Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-20088

**Mattermost fails to properly validate post props**

Moderate severity GitHub Reviewed Published Jan 15, 2025 to the GitHub Advisory Database • Updated Jan 15, 2025

**Package**

gomod github.com/mattermost/mattermost/server/v8 (Go)

**Affected versions**

\>= 10.2.0, < 10.2.1

\>= 10.1.0, <= 10.1.3

\>= 10.0.0, <= 10.0.3

\>= 9.11.0, <= 9.11.5

< 8.0.0-20241127161322-25ff7a3779a5

**Patched versions**

10.2.1

10.1.4

10.0.4

9.11.6

8.0.0-20241127161322-25ff7a3779a5

Published to the GitHub Advisory Database

Jan 15, 2025

Last updated

Jan 15, 2025

GHSA-45v9-w9fh-33j6: Mattermost fails to properly validate post props

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-21088

**Mattermost Incorrect Type Conversion or Cast**

Moderate severity GitHub Reviewed Published Jan 15, 2025 to the GitHub Advisory Database • Updated Jan 15, 2025

**Package**

gomod github.com/mattermost/mattermost/server/v8 (Go)

**Affected versions**

\>= 10.2.0, < 10.2.1

\>= 10.1.0, <= 10.1.3

\>= 10.0.0, <= 10.0.3

\>= 9.11.0, <= 9.11.5

< 8.0.0-20241127161322-25ff7a3779a5

**Patched versions**

10.2.1

10.1.4

10.0.4

9.11.6

8.0.0-20241127161322-25ff7a3779a5

Published to the GitHub Advisory Database

Jan 15, 2025

Last updated

Jan 15, 2025

GHSA-8j3q-gc9x-7972: Mattermost Incorrect Type Conversion or Cast

BeyondTrust has patched all cloud instances of the vulnerability and has released patches for self-hosted versions.

Source: ktdesign via Adobe Stock

NEWS BRIEF

The Cybersecurity and Infrastructure Security Agency (CISA) is urging federal agencies to patch a command injection flaw tracked as CVE-2024-12686, otherwise known as BT24-11, and has added it to the Known Exploited Vulnerabilities (KEV) Catalog.

The medium-severity security bug was found as a part of BeyondTrust's Remote Support SaaS Service security investigation, which was launched after a major data breach at the US Treasury Department. Silk Typhoon, a Chinese hacking group, was reportedly responsible for the December 2024 cyberattack, in which threat actors were able to gain credentials to Treasury workstations through the third-party vendor and then steal data. On Dec. 18, BeyondTrust reported identifying BT24-11 within its self-hosted and cloud Remote Support and Privileged Remote Access products, after reporting BT24-10 just two days prior.

On Jan. 6, in its latest update, BeyondTrust reported that its forensic investigation is nearly complete and that all software-as-a-service instances of BeyondTrust Remote Support have been fully patched with no new identified victims.

"All cloud instances have been patched for this vulnerability," BeyondTrust stated in the update. "We have also released a patch for self-hosted versions."

CISA stated that the vulnerability "can be exploited by an attacker with existing administrative privileges to inject commands and run as a site user." That would allow a remote attacker to execute underlying operating system commands.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

CISA: Second BeyondTrust Vulnerability Added to KEV Catalog

Evidence suggests that some of the payloads and extensions may date as far back as April 2023.

Source: VS148 via Shutterstock

A Christmas Eve phishing attack resulted in an unknown party taking over a Cyberhaven employee's Google Chrome Web Store account and publishing a malicious version of Cyberhaven's Chrome extension. While the problematic extension was removed within an hour of its discovery, the malicious activity highlights gaps in browser security that exist at most organizations and the necessity of getting a handle on the problem now, as extension poisoning is expected to be a persistent issue.

Further research into the incident suggests that this attack was likely part of two separate, but potentially related, campaigns to target multiple extension developers to distribute malicious extensions, experts say. The campaigns may have begun as early as April 2023.

"Currently we know about two different campaigns that have been targeting different objectives," says Amit Assaraf, CEO of Extension Total, a third-party extension security platform provider. Extension Total researchers have uncovered several malicious extensions over the past several weeks and have been looking at how they relate to each other.

**A Tale of Two Campaigns**

One campaign created extensions that steal cookies, session tokens, and possibly passwords, and targeted Facebook and OpenAI accounts, Assaraf says. The campaign relied on phishing to target extension developers and a malicious OAUTH application to take over Google Chrome Web Store accounts. Cyberhaven was one of the victims of this campaign.

