How to evaluate NGFW products to strengthen cybersecurity

Copyright TechTarget - All rights reserved https://cyber.law.harvard.edu/rss/rss.html Techtarget Feed Generator en Thu, 19 Feb 2026 05:38:08 GMT https://www.techtarget.com/searchsecurity editor@techtarget.com <p>For years, organizations have relied on traditional firewalls as their first and best line of defense against unauthorized access to their systems. The threat landscape, however, has changed dramatically. Hybrid working models, SaaS platforms and cloud data have blurred the network edge to the point where there is no single perimeter for SecOps to defend.</p> <p>As cyberattacks grow <a href="https://www.techtarget.com/whatis/34-Cybersecurity-Statistics-to-Lose-Sleep-Over-in-2020">more persistent and sophisticated</a> and identity becomes the new perimeter, organizations require additional measures to protect company assets. <a href="https://www.techtarget.com/searchsecurity/definition/next-generation-firewall-NGFW">Next-generation firewalls</a> have become a go-to tool for network security, combining traditional firewall capabilities with advanced hardware, software and cloud-based features to detect and block modern cyberattacks.</p> <p>Whether replacing an existing firewall or securing an expanding network infrastructure, CISOs and their teams must carefully evaluate NGFW products to find the one that best fits their organization's cybersecurity posture. Having the right NGFW for an organization's specific needs can reduce the frequency, severity and cost of cybersecurity incidents.</p> <section class="section main-article-chapter" data-menu-title="How to evaluate NGFW vendors"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to evaluate NGFW vendors</h2> <p>While it's natural to focus on the features and functions of NGFW products, CISOs should also evaluate the product vendors. Vetting these vendors and ensuring their efficacy can help avoid mistakes that delay or even derail the evaluation process.</p> <p>Approach the vetting process as when making any major purchase. For example, learn how easy it is to work with the vendor. Gauge its reputation, technical support and trustworthiness by reading online reviews. Take into account how long the vendor has been selling NGFW products. Ask if it is actively developing new products and features or only maintaining existing technology. Also, ask whether the vendor developed the NGFW products or if the technology was acquired through a company merger or acquisition.</p> <p>An organization's relationship with the chosen vendor will last long after the contract is signed, so select one with which it is comfortable working.</p> </section> <section class="section main-article-chapter" data-menu-title="NGFW product features"> <h2 class="section-title"><i class="icon" data-icon="1"></i>NGFW product features</h2> <p>Each organization will have its own unique set of security needs and priorities. With NGFWs containing a range of advanced product features, CISOs have much to consider.</p> <h3>Detection and response</h3> <p>The main objective of an NGFW is to detect and respond to threats. It is key to select an NGFW that can identify and understand the applications and protocols in use at the organization. It is also important that the NGFW analyzes the nature of communication, stops malicious and unwanted traffic, and logs and generates alerts for the cybersecurity team.</p> <p>Most security teams will require an NGFW that uses <a href="https://www.techtarget.com/whatis/definition/threat-intelligence-feed">threat intelligence feeds</a> to detect malicious and suspicious activity. The latest NGFWs integrate AI to improve speed and accuracy when detecting and responding to attacks and other policy violations.</p> <h3>Management and maintenance</h3> <p>To reduce complexity, look for an NGFW array accessible through a single interface to manage, maintain, monitor and report all encrypted and unencrypted network traffic. Ensure it supports and can enforce highly customizable rule sets and other configuration settings. Administrators should be able to tune detection capabilities to reduce both false positives and false negatives, and roll back configuration changes if problems occur. Ideally, select an NGFW that enforces <a href="https://www.techtarget.com/whatis/feature/History-and-evolution-of-zero-trust-security">zero-trust architecture</a> principles.</p> <h3>Integration</h3> <p>CISOs should select an NGFW that integrates and interoperates with other <a href="https://www.techtarget.com/searchsecurity/The-ultimate-guide-to-cybersecurity-planning-for-businesses">enterprise cybersecurity technologies</a> used by the organization, including network-based, host-based, and cloud-based products and services. The NGFW will need to ingest automated threat intelligence feeds from any source with updates in near-real-time.</p> </section> <section class="section main-article-chapter" data-menu-title="Additional NGFW selection criteria"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Additional NGFW selection criteria</h2> <p>Selecting an NGFW involves more than vendor and feature scrutiny. Evaluators should also ask these questions for additional selection criteria.</p> <h3>Product health</h3> <ul class="default-list"> <li>How long has the product -- and any predecessor models -- been in widespread use?</li> <li>Will this product be replaced or retired soon?</li> <li>How often does the product require updates?</li> <li>Are updates disruptive to operations?</li> <li>What do third-party evaluations and verified user reviews indicate about the product's performance, reliability, resilience and scalability over time?</li> </ul> <h3>Product use experience</h3> <ul class="default-list"> <li>Is the product easy to deploy, configure and use?</li> <li>How steep is the learning curve for the product's most advanced features?</li> <li>How strong are the product's technical support, documentation and knowledge bases?</li> <li>What hardware, licensing and subscription requirements are standard versus add-on?</li> </ul> <h3>Technology innovation</h3> <ul class="default-list"> <li>Does the product support forward-looking technologies, such as <a href="https://www.techtarget.com/searchsecurity/feature/How-to-prepare-for-post-quantum-computing-security">post-quantum cryptography</a>?</li> <li>What upgrades and innovations have been announced?</li> <li>What capabilities does the organization already have and what new ones might it need?</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Budget considerations"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Budget considerations</h2> <p>No security operation can overlook the budget. NGFW budgeting can be surprisingly complicated due to the multitude of deployment models, on-premises hardware appliances, on-premises software installed on commodity hardware, <a href="https://www.techtarget.com/searchcloudcomputing/opinion/Decipher-the-true-meaning-of-cloud-native">cloud-native software</a>, virtual software and cloud-based services. Naturally, the budget will differ for a deployment involving on-premises hardware appliances versus a SaaS-based deployment.</p> <p>When it comes to pricing, remember that vendors often offer multiple models across hardware and cloud-based services.</p> <p>Also note that not all major NGFW products are the same. Each vendor's hardware, licensing and subscription requirements are unique, so costs will add up differently. In addition, vendors might try to upsell features the organization already has or does not need. Consider these features carefully.</p> <p>Selecting an NGFW is a high-stakes decision that will have a long-term impact on an organization's security. CISOs who do their homework and ask the hard questions can choose a platform that meets the evolving security needs of their operation.</p> <table cellpadding="0" cellspacing="0" border="0" style="width: 863px;"> <tbody> <tr style="height: 14.25pt;"> <td style="width: 861.667px;"> <p><i>Karen Kent is the co-founder of Trusted Cyber Annex. She provides cybersecurity research and publication services to organizations and was formerly a senior computer scientist for NIST.</i></p> </td> </tr> </tbody> </table> <div> <div> <div language="JavaScript" id="_com_1"> <p></p> </div> </div> </div> </section> Next-generation firewalls are critical tools in today's evolving threat landscape. Learn how to evaluate and select an NGFW that will bolster your company's cybersecurity posture. https://cdn.ttgtmedia.com/rms/onlineimages/disaster_recovery_a106896575.jpg https://www.techtarget.com/searchsecurity/tip/How-to-evaluate-NGFW-products-to-strengthen-cybersecurity Wed, 18 Feb 2026 12:23:00 GMT How to evaluate NGFW products to strengthen cybersecurity <p>Mike is just like any other eager new employee when he receives an urgent email from his boss. In the email, she explains that she's at dinner with an important client and forgot her corporate credit card. She needs to pay for the meal now, without delay. She instructs Mike to send her his company-issued credit card information and explains that she'll approve the expense the next day.</p> <p>While a message like this might raise a red flag, the email certainly seems to be from his supervisor and, after all, Mike wants to show that he’s a team player.</p> <p>This scenario demonstrates why business email compromise, or <a href="https://www.techtarget.com/whatis/definition/business-email-compromise-BEC-man-in-the-email-attack">BEC</a>, is<i> s</i>uch a serious threat. The tactic is nefarious for prompting action due to its urgency and the psychology of workplace hierarchy. More complex than traditional <a href="https://www.techtarget.com/searchsecurity/feature/How-to-avoid-phishing-hooks-A-checklist-for-your-end-users">phishing campaigns</a>, BEC attacks are highly targeted and difficult to detect. These threats exploit the core vehicle for modern business communication and corporate trust: email.</p> <p>A thorn in the side of SecOps teams for years, BEC attacks are growing increasingly common as they prove to be lucrative schemes for both independent and <a href="https://www.techtarget.com/searchsecurity/feature/What-executives-must-know-about-nation-state-threat-actors">state-sponsored cybercriminals</a>. With education, vigilance and the right security measures, however, BEC is a highly preventable type of cyberattack.</p> <section class="section main-article-chapter" data-menu-title="What is business email compromise?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is business email compromise?</h2> <p>BEC is a coordinated cyberattack that specifically targets organizations by exploiting email communications to employees through impersonation and social engineering. The objective of BEC is to trick employees into transferring money, sharing confidential information or permitting system access to cybercriminals. Unlike more generalized phishing schemes, BEC relies on psychology and workplace norms to deceive the email recipients.</p> <p>At its core, BEC involves attackers impersonating company executives, authority figures, colleagues and business stakeholders within the organization, and communicating through company email access or by spoofing legitimate business email accounts. The sender requests wire transfers, payroll changes, payment arrangements, passwords or other confidential data. BEC is effective because the messages are unexpected, appeal to our professionalism, and carry the added weight of urgency and legitimacy.</p> </section> <section class="section main-article-chapter" data-menu-title="BEC attack threat severity"> <h2 class="section-title"><i class="icon" data-icon="1"></i>BEC attack threat severity</h2> <p>Most organizations consider BEC a high-severity <a href="https://www.techtarget.com/searchsecurity/feature/10-types-of-security-incidents-and-how-to-handle-them">security threat</a> due to its complexity, difficulty in detection and potential for financial loss. The FBI's "Internet Crime Report 2024" <a target="_blank" href="https://www.ic3.gov/AnnualReport/Reports/" rel="noopener">recorded</a> more than 21,000 BEC incidents, resulting in almost $2.8 billion in losses.</p> <p>Tasked with responding to BEC incidents and assessing business impact, security teams must align internal severity levels with the potential financial and operational implications of a successful attack. Despite BEC incidents being at high- to critical-severity levels, lower-level exploits can also pose a significant risk to the organization. The following chart highlights BEC attack scenarios and their effect on the organization.</p> <p><iframe title="" aria-label="Table" id="datawrapper-chart-wiplt" src="https://datawrapper.dwcdn.net/wiplt/1/" scrolling="no" frameborder="0" style="width: 0; min-width: 100% !important; border: none;" height="556" data-external="1"></iframe></p> <p> <script type="text/javascript">window.addEventListener("message",function(a){if(void 0!==a.data["datawrapper-height"]){var e=document.querySelectorAll("iframe");for(var t in a.data["datawrapper-height"])for(var r,i=0;r=e[i];i++)if(r.contentWindow===a.source){var d=a.data["datawrapper-height"][t]+"px";r.style.height=d}}});</script> </p> </section> <section class="section main-article-chapter" data-menu-title="How BEC attacks operate"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How BEC attacks operate</h2> <p>Because they are highly targeted and specific to each victim, BEC attack methods vary. However, the criminals behind these cyberattacks display some common tactics. The attack stages seen in many BEC incidents include the following:</p> <ul class="default-list"> <li><b>Reconnaissance. </b>Attackers research the organization to identify executives, finance staff, vendors, payment patterns, ongoing projects and more. Much of the information is publicly available or for sale on the dark web as a result of a prior breach. Cybercriminals use this information to craft bespoke messages to targeted users that look routine and expected.</li> <li><b>Initial account compromise or spoofing.</b> Attackers either <a href="https://www.techtarget.com/searchsecurity/definition/email-spoofing">spoof</a> a trusted email address with a nearly identical domain -- for example joe@techarget.com instead of joe@techtarget.com -- or compromise a real email account using stolen credentials or other phishing methods. If a legitimate account is compromised, the threat actors often idle in the background to observe user behavior. This permits them to learn the tone, messaging, approval chains, invoice cycles and other account behavior, enabling them to mimic a legitimate employee.</li> <li><b>Social engineering.</b> After the attackers gather enough information to impersonate a legitimate email user, the manipulation phase begins. BEC attackers send a convincing email that requests urgent action -- for example, an instruction to pay a vendor invoice, send gift cards, share banking details or anything else that fools the receiver into acting.</li> <li><b>Successful attack execution. </b>After the successful BEC incident, attackers transfer the funds or data to their own accounts, then cover their tracks by deleting evidence, restoring email rules or moving stolen funds or data among multiple accounts.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="How to prevent BEC attacks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to prevent BEC attacks</h2> <p>While BEC is infamous for its ability to fool employees, organizations can take the following steps to identify BEC attacks before they cause losses:</p> <ul class="default-list"> <li><b>Strengthen email security.</b> Deploy secure gateways and filters to detect spoofing, malware and suspicious links or attachments before they reach users.</li> <li><b>Implement email security protocols.</b> Use Sender Policy Framework (SPF), DomainKeys Identified Mail (<a href="https://www.techtarget.com/searchsecurity/definition/DomainKeys-Identified-Mail-DKIM">DKIM</a>) and Domain-based Message Authentication, Reporting and Conformance (<a href="https://www.techtarget.com/searchsecurity/definition/Domain-based-Message-Authentication-Reporting-and-Conformance-DMARC">DMARC</a>) to prevent domain spoofing.</li> <li><b>Fortify user access protections.</b> Use <a href="https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA">MFA</a> and other role-based access controls to protect user email accounts against unauthorized access. Require users to create strong, unique passwords.</li> <li><b>Manage access controls and accounts.</b> Apply <a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP">least‑privilege</a> and timely account deprovisioning.</li> <li><b>Disable automatic email forwarding.</b> Disabling automatic forwards to external email addresses helps prevent data exfiltration in the event of a compromised account.</li> <li><b>Monitor email and financial activity.</b> Look for anomalies, such as logins from unusual locations, off‑hours wire requests or sudden changes to vendor details.</li> <li><b>Conduct ongoing awareness training for end users and security teams.</b> Educate employees on BEC and how to spot it. Keep security teams up to date with the latest phishing campaigns and BEC tactics to help them identify real-world attacks.</li> </ul> <p>Let’s get back to Mike, our eager new employee. With rigorous cybersecurity measures in place, he will probably never even receive the email containing a hidden BEC attack. However, even if he does, awareness training has given him the tools to identify the threat, confirm the request (by some other means than email) and alert IT to the attempt. What better way to impress the new boss than by avoiding a costly BEC attack?</p> <p><i>Amanda Scheldt is a security content writer and former security research practitioner.</i></p> </section> Business email compromise feeds on professional email norms -- and exploits emotions such as fear or urgency. Learn what BEC is, how it works and how to prevent it. https://cdn.ttgtmedia.com/rms/onlineimages/ransom_g1320502708.jpg https://www.techtarget.com/searchsecurity/tip/CISOs-guide-How-to-prevent-business-email-compromise Fri, 13 Feb 2026 14:54:00 GMT CISO's guide: How to prevent business email compromise <p>Enterprises are increasingly in a race against time to address vulnerabilities before attackers exploit them.</p> <p>The bad guys are getting faster, and <a href="https://www.techtarget.com/searchenterprisedesktop/definition/patch-management">patch management</a> isn't keeping up. Threat intelligence services provider Flashpoint found the average time to exploit -- the period between a vulnerability's disclosure and its weaponization in the wild -- plummeted from 745 days in 2020 to just 44 days in 2025. Worryingly, according to Statista research, organizations put off patching critical vulnerabilities for an average of 165 days last year.</p> <p>The speed with which attackers now barrel through soft spots in enterprise defenses makes this week's featured news articles all the more urgent. Rather than routine maintenance activities, patching critical zero days and retiring insecure devices are increasingly high-stakes defense sprints.</p> <section class="section main-article-chapter" data-menu-title="Not a drill: Microsoft patches 6 zero days under active exploitation"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Not a drill: Microsoft patches 6 zero days under active exploitation</h2> <p>Microsoft's latest security update includes patches for six actively exploited zero days and five additional CVEs the provider said malicious actors are relatively likely to exploit. Three of the zero days involve security feature bypass flaws in various Microsoft products, enabling attackers to circumvent built-in defensive controls. The February update addressed 59 flaws in total.</p> <p>Microsoft emphasized the importance of applying these patches promptly to protect systems from potential exploitation. This update highlights the growing sophistication of cyberthreats and the need for organizations to maintain <a href="https://www.techtarget.com/searchsecurity/tip/5-enterprise-patch-management-best-practices">strong patch management practices</a> to safeguard their infrastructure.</p> <p><a target="_blank" href="https://www.darkreading.com/vulnerabilities-threats/microsoft-fixes-6-actively-exploited-zero-days" rel="noopener"><i>Read the full article by Jai Vijayan on Dark Reading</i></a>.</p> </section> <section class="section main-article-chapter" data-menu-title="CISA orders federal agencies to remove unsupported edge devices"> <h2 class="section-title"><i class="icon" data-icon="1"></i>CISA orders federal agencies to remove unsupported edge devices</h2> <p>CISA has issued a binding operational directive requiring federal agencies to stop using unsupported network edge devices, such as firewalls and routers, within a year. CISA said end-of-support (EOS) devices pose a substantial and constant "imminent threat."</p> <p>Agencies must update outdated devices, report their usage and decommission those with expired support. Within 24 months, processes must be established to track and remove unsupported devices before their EOS dates.</p> <p>While the directive targets federal agencies, CISA encourages broader adoption by local governments and businesses. Despite limited enforcement power, CISA will collaborate with the White House to monitor compliance and provide support.</p> <p><a target="_blank" href="https://www.cybersecuritydive.com/news/cisa-edge-devices-binding-operational-directive/811539/" rel="noopener"><i>Read the full article by Eric Gellar on Cybersecurity Dive</i></a>.</p> </section> <section class="section main-article-chapter" data-menu-title="Attack on Poland's energy grid prompts warning to U.S. critical infrastructure operators"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Attack on Poland's energy grid prompts warning to U.S. critical infrastructure operators</h2> <p>A recent cyberattack on Poland's energy grid, attributed to Russian hacker groups Berserk Bear and Sandworm, underscores the dangers posed by vulnerable edge devices in operational technology (OT) environments. CISA warned U.S. critical infrastructure operators to take note.</p> <p>In the December 2025 attack, malicious hackers exploited internet-facing FortiGate devices with reused passwords, enabling them to access a variety of OT devices with default passwords. The attackers were then able to deploy <a href="https://www.techtarget.com/searchsecurity/tip/How-to-mitigate-wiper-malware">wiper malware</a>, corrupt firmware and disrupt system operations. While renewable energy systems continued production, operators lost control and monitoring capabilities.</p> <p>In an advisory, CISA emphasized the need for <a href="https://www.techtarget.com/searchsecurity/tip/What-CISOs-need-to-know-to-build-an-OT-cybersecurity-program">OT asset operators</a> to implement stronger cybersecurity measures, including changing default passwords and enabling firmware verification on OT devices. The incident also highlights the urgent need for critical infrastructure operators to enhance defenses against cyberthreats.</p> <p><a target="_blank" href="https://www.cybersecuritydive.com/news/cisa-critical-infrastructure-warning-poland-energy-hack/811819/" rel="noopener"><i>Read the full story by Eric Geller on Cybersecurity Dive</i></a>.</p> <p><b>Editor's note:</b> <i>An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.</i></p> <p><i>Alissa Irei is senior site editor of Informa TechTarget Security.</i></p> </section> Check out the latest security news from the Informa TechTarget team. https://cdn.ttgtmedia.com/visuals/German/article/windows-keyboard-microsoft.jpg https://www.techtarget.com/searchsecurity/news/366639010/News-brief-6-Microsoft-zero-days-and-a-warning-from-CISA Fri, 13 Feb 2026 13:31:00 GMT News brief: 6 Microsoft zero days and a warning from CISA <p>Cybersecurity leaders should capitalize on AI mania in the enterprise to address longstanding security problems, urged Arizona State University CISO Lester Godsey.</p> <p>"Executive management is all [in on] AI," Godsey said during a recent session at CactusCon, an annual cybersecurity conference in Mesa, Ariz. "I would encourage you to be shameless in leveraging this moment in time."</p> <p>AI, with its game-changing capabilities and executive support, presents major technical and strategic opportunities for CISOs. At ASU, for example, Godsey's team is using AI to improve <a href="https://www.techtarget.com/searchsecurity/tip/How-to-write-a-data-classification-policy-with-template">data classification</a>, data loss prevention (DLP) and identity and access management (<a href="https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system">IAM</a>). In turn, those improvements and adaptations are key to strong security and governance for the university's in-house AI platform, which supports more than 60 <a href="https://www.techtarget.com/whatis/feature/12-of-the-best-large-language-models">large language models</a> and serves the largest student body in the U.S.</p> <section class="section main-article-chapter" data-menu-title="At ASU, AI for data classification -- and data classification for AI security"> <h2 class="section-title"><i class="icon" data-icon="1"></i>At ASU, AI for data classification -- and data classification for AI security</h2> <p>Organizations looking to adapt their cybersecurity programs to meet new AI needs -- and solve longstanding security problems in the process -- might consider starting with data security, Godsey said. With some tweaking, existing data classification, <a href="https://www.techtarget.com/searchsecurity/opinion/DLP-in-the-GenAI-Era-Shadow-data-and-DLP-product-churn">DLP</a> and IAM strategies can readily adapt to new AI security and governance use cases, he added.</p> <p>ASU, for example, had an existing data security program, but -- like many large organizations -- it also had a decades-long struggle with data sprawl. Godsey said his team recently ran a proof-of-concept test using AI to automate the classification of unstructured data. It yielded high-fidelity outputs.</p> <p>"The result is that we'll finally be able to leverage DLP," Godsey said. "The technology has been around for over 20 years, arguably, but we'll actually be able to use it now thanks to AI."</p> <p>In turn, an optimized data security program enables ASU to properly secure and govern its AI systems, according to Godsey. By employing the <a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP">principle of least privilege</a>, for example, the security team can block both human and <a target="_blank" href="https://www.darkreading.com/cybersecurity-operations/taming-agentic-ai-risks-securing-nhi" rel="noopener">nonhuman users from accessing assets</a> they don't need to perform their defined roles.</p> <p>"One of my biggest fears is agentic AI by default," Godsey said, adding that an overprivileged, rogue AI agent could wreak havoc on an enterprise -- posting sensitive data to public channels, for example. "Especially when AI starts doing more and more on its own, you need those guardrails in place, and you need to double- and triple-check them."</p> <p>In this case, the problem is also part of the solution: ASU has created a custom <a href="https://www.techtarget.com/searchsecurity/tip/What-agentic-AI-means-for-cybersecurity">cybersecurity AI agent</a> whose sole purpose is to ensure that other AI agents operate within secure parameters. It alerts human operators if it finds other agents deviating too far from acceptable set behavior.</p> <p>Godsey said his team also plans to use AI to further strengthen ASU's <a href="https://www.techtarget.com/searchsecurity/definition/cybersecurity-asset-management-CSAM">asset management</a>, shadow IT discovery and API security strategies.</p> <p><i>Alissa Irei is senior site editor of Informa TechTarget's SearchSecurity.</i></p> </section> All eyes in the C-suite are on AI, and Arizona State University's CISO is seizing the moment. Learn how AI is solving problems that cybersecurity has been flagging for years. https://cdn.ttgtmedia.com/rms/onlineimages/ai_a264431831.jpg https://www.techtarget.com/searchsecurity/feature/ASUs-CISO-AI-craze-is-a-strategic-opportunity-for-security Thu, 12 Feb 2026 23:50:00 GMT ASU's CISO: AI craze is a strategic opportunity for security <p>Incident response plans enable organizations to quickly and efficiently handle cyberattacks. The lack of such a plan increases the likelihood that an attack will cause significant operational damage to IT systems, networks and data.</p> <p>When developing an effective incident response strategy, a framework is essential. Industry frameworks can help an organization formulate an effective incident response initiative or update its existing initiatives.</p> <section class="section main-article-chapter" data-menu-title="What are frameworks and why are they important?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What are frameworks and why are they important?</h2> <p>An incident response framework is the foundation for building an incident response program. An ideal framework provides structure and guidance for addressing all incident response activities.</p> <p>For existing incident response programs, frameworks can ensure teams address relevant issues, such as staffing, administration, response playbooks, awareness and training, testing and resource identification.</p> <p>CISOs and cybersecurity teams responsible for developing a new incident plan and associated activities will quickly recognize the benefits of using a framework, especially when ensuring all the right boxes are checked.</p> <p>Properly used, a framework can be adapted into a variety of formal documents, including incident response programs, policies and individual plans. Organizations required to demonstrate compliance with both domestic and international standards and regulations should use specific frameworks when developing incident response programs and plans. From legal, operational and audit perspectives, using frameworks helps demonstrate compliance with these important requirements.</p> </section> <section class="section main-article-chapter" data-menu-title="Key elements of an IR framework"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Key elements of an IR framework</h2> <p>Regardless of its source, an incident framework should include at least five specific components. Each standard and framework has its own nomenclature for these components, which generally follows the five-Rs structure.</p> <h3>Research</h3> <p>Before a cyberattack occurs, security teams should carefully examine all elements of the organization's IT infrastructure. A risk analysis determines which elements of the business are <a href="https://www.techtarget.com/searchsecurity/feature/How-to-fix-the-top-5-cybersecurity-vulnerabilities">most susceptible to attack</a>, the <a href="https://www.techtarget.com/searchsecurity/feature/10-types-of-security-incidents-and-how-to-handle-them">types of security events</a> most likely to occur and the effects those events would have on the business.</p> <p>The research phase includes a review of measures to prepare for and respond to an actual attack. These include preparing policies and plans, deploying cybersecurity systems and software, training <a href="https://www.techtarget.com/searchsecurity/definition/incident-response-team">incident response teams</a>, performing threat hunting and penetration testing, patching software and testing cybersecurity plans.</p> <h3>Recognition</h3> <p>This stage occurs when an incident is identified. It could be an alert from an intrusion prevention or detection system, a firewall or an antimalware program, among others. Once an alert has sounded, the next stage is launched.</p> <h3>Response</h3> <p>In this stage,<b> </b>cybersecurity teams identify the nature and source of the threat, isolate it, analyze its potential impacts and decide the most appropriate response.</p> <h3>Resolution</h3> <p>In this stage, <a href="https://www.techtarget.com/searchsecurity/feature/How-to-become-an-incident-responder-Requirements-and-more">incident responders</a> eliminate the threat or mitigate its severity so it no longer disrupts business operations. This is especially important in <a href="https://www.techtarget.com/searchsecurity/tip/How-to-recover-from-a-ransomware-attack">ransomware incident response</a>, where a rapid resolution might save the organization thousands or even millions of dollars in costs associated with recovering compromised systems, networks, files and databases.</p> <h3>Recap</h3> <p>Once the event has been resolved, it is essential to document how the incident response team handled the event from initial awareness to final resolution. Assessing what worked and what did not enables teams to identify areas for improvement in the incident process and to refine the incident response framework and incident response plan.</p> </section> <section class="section main-article-chapter" data-menu-title="Incident response standards and frameworks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Incident response standards and frameworks</h2> <p>There are several well-known incident response standards and frameworks. Some have their roots in government service, while others were developed for the private sector. Each approach can help develop an incident framework for enterprise cybersecurity requirements.</p> <h3>ISO/IEC 27035 series</h3> <p>The ISO/IEC 27035 series has three parts:</p> <ul class="default-list"> <li><a target="_blank" href="https://www.iso.org/standard/78973.html" rel="noopener">ISO/IEC 27035-1</a> introduces incident management principles.