On-Prem Red Team AI — engineering notes from the front line
Deep dives, comparisons and field reports on autonomous red team AI, generative pentesting, deep-packet traffic intelligence, NIS2/DORA, and how to operate them air-gapped.
- LiteSpeed cPanel CVE-2026-48172: when one tenant becomes root across every site you host
  Tags: CVE-2026-48172, LiteSpeed, Shared Hosting
  CVSS 10.0, actively exploited as a zero-day, added to CISA KEV on May 26 with a federal deadline of May 29. The shared-hosting blast radius is the real story — and quarterly pentest cycles cannot see it coming.
  8 min read

- NIS2's First Audit Deadline Is June 30. The 21.3% Known-CVE Gap Will Be the First Finding
  Tags: NIS2, Known Vulnerabilities, ENISA Threat Landscape
  On 30 June 2026 the first NIS2 compliance audit cycle closes. ENISA's 21.3% known-CVE intrusion rate stops being a slide and starts being an audit finding.
  7 min read

- Cisco SD-WAN CVE-2026-20182: the downgrade-and-revert chain a quarterly pentest cannot catch
  Tags: Cisco SD-WAN, CVE-2026-20182, UAT-8616
  CVSS 10.0 auth bypass on Cisco Catalyst SD-WAN Controller, UAT-8616 active since 2023, and a downgrade-then-revert kill chain that erases the version trail point-in-time audits depend on.
  8 min read

- Ghost CMS, ClickFix and the Watering Hole That Wears Harvard's Hostname
  Tags: ClickFix, Watering Hole, Traffic Analysis
  CVE-2026-26980 turned 700+ Ghost CMS sites into ClickFix watering holes — Harvard, Oxford and DuckDuckGo among them. The host you trusted is now the distributor.
  9 min read

- EDR as Attack Surface: Defender and Apex One Zero-Days in 48 Hours
  Tags: EDR, CISA KEV, Endpoint Security
  In a 48-hour window CISA added Microsoft Defender and Trend Micro Apex One zero-days to KEV. When the endpoint security stack itself is the entry point, continuous external validation is the only check that holds.
  8 min read

- Mandiant Says Dwell Time Is 14 Days. UNMC's Was 858.
  Tags: Dwell Time, Healthcare, MTTD
  The Mandiant M-Trends 2026 median dwell time is 14 days. The University of Nebraska Medical Center just disclosed an unauthorized-access window of 858 days. The gap is not a median problem — it's a detection-blind-spot problem the wire can fix and the host cannot.
  6 min read

- DORA's 4-hour clock: classification is the new evidence problem
  Tags: DORA, Incident Reporting, Financial Services
  DORA enforcement turns active in 2026: 4 hours to file from the moment an incident is classified major. The hard part isn't the report — it's classifying in time.
  7 min read

- Conficker and Aurora Are Still on CISA KEV: the 2026 Legacy Attack Surface in Numbers
  Tags: CISA KEV, Legacy Vulnerabilities, Conficker
  CISA's May 20, 2026 KEV update added five CVEs from 2008-2010 — including the original Conficker and Aurora bugs — plus two new Microsoft Defender flaws. The legacy attack surface is still alive.
  9 min read

- Two Manufacturers in Eight Days: NIS2's Evidence Gap Just Got Concrete
  Tags: Manufacturing Ransomware, NIS2 Enforcement, Nitrogen Ransomware
  West Pharmaceutical disclosed encryption-plus-exfiltration on 2026-05-07; Foxconn confirmed a Nitrogen ransomware breach on 2026-05-12. The post-incident audit question — what controls were active and provable — is no longer hypothetical.
  8 min read