There is some disagreement among experts over when the first malicious extension associated with this campaign appeared. Assaraf points to the Chrome extension "GPT 4 Summary with OpenAI," which was added to the Google Chrome Web Store in August. John Tuckner, founder of browser-extension management service Secure Annex, believes the "AI Assistant – ChatGPT and Gemini for Chrome" extension, which was uploaded to the Chrome Web Store in May, was the first extension used by this campaign.

"As far as I can tell, that is the first example of this type of code being used, but some of the related domain registrations go back to around Sept. 25, 2023, so this could have been planned for a while," Tuckner says.

Both extensions are no longer on the Chrome Web Store.

Regardless of when this campaign began, the impact has been widespread. Researchers have found 22 extensions related to it so far, affecting 1.46 million users, Assaraf says. Some of these have been removed completely from the Chrome Web Store, and others have been updated to a "safe" version.

The second campaign is aimed at tracking user activity, telemetry, and sites visited, "probably with intention to sell this data," Assaraf says. Its earliest appearance was in April 2023, and researchers have identified 15 extensions thus far as belonging to this campaign.

A Google spokesperson says the company has shut down malicious Chrome Web Store accounts identified as part of this investigation and continues to investigate reports from Extension Total regarding extensions still available in the store.

It's unclear at this time whether one attacker is behind both campaigns, though there is evidence — shared JavaScript payloads injected into unauthorized updates between August 2024 and December 2024 — suggesting "a synchronized campaign," says Bugcrowd founder Casey John Ellis.

"This also suggests centralized control over the hijacked developer accounts and a common threat actor," he says.

At this point, both campaigns appear to be contained; no additional extensions have been discovered, according to Assaraf.

**Extensions as Low-Hanging Fruit for Attackers**

Cyberhaven's internal security team was able to respond to the breach quickly, which helped expose the breadth of the extension poisoning. Many of the affected extensions are hobbyist projects, which means they likely do not have the tools or security support to be regularly monitoring for malware.

Therein lies the dilemma for detecting malicious Chrome extensions in the wild, experts say. It also explains why ensuring that extensions used within a corporate browser are safe is such a tricky scenario for organizations to navigate. While some are managed by companies with dedicated teams to ensure the extensions remain clean, many are maintained by private individuals and, thus, don't have this kind of oversight.

That complicates security within a corporate environment because browsers, like Chrome, grant extensions broad permissions, including access to sensitive user data, cookies, and even the ability to capture credentials and sessions, according to Matt Johansen, security researcher at Vulnerable U.

"Extensions still operate with a significant degree of trust, and once compromised, they can access everything a user can," Johansen says. "They also have less scrutiny to install than traditional desktop software, even in enterprises."

Because of their ability to compromise so many users and have access to so much information by poisoning a browser extension, it's a no-brainer for attackers.

"Controlling an extension gives an adversary a powerful vantage point for all browser activities," concurs Lionel Litty, chief security architect at Menlo Security.

Indeed, poisoning a Chrome extension is "actually a very convenient way for attackers to spread malicious code," Assaraf adds. "You only need to fool one person, one developer, and you get access to hundreds of thousands of machines," he says.

People often forget they've installed browser extensions, yet they continue to run in the background and update automatically, giving attackers wide access to sensitive data, he adds.

**Closing the Browser Security Gap**

Given their reach, why, then, are browsers and their extensions given such little thought when it comes to an organization's security posture? It could merely be that their security teams are so overwhelmed with responsibilities that browsers are the least of their worries — though that could now change, notes Secure Annex's Tuckner.

Organizations can take specific steps now to shore up the security of extensions running in corporate browsers, he says. Teams should start with collecting a real-time inventory of the browsers in the organization and which extensions are installed on them. This step should be followed by enrolling browsers in some kind of centralized management to set up an allowlist of known extensions, keeping only those that "drive core business value" and adding future ones on a case-by-case basis, Tuckner adds. The inventory will help security teams understand the scope of an incident when something happens.

"Few teams choose to or are able to prioritize browser security on top of everything else that they have to deal with," he says. "Many see browser security as a lower-risk item, but I believe that is quickly changing with incidents like this."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Extension Poisoning Campaign Highlights Gaps in Browser Security

"Operation 99" uses job postings to lure freelance software developers into downloading malicious Git repositories. From there, malware infiltrates developer projects to steal source code, secrets, and cryptocurrency.