</li> <li><a target="_blank" href="https://www.iso.org/standard/78974.html" rel="noopener">ISO/IEC 27035-2</a> focuses on incident management preparation and planning.</li> <li><a target="_blank" href="https://www.iso.org/standard/74033.html" rel="noopener">ISO/IEC 27035-3</a> describes how to respond to cybersecurity incidents.</li> </ul> <p>The series breaks the incident response process into the following five phases:</p> <ul class="default-list"> <li><b>Planning and preparation.</b> Establish an incident management policy and create an incident response team.</li> <li><b>Detection and reporting.</b> Set up the processes, procedures and technologies required to detect and report the incident.</li> <li><b>Assessment and decision.</b> Create processes and procedures, and establish incident descriptions and criteria.</li> <li><b>Response to incidents.</b> Establish controls to prevent, respond to and recover from incidents.</li> <li><b>Lessons learned.</b> Learn from security incidents to improve overall incident management.</li> </ul> <p>Collectively, the series provides a comprehensive framework for incident response and incident management.</p> <p>"<a target="_blank" href="https://webstore.ansi.org/standards/iso/iso223202018" rel="noopener">ISO 22320:2018</a> Security and resilience -- Emergency management -- Guidelines for incident management" closely mirrors ISO 27035. It can serve as a standalone framework or as a complement to ISO 27035.</p> <h3>NIST incident response framework</h3> <p><a target="_blank" href="https://csrc.nist.gov/pubs/sp/800/61/r3/final" rel="noopener">NIST Special Publication 800-61</a> Rev. 3 was updated in April 2025 to reflect the modern incident response landscape and align with the NIST Cybersecurity Framework 2.0.</p> <p>The updated guidance identifies the incident response lifecycle in three sections:</p> <ul class="default-list"> <li><b>Preparation.</b> NIST wrote that this phase is not part of incident response itself but part of the broader ongoing risk management process. It includes risk assessment and analysis, policy creation, system monitoring and the implementation of security tools and technologies.</li> <li><b>Incident response.</b> This stage involves detecting, responding to and recovering from a cybersecurity event.</li> <li><b>Lessons learned.</b> This step involves gathering feedback from all activities in all steps to identify improvements and adjust policies, processes and plans.</li> </ul> <h3>SANS incident response framework</h3> <p>SANS Institute, a private cybersecurity training, certification and research organization, published an incident response framework that has the following phases:</p> <ul class="default-list"> <li><b>Preparation.</b> Review and codify security policies, perform a risk assessment, identify sensitive assets, define critical security incidents and build an incident response team.</li> <li><b>Identification.</b> Monitor IT systems, detect deviations from normal operations and determine whether they represent real security incidents. If an incident is discovered, collect additional evidence, establish its type and severity, and document everything.</li> <li><b>Containment.</b> Perform short-term containment, and then focus on long-term containment, which involves temporary fixes to enable systems to be used in production while rebuilding clean systems.</li> <li><b>Eradication.</b> Remove malware from affected systems, identify the root cause of the attack and take action to prevent similar attacks.</li> <li><b>Recovery.</b> Bring affected production systems back online cautiously to prevent further attacks. Test, verify and monitor affected systems to ensure they return to normal operation.</li> <li><b>Lessons learned.</b> Compile all relevant information about the incident and identify lessons that will help with future incident response activities.</li> </ul> <h3>CERT Incident Management Capability</h3> <p>Developed by Carnegie Mellon University's Software Engineering Institute and used by the U.S. Department of Homeland Security and U.S. Computer Emergency Readiness Team, the CERT incident management assessment addresses a broad spectrum of cybersecurity event response activities. Its incident response phases include the following:</p> <ul class="default-list"> <li><b>Prepare. </b>Establish a formal incident function, set up roles and responsibilities, develop procedures for incident response, and identify tools and key relationships for managing incident responses.</li> <li><b>Protect. </b>Establish measures to identify potential risks, threats and vulnerabilities; deploy upgrades, modifications and enhancements to security infrastructure assets, including firewalls, intrusion detection systems and antivirus; and develop a patch management process.</li> <li><b>Detect. </b>Balance proactive actions, such as monitoring and analysis, with reactive actions, such as event data gathering, to determine the nature of a suspicious activity.</li> <li><b>Respond. </b>Analyze the anomaly, launch mitigation and remediation activities, initiate event notification and begin post-event follow-up to determine how well the response activities performed.</li> <li><b>Sustain.</b> Maintain effective incident response activities, including program funding, training of response teams, reviewing and updating of controls, and post-event reviews to identify ways of improving incident response procedures.</li> </ul> <h3>Additional incident response frameworks</h3> <p>Consider the following incident response guidance:</p> <ul class="default-list"> <li>IEEE has research, guidance and frameworks, but no formal standards.</li> <li>IETF has standards and best practices for computer security incident response teams.</li> <li>The EU Agency for Cybersecurity developed incident response frameworks that are published via guidance documents, including "Good Practice Guide for Incident Management."</li> <li>"NIST SP 800-53 Rev. 3: Security and Privacy Controls for Information Systems and Organizations" is a key information security standard that includes requirements for incident response.</li> <li>Mitre ATT&CK is a knowledge base of cybersecurity threat activities that can contribute to the creation of an incident response framework with guidance on incident detection, analysis and reporting.</li> <li>CISA has operational procedures and playbooks for planning and conducting cybersecurity vulnerability and incident response activities.</li> <li>CISA established the National Cyber Incident Response Plan, a public sector-focused framework providing guidance on responding to cyberattacks.</li> <li>"ISO 27001: Information security, cybersecurity and privacy protection -- Information security management systems -- Requirements" is the global standard for information security management systems and aligns with ISO 27035 for incident response activities.</li> <li>The U.S. Incident Command System presents a structured approach to incident response and management. It is designed to enable collaboration among various federal, state and local government agencies.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="How to create an incident response framework"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to create an incident response framework</h2> <p>Organizations that already have an incident response framework in place should compare it to the standards and frameworks outlined above to ensure it aligns with good-practice guidance. Review and update the framework periodically to ensure it remains aligned with the standards.</p> <p>When developing an in-house incident response framework, consider the following steps:</p> <ul class="default-list"> <li>Examine existing cybersecurity documentation, including policies, procedures, plans and reports.</li> <li>Establish a project plan and team to develop the framework.</li> <li>Gather and review existing frameworks. Select the document(s) that best fits the organization's requirements.</li> <li>If the framework is part of an enterprise cybersecurity initiative that needs to demonstrate compliance with a standard or regulation, use a framework that aligns with that standard or regulation.</li> <li>Prepare an initial draft framework for review.</li> <li>Carefully review the draft framework to ensure it aligns with existing cybersecurity policies, procedures and compliance requirements.</li> <li>Secure approval from senior management.</li> <li>Disseminate the framework to members of the cybersecurity team and the security operations center team.</li> </ul> <p>Once the framework has been completed and approved, formulate incident response program documents based on the framework. Review and update existing incident response activities if necessary.</p> <p>In situations where a formal incident response program needs to be developed, use the framework to do the following:</p> <ul class="default-list"> <li>Initiate the incident response program.</li> <li>Create incident response policies and processes.</li> <li>Identify, secure and train <a href="https://www.techtarget.com/searchsecurity/feature/How-to-build-an-incident-response-team-for-your-organization">incident response team members</a>.</li> <li>Adopt tools and resources for incident response activities.</li> <li>Deploy systems for incident identification, event logging and tracking, and event response and reporting.</li> <li>Launch activities for threat hunting, pen testing and other forensic activities.</li> <li>Regularly patch critical software.</li> <li>Schedule and conduct incident response exercises and tests.</li> <li>Include incident response activities in weekly IT staff meetings.</li> <li>Establish a continuous improvement activity for incident response.</li> </ul> <p>Whether an organization develops its own homegrown framework or uses one or more of the documents mentioned here, be sure it addresses domestic and international compliance requirements.</p> <p>Most current standards and frameworks share a basic structure. Carefully review them to find one that best meets the organization's incident response requirements.</p> <p>Also note that while frameworks help, it is the <a href="https://www.techtarget.com/searchsecurity/feature/5-critical-steps-to-creating-an-effective-incident-response-plan">approved incident response plan</a> that an organization uses to protect itself from cyberattacks.</p> <p><i>Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.</i></p> <p> </p> </section> Frameworks provide the structure for an effective incident response program. Here's where to turn for guidance on what to include. https://cdn.ttgtmedia.com/rms/onlineimages/check_g1205300933.jpg https://www.techtarget.com/searchsecurity/tip/Incident-response-frameworks-for-enterprise-security-teams Thu, 12 Feb 2026 09:00:00 GMT How to build an incident response framework <p paraeid="{c5710b6e-dc97-4ab0-979a-93ab83745677}{25}" paraid="736753854"><span xml:lang="EN-US" data-contrast="auto">The tradeoff between embracing innovation and protecting the organization is one of the most daunting decisions security leaders face. With AI emerging as such a powerful utility for both threat actors and cybersecurity defenders, organizations must balance AI's benefits with risk exposure. This balancing act grows increasingly difficult as AI adoption accelerates across security operations centers, cloud deployments and threat management scenarios.</span><span data-ccp-props="{}"> </span></p> <div> <p paraeid="{c5710b6e-dc97-4ab0-979a-93ab83745677}{157}" paraid="537643016"><span xml:lang="EN-US" data-contrast="auto">CISOs and IT leaders require practical, risk-based approaches to evaluating AI's role as the technology continues to evolve and integrate into cybersecurity operations.</span><span data-ccp-props="{}"> </span></p> </div> <div> <h2 paraeid="{c5710b6e-dc97-4ab0-979a-93ab83745677}{197}" paraid="2131074244" aria-level="2" role="heading"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 2">AI is a CISO decision</span></span><span data-ccp-props="{"134245418":true,"134245529":true,"335559738":200,"335559739":0}"> </span></h2> </div> <div> <p paraeid="{c5710b6e-dc97-4ab0-979a-93ab83745677}{203}" paraid="358350450"><span xml:lang="EN-US" data-contrast="auto">While AI remains an inescapable buzzword, its context has shifted from an experimental technology to a </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchenterpriseai/feature/6-key-benefits-of-AI-for-business"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">core component of operational success</span></span></a><span xml:lang="EN-US" data-contrast="auto">.</span><span data-ccp-props="{}"> </span></p> </div> <div> <p paraeid="{017756ba-2439-462d-afd4-4cc8619c3953}{4}" paraid="87891195"><span xml:lang="EN-US" data-contrast="auto">AI-driven security introduces two competing truths that CISOs and security leaders must address. On the one hand, it can scale defenses, reduce analyst fatigue and enable faster incident response. On the other hand, it expands the </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/whatis/definition/attack-surface"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">attack surface</span></span></a><span xml:lang="EN-US" data-contrast="auto">, introduces new failure modes, and raises governance and compliance questions. Reconciling these two outcomes requires executive oversight, clear accountability and a risk-based approach to managing AI adoption. Decisions affect risk posture, regulatory exposure and operational resilience. As such, CISOs are stewards of both AI security and responsible AI use.</span><span data-ccp-props="{}"> </span></p> </div> <div> <h2 paraeid="{017756ba-2439-462d-afd4-4cc8619c3953}{72}" paraid="344816177" aria-level="2" role="heading"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 2">AI security risks</span></span><span data-ccp-props="{"134245418":true,"134245529":true,"335559738":200,"335559739":0}"> </span></h2> </div> <div> <p paraeid="{017756ba-2439-462d-afd4-4cc8619c3953}{82}" paraid="311776598"><span xml:lang="EN-US" data-contrast="auto">AI introduces the following distinct, practical risks that security leaders must understand before deploying at scale:</span><span data-ccp-props="{}"> </span></p> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="9" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{017756ba-2439-462d-afd4-4cc8619c3953}{106}" paraid="1754107514"><strong><span xml:lang="EN-US" data-contrast="auto">Model and data risks.</span></strong><span xml:lang="EN-US" data-contrast="auto"> These include </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchenterpriseai/answer/How-bad-is-generative-AI-data-leakage-and-how-can-you-stop-it"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">training data leakage</span></span></a><span xml:lang="EN-US" data-contrast="auto">, model theft, insecure configurations, </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchsecurity/tip/How-data-poisoning-attacks-work"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">data poisoning</span></span></a><span xml:lang="EN-US" data-contrast="auto"> and </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchsecurity/tip/Types-of-prompt-injection-attacks-and-how-they-work"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">prompt injection</span></span></a><span xml:lang="EN-US" data-contrast="auto">.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="9" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{017756ba-2439-462d-afd4-4cc8619c3953}{147}" paraid="429907495"><strong><span xml:lang="EN-US" data-contrast="auto">Operational risks.</span></strong><span xml:lang="EN-US" data-contrast="auto"> Over-reliance on AI outputs, automation without validation, </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchenterpriseai/tip/How-to-identify-and-manage-AI-model-drift"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">model drift</span></span></a><span xml:lang="EN-US" data-contrast="auto">, inadequate monitoring and </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchsecurity/tip/Shadow-AI-How-CISOs-can-regain-control-in-2026"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">shadow AI</span></span></a><span xml:lang="EN-US" data-contrast="auto">.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="3" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="9" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{017756ba-2439-462d-afd4-4cc8619c3953}{181}" paraid="622475383"><strong><span xml:lang="EN-US" data-contrast="auto">Adversarial threats.</span></strong><span xml:lang="EN-US" data-contrast="auto"> Malicious actors use AI to develop malware, </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchsecurity/tip/Generative-AI-is-making-phishing-attacks-more-dangerous"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">scale phishing attacks</span></span></a><span xml:lang="EN-US" data-contrast="auto">, create </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchsecurity/tip/Prepare-for-deepfake-phishing-attacks-in-the-enterprise"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">deepfakes</span></span></a><span xml:lang="EN-US" data-contrast="auto">, enhance social engineering attacks and automate vulnerability discovery.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="4" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="9" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{017756ba-2439-462d-afd4-4cc8619c3953}{221}" paraid="2046094551"><strong><span xml:lang="EN-US" data-contrast="auto">Governance and compliance risks.</span></strong><span xml:lang="EN-US" data-contrast="auto"> Lack of explainability, auditability and regulatory alignment, as well as data residency, </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchenterpriseai/tip/How-to-navigate-data-sovereignty-for-AI-compliance"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">data sovereignty</span></span></a><span xml:lang="EN-US" data-contrast="auto"> and privacy concerns.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="5" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="9" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{017756ba-2439-462d-afd4-4cc8619c3953}{249}" paraid="1143929978"><strong><span xml:lang="EN-US" data-contrast="auto">Third-party and supply chain risks.</span></strong><span xml:lang="EN-US" data-contrast="auto"> Vendor models, misconfigurations, black-box systems and shared infrastructure.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <h2 paraeid="{50d84ea4-a89b-489e-9760-fab4a4bfc04e}{9}" paraid="1572806065"><span xml:lang="EN-US" data-contrast="auto">The benefits of AI for security teams</span><span data-ccp-props="{}"> </span></h2> </div> <div> <p paraeid="{50d84ea4-a89b-489e-9760-fab4a4bfc04e}{143}" paraid="132311831"><span xml:lang="EN-US" data-contrast="auto">AI delivers the most value for cybersecurity teams when it augments human expertise rather than replacing it. The strongest cybersecurity AI use cases typically center on scale, speed and pattern recognition -- areas where humans struggle to keep up with the volume and complexity of modern environments.</span><span data-ccp-props="{}"> </span></p> </div> <div> <h3 paraeid="{50d84ea4-a89b-489e-9760-fab4a4bfc04e}{179}" paraid="33671025" aria-level="3" role="heading"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 3">Threat detection and alert triage</span></span><span data-ccp-props="{"134245418":true,"134245529":true,"335559738":40,"335559739":0}"> </span></h3> </div> <div> <p paraeid="{50d84ea4-a89b-489e-9760-fab4a4bfc04e}{187}" paraid="1279771082"><span xml:lang="EN-US" data-contrast="auto">AI analyzes vast amounts of data in real time, performing pattern recognition at scale and reducing noise. It </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchsecurity/feature/How-AI-driven-SOC-tech-eased-alert-fatigue-Case-study"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">enhances alert triage</span></span></a><span xml:lang="EN-US" data-contrast="auto"> by prioritizing and categorizing alerts by severity, helping reduce false positives and speed incident response.</span><span data-ccp-props="{}"> </span></p> </div> <div> <h3 paraeid="{50d84ea4-a89b-489e-9760-fab4a4bfc04e}{219}" paraid="669586494" aria-level="3" role="heading"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 3">Security operations augmentation</span></span><span data-ccp-props="{"134245418":true,"134245529":true,"335559738":40,"335559739":0}"> </span></h3> </div> <div> <p paraeid="{50d84ea4-a89b-489e-9760-fab4a4bfc04e}{228}" paraid="890104295"><span xml:lang="EN-US" data-contrast="auto">AI </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchcio/feature/How-DXC-Technology-uses-agentic-AI-in-the-SOC"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">automates manual and repetitive tasks</span></span></a><span xml:lang="EN-US" data-contrast="auto">, including log analysis, investigation support, case summarization, vulnerability scanning and incident reporting, enabling SOC members to focus on more pressing matters and strategic decision-making.</span><span data-ccp-props="{}"> </span></p> </div> <div> <h3 paraeid="{5d43dbeb-56f6-42c9-8d2d-0123976c2e4b}{11}" paraid="1419062110" aria-level="3" role="heading"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 3">Threat intelligence</span></span><span data-ccp-props="{"134245418":true,"134245529":true,"335559738":40,"335559739":0}"> </span></h3> </div> <div> <p paraeid="{5d43dbeb-56f6-42c9-8d2d-0123976c2e4b}{18}" paraid="1831133178"><span xml:lang="EN-US" data-contrast="auto">AI </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchsecurity/tip/How-AI-is-reshaping-threat-intelligence"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">analyzes threat data at scale</span></span></a><span xml:lang="EN-US" data-contrast="auto">, identifies patterns, correlates indicators, summarizes campaigns and enables faster context building. It also assists with the integration of real-time insights into security systems for proactive defense.</span><span data-ccp-props="{}"> </span></p> </div> <div> <h3 paraeid="{5d43dbeb-56f6-42c9-8d2d-0123976c2e4b}{38}" paraid="1099046078" aria-level="3" role="heading"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 3">Vulnerability management</span></span><span data-ccp-props="{"134245418":true,"134245529":true,"335559738":40,"335559739":0}"> </span></h3> </div> <div> <p paraeid="{5d43dbeb-56f6-42c9-8d2d-0123976c2e4b}{45}" paraid="1107092745"><span xml:lang="EN-US" data-contrast="auto">AI </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchsecurity/tip/How-AI-will-transform-vulnerability-management-for-the-better"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">automates vulnerability identification and prioritization</span></span></a><span xml:lang="EN-US" data-contrast="auto"> based on asset context and exploitability. It also mitigates risk by fixing vulnerabilities, implementing controls to prevent their exploitation and notifying security teams of the issues.</span><span data-ccp-props="{}"> </span></p> </div> <div> <h3 paraeid="{5d43dbeb-56f6-42c9-8d2d-0123976c2e4b}{77}" paraid="111951291" aria-level="3" role="heading"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 3">Identity and access security</span></span><span data-ccp-props="{"134245418":true,"134245529":true,"335559738":40,"335559739":0}"> </span></h3> </div> <div> <p paraeid="{5d43dbeb-56f6-42c9-8d2d-0123976c2e4b}{84}" paraid="900759887"><span xml:lang="EN-US" data-contrast="auto">AI enhances anomaly detection in authentication and access behaviors, helping prevent unauthorized access and potential breaches. It can also help streamline user authentication.</span><span data-ccp-props="{}"> </span></p> </div> <div> <h3 paraeid="{5d43dbeb-56f6-42c9-8d2d-0123976c2e4b}{96}" paraid="1755064141" aria-level="3" role="heading"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 3">Security engineering and automation</span></span><span data-ccp-props="{"134245418":true,"134245529":true,"335559738":40,"335559739":0}"> </span></h3> </div> <div> <div> <p paraeid="{5d43dbeb-56f6-42c9-8d2d-0123976c2e4b}{103}" paraid="6220878"><span xml:lang="EN-US" data-contrast="auto">AI enables </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchsecurity/feature/How-AI-threat-detection-is-transforming-enterprise-cybersecurity"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">advanced threat detection</span></span></a><span xml:lang="EN-US" data-contrast="auto">, real-time monitoring and predictive analytics. AI also streamlines processes such as policy generation, rule tuning and playbook assistance, as well as compliance checks and system updates, reducing human error and enhancing overall efficiency.</span><span data-ccp-props="{}"> </span></p> </div> <div> <h2 paraeid="{5d43dbeb-56f6-42c9-8d2d-0123976c2e4b}{138}" paraid="1356277500" aria-level="2" role="heading"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 2">Finding the right security use cases for AI</span></span><span data-ccp-props="{"134245418":true,"134245529":true,"335559738":200,"335559739":0}"> </span></h2> </div> <div> <p paraeid="{939ac8cb-ac4e-4902-913e-fcfc64013ecd}{3}" paraid="1761567659"><span xml:lang="EN-US" data-contrast="auto">Not every security process benefits from AI. Applying it indiscriminately can introduce unnecessary risk and expense. CISOs and their teams should evaluate each potential use case using a structured, risk-based approach.</span><span data-ccp-props="{}"> </span></p> </div> <div> <p paraeid="{939ac8cb-ac4e-4902-913e-fcfc64013ecd}{31}" paraid="681538550"><strong><span xml:lang="EN-US" data-contrast="auto">Step one: Problem clarity.</span></strong><span xml:lang="EN-US" data-contrast="auto"> AI performs best with well-defined, measurable and repeatable objectives. Prioritizing alerts or summarizing incidents are great examples. AI tends not to suit use cases with ambiguous problems.</span><span data-ccp-props="{}"> </span></p> </div> <div> <p paraeid="{939ac8cb-ac4e-4902-913e-fcfc64013ecd}{45}" paraid="1106536358"><strong><span xml:lang="EN-US" data-contrast="auto">Step two: Evaluate risk.</span></strong><span xml:lang="EN-US" data-contrast="auto"> Assess AI security risk tolerance and impact when the model produces an incorrect or misleading result. Use cases that emphasize automated access revocation or system isolation require stronger controls and human validation. CISOs and security teams should explicitly define scenarios in which analysts will review, approve or override AI recommendations. This practice maintains human-in-the-loop requirements and preserves accountability.</span><span data-ccp-props="{}"> </span></p> </div> <div> <p paraeid="{939ac8cb-ac4e-4902-913e-fcfc64013ecd}{127}" paraid="1480140932"><strong><span xml:lang="EN-US" data-contrast="auto">Step three: Plan for success.</span></strong><span xml:lang="EN-US" data-contrast="auto"> Evaluate data sensitivity and maturity to ensure AI is applied where it strengthens security. Teams must understand the data AI consumes, where it is processed and whether the results are proven in production.</span></p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Evaluating AI security use cases</h3> <p>Use the following evaluation points to identify viable use cases for AI in security operations:</p> <ul class="default-list"> <li>Problem clarity. Is the security problem well-defined and measurable?</li> <li>Risk tolerance. What happens if the AI is wrong?</li> <li>Human-in-the-loop requirements. Where do humans validate, approve or override?</li> <li>Data sensitivity. What data is exposed to the model, and where does it reside?</li> <li>Use case maturity. Proven capability versus experimental feature.</li> <li>Fallback paths. Can operations continue if AI is unavailable?</li> </ul> </div> </div> <h2 paraeid="{939ac8cb-ac4e-4902-913e-fcfc64013ecd}{127}" paraid="1480140932"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 2">How to deploy AI in security operations</span></span><span data-ccp-props="{"134245418":true,"134245529":true,"335559738":200,"335559739":0}"> </span></h2> </div> </div> <div> <div> <p paraeid="{d137e9e9-6e37-4622-9b35-1b6bb55beb17}{32}" paraid="844738903"><span xml:lang="EN-US" data-contrast="auto">Deploying any high-impact security control requires deliberate planning and rigor, and AI-driven security is no different. Without clear guardrails and planning, AI can introduce new risks even as it addresses other concerns.</span><span data-ccp-props="{}"> </span></p> </div> <div> <p paraeid="{d137e9e9-6e37-4622-9b35-1b6bb55beb17}{38}" paraid="905257641"><span xml:lang="EN-US" data-contrast="auto">Security leaders must define who is responsible for AI systems and how those systems can be used. Well-established </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchsecurity/tip/How-to-create-an-AI-acceptable-use-policy-plus-template"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">usage policies</span></span></a><span xml:lang="EN-US" data-contrast="auto">, approval workflows and documentation help prevent uncontrolled use. Create clear data security, retention and deletion policies to reduce the risk of unintended exposure.</span><span data-ccp-props="{}"> </span></p> </div> <div> <p paraeid="{d137e9e9-6e37-4622-9b35-1b6bb55beb17}{72}" paraid="406810338"><span xml:lang="EN-US" data-contrast="auto">Controlling access and managing explainability are essential because they help teams understand why a model produced a given recommendation. Finally, continuous monitoring ensures compliance and effectiveness.</span><span data-ccp-props="{}"> </span></p> </div> <div> <p paraeid="{d137e9e9-6e37-4622-9b35-1b6bb55beb17}{92}" paraid="1418568832"><span xml:lang="EN-US" data-contrast="auto">Best practices for deployment include the following:</span><span data-ccp-props="{}"> </span></p> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="6" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{d137e9e9-6e37-4622-9b35-1b6bb55beb17}{102}" paraid="672371175"><strong><span xml:lang="EN-US" data-contrast="auto">Governance first.</span></strong><span xml:lang="EN-US" data-contrast="auto"> Establish a culture that includes clear ownership, usage policies and approval workflows.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="6" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{d137e9e9-6e37-4622-9b35-1b6bb55beb17}{118}" paraid="468504886"><strong><span xml:lang="EN-US" data-contrast="auto">Data controls.</span></strong><span xml:lang="EN-US" data-contrast="auto"> Build controls to minimize data exposure and enforce retention policies.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="3" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="6" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{d137e9e9-6e37-4622-9b35-1b6bb55beb17}{130}" paraid="1232062691"><strong><span xml:lang="EN-US" data-contrast="auto">Access management.</span></strong><span xml:lang="EN-US" data-contrast="auto"> Create strong identity controls for AI tools and APIs.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="4" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="6" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{d137e9e9-6e37-4622-9b35-1b6bb55beb17}{142}" paraid="215739698"><strong><span xml:lang="EN-US" data-contrast="auto">Transparency and explainability.</span></strong><span xml:lang="EN-US" data-contrast="auto"> Require explainable outputs for high-impact decisions.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="5" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="6" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{d137e9e9-6e37-4622-9b35-1b6bb55beb17}{156}" paraid="1013703930"><strong><span xml:lang="EN-US" data-contrast="auto">Testing and validation.</span></strong><span xml:lang="EN-US" data-contrast="auto"> Actively test for prompt injection and other AI abuses.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="6" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="6" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{d137e9e9-6e37-4622-9b35-1b6bb55beb17}{168}" paraid="1014549132"><strong><span xml:lang="EN-US" data-contrast="auto">Vendor risk management.</span></strong><span xml:lang="EN-US" data-contrast="auto"> Understand and validate training data sources, hosting models and update paths.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="7" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="6" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{d137e9e9-6e37-4622-9b35-1b6bb55beb17}{180}" paraid="570799345"><strong><span xml:lang="EN-US" data-contrast="auto">Logging and monitoring.</span></strong><span xml:lang="EN-US" data-contrast="auto"> Treat AI systems like any other critical security control by auditing results.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <p paraeid="{d137e9e9-6e37-4622-9b35-1b6bb55beb17}{192}" paraid="1341867606"><span xml:lang="EN-US" data-contrast="auto">Remember, AI is not a static tool. It requires constant checks and updates to ensure it is deployed in ways that strengthen the organization's overall security posture.</span><span data-ccp-props="{}"> </span></p> </div> <div> <h2 paraeid="{d137e9e9-6e37-4622-9b35-1b6bb55beb17}{220}" paraid="1975918934" aria-level="2" role="heading"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 2">Practical adoption and operating models</span></span><span data-ccp-props="{"134245418":true,"134245529":true,"335559738":200,"335559739":0}"> </span></h2> </div> <div> <p paraeid="{d137e9e9-6e37-4622-9b35-1b6bb55beb17}{238}" paraid="1291446045"><span xml:lang="EN-US" data-contrast="auto">Successfully adopting AI in cybersecurity is less about individual tools and more about how organizations integrate it into daily security operations over time. Incremental adoption guided by risk and impact assessments is usually the safest and most effective path.