2026 MSP Threat Report Summary

The era of the “break-in” is over. Attackers are now leveraging valid credentials and session tokens to bypass traditional perimeters. The latest telemetry from Guardz highlights a shift toward quiet, identity-driven campaigns.

89%
SMBs with confirmed credential compromise
2,000%
Spike in Google Workspace OAuth abuse
25:1
Non-human to human identity ratio
 

The Evolution of Stealth: BEC 3.0

Attackers are moving away from loud malware and toward “living-off-the-land” techniques. By monitoring legitimate email threads for weeks, adversaries use AI-generated voice and context-aware messaging to authorize fraudulent transactions without ever triggering a security flag.

 

RMM: The New Command & Control

RMM tool abuse now accounts for 26.2% of all endpoint threats. By exploiting legitimate tools like ScreenConnect and NinjaRMM, attackers create encrypted channels that are indistinguishable from authorized MSP traffic.

 

Immediate Operational Priorities

  • Phishing-Resistant MFA: Standardize on FIDO2/Passkeys to prevent session hijacking.
  • OAuth Governance: Audit application grants and enforce admin-level approval requirements.
  • Behavioral Monitoring: Monitor inbox rules and non-human identity patterns in real-time.
  • Kill Legacy Auth: Disable outdated protocols via Conditional Access to prevent MFA bypass.

Download the full 2026 State of MSP Threat Report

Healthcare Guide: HIPAA-Compliant Remote Access

In an era where healthcare professionals work across diverse locations, the traditional network perimeter has dissolved. Protecting electronic Protected Health Information (ePHI) requires more than just a password; it requires a comprehensive Zero Trust strategy.

Market Insight: In 2025, the average cost of a healthcare data breach rose to $7.42 million, marking the 14th consecutive year the industry has held the highest breach costs.

The Core Compliance Framework

Administrative

Managing the human element: risk assessments, incident response plans, and continuous training.

Physical

Hardening the environment: Device encryption and secure workstation management.

Technical

The digital vault: Multi-factor authentication (MFA) and AES-256 bit data encryption.

The Business Associate Agreement (BAA)

Compliance is a shared mandate. Before any vendor handles patient data, a BAA must be executed. This contract ensures that third-party partners implement the same rigorous security standards as the provider. Organizations like NordLayer offer a HIPAA BAA to streamline this legal and technical requirement.

Strategic Implementation

  • Zero Trust Network Access (ZTNA): Verifies every connection attempt based on user identity, device health, and context.
  • Principle of Least Privilege: Grants users access only to the specific clinical systems required for their role.
  • Continuous Auditing: Maintains immutable logs of all remote sessions to ensure audit readiness for the HIPAA Security Rule.

Penta Security Achieves Triple Recognition at 2026 Globee Awards

CVE-2026-3854: GitHub Enterprise Server RCE

Risk Impact: Successful exploitation allows for complete system compromise. Immediate patching is required.

Required Updates

BranchPatch Version
3.14.x3.14.25+
3.15.x3.15.20+
3.16.x3.16.16+
3.17.x3.17.13+
3.18.x3.18.7+
3.19.x3.19.4+

 

Network Hunting

Use the following query in your runZero Software Inventory to locate all GHES installations:

vendor:=GitHub AND product:="Enterprise%"

Post-Mortem: Defeating Conversational Phishing

Phishing has evolved. Today’s most dangerous attacks don’t use malware—they use social engineering. By mimicking the tone of professional security researchers, attackers are attempting to hack your sense of responsibility rather than your network.

The Core Lesson: Security tools are designed to surface risk, but human intuition is required to validate it. Defense-in-depth is only effective when technology and training act in concert.

 

The Anatomy of the Attack

The threat actor utilized a classic “responsible disclosure” lure. By addressing our leadership directly and requesting to report a “critical vulnerability,” they manufactured a professional obligation that encouraged us to engage. Crucially, the email contained no malicious links or attachments—it was designed purely to initiate a conversation.

 

The Defense Strategy

We avoided compromise through a two-layered defense:

  • Layer 1 (Technical): Our email filter correctly applied a “First-time sender” yellow warning banner, serving as the initial trigger for caution.
  • Layer 2 (Human): A security-trained team member utilized the five-minute verification rule: researching the sender’s digital footprint, the authenticity of the consultancy, and cross-referencing industry patterns.

 

Building a Culture of Readiness

To defend against modern social engineering, security awareness must shift from static presentations to dynamic, ongoing habits:

  • Continuous Training: Replace annual presentations with regular, short-burst sessions on emerging threats.
  • Real-World Simulations: Test your team with spoofed meeting invites and urgent alerts to build operational instincts.
  • Inclusivity: Executive and administrative staff are prime targets; ensure your program covers them comprehensively.

The attackers are patient and professional. Your best defense is not a better spam filter, but the disciplined pause before hitting Reply.

ESET introduces Cloud Workload Protection for ESET PROTECT customers

 

ESET launches Cloud Workload Protection and AI enhancements for ESET PROTECT customers

Protect your cloud infrastructure across AWS, Azure, and GCP with AI-powered, multilayered security. ESET’s Cloud Workload Protection prevents malware, blocks threats early, and reduces downtime to keep workloads secure and available.