Source: DD Images via Shutterstock

North Korea's Lazarus threat group has launched a fresh wave of attacks targeting software developers, using recruitment tactics on job-hiring platforms. This time, the group is using job postings on LinkedIn to lure freelance developers in particular into downloading malicious Git repositories; these contain malware for stealing source code, cryptocurrency, and other sensitive data.

The SecurityScorecard STRIKE team on Jan. 9 discovered the ongoing attack, dubbed Operation 99, in which attackers pose as recruiters to entice the developers with project tests or code reviews, the researchers revealed in a report (PDF) published today.

"Victims are tricked into cloning malicious Git repositories that connect to a command-and-control (C2) server, initiating a series of data-stealing implants," according to the post.

Attackers are using various payloads that work across Windows, macOS, and Linux in the campaign, using a layered malware delivery system with modular components that adapt to different targets. Downloaders such as Main99 retrieve and execute payloads that include Payload 99/73, brow99/73, and MCLIP, which perform tasks like keylogging, clipboard monitoring, file exfiltration from development environments, and browser credential theft.

Related:Zero-Day Security Bug Likely Fueling Fortinet Firewall Attacks

The malware also steals from application source code, secrets and configuration files, and cryptocurrency-related assets such as wallet keys and mnemonics, according to the researchers. The latter are used to facilitate direct financial theft, furthering Lazarus' goals to fund the regime of North Korean leader Kim Jong Un.

"By embedding the malware into developer workflows, the attackers aim to compromise not only individual victims, but also the projects and systems they contribute to," according to the report.

**North Korea's History of Targeting Developers**

The campaign builds on previous tactics by the group to target developers with various malware, including 2021's Operation Dream Job, in which the group sent fake job offers to specific organizational targets. When opened, they installed Trojan programs to collect information and send it back to the attackers.

Lazarus' long history of using the technology job market to target victims also includes another campaign called DEV#POPPER, which targeted software developers worldwide for data theft by having attackers pose as recruiters for nonexistent jobs.

North Korean threat groups also have turned the tables and used their own cyber spies to infiltrate global organizations for cyber espionage. The now-infamous case of security firm KnowBe4 accidentally hiring a North Korean hacker shows how convincing these campaigns can be.  

Related:Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

While a Department of Justice operation in May disrupted North Korea's widespread IT freelance operation with the indictment of several people for helping state-sponsored actors establish fake freelancer identities and evade sanctions, the latest campaign demonstrates that Lazarus remains undaunted.

Amid all this, the new campaign shows an evolution in tactics, the researchers said.

"In this instance, Lazarus is demonstrating a higher level of sophistication and focus compared to previous campaigns," says Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard. These include using AI-generated profiles to pose as recruiters that appear highly authentic and realistic, "enabling them to effectively deceive victims," he adds.

"By presenting complete and convincing profiles, they offer what seem to be genuine job opportunities to developers," Sherstobitoff says. In some cases, Lazarus even compromises existing LinkedIn accounts to lend heft to their credibility, he adds.

The group also is employing more advanced techniques for obfuscation and encryption, making their malicious activities significantly more difficult to detect and analyze, Sherstobitoff says.

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

**Job Seekers, Exercise Caution**

Indeed, as these campaigns become more sophisticated through the use of AI and advanced social engineering, it's becoming "easier for attackers to gain the confidence of their targets, demonstrating a significant evolution in the level of precision and realism in their campaigns," Sherstobitoff says.

For this reason, mitigation strategies "should fundamentally center around reinforcing social engineering awareness and adhering to the basics of cybersecurity for everyday employees," he says. As a general rule, if a job offer or opportunity seems too good to be true, it likely is, and "should be approached with skepticism," Sherstobitoff says.

"Employees also should exercise extreme caution when interacting with recruiters, particularly if asked to download files, clone repositories, or engage with unfamiliar software," especially over platforms like LinkedIn or email, he says. "These channels can be easily manipulated by attackers posing as legitimate entities."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

North Korea's Lazarus APT Evolves Developer-Recruitment Attacks

Cybersecurity researchers have alerted to a new malvertising campaign that's targeting individuals and businesses advertising via Google Ads by attempting to phish for their credentials via fraudulent ads on Google.
"The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages," Jérôme Segura, senior director of

Google Ads Users Targeted in Malvertising Scam Stealing Credentials and 2FA Codes

The North Korea-linked Lazarus Group has been attributed to a new cyber attack campaign dubbed Operation 99 that targeted software developers looking for freelance Web3 and cryptocurrency work to deliver malware.
"The campaign begins with fake recruiters, posing on platforms like LinkedIn, luring developers with project tests and code reviews," Ryan Sherstobitoff, senior vice president of Threat

Lazarus Group Targets Web3 Developers with Fake LinkedIn Profiles in Operation 99

Ultimately, there is no replacement for an intuitive, security-focused developer working with the critical thinking required to drive down the risk of both AI and human error.