</span><span data-ccp-props="{}"> </span></p> </div> <div> <p paraeid="{d137e9e9-6e37-4622-9b35-1b6bb55beb17}{252}" paraid="1946640671"><span xml:lang="EN-US" data-contrast="auto">Start with low-risk, high-reward use cases, such as analysis and summarization. Gradually expand into assistive automation rather than autonomous action. Maintain human accountability for decisions that affect access or compliance, and reassess risk as AI models evolve and regulations change. In every step, ensure that AI security initiatives align with </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchcio/definition/enterprise-risk-management"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">enterprise risk management</span></span></a><span xml:lang="EN-US" data-contrast="auto">.</span><span data-ccp-props="{}"> </span></p> </div> <div> <p paraeid="{75209168-3cda-4ee2-938d-6bcf67c3c641}{64}" paraid="1512432362"><span xml:lang="EN-US" data-contrast="auto">Maintaining balance requires continuous review. Models evolve, threat actors adapt and regulatory requirements change. Regularly reviewing AI performance, risk exposure and business impact helps ensure its rewards outweigh its risks.</span><span data-ccp-props="{}"> </span></p> </div> <div> <h2 paraeid="{75209168-3cda-4ee2-938d-6bcf67c3c641}{70}" paraid="2055143475" aria-level="2" role="heading"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 2">The CISO's role in responsible AI adoption</span></span><span data-ccp-props="{"134245418":true,"134245529":true,"335559738":200,"335559739":0}"> </span></h2> </div> <div> <p paraeid="{75209168-3cda-4ee2-938d-6bcf67c3c641}{76}" paraid="961084801"><span xml:lang="EN-US" data-contrast="auto">As AI becomes embedded across security tools and processes, the </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchsecurity/tip/The-CISO-evolution-From-security-gatekeeper-to-strategic-leader"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">CISO's role</span></span></a><span xml:lang="EN-US" data-contrast="auto"> extends beyond technical oversight into strategic leadership and forward thinking. These IT leaders are uniquely positioned to balance innovation with risk. They translate AI capabilities into outcomes that align with business objectives, regulatory compliance and organizational risk tolerance.</span><span data-ccp-props="{}"> </span></p> </div> </div> <div> <p paraeid="{75209168-3cda-4ee2-938d-6bcf67c3c641}{118}" paraid="693106799"><span xml:lang="EN-US" data-contrast="auto">CISOs are also responsible for establishing clear guardrails for AI use, defining accountability for AI-driven decisions and ensuring transparency across operations. Adoption requires collaboration with legal, privacy, compliance and IT operations teams to address data protection and auditability.</span><span data-ccp-props="{}"> </span></p> </div> <div> <p paraeid="{75209168-3cda-4ee2-938d-6bcf67c3c641}{202}" paraid="1038944468"><span xml:lang="EN-US" data-contrast="auto">Finally, CISOs must communicate with executive leadership and the board to explain both the value and limitations of AI, framing it as an enabler of resilience rather than a replacement for human judgment.</span><span data-ccp-props="{}"> </span></p> </div> <div> <p paraeid="{75209168-3cda-4ee2-938d-6bcf67c3c641}{212}" paraid="536381423"><span xml:lang="EN-US" data-contrast="auto">AI-driven security tools can improve security outcomes, affecting results across the organization. The transition to AI requires thoughtful adoption, discipline and clarity. When CISOs and their teams do it right, they can ensure AI strengthens security posture without becoming its next source of risk.</span></p> <p><em>Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA Blogs.</em></p> </div> AI represents a powerful new tool for cybersecurity professionals, but the technology is not without risk. Discover what CISOs need to know when deciding how to use AI. https://cdn.ttgtmedia.com/rms/onlineimages/ai_g1182183209.jpg https://www.techtarget.com/searchsecurity/feature/How-CISOs-can-balance-AI-innovation-and-security-risk Thu, 12 Feb 2026 00:00:00 GMT How CISOs can balance AI innovation and security risk <p>Contact centers sit at the intersection of customer experience, brand trust and operational efficiency. As customer expectations rise and AI becomes embedded in service operations, the challenges facing contact centers have grown more complex -- and more consequential.</p> <p>Customer service has moved beyond single-channel support, with contact centers now expected to manage interactions across voice and digital channels while maintaining consistency, context and speed. Contact centers have <a href="https://www.techtarget.com/searchcustomerexperience/feature/Call-center-vs-contact-center-Whats-the-difference">evolved beyond mere call-handling hubs</a> into sophisticated, multichannel engagement centers that play a vital role in shaping customer experiences. With the advent of digital transformation, contact centers now integrate various communication platforms, including phone calls, email, chat, social media and video conferencing.</p> <p>The commercial landscape for businesses and customers is rapidly changing, <a href="https://www.techtarget.com/searchcustomerexperience/feature/Important-contact-center-AI-features-and-their-benefits">driven by technological advancements</a>, evolving customer expectations and the increasing importance of personalized service. Enterprises are under pressure to deliver consistent, high-quality customer interactions over different modes of communication, while managing costs and maintaining operational efficiency.</p> <p>Customer interactions now span multiple channels, yet customers expect consistent context, personalization and responsiveness regardless of how they engage. This complex environment necessitates a strategic approach to managing contact centers, addressing inherent challenges and <a href="https://www.techtarget.com/searchcustomerexperience/How-to-choose-a-contact-center-software-system">using technology to enhance customer service capabilities</a>.</p> <section class="section main-article-chapter" data-menu-title="Key contact center challenges and remedies"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Key contact center challenges and remedies</h2> <p>Providing different modes of interaction is among the many challenges for modern contact centers. Other issues include agent attrition, increased customer expectations, ever-growing customer queues, generalization of content, barriers to understanding and security.</p> <h3>1. Meeting customer expectations</h3> <p>Customers expect quick, personalized and seamless interactions across all channels. They also expect an interaction in one channel to be consistent with the experience they've had in other channels. They increasingly demand high levels of service and are less tolerant of delays, repeating their information and impersonal responses.</p> <p>Advanced CRM systems and AI-driven analytics can help understand, contextualize and anticipate customer needs, <a href="https://www.techtarget.com/searchcustomerexperience/tip/How-to-comprehensively-personalize-the-customer-experience">enabling more personalized and consistent interactions</a>. Regularly updating service protocols to align with customer feedback is equally important.</p> <p>Meeting these expectations increasingly depends on how well organizations unify customer data and govern AI-assisted interactions across channels, not just on agent performance alone.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/addressing_the_demands_of_todays_complex_contact_centers-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/addressing_the_demands_of_todays_complex_contact_centers-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/addressing_the_demands_of_todays_complex_contact_centers-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/addressing_the_demands_of_todays_complex_contact_centers-f.png 1280w" alt="Contact center challenges and remedies" height="487" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>For every challenge confronting contact centers, there's a remedy. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>2. High contact volumes and longer wait times</h3> <p>Managing the high volumes of customer contacts, especially during peak times, can lead to long wait times and customer dissatisfaction. When customers call into contact centers of certain businesses, the first response they might typically get is a recording, "We're currently experiencing high call volumes" -- at least during normal business hours. This kind of experience, exacerbated by limited staffing and inefficient call routing, frustrates customers.</p> <p>Implementing intelligent call routing and queuing systems can optimize resource allocation and reduce wait times. Most new systems <a href="https://www.techtarget.com/searchcustomerexperience/tip/How-to-manage-remote-call-center-agents">enable contact center agents to work from home</a>, which increases the flexibility of companies deploying agents globally. Self-service options, such as chatbots and automated responses, can reduce contact volumes, but they also raise expectations for the quality and efficiency of the interactions that reach live agents.</p> <p>Chatbots can handle routine types of interactions, like password resets, quick orders and simple questions, but complex situations that require empathy and understanding are still best left to humans. Improvements in machine learning and AI can also help mitigate high contact volumes and wait times and provide customers with other ways to resolve their queries independently.</p> <h3>3. Personalization shortfalls and content generification</h3> <p>Generic responses and interactions usually fail to meet customer expectations for personalized service. This lack of personalization inevitably results in decreased customer satisfaction and loyalty.</p> <p>Using <a href="https://www.techtarget.com/searchcustomerexperience/tip/Customer-interaction-analytics-spurs-better-business-results">customer data and analytics to tailor interactions</a> and recommendations can improve personalization, but doing so effectively requires strong data governance and consistent context across channels. Training call center agents to express empathy and use customer information effectively during their interactions is especially important. New large language models can improve the quality of agent responses by combining the specifics of customer data with best practices in knowledge bases.</p> <h3>4. Language barriers</h3> <p>Contact centers often serve a diverse, global customer base. Language barriers can impede effective communication, leading to misunderstandings and frustration. Any enterprise that aspires to be global must deal with this issue. Even companies that see themselves as local will become global when they put their presence on the web.</p> <p>Hiring multilingual agents and providing language training can bridge communication gaps. Additionally, real-time translation services and AI-powered language tools have come a long way and can facilitate smoother interactions.</p> <h3>5. Agent attrition</h3> <p>High turnover rates among contact center agents <a href="https://www.techtarget.com/searchcustomerexperience/tip/Why-contact-centers-have-high-turnover-and-how-to-combat-it">pose a significant challenge</a>. Increased job openings and competition for talent in good economies can only make this problem worse. Attrition is usually costly, impacting operational efficiency and the quality of customer interactions. Factors contributing to high attrition include job stress, lack of career advancement opportunities and inadequate compensation.</p> <p>In many environments, tool sprawl and cognitive overload also contribute to burnout, making technology simplification as important as compensation and career development.</p> <p>Good customer service is vital to retention and brand loyalty. <a href="https://www.techtarget.com/searchcustomerexperience/tip/Best-practices-for-call-center-agent-training-programs">Implementing comprehensive training programs</a>, offering competitive salaries and creating clear career progression paths can help reduce attrition. Providing a supportive work environment and recognizing agent contributions also play a crucial role in retaining talent. Technology has made it possible for more agents to work remotely, enabling companies to find the best qualified representatives wherever they're located.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/average_call_center_agent_salaries-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/average_call_center_agent_salaries-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/average_call_center_agent_salaries-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/average_call_center_agent_salaries-f.png 1280w" alt="Contact center agent salaries in the U.S." height="403" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Contact center agents in some regions demand higher than average salaries. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3> 6. Lack of subject matter expertise</h3> <p>Agents often face complex queries requiring specialized knowledge. As the "first line of defense" in resolving customer inquiries, it's often difficult, if not impossible, for contact center agents to achieve mastery or even appear to be knowledgeable in all aspects of company products. The result could be incorrect or inadequate information conveyed to the customer.</p> <p><a href="https://www.techtarget.com/searchcustomerexperience/answer/5-ways-to-improve-call-center-agent-performance">Continuous training and access to a centralized knowledge base</a> can empower remote work agents with the necessary information to handle complex queries effectively. Encouraging collaboration and knowledge sharing among agents can also enhance overall understanding.</p> <h3>7. Quantitative and qualitative performance metrics</h3> <p><a href="https://www.techtarget.com/searchcustomerexperience/tip/Top-7-call-center-agent-performance-metrics-to-track">Accurately measuring and analyzing contact center performance</a> is essential for continuous improvement. Traditional metrics often don't fully capture the quality of customer interactions or agent performance since measuring customer satisfaction can often be subjective.</p> <p>Adopting a comprehensive set of KPIs that include quantitative <i>and</i> qualitative metrics can provide a more accurate picture of performance. Incorporating customer feedback and sentiment analysis into performance reviews can also provide valuable insights and a more holistic view of contact center effectiveness.</p> <h3>8. Data access vs. protection</h3> <p>Contact centers store and handle sensitive customer information, making data security a foundational requirement for customer trust rather than a secondary compliance concern. As the types and frequency of interactions increase, breaches are becoming more frequent and consequential, leading to significant financial and reputational damage. More sophisticated deep fakes are rendering voice recognition ineffective as a method of customer verification.</p> <p><a href="https://www.techtarget.com/searchcustomerexperience/tip/Call-center-security-best-practices-to-protect-customer-data">Implementing comprehensive cybersecurity measures</a>, including encryption, multifactor authentication, and regular security audits, safeguard customer data. Sensitive customer data can be better protected through advanced security protocols, security tools such as system scanners with <a href="https://www.techtarget.com/searchcustomerexperience/tip/How-to-train-agents-on-call-center-fraud-detection">data loss prevention, and fraud detection</a>. Most companies need to adopt zero trust architectures and principles, and agents need to be trained on data protection protocols. It should be standard practice to have a culture of security awareness, including periodic companywide security training.</p> <p>Across these challenges, AI increasingly acts as both a solution and a source of new complexity, raising the bar for data quality, governance and trust in contact center operations.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/crm-contact_centers.jpg"> <img data-src="https://www.techtarget.com/rms/onlineImages/crm-contact_centers_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/crm-contact_centers_mobile.jpg 960w,https://www.techtarget.com/rms/onlineImages/crm-contact_centers.jpg 1280w" alt="Multifunctional contact centers" height="288" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Contact centers are evolving into complex facilities that meet business and customer needs. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="Build on flexibility, scalability and humanity"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Build on flexibility, scalability and humanity</h2> <p>Addressing contact center challenges requires more than incremental tooling changes. As customer expectations rise and AI reshapes service interactions, contact centers must balance efficiency with empathy, automation with oversight, and data access with security. Organizations that approach these challenges strategically -- rather than tactically -- are better positioned to turn their contact centers into long-term assets rather than ongoing cost centers.</p> <p><b>Editor's note:</b><i> This article has been updated to reflect the changing nature of modern contact center challenges.</i></p> <p><i>Jerald Murphy is senior vice president of research and consulting at Nemertes Research. He has more than three decades of technology experience, including neural networking research, integrated circuit design, computer programming, global data center designing and CEO of a managed services company.</i></p> </section> Modern contact centers face persistent challenges around customer expectations, staffing and data access. Addressing them requires more than incremental operational fixes. https://cdn.ttgtmedia.com/rms/onlineimages/chatbot_g1250576636.jpg https://www.techtarget.com/searchcustomerexperience/tip/Contact-center-challenges-and-how-to-overcome-them Wed, 11 Feb 2026 00:00:00 GMT 8 contact center challenges and how to address them <p>Manufacturing remained ransomware operators' most-targeted sector heading into 2026, according to analysis by threat researchers at cybersecurity services provider NordStellar. Other top targets by industry include IT firms, professional services providers and construction companies.</p> <p>Note, however, that -- as for-profit businesses -- ransomware gangs constantly adapt to shifting market conditions, victimizing any organizations they see as both relatively vulnerable and likely to pay. With that caveat in mind, what follows are the 10 industries that ransomware operators most frequently targeted in 2025, according to NordStellar's <a target="_blank" href="https://nordstellar.com/blog/ransomware-statistics/" rel="noopener">research</a>.</p> <section class="section main-article-chapter" data-menu-title="1. Manufacturing"> <h2 class="section-title"><i class="icon" data-icon="1"></i>1. Manufacturing</h2> <p>NordStellar found nearly one in five attacks in 2025 targeted a manufacturing company, with 1,156 ransomware incidents in this sector -- a 32% year-over-year increase.</p> <p>A recent ransomware attack on Jaguar Land Rover brought the luxury automaker's manufacturing activities to a halt for more than a month. U.K. experts have called it the most financially damaging cyberattack in national history, <a target="_blank" href="https://www.cybersecuritydive.com/news/jaguar-land-rover-attack-british-economy-25-billion/803491/" rel="noopener">costing the British economy $2.5 billion</a>.</p> </section> <section class="section main-article-chapter" data-menu-title="2. Information technology"> <h2 class="section-title"><i class="icon" data-icon="1"></i>2. Information technology</h2> <p>The IT sector currently ranks second, accounting for 8.7% of ransomware incidents. In July 2025, for example, technology firm <a target="_blank" href="https://www.cybersecuritydive.com/news/ingram-micro-restores-global-operations-hack/752708/" rel="noopener">Ingram Micro suffered a ransomware attack</a> that disrupted normal operations for several days. The SafePay ransomware group claimed responsibility.</p> <p>In a high-profile incident in 2021, the REvil gang targeted Taiwan-based PC manufacturer Acer and demanded one of the largest ransoms on record -- $50 million. Whether the company paid the ransom is unknown.</p> </section> <section class="section main-article-chapter" data-menu-title="3. Professional, scientific and technical services"> <h2 class="section-title"><i class="icon" data-icon="1"></i>3. Professional, scientific and technical services</h2> <p>Professional, scientific and technical services providers were also frequently in ransomware operators' crosshairs in recent months, making up 8.2% of attacks.</p> <p>In August 2025, <a target="_blank" href="https://www.cybersecuritydive.com/news/inotiv-confirm-cyberattack-data-theft/807277/" rel="noopener">ransomware disrupted operations at Inotiv</a>, a pharmaceutical and biotechnology services firm. The <a target="_blank" href="https://www.darkreading.com/cyberattacks-data-breaches/extortion-gangs-join-forces-ransomware-cartel" rel="noopener">Qilin ransomware gang</a> claimed responsibility for the incident, in which attackers stole the personal data of roughly 9,500 people.</p> </section> <section class="section main-article-chapter" data-menu-title="4. Construction and property"> <h2 class="section-title"><i class="icon" data-icon="1"></i>4. Construction and property</h2> <p>NordStellar researchers found 7.4% of ransomware attacks in 2025 targeted organizations in the construction and property sector.</p> <p>In early 2024, <a target="_blank" href="https://www.cybersecuritydive.com/news/loandepot-ransomware-exposes-17M-people/705169/" rel="noopener">ransomware operators hit mortgage lender LoanDepot</a>, stealing the sensitive personal information of 16.6 million customers. The company later said that it incurred <a target="_blank" href="https://www.cybersecuritydive.com/news/loandepot-net-loss-cyber-settlement-q2/723838/" rel="noopener">more than $41 million in attack-related expenses</a> in the first half of that year.</p> </section> <section class="section main-article-chapter" data-menu-title="5. Healthcare"> <h2 class="section-title"><i class="icon" data-icon="1"></i>5. Healthcare</h2> <p>Medical providers' high-stakes work and widespread security vulnerabilities make them a perennial target of cybercriminals. In 2025, 5.7% of ransomware attacks targeted healthcare organizations, NordStellar researchers found.</p> <p>Ransomware incidents in this sector can be deadly. An <a href="https://www.techtarget.com/searchsecurity/news/252489993/Potential-ransomware-related-death-still-under-investigation">attack on a hospital in Düsseldorf, Germany</a>, once forced healthcare workers to send a patient with a life-threatening condition to another hospital 20 miles away. The patient died, although prosecutors later <a target="_blank" href="https://www.technologyreview.com/2020/11/12/1012015/ransomware-did-not-kill-a-german-hospital-patient/" rel="noopener">concluded</a> the attack and subsequent delay did not play a role. Regardless, research strongly suggests <a href="https://www.techtarget.com/searchsecurity/feature/Studies-show-ransomware-has-already-caused-patient-deaths">ransomware attacks have already contributed to unnecessary deaths</a>.</p> </section> <section class="section main-article-chapter" data-menu-title="6. Financial services"> <h2 class="section-title"><i class="icon" data-icon="1"></i>6. Financial services</h2> <p>One in 20 ransomware attacks in 2025 targeted the financial services industry. A major ransomware attack on this sector could have widespread, catastrophic effects on the economy and society at large. New York's Department of Financial Services has warned it could trigger "the next great financial crisis" by crippling key organizations and eroding consumer confidence.</p> <p>In 2019, the REvil ransomware gang hit foreign exchange bureau Travelex, disrupting operations in dozens of countries and leaving banks and travelers without access to funds for more than a week. The incident, along with the COVID-19 pandemic, left the company in dire financial straits, resulting in <a href="https://www.computerweekly.com/news/252487346/Cyber-attack-combined-with-Covid-19-puts-Travelex-into-administration">1,300 job cuts and insolvency administration</a> proceedings.</p> </section> <section class="section main-article-chapter" data-menu-title="7. Transportation, logistics, supply chain and storage"> <h2 class="section-title"><i class="icon" data-icon="1"></i>7. Transportation, logistics, supply chain and storage</h2> <p>Ransomware incidents in the transportation, logistics, supply chain and storage sectors accounted for 4.9% of attacks last year. Cybercriminals have long viewed organizations in the logistics sector as attractive ransomware targets. Almost a decade ago, for example, a still-infamous <a href="https://www.techtarget.com/searchsecurity/news/450424681/NotPetya-ransomware-impact-costs-Maersk-hundreds-of-millions">NotPetya attack cost Danish shipping giant Maersk</a> up to $300 million in lost revenue.</p> </section> <section class="section main-article-chapter" data-menu-title="8. Legal"> <h2 class="section-title"><i class="icon" data-icon="1"></i>8. Legal</h2> <p>The legal services sector was also among the 10 most targeted industries in recent months, accounting for 4.7% of all attacks, according to the NordStellar report. Major law firms are attractive ransomware targets, as many possess highly sensitive data and are likely to have financial resources to pay large ransom demands. Criminals might also victimize smaller legal firms with outdated or lackluster cybersecurity programs that make their networks relatively easy to access.</p> <p>In February 2021, major law firm <a target="_blank" href="https://www.darkreading.com/threat-intelligence/law-firm-for-ford-pfizer-exxon-discloses-ransomware-attack" rel="noopener">Campbell Conroy & O'Neil said ransomware operators had accessed</a> and encrypted system data that included sensitive personal information such as Social Security numbers and financial information. The trial attorneys have represented numerous Fortune 500 companies, including Boeing, FedEx, Home Depot and Johnson & Johnson.</p> <p>The previous year, a <a target="_blank" href="https://www.darkreading.com/cyberattacks-data-breaches/a-list-celebrity-law-firm-confirms-cyberattack" rel="noopener">ransomware attack hit prominent entertainment firm</a> Grubman Shire Meiselas & Sacks, which has represented celebrity clients such as Lady Gaga and Madonna.</p> </section> <section class="section main-article-chapter" data-menu-title="9. Retail"> <h2 class="section-title"><i class="icon" data-icon="1"></i>9. Retail</h2> <p>The retail sector also accounted for 4.7% of attacks in 2025, tying with legal. Sophos researchers found that exploited vulnerabilities have been the most common root cause of ransomware attacks in this sector for the past three years.</p> <p>Several major British retailers sustained high-profile ransomware attacks in 2025, including Marks & Spencer. The incident resulted in stolen customer data and caused online and in-store operational disruptions, with the <a target="_blank" href="https://www.darkreading.com/vulnerabilities-threats/marks-spencer-400m-loss-after-cyberattack" rel="noopener">retail giant later estimating costs of up to $402 million</a>.</p> </section> <section class="section main-article-chapter" data-menu-title="10. Education"> <h2 class="section-title"><i class="icon" data-icon="1"></i>10. Education</h2> <p>According to NordStellar, educational organizations were targets in 3.6% of ransomware attacks. In positive news, Sophos researchers found that median ransom demands and payments in this sector both fell sharply in 2025. And while roughly half of education victims made ransom payments, the proportion of the initial demands paid also fell year over year.</p> <p>In 2022, 157-year-old Lincoln College became the first American college to <a target="_blank" href="https://www.darkreading.com/cyberattacks-data-breaches/lincoln-college-set-to-shutter-after-crippling-cyberattack" rel="noopener">attribute its permanent closure in part to a ransomware attack</a>. The school also pointed to the COVID-19 pandemic as a contributing factor. More recent targets include <a target="_blank" href="https://www.darkreading.com/cyberattacks-data-breaches/texas-tech-medical-data-breach" rel="noopener">Texas Tech University's Health Sciences Centers</a>, the Colorado Department of Higher Education and Bunker Hill Community College in Boston.</p> </section> <section class="section main-article-chapter" data-menu-title="Other industries"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Other industries</h2> <p>The total number of ransomware attacks is on the rise, with NordStellar researchers finding evidence on the dark web of 9,251 incidents in 2025 -- up 45% over the previous year. Organizations from industries not mentioned above were targets in 27.8% of these attacks, underscoring an important core truth: No company, regardless of size or sector, is immune.</p> <p><i>Alissa Irei is senior site editor of Informa TechTarget's SearchSecurity site.</i></p> </section> In any given year, certain industries seem to make more attractive targets for ransomware groups. But no single sector shoulders all -- or even most -- of the risk. https://cdn.ttgtmedia.com/rms/onlineimages/ransom_g943330284.jpg https://www.techtarget.com/searchsecurity/feature/Top-10-ransomware-targets-in-2021-and-beyond Tue, 10 Feb 2026 18:15:00 GMT Top 10 ransomware targets by industry <p>Incident responders detect, identify and contain cyberattacks to minimize damage on business operations. To effectively do this and be valuable members of the <a href="https://www.techtarget.com/searchsecurity/definition/incident-response-team">incident response team</a>, security professionals must know how to analyze logs, assemble and use an arsenal of security tools and processes, conduct threat hunting exercises, and <a href="https://www.techtarget.com/searchsecurity/feature/5-critical-steps-to-creating-an-effective-incident-response-plan">prepare and test incident response plans</a>  and playbooks.</p> <p>Further, incident responders require an understanding of active threat groups and their techniques, tactics and procedures. Incident responders also need strong knowledge of cybersecurity and networking principles, especially regarding <a href="https://www.techtarget.com/searchnetworking/tip/An-introduction-to-cloud-network-architecture">common cloud architectures</a>.</p> <p>To bolster career progression and cybersecurity skills, incident responders should determine how best to learn and then demonstrate their knowledge. Many security professionals do this by earning an incident response certification.</p> <p>This article discusses incident response certifications and cybersecurity certifications to consider if interested in an incident response-specific role. While the certifications focus on incident response, cybersecurity professionals can apply them toward other industry careers, including penetration tester, <a href="https://www.techtarget.com/searchsecurity/definition/computer-forensics">digital forensics</a> investigator and cybersecurity engineer.</p> <section class="section main-article-chapter" data-menu-title="EC-Council Certified Incident Handler (ECIH)"> <h2 class="section-title"><i class="icon" data-icon="1"></i>EC-Council Certified Incident Handler (ECIH)</h2> <p>Many incident response newcomers start by looking at EC-Council's ECIH. The ECIH <a target="_blank" href="https://www.eccouncil.org/train-certify/ec-council-certified-incident-handler-ecih/" rel="noopener">program</a> teaches candidates how to quickly detect, contain and respond to incidents, as well as address post-breach issues. The ECIH course is split into 10 modules with hands-on labs:</p> <ol type="1" start="1" class="default-list"> <li>Introduction to incident handling and response.</li> <li>Incident handling and response process.</li> <li>First response.</li> <li>Handling and responding to malware incidents.</li> <li>Handling and responding to email security incidents.</li> <li>Handling and responding to network security incidents.</li> <li>Handling and responding to web application security incidents.</li> <li>Handling and responding to cloud security incidents.</li> <li>Handling and responding to insider threats.</li> <li>Handling and responding to endpoint security incidents.</li> </ol> <p>The ECIH course is available for self-study or as a three-day class, online or at an EC-Council Accredited Training Center.</p> <p>While the certification is widely recognized in the industry, some industry professionals deem it too basic. Many experienced incident responders recommend that new cybersecurity professionals should consider more challenging incident response certificates instead. Further, EC-Council's reputation has been questioned due to past plagiarism incidents and data breaches.</p> <p>The ECIH exam, consisting of 100 multiple-choice questions to be completed within three hours, requires a 70% passing score. Candidates must have a prerequisite three years of cybersecurity experience. After passing, certification holders must renew ECIH every three years.