The Cyber Resilience Brief: A SafeBreach Podcast

Every CISO is asking it: now that frontier models like Claude Mythos and ChatGPT 5.5 have real offensive cyber capability, are zero days surging? Host Tova Dvorin and SafeBreach offensive engineer Adrian Culley dig into the mid-2026 data — GTIG, Mandiant M-Trends, Rapid7, AISI — and find the curve moved in shape, not volume. Inside: the two AI "firsts" (Big Sleep and a 2FA-bypass exploit), why commercial spyware explains the rebound, the negative-seven-day time-to-exploit, and why defender deployment is the real bottleneck. #cybersecurity #infosec #CISO #zeroday #AIsecurity #BAS #AEV #CTEM #SafeBreach #threatintel

Most enterprises assume their zero trust architecture covers their AI agents. It doesn't. Hosts Tova Dvorin and Adrian Culley break down why zero trust breaks against the Model Context Protocol (MCP) — and why "verified" no longer means "safe." They unpack trust decay, the WhatsApp and GitHub MCP exploits, rug-pull tool poisoning, CVE-2025-49596, and the rise of "zero standing trust," then close with three moves for CISOs this quarter: inventory your MCP estate, mandate authentication, and validate your controls.#cybersecurity #infosec #CISO #MCP #ZeroTrust #AgenticAI #AISecurity #BAS

When a tired EU diplomat clicks "connect" on an airport Wi-Fi portal, his briefing — and his government's secrets — end up in Chengdu. Hosts Tova Dvorin and Adrian Culley unpack Mustang Panda (APT27 / Bronze President), the Chinese threat group running the long con against NGOs, ASEAN ministries, and Tibetan and Uyghur activists. Inside: captive-portal Wi-Fi Pineapples that bypass MFA, PlugX side-loading through legitimate apps, and the USB worm that jumps air-gapped military networks.#cybersecurity #infosec #CISO #MustangPanda #APT27 #ChinaAPT #BAS #SafeBreach

China's cyber shadow has already reached your software. APT 41 — known as Double Dragon — isn't just stealing state secrets. They've pioneered a new generation of supply chain attacks, trojanizing the shared code libraries that thousands of organizations trust without question. And their latest splinter unit, UAT 7290, has been inside North American developer environments for over a year — not triggering anything, just watching, learning, and waiting to strike in a way that looks completely native.In this episode, Tova Dvorin and Adrian Culley expose the group that breaks every rule of traditional espionage: how the MSS built an elite hacker force by letting them run their own criminal enterprise on the side, how APT 41 turned the video gaming industry into a personal ATM worth millions, and why China's 2026 cybersecurity law has given these groups a 48-hour head start on every new exploit.

Are you still stuck on the vulnerability hamster wheel? In this episode of the Cyber Resilience Brief, host Tova Dvorin is joined by SafeBreach VP of Product Koby Bar and offensive security expert Adrian Culley to unpack a major shift in how enterprises approach proactive security — and to announce the launch of SafeBreach Helm, the AI validation layer built for Continuous Threat Exposure Management (CTEM).They break down all five pillars of CTEM — scoping, discovery, prioritization, validation, and mobilization — and explain exactly why most organizations stall before operationalizing any of them. You'll learn why nearly 40% of actionable exposures aren't CVEs at all, why CVSS scores without context are dangerous, and how an LLM-driven engine can turn 10,000 vulnerabilities into 12 surgical priorities — validated against your actual environment.Whether you're a CISO trying to prove security ROI, a security engineer drowning in alerts, or a practitioner exploring CTEM frameworks, this episode delivers the blueprint for moving from theoretical risk to proven, validated exposure management.Topics covered:What CTEM actually means and why the detect-and-patch model is brokenHow AI-powered scoping keeps pace with a dynamic attack surfaceWhy toxic combinations of misconfigs and identity risks outrank many high-CVSS CVEsAdversarial Exposure Validation (AEV): testing controls, not just checking boxesHow Helm bridges the IT/security communication gap to accelerate remediationLearn more about how SafeBreach supports CTEM: https://www.safebreach.com/solution-brief/ctem-by-safebreach/