Matias Madou, Co-Founder & CTO, Secure Code Warrior

January 15, 2025

5 Min Read

Source: Nils Ackermann via Alamy Stock Vector

COMMENTARY

The advent of artificial intelligence (AI) coding tools undoubtedly signifies a new chapter in modern software development. With 63% of organizations currently piloting or deploying AI coding assistants into their development workflows, the genie is well and truly out of the bottle, and the industry must now make careful moves to integrate it as safely and efficiently as possible.

The OWASP Foundation has long been a champion of secure coding best practices, providing extensive coverage on how developers can best defend their codebases from exploitable vulnerabilities. Its recent update to the OWASP Top 10 for Large Language Model (LLM) Applications reveals the emerging and most potent threats perpetuated by AI-generated code and generative AI (GenAI) applications, and this is an essential starting point for understanding and mitigating the threats likely to rear their ugly heads. 

We must focus on integrating solid, foundational controls around developer risk management if we want to see more secure, higher quality software in the future, not to mention make a dent in the flurry of global guidelines that demand applications are released that are secure by design.

**The Perilous Crossover Between AI-Generated Code and Software Supply Chain Security**

Prompt Injection's ranking as the No. 1 entry on the latest OWASP Top 10 was unsurprising, given its function as a direct natural language command telling the software what to do (for better or worse). However, Supply Chain Vulnerabilities, which have a much more significant impact at the enterprise level, came in at No. 3. 

OWASP's advice mentions several attack vectors comprising this category of vulnerability, elements such as implementing pretrained models that are also precompromised with backdoors, malware and poisoned data, or vulnerable LoRA adapters that, ironically, are used to increase efficiency, but can, in turn, compromise the base LLM. These present potentially grave, widespread exploitable issues that can permeate the whole supply chain in which they are used.

Sadly, many developers are not skill- and process-enabled enough to navigate these problems safely, and this is even more apparent when assessing AI-generated code for business logic flaws. While not specifically listed as a category, as is apparent in OWASP’s Top 10 Web Application Security Risks, this is partly covered in No. 6, Excessive Agency. Often, a developer will vastly overprivilege the LLM for it to operate more seamlessly, especially in testing environments, or misinterpret how real users will interact with the software, leaving it vulnerable to exploitable logic bugs. These, too, affect supply chain applications and, overall, require a developer to apply critical thinking and threat modeling principles to overcome them. Unchecked AI tool use, or adding AI-powered layers to existing codebases, adds to the overall complexity and is a significant area of developer-driven risk.

**Data Exposure Is a Serious Concern Requiring Serious Awareness**

Sensitive Information Disclosure is second on the new list, but it should be a chief concern for enterprise security leaders and development managers. As OWASP points out, this vector can affect both the LLM itself and its application context, leading to personally identifiable information (PII) exposure, and disclosure of proprietary algorithms and business data.

The nature of how the technology operates can mean that exposing this data is as simple as using cunning prompts rather than actively "hacking" a code-level vulnerability, and "the grandma exploit" is a prime example of sensitive data being exposed due to lax security controls over executable prompts. Here, ChatGPT was duped into revealing the recipe for napalm when prompted to assume the role of a grandmother reading a bedtime story. A similar technique was also used to extract Windows 11 keys. 

Part of the reason this is made possible is through poorly configured model outputs that can expose proprietary training data, which can then be leveraged in inversion attacks to eventually circumvent the security controls. This is a high-risk area for those who are feeding training data into their own LLMs, and the use of the technology requires companywide, role-based security awareness upskilling. The developers building the platform must be well-versed in input validation and data sanitization (as in, these skills are verified and assessed before they can commit code), and every end user must be trained to avoid feeding sensitive data that can be spat out at a later date.

While this may seem trivial on a small scale, at the government or enterprise level, with the potential for tens of thousands of employees to inadvertently participate in exposing sensitive data, it's a significant expansion of an already unwieldy attack surface that must be addressed.

