Decipher Security Podcast

It's a non-AI podcast! This week we dig into the new Gaslight macOS implant that tries to trick security researchers with some anti-forensics techniques, then we discuss the Operation Endgame takedown of some malware infrastructure, and finally we discuss a Cisco Catalyst SD-WAN bug that was exploited as a zero day.

Alex Pinto, one of the lead authors of the Verizon Data Breach Investigations Report, joins Dennis to talk about his organization's newest publication, the Breach Impact Study, which digs into the real world cost of breaches, both in dollars and in organizational impact. Spoiler: Breaches are expensive.Verizon BIS: https://www.verizon.com/business/resources/reports/2026-breach-impact-study-dbir.pdf

This week was blessedly free of any major supply chain compromises, so we start by talking about new research from Anthropic on the shrinking window between bug disclosure and exploitation, then we discuss the changing patch schedule for Cisco and how all of this is changing the prioritization process for security teams, and finally we discuss some upcoming episodes and our latest hacker movie podcast on The Conversation.LinksAnthropic research: https://decipher.sc/2026/06/10/anthropic-warns-of-llms-impact-on-already-shrinking-n-day-exploit-gap/Cisco patch change: https://blogs.cisco.com/security/strengthening-the-foundation-a-predictable-customer-focused-response-to-ai-accelerated-vulnerability-discoveryThe Vulnpocalypse: https://thevulnpocalypse.com/

Perhaps no film captures the paranoia and anxiety of the 1970s better than The Conversation, Francis Ford Copolla's masterpiece about reclusive surveillance expert Harry Caul, a man who it's safe to say has some demons. Decades before we all agreed to carry tracking and recording devices in our pockets, The Conversation shows us just how invasive and damaging technology can be.

We regret to inform you that there are more npm supply chain attacks this week, and a new variant of the Shai Hulud worm is involved. We also talk about the new analysis from Anthropic on a year of data relating to how attackers are using AI in their operations, and the continuing adventures of Microsoft's relationship with security researchers.

The recent Nightmare-Eclipse zero day drop and attendant drama has stirred up all kinds of trouble and unfortunately spurred Microsoft to publish a post scolding security researchers for not using the "proper channels" to disclose bugs, threatening legal action, and generally dredging up every hobby horse from the threadbare disclosure debate. LinksMSRC post: https://www.microsoft.com/en-us/msrc/blog/2026/05/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosureDecipher story: https://decipher.sc/2026/05/28/the-past-is-always-present-in-vulnerability-disclosure/Expel event: https://info.expel.com/event-mythos-unhappy-hour.html

After being caught in one of the more notorious battles in modern American history, Matt Eversmann's military career has become the stuff of legend. The Battle of Mogadishu, immortalized in the book and movie Black Hawk Down, was a pivotal event in U.S. history and in the lives of Matt and his fellow soldiers. Now retired from the army and focusing on training the next generation of leaders, Matt joins Dennis Fisher to talk about his career, what he's learned from his failures and successes, and how vital resilience and perseverance are for success in any field. Matt's biography: https://thayerleadership.com/team-member/first-sergeant-matt-eversmann/

In the spring, a young attacker's fancy turns to supply chain compromises, and this season's crop includes the GitHub breach and the Grafana intrusion, which are connected and trace back to the TanStack supply chain attack and...TeamPCP. LinksGrafana attack: https://decipher.sc/2026/05/17/grafana-investigating-token-compromise-and-extortion-attempt/GitHub breach: https://decipher.sc/2026/05/20/github-confirms-internal-breach/

Finding a huge pile of bugs with Claude Mythos is great, but the logical next step is figuring out how many of those vulnerabilities are likely to be exploited in the near future. Jay Jacobs and Michael Roytman of Empirical Security join Dennis to talk about how the Exploit Prediction Scoring System can help teams make informed decisions and prioritize patching the most important vulnerabilities. Jay and Michael are pioneers in the data-driven security field and help steer the EPSS effort.

