Lookup turns threat intelligence into operational efficiency: less time spent investigating means more time preventing breaches.

****2\. AgentTesla – activity doubled quarter-over-quarter****

AgentTesla is a widely distributed credential stealer and remote access tool (RAT) with a multilayered set of functions, including keylogging, clipboard monitoring, credential extraction from browsers and email clients, and exfiltration via SMTP or HTTP.

The malware has recently seen a sharp increase in activity, doubling quarter-to-quarter. It is particularly common in industries with large numbers of external communications, transportation, logistics, and education. Its operational simplicity and low barrier to entry make it popular among less sophisticated cybercriminal groups.

Use Threat Intelligence Lookup to instantly check network artefacts and spot AgentTesla in your network.

domainName:”mail.funworld.co.id”

Domain proven to be associated with AgentTesla campaigns via TI Lookup

Explore the linked sandbox sessions to observe AgentTesla’s attack chain and behaviour patterns:

View analysis

AgentTesla detonation in ANY.RUN’s Sandbox

****3\. Xworm (RAT) – modular, covert, highly scalable****

Xworm is a flexible, modular remote access Trojan, is often used as the first foothold in an intrusion, where it serves as a launcher for other malware, including stealers and ransomware. After execution, Xworm enables remote command execution, file manipulation, keylogging, surveillance, and exfiltration. It supports multiple communication channels, including C2 tunnelling through legitimate cloud services, which complicates detection.

Xworm infections are especially dangerous for organisations because the malware acts as a bridge to full compromise. The malware actively targets manufacturing, tourism, and healthcare: industries where business disruption can have immediate operational consequences.

Xworm samples added and analysed by sandbox users from Colombia

****To sum up:****

*   Lumma steals access.
*   AgentTesla steals communications.
*   Xworm turns those stolen credentials into full control of the environment.

****Conclusion****

As Q4 2025 unfolds, Lumma Stealer, AgentTesla, and Xworm RAT will continue to evolve, adopting new evasion techniques and targeting mechanisms to bypass traditional defences.

For SOC analysts, the challenge isn’t just detecting these threats: it’s responding fast enough to minimise impact. The difference between a contained incident and a major breach often comes down to how quickly you can identify what you’re dealing with and implement the right countermeasures.

ANY.RUN’s Threat Intelligence Lookup bridges this critical gap, transforming unknown indicators into actionable intelligence within seconds. By combining comprehensive threat data with interactive analysis capabilities, it empowers your team to move from reactive detection to proactive defence.

The threat landscape will only grow more complex. Ensure your SOC has the intelligence infrastructure to stay one step ahead.

Stop paying for data without context – get visibility that drives decisions.  
Choose your plan for intel sourced from 15K+ real SOCs

Top 3 Malware Families in Q4: How to Keep Your SOC Ready

Behind every click, there’s a risk waiting to be tested. A simple ad, email, or link can now hide something dangerous. Hackers are getting smarter, using new tools to sneak past filters and turn trusted systems against us.
But security teams are fighting back. They’re building faster defenses, better ways to spot attacks, and stronger systems to keep people safe. It’s a constant race — every

ThreatsDay Bulletin: Cisco 0-Days, AI Bug Bounties, Crypto Heists, State-Linked Leaks and 20 More Stories

New York, New York, 13th November 2025, CyberNewsWire

**New York, New York, November 13th, 2025, CyberNewsWire**

BreachLock, a global leader in offensive security, just announced a powerful new integration with Vanta, the leading AI-powered trust management platform, enabling organizations to push security validation evidence directly into compliance workflows with a single click. 

This integration bridges the gap between continuous security testing and compliance by allowing mutual customers to connect the BreachLock Unified Platform to their Vanta environment. Users can automatically send security evidence from the BreachLock Unified Platform, including penetration testing reports, adversarial exposure validation (AEV) results, attack surface management (ASM) results, and more, into the appropriate Vanta control folders, eliminating manual uploads and user errors while significantly reducing audit preparation time. 