</p> </section> <section class="section main-article-chapter" data-menu-title="GIAC Certified Incident Handler (GCIH)"> <h2 class="section-title"><i class="icon" data-icon="1"></i>GIAC Certified Incident Handler (GCIH)</h2> <p>Global Information Assurance Certification's GCIH <a target="_blank" href="https://www.giac.org/certifications/certified-incident-handler-gcih/" rel="noopener">course</a> offers some of the broadest incident response coverage. The certification, based on the six-day SANS Institute SEC504: Hacker Tools, Techniques and Incident Handling course, has a reputation of providing actionable and useful real-world knowledge. It focuses on incident response from the attacker's perspective to help defenders understand how to best react.</p> <p><a target="_blank" href="https://www.sans.org/cyber-security-courses/hacker-techniques-incident-handling/" rel="noopener">SEC504</a> covers dynamic incident response, on-premises and cloud-defense strategies, and cybersecurity attack identification. The course includes hands-on exercises and labs with a variety of tools, such as <a href="https://www.techtarget.com/searchsecurity/tutorial/How-to-use-Hashcat-to-recover-passwords">Hashcat</a>, Nmap, Legba and Metasploit, and closes with a capture-the-flag event. The course is available in person, live online and on demand. The course was updated in 2025 with advice and labs covering AI topics, such as how to use AI to help write incident response procedures and labs covering AI <a href="https://www.techtarget.com/searchsecurity/post/Prompt-injection-attacks-From-pranks-to-security-threats">prompt-injection attacks</a>.</p> <p>The GCIH exam paired with the SANS training course can be costly. Test-takers could talk to their employers to allocate a training budget.</p> <p>A viable alternative is the <a target="_blank" href="https://www.giac.org/certifications/certified-intrusion-analyst-gcia/" rel="noopener">GIAC Certified Intrusion Analyst</a> (GCIA) certification, based on the six-day SANS SEC503: Networking Monitoring and Threat Detection In-Depth course. More network-focused and technical, the GCIA exam is considered more difficult than the GCIH exam.</p> <p>Another related certification is <a target="_blank" href="https://www.giac.org/certifications/certified-forensic-analyst-gcfa/" rel="noopener">GIAC Certified Forensic Analyst</a> (GCFA), based on the six-day SANS FOR508: Advanced Incident Response, Threat Hunting and Digital Forensics course. GCFA is considered even more difficult than the GCIH exam.</p> <p>GCIH covers the following six areas:</p> <ol class="default-list"> <li>Incident response and cyber investigations.</li> <li>Scanning and enumeration attacks.</li> <li>Password attacks and exploit frameworks.</li> <li>Web application attacks.</li> <li>Post-exploitation and AI attacks.</li> <li>Capture-the-flag event.</li> </ol> <p>The four-hour, web-based proctored exam consists of 106 questions. Candidates must score 69% to pass. The GCIH practitioner exam costs $999 for the first attempt and $899 for retakes. The exam costs $999 for the first attempt and $899 for retakes. The SEC504 course costs an additional $8,780 and can be completed in-person or as a virtual, self-paced course with four months of access. Certificate renewal, which must be done every four years, costs $499. Practice exams are available for $399.</p> </section> <section class="section main-article-chapter" data-menu-title="CREST Registered Intrusion Analyst (CRIA)"> <h2 class="section-title"><i class="icon" data-icon="1"></i>CREST Registered Intrusion Analyst (CRIA)</h2> <p>Council for Registered Ethical Security Testers (CREST), best known for its pen testing certifications, offers the CRIA incident response certification. This intermediate-level <a target="_blank" href="https://www.crest-approved.org/skills-certifications-careers/crest-registered-intrusion-analyst/" rel="noopener">certificate</a> provides candidates with a high level of incident response education and is a useful certificate for incident responders to aim for early in their careers.</p> <p>The exam tests candidates on their knowledge and skills of network and host intrusions and reverse-engineering malware, with modules that include the following:</p> <ul type="disc" class="default-list"> <li>Incident chronology, including timestamp analysis.</li> <li>Record keeping, interim reporting and final results.</li> <li>IP protocols, including application layer protocols and how they're used by malware.</li> <li>Common classes of tools, including intrusion analysis and reverse-engineering tools.</li> <li>Host analysis techniques.</li> <li>Beaconing.</li> <li>Command-and-control channels and exfiltration of data.</li> <li>Data sources and network log sources, such as proxy, firewall and VPN logs.</li> <li>Windows and application file system essentials and structures.</li> <li>Behavioral analysis.</li> </ul> <p>To take the CRIA exam, candidates must obtain the entry-level CREST Practitioner Intrusion Analyst certification and have three years or 6,000 hours of relevant professional experience.</p> <p>The 2.5-hour exam consists of 150 multiple-choice, open-book questions and a practical assessment. Candidates must take the exam at a CREST exam center, and achieve a score of at least 60% to pass. Pricing varies by location. In the U.K., the exam costs £600.</p> </section> <section class="section main-article-chapter" data-menu-title="CompTIA Cybersecurity Analyst (CySA+)"> <h2 class="section-title"><i class="icon" data-icon="1"></i>CompTIA Cybersecurity Analyst (CySA+)</h2> <p>CompTIA has a good reputation, and its certifications can enhance employability. The intermediate-level <a target="_blank" href="https://www.comptia.org/certifications/cybersecurity-analyst" rel="noopener">CySA+</a> enables incident responders to demonstrate knowledge of interpreting logs to discern whether security incidents represent real threats, and it ensures a fundamental understanding of network and cybersecurity principles. CompTIA updated the exam in 2024 to include cloud technologies and web applications, and it is next due for a refresh in 2026.</p> <p>CySA+ helps ensure candidates have the skills to detect malicious incidents, understand threat intelligence and threat management, respond to cybersecurity incidents, conduct incident response attacks and create post-incident reports.</p> <p>The exam is split into the following four domains:</p> <ol type="1" start="1" class="default-list"> <li><b>Security operations (33%).</b> Candidates demonstrate knowledge of system and network architecture, such as logs, file structures, system processes, cloud vs. hybrid vs. on-premises architecture, <a href="https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network">zero trust</a>, encryption, data protection, and identity and access management.</li> <li><b>Vulnerability management (30%).</b> Candidates implement vulnerability management for asset discovery, critical infrastructure and <a href="https://www.techtarget.com/searchsecurity/tip/Incident-response-frameworks-for-enterprise-security-teams">industry frameworks</a>. For a given scenario, they need to handle scanning methods, analyze output from different tools, determine vulnerability prioritization and recommend how to mitigate different exploits.</li> <li><b>Incident response and management (20%).</b> Candidates demonstrate knowledge of attack methodology frameworks, such as cyber kill chains, <a href="https://www.techtarget.com/searchsecurity/definition/MITRE-ATTCK-framework">Mitre ATT&CK</a> and OWASP. Candidates receive a scenario and perform incident response, explaining how to handle the incident management lifecycle.</li> <li><b>Reporting and communication (17%).</b> Candidates cover how to create an incident response report and communicate an event to legal counsel, customers, media and law enforcement.</li> </ol> <p>CompTIA recommends candidates have four years of professional incident response or security operations center (<a href="https://www.techtarget.com/searchsecurity/definition/Security-Operations-Center-SOC">SOC</a>) analyst experience, as well as Network+ or Security+ certification.</p> <p>The CySA+ exam, which can be taken online or in person, consists of up to 85 multiple-choice and performance-based questions. Candidates have 165 minutes to complete the exam and must score at least 750 out of 900 to pass. The exam costs $425, or $474 with a retake included. Access to training labs is available for between $169 and $610, depending on the level of content needed.</p> <p>To renew, certification holders must earn 60 continuing education units every three years.</p> </section> <section class="section main-article-chapter" data-menu-title="Offsec OSDA"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Offsec OSDA</h2> <p>The <a target="_blank" href="https://www.offsec.com/courses/soc-200/" rel="noopener">Offensive Security OSDA</a>, obtained via the SOC-200 Security Operations and Defensive Analysis course, covers incident response and other skills integral to working in a SOC. The course is appropriate for someone with up to two years' experience as an incident responder or SOC analyst, but it might be too basic for those with more experience. It covers the following modules:</p> <ul class="default-list"> <li>Foundations of SOC operations.</li> <li>Threat detection and analysis.</li> <li>Vulnerability and risk management.</li> <li>Endpoint and network defense.</li> </ul> <ul class="default-list"> <li>Access control and privilege management.</li> </ul> <p>The course is delivered via videos, labs and exercises. It costs $1,749 for three months of lab access and a single exam attempt or $2,199 for 12 months of access and two exam attempts. The exam is a proctored 24-hour, lab-based assessment, consisting of 10 phases with multiple attacker actions that must be detected, understood and documented. The exam is known to be grueling, with some candidates awake for the entire 24-hour period.</p> </section> <section class="section main-article-chapter" data-menu-title="Additional security certifications for incident responders"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Additional security certifications for incident responders</h2> <p>A variety of <a href="https://www.techtarget.com/searchsecurity/tip/10-cybersecurity-certifications-to-boost-your-career-in-2021">cybersecurity certifications</a> that are not specific to incident response can help cybersecurity professionals along their career path, including the following:</p> <ul type="disc" class="default-list"> <li>ISC2 Certified Information Systems Security Professional (<a href="https://www.techtarget.com/searchsecurity/definition/Certified-Information-Systems-Security-Professional">CISSP</a>).</li> <li>ISACA Certified Information Security Manager (<a href="https://www.techtarget.com/searchsecurity/definition/certified-information-security-manager-CISM">CISM</a>).</li> <li>ISACA Certified Information Systems Auditor (<a href="https://www.techtarget.com/searchsecurity/definition/Certified-Information-Systems-Auditor-CISA">CISA</a>).</li> </ul> <p><b>Editor's note:</b> <i>This article was updated in 2026 to revise exam details and to improve the reader experience.</i></p> <p><i>Rob Shapland is an ethical hacker specializing in cloud security, social engineering and cybersecurity training for companies worldwide.</i></p> </section> Cybersecurity professionals pursuing an incident response track should consider the following certifications to bolster their knowledge and advance their careers. https://cdn.ttgtmedia.com/rms/onlineimages/certification_g1137341920.jpg https://www.techtarget.com/searchsecurity/tip/Top-incident-response-certifications-to-consider Tue, 10 Feb 2026 12:30:00 GMT Top incident response certifications to consider in 2026 <p>Modern network environments demand a cohesive and <a href="https://www.techtarget.com/searchsecurity/The-ultimate-guide-to-cybersecurity-planning-for-businesses">comprehensive security posture</a> as attack surfaces expand and hybrid environments become more complex.</p> <p>Endpoint detection and response, security information and event management and security orchestration, automation and response are three essential tools that help ensure enterprise resilience. Let's discuss EDR, SIEM and SOAR, examining the strategic importance of integrating the three security tools, as well as looking at common use cases, implementation, maintenance routines and challenges.</p> <section class="section main-article-chapter" data-menu-title="A quick primer on EDR, SIEM and SOAR"> <h2 class="section-title"><i class="icon" data-icon="1"></i>A quick primer on EDR, SIEM and SOAR</h2> <p>Before delving into the strategic value and real-world use cases of these three technologies, it's worth reviewing what they do.</p> <h3>EDR</h3> <p><a href="https://www.techtarget.com/searchsecurity/definition/endpoint-detection-and-response-EDR">EDR</a> tools focus on endpoint devices, including servers, workstations, laptops and similar components. Their goal is to detect, investigate and remediate malicious activity. EDR tools <a href="https://www.techtarget.com/searchsecurity/feature/How-EDR-systems-detect-malicious-activity">use agents</a> to watch processes, isolate hosts, quarantine files and take other actions as needed.</p> <h3>SIEM</h3> <p><a href="https://www.techtarget.com/searchsecurity/definition/security-information-and-event-management-SIEM">SIEM</a> systems ingest and correlate log files and events from endpoints, network devices, applications, identity providers and other components. They work with cloud and on-premises resources to centralize alerting, archiving and analytics for security data, aiding investigations, threat hunting and demonstrating compliance.</p> <h3>SOAR</h3> <p><a href="https://www.techtarget.com/searchsecurity/definition/SOAR">SOAR</a> tools tie everything -- SIEM, EDR, ticketing, etc. -- together to automate incident response workflows using playbooks. This reduces manual efforts, speeds responses, establishes containment and implements remediation.</p> <p>Playbook functionality might include blocking IPs, disabling accounts, opening tickets and enriching alerts and indicators of compromise.</p> </section> <section class="section main-article-chapter" data-menu-title="The strategic value of integrating security tools"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The strategic value of integrating security tools</h2> <p>Integrating security tools and establishing automated responses yields strategic value to the organization. Today's <a href="https://www.techtarget.com/searchsecurity/feature/Top-10-types-of-information-security-threats-for-IT-teams">security threats</a> require quick identification and remediation. These interlaced layers of security give precisely that.</p> <p>Integrated security tools improve visibility and eliminate gaps at endpoints, on networks and in cloud environments. This visibility illuminates threats and vulnerabilities -- after all, you can't fix what you don't know about.</p> <p>Yet, improving identification is only one facet of visibility. Better visibility also reduces the number of false positives -- and subsequent <a href="https://www.techtarget.com/whatis/definition/alert-fatigue">alert fatigue</a> -- generated by logging services, local event viewers, users and other services. Integrated security tools help correlate and collate alerts, ensuring accurate and timely information.</p> <p>The result is strategic benefits any IT leader can appreciate. These include reduced risk exposure, improved resilience, improved compliance and greater operational efficiency.</p> </section> <section class="section main-article-chapter" data-menu-title="Real-world use cases"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Real-world use cases</h2> <p>SOAR, building on SIEM and EDR, helps organizations sidestep serious security concerns. Consider the following:</p> <ul class="default-list"> <li><b>Insider threats.</b> Cross-tool enrichments enable quicker identification, context and responses.</li> <li><b>Cloud workload protection.</b> Cross-platform, unified visibility and automated responses across on-premises and cloud environments ensure resilience.</li> <li><b>Ransomware identification, protection and containment.</b> Automated endpoint isolation triggered by correlated SIEM alerts and SOAR playbooks provides immediate responses.</li> <li><b>Threat hunting.</b> Enriched alerts, correlated telemetry, improved data access and automated responses aid in threat detection.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Architecture and key integration considerations"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Architecture and key integration considerations</h2> <p>What's the best way for IT leaders to think about an integrated security landscape? There are many considerations, but most come down to the following three concepts:</p> <p>Begin by understanding the core architectural model. First, EDR tools feed information into the SIEM system. Next, the SIEM system correlates events and builds context. Finally, the <a href="https://www.techtarget.com/searchsecurity/tip/Top-6-SOAR-uses-cases-to-implement-in-enterprise-SOCs">SOAR tool automates responses</a>. Understanding this flow is critical to visualizing, understanding and working with integrated security tools.</p> <p>The flow is driven by various tool capabilities and structures, including the following:</p> <ul class="default-list"> <li><b>Recognize data pipelines and data normalization.</b> Ensures consistent data formats and fields and streamlines ingestion.</li> <li><b>Expect API-driven interoperability.</b> Use tools with extensive integration capabilities.</li> <li><b>Plan for scalability and storage while reducing latency.</b> Recognize future growth and the integration of new on-premises and cloud systems. Ensure tools can grow effectively without communication bottlenecks.</li> <li><b>Establish governance and access controls</b>. Modern deployments <a href="https://www.techtarget.com/searchdatamanagement/tip/Data-governance-challenges-that-can-sink-data-operations">require governance</a> and integration with compliance and authentication and authorization utilities.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Implementation and ongoing maintenance guidance"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Implementation and ongoing maintenance guidance</h2> <p>Establishing a solid deployment plan improves the likelihood of success for almost any project. Use the following practices to guide the implementation:</p> <ul class="default-list"> <li>Phase the rollout by starting with a limited set of high-value automations and high-risk endpoints.</li> <li>Stress the importance of continuous tuning to correlate results, optimize rules, provide enrichment resources and generate effective playbooks.</li> <li>Emphasize governance from the start, including routine audits, recognition of evolving threats, change management and oversight.</li> <li>Schedule regular playbook reviews to ensure no extra steps exist and no necessary steps are skipped.</li> <li>Establish metrics to measure value, such as reduced response times, improved automation and greater analyst efficiency.</li> <li>Create a cross-team documentation repository and keep it current and maintained.</li> </ul> <p>Security tool integration using EDR, SIEM and SOAR technologies is a continuous improvement deployment that benefits from regular attention. It's an ongoing cycle of tuning, improvement and optimization that evolves as threats change.</p> </section> <section class="section main-article-chapter" data-menu-title="Anticipating common challenges"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Anticipating common challenges</h2> <p>Any major technology implementation presents its own unique challenges. Use the following considerations to help avoid these issues before they derail your project:</p> <ul class="default-list"> <li><b>Identify IT and security team skills gaps.</b> Address the need for training, collaboration and role clarity within the ITOps and SecOps groups.</li> <li><b>Prepare for alert overload in the early phases.</b> Set expectations for <a href="https://www.techtarget.com/searchsecurity/tip/Why-security-alert-fatigue-matters-and-how-to-address-it">high numbers of alerts</a> until the system is tuned.</li> <li><b>Establish change management.</b> Establish change management governance, including stakeholder and communication loops to ensure adoption, clarity and consistency.</li> <li><b>Be aware of integration complexity.</b> Use open standards to ensure easy connectivity and integration.</li> <li><b>Recognize vendor lock-in risks.</b> Pay close attention to vendor lock-in concerns, including proprietary data formats and limited communication and integration options among vendors.</li> </ul> <p>Other challenges center on the specific tools themselves. For example, EDR tools might see coverage gaps or agent sprawl. They could also register false positives until security teams implement and complete regular tuning cycles. Also, be aware of multi-platform support issues, especially for less common OSes.</p> <p>SIEM systems might struggle early on with alert overload, log volume and cost management, based on scale. Establishing data normalization is essential for SIEM systems.</p> <p>SOAR tools require good integration among diverse tools, which is a tricky balance to achieve. Workflow design might be challenging early in the project, too.</p> <p>All of these challenges necessitate skilled administrators. It takes time for them to learn the tools and achieve good results.</p> <p>Design an effective EDR, SIEM and SOAR integration as a strategic imperative rather than merely as a technical upgrade. By taking this approach, the organization's security posture can gain an advantage in speed, risk reduction, response time and resilience.</p> <p><i>Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to InformaTechTarget, The New Stack and CompTIA Blogs.</i></p> </section> Understand the architecture, implementation, and maintenance of EDR, SIEM, and SOAR tools to optimize security workflows and ensure resilience. https://cdn.ttgtmedia.com/rms/onlineimages/collab_a235437333.jpg https://www.techtarget.com/searchsecurity/tip/A-leaders-guide-to-integrating-EDR-SIEM-and-SOAR Mon, 09 Feb 2026 14:31:00 GMT A leader's guide to integrating EDR, SIEM and SOAR <p>TikTok is no longer set to be banned in the United States.</p> <p><a href="https://www.techtarget.com/whatis/definition/TikTok">TikTok</a> has been under fire in the U.S. for years while raising questions about data access laws. The platform's parent company -- ByteDance -- must divest of its U.S. operation or lose its American user base, a group of more than 170 million.</p> <p data-end="2671" data-start="2381">However, on Jan. 22, 2026, TikTok USDS Joint Venture LLC was <a href="https://usdsjv.tiktok.com/TikTok-USDS-Joint-Venture-LLC-Established" target="_blank" rel="noopener">officially established</a>. The new entity was created to bring TikTok into compliance with President Donald Trump's executive order, with ByteDance retaining a minority ownership stake of less than 20% in TikTok's U.S. operations.</p> <p data-end="3005" data-start="2678">The remaining ownership is held by a group of U.S. and allied investors, led by Oracle, private equity firm Silver Lake, and investment firm MGX, each holding approximately 15%. The rest comprises existing ByteDance investors and other firms, including the Dell Family Office, Vastmere and Alpha Wave Partners.</p> <p>The new venture largely resolves the U.S. government's efforts to ban TikTok. Under the terms of the agreement, ByteDance's access to U.S. user data is restricted, and its ability to influence TikTok's U.S. recommendation systems is limited and subject to oversight. Oracle is responsible for data hosting, auditing and compliance with national security requirements.</p> <p>A bill passed in early 2024 originally slated the TikTok ban for January 2025. On Jan. 18, just hours before midnight, the platform went dark, messaging users to inform them the app was banned. Approximately 12 hours later, service was restored, thanks to a new executive order from President Donald Trump, signed Jan. 20, 2025, that gave TikTok an extra 75 days to comply with the law. On  April 4, 2025, <span data-teams="true">Trump signed another executive order delaying the ban an additional 75 days before the TikTok ban was set to begin. And again on June 17, 2025, Trump announced plans to extend the TikTok deadline a third time by another 90 days.</span></p> <p>On June 29, 2025, Trump told the media that he had a group of "very wealthy" investors ready to buy TikTok. To do so, the purchase also needs to be approved by China's leader, Xi Jingpin. Trump said he intended to discuss the sale with China, and The Information separately <a href="http://theinformation.com/articles/tiktok-building-new-version-app-ahead-expected-u-s-sale" target="_blank" rel="noopener">reported</a> that TikTok was developing a second app for its U.S. user base, known internally as M2, set to be released on Sept. 5, 2025.</p> <p>TikTok became available for download again via the Apple App Store and Google Play Store on Feb. 13, 2025. Still, many users were searching for <a href="https://www.techtarget.com/whatis/feature/TikTok-alternatives-to-check-out">TikTok alternatives</a> in the face of uncertainty.</p> <section class="section main-article-chapter" data-menu-title="What was the TikTok ban bill?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What was the TikTok ban bill?</h2> <p>The U.S. House of Representatives passed legislation March 13, 2024, requiring Chinese company ByteDance to sell off the social media app within six months or be banned from U.S. stores and websites. The ban would have forced Apple and Google to remove TikTok from their app stores, and service providers to block the browser version of the app in the United States.</p> <p>The bill -- known as the Protecting Americans from Foreign Adversary Controlled Applications Act (H.R. 7521) -- passed the House by a 325-65 vote with overwhelming support from both Republican and Democratic lawmakers. That standalone bill was not voted on by the U.S. Senate. The bill defines TikTok -- and other technology controlled by parent company ByteDance -- as a "Foreign Adversary Controlled Application."</p> <p>The House of Representatives tried again a month later with some additional modifications, when on April 20, 2024, it voted on a foreign aid package (H.R. 815) for Ukraine, Taiwan and Israel, that also included the TikTok provisions. That bill once again had bipartisan support, passing the House with a 360-58 vote. The U.S. Senate voted and passed the bill on April 23, in a 79-18 vote with bipartisan support.</p> <p>Former President Joe Biden then signed National Security Act, 2024 into law on April 24, 2024, which included the TikTok divest or ban bill.</p> <p>Under the terms of the bill signed by Biden, ByteDance had nine months to divest itself of TikTok and find new ownership for the social media company. The new owners needed to be based in the U.S. or an allied country. The president could extend the time by an additional 90 days if a deal was in progress at the end of the nine-month period. The nine-month deadline ended Jan. 19, 2025.</p> <p>On Jan. 20, 2025, upon inauguration, President Donald Trump signed an executive order postponing the enforcement of the ban for 75 days, giving the administration more time to pursue a resolution.</p> <p>Trump favored a TikTok ban in his first term but later opposed a ban in the 2024 race for the White House.</p> <p>TikTok pushed back against the initial rounds of voting in Congress, rolling out a $2.1 million advertising campaign featuring U.S. users discussing how the app has helped them and their businesses. Reflecting the political nature of the ban, TikTok focused its ads on U.S. battleground states with tough 2024 Senate races to try to convince incumbents to block the House of Representatives ban.</p> <p>In a <a href="https://newsroom.tiktok.com/en-us/statement-on-enactment-of-the-tiktok-ban-april-24-2024">statement</a> issued by TikTok after the bill was signed, the company claimed the law was unconstitutional, and later challenged the law in court. The challenge was <a href="https://www.computerweekly.com/news/366616902/US-TikTok-ban-imminent-after-appeal-fails">not successful.</a></p> <p>In a <a href="https://newsroom.tiktok.com/en-us/statement-on-enactment-of-the-tiktok-ban-april-24-2024">statement</a> issued by TikTok after the bill was signed, the company claimed the law was unconstitutional, and later challenged the law in court. The challenge was <a href="https://www.computerweekly.com/news/366616902/US-TikTok-ban-imminent-after-appeal-fails">not successful</a>.</p> <p>TikTok claimed more than 170 million Americans used the app, and nearly 5 million businesses had used it to start and grow their companies.</p> </section> <section class="section main-article-chapter" data-menu-title="TikTok ban timeline: How it happened and what comes next?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>TikTok ban timeline: How it happened and what comes next?</h2> <p>TikTok was under fire for many years. Here's a look at the TikTok saga:</p> <ul class="default-list"> <li><b>September 2020.</b> The first Trump Administration attempted to <a href="https://www.techtarget.com/searchcio/opinion/Trumps-dangerous-US-TikTok-ban">use its emergency power to block the application</a>.</li> <li><b>January 2023.</b> TikTok proposed a $1.5 billion plan called <a href="https://www.lawfaremedia.org/article/what-happened-to-tiktok-s-project-texas">Project Texas</a> to move all U.S. data to the United States to allay privacy and security concerns. That plan, which transferred data to Oracle's cloud and set up a U.S. subsidiary to manage it, failed to sway Congress when it voted on its ban.</li> <li><b>February 2023.</b> The Biden Administration banned TikTok on devices used by federal employees.</li> <li><b>March 2023.</b> The FBI and U.S. Department of Justice launched an investigation into allegations that TikTok spied on American journalists. Chew <a href="https://www.techtarget.com/searchcio/news/365533953/US-policymakers-press-TikTok-CEO-on-Chinas-data-access">appeared before the House Energy and Commerce Committee</a> to defend the application. His testimony touched on TikTok's consumer privacy and data security policies, the platform's mental health impact and security concerns about the platform's parent company, ByteDance.</li> <li><b>March 2024.</b> U.S. House of Representatives passes legislation requiring ByteDance to sell TikTok or be banned in U.S. app stores and websites. It then moved to the Senate, where it was never voted on.</li> <li><b>April 2024.</b> Both the U.S. House of Representatives and <a href="https://www.computerweekly.com/news/366581999/TikTok-ban-sails-through-US-Senate">Senate</a> pass a foreign aid package, which included the TikTok legislation. Days later, Biden signed the bill into law.</li> <li><b>May 2024.</b> TikTok files a lawsuit with the U.S. Court of Appeals in Washington, D.C., alleging the law is unconstitutional because it stifles free speech. The suit also alleged an unlawful taking of private property. Eight content creators also sued the U.S. government, alleging the law violates the First Amendment right to free speech.</li> <li><b>December 2024.</b> A federal appeals court unanimously upholds the TikTok ban regulation, rebuffing TikTok's complaint that the law is unconstitutional.</li> <li><b>January 2025</b> <ul type="circle" class="default-list"> <li><b>Jan 17.</b> The U.S. Supreme Court <a href="https://www.computerweekly.com/news/366618201/US-Supreme-Court-upholds-TikTok-ban">upholds the federal law</a> that would ban TikTok, pending a sell-off, and planned to ban the app on Jan. 19.</li> <li><b>Jan 18.</b> TikTok shuts off service for U.S. users, who were met with a message in the app stating, "A law banning TikTok has been enacted in the U.S. Unfortunately that means you can't use TikTok right now." The app was also removed from app stores.</li> <li><b>Jan 19.</b> Trump issues an executive order enabling TikTok to continue serving U.S. users, delaying enforcement of the ban for an additional 75 days, until April 4, 2025.</li> </ul> </li> <li><span data-teams="true"><strong>April 4, 2025. </strong>Trump signed an executive order delaying the ban by another 75 days, exactly one day before the TikTok ban was set to go into effect. In a post on Truth Social, Trump announced that his administration is working "very hard on a deal to SAVE TIKTOK" and that this extension period will be used to confirm a sale of TikTok's U.S. operations to a U.S. company."</span></li> <li><b>June 29, 2025. </b>Trump announced in an interview aired on Fox News that he had a group of investors ready to buy TikTok, but China would need to approve the purchase.</li> <li><b>July 6, 2025. </b>It was reported that TikTok will develop a secondary app for its U.S. audience, known internally as M2, which will be available on Sept. 5, 2025. Eventually, all U.S. users will need to download the new app to be able to access TikTok content.<span data-teams="true"></span></li> <li><strong>Jan. 22, 2026.</strong> TikTok finalized a deal to restructure its U.S. operations into a new, majority American-owned joint venture to avoid a nationwide ban. </li> </ul> </section> <section class="section main-article-chapter" data-menu-title="What does this deal mean for users?"> <h2 class="section-title"><i class="icon" data-icon="1"></i><span style="font-size: 26px;">What does this deal mean for users?</span></h2> <p>TikTok is still available in the U.S. It is expected to operate largely as it did previously. According to TikTok's news release, TikTok will operate under "defined safeguards that protect national security through comprehensive data protections, algorithm security, content moderation, and software assurances for U.S. users." Compliance and oversight will remain ongoing.