HOW FAST WILL AI–BASED NEW CYBERSECURITY TECH DISRUPT EXISTING VENDORS HIERARCHY ?
According to … Morgan Stanley expert Meta Marshall, the cybersecurity vendor market is at an inflection point, with frontier lab entrants poised to either accelerate growth or disrupt it. “The outcome depends largely on which market segments they can realistically compete in.The biggest exposure is in batch-based, lower-accuracy segments such as threat monitoring, where large language models can process alerts at scale.” This statement comes as a confirmation of the sharp drop in share prices of some large cybersecurity vendors one month ago.
Another reaction, by Awul Tiwary of EL DORADO investment funds : For large platform vendors this is a consolidation accelerant. PANW, CRWD, and other scaled players have the data, the customer base, and the integration surface to embed models like Mythos into real-time defense. Their moats just got deeper, not shallower. For startups the clock just sped up. Early-stage cyber companies with genuine AI-native architectures become more strategically valuable overnight. But those without differentiated IP face a harder path build-vs-buy math just tilted hard toward buy. For the M&A ecosystem expect more urgency. Acquirers will move faster to fill AI capability gaps, and founders with real defensibility will have more leverage. The talent and IP land grab in AI security is about to accelerate.”
Obviously, observers concur on the impact of new AI tools which could either replace or complete existing software, in particular in the Threat Detection and Response domain. Incumbent vendors have the expertise, and huge data sets, which new entrants may find difficult to challenge. On the other hand, new AI-based entrants have the agility and probably a lot of efficiency. In all cases, this means that the competition between vendors, which was relatively frozen, opens up again ! An opportunity for European vendors to catch up ?
Before letting readers weight this discussion, one should mention the latest version of ANTHROPIC’s CLAUDE AI system : CLAUDE MYTHOS. Though not officially launched, it seems that this system provides so far un matched capacities to detect defaults in an IT configuration … which can be either used by defenders to improve their cybersecurity system (again, possibly without the aid of large cyber providers) …or by hackers to exploit these defaults quicker and more efficiently than before …
MESSAGING SYSTEMS TARGETED BY STATE HACKERS
The French cyber crisis command center calls for vigilance as messaging systems, in particular for VIPs, are targeted by hackers reportedly linked to Russian services. Diverse techniques are in use, including ID stealing.
DATA LEAKS AGAIN AND AGAIN AT THE FRENCH NATIONAL EDUCATION IT SYSTEM
A recent infiltration of the COMPAS database has resulted in the leak of data regarding a number of National Education interns and teachers. Two months ago, it was the turn of France Education International, whose platform “GAEL” was hacked, exposing data of million persons applying for a degree in French language. And, a few days ago, an attack against the platform mesrdv.etudiant.gouv.fr , which gives students access to social and housing services, resulted in the exfiltration of more than 700 000 students’ files.
A few days after the most recent attacks, the Minister has announced a plan including the generalization of double authentication, and a better segmentation of the data.
AN ACCOUNT OF THE HEAD OF FBI ALLEGEDLY HACKED BY THE IRANIAN HACKERS GROUP HANDALA
Based on published content, the account could effectively be that of the FBI boss. According to some US sources, an account belonging to a responsible of the FBI has really been hacked, though the sources don’t confirm to whom precisely it belongs. A few days ago, the same FBI announced it had destroyed HANDALA’s website. This gang is also suspected to have provoked the disruption of the Health equipment company STRIKER.
ANOZRWAY PROPOSES A TOOL TO DETECT PHISHING MESSAGES
ANOZRWAY, a French cybersecurity vendor, provides VIP with a solution to know if they are exposed on the dark web. It has now added a new functionality to sort out phishing and normal messages. In case of doubt on a a SMS received late at night, an “ urgent message from a colleague”, a link that looks deceptively like a well-known site, its tool 𝗔𝗬 𝗦𝗲𝗹𝗳𝗣𝗿𝗼𝘁𝗲𝗰𝘁 𝗮𝗽𝗽 now includes a feature to help detect phishing attempts!. User just needs to copy-paste the text of the WhatsApp message, SMS, email, etc., or attach a screenshot to check if the message is a phishing attempt or a legitimate message.