Unlike a lot of founders in the industry, Sravish Sridhar hasn't spent his career in the security world. He comes from a background in distributed computing and advanced math, and is a successful entrepreneur who's now bringing that experience to bear at TrustCloud, where he's helping CISOs automate and streamline their compliance programs.

Few people (if any) have spent more time thinking about and working on the hard problems in security and software than Gary McGraw, and he also happens to have a PhD in cognitive science and computer science and has been studying neural nets and AI systems for 30+ years. Gary joins Dennis to talk about his team's new research into AI security benchmarks, measurement, and bringing a software security approach to LLMs and AI systems. LinksBIML report: https://berryvilleiml.com/results/no-security-meter-ai.pdf

Ari Redbord, Global Head of Policy at TRM Labs, talks about the insane background behind the $285 million Drift Protocol crypto heist, how law enforcement agencies are investigating ransomware-linked cryptocurrency wallets, and how effective sanctions are on cybercrime.

If we needed any more evidence that the internet was a mistake, this week provided it. We kick things off with a discussion of the Canvas breach that has affected thousands of schools worldwide, then we dig into the disclosure of two new vulnerabilities in Ivanti and Palo Alto Networks products that are actively exploited, and then we talk about a new branded Linux bug called Dirty Frag. Finally, we wrap up with some comic relief from the Everything App.LinksIvanti bug: https://decipher.sc/2026/05/07/ivanti-warns-of-exploited-epmm-flaw-cve-2026-6973/Palo Alto bug: https://decipher.sc/2026/05/06/845/Dirty Frag: https://decipher.sc/2026/05/07/new-dirty-frag-linux-bug-emerges/The viral tweet: https://x.com/DennisF/status/2050682024587845690

Will Dixon has seen the evolution of cybercrime as both a GCHQ intelligence officer and a private sector executive and analyst, and has seen the way these groups operate up close. He joins Dennis to talk about the ongoing threat from ransomware gangs, how organizations are managing their responses, and what he expects to come next.

JAGS joins Dennis Fisher to unpack the complex history of fast16, a highly targeted cyber espionage platform that goes back as far as 2005, many years before Stuxnet, and was deployed against targets in Iran. JAGS has been in the APT hunting game for a long time, and brings his historical perspective and context around the Shadow Brokers leak, Stuxnet ties, and how this discovery changes what we know about the use of these tools.LinksSentinelLabs report: https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/

The security news was out of hand this week, so we had to pick our spots. We start with the nasty cPanel/WHM vulnerability that affects tens of millions of domains in shared hosting environments, then we discuss the Copy Fail Linux bug and its effects before seguing into the delightful history of branded bugs, logos, and parodies. LinksBranded bugs and logos: https://io.netgarage.org/logo/

Ariana Mirian, cofounder of startup Beesafe, joins Dennis to talk about the mechanics of online romance and finance scams, how the scammers draw in victims over weeks or months, and why user awareness isn't the complete solution to the problem. LinksBeesafe AI: https://beesafe.ai/

This week we dig deep into the Vercel intrusion that emerged last weekend, how it happened, what the response was, and what the downstream effects may be for defenders. Then we talk about CISA's bizarre delayed response to the Axios npm compromise and what it signals about the agency's capabilities going forward.

It's been A WEEK. Security news never sleeps, and neither does AI, so Dennis and Lindsey dive into all of the storylines coming from the Claude Mythos and Project Glasswing announcements, how organizations will deal with the coming flood of CVEs and patches, NIST's decision to only enrich specific CVEs going forward, and what could possibly be next on the horizon.

Dennis sits down with Tom Ptacek of Fly.io, a veteran security researcher, founder, and observer of the vulnerability landscape, to talk about the recent wave of AI-assisted vulnerability discovery and exploit development, specifically from the use of frontier models such as Claude Mythos. Tom has strong opinions on what's coming and how human researchers and defenders need to respond. Tom's post: https://sockpuppet.org/blog/2026/03/30/vulnerability-research-is-cooked/

The internet is dark and full of terrors, but thanks to folks such as Andrew Northern, a principal security researcher at internet-mapping pioneer Censys, it doesn't have to be, Andrew joins Dennis to talk about the cybercrime ecosystem, getting his start in security on a tiny team with huge responsibilities, and the value of a strong mentor.