</p> </section> <section class="section main-article-chapter" data-menu-title="Why did the U.S. want to ban TikTok?"> <h2 class="section-title"><i class="icon" data-icon="1"></i><span style="font-size: 26px;">Why did the U.S. want to ban TikTok?</span></h2> <p>The United States wanted to ban the application for several reasons, but mainly due to national security concerns. U.S. lawmakers were concerned ByteDance might leak U.S. user data to the Chinese government if forced to. TikTok was classified as a Foreign Adversary Controlled Application under the law.</p> <p>"Today, the CCP's [Chinese Communist Party's] laws require Chinese companies like ByteDance to spy on their behalf," Committee Chair Rep. Cathy McMorris Rodgers, R-Wash., said during a hearing on TikTok's national security risks.</p> <p>TikTok released a transparency report where it discloses formal legal requests for user data. The biannual information request report showed how many requests were made in each country. According to the latest report, requests for information by law enforcement reached an all-time high in the first half of 2024, with 13,166 total requests around the globe.</p> <p>While data and national security concerns were the primary driving force behind the TikTok ban, U.S. lawmakers raised a number of other issues with the app, including the following:</p> <ul type="disc" class="default-list"> <li><b>Addictiveness.</b> While TikTok's addictiveness is a concern, it has employed a feature that tells users to leave the application after 60 minutes.</li> <li><b>Misinformation.</b> TikTok claims it does not allow misinformation as part of its community guidelines and actively works to remove it. It also does not accept political ads.</li> <li><b>Children's safety.</b> There are many concerns over children abusing or misusing the application. However, TikTok has made efforts to protect children on the app, providing a different user experience for U.S. users under 13. For example, the platform prevented them from going viral and using the private messaging feature.</li> <li><b>Mental health.</b> Content that promotes eating disorders, tobacco use or suicide has been a concern. However, TikTok -- like most social media companies -- has a <a href="https://www.techtarget.com/whatis/feature/Content-moderation-guidelines-to-consider">content moderation</a> policy and aims to remove all violating content.</li> <li><b>Selling data.</b> Gathering and selling data that TikTok doesn't need to make a profit is a concern. TikTok has claimed that it does not sell data to <a href="https://www.techtarget.com/whatis/definition/data-broker-information-broker">data brokers</a>.</li> <li><b>Data security.</b> Data leaks are a concern. Data leaks are a risk with any online service and common with social media. TikTok -- and other social media platforms -- use data access protocols to protect and organize data into categories of sensitivity.</li> </ul> <p>Even before the federal ban, the U.S. prohibited the application on federal and public sector employees' phones and on state employees' phones in more than half of U.S. states. Several states have also sued TikTok. The first state to sue the company was Indiana, on claims that the application serves users inappropriate content and violates consumer protection laws in its data collection practices. Another lawsuit came from Arkansas, which sued TikTok, ByteDance and Facebook's parent company, Meta, over claims that the companies violate the Deceptive Trade Practices Act.</p> <p>Montana was the first U.S. state to pass legislation banning TikTok on all personal devices. The bill was to go into effect in January 2024, but a federal judge blocked the ban in November 2023, saying it violated the First Amendment. The law, though it did not come into effect, would have prevented the app from operating within the state and fined app stores that hosted TikTok within state lines up to $10,000 per day.</p> <p>Several universities have also banned the app on their networks.</p> </section> <section class="section main-article-chapter" data-menu-title="What countries is TikTok banned in?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What countries is TikTok banned in?</h2> <p>The United States is not the only country that has full or partial TikTok bans in place. Partial bans are usually limited to government or public sector employees. Full bans apply to all citizens.</p> <p>Some countries have full bans on TikTok, including Afghanistan, India, Iran, Kyrgyzstan, Nepal and Somalia.</p> <p>Regions that have enacted partial bans include the following:</p> <ul type="disc" class="default-list"> <li>Australia -- on all government devices.</li> <li>Belgium -- on federal government work devices.</li> <li>Canada -- on government-issued devices.</li> <li>Denmark -- on Defense Ministry staff devices.</li> <li>European Union -- on Parliament, Commission and EU Council staff devices.</li> <li><a href="https://www.computerweekly.com/news/365534070/France-latest-to-ban-TikTok-on-government-devices">France</a> -- on professional phones of civil servants.</li> <li>Latvia -- on work devices at the Latvian Ministry of Foreign Affairs.</li> <li>New Zealand -- on government lawmakers' work devices.</li> <li>Norway -- on government work devices.</li> <li>Taiwan -- on government devices.</li> <li>United Kingdom -- on government devices.</li> </ul> <p>Other countries have banned TikTok in the past and have since rescinded the bans. Two examples are Indonesia and Pakistan, which both banned the application temporarily due to explicit content.</p> </section> <section class="section main-article-chapter" data-menu-title="What types of data does TikTok collect?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What types of data does TikTok collect?</h2> <p>One point of contention is the safety of TikTok's <a href="https://www.techtarget.com/whatis/definition/recommendation-engine">recommendation engine</a>. The recommendation engine uses behavioral data to determine the user's interests and feed them relevant content. Some data that TikTok uses to do this is the following:</p> <ul class="default-list"> <li>How long a user stays on a page.</li> <li>If a user shares a video.</li> <li>If a user swipes away from a video.</li> <li>If a user comments on a video.</li> <li>If a user likes a video.</li> <li>Basic login information, such as name, age, phone number and email address.</li> <li>Location data.</li> <li>IP address.</li> <li>Biometric data.</li> </ul> <p>Dispersion mechanisms are used to keep the user from seeing repetitive content. TikTok's data collection protocols are available in full on its <a href="https://www.tiktok.com/legal/page/us/privacy-policy/en" target="_blank" rel="noopener">privacy policy</a> page.</p> <p>Some TikTok divestment deals in discussion exclude TikTok's proprietary algorithms, which has played a large role in the previous success of the app.</p> </section> <section class="section main-article-chapter" data-menu-title="Challenges of banning TikTok"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Challenges of banning TikTok</h2> <p>Notably, TikTok challenged the legality of the bill to no avail.  </p> <p>Another challenge of banning TikTok was alienating young users politically. TikTok's user base skews young. To ban access to the app would have negatively influenced a lot of young voters and consumers who enjoy the app. In the leadup to the ban, many <a href="https://www.computerweekly.com/news/366618058/Users-protest-flee-TikTok-as-clock-ticks-on-US-ban">users migrated</a> to another Chinese-owned platform with similar functionality -- RedNote -- partially out of necessity and partially in protest of the ban.</p> <p>Many SMBs also <a href="https://www.techtarget.com/whatis/feature/7-ways-to-use-TikTok-for-business">rely on the platform</a> for their business model. And many multinational corporations have their own TikTok accounts and rely on the platform for some portion of business. Over the course of the ban's saga, there have been petitions to save the app and protests against the ban, with support from lawmakers as well.</p> <p>One challenge in the event of a sell-off would have been for the new owners to maintain TikTok's popularity. A change in ownership might have created a change in functionality that drove users away, even if the app remained available. TikTok would also still have had to contend with the data privacy and security concerns that all social media platforms face, regardless of their ownership. Social media companies -- such as Meta and Twitter -- that also collect user data are <a href="https://www.techtarget.com/whatis/feature/6-common-social-media-privacy-issues">vulnerable to breaches and privacy concerns</a>, and are to a degree are under the control of their operating country's government.</p> <p>The investigation into TikTok has reinvigorated a larger conversation about data privacy on all social platforms, and has sparked calls for <a href="https://www.techtarget.com/searchcio/news/252523519/TikTok-data-privacy-issues-prompt-need-for-social-media-plan">data privacy law reform</a>.</p> </section> <section class="section main-article-chapter" data-menu-title="TikTok vs. Douyin"> <h2 class="section-title"><i class="icon" data-icon="1"></i>TikTok vs. Douyin</h2> <p>Both TikTok and Douyin are owned by ByteDance.</p> <p>While TikTok is not available in mainland China, Douyin is a short-form video app often portrayed as the Chinese version of TikTok. Douyin must comply with Chinese media laws, and a Chinese phone number is required to download It. TikTok is available in many countries worldwide and is subject to the laws of the countries in which it operates.</p> <p>Douyin has more features than TikTok. For example, Douyin has hotel booking and e-payment features in the application. It also offers full-length movies, in addition to standard short-form video. Douyin preceded TikTok. Douyin was launched in 2016, whereas TikTok was launched in 2017.</p> <p>The TikTok ban could have affected ByteDance's other applications in the U.S. The company offers several apps in U.S. app stores, such as the video editing app CapCut. ByteDance's newer app Lemon8 -- a health, fitness and wellness app -- could have been subject to the ban. RedNote, another Chinese-owned TikTok alternative, might also ran into trouble in the event of a ban.</p> <p></p> </section> The United States government took aim at the viral video-sharing application TikTok. However, a new deal has been reached to make the majority of the platform U.S.-owned. https://cdn.ttgtmedia.com/rms/onlineimages/telecommunications_g1220129100.jpg https://www.techtarget.com/whatis/feature/TikTok-bans-explained-Everything-you-need-to-know Mon, 09 Feb 2026 09:00:00 GMT TikTok bans explained: What happened and the final outcome <p>The deployment of AI for business use cases has become a major enterprise priority. But to reap AI's potentially game-changing productivity and innovation benefits, organizations must connect large language models to their internal data and services. Enter Model Context Protocol (MCP) servers, which act as middlemen or bridges between LLMs and corporate tools.</p> <p>Anthropic created the MCP open standard in late 2024 without native role restrictions or access controls, leaving security up to users. In the rush to realize agentic AI's business value, many organizations have deployed MCP servers without proper safeguards. In one recent analysis, researchers found <a target="_blank" href="https://www.darkreading.com/vulnerabilities-threats/2000-mcp-servers-security" rel="noopener">nearly 2,000 MCP servers with no security controls</a>, exposing AI systems and corporate data to the open web.</p> <p>What makes MCP servers useful for businesses also makes them attractive targets for attackers: They have access to important, often sensitive, digital assets and enable privileged actions. It is therefore critical for CISOs and their teams to implement appropriate security measures -- policies, practices and controls -- to block unauthorized access, defend against arbitrary command execution, prevent data loss and ensure compliance.</p> <section class="section main-article-chapter" data-menu-title="MCP server security best practices"> <h2 class="section-title"><i class="icon" data-icon="1"></i>MCP server security best practices</h2> <p>Effective cybersecurity always requires the right combination of human intelligence, defined processes and technology controls. Protecting MCP servers is no different. Consider the following best practices.</p> <h3>Implement a zero-trust strategy</h3> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> Because MCP servers often have access to treasure troves of private corporate data, they should be subject to zero-trust policies. </figure> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>Because MCP servers often have access to treasure troves of private corporate data, they should be subject to <a href="https://www.techtarget.com/searchsecurity/feature/How-to-implement-zero-trust-security-from-people-who-did-it">zero-trust policies</a>. CISOs must enforce the <a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP">principle of least privilege</a>, allowing only authenticated and authorized entities to communicate with MCP servers. <a href="https://www.techtarget.com/searchsecurity/tip/How-to-write-a-data-classification-policy-with-template">Data classification</a>; fine-grained, <a href="https://www.techtarget.com/searchsecurity/tip/Benefits-and-challenges-of-zero-standing-privileges">just-in-time permissions policies</a>; continuous monitoring; and strong governance help ensure that access is limited to only human users, AI agents, devices and workloads that need it, and only when they need it.</p> <h3>Maintain AI audit trails</h3> <p>Organizations need to maintain audit trails of all AI activity, both for compliance and ongoing threat detection. Doing so is especially important when working with high-value data and in critical operating environments. <a href="https://www.techtarget.com/searchsecurity/definition/privileged-access-management-PAM">Privileged access management</a> with dynamic credential provisioning can help prevent data theft while also ensuring detailed logs of human and nonhuman user activity.</p> <h3>Manage, monitor and isolate MCP servers</h3> <p>Enterprise security teams must continuously assess MCP server vulnerabilities by reviewing configurations, capabilities and access permissions and hardening against threats such as <a href="https://www.techtarget.com/searchsecurity/tip/Types-of-prompt-injection-attacks-and-how-they-work">prompt injection</a>.</p> <p>Consider platforms that provide contextual security intelligence at the <a href="https://www.techtarget.com/searchenterpriseai/tip/What-is-AI-orchestration-How-it-works-and-why-it-matters">AI orchestration</a> layer to help security practitioners better engineer environments for risk management and compliance purposes. Enterprises can also containerize and sandbox MCP servers to minimize damage if they are compromised.</p> <p>Inarguably, the most important factor in establishing solid MCP server security remains the human element. As MCP server technology and security standards continue to emerge and evolve, enterprises will need seasoned teams that can bring their foundational experience and judgement to bear.</p> <p><i>Amy Larsen DeCarlo has covered the IT industry for more than 30 years, as a journalist, editor and analyst. As a principal analyst at GlobalData, she covers managed security and cloud services.</i></p> </section> Model Context Protocol servers act as bridges between AI models and enterprise resources. But they can also give threat actors the keys to the castle if not secured. https://cdn.ttgtmedia.com/rms/onlineimages/iot_g871472636.jpg https://www.techtarget.com/searchsecurity/tip/Secure-MCP-servers-to-safeguard-AI-and-corporate-data Fri, 06 Feb 2026 18:00:00 GMT Secure MCP servers to safeguard AI and corporate data <div> <div> <p paraeid="{391f7bcb-7164-4bda-b387-679b7c275a0e}{29}" paraid="781871645"><span xml:lang="EN-US" data-contrast="auto">As more organizations move to public cloud environments, they're finding that their attack surfaces are no longer fixed perimeters but instead a constantly shifting collection of services, identities, APIs and configurations. Traditional security tools, built for more static environments, are ill-equipped to manage that level of dynamic change across products and platforms. For security teams, it's a serious problem that can leave them without the resources they need to identify, prevent and mitigate threats from actors who are more than ready to exploit any vulnerability.</span><span data-ccp-props="{}"> </span></p> </div> <div> <p paraeid="{391f7bcb-7164-4bda-b387-679b7c275a0e}{157}" paraid="348131403"><span xml:lang="EN-US" data-contrast="auto">Many enterprise security teams are looking to cloud attack surface management as a more appealing alternative to their traditional or legacy tools. Cloud ASM extends the principles of traditional </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchsecurity/tip/What-is-attack-surface-management-and-why-is-it-necessary"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">attack surface management</span></span></a><span xml:lang="EN-US" data-contrast="auto"> to cloud-native environments, helping security teams discover, monitor and secure everything exposed -- intentionally or otherwise -- across SaaS and IaaS environments.</span><span data-ccp-props="{}"> </span></p> </div> <div> <h2 paraeid="{7d217d4a-89cb-4fd8-a54f-9058a33826bf}{48}" paraid="1037967307" aria-level="2" role="heading"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 2">The nuts and bolts</span><span data-ccp-parastyle="heading 2"> of cloud ASM</span></span><span data-ccp-props="{"134245418":true,"134245529":true,"335559738":200,"335559739":0}"> </span></h2> </div> <div> <p paraeid="{7d217d4a-89cb-4fd8-a54f-9058a33826bf}{59}" paraid="224803218"><span xml:lang="EN-US" data-contrast="auto">Cloud ASM platforms focus on discovering, analyzing and minimizing cloud-exposed assets accessible from the internet or other cloud tenants. Cloud ASM works by correlating cloud provider APIs, DNS records, access policies, IP ranges, SaaS integrations and identity relationships to map an organization's cloud footprint. Unlike older external scanners that look only from the outside in, cloud ASM correlates external visibility and cloud-internal telemetry to build a full inventory of what an attacker could exploit.</span><span data-ccp-props="{}"> </span></p> </div> <div> <p paraeid="{7d217d4a-89cb-4fd8-a54f-9058a33826bf}{91}" paraid="1187590141"><span xml:lang="EN-US" data-contrast="auto">Modern cloud ASM uses automation, graph-based analysis and sometimes </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchsecurity/feature/How-AI-threat-detection-is-transforming-enterprise-cybersecurity"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">AI-driven anomaly detection</span></span></a><span xml:lang="EN-US" data-contrast="auto"> to keep the attack surface up to date as environments grow or change.</span><span data-ccp-props="{}"> </span></p> </div> <div> <p paraeid="{7d217d4a-89cb-4fd8-a54f-9058a33826bf}{121}" paraid="879148986"><span xml:lang="EN-US" data-contrast="auto">The strongest cloud ASM platforms include the following key capabilities:</span><span data-ccp-props="{}"> </span></p> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="9" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{7d217d4a-89cb-4fd8-a54f-9058a33826bf}{133}" paraid="274468795"><strong><span xml:lang="EN-US" data-contrast="auto">Continuous cloud asset discovery.</span></strong><span xml:lang="EN-US" data-contrast="auto"> Automated identification of public endpoints, APIs, storage services, VMs, serverless functions, identity objects and associated metadata.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="9" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{7d217d4a-89cb-4fd8-a54f-9058a33826bf}{169}" paraid="1687716008"><span xml:lang="EN-US" data-contrast="auto"><strong>External exposure mapping.</strong></span><span xml:lang="EN-US" data-contrast="auto"> A display of what an attacker sees on the internet, including public endpoints, open ports, leaked DNS entries, certificate mappings and cloud-specific exposures, such as public </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchaws/definition/Amazon-Simple-Storage-Service-Amazon-S3"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">S3 buckets</span></span></a><span xml:lang="EN-US" data-contrast="auto"> or anonymous identity and access management roles.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="3" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="9" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{7d217d4a-89cb-4fd8-a54f-9058a33826bf}{237}" paraid="1220321803"><strong><span xml:lang="EN-US" data-contrast="auto">Misconfiguration detection.</span></strong><span xml:lang="EN-US" data-contrast="auto"> Reporting on risky or noncompliant settings based on frameworks, such as CIS and NIST, or vendor best practices.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="3" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{f6751325-96a1-49fe-8428-1de2af93485a}{18}" paraid="1390773319"><span xml:lang="EN-US" data-contrast="auto"><strong>Identity and access surface visibility.</strong></span><span xml:lang="EN-US" data-contrast="auto"> Mapping roles, trust relationships, permissions and overly permissive policies that create privilege escalation paths. </span><span xml:lang="EN-US" data-contrast="auto">SaaS and third-party integration awareness.</span><span xml:lang="EN-US" data-contrast="auto"> Tracking </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchapparchitecture/definition/OAuth"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">OAuth</span></span></a><span xml:lang="EN-US" data-contrast="auto"> relationships, service principals, API keys and cross-cloud trust boundaries.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="1" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{f6751325-96a1-49fe-8428-1de2af93485a}{106}" paraid="1286509582"><strong><span xml:lang="EN-US" data-contrast="auto">Risk prioritization.</span></strong><span xml:lang="EN-US" data-contrast="auto"> Ranked exposure listings based on exploitability, blast radius and business impact.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> </div> <div> <div> <h2 paraeid="{f6751325-96a1-49fe-8428-1de2af93485a}{141}" paraid="1540765088" aria-level="2" role="heading"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 2">The difference between traditional and cloud ASM</span></span><span data-ccp-props="{"134245418":true,"134245529":true,"335559738":200,"335559739":0}"> </span></h2> </div> <div> <p paraeid="{f6751325-96a1-49fe-8428-1de2af93485a}{160}" paraid="958532932"><span xml:lang="EN-US" data-contrast="auto">While all ASM platforms share many core functions, there are some unique differences specific to cloud environments. For instance, traditional ASM focuses on exposed public assets and external perimeter assets, such as domains, certificates, IP addresses and internet-facing services. These platforms help security and operations teams better understand what online services an attacker could potentially reach.</span><span data-ccp-props="{}"> </span></p> </div> <div> <p paraeid="{f6751325-96a1-49fe-8428-1de2af93485a}{184}" paraid="54500655"><span xml:lang="EN-US" data-contrast="auto">Cloud ASM goes further, finding exposed cloud misconfigurations, privileges, APIs, SaaS connections and identities, even when they aren't tied to a dedicated server or traditional IP address. Cloud ASM can help teams answer the following vital questions about the organization's security footprint:</span><span data-ccp-props="{}"> </span></p> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="7" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{f6751325-96a1-49fe-8428-1de2af93485a}{218}" paraid="149361965"><span xml:lang="EN-US" data-contrast="auto">What cloud services are externally exposed?</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="7" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{f6751325-96a1-49fe-8428-1de2af93485a}{228}" paraid="104212606"><span xml:lang="EN-US" data-contrast="auto">What internal cloud identities create lateral movement risk?</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="3" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="7" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{f6751325-96a1-49fe-8428-1de2af93485a}{238}" paraid="1243237044"><span xml:lang="EN-US" data-contrast="auto">Which APIs, SaaS integrations or serverless functions expand the organization's attack surface?</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="4" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="7" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{f6751325-96a1-49fe-8428-1de2af93485a}{254}" paraid="263187371"><span xml:lang="EN-US" data-contrast="auto">What cloud-native misconfigurations could make the organization vulnerable?</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <h2 paraeid="{ba8ca99a-e909-4c53-a2e4-b07f34dc7985}{15}" paraid="1875329663" aria-level="2" role="heading"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-parastyle="heading 2">Who needs cloud ASM?</span></span><span data-ccp-props="{"134245418":true,"134245529":true,"335559738":200,"335559739":0}"> </span></h2> </div> <div> <p paraeid="{ba8ca99a-e909-4c53-a2e4-b07f34dc7985}{22}" paraid="1208962115"><span xml:lang="EN-US" data-contrast="auto">Organizations with complex </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchcloudcomputing/feature/7-key-characteristics-of-cloud-computing"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">cloud environments</span></span></a><span xml:lang="EN-US" data-contrast="auto"> -- especially financial, healthcare or rapidly scaling technology firms -- can benefit from cloud ASM. The platform replaces guesswork with continuous, evidence-based visibility.</span><span data-ccp-props="{}"> </span></p> </div> <div> <p paraeid="{ba8ca99a-e909-4c53-a2e4-b07f34dc7985}{66}" paraid="1193787346"><span xml:lang="EN-US" data-contrast="auto">Cloud ASM is ideal for organizations lacking strong central cloud governance -- i.e., those with a shadow cloud problem -- helping with cloud discovery and faster risk assessment and remediation. It is also beneficial for companies with cloud-centric vulnerability management gaps and limited cloud visibility. Enterprises experiencing growth in SaaS integrations, OAuth and other federated connections, and cross-cloud identities can also strengthen security postures with cloud ASM. Multi-cloud deployments with workloads and other assets in more than one provider environment is another promising use case.</span><span data-ccp-props="{}"> </span></p> </div> <div> <p paraeid="{ba8ca99a-e909-4c53-a2e4-b07f34dc7985}{140}" paraid="1368365746"><span xml:lang="EN-US" data-contrast="auto">Organizations evaluating cloud ASM should be aware of its pros and cons. Benefits for enterprises include:</span><span data-ccp-props="{}"> </span></p> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="10" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{ba8ca99a-e909-4c53-a2e4-b07f34dc7985}{154}" paraid="1466432152"><span xml:lang="EN-US" data-contrast="auto">Reduced cloud misconfigurations, the top cause for cloud breaches.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="10" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{ba8ca99a-e909-4c53-a2e4-b07f34dc7985}{160}" paraid="423386787"><span xml:lang="EN-US" data-contrast="auto">Rapid discovery of shadow cloud deployments, such as unsanctioned workloads created by developers.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="3" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="10" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{ba8ca99a-e909-4c53-a2e4-b07f34dc7985}{166}" paraid="1728765393"><span xml:lang="EN-US" data-contrast="auto">Better compliance posture, especially for SOC 2, </span><a rel="noreferrer noopener" target="_blank" href="https://www.techtarget.com/searchsecurity/definition/PCI-DSS-compliance-Payment-Card-Industry-Data-Security-Standard-compliance"><span xml:lang="EN-US" data-contrast="none"><span data-ccp-charstyle="Hyperlink">PCI DSS</span></span></a><span xml:lang="EN-US" data-contrast="auto"> and FFIEC-aligned institutions.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="4" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="10" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{ba8ca99a-e909-4c53-a2e4-b07f34dc7985}{180}" paraid="1376119409"><span xml:lang="EN-US" data-contrast="auto">Improved incident response readiness through identification of what's exposed.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="5" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="10" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{ba8ca99a-e909-4c53-a2e4-b07f34dc7985}{192}" paraid="1222015711"><span xml:lang="EN-US" data-contrast="auto">Lower likelihood of exposure, particularly for credentials, endpoints and storage nodes.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <p paraeid="{ba8ca99a-e909-4c53-a2e4-b07f34dc7985}{200}" paraid="50658718"><span xml:lang="EN-US" data-contrast="auto">Also consider the following potential headaches:</span><span data-ccp-props="{}"> </span></p> </div> </div> <div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="8" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{ba8ca99a-e909-4c53-a2e4-b07f34dc7985}{214}" paraid="309386825"><span xml:lang="EN-US" data-contrast="auto">Alert fatigue if the platform lacks strong event or alerting prioritization models.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="8" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{ba8ca99a-e909-4c53-a2e4-b07f34dc7985}{228}" paraid="1801383618"><span xml:lang="EN-US" data-contrast="auto">The additional effort involved with having multiple cloud providers and SaaS ecosystems.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="3" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="8" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{ba8ca99a-e909-4c53-a2e4-b07f34dc7985}{234}" paraid="346967766"><span xml:lang="EN-US" data-contrast="auto">The complexity of integrating a high volume of service accounts and trust relationships.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <ul style="list-style-type: disc;" role="list" class="default-list"> <li role="listitem" data-aria-level="1" data-aria-posinset="4" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-listid="8" data-font="Symbol" data-leveltext="" aria-setsize="-1"> <p paraeid="{ba8ca99a-e909-4c53-a2e4-b07f34dc7985}{240}" paraid="1225866092"><span xml:lang="EN-US" data-contrast="auto">Organizational friction arising from ASM findings spanning security, DevOps and cloud engineering teams.</span><span data-ccp-props="{}"> </span></p> </li> </ul> </div> <div> <p paraeid="{ba8ca99a-e909-4c53-a2e4-b07f34dc7985}{246}" paraid="632655916"><span xml:lang="EN-US" data-contrast="auto">With cloud environments changing by the minute and attackers quick to exploit even the smallest misstep, security teams can no longer afford blind spots or delayed visibility. Cloud ASM provides the continuous insight needed to understand what's exposed, why it matters and how to reduce risk before it becomes a breach. While adoption comes with operational challenges, the cost of inaction is far greater. For organizations operating at cloud scale, cloud ASM can be a foundational capability for maintaining control, resilience and trust in an increasingly dynamic threat landscape.</span><span data-ccp-props="{}"> </span></p> </div> <div> <p paraeid="{b7a1799b-c4bf-4d5e-98d5-d3e0237e9d82}{43}" paraid="82603438"><em><span xml:lang="EN-US" data-contrast="auto">Dave Shackleford is founder and principal consultant at Voodoo Security, as well as a SANS analyst, instructor and course author, and GIAC technical director.</span></em></p> </div> </div> Cloud environments constantly change, expanding attack surfaces beyond traditional tools. Cloud ASM delivers continuous visibility to identify exposures, misconfigurations and risk. https://cdn.ttgtmedia.com/rms/onlineimages/cloud_g1251263502.jpg https://www.techtarget.com/searchsecurity/tip/Why-organizations-need-cloud-attack-surface-management Fri, 06 Feb 2026 16:02:00 GMT Why organizations need cloud attack surface management <p>Like the best-laid plans of mice and men, even the best-intentioned cybersecurity <a href="https://www.techtarget.com/searchsecurity/definition/incident-response">incident response</a> plans can go awry. When they do, the consequences can be ugly, as many organizations have discovered in recent years.</p> <p>A 2025 survey of 1,700 IT and engineering professionals by New Relic reported that high-impact IT outages now carry a median cost of $2 million per hour -- roughly $33,000 every minute -- and result in annual losses averaging $76 million per organization. The longer an incident drags on, the greater the damage. IBM's "Cost of a Data Breach Report 2025" <a target="_blank" href="https://www.ibm.com/reports/data-breach" rel="noopener">found</a> that breaches contained within 200 days averaged $3.87 million in losses, compared with $5.01 million when detection and response took longer.</p> <p>Cost is not the only issue. Organizations can also face prolonged downtime, regulatory penalties and reputational damage from long-tailed incidents.