I just came across the Zero Day Clock, and I love it. Everyone should go there, see the stats, see the trends, and figure out what that means for your ongoing and future patch management plans.

Malwarebytes warns that a phishing campaign is using Google Calendar invites to send phony renewal notices for Malwarebytes subscriptions. The calendar invites contain a phone number that will connect the user with a scammer.

AI isn’t just another technology wave—it’s a force multiplier for both innovation and risk. In a recent webinar featuring insights from Bryan Palma and guest speaker Jinan Budge, Vice President and Research Director at Forrester, one message came through clearly: the rise of AI and AI agents is fundamentally reshaping the human risk landscape—and security leaders need to move fast to keep up.

The number of publicly reported unique vulnerabilities has risen year after year.

There was a brief decrease and stabilization in 2015 – 2016, but those are the only years in the over two decades (1999 – on) I have been following vulnerability metrics. Other than that, it has been up, up, up.

I need to confess something. A few days ago whilst vibe coding at 2am (which can end up burning through tokens like they are going out of fashion) I accidentally pasted my API key directly into a Claude chat instead of the terminal window I had open.

On March 9th, Codewall.ai disclosed how it had hacked McKinsey & Company’s AI platform called Lilli, a purpose-built system for 43,000+ employees to analyze documents, chat, and access decades of proprietary research. The researchers unleashed an AI agent which quickly scanned 200 endpoints, identified 22 that did not require authentication, and one that wrote user search queries into a database including non-parameterized JSON keys which were concatenated directly into SQL.

The old rules for spotting a phishing email are changing. Remember looking for bad grammar and clumsy spelling? Thanks to AI, hackers’ emails are increasingly polished and hard to spot. But a new poll from KnowBe4 reveals the modern worker’s most reliable alarm bell for a cyberattack isn’t a typo; it’s a sense of manufactured urgency.