It's been quite a week in security news, and Dennis and Lindsey dig into the continued effects of the axios supply chain attack, the incredibly fast adoption of AI tools for vulnerability research and what that means for software makers and defenders, and what the future holds for vulnerability research and exploit development.Security Theater in Austin: https://material.security/theater-2026#theater-live-event

Dennis and Lindsey dig into what we know do far about the supply chain attack on the axios NPM package, including how the attacker gained access to the maintainer's account, the window of exposure for the malicious packages, the behavior of the RAT that's installed on victims' machines, and what the downstream effects may be. LinksHuntress post: https://www.huntress.com/blog/supply-chain-compromise-axios-npm-packageSocket analysis: https://socket.dev/blog/axios-npm-package-compromised

Fresh off the plane from RSA, Dennis fills Lindsey in on everything she missed (and didn't miss) at this year's conference (0:23), from the insanity of the expo floor (4:06) to the appearance of a line of synchronized robots or spacemen or something (8:18), to some very interesting conversations about the hyper speed of AI malware development and what's coming next for defenders (27:25).

With the RSA Conference on the horizon, Dennis and Lindsey are here with a preview of the conference's more interesting sessions and keynotes, a discussion of the recent and ancient history of the conference, and a quick game: Is this a security vendor or a prescription drug name?

Sure, space pirate is a cool title, but what about space hacker? Way cooler! With the imminent release of Project Hail Mary, Wendy Nather joins Dennis Fisher to dig into the nutrient-rich narrative soil that produced a modern classic that truly epitomizes the hacker ethos. We are the greatest podcasters on Mars!

This week's news includes a reappearance by an old favorite, APT28, aka Fancy Bear, which is back with some nasty new implants and tools it is deploying against targets in Ukraine (2:10), and we also have another law enforcement disruption of a residential proxy network, this one known as SocksEscort, which had victims all over the globe (7:45). Lastly, we talk about some of the upcoming episodes, including a new hacker movie podcast and our RSA preview that's coming next week. LinksAPT28 reappears: https://decipher.sc/2026/03/10/apt28-reemerges-with-modern-espionage-arsenal-code-tied-to-2010s-operations/SocksEscort takedown: https://decipher.sc/2026/03/12/us-europol-crack-down-on-socksescort-residential-proxy-network/

The process of developing and deploying exploits is a complex and controversial one and it's often a black box to outside observers. To help shine a light on how this all works, Caitlin Condon of VulnCheck joins Dennis Fisher for a deep dive into the zero day exploit landscape, what goes into exploit development, and what actually qualifies as a functional exploit.

Every day is zero day, and this week we talked about the new Google Threat Intelligence Group report on the zero day exploit landscape in 2025 (2:22) and who's exploiting what, then we discuss Microsoft's disruption of the Tycoon 2FA cybercrime operation (9:51), and finally we talk about the KEVology report from runZero and our new podcast with Tod Beardsley (13:25).

Tod Beardsley, VP of security research at runZero and former KEV section chief at CISA, joins Dennis Fisher to talk about the evolution of the Known Exploited Vulnerabilities catalog, how much value defenders should place on a specific bug being in the KEV, and his new KEVology report that breaks down all of the data in the KEV and sifts through it for specific insights for defenders.

This week Lindsey rejoins Dennis to talk about the attacks targeting a zero day in Cisco's Catalyst SD-WAN Controller (2:17), Google's disruption of a China-linked cyber espionage campaign targeting telecom infrastructure (6:30), and the new cyber developments on everyone's favorite tech show, The Pitt (13:13)!

