On-Prem Red Team AI — engineering notes from the front line
Deep dives, comparisons and field reports on autonomous red team AI, generative pentesting, deep-packet traffic intelligence, NIS2/DORA, and how to operate them air-gapped.
- CVE-2026-48172, LiteSpeed, Shared Hosting
LiteSpeed cPanel CVE-2026-48172: when one tenant becomes root across every site you host
CVSS 10.0, actively exploited as a zero-day, added to CISA KEV on May 26 with a federal deadline of May 29. The shared-hosting blast radius is the real story — and quarterly pentest cycles cannot see it coming.
8 min read
- NIS2, Known Vulnerabilities, ENISA Threat Landscape
NIS2's First Audit Deadline Is June 30. The 21.3% Known-CVE Gap Will Be the First Finding
On 30 June 2026 the first NIS2 compliance audit cycle closes. ENISA's 21.3% known-CVE intrusion rate stops being a slide and starts being an audit finding.
7 min read
- Cisco SD-WAN, CVE-2026-20182, UAT-8616
Cisco SD-WAN CVE-2026-20182: the downgrade-and-revert chain a quarterly pentest cannot catch
CVSS 10.0 auth bypass on Cisco Catalyst SD-WAN Controller, UAT-8616 active since 2023, and a downgrade-then-revert kill chain that erases the version trail point-in-time audits depend on.
8 min read
- ClickFix, Watering Hole, Traffic Analysis
Ghost CMS, ClickFix and the Watering Hole That Wears Harvard's Hostname
CVE-2026-26980 turned 700+ Ghost CMS sites into ClickFix watering holes — Harvard, Oxford and DuckDuckGo among them. The host you trusted is now the distributor.
9 min read
- EDR, CISA KEV, Endpoint Security
EDR as Attack Surface: Defender and Apex One Zero-Days in 48 Hours
In a 48h window CISA added Microsoft Defender and Trend Micro Apex One zero-days to KEV. When the endpoint security stack itself is the entry point, continuous external validation is the only check that holds.
8 min read
- Dwell Time, Healthcare, MTTD
Mandiant Says Dwell Time Is 14 Days. UNMC's Was 858.
The Mandiant M-Trends 2026 median dwell time is 14 days. The University of Nebraska Medical Center just disclosed an unauthorized-access window of 858 days. The gap is not a median problem — it's a detection-blind-spot problem the wire can fix and the host cannot.
6 min read
- DORA, Incident Reporting, Financial Services
DORA's 4-hour clock: classification is the new evidence problem
DORA enforcement turns active in 2026: 4 hours to file from the moment an incident is classified major. The hard part isn't the report — it's classifying in time.
7 min read
- CISA KEV, Legacy Vulnerabilities, Conficker
Conficker and Aurora Are Still on CISA KEV: the 2026 Legacy Attack Surface in Numbers
CISA's May 20, 2026 KEV update added five CVEs from 2008-2010 — including the original Conficker and Aurora bugs — plus two new Microsoft Defender flaws. The legacy attack surface is still alive.
9 min read
- Manufacturing Ransomware, NIS2 Enforcement, Nitrogen Ransomware
Two Manufacturers in Eight Days: NIS2's Evidence Gap Just Got Concrete
West Pharmaceutical disclosed encryption-plus-exfiltration on 2026-05-07; Foxconn confirmed a Nitrogen ransomware breach on 2026-05-12. The post-incident audit question — what controls were active and provable — is no longer hypothetical.
8 min read
- Supply Chain, SLSA Provenance, CI/CD Security
Signed Is Not Safe: When SLSA Provenance Ships Malware
Mini Shai-Hulud pushed npm packages carrying valid SLSA Build Level 3 provenance and Sigstore signatures. Supply-chain trust just broke a layer deeper — and runtime traffic is the last line that still sees it.
8 min read
- Exfiltration-Only Ransomware, Traffic Analysis, Critical Infrastructure
Exfiltration-Only Ransomware: Why Wire-Speed Traffic ML Is Now the Last Line of Defense
Q1 2026 ransomware operators are skipping encryption and going straight to data theft. The new kill chain is silent unless you can spot exfiltration as it happens — at wire speed, on your network, not in tomorrow's SIEM digest.
5 min read
- AI Ransomware, Critical Infrastructure, Generative Pentest
Generative Pentest vs AI Ransomware: A Defense Playbook for the 2026 Threat Landscape
AI-augmented ransomware, state-aligned wipers, and live-fire attacks on European utilities have reshaped what "adequate defense" means in 2026. This is the engineering case for continuous, generative penetration testing — and how to deploy it without giving up data sovereignty.
7 min read
- Red Team AI, Pentest, Operations
AI vs. Human Red Teamer: Where Autonomy Actually Pays
Honest take from a team that builds both AI and human-led red team campaigns. We split the offensive security workflow into eight phases and look at exactly where an AI agent beats a senior pentester, where it doesn't, and where the right answer is hybrid.
5 min read
- NIS2, DORA, Compliance
NIS2, DORA and the End of the Annual Pentest
NIS2 and DORA both push the same uncomfortable idea: security testing must be continuous and evidence-backed. Annual pentests no longer satisfy auditors. We map the regulatory requirements to a continuous AI pentest model and explain what an audit looks like when evidence is generated automatically.
4 min read
- Red Team AI, On-Premise, Architecture
Red Team AI: Why On-Prem Beats Cloud for Enterprise Pentesting
Cloud-hosted AI pentest tools force you to ship your attack surface to a third party. We argue that on-prem AI red teams are the only viable path for regulated industries — and explain the architecture that makes it possible on a single appliance.
4 min read