When security teams talk about attack surface, the conversation usually starts in familiar places. Servers, identity systems, VPN access, cloud workloads, maybe browsers. Those are visible. They show up in diagrams and asset inventories.
What gets less attention are the everyday tools people use to actually get work done.
PDF readers. Compression utilities. Remote access clients. Word processors. Spreadsheet tools. Email clients. Browsers. Screen sharing software. Update managers. The background software that quietly powers normal business activity.
Most organizations do not spend much time debating whether to deploy these. They are simply part of operating in a digital economy. Contracts arrive as PDFs. Finance works in spreadsheets. HR reviews resumes. IT supports users remotely. Executives live in email and browsers. These tools become part of the environment almost by default.
At Action1, where visibility into third-party software exposure across endpoints is a daily focus, these background tools consistently emerge as a defining part of the real-world attack surface.
That commonness is what makes them attractive targets from a threat actor’s perspective.
The value of being ordinary
From the outside, modern enterprises look different. Networks vary. Architectures change. Security stacks evolve. But, inside most environments, the same classes of applications appear again and again, and more often than not, the same software titles dominate the majority of installations.
It is difficult to function in modern business without an email client, document processing software, a browser, and tools for packaging, previewing, and sharing files. Using similar products is less about preference and more about compatibility.
Business depends on exchanging information in formats everyone else can use. Without those standards, we go back to the days of file-format wars, “I cannot open that, we use something else,” and lost time just trying to make data usable. That friction is why the industry standardized, and why the same major names still dominate.
Attackers pay attention to that.
Rather than predicting every custom application an organization might run, they look for overlap. If a vulnerability appears in a widely used PDF engine, spreadsheet parser, email preview component, or remote access utility, the chances it connects with something real are high. The exploit is aimed less at unique architecture and more at familiarity.
Most successful exploitation does not rely on exotic techniques. It relies on muscle memory. Users open PDFs, Word files, spreadsheets, and links all day long. Attackers are betting those actions feel routine enough that nobody hesitates.
That familiarity shapes how campaigns are built, and it should influence how defense strategies are planned.
Many attacks historically looked like guesswork. An attacker might send a crafted email for Outlook, hoping the recipient uses Outlook. Or attach a weaponized spreadsheet, hoping Excel is present. Or send a malicious PDF, hoping the reader is vulnerable.
There is uncertainty in that approach. The exploit launches before the attacker truly knows what is on the other end. That raises the chance the attack is detected before it takes effect, and it risks burning valuable exploit code: once it fails, it may be captured, profiled, and added to the signatures that scan for it from then on.
What changes with common utilities is the probability curve.
Email clients, browsers, word processors, spreadsheets, PDF readers, and archive tools appear in most business environments because the work itself requires them. An attacker does not need perfect information to expect something compatible nearby.
Instead of treating exploitation as a one-off guess, attackers think in likelihood. They invest effort where overlap is largest. The more widespread the tool, the more attractive it becomes as an entry point.
That is why vulnerabilities in these utilities move quickly through exploit ecosystems. Once something works in a familiar toolchain, it scales. If one user relies on Outlook, Word, and Adobe, there is a good chance coworkers and business relations do as well for interoperability reasons.
Figure 1: Automated detection and remediation of critical vulnerabilities in third-party applications.
The standard business footprint in practice
These tools also travel together.
If an email clearly originated from Outlook, it already hints at part of the environment. Email workflows connect to document workflows. If Outlook is present, Word and Excel are often nearby.
Each utility reinforces the presence of others.
For attackers, that enables paths rather than isolated exploits. An issue in an email client connects to attachment handling, preview engines, document renderers, shared libraries, and integrations that tend to coexist on the same system.
Instead of targeting a single application, the attack surface starts to resemble the business footprint itself, the collection of tools people rely on every day.
When vulnerabilities appear in that footprint, they attract more attention because they fit naturally into how people already work.
Quiet signals and small leaks
Another part of the story is information people do not realize they share.
Documents often contain metadata. PDFs reference the engine that produced them. Spreadsheets carry formatting behavior tied to specific suites. Email headers expose client details. Browser traffic advertises user agents. File structures reveal habits and versions.
A single attachment, email, or shared document can quietly describe parts of the software stack behind it.
In isolation it does not look sensitive. Often it is not even visible. Over time it builds a picture of what tools are common, what standards they follow, and how files are processed.
What created it, what version, and how recently: when details of old software show up in current workflows, the software processing those files is old. And old software often means years of exploit potential bottled up in one package. That is often what turns speculation into precision.
Those breadcrumbs help attackers shape payloads that align with what exists on the other side, increasing effectiveness while reducing noisy experimentation.
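The metadata leak described above is easy to check for on the defender's side. The following is an added example, not code from the original article or from Action1: it parses the Info dictionary of a PDF and reports which fields disclose the producing software and its version, so a team can audit what its outgoing documents reveal before deciding what to strip. The PDF bytes are constructed for the example (the producer and creator strings are invented), and the parser handles only the simple, uncompressed Info-dictionary layout, which is a stated assumption.

```python
"""Added example: audit a PDF's Info dictionary for software/version disclosures.

Assumption: the Info dictionary is an uncompressed, literal-string object
referenced from the trailer (the common case for simple PDFs; object
streams and hex strings are out of scope here).
"""
import re

# Constructed minimal PDF; the Producer/Creator values are made up.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Producer (ExamplePDF Writer 9.2.1) "
    b"/Creator (Example Office 2016) "
    b"/CreationDate (D:20260301120000Z) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n"
    b"%%EOF\n"
)

# Fields that commonly carry tool names, versions, or timestamps.
FIELDS = ("Producer", "Creator", "Author", "CreationDate", "ModDate")


def pdf_info(data: bytes) -> dict:
    """Return the Info dictionary's literal-string fields, or {} if absent."""
    trailer = re.search(rb"trailer\s*<<(.*?)>>", data, re.S)
    if not trailer:
        return {}
    ref = re.search(rb"/Info\s+(\d+)\s+\d+\s+R", trailer.group(1))
    if not ref:
        return {}
    obj_num = ref.group(1)
    obj = re.search(rb"(?m)^" + obj_num + rb"\s+\d+\s+obj\s*<<(.*?)>>\s*endobj", data, re.S)
    if not obj:
        return {}
    body = obj.group(1)
    meta = {}
    for name in FIELDS:
        m = re.search(rb"/" + name.encode() + rb"\s*\(([^)]*)\)", body)
        if m:
            meta[name] = m.group(1).decode("latin-1")
    return meta


def software_disclosures(meta: dict) -> dict:
    """Pick out fields that name a tool or carry a version-looking token.

    Returns {field: value} for Producer/Creator entries, plus any field whose
    value contains a dotted version number such as 9.2.1.
    """
    version_re = re.compile(r"\d+(?:\.\d+)+")
    found = {}
    for field, value in meta.items():
        if field in ("Producer", "Creator") or version_re.search(value):
            found[field] = value
    return found


if __name__ == "__main__":
    info = pdf_info(SAMPLE_PDF)
    for field, value in software_disclosures(info).items():
        print(f"{field}: {value}")
```

Run against a directory of documents about to leave the organization, the output is the inventory of tool names and versions those files would advertise; a document with an empty result is the goal of any metadata-stripping step.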
Why third-party software drifts
Most enterprises put real effort into operating system patching. Update pipelines are understood. Browsers update often. Mobile devices follow management policies. Systems start with baselines and are monitored.
Third-party utilities live differently.
Vendors ship different installers. Some auto-update. Some rely on users. Some get disabled by packaging systems. Some stay frozen because workflows depend on a version.
Over time, multiple builds of the same tool spread across endpoints. Some become stale. Some live for years with known vulnerabilities simply because they fell off the radar.
In Action1’s analysis of enterprise environments, it is common to find multiple versions of the same third-party application coexisting, some lagging years behind current security fixes. This fragmentation quietly accumulates exploit potential without triggering obvious alerts.
From a security view, that drift matters because attackers do not need new exploits. They benefit from whatever version still exists somewhere in the footprint. A five-year-old PDF reader quietly carries five years of cumulative exploit potential.
What feels like small technical debt widens the opportunity window for major exploitation.
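The drift the section describes is measurable from an ordinary software inventory. The following is an added example, not Action1's code or any product's API: given per-endpoint records of installed applications, it reports every application that exists in more than one version and lists the hosts running anything older than the newest version seen. The inventory records are constructed for the example, and the dotted-number version comparison is an assumption that holds for most, but not all, vendors' schemes.

```python
"""Added example: find third-party version drift across endpoints.

Input records are (hostname, application, version). The data below is
constructed for illustration and does not describe any real environment.
"""
from collections import defaultdict
import re

INVENTORY = [
    ("fin-01", "PDF Reader", "2021.1.3"),
    ("fin-02", "PDF Reader", "2024.2.0"),
    ("hr-01", "PDF Reader", "2019.8.1"),
    ("it-01", "PDF Reader", "2024.2.0"),
    ("fin-01", "Archive Tool", "6.1"),
    ("fin-02", "Archive Tool", "6.1"),
    ("hr-01", "Archive Tool", "5.4"),
    ("it-01", "Remote Access Client", "9.0.2"),
]


def version_key(version: str) -> tuple:
    """Sort key for dotted numeric versions (assumed scheme): '2024.2.0' -> (2024, 2, 0)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def drift_report(inventory, max_versions: int = 1) -> dict:
    """Return, per application with more than max_versions distinct builds,
    the newest and oldest version seen, the hosts lagging behind the newest,
    and the full version-to-hosts mapping."""
    by_app = defaultdict(lambda: defaultdict(list))
    for host, app, version in inventory:
        by_app[app][version].append(host)

    report = {}
    for app, versions in by_app.items():
        if len(versions) <= max_versions:
            continue  # single build everywhere: no drift to report
        ordered = sorted(versions, key=version_key)
        newest = ordered[-1]
        report[app] = {
            "newest": newest,
            "oldest": ordered[0],
            "lagging_hosts": sorted(h for v in ordered[:-1] for h in versions[v]),
            "versions": {v: sorted(versions[v]) for v in ordered},
        }
    return report


if __name__ == "__main__":
    for app, detail in drift_report(INVENTORY).items():
        print(f"{app}: newest {detail['newest']}, oldest {detail['oldest']}, "
              f"lagging hosts {detail['lagging_hosts']}")
```

The `lagging_hosts` list is the remediation queue; the `oldest` value per application is the number to compare against the vendor's fix history when deciding how far behind a fleet really is.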
Trust and everyday behavior
There is also a human side to these tools.
Email, documents, browsers, and archives feel like infrastructure. People trust them like desks and keyboards. Opening a PDF does not feel like running code. Previewing an email does not feel like execution. Extracting a file feels routine.
By the time behavior looks unusual, the initial interaction already happened in a place people rarely question. These actions occur thousands of times a day, which makes tracing a compromise back to a document, email, or user extremely difficult.
Figure 2: Secure, scalable patch management across Windows, macOS, and third-party apps, with compliance reporting and 200 forever-free endpoints.
Looking at the footprint, not just the platform
For leadership teams, the value here is perspective, not fear.
Security strategies often start with the platform layer, operating systems, networks, identity, cloud infrastructure. Those matter, but they do not tell the full story of how work actually happens.
Work happens in email clients, spreadsheets, PDFs, browsers, archive tools, and remote sessions. That is where files open, previews render, links get clicked, and data moves between people.
That makes them predictable.
That is why third-party patching often carries more risk weight than expected. The operating system may be tightly managed, while the tools on top quietly define real exposure.
Looking at the footprint is less about assuming weakness and more about understanding where everyday work intersects with real security concerns.
A quieter way to think about patching
Third-party patching often feels operational rather than strategic. Yet these utilities sit at the intersection of people, files, and execution.
They are ordinary, and that is exactly why they matter.
Not because every organization looks the same, but because they look similar enough that attackers design around that similarity.
When teams examine environments, the focus is usually infrastructure. There is also value in asking what the standard business suite looks like across endpoints, how it evolves, and how consistently it stays current.
Which tools are actually needed? Which are simply part of a default deploy? Which stay installed even when unused? Which stop getting updated because nobody notices them?
This is why, in practice, teams working with platforms like Action1 consistently see third-party patching deliver a greater reduction in real-world risk than many more visible security controls. Exploitation rarely hinges on a single overlooked vulnerability. It is enabled by years of accumulated drift across third-party applications that quietly fall out of date while remaining embedded in everyday workflows.
Those conditions exist long before an exploit is written or deployed. They shape the practical attack surface by defining which software actually executes, which files get opened, and which actions feel routine enough to avoid scrutiny.
Third-party software is not adjacent to the platform — it is part of how the platform operates, and it is often where exposure concentrates when everything else appears well-managed.
Action1 is a founder-led company, brought to you by the original minds behind Netwrix. At the time of this writing, it is one of the fastest-growing private software companies in the US because organizations are recognizing that OS and third-party patching can no longer be treated as a secondary task.
Addressing modern risk requires continuous visibility into third-party software and the ability to remediate vulnerable applications across endpoints quickly and consistently. When teams evaluate modern patch management solutions, Action1 increasingly represents the option designed around that reality.
Before LaGuardia and JFK, New York City had Floyd Bennett Field, its first dedicated airport. From the moment it opened in 1931, it served as the location in Brooklyn for modern aviation to get off the ground (literally and figuratively). Eventually, the aforementioned LaGuardia Airport was built in 1939 and became the global hub for travel that it is today. That didn’t mean the Floyd Bennett Field no longer served a purpose, however.
Floyd Bennett Field was purchased by the United States Navy in 1941 as World War II kicked into high gear in Europe. Even before the United States formally entered the war after the attacks on Pearl Harbor in December 1941, the U.S. Navy was using the space to train ground crews. Later, the Navy flew anti-submarine patrols from Floyd Bennett to protect American and British ships that were crossing the Atlantic. This old airport was also home to aircraft like the PBY Catalina seaplane that were hugely instrumental to the Allied war effort.
The Catalina was essentially a flying gunboat and patrol platform with four total machine guns and the ability to carry upwards of four bombs totaling 4,000 pounds for taking out German U-boats. That kind of firepower flying out of a convenient location like New York City was instrumental to the Allies in the early stages of the war.
Floyd Bennett Field’s role in WW2 and beyond
While patrols were ongoing in the North Atlantic, Floyd Bennett Field was also instrumental to carrier operations in the Pacific theater. A number of aircraft manufacturers had factories in New York City, including Grumman. This company was responsible for making planes like the F6F Hellcat, one of the top World War II fighter aircraft. The Hellcat pummeled the Imperial Japanese Navy, scoring a total of 5,155 air “kills” over the span of just two years. Hellcats were flown and tested at Floyd Bennett Field and then transferred to the West Coast for deployment to carrier groups.
Just being the home of the PBY Catalina and F6F Hellcat would cement the airport’s place in U.S. Navy history. However, it also served as the first ever testing and training ground for the then-bleeding edge helicopter in 1943. After the war, operations at the park slowed down, and it was closed entirely as a military airport in 1971. It is now preserved as part of the National Park Service.
The U.S. Federal Bureau of Investigation (FBI) warned network defenders that Iranian hackers linked to the country’s Ministry of Intelligence and Security (MOIS) are using Telegram in malware attacks.
In a flash alert issued on Friday, the FBI says Telegram is being used as command-and-control (C2) infrastructure by malware targeting journalists criticizing the Iranian government, Iranian dissidents, and various other oppositional groups worldwide.
The bureau linked these attacks to the Iranian-linked and pro-Palestinian Handala hacktivist group (also known as Handala Hack Team, Hatef, Hamsa) and the Iranian state-sponsored Homeland Justice threat group tied to Iran’s Islamic Revolutionary Guard Corps (IRGC).
In these attacks, the Iranian hackers are using social engineering to infect targets’ devices with Windows malware that enables them to exfiltrate screenshots or files from compromised computers.
“Due to the elevated geopolitical climate of the Middle East and current conflict, the FBI is highlighting this MOIS cyber activity,” the bureau said.
“This malware resulted in intelligence collection, data leaks, and reputational harm against the targeted parties. The FBI is releasing this information to maximize awareness of malicious Iranian cyber activity and provide mitigation strategies to reduce the risk of compromise.”
Iranian malware attacks abusing Telegram (FBI)
This warning was published one day after the FBI seized four domains (handala-redwanted[.]to, handala-hack[.]to, justicehomeland[.]org, and karmabelow80[.]org).
The websites available via the seized clearnet domains were used by the Handala and Homeland Justice threat groups, and a third threat actor tracked as Karma Below, during their attacks and to leak sensitive documents and data stolen in cyberattacks targeting victims in the United States and around the world.
These actions follow Handala’s cyberattack on U.S. medical giant Stryker, in which they factory reset approximately 80,000 devices (including employees’ personal computers and mobile devices managed by the company) using the Microsoft Intune wipe command after compromising a Windows domain administrator account and creating a new Global Administrator account.
Last week, the FBI also warned that Russian intelligence-linked threat actors are targeting Signal and WhatsApp users in phishing campaigns that have already compromised thousands of accounts.
“The activity targets individuals of high intelligence value, such as current and former U.S. government officials, military personnel, political figures, and journalists,” said the FBI in a public service announcement issued after Dutch and French cybersecurity authorities described similar account-hijacking operations.
In what’s probably the culmination of Apple’s 50th anniversary celebrations, maybe we’ll get to see Tim Cook dance again at a large-scale party now being planned at Apple Park.
Apple Park is to host an elaborate 50th anniversary party
The anniversary celebrations were started by Tim Cook writing an open letter about Apple’s five decades, and since then events have followed in New York, China, South Korea, France, and Thailand. More are expected in the UK, Canada, and Australia, but probably the biggest one will be at Apple Park. According to Bloomberg, Apple is planning what’s described as “an elaborate 50th birthday party” at its Cupertino, California headquarters. There are no further details in the article, and not even confirmed dates, but there is supposition that John Ternus will be center stage as the most likely next CEO of the company.
Xiaomi has been out of the laptop game for a few years, but the Book Pro 14 (2026) completely outperforms their previous offerings with cutting-edge technology that manages to deliver everyday comfort and a serious punch in an impressively small chassis, rivaling Apple’s MacBook Air.
The Book Pro 14 weighs a sleek 1.08kg and is only slightly thicker than 15mm, making it easy to sneak into your luggage without drawing notice. The entire design revolves around a single huge piece of die-cast magnesium alloy that acts as the main frame, which is then encased in a carbon fiber bottom panel and a titanium support beneath the keyboard. The idea behind all of this was to minimize weight while yet having a structure robust enough to withstand being bunged in a travel bag, and there are a variety of color possibilities, including blue, grey, pink, and white, which is a nice change from the usual bland neutrals.
The screen is 14.6 inches and features an OLED panel with a resolution of 3,120 x 2,080, which is refreshed 120 times per second. Oh, and it’s touch-sensitive and bright enough to see in almost any setting. Overall, it provides a really fluid experience whether you’re seeing documents or watching videos, and the colors appear accurate for creators.
Intel basically provides the CPUs, and there are a few solid options to select from, ranging from the Core Ultra 5 325 to the Core Ultra X7 358H, which has an incredible 16 cores. Meanwhile, the top models have 32GB of RAM and 1TB of storage, with an internal slot for adding another drive for a total of 4TB.
Power management is handled by a huge 10,000 square millimetre vapor chamber, which works in tandem with dual fans and three independent airflow channels to keep the whole thing nice and cool even when running solely on battery power. The battery has an amazing 72Wh capacity, and estimations range from 19.8 hours of mixed use to 12 hours of uninterrupted video playback or over 16 hours of online meetings. It’s also easy to recharge; simply plug in a 100W charger and you’re ready to go.
When it comes to connectivity, we’ve got the essentials without the extras: a single standard USB-A connector adjacent to an HDMI port, two USB-C ports (one of which supports Thunderbolt), and a 3.5mm socket to meet all of your audio demands. The keyboard boasts 1.3mm of key travel and LEDs to help you work late at night or in low-light conditions. The touchpad is a reasonable size at 129 square cm and responds to pressure in a way that allows you to employ a few extra gestures for shortcuts and other purposes. To sweeten the deal, Xiaomi has included a few features that should make life easier, such as seamless file copying between devices and the ability to read documents on whatever tablet or phone you own without having to worry about it.
Prices in China start around 8,500 yuan, which equates to approximately $1,234 for the entry-level model with 24GB of memory and 1TB of storage. The higher-spec models with faster processors and more memory cost around 10,500 yuan. Sales began in China on March 21st, and if you were lucky, you might have gotten one of the early deals that were available.
Salesforce acquired Clockwise’s workers, but not the company itself
Clockwise customers advised to migrate to Reclaim
Agentforce annual recurring revenue up 169%
Clockwise CEO Matt Martin has announced via a LinkedIn post that Salesforce will be hiring the startup’s team as part of its broader Agentforce push.
Because Salesforce is acquiring the workers and not the company, Clockwise has confirmed it will be shutting down from March 27, 2026, leaving customers having to find an alternative.
Martin confirmed that all customer data would be deleted, meaning that Salesforce won’t have access to Clockwise’s database, and that unused subscriptions will be refunded.
Clockwise closes down as Salesforce acquires workers, not company
“We believe this move will allow us to have even greater impact,” Martin wrote, explaining the founding team’s success and experience. “We will be bringing our deep expertise building reliable, agentic software to the Agentic Enterprise.”
The 10-year-old company has served major customers, like Uber, Netflix and Atlassian, during its time in market, but now users are being directed to rival app Reclaim in light of the near-immediate shutdown. Reclaim will be matching Clockwise’s prices to make the transition less painful.
“They’re joining my charter to build Agent Interoperability and Orchestration within Agentforce,” Clockwise co-founder Gary Lerhaupt wrote in a separate LinkedIn post. Lerhaupt joined the Agentforce team as Product Architecture VP a little over a year ago after around eight years at Clockwise. Martin also spent over two years at Salesforce between 2014 and 2016 before departing to create Clockwise.
Although Salesforce has not commented on how the new recruits might drive Agentforce forward, we can at least expect immense growth. The Agentforce business grew 169% in terms of annual recurring revenue, now accounting for $800 million. Total company revenue for the most recent full year stood at $41.5 billion, up 10% year-over-year.
The team from Auger accepts the Startup of the Year trophy at the 2025 GeekWire Awards. (GeekWire File Photo / Dan DeLong)
Boot up the robot trophies, it’s time to vote for the finalists for the 2026 GeekWire Awards!
This is your chance to help us honor the top innovators and entrepreneurs in Pacific Northwest tech — from Startup of the Year to Next Tech Titan, from Young Entrepreneur of the Year to CEO of the Year, and much more.
With 50 finalists across 10 categories, the annual GeekWire Awards are a much-anticipated and hotly-contested affair, hosted live from the Showbox SoDo in Seattle on May 7.
Cast your ballot here or in the embedded form at the bottom. Voting runs through April 10.
The event will feature a VIP reception, sit-down dinner and fun entertainment mixed in. Tickets go fast, and a limited number of half-table and full-table sponsorships are available, so contact events@geekwire.com to reserve a spot for your team today.
Over the next few weeks, we’ll feature the finalists in special GeekWire editorial posts on each category.
Now in its 18th year, the GeekWire Awards is a premier event for the Seattle tech community, bringing together hundreds of geeks to celebrate innovation and the entrepreneurial spirit. Past winners have included Auth0, Tableau, Smartsheet, Rover, Remitly, Swype, Redfin, Zulily, The Black Boardroom Initiative, University of Washington computer scientist Ed Lazowska, Technology Access Foundation and many others.
GrapheneOS is doubling down on privacy at a time when most platforms are moving the other way. The security-focused Android alternative says it won’t require personal information from users, even as governments tighten identity and data collection rules.
In a recent public post, the team said the OS will remain usable without accounts or ID checks worldwide. That decision comes with a clear tradeoff. If local laws demand verification, access in those regions could disappear instead of the platform changing its approach.
That puts GrapheneOS on a direct collision path with a broader push toward verified online services. While most companies adapt quietly to stay compliant, this project is choosing to stay outside that system entirely.
No ID means no compromise
The position itself isn’t new, but the clarity is. Access to GrapheneOS and its services won’t depend on signing up or proving your identity, regardless of where you are.
GrapheneOS will remain usable by anyone around the world without requiring personal information, identification or an account. GrapheneOS and our services will remain available internationally. If GrapheneOS devices can’t be sold in a region due to their regulations, so be it.
Instead of tailoring rules for each market, the platform keeps a single global standard. If a government requires identity checks to distribute or use it, support in that region stops there.
That approach is rooted in how the OS is built. GrapheneOS strips out unnecessary data exposure wherever possible, including avoiding centralized accounts that can tie activity to a person. Adding identity requirements would break that model at a fundamental level.
Why this stance stands out
There’s a practical downside to that consistency. In regions where stricter rules take effect, users could lose access to GrapheneOS devices or updates tied to the platform.
The limitations go further than availability. Hardware support is deliberately narrow, limited to devices that meet strict security requirements. Broader compatibility options are avoided because they weaken protections. Even setup reflects that thinking, with preloaded devices offered to reduce exposure to standard Android installs.
That tradeoff is hard to ignore. You get stronger privacy guarantees, but you give up flexibility in devices and access.
What happens next
GrapheneOS is still trying to grow without loosening its rules. A long-term partnership with Motorola aims to bring official support to more devices starting in 2027, which could improve availability without lowering its standards.
Expansion will stay selective. Devices that don’t meet its requirements won’t be supported, even if that slows adoption.
The project’s funding model also plays a role. It runs entirely on donations, now enough to support a full-time team. That independence gives it room to hold this line while others bend under regulatory or commercial pressure.
If you’re thinking about switching, the value is straightforward. You get a mobile OS that avoids identity checks entirely, but depending on where you live, access could become harder to maintain over time.
Today’s Connections: Sports Edition is a tough one. Let’s hope you know a lot about a certain NBA player. If you’re struggling with today’s puzzle but still want to solve it, read on for hints and the answers.
Connections: Sports Edition is published by The Athletic, the subscription-based sports journalism site owned by The Times. It doesn’t appear in the NYT Games app, but it does in The Athletic’s own app. Or you can play it for free online.
Hints for today’s Connections: Sports Edition groups
Here are four hints for the groupings in today’s Connections: Sports Edition puzzle, ranked from the easiest yellow group to the tough (and sometimes bizarre) purple group.
Yellow group hint: Somebody has to win!
Green group hint: Gridiron strategy.
Blue group hint: Certain bird.
Purple group hint: A hoops star.
Answers for today’s Connections: Sports Edition groups
Yellow group: Used to break a tie.
Green group: Offensive formations in football.
Blue group: Cardinals.
Purple group: Associated with Shai Gilgeous-Alexander.
One of the coolest things about old hi-fi hardware is that it often came with flickety needles that danced with the audio level. You can still buy these if you want, or you can simulate the same look on a screen, as [mircemk] demonstrates.
It isn’t [mircemk]’s first rodeo in this regard. An earlier project involved creating simulated VU meters on round displays, but they were somewhat limited. Using the Adafruit GFX library on an ESP32 netted a working setup, but it was jerky and very jagged and digital-looking. It was more akin to a fake needle display running on an 8-bit computer than something that looked like a real vintage VU meter.
[mircemk] didn’t give up and figured the ESP32 microcontroller and GC9A01 round display could surely deliver better results. The trick was to leverage the LVGL graphics library instead, along with the SquareLine Studio UI editor. The library was able to display far richer graphics that look like an actual vintage VU meter, even appearing glowing and backlit like the real thing. The moving needle animates far more smoothly as well, pulsing with the music in a way that feels far more realistic compared to the earlier attempt.
It’s nice to see this simple project revisited and so boldly improved just a year later. If you’re looking to implement real-looking gauges while retaining the flexibility of a small LCD screen, you might like to try the LVGL library for yourself. With that said, sometimes you just can’t beat the real analog gauges themselves. Video after the break.
AI agents are quickly becoming the cybersecurity industry’s favorite promise.
In theory, they can triage alerts, investigate incidents, and respond to threats – acting as force multipliers for overstretched SOC teams.
In practice, many security leaders are discovering that agents are failing.
Jamie Moles
Senior Technical Manager at ExtraHop.
Not because these agents are incapable, but because they lack the data and context to understand activity across the network and respond appropriately.
Autonomy is compelling, but without the right data, it’s less useful automation and more hopeful guesswork that is quietly creating a visibility gap at the heart of the agentic SOC.
The context problem
Most AI agents rely on the same fragmented telemetry stacks that analysts have struggled with for years. Endpoint logs in one tool, cloud signals in another, identity data elsewhere, and network traffic often underused or ignored. Each source tells part of the story, but none provide the full picture no matter what dashboard you favor.
When context is missing, agents struggle to reason about what’s normal and what’s malicious. False positives can multiply, investigations can stall, and automated responses can disrupt legitimate business activity.
Practical AI use cases illustrate both the promise and the challenge: agents can automatically isolate compromised endpoints after detecting unusual login patterns, or flag anomalous lateral movement that would take analysts hours to investigate manually.
Yet these same agents can misfire if the underlying telemetry is incomplete, triggering unnecessary quarantines or failing to detect stealthy sophisticated threats.
At its core, this isn’t a problem with the AI, but with the information available to it. AI can only act on what it knows. And in many SOCs, it simply doesn’t know enough.
Building a foundation for autonomy
Before organizations push further into automation, they need to address a more fundamental issue: the quality and completeness of their telemetry. Autonomous decision-making requires a constant stream of high-fidelity, trustworthy data – the kind that can be correlated across users, devices, applications, and workloads.
Many practitioners are returning to the foundational principle that the network remains one of the most reliable sources of truth in modern environments. While endpoints can be tampered with and logs siloed, network activity is unavoidable to attackers. It captures what actually happened – who talked to what, when, and how.
Modern environments demand even more context. Security teams also need visibility into identities behind actions and the behavior of cloud-native and Kubernetes workloads that now power critical business applications.
How context enables effective AI
When these layers – network, identity, and cloud – are unified, agents can operate with clarity. Instead of guessing, they can query rich telemetry directly, enrich alerts automatically, and make deterministic decisions about whether something truly represents risk.
In an effective agentic SOC, AI doesn’t replace analysts or blindly trigger responses. It does, though, handle the heavy lifting, correlating signals, surfacing the most relevant evidence, and resolving straightforward incidents so humans can focus on complex threats.
But this only works if the underlying data is complete, structured, and accessible. Put simply, better algorithms can’t compensate for poor visibility.
The path forward
As enterprises race to adopt AI-driven defenses, it’s tempting to treat agents as a shortcut to cybersecurity maturity. In reality, they amplify whatever foundation already exists – good or bad.
Organizations with strong telemetry and contextual insights see meaningful gains. Those without it simply automate their blind spots.
The future SOC will absolutely include AI agents. But autonomy needs to start with making sure the system has something trustworthy to see.
AI or not, in cybersecurity, your intelligence is only as powerful as the context behind it.