It's a light news week, but we have some fun content for you! This week, we talk about our latest hacker movie episode--STAR WARS--which is up on the site and all of our feeds now (0:25), then we dig into a nasty hard-coded. credential bug in Dell RecoverPoint for Virtual Machines that Chinese threat actors are exploiting (4:20), and then we move on to an active campaign targeting two vulnerabilities in Ivanti EPMM that is hitting organizations across the U.S., Canada, and other countries (08:33). Finally, we talk a little about an interesting cybersecurity plot line on HBO's show The Pitt (12:15). Spoiler warning: If you're not caught up on this show, there's a minor spoiler, but nothing you haven't really seen in the previews. Support the show

STAR WARS isn't just one of the more successful and iconic movies of all time and the basis for a worldwide sci-fi empire, it's also a true hacker story. Wade Baker and Rich Mogull, two Star Wars scholars, join Dennis Fisher to break down the Empire's pathetic perimeter defenses, R2D2's arc as a wily hacker, and how the movie hinges on a data breach.Support the show

This week was a cornucopia of zero days. We talk about the six (!) actively exploited vulnerabilities that Microsoft patched this week in its February update (2:46), then we discuss the one that Apple fixed in iOS 26.3, a vulnerability that has been used in what the company calls an "extremely sophisticated attack" against a few individuals (7:24). That's a clear indication that the vulnerability has likely been used in operations involving commercial spyware vendors. Finally, we give a little love to the long lost TV show CSI: Cyber, which starred James Van Der Beek, and the cameo that two famous hackers had on one episode (12:40). The old Threatpost CSI: Cyber running chat discussionSupport the show

Attackers are moving faster and faster every day, and the challenge of keeping pace is a daunting one. But it's not impossible. watchTowr's Ryan Dewhurst joins Dennis Fisher to talk about how the "magic" of computers first captured his imagination when he was young, how defenders can learn  from attackers' tactics and adapt, and how the AI revolution is accelerating vulnerability disclosure and exploitation.Support the show

This week we talk about the new CISA Binding Operational Directive that sets a deadline for removing end of support edge security devices from federal government networks (1:15), then we discuss the new research from Silent Push on the new variant of the SystemBC botnet (6:45), and finally we have a movie recommendation for you: Joybubbles, the fascinating new documentary about phone phreaker Joe Engressia Jr.Support the show

It was a busy week in the cybers! Today we start with the targeted exploitation of another Fortinet vulnerability (CVE-2026-24858) that enables simple authentication bypass (1:15), then we discuss Google's disruption of a large residential proxy network called IPIDEA that has been abused by hundreds of threat actors (5:40), then we talk about the continued attacks on an older WinRAR bug by both cybercrime and APT groups (10:11). Finally, we shout out some of our favorite fellow creators in security community: the Three Buddy Problem podcast, John Hammond, and Matt Johansen. Support the show

This week, we talk about how Microsoft disrupted a long-running, large-scale cybercrime-as-a-service platform called RedVDS that has been active since 2019 and was used in high-volume phishing and BEC scams (1:00), then we discuss the research from Cisco Talos on another (!) Chinese APT called UAT-8837 that is targeting critical infrastructure organizations in North America (6:06), and finally there's the clever new StackWarp vulnerability in AMD processors that was disclosed this week (9:44).RedVDS takedownCisco Talos reportStackWarpSupport the show

Jeremiah Grossman and Robert Hansen, two of the more influential and accomplished leaders and entrepreneurs in the cybersecurity community, have seen and done it all in their careers. From their roles as the driving forces behind pioneering web appsec firm WhiteHat Security to building out enterprise security programs to breaking large portions of the web (on purpose), Jeremiah and Robert have unique viewpoints on what works and what doesn't. Now, they're building something new, Root Evidence, a vulnerability management platform backed by data from actual breaches and designed to help security teams prioritize fixing the bugs that actually matter.Support the show

The new year is here! And so are the attacks. The first full week of 2026 brought us new research from Cisco Talos on a China-nexus APT group called UAT-7290 that is expanding its targeting and serving as an initial access group as well as a cyber espionage team (3:02). There is also some great data from GreyNoise on the attack volume from actors trying to exploit the React2Shell vulnerability from December (8:26). The volume is holding steady at more than 300,000 sessions per day, which is...high.Talos report: https://blog.talosintelligence.com/uat-7290/GreyNoise report: https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-farSupport the show