> Commenting on the addition of this integration, BreachLock Founder & CEO expressed, “Our clients shouldn’t have to waste time manually transferring evidence between BreachLock and Vanta,” adding, “This integration ensures that our mutual customers’ security findings are always audit-ready and aligned with frameworks like SOC 2 and ISO 27001 within their Vanta environments, effortlessly.” 

> “At Vanta, our mission is to support companies regardless of their tech stack,” said Chris Morris, Staff Product Manager at Vanta. “We’re excited for BreachLock’s integration and to support our mutual customers!” 

The BreachLock Unified Platform supports modern Continuous Threat Exposure Management (CTEM) programs by unifying all CTEM-aligned tools and solutions modern security teams need, including both autonomous and human-led Penetration Testing as a Service (PTaaS), Adversarial Exposure Validation (AEV) for autonomous red teaming, and Attack Surface Management (ASM). This unified approach enables organizations to continuously discover, validate, and remediate exposures across their entire internal and external environments, including web, API, network, mobile, cloud assets, and more. 

With the new BreachLock x Vanta integration, organizations can maintain always-current compliance evidence across all attack surfaces, supporting continuous security and compliance alignment. 

**Key Benefits of the Integration Include** 

*   One-click evidence transfers from BreachLock to Vanta. 
*   Automatic alignment with SOC 2, ISO 27001, and other controls. 
*   Reduced manual effort and fewer errors during audit preparation. 
*   Continuous compliance support through CTEM and automated testing. 

Setting up the integration is simple; users connect to Vanta directly from the BreachLock Platform and authorize BreachLock within Vanta, following a quick step-by-step setup process outlined in a recent blog post on the integration. 

This collaboration between BreachLock and Vanta marks a significant step forward in unifying offensive security and compliance workflows, helping organizations stay not only secure but audit-ready year-round. 

**About BreachLock**

BreachLock is a global leader in offensive security, delivering scalable and continuous security testing. Trusted by global enterprises, BreachLock provides human-led and AI-powered Attack Surface Management, Penetration Testing as a Service (PTaaS), Red Teaming, and Adversarial Exposure Validation (AEV) solutions that help security teams stay ahead of adversaries. 

With a mission to make proactive security the new standard, BreachLock is shaping the future of cybersecurity through automation, data-driven intelligence, and expert-driven execution.

**Contact**

**Senior Marketing Executive**  
**Megan Charrois**  
**BreachLock**  
**\[email protected\]**

BreachLock and Vanta Bridge the Gap Between Continuous Security Testing and Compliance with New Integration

Singapore, Singapore, 13th November 2025, CyberNewsWire

**Singapore, Singapore, November 13th, 2025, CyberNewsWire**

**Recognition we believe underscores global customer trust and proven product excellence for security teams evaluating NDR solutions**

**ThreatBook**, a global leader in threat intelligence-based cybersecurity solutions, today announced that for its **Threat Detection Platform (TDP)**, it has been recognized as a **Strong Performer** in the 2025 Gartner Peer Insights Voice of the Customer for Network Detection and Response (NDR).

This marks the **third consecutive year** that ThreatBook has received this distinction, which we believe underscores consistent customer satisfaction, product innovation, and operational excellence.

> According to Gartner: “‘Voice of the Customer’ is a document that synthesizes Gartner Peer Insights reviews into insights for buyers of technology and services. This aggregated peer perspective, along with the individual detailed reviews, is complementary to Gartner expert research and can play a key role in your buying process. Peers are verified reviewers of a technology product or service, who not only rate the offering, but also provide valuable feedback to consider before making a purchase decision.”

> “We’re thrilled to be recognized again as a Strong Performer in the Gartner Peer Insights ‘Voice of the Customer’ for NDR,” said Mr. Feng XUE, Chief Executive Officer of ThreatBook. “Our mission is to empower security teams with visibility and precision, especially in the Asia-Pacific region where attacks are becoming more sophisticated and targeted. We believe, this recognition reflects our customers’ trust in ThreatBook TDP’s ability to deliver real detection accuracy and operational resilience.”