**Are You Paying Attention to Retrieval-Augmented Generation (RAG)?**

Perhaps the most notable new entry in the 2025 list is featured at No. 8, Vector and Embedding Weaknesses. With enterprise LLM applications often utilizing RAG technology as part of the software architecture, this is a vulnerability category to which the industry must pay close attention.

RAG is essential for model performance enhancement, often acting as the "glue" that provides contextual cues between pre-trained models and external knowledge sources. This is made possible by implementing vectors and embeddings, but if they are not implemented securely they can lead to disastrous data exposure, or pave the way for serious data poisoning and embedding inversion attacks. 

A comprehensive understanding of both core business logic and least-privilege access control should be considered a security skills baseline for developers working on internal models. However, realistically, the best-case scenario would involve utilizing the highest-performing, security-skilled developers and their AppSec counterparts to perform comprehensive threat modeling and ensure sufficient logging and monitoring.

As with all LLM technology, while this is a fascinating emerging space, it should be crafted and used with a high level of security knowledge and care. This list is a powerful, up-to-date foundation for the current threat landscape, but the environment will inevitably grow and change quickly. The way in which developers create applications is sure to be augmented in the next few years, but ultimately, there is no replacement for an intuitive, security-focused developer working with the critical thinking required to drive down the risk of both AI and human error.

**About the Author**

Co-Founder & CTO, Secure Code Warrior

Matias Madou is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company, Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences, including RSA Conference, Black Hat, DEF CON, BSIMM, OWASP AppSec, and BruCon.

Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.

OWASP's New LLM Top 10 Shows Emerging AI Threats

Silver Spring, United States / Maryland, 15th January 2025, CyberNewsWire

**Silver Spring, United States / Maryland, January 15th, 2025, CyberNewsWire**

Aembit, the non-human identity and access management (IAM) company, unveiled the full agenda for NHIcon 2025, a virtual event dedicated to advancing non-human identity security, streaming live on Jan. 28 and headlined by industry luminary Kevin Mandia.

NHIcon 2025 is co-presented by Aembit and Veza, alongside industry partners Identity Defined Security Alliance and Cloud Security Alliance. 

Bringing together diverse viewpoints from the cybersecurity and DevSecOps communities, NHIcon 2025 will provide technical insights and practical guidance to address the challenges of securing non-human identities, such as service accounts, AI agents, and other software workloads.

The widespread adoption of cloud technologies, the growth of APIs and microservices, and the increasing scale of machine-to-machine communications have made securing non-human identities more challenging. Traditional identity management practices and tools often fail to provide adequate visibility and control, leaving critical security gaps that elevate breach risk.

As non-human identities become central to modern infrastructure, securing them has become a top priority for enterprises worldwide, with Gartner® naming machine identity management a top security trend for 2025.

> “My vision for NHIcon is that it gives organizations the opportunity to rethink – or even begin to explore for the first time – their approach to non-human identity security,” said David Goldschlag, CEO and co-founder of Aembit. “This unique event is designed to provide clear, actionable takeaways, a deeper understanding of how to secure the identities that power enterprise innovation, and the justification for prioritizing it.”

NHIcon 2025 will provide an experiential platform for interactive learning and meaningful collaboration. Attendees can openly engage with speakers, connect with a global community of identity security professionals, and uncover cutting-edge strategies for securing non-human identities in today’s fast-evolving environments.

Mandiant Founder Mandia, co-founder of Ballistic Ventures and one of the world’s most recognizable security voices, will share his perspective on the year ahead, focusing on identity security and the growing role of AI in threat landscapes.

The agenda also includes:

*   A keynote from Talha Tariq, chief security officer at HashiCorp, on zero-trust principles for non-human identities.
*   Heather Flanagan, executive director of IDPro, discusses modernizing identity standards.
*   Software Architect Victor Ronin leading a technical session titled From Hardcoded to Hardened: The 7 Stages of Non-Human Identity Maturity.
*   Ed Amoroso, CEO of TAG Cyber, shares experience in securing non-human identities in complex environments.
*   A panel featuring security leaders from Twilio, Grafana Labs, and SoFi addressing business and compliance risks tied to non-human identities.

Registration for NHIcon 2025 is free and open at NHIcon.com.