</p> <p>When incident response plans fail or don't work as intended, the reasons can be complex and varied. Causes range from gaps in team coordination, unanticipated system failures, inadequate threat intelligence and attackers exploiting previously unknown vulnerabilities.</p> <p>Security analysts pointed to several likely culprits for incident response plan failures.</p> <section class="section main-article-chapter" data-menu-title="Complex or vague plans"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Complex or vague plans</h2> <p>Poorly written plans with incomplete problem cases and responses can stymie incident response efforts. So, too, can overly detailed checklists that don't fit reality or high-level fluff with no actionable steps.</p> <p>"Some plans I've seen become overly technical and are out of date the moment they're completed," said Daniel Kennedy, an analyst at S&P Global Market Intelligence. "Some start to read like a legal policy document and, thus, the people who have to execute steps in the plan don't understand what they're supposed to do."</p> <p>The key, according to Kennedy, is to <a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-an-incident-response-playbook">develop incident response plans</a> that work under pressure by clearly defining who does what. Plans must be technical enough to guide actions, but clear enough that responders understand their roles. Getting stakeholder input and senior leadership buy-in during planning, though difficult, pays off when an actual incident occurs.</p> </section> <section class="section main-article-chapter" data-menu-title="Unclear roles and responsibilities"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Unclear roles and responsibilities</h2> <p>Bad things can happen when no one knows who's in charge or what they're supposed to do during an incident.</p> <p>Successful plans establish explicit decision-making hierarchies with preauthorized response actions that don't require real-time approval, said Mari DeGrazia, certified SANS instructor and director of incident response at IDX.</p> <p>"Teams know exactly who can authorize network isolation, system shutdowns or external communications without waiting for executive approval during critical moments," she said. "This includes having things like presigned legal agreements with forensics firms, clear spending authorities for emergency resources and documented escalation triggers that automatically activate additional response capabilities."</p> <p>Kennedy added, "A common problem occurs when senior managers without clearly defined incident response roles insert themselves into active incident response, overriding established procedures and previously agreed-upon response steps. That person usually has enough organizational power to start people doing other things, or can demand people stop to answer their questions, but hasn't invested enough time in knowing the plan that was carefully written in calm seas."</p> <p>Though often well-meaning, such interference can derail an entire response process.</p> <p>"Having a very senior resource, even C-level, be involved with and approve the carefully written planning steps can overcome this issue," Kennedy said.</p> </section> <section class="section main-article-chapter" data-menu-title="Inadequate tooling and access"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Inadequate tooling and access</h2> <p>Incident response plan failures can also occur when responders lack the necessary tools, credentials or permissions for critical systems -- especially when even a few seconds can make a big difference.</p> <p>"Incident response plans frequently assume access to tools and technologies that may not be properly configured, maintained or accessible during an actual incident," said Elvia Finalle, an analyst at Omdia, a division of Informa TechTarget. "This includes backup systems that haven't been tested, monitoring tools with gaps in coverage or communication systems that become unavailable during the incident."</p> <p>Another assumption is that the incident response plan is the only plan that needs to be implemented during incident response, Finalle said. To minimize disruption, organizations should also have backup systems and have a safe way for operations to continue as normal while the original environment is restored.</p> <p>Third-party MSPs and providers can also pose issues. "They aren't always responsive when you need them, or companies discover they don't have the proper service-level agreement for emergency response," DeGrazia said. For example, some MSPs charge significantly more to assist during an incident and after hours, which can be an unpleasant surprise in an already stressful situation.</p> </section> <section class="section main-article-chapter" data-menu-title="Rigid and inflexible plans"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Rigid and inflexible plans</h2> <p>Most incident response plans are written assuming ideal conditions, Finalle pointed out. In these plans, <a href="https://www.techtarget.com/searchsecurity/tip/CERT-vs-CSIRT-vs-SOC-Whats-the-difference">key personnel are always available</a>, systems work as expected and external resources respond immediately. Real life tends to be a lot messier and unpredictable.</p> <p>"Reality delivers the opposite," Finalle said. "Incidents typically occur during weekends, holidays or when key team members are unavailable. Critical systems fail to respond as documented, backup communication channels don't work and external forensic firms are already engaged with other clients."</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> Plans for incident response need to be consistently revised and upgraded as hacking mechanisms change, especially in the AI area. </figure> <figcaption> <strong>Elvia Finalle, Analyst, Omdia</strong> </figcaption> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>While incident response plans assume a controlled environment, breaches create chaos and responders quickly discover that nothing works as intended.</p> <p>Incident response plans are structured around methodical, step-by-step processes with time for analysis and deliberation, DeGrazia said. Actual incidents compress decision-making timeframes to minutes rather than hours, while simultaneously overwhelming responders with information from multiple sources.</p> <p>"Teams find themselves making critical containment decisions with incomplete information while managing dozens of parallel activities -- a cognitive load that most plans fail to anticipate or prepare teams to handle," she said.</p> <p>The unexpected unavailability of a key individual can create another curveball, DeGrazia pointed out. "Vacations, sick leave or simply being unreachable can bring response efforts to a halt if knowledge isn't documented and distributed," she said. Or it could be the longer-than-planned time required to restore from backups, or sudden bandwidth constraints, failed restorations or storage bottlenecks.</p> <p>"Companies test their backups, but they rarely test restoring everything at once under pressure," DeGrazia added.</p> </section> <section class="section main-article-chapter" data-menu-title="Never-tested response plans"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Never-tested response plans</h2> <p>If incident response plans sit on shelves gathering dust, there's a high likelihood they will not work as intended during an actual emergency. Similarly, an incident response plan based on old architecture or a plan that doesn't account for cloud environments, remote workforces or recent system changes is not going to be much help.</p> <p>"Plans for incident response need to be consistently revised and upgraded as hacking mechanisms change, especially in the AI area," Finalle explained.</p> <p>Plans that hold up under pressure are built on extensive, realistic training that creates muscle memory for response teams. Organizations with resilient plans conduct <a href="https://www.techtarget.com/searchsecurity/tip/Explaining-cybersecurity-tabletop-vs-live-fire-exercises">monthly tabletop exercises</a>, quarterly simulations with real system isolation and annual full-scale incident drills that include stress testing communication channels and decision-making processes.</p> <p>"This repetitive practice ensures that when adrenaline kicks in during a real incident, teams automatically execute procedures without hesitation or confusion," she said.</p> <p>Yet, many companies don't hold <a href="https://www.techtarget.com/searchsecurity/tip/How-to-conduct-incident-response-tabletop-exercises">meaningful tabletop exercises</a>, Kennedy said. And, when they do, senior management -- the people who will play key roles during an actual incident -- are often not involved in the tabletop walkthrough.</p> <p>"Their entire purpose is to identify shortcomings in the plan in a simulated environment," he added. "The variables that arise during an actual response always throw a curveball at you, and thus plans must address the big steps but be flexible enough to allow for on-the-spot decision making and escalations."</p> </section> <section class="section main-article-chapter" data-menu-title="Lack of cross-functional input"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Lack of cross-functional input</h2> <p>Effective incident response depends on a coordinated, cross-functional effort across the organization. While IT and security operations lead threat detection, containment and remediation, incident response extends far beyond technical measures. For example, legal teams ensure breach notification and compliance requirements are met, communications and PR manage internal and external messaging, and business leaders assess operational impact. HR could also be involved if insider activity or employee data is implicated.</p> <p>"One of the most common reasons incident response plans fail is the lack of cross-functional input during their development," Finalle said. "Plans are often created in silos -- typically by the security team -- without proper input from legal, IT infrastructure, the help desk or other key stakeholders."</p> <p>This result? Plans that don't reflect the realities or constraints of those teams, which can lead to response failures during a real incident.</p> <p>A lack of awareness also exacerbates the situation. "The security team might know a plan exists, but others in the organization don't," Finalle said. "If the people who are supposed to execute the plan aren't familiar with it -- or don't even know it exists -- it's unlikely to be effective."</p> </section> <section class="section main-article-chapter" data-menu-title="Ignoring the human element"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Ignoring the human element</h2> <p>A sudden cybersecurity event forces incident response teams to make high-impact decisions under intense pressure and tight time constraints. In the heat of the moment, this might cause risk aversion. "People may hesitate to act because they don't want to be held responsible for making the wrong call," DeGrazia said.</p> <p>The time of an incident can also affect response. For example, if an attack occurs after hours or over the weekend, response might be delayed. Organizations that require long hours from responders on top of their normal work obligations also risk burnout and avoidable mistakes.</p> <p>Organizational culture also impacts the effectiveness of incident response, said Andrew Braunberg, an analyst at Omdia. For example, an organization's risk appetite and risk threshold significantly affect funding, and culture can alter incident response team structure -- for example, whether the team is an integral part of the security operations center or is a standalone team.</p> <p>To prevent human error, it is critical to have a clear incident response plan, Braunberg said, and to ensure team members receive the proper training on it. Training also includes <a href="https://www.techtarget.com/searchsecurity/tip/Incident-response-How-to-implement-a-communication-plan">clearly communicating the plan</a> and testing the team, as well as the plan. This should include penetration testing, tabletop exercises and red, purple and blue teaming, he added.</p> <p>If an incident response plan can't be executed amid a real-world intrusion, it is of little use. In the end, its value lies in its ability to bring order and calm so teams can react when the pressure is on and the stakes are high.</p> <p><i>Jaikumar Vijayan is a freelance technology journalist with more than 20 years of award-winning experience in IT trade journalism, specializing in information security, data privacy and cybersecurity topics.</i></p> </section> Incident response plans can fall apart when faced with real-world security events. Learn about the gaps that can lead to failure and how to avoid them. https://cdn.ttgtmedia.com/rms/onlineimages/security_a303249453.jpg https://www.techtarget.com/searchsecurity/feature/Top-reasons-incident-response-plans-fail Thu, 05 Feb 2026 13:22:00 GMT Top 7 reasons incident response plans fail <p>Contact center software has existed since the dawn of digital contact centers decades ago. But, in recent years, the contact center software industry has changed significantly.</p> <p>New technologies, such as generative AI, have spawned powerful and innovative contact center features. Hyperscalers, too, like Microsoft and Amazon, have entered the space, hoping to use their command of adjacent markets to claim a slice of the contact center software ecosystem.</p> <p>All these developments prompt a re-evaluation of <a href="https://www.techtarget.com/searchcustomerexperience/feature/The-ultimate-guide-to-contact-center-modernization">modern contact center platform options</a>. Below, we identify the leading contact center platforms and summarize their key features and drawbacks so businesses can make informed decisions when evaluating these products.</p> <p>In developing this list, we examined research and independent user reviews from leading analyst firms and buyer intelligence platforms. Based on this analysis, we created an unranked list of the top 19 contact center platforms. The list is in alphabetical order.</p> <p>The software providers range from new players to more established vendors. While they all deliver <a href="https://www.techtarget.com/searchcustomerexperience/How-to-choose-a-contact-center-software-system">core contact center software capabilities</a>, they vary in areas like major features, pricing, AI capabilities, scalability and integrations.</p> <section class="section main-article-chapter" data-menu-title="1. 8x8"> <h2 class="section-title"><i class="icon" data-icon="1"></i>1. 8x8</h2> <p>Founded in 1987, 8x8 has built up its contact center platform over many years, largely through acquisitions. What began as a basic voice calling tool has evolved into a full-fledged platform for multi-channel customer interaction.</p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>Analytics.</b> Detailed analytics and reporting provide real-time feedback on customer interactions.</li> <li><b>Intelligent call routing.</b> Interactive voice response and customized call routing help to personalize the <a href="https://www.techtarget.com/searchcustomerexperience/definition/customer-experience-CX">customer experience</a> (CX).</li> <li><b>Extensive CRM integration.</b> Integrations with popular CRM platforms make it easy to use CRM data during customer interactions.</li> </ul> <h3>Scalability</h3> <p>8x8's cloud-based hosting model allows the platform's software to scale easily. Flexible licensing also helps enable scalability from a purchasing standpoint.</p> <h3>Integrations</h3> <p>8x8 integrates by default with major CRM and communications platforms like Salesforce, HubSpot and Microsoft Teams. An API enables custom integrations.</p> <h3>Pricing</h3> <p>Pricing varies widely depending on feature selection, and 8x8 offers custom quotes rather than publishing pricing details publicly. As a baseline, however, pricing generally starts around $20 per user per month, although it can extend above $100 per user per month for feature-rich plans.</p> <p>8x8 is most notable for its affordable pricing for basic plans and easy integration with external platforms.</p> </section> <section class="section main-article-chapter" data-menu-title="2. Amazon Connect"> <h2 class="section-title"><i class="icon" data-icon="1"></i>2. Amazon Connect</h2> <p>Introduced in 2017, Amazon Connect offers a centralized hub from which <a href="https://www.techtarget.com/searchcustomerexperience/answer/5-ways-to-improve-call-center-agent-performance?Offer=ab_MeteredFormCopyEoc_var3">contact center agents</a> can engage with customers across multiple channels, including voice, chat and messaging. It also integrates with other Amazon products and services. In 2023, Amazon Connect incorporated several AI-based capabilities, such as support for creating virtual assistants.</p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>Centralized interface.</b> Contact center agents can handle interactions via voice, chat, email and text through a centralized channel.</li> <li><b>No-code flow builder.</b> To configure workflows for different types of interactions or customer needs, businesses can use a visual workflow builder.</li> <li><b>AI-driven automation.</b> Partly via integrations with other Amazon services -- such as Lex, which powers AI chatbots -- Amazon Connect enables the automation of some interactions using AI. For example, users can use Amazon Q in Connect to deploy GenAI chatbots. AI features can also automatically route requests to agents.</li> </ul> <h3>Scalability</h3> <p>As a platform hosted across multiple regions in the AWS cloud, Connect is a highly scalable and <a href="https://www.techtarget.com/searchcloudcomputing/tip/Compare-high-availability-vs-fault-tolerance-in-AWS?Offer=ab_MeteredFormCopyEoc_var3">fault-tolerant service</a>. It can support a virtually unlimited volume of agents or interactions.</p> <h3>Integrations</h3> <p>Connect integrates most closely with other services within the Amazon cloud. However, it supports limited integrations with external platforms, such as Salesforce and Zendesk, which businesses can use to look up or import data during customer interactions.</p> <h3>Pricing</h3> <p>Connect pricing is based mostly on volume usage. It starts at around $0.018 per minute for voice calls and $0.004 per chat message. Additional fees apply for using optional features, like Amazon Q.</p> <p>Amazon Connect is most notable for hyperscale-level scalability and availability, as well as tight integration with other Amazon services.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/ai_sharpens_contact_center_features_and_actions-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/ai_sharpens_contact_center_features_and_actions-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/ai_sharpens_contact_center_features_and_actions-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/ai_sharpens_contact_center_features_and_actions-f.png 1280w" alt="Integrating AI in contact center software" height="355" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>AI and generative AI integration is remaking contact center software. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="3. Avaya"> <h2 class="section-title"><i class="icon" data-icon="1"></i>3. Avaya</h2> <p>Traditionally, Avaya focused its contact center software on <a href="https://www.techtarget.com/searchcustomerexperience/tip/On-premises-vs-cloud-contact-center-Whats-the-difference">on-premises hosting models</a>. However, it has expanded into cloud-based options that support public and private cloud deployments. Avaya provides all the core capabilities that businesses expect from a modern contact center platform as well as certain innovative features like AI-based virtual assistants.</p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>Flexible deployment options.</b> Avaya offers on-premises and cloud-based contact center products. The on-prem offering may be an advantage for organizations that, due to <a href="https://www.techtarget.com/searchcustomerexperience/tip/Call-center-compliance-checklist-for-hybrid-workforces">compliance or privacy concerns</a>, can't or don't want to store contact center data on third-party infrastructure.</li> <li><b>Process optimization.</b> Native features assist with the optimization of tasks such as scheduling and agent training.</li> <li><b>Real-time reporting.</b> Continuous analytics further assist with the identification of opportunities to optimize.</li> </ul> <h3>Scalability</h3> <p>While the scalability of Avaya's on-premises offering is limited by the scope of the host infrastructure, its cloud-based platform can scale virtually without limit.</p> <h3>Integrations</h3> <p>Avaya integrates with popular CRM platforms like Salesforce, ServiceNow and Microsoft Dynamics 365. Custom integrations are available through an API.</p> <h3>Pricing</h3> <p>The cost of Avaya starts at $20 per user per month for the Core plan. The highest-cost plan is priced at $35 per user per month. These prices reflect a 20% discount for a yearly contractual commitment.</p> <p>Avaya is most notable for its on-premises deployment option and competitive pricing.</p> </section> <section class="section main-article-chapter" data-menu-title="4. Cisco Contact Center"> <h2 class="section-title"><i class="icon" data-icon="1"></i>4. Cisco Contact Center</h2> <p>Although Cisco is best known for its networking and communications tools, it has also invested significantly in the contact center space. Its Contact Center product employs Webex, a meeting and collaboration application, as the foundation for omnichannel customer interactions.</p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>Security.</b> Cisco Contact Center goes <a href="https://www.techtarget.com/searchcustomerexperience/tip/Call-center-security-best-practices-to-protect-customer-data">above and beyond in the security realm</a>, offering advanced capabilities like endpoint hardening and data masking.</li> <li><b>Enterprise scalability.</b> While the product can work for small businesses, it's designed especially for large-scale, enterprise-grade communications.</li> <li><b>Customer sentiment analysis.</b> The platform uses AI to assess customer reactions to interactions.</li> </ul> <h3>Scalability</h3> <p>Cisco Contact Center scales especially well for large enterprises.</p> <h3>Integrations</h3> <p>Cisco Contact Center integrates tightly with other Cisco tools, particularly the Webex and Jabber communication apps. In fact, to some extent, the contact center service depends on these integrations with other Cisco tools. Integrations are also available for major CRM and IT ticketing platforms.</p> <h3>Pricing</h3> <p>Cisco doesn't publish pricing details for its contact center service, and costs vary depending on features and usage. As a rough baseline, expect to pay anywhere in the range of $30 to $200 per user per month.</p> <p>Cisco Contact Center is most notable for its security features and enterprise-grade scalability.</p> </section> <section class="section main-article-chapter" data-menu-title="5. CloudTalk"> <h2 class="section-title"><i class="icon" data-icon="1"></i>5. CloudTalk</h2> <p>CloudTalk is most notable for its heavy focus on <a target="_blank" href="https://www.cloudtalk.io/blog/call-center-analytics-guide/" rel="noopener">automation and analytics features</a> designed to streamline contact center performance and increase operations efficiency. It also offers innovative AI-powered features, such as topic extraction, which automatically monitors conversational topics.</p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>Agent collaboration.</b> In addition to supporting multi-channel customer engagement, CloudTalk offers native features for agent collaboration, like internal call conferencing and shared workspaces.</li> <li><b>Advanced analytics.</b> CloudTalk offers particularly detailed reporting on engagement metrics and agent performance.</li> <li><b>Extensive integrations.</b> The platform provides a broad range of integrations that include major CRM platforms and communication and automation tools like Slack and Zapier.</li> </ul> <h3>Scalability</h3> <p>As a cloud-based offering, CloudTalk works well at virtually any scale. Flexible pricing terms also enable easy scalability.</p> <h3>Integrations</h3> <p>As noted above, CloudTalk integrates out-of-the-box with a particularly wide range of external platforms. It also provides an API for custom integrations.</p> <h3>Pricing</h3> <p>CloudTalk pricing starts around $25 per user per month. The most feature-rich plan costs about $50 per user per month.</p> <p>CloudTalk is notable for its advanced analytics and broad integrations.</p> </section> <section class="section main-article-chapter" data-menu-title="6. Content Guru"> <h2 class="section-title"><i class="icon" data-icon="1"></i>6. Content Guru</h2> <p>Launched in 2005, Content Guru offers a contact center and <a href="https://www.techtarget.com/searchcustomerexperience/definition/customer-engagement">customer engagement</a> service tailored for verticals that require high availability and security, like government and finance. Although the service can be and is used by all types of businesses.</p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>AI-powered automation.</b> Content Guru makes extensive use of AI to automate tasks like call routing. It also supports AI-powered virtual agents.</li> <li><b>Workforce management.</b> Native capabilities assist with scheduling contact center agents and managing workflows.</li> <li><b>Video call support.</b> Supports customer engagement via video as well as more conventional channels, such as voice and text.</li> </ul> <h3>Scalability</h3> <p>Cloud-based deployment enables easy scalability up and down.</p> <h3>Integrations</h3> <p>Content Guru integrates with major CRM platforms out-of-the-box, and an API is available for developing custom integrations.</p> <h3>Pricing</h3> <p>Content Guru pricing varies based on total agent count, type and feature availability. It starts at $22 per digital-only agent per month. Voice agents cost at least $70 per month.</p> <p>Content Guru is most notable for AI-powered automation and workflow optimization capabilities.</p> </section> <section class="section main-article-chapter" data-menu-title="7. Dialpad"> <h2 class="section-title"><i class="icon" data-icon="1"></i>7. Dialpad</h2> <p>Dialpad initially focused on providing internal communications software for businesses and added contact center software capabilities in 2018. Dialpad is most notable for its extensive investment in AI-based capabilities, such as AI-driven voice analysis and call summaries, as well as AI-powered <a href="https://www.techtarget.com/searchcustomerexperience/definition/virtual-agent">virtual agents</a>.</p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>AI capabilities.</b> Dialpad makes especially extensive use of AI to provide capabilities like real-time transcription and sentiment analysis.</li> <li><b>Collaboration.</b> Built-in chat, file sharing and other collaboration tools help agents communicate.</li> <li><b>Broad integrations.</b> Dialpad integrates with external productivity and collaboration platforms like Google Workspace and Microsoft Teams in addition to CRM tools.</li> </ul> <h3>Scalability</h3> <p>Cloud-based deployment and multiple pricing plans make Dialpad easy to scale for businesses of virtually all sizes.</p> <h3>Integrations</h3> <p>As mentioned, Dialpad is notable for integrating with popular CRM platforms, like Salesforce and Zendesk, and productivity and collaboration suites, like Google Workspace and Microsoft Teams. Customers can also build custom workflows.</p> <h3>Pricing</h3> <p>Dialpad pricing starts at $15 per user per month for the Standard plan. The Pro plan is $25 per user per month. An Enterprise plan is also available.</p> <p>Dialpad is most notable for advanced AI features, extensive integrations and competitive entry-level pricing.</p> </section> <section class="section main-article-chapter" data-menu-title="8. Five9"> <h2 class="section-title"><i class="icon" data-icon="1"></i>8. Five9</h2> <p>Five9 provides a fully cloud-based call and contact center platform. It also places special emphasis on transparency and security for businesses concerned with <a href="https://www.techtarget.com/searchcustomerexperience/answer/How-do-companies-protect-customer-data">protecting sensitive customer data</a> or meeting strict compliance mandates related to customer calls.</p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>Dynamic routing.</b> Five9 offers a particularly powerful routing tool that can route calls based on a variety of factors, such as priority level, agent expertise and geographical location.</li> <li><b>Workforce management.</b> Built-in capabilities, including forecasting and automated scheduling, assist with agent workforce management.</li> <li><b>AI capabilities.</b> Five9 includes advanced AI features such as speech recognition and predictive dialing.</li> </ul> <h3>Scalability</h3> <p>Five9 is highly scalable because of its cloud-based deployment model and its flexible pricing terms and plans, which cater to a wide range of business sizes.</p> <h3>Integrations</h3> <p>Five9 integrates with CRM platforms as well as popular IT management suites, like ServiceNow.</p> <h3>Pricing</h3> <p>Five9 doesn't publish full pricing details of all its plans, but its most basic plan starts at $119 per user per month. Its Core plan, which has more features, is $159 per user per month.</p> <p>Five9 is most notable for especially efficient and flexible call routing capabilities and advanced AI features.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/basic_contact_center_business_goals-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/basic_contact_center_business_goals-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/basic_contact_center_business_goals-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/basic_contact_center_business_goals-f.png 1280w" alt="Business goals for contact center software" height="260" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Today's contact center software must satisfy several business goals. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="9. Genesys"> <h2 class="section-title"><i class="icon" data-icon="1"></i>9. Genesys</h2> <p>Founded in 1990, Genesys has spent decades building a feature-rich contact center and customer engagement platform. The company caters especially to medium-size and large businesses.</p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>On-premises option.</b> An on-premises deployment option is available, as well as a <a href="https://www.techtarget.com/searchcloudcomputing/tip/Evaluate-on-premises-vs-cloud-computing-pros-and-cons">cloud-based offering</a>.</li> <li><b>Virtual agents.</b> AI capabilities include virtual agents.</li> <li><b>Collaboration.</b> Internal screen sharing and conferencing capabilities help agents collaborate.</li> </ul> <h3>Scalability</h3> <p>Genesys can operate on any scale, but it focuses especially on deployments for midsize and enterprise customers.</p> <h3>Integrations</h3> <p>Out-of-the-box integrations focus mostly on CRM platforms. An API is available for custom integrations.</p> <h3>Pricing</h3> <p>Costs start at $75 per user per month and range up to $240 per user per month.</p> <p>Genesys is most notable for its on-premises deployment option and extensive collaboration capabilities.</p> </section> <section class="section main-article-chapter" data-menu-title="10. Google Cloud Contact Center as a Service"> <h2 class="section-title"><i class="icon" data-icon="1"></i>10. Google Cloud Contact Center as a Service</h2> <p>Google Cloud Contact Center as a Service (CCaaS) -- also referred to as Google's Contact Center AI Platform (CCAI Platform) -- is among the newer cloud-based contact center products and is focused on AI capabilities such as virtual agents. Behind the scenes, however, Google's contact center offering is powered largely by UJET, an independent contact center platform known for its analytics features and <a href="https://www.techtarget.com/searchcustomerexperience/tip/Contact-center-back-end-integrations-drive-revenue-growth">integration with CRM systems</a>.</p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>AI capabilities.</b> Advanced AI capabilities include chatbots and virtual agents.</li> <li><b>Speech recognition.</b> AI also enables real-time speech transcription and sentiment analysis.</li> <li><b>Google Cloud integrations.</b> Google's contact center integrates tightly with other Google Cloud services.</li> </ul> <h3>Scalability</h3> <p>Although designed especially for large enterprise customers, Google Cloud's CCaaS can also support smaller teams.</p> <h3>Integrations</h3> <p>The contact center integrates most seamlessly with other Google Cloud products and services, as well as popular CRMs like Salesforce. An API is available for developing custom integrations.</p> <h3>Pricing</h3> <p>Pricing is mostly a pay-as-you-go model and starts at around $0.06 per chat session and $0.05 per voice minute. Some capabilities cost extra, like Conversational Insights, which provides engagement analytics.</p> <p>The CCAI Platform is most notable for its close integration with Google Cloud services and enterprise-grade scalability.