The EU Cyber Resilience Act (CRA) is set to transform cybersecurity—from a best practice into a legal requirement. But what does that actually mean for security teams, product leaders, and CISOs?In this episode of The Cyber Resilience Brief, host Tova Dvorin and cybersecurity expert Adrian Culley break down the CRA in plain terms—and explain why the shift to continuous security validation is unavoidable.You’ll learn:What the CRA means by “products with digital elements (PDEs)”—and why almost everyone is in scopeThe real obligations manufacturers, importers, and distributors must meetHow CRA connects to DORA and TIBER—and why this is just the beginning of a broader regulatory waveWhy point-in-time testing is officially obsoleteHow BAS, CART, and Adversarial Exposure Validation (AEV) enable continuous compliance and real resilienceWith enforcement deadlines approaching and significant penalties on the horizon, the message is clear: If your security testing isn’t continuous, it’s not CRA-ready.Whether you're selling into the EU or building digital products anywhere in the world, this episode will help you understand what’s coming—and how to stay ahead of it.Listen now to learn how to shift from reactive security to continuous cyber resilience.Read more about EUCRA in our blog: https://www.safebreach.com/blog/eu-cyber-resilience-act-readiness/

In this episode of the Cyber Resilience Brief, we shift from chaotic cybercriminals to the calculated world of Russian nation-state threat actors—breaking down the three agencies that dominate Russia’s cyber operations: the GRU, SVR, and FSB.What many organizations mistakenly treat as a single “Russian threat” is actually a complex ecosystem of competing intelligence agencies—each with distinct goals, tactics, and operational philosophies.The GRU (military intelligence) acts as the sledgehammer, driving destructive campaigns like NotPetya and operating groups such as Fancy Bear and Sandworm.The SVR (foreign intelligence service) is the scalpel, specializing in stealth, long-term espionage, and persistent access through groups like Cozy Bear.The FSB (domestic security) plays a unique role—bridging the gap between nation-state operations and the cybercriminal underground, recruiting and leveraging hackers to extend its reach.We also explore how FSB-linked actors use advanced social engineering and persona development, how their tactics compare to groups like Scattered Spider, and why this convergence of espionage and cybercrime poses a growing risk to organizations worldwide.Understanding these distinctions is critical for accurate threat attribution, effective defense strategies, and cyber resilience planning.🎧 In this episode, you’ll learn:The key differences between GRU, SVR, and FSB cyber operationsHow Russian intelligence agencies compete—and why that mattersThe role of cybercriminal groups in nation-state campaignsEmerging risks from the blending of high-volume attacks and targeted espionage🔐 Whether you’re a CISO, security practitioner, or cyber threat intelligence professional, this episode will help you better understand—and defend against—modern Russian cyber threats.

The U.S. just made its boldest move in cybersecurity in decades.In this episode of the Cyber Resilience Brief, Tova Dvorin and Adrian break down President Trump’s 2026 Cyber Strategy—and why it signals a massive shift from reactive defense to proactive, offensive cybersecurity.What does this mean for CISOs, security leaders, and the private sector?We unpack the strategy’s most critical pillars, including:Why “checklist compliance” is officially deadThe rise of offensive cybersecurity and adversary disruptionHow AI and agentic systems are reshaping cyber defenseThe growing mandate for Continuous Threat Exposure Management (CTEM)What Zero Trust and post-quantum cryptography really require in practiceWhy critical infrastructure and supply chains are now front and centerHow this strategy pulls the boardroom into cybersecurity accountabilityThis isn’t regulation—it’s a call to action. And for organizations that fail to validate their defenses continuously, the risks have never been higher.If you’re a CISO, security practitioner, or executive, this episode will help you understand what’s coming—and how to prepare.Read the full blog here: https://www.safebreach.com/blog/the-2026-white-house-cyber-strategy/

June 2025 marked a turning point in cyber warfare.In this episode of The Cyber Resilience Brief, Tova Dvorin and offensive engineer Adrian Cully break down the cyber escalation that followed Operation Rising Lion — what some analysts now describe as Iran’s 12 days of cyber war.As missiles struck Iranian strategic targets, coordinated hacktivist groups like Cyber Avengers and Handala launched psychological operations, mass SMS spoofing campaigns, and attacks targeting operational technology (OT) systems — including Unitronics PLCs used in water and industrial facilities worldwide.The impact quickly spread beyond the Middle East. U.S. water utilities were targeted, supply chain vulnerabilities were exploited, and retaliatory cyberattacks struck financial infrastructure.In this episode, we explore:How hybrid warfare is collapsing the gap between physical and cyber attacksThe rise of state-linked hacktivist groupsWhy OT and critical infrastructure are increasingly global targetsHow adversaries exploit the IT/OT bridge to reach industrial systemsWhat security leaders must learn from the June 2025 escalationCyber conflict is no longer a secondary theater — it’s where escalation begins.