**About Aembit**

Aembit is the leading provider of workload identity and access management solutions, designed to secure non-human identities like applications, AI agents, and service accounts across on-premises, SaaS, cloud, and partner environments. Aembit’s no-code platform enables organizations to enforce access policies in real time, ensuring the security and integrity of critical infrastructure. Users can visit aembit.io and follow us on LinkedIn.

**Contact**

**Chief Marketing Officer**  
**Apurva Davé**  
**Aembit**  
**\[email protected\]**

Aembit Announces Speaker Lineup for the Inaugural NHIcon

Tel Aviv, Israel, 15th January 2025, CyberNewsWire

**Tel Aviv, Israel, January 15th, 2025, CyberNewsWire**

Sweet Security, a leader in cloud runtime detection and response, today announced the launch of its groundbreaking patent-pending Large Language Model (LLM)-powered cloud detection engine. This innovation enhances Sweet’s unified detection and response solution, enabling it to reduce cloud detection noise to an unprecedented 0.04%. Sweet uses advanced AI to help security teams navigate complex and dynamic environments with improved precision and confidence.

**Detection of Unknown Unknowns**

The introduction of Sweet’s patent-pending LLM technology transforms its ability to identify previously undetectable threats. By evaluating cloud variables and anomalies in real-time – and adapting the findings to the nuances of the particular cloud environment – Sweet’s cloud detection engine is capable of uncovering zero-day attacks and “unknown unknowns” — threats that have not been introduced or published to the world. This eliminates the need to predefine what constitutes abnormal or malicious behavior and streamlines the differentiation between unusual activity and actual attacks.

**Fast Validation/Vindication of Findings Through Incident Labels**

Sweet’s patent-pending LLM-powered cloud detection engine excels at distinguishing between “weird” but benign anomalous activity and genuine threats. Each incident is labeled as either “malicious,” “suspicious,” or “bad practice,” indicating whether the anomaly is indicative of an attack and requires further attention from SecOps or is an unusual but legitimate activity that needs to be reviewed by DevOps. Security teams can eliminate false positives, streamline workflows, and focus their attention where it matters most. The result is unparalleled operational efficiency and reduced alert fatigue.

**Actionability at Scale**

To ensure maximum usability, the new capability delivers actionable insights through:

●       Immediate mapping of “danger zones” in the environment through an intuitive heat map

●       Clear incident labeling, providing context and clarity for security analysts

●       Identification of relevant problem owners within the organization, streamlining incident response

This approach improves response times while promoting collaboration and accountability across teams.

**Scaling Application Detection and Response (ADR)**

In dynamic cloud environments, Sweet’s patent-pending LLM-powered cloud detection engine enables scalable Application Detection and Response (ADR). It does so by cross-correlating potential attack patterns with extensive application data to identify the ‘smoking gun’—those elusive signals in the data that are indicative of an attack. This capability brings clarity and precision to applications where the sheer volume of data would overwhelm rule-based approaches.

**Increased Certainty for Security Teams**

With the introduction of this capability, Sweet continues to deliver on its mission to provide clarity and control for cloud environments. By reducing noise, enhancing detection accuracy, and empowering actionable insights, Sweet increases certainty within security teams, enabling them to operate with confidence in even the most complex cloud landscapes.

> “This new capability is a game-changer for cloud security,” said Dror Kashti, CEO of Sweet Security. “By harnessing the power of LLMs, we’re not only reducing detection noise to near-zero levels but also providing security teams with the tools they need to act swiftly and decisively. This is a major leap forward in our commitment to delivering unparalleled detection and response for the cloud.”

Sweet Security is dedicated to protecting customer privacy and adheres to strict privacy standards by processing data securely and responsibly.

**About Sweet Security**

Sweet Security is the leading provider of Cloud Native Detection and Response solutions. Powered by comprehensive runtime insights and behavioral analytics, Sweet’s unified platform correlates data across application, workload, and cloud infrastructure to deliver best-of-breed real-time detections, as well as vulnerability management, identity threat management, and runtime CSPM. By analyzing baseline behaviors across different entities and utilizing its LLM-powered detection engine, Sweet reduces cloud detection noise to 0.04%, helping organizations hit a benchmark of 2-5 min MTTR for all incidents. Privately funded, Sweet is backed by Evolution Equity Partners, Munich Re Ventures, Glilot Capital Partners, CyberArk Ventures, and an elite group of angel investors.

For more information, users can visit http://sweet.security.

**Contact**

**VP of Marketing**  
**Noa Glumcher**  
**Sweet Security**  
**\[email protected\]**

Latest News