</p> </section> <section class="section main-article-chapter" data-menu-title="11. Microsoft Dynamics 365 Contact Center"> <h2 class="section-title"><i class="icon" data-icon="1"></i>11. Microsoft Dynamics 365 Contact Center</h2> <p>Microsoft developed the Microsoft Dynamics contact center platform in-house and released it in July 2024. Microsoft emphasizes self-service on a customer-preferred channel as well as <a href="https://www.techtarget.com/searchcustomerexperience/tip/Best-practices-for-call-center-monitoring">monitoring and reporting features to improve operational efficiency</a>.</p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>Workforce management.</b> Built-in tools assist with agent scheduling and performance assessment.</li> <li><b>Microsoft integrations.</b> Dynamics 365 Contact Center connects to other Microsoft tools and platforms, like Teams, Outlook and Power BI.</li> <li><b>AI features.</b> Dynamics 365 Contact Center uses GenAI services hosted on the Microsoft Azure cloud to enable virtual agents and chatbots.</li> </ul> <h3>Scalability</h3> <p>As a hyperscale-based service, Dynamics 365 offers immense scalability from an infrastructure perspective. That said, its pricing models are flexible enough to accommodate the needs of smaller teams as well.</p> <h3>Integrations</h3> <p>The contact center service integrates most tightly with other Microsoft products, as well as popular CRM platforms. Custom integrations are possible through an API.</p> <h3>Pricing</h3> <p>Costs begin at $95 per user per month. A free trial is also available.</p> <p>Dynamics 365 Contact Center is most notable for integration with other Microsoft products, which facilitates integrating contact center capabilities into broader Microsoft software suites.</p> </section> <section class="section main-article-chapter" data-menu-title="12. Nextiva"> <h2 class="section-title"><i class="icon" data-icon="1"></i>12. Nextiva</h2> <p>Nextiva offers all the key features that businesses need to operate an effective contact center, such as<a href="https://www.techtarget.com/whatis/definition/skill-based-routing-SBR"> skills-based call routing</a> and advanced call management. Nextiva has invested in AI-based capabilities and places special emphasis on platform reliability and a fast response to service requests from its customers.</p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>Intelligent call routing.</b> Nextiva provides highly flexible and efficient call routing capabilities based on criteria defined by users.</li> <li><b>AI capabilities.</b> The platform uses AI to generate call summaries. An AI answering feature is also available.</li> <li><b>High availability.</b> Nextiva's platform is cloud-based, and the company focuses on achieving particularly high availability through a multi-site hosting model.</li> </ul> <h3>Scalability</h3> <p>Multi-site hosting and flexible pricing plans enable a high degree of scalability.</p> <h3>Integrations</h3> <p>Nextiva connects to major CRM platforms. An API supports custom integrations.</p> <h3>Pricing</h3> <p>Costs start at $15 per user per month, and increase to $75 per user per month for more features geared toward small businesses. Larger enterprise plans are also available.</p> <p>Nextiva is most notable for reliability and affordable entry-level pricing.</p> </section> <section class="section main-article-chapter" data-menu-title="13. NiCE CXone Mpower"> <h2 class="section-title"><i class="icon" data-icon="1"></i>13. NiCE CXone Mpower</h2> <p>Launched in 2024, CXone Mpower from NiCE is one of the newest contact center platforms on our list. The company promotes CXone Mpower as a "CX-aware" service because it uses AI to inject <a target="_blank" href="https://www.linkedin.com/pulse/transform-customer-experiences-real-time-using-contextual-goyal-hlw8c/" rel="noopener">context into customer interactions</a>.</p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>AI integrations.</b> The platform makes extensive use of AI to help optimize workflows and generate context for customer integrations.</li> <li><b>Chatbots and virtual agents.</b> AI also supports chatbots and virtual agents within CXone Mpower.</li> <li><b>Scalability.</b> The platform is particularly notable for its ability to cater to customers of all types and sizes, from small businesses to large enterprises.</li> </ul> <h3>Scalability</h3> <p>As noted above, CXone Mpower is an especially scalable service due to its cloud-based hosting model and the ease of accommodating increased customers or communication channels.</p> <h3>Integrations</h3> <p>Core integrations support major CRM platforms. Custom integrations are possible through an API.</p> <h3>Pricing</h3> <p>Costs range from $110 to $249 per user per month.</p> <p>NiCE CXone Mpower is most notable for AI-enhanced efficiency capabilities.</p> </section> <section class="section main-article-chapter" data-menu-title="14. RingCentral"> <h2 class="section-title"><i class="icon" data-icon="1"></i>14. RingCentral</h2> <p>Founded in 1999, RingCentral originally specialized in on-premises phone connectivity. Since then, it has expanded into a broad set of business communication and collaboration services, including a contact center platform. </p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>Mobile app for agents.</b> A mobile app allows agents to engage with customers from virtually any location.</li> <li><b>Collaboration.</b> Internal video calling, team messaging and file sharing help agents collaborate.</li> <li><b>Analytics.</b> RingCentral supports both real-time and historical reporting on agent performance and service levels.</li> </ul> <h3>Scalability</h3> <p>A cloud-based deployment model enables a high degree of scalability.</p> <h3>Integrations</h3> <p>RingCentral integrates with major CRM platforms as well as certain business productivity suites, such as Google Workspace.</p> <h3>Pricing</h3> <p>RingCentral's RingCX product features a Standard plan at $65 per user per month. The Professional plan is $95 per user per month, and the Elite plan is $145 per user per month. An enterprise package is also available.</p> <p>RingCentral is most notable for its agent <a href="https://www.techtarget.com/searchcustomerexperience/tip/7-reasons-why-businesses-need-mobile-apps">mobile app option</a>, collaboration features and scalability.</p> </section> <section class="section main-article-chapter" data-menu-title="15. Salesforce Service Cloud Contact Center"> <h2 class="section-title"><i class="icon" data-icon="1"></i>15. Salesforce Service Cloud Contact Center</h2> <p>Although Salesforce is best known for CRM, its Service Cloud platform includes a contact center offering to pull customer data into contact center engagements and tightly integrate with the Salesforce product ecosystem.</p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>AI features.</b> Using Salesforce's Einstein AI tools, Service Cloud uses AI to automate tasks like routing.</li> <li><b>Custom chatbots.</b> Businesses can also use Einstein AI to configure custom AI chatbots to serve as virtual agents.</li> <li><b>Knowledge management.</b> Built-in knowledge management capabilities aim to accelerate the rate at which agents can solve customer requests.</li> </ul> <h3>Scalability</h3> <p>Service Cloud can support businesses of all sizes, but it's geared especially toward large, enterprise-scale customers.</p> <h3>Integrations</h3> <p>Salesforce contact center integrates most tightly with other Salesforce products but also provides core integration with certain third-party platforms, such as Zendesk and HubSpot.</p> <h3>Pricing</h3> <p>Salesforce offers one pricing plan, at $150 per user per month, for its contact center software.</p> <p>The Salesforce contact center is most notable for enterprise-grade scalability and extensive Salesforce integrations.</p> </section> <section class="section main-article-chapter" data-menu-title="16. Talkdesk"> <h2 class="section-title"><i class="icon" data-icon="1"></i>16. Talkdesk</h2> <p>Talkdesk promotes its CX automation via its AI multi-agent workflows and AI-first <a href="https://www.techtarget.com/searchcustomerexperience/tip/5-customer-journey-phases-for-businesses-to-understand">customer journey</a>. Talkdesk also emphasizes its capabilities across several vertical industries. The product -- dubbed Customer Experience Automation, or CXA -- is known for its ease of use, intuitive interface and call routing capabilities.</p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>Virtual agents.</b> Talkdesk offers GenAI-powered virtual agents to automate customer interactions.</li> <li><b>No-code workflow management.</b> A visual interface enables workflow configuration and modifications.</li> <li><b>Hybrid cloud deployment option.</b> While Talkdesk can't run fully on-premises, a hybrid deployment model is available that allows businesses to route communications through on-prem telephony infrastructure, which can be advantageous from a privacy and compliance standpoint.</li> </ul> <h3>Scalability</h3> <p>A flexible deployment architecture enables a high degree of scalability, making Talkdesk appropriate for small businesses and large enterprises.</p> <h3>Integrations</h3> <p>Integrations focus mostly on CRM platforms, but Google Workspace is also supported, and a custom integration API is available.</p> <h3>Pricing</h3> <p>Costs range from $85 to $225 per user per month.</p> <p>Talkdesk is most notable for its feature-rich virtual agents and hybrid deployment option.</p> </section> <section class="section main-article-chapter" data-menu-title="17. Vonage Contact Center"> <h2 class="section-title"><i class="icon" data-icon="1"></i>17. Vonage Contact Center</h2> <p>Vonage Contact Center's natively built features, including AI-powered virtual assistants, rely on integrations with external platforms, particularly Salesforce, to power some of its capabilities and access customer data. Vonage also emphasizes <a target="_blank" href="https://www.vonage.com/resources/articles/video-contact-center/" rel="noopener">video-based customer engagement</a>.</p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>AI-based sentiment analysis.</b> Vonage uses AI to evaluate customer interactions across multiple channels, including voice, text and social media.</li> <li><b>Virtual agents.</b> AI also powers virtual agents, which businesses can configure to perform a range of custom tasks.</li> <li><b>Business continuity.</b> Vonage offers business continuity and disaster recovery features, such as emergency call routing options.</li> </ul> <h3>Scalability</h3> <p>Cloud-based deployment provides a high degree of scalability.</p> <h3>Integrations</h3> <p>Integrations focus mostly on CRM platforms, with an API available for custom integrations.</p> <h3>Pricing</h3> <p>Vonage does not list pricing information on its website specifically for its contact center plans, which include a Priority plan, Premium plan and add-on options. It offers volume-based API pricing with rates at $0.00809 per SMS and $0.01446 per minute for voice calls. Additional capabilities, like anti-fraud features and customer identification, cost extra.</p> <p>Vonage is most notable for omnichannel sentiment analysis, affordable volume-based pricing and business continuity features.</p> </section> <section class="section main-article-chapter" data-menu-title="18. Zendesk Contact Center"> <h2 class="section-title"><i class="icon" data-icon="1"></i>18. Zendesk Contact Center</h2> <p>Although primarily a CRM platform, Zendesk also provides a dedicated contact center offering. The company first entered the call center space in 2011, but it completed a major overhaul of its customer communications and engagement platform in 2025, which now features cutting-edge AI capabilities.</p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>AI-powered automation.</b> Zendesk contact center makes extensive use of AI to automate virtually all core tasks, from routing to agent response.</li> <li><b>Chatbots.</b> AI-powered chatbots can perform custom tasks.</li> <li><b>Knowledge management.</b> Native knowledge management tools assist agents in finding the information they need to address customer requests.</li> </ul> <h3>Scalability</h3> <p>Zendesk contact center can support businesses of all sizes, but it caters especially to midsize and enterprise organizations.</p> <h3>Integrations</h3> <p>Core integrations support other Zendesk products and other popular CRMs, including Salesforce and HubSpot, as well as communications platforms like Slack.</p> <h3>Pricing</h3> <p>Price plans start at $19 per user per month. The Suite Enterprise plan is $169 per user per month for enterprise-grade capabilities. Other plans are priced at $55 and $115 per user per month.</p> <p>Zendesk is most notable for its AI capabilities and a broad set of pricing options.</p> </section> <section class="section main-article-chapter" data-menu-title="19. Zoom Contact Center"> <h2 class="section-title"><i class="icon" data-icon="1"></i>19. Zoom Contact Center</h2> <p>Best known for its teleconferencing software, Zoom launched a contact center platform originally called Video Engagement Center and rebranded as Zoom Contact Center. The platform offers all core contact center software features with a focus on video-based customer meetings, while supporting other communications media over multiple channels.</p> <h3>Key features</h3> <ul type="disc" class="default-list"> <li><b>AI agent assist.</b> AI capabilities help guide human agents by suggesting actions and providing information during customer interactions.</li> <li><b>Virtual agents.</b> Fully independent, AI-powered agents are also available for engaging customers.</li> <li><b>Video support.</b> Zoom Contact Center supports customer engagement via video as well as more traditional channels.</li> </ul> <h3>Scalability</h3> <p>Zoom Contact Center provides a high degree of scalability due to its cloud-based deployment model, although its pricing plans are geared mainly toward midsize and larger organizations.</p> <h3>Integrations</h3> <p>Zoom Contact Center integrates with popular CRM platforms as well as other Zoom software.</p> <h3>Pricing</h3> <p>Pricing ranges from $69 to $149 per user per month.</p> <p>Zoom is most notable for its video calling support and AI capabilities that can assist human agents as well as power autonomous virtual agents.</p> <p>Clearly, the contact center market is crowded with many options for contact center buyers and C-suite decision-makers. Many of the platforms have similar and overlapping features, especially around AI capabilities, integrations with adjacent products and scalability performance. Contact center buyers need to evaluate these platforms carefully to find the right one for their organization.</p> <p><b>Editor's note:</b> <i>This article was updated to reflect recent developments in contact center platforms and the market in general.</i></p> <p><i>Chris Tozzi is an adjunct research adviser at IDC as well as an adviser for Fixate IO and a professor of IT and society at a polytechnic university in upstate New York.</i></p> </section> By now, many contact center software providers offer similar features. But large and small enterprises should consider some key differences among vendors. https://cdn.ttgtmedia.com/rms/onlineimages/chatbot_g1206801125.jpg https://www.techtarget.com/searchcustomerexperience/tip/Top-10-contact-center-platforms Thu, 05 Feb 2026 12:00:00 GMT Top 19 contact center platforms of 2026 <p>Cybersecurity teams must be mindful at all times of the current threats their organization faces. While it's impossible to thwart every threat, stopping as many as possible and quickly detecting when they occur are both critical for reducing damage.</p> <p>It is important to note that many cybersecurity incidents involve multiple types of threats. In a nutshell, a <i>security threat</i> is a malicious act that aims to corrupt or steal data or disrupt an organization's systems or the entire organization. A <i>security event</i> refers to an occurrence during which company data or its network might have been exposed. An event that results in a data or network breach is called a <i>security incident</i>.</p> <p>Here are 10 types of threats that cybersecurity teams should focus on.</p> <section class="section main-article-chapter" data-menu-title="1. Supply chain attacks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>1. Supply chain attacks</h2> <p>Supply chain attacks are challenging to identify because they usually involve a breach or other cybersecurity compromise affecting a trusted third party, such as a supplier, partner, contractor, vendor or service provider. In this attack, the third party does not realize it has been compromised and therefore spreads the threat to its customers, partners and vendors.</p> <p>For example, a vendor's software might accidentally be infected with malware during manufacturing, or bad actors might add malicious code that steals sensitive data from organizations using a service provider's offering. Another form of supply chain attack involves counterfeit products and legitimate products that have been tampered with after manufacturing and packaging.</p> <h3>How to prevent supply chain attacks</h3> <p>To prevent supply chain attacks, only work with trusted third-party vendors, service providers, partners and contractors. Perform <a href="https://www.techtarget.com/searchsecurity/tip/How-to-build-an-effective-third-party-risk-assessment-framework">third-party risk assessments</a>, conduct continuous vendor monitoring and keep an accurate inventory of all third parties and their dependencies.</p> <p>In addition, only purchase technology products and services from reputable manufacturers and vendors. Examine any physical technology purchases for anything suspicious, especially on product packaging or the product surface itself.</p> </section> <section class="section main-article-chapter" data-menu-title="2. Distributed denial-of-service attacks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>2. Distributed denial-of-service attacks</h2> <p><a href="https://www.techtarget.com/searchsecurity/definition/distributed-denial-of-service-attack">DDoS</a> attacks occur when thousands or millions of compromised devices simultaneously overwhelm a server, network or other target. The compromised devices are typically part of a botnet, enabling attackers to easily coordinate all devices in performing DDoS attacks. The goal of a DDoS attack is to disrupt the target's operations, preventing legitimate use of resources.</p> <h3>How to prevent DDoS attacks</h3> <p>Preventing DDoS attacks is a unique challenge. No matter how much capacity enterprise systems and networks have, a large DDoS attack can still clog them.</p> <p>Options for mitigating DDoS attacks include the following:</p> <ul type="disc" class="default-list"> <li>Partner with an MSP or other third party that specializes in DDoS attack monitoring and mitigation.</li> <li>Deploy and configure network security devices in front of systems and networks to <a href="https://www.techtarget.com/searchsecurity/feature/Implement-API-rate-limiting-to-reduce-attack-surfaces">enforce rate limiting</a> and stop traffic from known botnets.</li> <li>Design the organization's important applications with resilience in mind, such as duplicating key resources on other networks so that a DDoS attack against one network will not completely disrupt applications.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="3. Social engineering and phishing attacks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>3. Social engineering and phishing attacks</h2> <p>Social engineering comes in many forms, from someone pretending to be a delivery person in order to access a secure area to someone sending phishing emails, texts or other forms of messaging to deceive the recipient.</p> <p>The goal of phishing, the most popular form of social engineering, is to get the recipient to divulge credentials, bank information or other sensitive data, or to install malware on the recipient's device.</p> <h3>How to prevent social engineering and phishing attacks</h3> <p>Some social engineering and phishing attacks can be stopped only by the intended victims. This requires that individual users be trained on <a href="https://www.techtarget.com/searchsecurity/feature/How-to-avoid-phishing-hooks-A-checklist-for-your-end-users">how to identify attacks</a> and what to do if an attack occurs. For example, they'll need to scrutinize links and email attachments for anything suspicious.</p> <p>Many phishing attacks can be stopped through automated means, such as antispam and antimalware technologies, that are frequently updated with the latest threat intelligence. Some phishing attacks exploit software vulnerabilities, so keep all devices' software patched and up to date.</p> </section> <section class="section main-article-chapter" data-menu-title="4. Attacks through look-alike content"> <h2 class="section-title"><i class="icon" data-icon="1"></i>4. Attacks through look-alike content</h2> <p>Attackers often craft websites, social media accounts, advertisements and other online content to look just like the real thing. When visited, that content <a href="https://www.techtarget.com/searchsecurity/tip/10-common-types-of-malware-attacks-and-how-to-prevent-them">installs malware on users' computers</a>. Known as <i>drive-by download attacks</i>, users have no idea that anything bad has happened.</p> <h3>How to prevent attacks through look-alike content</h3> <p>Educate users on how to verify that URLs, social media accounts and other content are legitimate to prevent these attacks. Tell users not to click on advertisements from work devices.</p> <p>To stay on top of the latest threats, consider subscribing to near-real-time <a href="https://www.techtarget.com/searchsecurity/tip/Top-open-source-and-commercial-threat-intelligence-feeds">threat intelligence feeds</a>. These can be consumed by an organization's cybersecurity technologies to quickly stop access to look-alike content once others detect and report it. Organizations should also keep software patched and up to date to minimize the risk of malicious content exploiting vulnerabilities.</p> </section> <section class="section main-article-chapter" data-menu-title="5. Misinformation and disinformation"> <h2 class="section-title"><i class="icon" data-icon="1"></i>5. Misinformation and disinformation</h2> <p>Misinformation is incorrect information, while disinformation is intentional misinformation designed to trick people -- another form of social engineering. Whether information is accidentally or intentionally wrong, the effect is the same: it convinces people that false statements are true and often triggers them to act on those false statements.</p> <p>Misinformation and disinformation come in many forms. AI technologies are <a href="https://www.techtarget.com/searchsecurity/tip/Real-world-AI-voice-cloning-attack-A-red-teaming-case-study">now widely used to create deepfake audio and video</a> that often can't be distinguished from the real thing. Websites, emails and other content might also provide false instructions to users on how to improve security or functionality on their work computers. Rumors about the organization itself could also surface inside or outside the business.</p> <h3>How to prevent misinformation and disinformation</h3> <p>Misinformation and disinformation are often difficult to detect through automated means. Instead, rely on regularly scheduled <a href="https://www.techtarget.com/searchsecurity/definition/security-awareness-training">security awareness training</a> to teach employees how to spot misinformation and disinformation. Educate them on how to verify information pertaining to both internal and external matters. Also, provide a website where members of the public can verify the legitimacy of communications they receive from the organization, and provide a mechanism for the public to report misinformation and disinformation involving the organization.</p> </section> <section class="section main-article-chapter" data-menu-title="6. Credential compromise and account takeover"> <h2 class="section-title"><i class="icon" data-icon="1"></i>6. Credential compromise and account takeover</h2> <p>Passwords, ID badges and other credentials are obvious targets for attackers. Passwords can be acquired in many ways, including social engineering and phishing, watching someone enter a password on their phone, guessing a password -- known as <i>brute-force attacking</i> -- or reusing a previously compromised password that the person used for multiple accounts.</p> <p>Possessing a password enables an attacker, in many cases, to access and control the user account. This is known as an <i>account takeover</i>.</p> <h3>How to prevent credential compromise and account takeover</h3> <p>Avoid relying only on passwords for user authentication. Requiring MFA and switching from passwords to <a href="https://www.techtarget.com/searchsecurity/definition/passwordless-authentication">passwordless authentication</a> are two effective alternatives. If passwords are required, teach employees <a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-a-strong-passphrase-with-examples">how to create strong passphrases</a>, which are a more secure alternative to passwords.</p> <p>In addition, train users on how to safeguard their credentials and what to do if they think one of their credentials has been compromised. Another helpful measure is to use cybersecurity technologies that monitor authentication attempts. Use these tools to identify anomalies, such as the same user connecting to email from different geographic locations at the same time, which could indicate someone masquerading as the user.</p> </section> <section class="section main-article-chapter" data-menu-title="7. Ransomware"> <h2 class="section-title"><i class="icon" data-icon="1"></i>7. Ransomware</h2> <p>Ransomware uses encryption to make computers or files inaccessible or extortion to get victims to pay a ransom to get their stolen data back. While most ransomware attacks result from phishing or other forms of social engineering, some ransomware campaigns target exploitable software vulnerabilities.</p> <h3>How to prevent ransomware</h3> <p>Train users to avoid social engineering attacks, and teach them <a href="https://www.techtarget.com/searchsecurity/tip/How-to-effectively-respond-to-a-ransomware-attack">what to do if a ransomware infection occurs</a>. Seconds can make a difference between a single computer being infected and an infection spreading throughout an organization.</p> <p>To minimize vulnerabilities that ransomware can exploit, organizations should keep all software current with the latest patches and updates. It's also critical to use antimalware technologies that detect and stop ransomware, along with cyberthreat intelligence feeds that provide near-real-time updates on the latest ransomware threats.</p> </section> <section class="section main-article-chapter" data-menu-title="8. Persistence threats"> <h2 class="section-title"><i class="icon" data-icon="1"></i>8. Persistence threats</h2> <p>Persistence refers to an attacker's ability to gain and then maintain access to a system without being detected. Known as <i>advanced persistent threats</i> (<a href="https://www.techtarget.com/searchsecurity/definition/advanced-persistent-threat-APT">APTs</a>), attackers can persist unnoticed in compromised systems for days, weeks or months. During this time, they could access and exfiltrate sensitive data, compromise additional systems and monitor conditions until they are ready to launch a more devastating attack.</p> <h3>How to prevent persistence</h3> <p>Use firewalls and other network security tools, along with threat intelligence feeds, to block access to and from known malicious domains, IP addresses and websites. This denies APTs by disrupting the command-and-control channels they rely upon.</p> <p>Monitor network traffic to look for signs of unauthorized access to internal systems. Use antimalware and antiphishing technologies to detect and stop attacks in transit. Also, scan the organization's devices regularly for signs of bots, exploit kits and other attack tools. Act swiftly whenever any such unauthorized tools are detected.</p> </section> <section class="section main-article-chapter" data-menu-title="9. Insider threats"> <h2 class="section-title"><i class="icon" data-icon="1"></i>9. Insider threats</h2> <p>An insider threat is when an employee, contractor or other person within an organization misuses their technology privileges in ways that violate and harm the organization's cybersecurity. For example, an employee emailing sensitive data to external email addresses for the purposes of selling the data. A more complex example is two employees in different roles colluding to steal from the organization.</p> <h3>How to prevent insider threats</h3> <p>Follow the <a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP">principle of least privilege</a> to ensure each user has the minimal access needed to do their job. Train all users, including contractors and vendors, on acceptable use policies and the potential consequences of violating them. Monitor all user activity for signs of suspicious behavior. Promptly investigate potentially malicious behavior.</p> </section> <section class="section main-article-chapter" data-menu-title="10. Accidental data leaks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>10. Accidental data leaks</h2> <p>Accidental data leaks occur when an organization's sensitive data is inadvertently made available to unauthorized parties or systems. Examples include choosing the wrong recipient for an email, uploading the wrong file to a website or shared storage, or posting data for public access that has not yet been approved for release.</p> <p>Data leaks can also occur when old or broken technologies are disposed of without first sanitizing or physically destroying their data storage. Printouts are also mechanisms for data leaks.</p> <h3>How to prevent accidental data leaks</h3> <p>Teach users to double-check recipients, attachments and other components of emails and other messages before sending them. Use <a href="https://www.techtarget.com/searchsecurity/tip/Top-7-data-loss-prevention-tools">data loss prevention technologies</a> to examine outbound emails and other applications for potential signs of data leaks. Carefully control physical access to printed sensitive data so that printouts are not left unattended and are shredded when no longer needed.</p> <p><i>Karen Kent is the co-founder of Trusted Cyber Annex. She provides cybersecurity research and publication services to organizations and was formerly a senior computer scientist for NIST.</i></p> <p> </p> </section> Know thine enemy -- and the common security threats that can bring an unprepared organization to its knees. Learn what these threats are and how to prevent them. https://cdn.ttgtmedia.com/rms/onlineimages/security_a303249453.jpg https://www.techtarget.com/searchsecurity/feature/Top-10-types-of-information-security-threats-for-IT-teams Thu, 05 Feb 2026 09:00:00 GMT 10 types of information security threats for IT teams <p>Cybersecurity threat intelligence feeds play an important role in security. They detail current attacks and their sources. These characteristics, better known as <a href="https://www.techtarget.com/searchsecurity/definition/Indicators-of-Compromise-IOC">indicators of compromise</a>, include, among other factors, IP addresses, domain names, URLs, email addresses, malware file hashes and filenames.</p> <p>Security teams use this information to improve how quickly and accurately they can <a href="https://www.techtarget.com/searchsecurity/tip/6-common-types-of-cyber-attacks-and-how-to-prevent-them">detect potential attacks</a> and to better estimate the severity of an incursion. This helps prioritize the organization's response strategy -- especially automated responses.</p> <p>A wide variety of cybersecurity tools -- among them firewalls, SIEM, security orchestration, automation and response and endpoint detection and response technologies -- consume machine-readable threat intelligence feeds. Organizations also use integrated threat intelligence platforms that bring together multiple feeds to provide machine-readable data that is prioritized, actionable and accurate.</p> <p>Let's take a closer look at cybersecurity threat intelligence feeds and highlight some leading options -- both open source and commercial.</p> <section class="section main-article-chapter" data-menu-title="Criteria for feed evaluation"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Criteria for feed evaluation</h2> <p>Every threat intelligence feed is different. While some feeds contain similar information, other feeds contain much different data or only target specialized subsets, such as <a href="https://www.techtarget.com/searchsecurity/feature/How-to-avoid-phishing-hooks-A-checklist-for-your-end-users">phishing-related</a> data. As CISOs and their security teams evaluate potential feeds for their organization, consider the following:</p> <ul class="default-list"> <li>How current is the feed? How often is it updated? How often is outdated information expunged?</li> <li>How detailed is the information in the feed? For example, is it just IP addresses, or does it also indicate the types of activity associated with each IP address? Generally, it's better to have more detailed information available.</li> <li>How accurate is the feed in terms of false positives? And how comprehensive is the feed? These two questions might be impossible to answer precisely, but it should be possible to get a general sense for how it compares to other feeds by speaking to other organizations already using them.</li> <li>How credible is the feed? What sources does the feed use? What verification or vetting is done on the information submitted to the feed maintainer?