The Commentary Desk
The Commentary Desk says what everyone on the team is thinking but nobody put in the ticket. Covers bad tools, vendor nonsense, and the gap between what a product page promises and what the rollout actually looks like. Dry, direct, and not interested in being diplomatic about it.
What this desk covers: critique and analysis of vendor patterns, framework guides, and the gap between security writing and operations.
26 articles
-
Analysis · May 13, 2026
Daybreak shipped without a single number of its own
OpenAI announced an end-to-end vulnerability detection and patching platform on May 12, then borrowed every performance figure from its predecessors. The borrowed figures don't help its case.
-
Analysis · May 11, 2026
Cisco is now telling you the patch doesn't clean the box
Cisco's April 23 PSIRT advisory says the ArcaneDoor implant survives upgrading to the September 2025 fixes for CVE-2025-20333 and CVE-2025-20362. Reimage, do not patch.
-
Analysis · May 11, 2026
The CVSS 4.3 that APT28 was already using
Microsoft shipped the fix for CVE-2026-32202 without an exploitation flag while Russian state actors had a five-month head start. Vendor-tag triage missed it. The federal deadline is tomorrow.
-
Analysis · May 10, 2026
Array Networks patched in a week and forgot to build a security program
CVE-2023-28461 is a CVSS 9.8 auth bypass on an SSL VPN that Earth Kasha was already exploiting. The fix shipped fast. The disclosure infrastructure around it doesn't exist.
-
Analysis · May 10, 2026
Zyxel patched CVE-2024-11667 in September. They named it in November
The fix shipped on September 3, 2024. The CVE assignment came eleven weeks later, after Helldown was already in production networks. The customers who patched on time still got compromised.
-
Analysis · May 10, 2026
SimpleHelp CVE-2024-57727: a seven-day patch and a sixteen-month leak
SimpleHelp shipped a fix in seven days from full disclosure. Then they posted it to a forum. Ransomware affiliates have been pulling hashed admin credentials out of unpatched servers ever since.
-
Analysis · May 8, 2026
Five critical Fortinet CVEs in 28 months is not a streak of bad luck
Three heap overflows, two auth bypasses, all pre-auth, all ransomware-linked. The pattern in FortiOS and FortiProxy is structural, and patching alone has not been enough to remove attacker access.
-
Analysis · May 8, 2026
Three root shells in seven months. All from the same firewall.
CVE-2024-3400, CVE-2024-0012, and CVE-2024-9474 gave attackers unauthenticated root on Palo Alto firewalls twice in 2024. The pattern isn't bad luck. It's the architecture.
-
Analysis · May 8, 2026
Ivanti Connect Secure: the perimeter that keeps breaking
Five KEV-listed Ivanti Connect Secure bugs in fifteen months, all ransomware-tagged, all on the unauthenticated path. The pledge bought goodwill. The code did not change.
-
Analysis · May 4, 2026
Three hours was the good outcome: npm's trust model and the Axios compromise
A DPRK threat actor backdoored two Axios versions on npm. Socket flagged the malicious dependency in six minutes. Nothing stopped the downstream publish fifteen minutes later. The system worked exactly as designed.
-
Analysis · May 3, 2026
50 CVEs in 18 months is not a growing pain. It's a design choice the industry keeps making.
MCP went from unknown to default AI integration in under two years. The vulnerability count, the OWASP Top 10, and the simultaneous client failures tell a story about what happens when adoption is the only metric.
-
Analysis · May 3, 2026
Spirit Airlines is dead. Its attack surface isn't.
The security story isn't that an airline went bankrupt. It's what happens to 132 APIs, years of customer PII, and a cloud footprint when a company dies overnight and nobody is left to decommission it.
-
Analysis · May 1, 2026
The security work that landed on ops
Cloud shared responsibility, compliance mandates, and insecure defaults have quietly moved security execution onto ops teams that were never staffed for it.
-
Analysis · May 1, 2026
People problems wearing a server badge
The sysadmin job was sold as infrastructure. The actual job is diplomacy, and the burnout numbers show it.
-
Analysis · May 1, 2026
Microsoft: the Patch Day cinematic universe
Licensing, patches, email blocking, Copilot, Recall, Windows replacement. Every subplot lands on the same sysadmin's desk.
-
Analysis · May 1, 2026
The feedback loop is broken
Executives keep making the same categories of bad IT decisions because the consequences land on operators, not decision-makers. The pattern is structural, not accidental.
-
Analysis · May 1, 2026
Your security vendor's AI isn't making you safer. It's making you tired.
76% of cybersecurity professionals say the AI landscape is overwhelmed by overpromotion. The operational cost of that fatigue is starting to show up in the places that matter.
-
Analysis · May 1, 2026
The most dangerous sentence in a code comment is 'this should never happen'
From Therac-25 to CrowdStrike, the same pattern keeps producing catastrophic failures: an engineer reasons that a condition is impossible, skips the guard, and the system outgrows the assumption.
-
Analysis · May 1, 2026
The same LDAP injection, in two firewalls, in the same month
OPNsense shipped a textbook LDAP filter injection that hid for eleven years. WatchGuard disclosed the same class of flaw weeks later. The pattern is not coincidence.
-
Analysis · May 1, 2026
The Vercel breach is the Heroku/Travis CI playbook, rerun through an AI tool
A compromised OAuth token at a small AI productivity company gave attackers a path into Vercel's internal systems. The structural pattern is four years old. AI tools are making it worse.
-
Analysis · May 1, 2026
Anthropic's MCP gives every downstream app unauthenticated RCE, and they called it expected behavior
The Model Context Protocol's STDIO transport passes user input directly into subprocess execution with no sanitization. OX Security found 14+ CVEs across the ecosystem. Anthropic declined to patch.
-
Analysis · May 1, 2026
Windows Defender is the attack surface now, and two of the three exploits don't have patches
Three tools dropped in April turn Defender's own privileged operations into privilege escalation and detection evasion. Microsoft patched one. The other two work on fully patched systems.
-
Field Note · Apr 29, 2026
Best practices for patch prioritization in a hybrid environment: start with business impact
Severity scores tell you which CVE is nastiest. Business impact tells you which one matters.
-
Analysis · Apr 28, 2026
What patching looks like when you support the whole mess: endpoints, M365, identity, browsers, VPN, and line-of-business tools
Patching isn't Windows Updates anymore. A tour of the six surfaces a real shop patches every week.
-
Field Note · Apr 28, 2026
Patch now, patch later, ignore for now: the triage model real IT teams actually need
A three-bucket triage model for sysadmins who don't own a vulnerability scanner and aren't going to buy one.
-
Analysis · Apr 28, 2026
Why most patch summaries fail the people who actually have to do the work
Vendor advisories are written for completeness. They're not written for the operator triaging a CISA KEV ticket before lunch.