DANGEROUS MALWARE EXPOSED
The FBI has detected a dangerous malware campaign. The danger is evaluated so high that the FBI has published a Post to warn users. On our side, we have checked with one of the mentioned ecosystems, which has confirmed the attack. Here is the FBI PR:
Trivy, one of the most widely used open-source vulnerability scanners, has been compromised as part of an active software supply chain campaign that is still expanding. The threat actor – TeamPCP – exploited a misconfiguration in Trivy’s GitHub Actions environment in late February, stealing a privileged access token. The attacker retained access and published malicious releases of Trivy on March 19.
The campaign moved fast from there: in five days, TeamPCP used stolen credentials to cross five ecosystems: GitHub Actions, Docker Hub, npm, OpenVSX, and as of today, PyPI, where they backdoored LiteLLM, an AI proxy library with over 95 million monthly downloads. The malware harvests cloud credentials, SSH keys, Kubernetes secrets, database passwords, API tokens, crypto wallets, and environment config files. In Kubernetes environments, it deploys privileged pods to every node for lateral movement.
Given the volume of stolen credentials across likely thousands of downstream environments, expect an increase in breach disclosures, follow-on intrusions, and extortion attempts in the coming weeks. TeamPCP is deliberately targeting security tools that run with elevated privileges by design. Compromising them gives the attacker access to some of the most sensitive environments in the organization, because security tools are typically granted broad access by design.
ERRATUM
In our recent Mapping, we rightly mentioned POINTSHARP, a Swedish-German vendor. However we showed two lines, possibly giving the impression that two different companies share the same name, while there is only one, with presence in Sweden and in Germany. Moreover, besides its original focus on Identity & Access Management, Pointsharp is also active on Email Security, Fraud prevention and Secure communication.
DATA PROTECTION AND CYBERSECURITY ACT
In a recent publication, the French ANSSI has commented on the fact that cloud services security certification no longer includes the assessment of immunity against data transfer caused by the application of extraterritorial jurisdiction. ANSSI says that this issue, as it is broader than cybersecurity, will be treated in the revision of the EU Cybersecurity Act, which will among others clarify issues related to the supply chain. In presenting the work on this revision, the EU Commission services say :”A shared European approach to cybersecurity is essential for protecting Europe’s overall security. The proposal will enhance the cybersecurity resilience of Europe’s critical infrastructures by setting up a horizontal framework for trusted ICT supply chain security. This will allow the EU and Member States to act together to address strategic risks of undue foreign interference and critical dependencies in critical ICT supply chains with targeted and proportionate measures. It will also ensure that operators of electronic communications networks do not rely on high-risk suppliers for their critical assets.” So let’s see if the risks linked to lack of immunity against extraterritorial jurisdiction will be rightly exposed in the future proposal.
WHICH REPORTING OF CYBERSECURITY INCIDENTS IN THE EU ?
The Digital Omnibus a legislative initiative that amends several existing EU digital rules to harmonise requirements and reduce the regulatory burden in digital governance – proposes the implementation of a Single-Entry Point (SEP) mechanism, to report a cybersecurity incident. SEP aims to streamline compliance by allowing companies to fulfil multiple mandatory reporting obligations under various EU laws through a unified process.
However, six member States including Italy, France, Germany, Spain, Netherlands and Sweden, criticize this option. They argue centralization risks creating a “honeypot” for hostile actors and could complicate, not simplify, compliance for businesses. In fact, the real reason seems to be that most incidents affect companies operating in a single country, for which a national structure such as CERT or CSIRT is a more efficient and quick reporting line. The opponents also suggest resorting to an ENISA-managed website which would direct reports to the national entity, while allowing for coordination.