</li> <li>How relevant is the information in the feed to the organization? For example, some feeds are particular to a sector or a geographic location.</li> <li>How usable is the feed's format? Does it follow a standard, such as Structured Threat Information eXpression (<a href="https://www.techtarget.com/searchsecurity/definition/STIX-Structured-Threat-Information-eXpression">STIX</a>) or Open Indicators of Compromise (OpenIOC)?</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Examples of open source feeds"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Examples of open source feeds</h2> <p>Open source feeds, also known as OSINT, are typically compiled from security researchers, service providers and other operational personnel who observe attack activity and voluntarily document and report it.</p> <p>Open source feeds have their role, but they lack the financial and organizational resources of commercial feeds. As a result, many security teams use both open source and commercial feeds to improve their attack detection accuracy and speed.</p> <h3>abuse.ch</h3> <p><a target="_blank" href="https://abuse.ch" rel="noopener">Abuse.ch</a> is a community effort in partnership with Spamhaus, a nonprofit internet security organization, that encompasses a reported 15,000 security researchers. It hosts several separate databases and repositories with attack-related information. These include the following:</p> <ul class="default-list"> <li>MalwareBazaar, a sample of malware. Teams use MalwareBazaar's API to import information on the latest malware threats into their detection technologies.</li> <li>SSL Blacklist, which lists SSL certificates associated with botnets.</li> <li>ThreatFox, which offers an API through which teams can browse or access malware IOCs.</li> <li>URLhaus, which contains URLs used for distributing malware. The URLs can be browsed or fed into organizational systems from an API.</li> </ul> <h3>LevelBlue's Open Threat Exchange</h3> <p><a target="_blank" href="https://otx.alienvault.com/" rel="noopener">LevelBlue's OTX</a>, which succeeded AlienVault, is available for free with a basic registration. It claims a user base of more than 200,000 and a database of more than 20 million IOCs, submitted every day.</p> <p>Teams can integrate LevelBlue's OTX feed with their security technologies through an API, STIX, TAXII, and an SDK. LevelBlue also fosters discussion and sharing of threat data and related observations among OTX users.</p> <h3>The Shadowserver Foundation</h3> <p><a target="_blank" href="https://www.shadowserver.org/" rel="noopener">The Shadowserver Foundation</a> is a nonprofit organization that collects data on malware, IP addresses, SSL certificates and other IOCs. This data is shared with thousands of verified network owners every day through <a target="_blank" href="https://www.shadowserver.org/what-we-do/network-reporting/" rel="noopener">reports</a>. Teams can also use APIs to process the reports as a machine-readable threat intelligence feed.</p> </section> <section class="section main-article-chapter" data-menu-title="Examples of commercial feeds"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Examples of commercial feeds</h2> <p>Vendors of commercial cybersecurity threat intelligence feeds charge subscription fees. The primary advantage of commercial feeds over open source feeds is the dedicated human and automated resources that commercial feed vendors have for analyzing and enriching IOC data.</p> <h3>CrowdStrike Falcon Adversary Intelligence</h3> <p><a target="_blank" href="https://www.crowdstrike.com/en-us/platform/threat-intelligence/adversary-intelligence/" rel="noopener">CrowdStrike Falcon Adversary Intelligence</a> provides a variety of threat intelligence-related features that can be integrated with a company's existing detection technologies. Capabilities include a sandbox for evaluating malware, dark web activity monitoring and an IOC threat intelligence feed.</p> <p>Premium features include YARA and Snort detection rule support and access to threat hunting libraries and special threat reports.</p> <h3>ESET's Global Threat Intelligence</h3> <p><a target="_blank" href="https://www.eset.com/us/business/services/threat-intelligence/" rel="noopener">ESET's Global Threat Intelligence</a> features many real-time IOC feeds in JSON and STIX formats. Feeds include the following:</p> <ul class="default-list"> <li><b>Malicious data feed.</b> Malware samples and IOCs.</li> <li><b>Ransomware feed.</b> Ransomware and ransomware family IOCs.</li> <li><b>Botnet feed.</b> Botnet IOCs with subfeeds for the botnet participants, the command-and-control structure and the botnet targets.</li> <li><b>APT IOC.</b> Advanced persistent threat IOCs.</li> <li><b>Domain feed, URL feed and IP feed.</b></li> </ul> <p>Additional feeds pertain to particular types of threats, including Android infostealers and other Android threats, scam URLs, crypto scams, malicious email attachments, phishing URLs, SMS phishing domains and SMS scams.</p> <h3>FalconFeeds.io</h3> <p><a target="_blank" href="https://falconfeeds.io/threat-intelligence-pipeline" rel="noopener">FalconFeeds.io</a> brings together dark web, deep web and open web intelligence. Teams can integrate the feed with their detection technologies through an API. It has three subscription tiers:</p> <ul class="default-list"> <li><b>Researcher.</b> Gives an individual researcher access to a subset of the full features for 14 days.</li> <li><b>Business.</b> Provides year-round, API-based feed access for an organization, along with a variety of integration and alerting capabilities.</li> <li><b>Enterprise.</b> Expands on the Business tier by adding webhook integration and increasing the number of credits for API access.</li> </ul> <h3>GreyNoise</h3> <p>GreyNoise provides <a target="_blank" href="https://www.greynoise.io/products/block-pricing" rel="noopener">real-time IP address blocklists</a> for firewalls and other network infrastructure and network security technologies to ingest and use. It includes a set of predefined blocklists for addresses attacking several security vendors and their products, addresses sending traffic from certain countries, all addresses recently generating suspicious network traffic and addresses observed exploiting vulnerabilities or participating in botnets.</p> <p>Two options are available. GreyNoise Block is intended for smaller organizations; the full GreyNoise platform is geared to larger ones.</p> <h3>OpenPhish</h3> <p>OpenPhish specializes in phishing IOC threat intelligence data. It offers <a target="_blank" href="https://openphish.com/phishing_feeds.html" rel="noopener">three tiers</a>. The Community tier is free, but is only updated twice daily and contains only a subset of phishing URLs. The Premium and Platinum tiers offer comprehensive phishing URLs, phishing IP addresses, SSL metadata and permission for organizations to reuse the data for commercial purposes.</p> <p><i>Karen Kent is the co-founder of Trusted Cyber Annex. She provides cybersecurity research and publication services to organizations and was formerly a senior computer scientist for NIST.</i></p> </section> Cybersecurity threat intelligence feeds provide critical data on attacks, including IPs, domains and malware hashes, helping teams detect and respond to threats effectively. https://cdn.ttgtmedia.com/rms/onlineimages/ai_g1183318665.jpg https://www.techtarget.com/searchsecurity/tip/Top-open-source-and-commercial-threat-intelligence-feeds Wed, 04 Feb 2026 13:28:00 GMT Top open source and commercial threat intelligence feeds <p>The ever-evolving threat landscape looks particularly ominous to security executives scanning the 2026 horizon.</p> <p>CISOs and their teams are bracing for more sophisticated, challenging and targeted <a href="https://www.techtarget.com/searchsecurity/feature/AI-powered-attacks-What-CISOSs-need-to-know-now">AI-enabled cyberattacks</a>. They're anticipating more geopolitically motivated attacks. And they're seeing their organizations' attack surfaces grow in size and complexity, making them harder to defend.</p> <p>Against that backdrop, CEOs <a target="_blank" href="https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2026.pdf" rel="noopener">told</a> the World Economic Forum for its "Global Cybersecurity Outlook 2026" January report that they were most concerned about <a href="https://www.techtarget.com/searchsecurity/tip/Generative-AI-is-making-phishing-attacks-more-dangerous">cyber-enabled fraud and phishing</a> and AI vulnerabilities, while CISOs reported being most concerned with ransomware attacks and supply chain disruptions.</p> <p>These worries are prompting a 2026 security technologies spending boom as organizations work to reinforce their defenses. Precedence Research, for example, reported that the global cybersecurity market will hit $339.96 billion in 2026, a 12% increase from 2025. By 2034, security spending will eclipse $875 billion, more than double 2026 expenditures, the company said.</p> <p>The projected increase in spending is attributed to several factors, including existing and evolving threats, data privacy regulations, digital transformation, data breaches, privacy issues and more.</p> <p>So, which technologies will help CISOs and their teams counter these challenges and defend their networks? Security practitioners require a range of technologies to get the job done in 2026, including the following.</p> <section class="section main-article-chapter" data-menu-title="1. AI-enabled security"> <h2 class="section-title"><i class="icon" data-icon="1"></i>1. AI-enabled security</h2> <p>AI<b>-</b>based security tools are viewed as the only way enterprises can keep pace with bad actors using AI to craft attacks.</p> <p>"AI is being used effectively as a defense tool, and that's going to be useful to improve the resiliency of the organization," said Katrina Rosseini, a cybersecurity expert whose professional roles include serving as executive board chair for the Civilian Reserve Information Sharing and Analysis Center.</p> <p>Many enterprise security products already boast machine learning, behavioral analytics and first-gen AI, but vendors are now using more powerful AI capabilities to further improve the accuracy and skillfulness of their products. For example, AI capabilities are now found in numerous enterprise security products and platforms, including <a href="https://www.techtarget.com/searchsecurity/feature/How-AI-threat-detection-is-transforming-enterprise-cybersecurity">threat detection tools</a>, endpoint protection software, vulnerability management software, and security orchestration, automation and response (SOAR) platforms.</p> </section> <section class="section main-article-chapter" data-menu-title="2. Identity and access management"> <h2 class="section-title"><i class="icon" data-icon="1"></i>2. Identity and access management</h2> <p><a href="https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system">IAM</a> has become an even more critical technology in today's security environment, according to Damon McDougald, global security services lead at professional services firm Accenture.</p> <p>IAM helps enterprises verify that only authorized users -- both human and machine -- can access systems and resources. "IAM is going to be a cornerstone of security as organizations move into the agentic AI realities of today and tomorrow," he said.</p> </section> <section class="section main-article-chapter" data-menu-title="3. Continuous monitoring and remediation"> <h2 class="section-title"><i class="icon" data-icon="1"></i>3. Continuous monitoring and remediation</h2> <p>Cyberattacks never stop, and the amount of time between an attacker's infiltration and exploitation continues to shrink. That makes point-in-time scans and tests -- checks at specific times to take a snapshot of the environment at that moment -- increasingly invaluable, said Kris Lovejoy, global head of strategy at Kyndryl, an IT infrastructure services provider. Organizations, she said, need tools that continuously monitor, diagnose and remediate so cybersecurity teams can "create a cycle between identifying problems and implementing solutions that gets a lot shorter."</p> <p>This tech capability is found in various types of security software and systems, including endpoint detection and response (EDR), cloud-native application protection platforms, vulnerability management software, third-party risk management software and external attack surface management software.</p> </section> <section class="section main-article-chapter" data-menu-title="4. Threat intelligence platforms"> <h2 class="section-title"><i class="icon" data-icon="1"></i>4. Threat intelligence platforms</h2> <p>Demand for threat intelligence platforms -- which comb through various sources to collect, analyze, and operationalize data on known and emerging threats -- is rising as enterprises struggle with an increasing number of adversary tactics and alert volumes.</p> <p>These platforms turn raw data coming from numerous feeds into actionable insights that security teams can use to proactively detect and identify malicious activity with greater speed and precision.</p> </section> <section class="section main-article-chapter" data-menu-title="5. Unified intelligence platforms"> <h2 class="section-title"><i class="icon" data-icon="1"></i>5. Unified intelligence platforms</h2> <p>Similar to threat intelligence platforms, unified intelligence platforms collect and aggregate data from disparate sources, including ERPs, CRMs and endpoint devices, to provide security teams with a single, real-time view of operations. These tools also have data management, analytics and AI capabilities that support security teams as they review, prioritize and act on generated information.</p> <p>According to Virginia Romero, global delivery lead of incident response at cybersecurity and intelligence firm S-RM, the technology helps security teams "understand the IT environment holistically" and eliminate blind spots that attackers can more readily exploit.</p> </section> <section class="section main-article-chapter" data-menu-title="6. Quantum-safe protocols and post-quantum cryptography"> <h2 class="section-title"><i class="icon" data-icon="1"></i>6. Quantum-safe protocols and post-quantum cryptography</h2> <p>Quantum computing might not be here yet, but CISOs need to prepare now by adopting <a href="https://www.techtarget.com/searchsecurity/feature/How-to-prepare-for-post-quantum-computing-security">quantum-safe protocols and post-quantum cryptography</a>, said Josh Schmidt, a partner in the advisory practice at professional services firm BPM. Post-quantum cryptography will be required to protect data from quantum computers able to break today's widely used encryption methods.</p> <p>"There are quantum-safe protocols and algorithms that have been developed and need to be put in place," he said. "Starting now and over the next three to four years, organizations need to be implementing these technologies so when quantum arrives, they don't have a problem."</p> </section> <section class="section main-article-chapter" data-menu-title="7. Secure access service edge"> <h2 class="section-title"><i class="icon" data-icon="1"></i>7. Secure access service edge</h2> <p><a href="https://www.techtarget.com/searchnetworking/definition/Secure-Access-Service-Edge-SASE">SASE</a> is a cloud-based architecture that unifies a variety of network and cloud-native security technologies into a single cloud service.</p> <p>Organizations can no longer rely on legacy defenses, such as firewalls, to secure their perimeters. That's because organizations no longer have a perimeter in this hyperconnected era. Yet, they still need defenses along their edge. That's where SASE comes in.</p> <p>According to tech company Xalient, the SASE market will more than triple by 2033, growing to $33.54 billion from $9.27 billion in 2025.</p> </section> <section class="section main-article-chapter" data-menu-title="8. Products that enable zero trust"> <h2 class="section-title"><i class="icon" data-icon="1"></i>8. Products that enable zero trust</h2> <p><a href="https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network">Zero trust</a> is what the name implies: The approach denies trust to entities trying to access systems or data until they prove who or what they claim to be and that they are doing the work they're authorized to do.</p> <p>"We're going to see a lot more focus on architecting and engineering zero-trust principles in our network and identity frameworks so that we have better overall defense against AI-automated attacks," Kyndryl's Lovejoy said.</p> </section> <section class="section main-article-chapter" data-menu-title="9. Shadow AI detection tools"> <h2 class="section-title"><i class="icon" data-icon="1"></i>9. Shadow AI detection tools</h2> <p>Shadow AI can -- and often does -- expose protected and sensitive data. That's a significant concern, especially because eight out of 10 workers already use unauthorized AI tools, according to a <a target="_blank" href="https://content.upguard.com/hubfs/resources/The-State-Of-Shadow-AI-Report-2025.pdf" rel="noopener">survey</a> from security company UpGuard.</p> <p>The use of unsanctioned AI products might help employees get work done, but it also increases risk. These risks make <a href="https://www.techtarget.com/searchsecurity/tip/Shadow-AI-poses-new-generation-of-threats-to-enterprise-IT">shadow AI detection</a> tools a must, said BPM's Schmidt.</p> </section> <section class="section main-article-chapter" data-menu-title="10. Longstanding foundational security capabilities"> <h2 class="section-title"><i class="icon" data-icon="1"></i>10. Longstanding foundational security capabilities</h2> <p>CISOs and their teams must be flawless at the fundamentals even as new security tools come to market, new threats emerge and new best practices take hold.</p> <p>Legacy tools will continue to play a key role, Lovejoy said. Among them are vulnerability and patch management, SOAR, SIEM and EDR. Even with the rollout of advanced security technologies in 2026, she said, "the reality is that security still has to be great at security basics."</p> <p><i>Mary K. Pratt is an award-winning freelance journalist with a focus on covering enterprise IT and cybersecurity management.</i></p> </section> Discover the top security technologies for 2026, from AI-enabled tools to quantum-safe protocols, as CISOs brace for evolving cyberthreats and attack surfaces. https://cdn.ttgtmedia.com/rms/onlineimages/security_a218339023.jpg https://www.techtarget.com/searchsecurity/feature/Must-have-security-technologies Mon, 02 Feb 2026 17:54:00 GMT 10 must-have security technologies in 2026 <p>In 2019, CISO Omar Khawaja set out to transform the compliance-driven security culture at Highmark Health -- a nonprofit healthcare company based in Pittsburgh -- to one focused on business outcomes and risk.</p> <p>Khawaja turned to the <a href="https://www.techtarget.com/searchsecurity/tip/Using-the-FAIR-model-to-quantify-cyber-risk">Factor Analysis of Information Risk</a> (FAIR) methodology, a mathematics-based framework for <a href="https://www.techtarget.com/searchSecurity/tip/What-is-cyber-risk-quantification-CRQ-How-to-get-it-right">cyber-risk quantification (CRQ)</a> developed by the nonprofit FAIR Institute. Users run data through the model's mathematical algorithms to calculate the potential financial implications of specific risk scenarios. Executives can then use that information to make decisions, such as prioritizing threat remediations and determining whether security controls are justified.</p> <p>FAIR struck Khawaja as the "Goldilocks of risk frameworks" -- substantive without being overengineered, overly complex or too academic. "It was practical, and it gave us [at Highmark] a common language on risk," he said.</p> <section class="section main-article-chapter" data-menu-title="From gut instinct to data-driven decisions at Highmark Health"> <h2 class="section-title"><i class="icon" data-icon="1"></i>From gut instinct to data-driven decisions at Highmark Health</h2> <p>After securing stakeholder support and identifying and gathering necessary data inputs, Khawaja's team used a spreadsheet to calculate and track financial loss exposures across specific risk scenarios. The model enabled him to make data-driven decisions rather than relying on instinct.</p> <p>"In many organizations, security decisions are made from the CISO's gut, which is honed by years or decades of experience," said Khawaja, now field CISO at Databricks, a data intelligence services provider, and a FAIR Institute board member. "FAIR gives us a more sophisticated view: 'Here's what may likely happen, and we'll show you all the math and analysis behind it.'"</p> <p>That was especially helpful when determining if a business initiative was worth pursuing, he added. "We'd calculate the cyber-risk on a yearly basis. If the risk is less than the [anticipated return], then it's a good idea."</p> <p>FAIR analyses also informed security tool buying decisions and helped Khawaja <a href="https://www.techtarget.com/searchsecurity/tip/How-to-craft-cyber-risk-statements-that-work-with-examples">translate cyber-risk issues into terms</a> that top executives understood. "We could actually have a conversation, which the business really appreciates and respects," he said.  </p> <p>Finally, in eliminating the qualitative labels security teams have traditionally ascribed to risk -- e.g., red, yellow and green or high, medium and low -- FAIR also enabled Highmark's team to evaluate risk at scale. "It reduced the time and effort needed to make decisions," Khawaja said. "It made us more efficient and effective, and it reduced the pain."</p> </section> <section class="section main-article-chapter" data-menu-title="Hurdles to FAIR adoption"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Hurdles to FAIR adoption</h2> <p><a href="https://www.techtarget.com/searchsecurity/tip/Cyber-risk-quantification-challenges-and-tools-that-can-help">Quantifying cyber-risk is not without its challenges</a>, however. Khawaja said it took him and his team time to learn FAIR and to persuade the organization that it was a valuable tool.</p> <p>"You find a lot of friction happens when onboarding FAIR," said Jack Freund, head of technology risk at Acrisure, a member of the <a target="_blank" href="https://www.isaca.org/resources/it-risk" rel="noopener">ISACA IT Risk Committee</a> and co-author of the book,<i> Measuring and Managing Information Risk: A FAIR Approach.</i> Adoption, he added, requires significant education, training and data gathering, plus some understanding of statistics and a willingness to consider probabilistic -- rather than deterministic -- answers.</p> <p>"There is a skills and training hump that people have to get over," agreed Ryan Patrick, executive vice president at HITRUST, which provides information risk management and compliance assessments and certifications. "It also takes a cultural change, and like anything else in business, if senior leadership isn't making this a priority or driving the change, then it's doomed to failure."</p> </section> <section class="section main-article-chapter" data-menu-title="Slowly and steadily scaling CRQ at Netflix"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Slowly and steadily scaling CRQ at Netflix</h2> <p>When Tony Martin-Vegue launched FAIR at Netflix, where he was an information security risk engineer from 2019 to 2025, he had the advantage of strong executive support. Senior managers were unhappy that the data-driven streaming giant still relied on qualitative measurements -- red, yellow or green -- when it came to <a href="https://www.techtarget.com/searchsecurity/tip/Enterprise-risk-management-should-inform-cyber-risk-strategies">cyber-risk</a>.  </p> <p>"When you have such a huge company and so many technical risks, bucketing into three categories doesn't really help you," said Martin-Vegue, now a security risk consultant and the author of <i>Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification</i>. "The C-suite wanted better decision-making capabilities."</p> <p>Despite having buy-in from Netflix's senior leadership, Martin-Vegue started slowly, aiming to ease the organization into CRQ. His team began with a single risk assessment, using a spreadsheet and the FAIR model for measurements, analysis and quantification.</p> <p>"You can't walk in and say 'We're using FAIR now.' It's too much of a leap to ask people to do that," Martin-Vegue said. But, he added, by the time they had completed 15 assessments, everyone on the information security team understood how to consume cyber-risk data and interpret FAIR results.</p> <p>The gradual rollout generated organic internal demand, as security and business leaders witnessed the benefits of having a rigorous, data-driven CRQ program to inform decision-making.</p> <p>Netflix's FAIR program expanded accordingly, said Martin-Vegue, with additional investments in staff and technology. Risk analysis became continuous, reflecting ongoing changes in business conditions, the IT environment, the threat landscape and security controls. Ultimately, CRQ became embedded across Netflix's daily security operations, as well as board-level governance and <a href="https://www.techtarget.com/searchsecurity/tip/Cybersecurity-budget-justification-A-guide-for-CISOs">budgeting decisions</a>.</p> <p><i>Mary K. Pratt is an award-winning freelance journalist with a focus on covering enterprise IT and cybersecurity management.</i></p> </section> Show me the money: In these case studies, learn how the FAIR model helped a nonprofit healthcare company and a streaming giant quantify cyber-risk in financial terms. https://cdn.ttgtmedia.com/rms/onlineimages/maze_g1289937803.jpg https://www.techtarget.com/searchsecurity/feature/Quantifying-cyber-risk-at-Netflix-Highmark-Health-Case-studies Fri, 30 Jan 2026 23:30:00 GMT Quantifying cyber-risk at Netflix, Highmark Health: Case studies <p>More than 48,000 Common Vulnerabilities and Exposures were tracked in the CVE database in 2025, up approximately 20% from 2024 and 66% from 2023. If these trends continue, the number of CVEs in 2026 could reach anywhere from 57,600 to 79,680.</p> <p>According to research from penetration testing services provider DeepStrike, attackers in 2025 exploited 28% of vulnerabilities within one day of their CVE disclosure. For context, it took an average of 30 days in 2020.</p> <p>Granted, not all CVEs are high severity, and not all will be exploitable -- or <a href="https://www.techtarget.com/searchsecurity/tip/5-enterprise-patch-management-best-practices">require patching</a> -- in every organization. It is still important for security and IT teams to stay abreast of new vulnerabilities -- especially critical ones -- including those highlighted in this week's featured news.</p> <section class="section main-article-chapter" data-menu-title="More critical vulnerabilities in n8n workflow automation platform exposed"> <h2 class="section-title"><i class="icon" data-icon="1"></i>More critical vulnerabilities in n8n workflow automation platform exposed</h2> <p>Researchers at JFrog have identified two critical vulnerabilities in n8n, a <a href="https://www.techtarget.com/searchapparchitecture/opinion/Low-code-tool-n8n-bridges-gap-between-AI-models-and-business">popular low-code workflow automation platform</a> used to integrate large language models into business processes. The news comes on the heels of a separate critical vulnerability that <a target="_blank" href="https://www.cybersecuritydive.com/news/critical-vulnerability-n8n-automation-platform/809360/" rel="noopener">Cyera researchers found in late 2025</a>.</p> <p>The flaws, CVE-2026-1470 (severity 9.9) and CVE-2026-0863 (severity 8.5), enable attackers to bypass security controls, execute arbitrary code and gain full control over n8n services, and access credentials, API keys and other sensitive data.</p> <p>These vulnerabilities affect both cloud and unpatched self-hosted deployments. Organizations are urged to update to patched versions and implement strong security measures.</p> <p><a target="_blank" href="https://www.darkreading.com/vulnerabilities-threats/critical-flaws-n8n-compromise-customer-security" rel="noopener"><i>Read the full article by Jai Vijayan on Dark Reading</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Critical Fortinet FortiCloud single sign-on vulnerability exploited"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Critical Fortinet FortiCloud single sign-on vulnerability exploited</h2> <p>Federal authorities and researchers are warning about CVE-2026-24858, a critical vulnerability in Fortinet FortiCloud SSO that enables attackers with registered devices and accounts to access other users' devices.</p> <p>Exploitation involves malicious activities, such as altering firewall configurations, creating unauthorized accounts and enabling VPN access for persistence.</p> <p>Previous patches for related flaws -- CVE-2025-59718 and CVE-2025-59719 -- do not protect against the current vulnerability.</p> <p>Fortinet disabled FortiCloud SSO temporarily and advised users to upgrade to secure versions. Arctic Wolf researchers observed automated attacks involving rapid configuration changes and data exfiltration. Shadowserver reported 10,000 vulnerable instances, emphasizing the urgency for users to patch and secure affected systems.</p> <p><a target="_blank" href="https://www.cybersecuritydive.com/news/cisa-researchers-warn-forticloud-flaw-attack/810861/" rel="noopener"><i>Read the full article by David Jones on Cybersecurity Dive</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="WinRAR vulnerability exploited by threat actors"> <h2 class="section-title"><i class="icon" data-icon="1"></i>WinRAR vulnerability exploited by threat actors</h2> <p>Threat actors, including state-sponsored groups, are actively exploiting CVE-2025-8088, a high-severity path traversal vulnerability in file-archiving software WinRAR, despite a patch released in July 2025.</p> <p>The flaw enables attackers to execute arbitrary code via malicious archive files, posing significant risks to SMBs and professionals handling compressed files.</p> <p>WinRAR's widespread use and lack of regular updates make it an attractive target for attackers. Exploitation involves hiding malicious payloads in Alternate Data Streams within archives, enabling persistence on systems. Google and security experts have urged users to update WinRAR immediately to mitigate risks and reduce exposure to ongoing targeted attacks.</p> <p><a target="_blank" href="https://www.darkreading.com/application-security/months-after-patch-winrar-bug-poised-smbs-hardest" rel="noopener"><i>Read the full article by Alexander Culafi on Dark Reading</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Critical Telnet vulnerability exploited by threat actors"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Critical Telnet vulnerability exploited by threat actors</h2> <p>A critical authentication bypass flaw in the GNU InetUtils telnetd server, tracked as CVE-2026-24061, has resurfaced as a major threat, affecting hundreds of thousands of telnet servers globally. Despite being addressed in version 2.8 of InetUtils, the flaw, introduced in 2015, remains easy to exploit, granting attackers full device control.</p> <p><a href="https://www.techtarget.com/searchnetworking/definition/Telnet">Telnet</a>, an outdated and insecure protocol, is still widely used in legacy systems and IoT devices, with an estimated 800,000 instances exposed worldwide. Experts warned of delayed patch rollouts and recommended disabling telnet servers, restricting access and segmenting high-risk devices to mitigate risks.</p> <p><a target="_blank" href="https://www.darkreading.com/ics-ot-security/critical-telnet-server-flaw-forgotten-attack-surface" rel="noopener"><i>Read the full article by Rob Wright on Dark Reading</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Microsoft patches actively exploited Office zero-day vulnerability"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Microsoft patches actively exploited Office zero-day vulnerability</h2> <p>Microsoft has released an emergency patch for CVE-2026-21509, a zero-day vulnerability in Microsoft Office and Microsoft 365 that attackers are actively exploiting. Rated CVSS 7.8, the flaw enables attackers to bypass security controls and execute arbitrary code, potentially compromising system confidentiality, integrity and availability.</p> <p>Exploitation requires user interaction, such as opening a malicious Office file. CISA has mandated federal agencies to patch the vulnerability by February 16. While Office 2021 users are protected, Office 2016 and 2019 users must install updates. Experts warned that the flaw is likely being used in advanced, targeted attacks, and emphasized the importance of immediate patching.</p> <p><a target="_blank" href="https://www.darkreading.com/vulnerabilities-threats/microsoft-rushes-emergency-patch-office-zero-day" rel="noopener"><i>Read the full article by Jai Vijayan on Dark Reading</i></a><i>.</i></p> <p><b>Editor's note:</b> <i>An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.</i></p> <p><em>Sharon Shea is executive editor of TechTarget Security.</em></p> </section> Check out the latest security news from the Informa TechTarget team. https://cdn.ttgtmedia.com/rms/onlineimages/code_g1133924836.jpg https://www.techtarget.com/searchsecurity/news/366638312/News-brief-Patch-critical-and-high-severity-vulnerabilities-now Fri, 30 Jan 2026 17:15:00 GMT News brief: Patch critical and high-severity vulnerabilities now Search Security Resources and Information from TechTarget 60 webmaster@techtarget.com