There may not be any computers in Home Alone, but few movie characters embody the old-school hacker ethos like Kevin McCallister does. Resourceful, clever, determined, and creative, Kevin uses all of the tools and talents at his disposal to repel a pair of relentless adversaries. Merry Christmas ya filthy animals!Support the show

As we ease into the holidays, the security news doesn't stop coming. This week we discuss the research from AWS threat intelligence on Russian adversaries targeting a variety of network edge devices for opportunistic exploitation, then we break down attacks by a Chinese threat actor that target a new zero day in Cisco's AsyncOS, and finally we discuss the continued exploitation of the React2Shell vulnerability. Support the show

Pete Baker and Zoe Lindsey join Dennis Fisher on the roof of Nakatomi Plaza to discuss one of the great action classics* and a beloved movie in the hacker community: Die Hard. Yippee ki-yay! *NOT a Christmas movieSupport the show

This week gave us the gift of some more React Server Components vulnerabilities  and further exploitation of the previously disclosed bugs by a variety of threat groups. There were also a long list of vulnerabilities disclosed by Microsoft, Adobe, and others, which we discuss in the context of how difficult vulnerability management is right now. Finally, we discuss CISA's warning about continued Russian targeting of US critical infrastructure.GreyNoise report: https://info.greynoise.io/hubfs/At-The-Edge/Weekly-Intelligence-Brief-120825.pdf?_ga=2.212724369.466870115.1765553789-1325891860.1765553788Support the show

Coming from a military family, Erin Whitmore was prepared for a career of service. But her path took her not into the military, but the intelligence community, first in the private sector supporting the DIA and NGA, and later as a cybersecurty program manager in the Office of the Director of National Intelligence. She eventually joined CIA as an operations officer and served in locations around the world before moving back to the private sector where she now focuses on executive risk and strategic intelligence at CYPFER. Erin joins Dennis Fisher to talk about her unique path and how it's prepared her for today's threats and the nascent AI revolution.Support the show

Dennis and Lindsey react (!) to the React2Shell vulnerability disclosure and the quick exploitation of it by Chinese threat actors, then discuss the continues intrusions into critical infrastructure by the Salt Typhoon actors and this week's congressional hearing on telecom network security. Finally, we talk about some upcoming hacker movie episodes, including Die Hard and maybe Home Alone!Support the show

Jeff Gothelf, a renowned author and product strategist and co-founder of Sense and Respond Learning, joins Dennis to discuss the need to design products with users in mind, how critical thinking can help teams succeed, and what the AI revolution means for security teams and other groups.Support the show

It's an acronym-filled, government-only bonanza this week! We discuss the DoJ sanctioning Russian bulletproof hosting provider Media Land (0:53), the SEC dropping its enforcement action against SolarWinds and its CISO (13:25), and the FCC reversing course on a longstanding security rule for telecom providers (26:00).Support the show

Dennis is joined by Rich Mogull, chief analyst at the Cloud Security Alliance, cloud security trainer, and all around good guy to talk about the Cloudflare outage, why the internet is now just six companies, and what, if anything, organizations can do to improve their resilience in the current environment. Support the show

This week was a bit of a throwback to olden times, with the disclosure by Amazon threat intelligence of  zero days in Cisco and Citrix products that were exploited by an unnamed APT, and Google using legal action to disrupt the Lighthouse phishing service operation. We dig into those two stories, plus we discuss the challenge of trying to quantify the financial and other effects of a major cyber attack. Related stories:https://decipher.sc/2025/11/12/apt-targets-cisco-and-citrix-zero-days/https://decipher.sc/2025/11/14/marks-and-spencers-profit-drop-the-financial-toll-of-cyberattacks/https://decipher.sc/2025/11/12/google-wants-to-snuff-out-lighthouse-phishing-kit/https://censys.com/blog/highway-robbery-2-0Support the show