In this episode of The Cyber Resilience Brief, we break down the modern reality of Iranian cyber warfare and industrial espionage. Host Tova Dvorin and offensive security engineer Adrian Culley analyze the tactics, techniques, and procedures (TTPs) of APT33, OilRig (APT34), and MuddyWater — three of the most active Iranian state-sponsored threat actors targeting energy, aviation, manufacturing, government, and critical infrastructure.From intellectual property theft and aerospace breaches to DNS tunneling, living-off-the-land techniques, cloud-based command-and-control (C2), and wiper malware, we unpack how these groups evolved into stealthy, high-end cyber espionage operators.You’ll also learn how adversarial exposure validation (AEV), breach and attack simulation (BAS), and continuous automated red teaming (CART) help security leaders validate defenses against real-world nation-state threats.If you're a CISO, security architect, threat intelligence analyst, or cyber resilience leader, this episode delivers actionable insight into defending against advanced persistent threats (APTs).Subscribe for expert analysis on cyber resilience, exposure management, and defending against state-sponsored cyber attacks.

In this special bonus episode of The Cyber Resilience Brief, host Tova Dvorin is joined by SafeBreach threat research expert Adrian Culley to examine DynoWiper, a destructive nation-state wiper malware observed targeting Poland’s energy sector.First detected in late December 2025, DynoWiper has been linked to attacks on Polish wind farms and combined heat and power (CHP) plants, signaling a shift away from financially motivated ransomware toward pure disruption of critical infrastructure.The episode explores:How DynoWiper operates without command-and-control infrastructureWhy attribution points to Russian state-linked actors, including FSB Centre 16 (Static Tundra) and GRU Unit 7445 (Sandworm)Why traditional, point-in-time security testing fails against internally staged attacksHow Continuous Threat Exposure Management (CTEM) and Adversarial Exposure Validation (AEV) help organizations identify and close exposure gaps before destructive payloads are deployedWhile activity has been observed in Poland, the tactics discussed are highly relevant to energy and critical infrastructure operators worldwide.Cyber resilience isn’t a one-time achievement — it’s a continuous process of validation.

Episode 2 of 6 – Iran’s Cyber Program ExplainedIn Iran’s Cyber Shadow War: IRGC, MOIS, and the Battle for Control, we continue our deep-dive into Iran’s cyber operations by exposing the internal power struggle driving its most dangerous digital attacks.Iran does not operate a single, unified cyber command. Instead, two rival organizations—the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS)—run competing cyber missions with very different goals, tactics, and tradecraft. One favors loud, destructive attacks designed to intimidate and disrupt. The other specializes in quiet cyber espionage, long-term access, and intelligence collection.In this episode, we break down how this rivalry fuels Iranian state-sponsored cyber activity, why both agencies often target the same victims, and how their competition creates real risk for Western governments, critical infrastructure, energy, finance, and private enterprises. We also explore Iran’s use of contractor-based hacking groups, providing speed, innovation, and plausible deniability—while making attribution and defense significantly harder.For CISOs and security teams, this episode explains what Iran’s divided cyber command means for detection, dwell time, and continuous adversarial exposure validation—and why defenders must be prepared for both stealthy intrusions and sudden, destructive attacks.🎧 In this episode:• Iran’s cyber shadow war explained• IRGC vs. MOIS: rivalry, missions, and tactics• State-sponsored hacking and contractor ecosystems• Cyber espionage vs. cyber disruption• What Iran’s internal competition means for defendersThis is Episode 2 of a 6-part series unpacking how Iran builds, deploys, and evolves its cyber power—and what organizations must do to stay ahead.

The EU’s NIS2 Directive is reshaping the global cybersecurity landscape with sweeping requirements for essential and important entities, strict reporting obligations, and substantial penalties for non-compliance. In this episode of Cyber Resilience Brief, host Tova Dvorin is joined by Adrian Culley, Senior Sales Engineer at SafeBreach and EU/UK regulatory expert, to unpack what NIS2 means for organizations worldwide. We explore: How NIS2 builds on DORA and connects to the upcoming Cyber Resilience Act Key sectors impacted, from critical infrastructure to digital providers Executive accountability, supply chain security, and audit requirements Why Breach and Attack Simulation (BAS) is a powerful enabler for NIS2 compliance and continuous cyber resilience Whether you operate inside the EU or engage with regulated industries abroad, NIS2 compliance is becoming a business-critical issue. Tune in to understand the directive’s global impact—and how to turn regulation into a resilience advantage. For more information on NIS2, check out our blog: NIS2: A Blueprint for Cyber Resilience