Blog

Writing from Sekura on autonomous penetration testing, agents, and security in dynamic environments.

  1. Audit Prep Arrives as a Byproduct

    Sekura maps every confirmed pentest finding to SOC 2, ISO 27001, PCI DSS, and 11 other frameworks automatically. Audit prep stops being an annual scramble and becomes a direct output of the security work you already do.

  2. Evertec vendor platform breach exposed payment cards

    In May 2026, an attacker accessed a third-party support platform used by Evertec, a NYSE-listed fintech, to reach debit card numbers and transaction records of Banco Popular de Puerto Rico customers.

  3. What npx sekura init actually does

    A step-by-step look at what runs when you invoke npx sekura@latest init: registry fetch, signature check, IDE detection, OAuth, keychain storage, and GitHub Actions wiring.

  4. Instagram account-takeovers expose an AI verification gap

    Attackers fed Meta's AI support flow an AI-generated face video built from a target's own profile photos, passed identity verification, swapped the email, and reset the password. No CVE. No backend breach. High-profile Instagram accounts gone.

  5. 7-Eleven franchise records exposed via Salesforce misconfiguration

    ShinyHunters queried 7-Eleven's unauthenticated Salesforce Experience Cloud portal to steal 185,000 franchise applicants' records, including Social Security numbers and driver's license data.

  6. The math on pentest cost per finding

    Annual pentests cost $30k to $150k per engagement and run once a year. Continuous coverage changes the math. A spreadsheet-grade comparison of cost per verified finding.

  7. Charter breach exposes 13 million Spectrum customers

    ShinyHunters used a vishing call to compromise one employee's Microsoft Entra account and bulk-export 13 million Spectrum customer records from Salesforce. No CVE. No scanner would have caught it.

  8. GitHub internal repos breached via poisoned extension

    TeamPCP used a trojanized Nx Console VS Code extension to steal GitHub employee credentials and exfiltrate roughly 3,800 internal repositories in May 2026.

  9. Canvas breach exposes 275 million student records

    ShinyHunters exploited a trust boundary flaw in Instructure's Free-for-Teacher program, exposing 275 million student and staff records across nearly 9,000 Canvas institutions before Instructure paid a ransom.

  10. Amtrak breach exposes 2.1 million customer records

    ShinyHunters compromised Salesforce credentials through social engineering in April 2026, exposing 2.1 million Amtrak customer records. No CVE. No code flaw. Scanners had no visibility into the attack path.

  11. France Titres breach exposes 11 million citizen records

    A basic IDOR flaw in France's national identity portal gave one attacker access to 11.7 million citizens' records. What dynamic probing of the API would have surfaced.

  12. LLM apps inherit a new attack surface

    AI-integrated apps carry prompt injection, jailbreak, and data exfiltration vulnerabilities that static scanners miss. Concrete payloads Sekura uses to probe LLM endpoints, grounded in real CVEs and the OWASP LLM Top 10.

  13. Post-quantum crypto agility: what to flag now

    Harvest-now-decrypt-later attacks are active today. Here is what a crypto agility audit actually surfaces, and why waiting for NIST finalisation is the wrong anchor.

  14. Carnival breach exposes 6 million customer records

    ShinyHunters used one compromised employee account to extract names, addresses, and government IDs for 5.9 million Carnival Corporation customers. A look at what application-layer security testing would have surfaced.

  15. Exploit Chain Analysis Catches What Scanners Miss

    Single-vulnerability scanners miss the attacks that matter most. Real attackers chain low-severity findings into critical exploits. Here is how exploit-chain analysis finds paths that no scanner sees.

  16. Hallmark Salesforce Breach Exposes 1.7 Million Records

    ShinyHunters exploited misconfigured Salesforce Experience Cloud guest user permissions at Hallmark Cards in March 2026, leaking 1.7 million customer records after an April 2 extortion deadline passed.

  17. Anatomy of an autonomous pentest scan

    A technical walkthrough of Sekura's seven-phase multi-agent pipeline: SAST, recon, dynamic probing, exploit synthesis, chain analysis, post-quantum review, and reporting, with examples of what each phase produces.

  18. The triage tax: what scanners cost you

    Vulnerability scanners are cheap to license. The real cost is the engineering hours spent validating, prioritizing, and dismissing their output. Here is how to measure it.

  19. Proof, not probability. The case for deterministic exploits.

    CVSS scores tell you what might be exploitable. Sekura tells you what is. Here is why the proof bar matters more than the severity score, and what changes when you enforce it.