It feeds VM data into the ESET PROTECT XDR platform for improved visibility and control. Unlike many competitors, this capability is included at no extra cost for ESET PROTECT customers (excluding Entry), making advanced cloud security more accessible and cost-effective.

LEARN MORE

Explore ESET Cloud Workload Protection benefits

Block Targeted Attacks

ESET leverages global threat intelligence to prioritize and block new threats before widespread delivery.

Managed from a Unified Console

Managed from a Unified Console

Manage all ESET cloud VMs, endpoints, and mobile devices through the unified ESET PROTECT console.

Block Targeted Attacks

ESET leverages global threat intelligence to prioritize and block new threats before widespread delivery.

Ransomware Shield & Remediation

Adds ransomware protection with automated rollback and seamless file restoration from secure backups.

Advanced Multilayered Technology

Decades-built AI-powered ESET technology delivers award-winning detection engine and globally trusted protection core.

Seamless Integration

Activate security on cloud VMs in clicks via ESET PROTECT integrations with AWS, Azure, GCP.

Extended Visibility and XDR

Cloud telemetry feeds ESET PROTECT XDR, enabling admins to control, automate response, and hunt threats.

ESET Cloud Workload Protection

Protect your cloud virtual machines (VMs) from advanced cyber-threats

REQUEST A DEMO
MAKE AN ENQUIRY

Penta Security: 2026 Globee Award Triple Win

2025-12-09  Real-time log encryption is now essential because logs contain sensitive data and serve as blueprints for sophisticated attackers like APTs and ransomware groups. Following incidents like the Salesforce third-party breach, organizations must treat logs as critical assets requiring protection from the moment they’re created. This proactive approach, exemplified by solutions like Penta Security’s D.AMO, neutralizes damage if storage is compromised and enhances threat detection by preventing attackers from analyzing unencrypted system architecture and account patterns.

Continue reading

Security Bulletin: Citrix Hypervisor Vulnerabilities

URGENT: On April 24, 2026, researchers identified 89 vulnerabilities in XAPI. No patches are currently available. A full system rebuild is advised due to the foundational nature of these flaws.

Vulnerability Overview

The latest audit reveals 89 flaws across the XAPI codebase (dating back to 2006). These allow authenticated vm-admin users to execute cross-hypervisor lateral movement and storage protocol injection without triggering security alerts.

Severity Distribution:

  • 5 Critical
  • 28 High
  • 46 Medium
  • 10 Low

Network Discovery (runZero)

Use these queries to inventory your hypervisor environment:

Locate XAPI-affected assets:
os:="Citrix XenServer"

Locate legacy Citrix/XenServer assets:
(product:citrix and type:hypervisor) or product:xenserver

Legacy Vulnerability Reminders

Ensure your environment is also audited for previous disclosures, including CVE-2024-45817 (Deadlock risk) and CVE-2022-24805/9 (SNMP service crashes). Limit management interface access to reduce your attack surface until architectural rebuilds can be performed.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

HPE Aruba & GREYCORTEX Mendel Integration Demo

The Outcome: In a live-fire simulation, the integrated HPE CX10000 and GREYCORTEX Mendel solution detected and neutralized an Nmap port scan in under two minutes, requiring zero manual analyst intervention.
 
 

The Integration Workflow

1. Telemetry Ingestion: The CX10000 collects deep flow data and relays it to the Mendel intelligence engine.
2. Behavioral Detection: Mendel recognizes malicious scan patterns in real-time.
3. Automated Response: Mendel triggers a script to update switch security policies immediately.
4. Host Isolation: The attacker is blocked from the network, containing the threat.
 
 

Technical Significance

Featured on HPE Aruba’s Airheads Broadcasting, this demonstration highlights how deep network telemetry can be transformed into actionable, automated security policy. By bridging the gap between infrastructure hardware and security analytics, organizations can significantly reduce the “mean time to respond” (MTTR).

Watch the Full Technical Demo

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Shadow AI Strategy for MSPs

Strategic Insight: MSPs must stop viewing Shadow AI as a single category. It is a distributed condition spanning five control planes. A governance model that ignores any one of these surfaces is structurally incomplete.

 

The Five Surfaces of Risk

SurfaceDescription
Shadow EndpointLocal AI tools (Claude, Ollama) interacting with endpoint data.
Shadow IdentityHigh-frequency usage of AI tools by specific, high-risk user roles.
Shadow InfrastructureOutbound API calls & egress to external inference endpoints.
Shadow OAuthDurable tokens with broad access to M365/GWS resources.
Shadow AgentAutonomous agents/workflows operating as non-human entities.

 

Operational Recommendations

  • Consent Inventory: Implement fleet-wide, continuous inventory of all OAuth grants.
  • The 2-Minute Audit: If you cannot trace an AI alert to a raw log event within 120 seconds, your detection is noise.
  • Documentation as Defense: Enumerating the absence of AI tools is a defensible artifact for cyber insurance and audits.