**Recognition Driven by Real-World Customer Feedback**

To be included in the report, vendors must meet stringent inclusion criteria and are positioned within four quadrants based on user interest, product experience, and overall satisfaction — covering areas such as product capabilities, support, and delivery.

According to the research: “in the network detection and response market, Gartner Peer Insights published 1,263 reviews and ratings during the consideration period,” with 11 vendors ultimately meeting the inclusion standards. ThreatBook is among the few vendors recognized as a Strong Performer for three consecutive years. **ThreatBook was among the few vendors to meet the full inclusion criteria and achieved 100% of customers willing to recommend ThreatBook TDP, based on 43 overall verified reviews submitted as of Aug 2025.**

Enterprise users from finance, manufacturing, energy, services, and retail sectors across Asia-Pacific, North America, the Middle East, and Europe contributed feedback that rated ThreatBook TDP highly in overall product experience, detection precision, and operational efficiency.

**TDP: Industry Leading Intelligence-Driven Detection and Response**

As the market leader in China’s threat intelligence sector (iResearch, 2024 China Threat Intelligence Industry Development Report), ThreatBook integrates high-fidelity threat intelligence into its detection and response solutions.

ThreatBook TDP is a full-traffic, intelligence-driven NDR platform designed to provide visibility, context, and actionability at scale.

**Key strengths include:**

l **High-Precision Detection** – Built on ThreatBook’s proprietary global and APAC threat intelligence, TDP achieves industry-leading detection accuracy for targeted and advanced attacks.

l **Operational Readiness** – Automatically maps enterprise attack surfaces and reconstructs attack chains from an adversarial perspective for proactive defense.

l **Closed-Loop Response** – Integrates with a broad ecosystem of security tools, supporting automated blocking and orchestration with 99% effectiveness.

l **User-Focused Experience** – Offers an intuitive interface and multi-dimensional analytics to enhance SOC efficiency and decision-making.

**Proven Across Industries and Regions**

Today, ThreatBook TDP is deployed in thousands of leading enterprises across critical industries including finance, energy, power, internet, and smart manufacturing.

It has become a core detection and response system for enterprise and government SOCs, helping them achieve visibility, precision, and proactive defense in dynamic threat environments.

Full review:

https://www.gartner.com/reviews/market/network-detection-and-response/vendor/threatbook/product/threatbook-tdp-ndr/review/view/6146934

Full Review: https://www.gartner.com/reviews/market/network-detection-and-response/vendor/threatbook/product/threatbook-tdp-ndr/review/view/6145510

Gartner, Voice of the Customer for Network Detection and Response, 30 October 2025

\* Disclaimer: GARTNER and PEER INSIGHTS are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences, and should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.

**About ThreatBook**

ThreatBook is a global cybersecurity company specializing in advanced threat intelligence, detection, and response. Founded in 2015, ThreatBook equips enterprises, governments, and service providers with the clarity and context needed to defend against evolving digital risks.

By combining artificial intelligence with deep threat intelligence, ThreatBook delivers real-time visibility, hyper-accurate detections, and early-warning insights against nation-state actors, cybercriminal groups, and emerging attack campaigns. With unique vantage points from across the Asia Pacific region and beyond, ThreatBook provides intelligence coverage that bridges Eastern and Western threat landscapes, offering an unmatched perspective for global defenders.

ThreatBook: Act with Intelligence that Matters. To learn more, visit www.threatbook.io or follow us on LinkedIn.

**Contact**

**Belmont Communications**  
**ThreatBook**  
**\[email protected\]**

ThreatBook Peer-Recognized as a Strong Performer in the 2025 Gartner® Peer Insights™ Voice of the Customer for Network Detection and Response — for the Third Consecutive Year

Tag

#intel