AI Archives - Cyber Security News
https://cybersecuritynews.com/category/ai/
Mon, 10 Nov 2025 13:14:33 +0000

Critical Vulnerability in Popular NPM Library Exposes AI and NLP Apps to Remote Code Execution
https://cybersecuritynews.com/npm-library-vulnerability/
Mon, 10 Nov 2025 13:14:30 +0000
A critical security flaw has been discovered in the widely used npm package expr-eval, potentially exposing AI and natural language processing applications to remote code execution attacks.

The vulnerability, tracked as CVE-2025-12735, allows attackers to execute arbitrary system commands through maliciously crafted input.

The expr-eval library is a JavaScript tool designed to parse and evaluate mathematical expressions safely, serving as a more secure alternative to JavaScript’s native eval() function.

With over 250 dependent packages, including oplangchain, a JavaScript implementation of the popular LangChain framework, this vulnerability has significant implications for the AI and NLP ecosystem.

NPM Library Vulnerability

Carnegie Mellon University researchers discovered that attackers can define arbitrary functions within the parser’s context object, enabling the injection of malicious code that executes system-level commands.

This vulnerability achieves Total Technical Impact under the SSVC framework, meaning adversaries gain complete control over affected software behavior and can access all system information.

CVE ID: CVE-2025-12735
Affected Package: expr-eval, expr-eval-fork
Vulnerability Type: Remote Code Execution
Patched Version: expr-eval-fork v3.0.0

The flaw is particularly dangerous for generative AI systems and NLP applications. These systems often run in server environments with access to sensitive local resources and process user-supplied mathematical expressions.

Developers using expr-eval or expr-eval-fork should take immediate action by upgrading to expr-eval-fork version 3.0.0, which includes comprehensive security patches.

The update introduces an allowlist of safe functions, mandatory registration for custom functions, and enhanced test cases to enforce security constraints.

The vulnerability was responsibly disclosed by security researcher Jangwoo Choe (UKO) and patched through GitHub Pull Request #288.

Organizations can use npm audit, which consumes the GitHub Security Advisory GHSA-jc85-fpwf-qm7x, to automatically detect this vulnerability in their projects.


The post Critical Vulnerability in Popular NPM Library Exposes AI and NLP Apps to Remote Code Execution appeared first on Cyber Security News.

Zscaler Acquires Enterprise AI Security Firm SPLX to Boost Zero Trust Exchange
https://cybersecuritynews.com/zscaler-acquires-splx/
Tue, 04 Nov 2025 13:06:15 +0000
Zscaler, a leading cloud security company, has announced the acquisition of SPLX, an innovative AI security firm, to enhance its Zero Trust Exchange platform with advanced artificial intelligence protection capabilities.

The acquisition aims to help organizations secure their AI investments throughout the entire development and deployment lifecycle.

The integration of SPLX’s technology into Zscaler’s platform will enable organizations to shift left with AI asset discovery, automate red teaming, and implement robust governance tools.

Zscaler emphasized that while AI creates tremendous value, its potential can only be fully realized when properly secured.

Comprehensive AI Security Development

By combining SPLX’s advanced technology with Zscaler’s Zero Trust Exchange intelligence and native data protection, the company will secure the complete AI lifecycle on a single unified platform.

With AI infrastructure investments projected to exceed $250 billion by the end of 2025, companies are confronting a rapidly expanding attack surface and increasing shadow AI sprawl.

Continuously evolving models, agents, and large language models require ongoing discovery, risk assessment, and remediation to maintain security.

SPLX brings specialized expertise in AI red teaming, asset management, threat inspection, prompt hardening, and governance to Zscaler’s existing capabilities.

The enhanced platform will feature AI asset discovery that extends beyond public generative AI applications to include models, workflows, code repositories, and Model Context Protocol servers in both public and private deployments.

The solution includes automated AI red teaming with over 5,000 purpose-built attack simulations designed to identify risks and vulnerabilities from development through production, offering real-time remediation.

Additionally, the platform expands Zscaler’s current AI Runtime Guardrails to protect sensitive data and block malicious attacks between AI applications and large language models, including agentic workflows.

SPLX expressed excitement about joining forces with Zscaler to address the vast attack surface created by rapidly expanding AI infrastructure investments.

The partnership will deliver SPLX’s innovation through one of the world’s most trusted security platforms, securing AI innovation at the pace organizations are adopting it.

The acquisition strengthens Zscaler’s position as a trusted partner for organizations seeking to securely adopt AI technologies.

With comprehensive AI governance and compliance support, the enhanced platform enables organizations to shift from reactive defense to proactive protection of their valuable AI investments while meeting regulatory requirements and governance frameworks.

Agent Session Smuggling: How Malicious AI Hijacks Victim Agents
https://cybersecuritynews.com/agent-session-smuggling/
Sat, 01 Nov 2025 09:31:02 +0000
Security researchers have uncovered a sophisticated attack technique that exploits the trust relationships built into AI agent communication systems.

The attack, termed agent session smuggling, allows a malicious AI agent to inject covert instructions into established cross-agent communication sessions, effectively taking control of victim agents without user awareness or consent. This discovery highlights a critical vulnerability in multi-agent AI ecosystems that operate across organizational boundaries.

How Agent Session Smuggling Works

The attack targets systems using the Agent2Agent (A2A) protocol, an open standard designed to facilitate interoperable communication between AI agents regardless of vendor or architecture.

The A2A protocol's stateful nature, its ability to remember recent interactions and maintain coherent conversations, becomes the attack's enabling weakness.

Unlike previous threats that rely on tricking an agent with a single malicious input, agent session smuggling represents a fundamentally different threat model: a rogue AI agent can hold conversations, adapt its strategy and build false trust over multiple interactions.

The attack exploits a critical design assumption in many AI agent architectures: agents are typically designed to trust other collaborating agents by default.

Once a session is established between a client agent and a malicious remote agent, the attacker can stage progressive, adaptive attacks across multiple conversation turns. The injected instructions remain invisible to end users, who typically only see the final consolidated response from the client agent, making detection extraordinarily difficult in production environments.

Understanding the Attack Surface

Research demonstrates that agent session smuggling represents a threat class distinct from previously documented AI vulnerabilities. While straightforward attacks might attempt to manipulate a victim agent with a single deceptive email or document, a compromised agent serving as an intermediary becomes a far more dynamic adversary.

The attack’s feasibility stems from four key properties: stateful session management allowing context persistence, multi-turn interaction capabilities enabling progressive instruction injection, autonomous and adaptive reasoning powered by AI models, and invisibility to end users who never observe the smuggled interactions.

The distinction between the A2A protocol and the similar Model Context Protocol (MCP) proves important here. MCP primarily handles LLM-to-tool communication through a centralized integration model, operating in a largely stateless manner.

A2A, by contrast, emphasizes decentralized agent-to-agent orchestration with persistent state across collaborative workflows. This architectural difference means MCP’s static, deterministic nature limits the multi-turn attacks that make agent session smuggling particularly dangerous.

Real-World Attack Scenarios

Security researchers developed proof-of-concept demonstrations using a financial assistant as the client agent and a research assistant as the malicious remote agent.

The first scenario involved sensitive information leakage, where the malicious agent issued seemingly harmless clarification questions that gradually tricked the financial assistant into disclosing its internal system configuration, chat history, tool schemas and even prior user conversations.

The user asks the financial assistant to retrieve the investment portfolio and profile, followed by a request for a briefing on AI market news.

Developer web UI. The right side shows internal exchanges between the financial assistant and the research assistant.

Crucially, these intermediate exchanges would remain completely invisible in production chatbot interfaces—developers would only see them through specialized developer tools.

The second scenario demonstrated unauthorized tool invocation capabilities. The research assistant manipulated the financial assistant into executing unauthorized stock purchase operations without user knowledge or approval.

By injecting hidden instructions between legitimate requests and responses, the attacker successfully completed high-impact actions that should have required explicit user confirmation. These proofs-of-concept illustrate how agent session smuggling can escalate from information exfiltration to direct unauthorized actions affecting user assets.

Defending against agent session smuggling requires a comprehensive security architecture addressing multiple attack surfaces. The most critical defense involves enforcing out-of-band confirmation for sensitive actions through human-in-the-loop approval mechanisms.

When agents receive instructions for high-impact operations, execution should pause and trigger confirmation prompts through separate static interfaces or push notifications—channels the AI model cannot influence.

Financial assistant’s activity log showing unauthorized stock purchase triggered by smuggled instructions.

Implementation of context-grounding techniques can algorithmically enforce conversational integrity by validating that remote agent instructions remain semantically aligned with the original user request’s intent.

Significant deviations should trigger automatic session termination. Additionally, secure agent communication requires cryptographic validation of agent identity and capabilities through signed AgentCards before session establishment, establishing verifiable trust foundations and creating tamper-evident interaction records.

Organizations should also expose client agent activity directly to end users through real-time activity dashboards, tool execution logs and visual indicators of remote instructions. By making invisible interactions visible, organizations significantly improve detection rates and user awareness of potentially suspicious agent behavior.
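The three controls described above (verifying a signed AgentCard before opening a session, grounding remote instructions in the user's original request, and pausing high-impact tools for out-of-band approval with a user-visible activity log), as an added Python example that is not code from the article or the A2A project; the HMAC-based card signing, the tool names, the trust key and the task scope are constructed stand-ins for this demonstration.

```python
"""Constructed A2A-style client-agent policy gate (example code, not from the article
or the A2A project). AgentCards are signed with HMAC-SHA256 over canonical JSON as a
stand-in for the real signing scheme; tool names, key and task scope are constructed."""
import hashlib
import hmac
import json

# Tools whose execution must pause for out-of-band human confirmation.
HIGH_IMPACT_TOOLS = {"buy_stock", "sell_stock", "transfer_funds"}

def canonical(obj: dict) -> bytes:
    # Deterministic JSON encoding so signatures and action ids are stable.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_card(card: dict, key: bytes) -> str:
    # Issuer side: sign an AgentCard (stand-in for the real A2A scheme).
    return hmac.new(key, canonical(card), hashlib.sha256).hexdigest()

def verify_card(card: dict, signature: str, key: bytes) -> bool:
    # Constant-time check that the card was signed by the trusted issuer.
    return hmac.compare_digest(sign_card(card, key), signature)

class ClientAgent:
    """Grounds remote instructions in the user's request, gates high-impact tools
    behind out-of-band approval and logs every remote-originated instruction."""

    def __init__(self, trust_key: bytes, task_tools: set):
        self.trust_key = trust_key
        self.task_tools = set(task_tools)   # tools the user's request actually needs
        self.peer = None
        self.session_open = False
        self.pending = {}                   # action id -> instruction awaiting approval
        self.log = []                       # activity log surfaced to the end user

    def _record(self, origin: str, event: str, detail) -> None:
        self.log.append({"origin": origin, "event": event, "detail": detail})

    def open_session(self, card: dict, signature: str) -> bool:
        """Establish a session only with a peer whose AgentCard verifies."""
        if not verify_card(card, signature, self.trust_key):
            self._record("client", "session_refused", card.get("name"))
            return False
        self.peer, self.session_open = card["name"], True
        self._record("client", "session_opened", card["name"])
        return True

    def handle_remote_instruction(self, instr: dict) -> str:
        """Process one instruction the remote agent slipped into the session.
        Returns 'executed', 'pending:<id>', 'terminated' or 'refused'."""
        if not self.session_open:
            return "refused"
        tool = instr.get("tool")
        self._record(self.peer, "remote_instruction", instr)  # make it visible
        # Context grounding: anything outside the user's task ends the session.
        if tool not in self.task_tools:
            self.session_open = False
            self._record("client", "session_terminated", f"{tool} outside user intent")
            return "terminated"
        # Human-in-the-loop: high-impact actions wait for an out-of-band approval.
        if tool in HIGH_IMPACT_TOOLS:
            action_id = hashlib.sha256(canonical(instr)).hexdigest()[:12]
            self.pending[action_id] = instr
            self._record("client", "approval_required", action_id)
            return f"pending:{action_id}"
        return "executed"

    def approve(self, action_id: str) -> str:
        """Called from the separate confirmation channel, never by the model."""
        instr = self.pending.pop(action_id, None)
        if instr is None:
            return "unknown"
        self._record("user", "approved", action_id)
        return "executed"

def run_scenarios() -> dict:
    """Replay the article's two scenarios against the gate (constructed data)."""
    key = b"constructed-trust-anchor-key"
    card = {"name": "research-assistant", "url": "https://research.example/a2a"}
    good_sig = sign_card(card, key)
    results = {}
    # A card with a forged signature never gets a session.
    fa = ClientAgent(key, {"get_portfolio", "get_profile", "search_news"})
    results["forged_card_refused"] = not fa.open_session(card, "0" * 64)
    # Scenario 1: a 'clarification' asking for chat history is out of scope.
    fa.open_session(card, good_sig)
    results["leak_attempt"] = fa.handle_remote_instruction({"tool": "get_chat_history"})
    results["after_leak"] = fa.handle_remote_instruction({"tool": "search_news"})
    # Scenario 2: a buy order is in scope but must pause for out-of-band approval.
    fb = ClientAgent(key, {"get_portfolio", "buy_stock"})
    fb.open_session(card, good_sig)
    buy = {"tool": "buy_stock", "args": {"ticker": "XYZ", "qty": 100}}
    results["smuggled_buy"] = fb.handle_remote_instruction(buy)
    results["bogus_approval"] = fb.approve("000000000000")
    results["user_approval"] = fb.approve(results["smuggled_buy"].split(":")[1])
    results["remote_events"] = sum(e["origin"] == "research-assistant" for e in fb.log)
    return results
```

The log entries with origin `research-assistant` are the ones a production chat UI would normally hide; surfacing them is what turns the smuggled turn into something the user can notice.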

Critical Implications for AI Security

While researchers have not yet observed agent session smuggling attacks in production environments, the technique’s low barrier to execution makes it a realistic near-term threat.

An adversary needs only convince a victim agent to connect to a malicious peer, after which covert instructions can be injected transparently. As multi-agent AI ecosystems expand globally and become more interconnected, their increased interoperability opens new attack surfaces that traditional security approaches cannot adequately address.

The fundamental challenge stems from the inherent architectural tension between enabling useful agent collaboration and maintaining security boundaries.

Organizations deploying multi-agent systems across trust boundaries must abandon assumptions of inherent trustworthiness and implement orchestration frameworks with comprehensive layered safeguards specifically designed to contain risks from adaptive, AI-powered adversaries.

AI-Powered Ransomware Is the Emerging Threat That Could Bring Down Your Organization
https://cybersecuritynews.com/ai-powered-ransomware/
Sat, 25 Oct 2025 10:32:18 +0000
The cybersecurity landscape has entered an unprecedented era of sophistication with the emergence of AI-powered ransomware attacks.

Recent research from MIT Sloan and Safe Security reveals a shocking statistic: 80% of ransomware attacks now utilize artificial intelligence.

This represents a fundamental shift from traditional malware operations to autonomous, adaptive threats that can evolve in real-time to bypass conventional security measures.

Organizations worldwide are facing a new category of ransomware that doesn’t just encrypt files; it learns, adapts, and maximizes damage through intelligent decision-making processes.

AI-Powered Ransomware: Offensive vs Defensive Statistics

Autonomous Ransomware Operations

The first confirmed AI-powered ransomware, dubbed PromptLock, emerged in August 2025 when researchers at ESET discovered samples on VirusTotal.

Created as a proof-of-concept by New York University’s Tandon School of Engineering, PromptLock demonstrates how large language models can orchestrate complete ransomware campaigns autonomously.

Unlike traditional ransomware that relies on pre-written code, PromptLock uses natural language prompts to generate malicious Lua scripts dynamically, making each attack unique and difficult to detect.

The malware operates by connecting to freely available language models through APIs, allowing it to analyze file systems, determine which data to exfiltrate or encrypt, and even craft personalized ransom notes.

This approach reduces the malware's footprint while maintaining sophisticated functionality, a technique that could revolutionize how cybercriminals develop and deploy attacks.

Beyond academic research, actual threat actors are already weaponizing AI for ransomware operations. FunkSec, a ransomware group that emerged in late 2024, exemplifies this trend.

Despite appearing to lack advanced technical expertise, FunkSec rapidly scaled its operations using AI-assisted malware development, targeting over 120 organizations across government, defense, technology, and education sectors.

FunkSec’s approach demonstrates how AI lowers the barrier to entry for cybercriminals. The group uses artificial intelligence to generate malware code, create detailed code comments, and automate attack processes.

Their ransomware, FunkLocker, exhibits coding patterns consistent with “AI snippet” generation, resulting in inconsistent but rapidly evolving malware variants.

This represents a paradigm shift where technical inexperience no longer prevents groups from launching sophisticated attacks.

The BlackMatter ransomware family also incorporates AI-driven encryption strategies and real-time analysis of victim defenses to evade traditional endpoint detection systems.

These groups demonstrate that AI-powered ransomware has moved beyond theoretical concepts to active deployment in cybercriminal operations.

Capabilities Of AI-Enhanced Attacks

AI fundamentally transforms every phase of ransomware operations through several key capabilities.

Enhanced reconnaissance allows malware to autonomously scan security perimeters, identify vulnerabilities, and select precise exploitation tools. This eliminates the need for human operators during initial phases, enabling attacks to spread rapidly across IT environments.

Adaptive encryption techniques represent another revolutionary advancement. AI-powered ransomware can analyze system resources and data types to modify encryption algorithms dynamically, making decryption more complex.

The malware can prioritize high-value targets by analyzing document content using Natural Language Processing before encryption, ensuring maximum strategic impact.

Evasive tactics powered by machine learning enable ransomware to continuously modify its code and behavior patterns. This polymorphic capability makes signature-based detection methods ineffective, as the malware presents different fingerprints with each execution.

AI also enables malware to track user presence and activate during off-hours to maximize damage while minimizing detection opportunities.

The financial consequences of AI-powered ransomware attacks far exceed traditional threats. The average cost of ransomware attacks has increased by 574% over six years, reaching $5.13 million per incident in 2024. For 2025, experts estimate costs will range between $5.5-6 million per attack, representing a 7-17% increase.

Small businesses face particularly severe consequences, with 60% of attacked companies closing permanently within six months.

The combination of immediate costs, customer abandonment, increased insurance premiums, and regulatory penalties creates a cascade of financial destruction that many organizations cannot survive.

A recent case study of an AI-powered ransomware attack on an Indian healthcare provider illustrates the comprehensive nature of these threats.

The attack used AI-driven network mapping to identify critical systems like Electronic Health Records, employed adaptive encryption techniques that accelerated when defensive measures were detected, and utilized polymorphic code to avoid signature-based detection.

Defense Strategies

Organizations must adopt multi-layered, AI-enhanced defense strategies to combat these evolving threats.

Zero-trust architecture becomes critical, as AI can analyze behavior patterns in real-time to dynamically adjust access permissions based on risk signals. This approach limits lateral movement even when endpoints are compromised.

AI-powered behavioral analysis offers significant defensive advantages, reducing cyberattack success rates by 73% while predicting 85% of data breaches before they occur.

These systems excel at detecting anomalies that indicate ransomware activity, such as unusual file access patterns or network communications.

Deception technologies can trap AI attackers by deploying honeypots and decoy assets that mimic high-value systems.

When AI-driven ransomware probes these environments, defenders can study attack patterns and develop countermeasures without risking production systems.

Implementation of immutable backup systems with air-gapped storage becomes essential, as AI ransomware often searches for and disables backup systems before encryption.

Organizations should also deploy adversarial AI that feeds misleading data to attacker reconnaissance algorithms, increasing the likelihood of model failure.

The emergence of AI-powered ransomware represents an inflection point in cybersecurity. Organizations can no longer rely on traditional defensive measures against threats that learn, adapt, and evolve autonomously.

As demonstrated by current statistics and real-world attacks, the time for proactive preparation is now before AI-powered ransomware brings down your organization’s critical operations.

Top 10 Best AI Penetration Testing Companies in 2025
https://cybersecuritynews.com/best-ai-penetration-testing-companies/
Sat, 06 Sep 2025 20:05:31 +0000
AI is no longer just a buzzword; it’s a fundamental part of business operations, from customer service chatbots to complex financial models. However, this adoption has created a new and specialized attack surface.

Traditional penetration testing, which focuses on network and application vulnerabilities, is insufficient to secure AI systems.

AI penetration testing involves adversarial machine learning, prompt injection, and data poisoning to identify and exploit weaknesses unique to AI models and the infrastructure they run on.

In 2025, these services are crucial for ensuring the security, reliability, and ethical use of AI.

Why AI Penetration Testing Is Needed

AI systems are vulnerable to a new class of attacks that can corrupt their data, manipulate their behavior, or exfiltrate sensitive information.

Attack vectors like prompt injection, where malicious input is crafted to bypass safety filters, or model poisoning, where training data is manipulated to introduce backdoors, are not addressed by conventional security tools.

AI penetration testing provides a proactive way to discover these vulnerabilities and build resilient, trustworthy AI systems, protecting against financial, reputational, and regulatory risks.

How We Chose Them

To compile this list, we evaluated each company based on three key criteria:

Experience & Expertise (E-E): We focused on companies with deep research capabilities in AI security, a track record of discovering novel AI vulnerabilities, and teams composed of both security experts and data scientists.

Authoritativeness & Trustworthiness (A-T): We considered their market leadership, their contributions to AI security frameworks like OWASP, and the trust they have earned from enterprise clients.

Feature-Richness: We assessed the breadth and depth of their service offerings, looking for capabilities in:

Adversarial AI Testing: The ability to test for vulnerabilities like data poisoning and evasion attacks.

LLM Red Teaming: Specialized testing for Large Language Models (LLMs) to find prompt injection and data exfiltration flaws.

“Shift-Left” Integration: The ability to integrate security into the AI development lifecycle (MLSecOps).

Comprehensive Coverage: Testing for vulnerabilities in the entire AI stack, from data to model to application.

Comparison Of Key Features (2025)

| Company | Adversarial AI Testing | LLM Red Teaming | Shift-Left Integration | Comprehensive Coverage |
| CalypsoAI | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| HiddenLayer | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| Mindgard | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| Lakera | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| Protect AI | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| Robust Intelligence | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| Prompt Security | ❌ No | ✅ Yes | ❌ No | ❌ No |
| Penligent | ✅ Yes | ✅ Yes | ❌ No | ✅ Yes |
| HackerOne | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| Trail of Bits | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |

1. CalypsoAI


CalypsoAI is a market leader in AI security, with a platform built to test and defend against attacks on AI models.

Its flagship product, the Inference Red-Team solution, automates the discovery of vulnerabilities through real-world attack simulations.

The company’s expertise is highlighted by its CalypsoAI Security Leaderboard, which ranks major AI models on their security performance, providing a transparent, data-driven view of risk.

Why You Want to Buy It:

CalypsoAI offers a unique, automated red-teaming capability that identifies hidden weaknesses and provides a quantifiable security score for AI models.

This allows organizations to build governance and compliance into their AI systems from the very beginning.

| Feature | Yes/No | Specification |
| Adversarial AI Testing | ✅ Yes | Automated red-teaming for real-world attack simulations. |
| LLM Red Teaming | ✅ Yes | Specializes in testing for vulnerabilities in GenAI and agents. |
| Shift-Left Integration | ✅ Yes | Integrates into the SDLC for continuous security testing. |
| Comprehensive Coverage | ✅ Yes | Secures the full AI lifecycle, from development to production. |

✅ Best For: Enterprises that need a purpose-built platform to test and secure mission-critical AI applications and agents against advanced, automated attacks.


2. HiddenLayer


HiddenLayer is a specialized AI security company focused on MLSecOps, the practice of integrating security into machine learning operations.

Its platform provides a robust detection and response capability by monitoring models at runtime.

HiddenLayer’s AI threat landscape reports and research demonstrate a deep understanding of evolving threats, including adversarial attacks and data poisoning, making it a key player in the space.

Why You Want to Buy It:

HiddenLayer provides a critical layer of defense for live AI systems. Its platform can detect and respond to attacks that bypass pre-deployment testing, ensuring the integrity and security of models once they are in production.

| Feature | Yes/No | Specification |
| Adversarial AI Testing | ✅ Yes | Specializes in detecting adversarial attacks. |
| LLM Red Teaming | ✅ Yes | Provides red-teaming services for generative AI. |
| Shift-Left Integration | ✅ Yes | Part of the MLSecOps workflow. |
| Comprehensive Coverage | ✅ Yes | Protects AI systems from development to production. |

✅ Best For: Organizations with mature ML teams that need a dedicated platform to monitor and protect AI models at runtime against adversarial attacks.


3. Mindgard


Mindgard is a leader in AI Security Testing, a category recognized by Gartner as an emerging innovation.

Founded in a leading UK university lab, the company’s platform, DAST-AI, is designed to find AI-specific vulnerabilities that traditional AppSec tools miss.

Mindgard’s expertise is built on over a decade of rigorous AI security research and a vast threat intelligence database of attack scenarios.

Why You Want to Buy It:

Mindgard offers a solution that is built from the ground up to address the unique challenges of AI security.

Its DAST-AI platform reduces testing times from months to minutes, enabling security teams to continuously identify and mitigate risks throughout the AI lifecycle.

| Feature | Yes/No | Specification |
| Adversarial AI Testing | ✅ Yes | DAST-AI identifies AI-specific runtime vulnerabilities. |
| LLM Red Teaming | ✅ Yes | Specializes in testing LLMs and agentic AI. |
| Shift-Left Integration | ✅ Yes | Integrates seamlessly into existing CI/CD pipelines. |
| Comprehensive Coverage | ✅ Yes | Covers a wide range of AI models, including image and audio. |

✅ Best For: Forward-looking security teams that need a dedicated, purpose-built platform for offensive security testing of AI systems, from chatbots to complex agents.


4. Lakera


Lakera offers a comprehensive platform for securing GenAI applications. Its solution is divided into two parts: Lakera Red, for automated red teaming during development, and Lakera Guard, for real-time runtime protection.

The company’s contributions to the OWASP Top 10 for LLMs (2025) and the AI Vulnerability Scoring System demonstrate its deep involvement in shaping the industry’s security standards.

Why You Want to Buy It:

Lakera provides an end-to-end security solution for GenAI, ensuring that vulnerabilities are uncovered before deployment and that live applications are protected against real-time threats like prompt injection and data leakage.

| Feature | Yes/No | Specification |
| Adversarial AI Testing | ✅ Yes | Lakera Red simulates real-world attacks. |
| LLM Red Teaming | ✅ Yes | Automated and continuous LLM testing. |
| Shift-Left Integration | ✅ Yes | Integrates with development workflows. |
| Comprehensive Coverage | ✅ Yes | Covers development and runtime stages. |

✅ Best For: Organizations that need to secure GenAI applications with a two-pronged approach: proactive testing during development and robust protection at runtime.


5. Protect AI


Protect AI is a key player in AI security, offering a comprehensive platform to discover, manage, and protect against AI-specific security risks.

Its solutions focus on securing the entire AI development lifecycle, from model scanning to GenAI runtime security and posture management.

The company’s expertise has led to its recent acquisition by Palo Alto Networks, which will integrate Protect AI’s capabilities into its Prisma Cloud platform.

Why You Want to Buy It:

Protect AI’s platform provides end-to-end security for AI systems, helping businesses meet enterprise requirements for model scanning, risk assessment, and posture management, ensuring they can deploy AI with confidence.

Feature | Yes/No | Specification
Adversarial AI Testing | ✅ Yes | Specializes in AI-specific security risks.
LLM Red Teaming | ✅ Yes | Covers GenAI runtime security.
Shift-Left Integration | ✅ Yes | Secures the AI development lifecycle.
Comprehensive Coverage | ✅ Yes | End-to-end security from development to runtime.

✅ Best For: Organizations that want an enterprise-grade AI security solution with a strong focus on securing the entire AI development and deployment lifecycle.

Try Protect AI here → Protect AI Official Website

6. Robust Intelligence


Robust Intelligence is an AI security and red-teaming company that specializes in making AI models resilient and trustworthy.

Their services are designed to address the unique fallibility of generative AI systems, which can be vulnerable to prompt injection, data leaks, and model manipulation.

The company’s approach is similar to traditional security audits, but with a specific focus on the unique vulnerabilities of AI.

Why You Want to Buy It:

Robust Intelligence provides a highly specialized and methodical approach to AI security, adopting an attacker’s perspective to uncover hidden vulnerabilities.

This is essential for organizations deploying AI in sensitive sectors like finance and healthcare.

Feature | Yes/No | Specification
Adversarial AI Testing | ✅ Yes | Expert-led AI red-teaming.
LLM Red Teaming | ✅ Yes | Specializes in testing generative AI.
Shift-Left Integration | ✅ Yes | Tests are integrated into the SDLC.
Comprehensive Coverage | ✅ Yes | Audits the entire AI system, from data to model.

✅ Best For: Organizations that need a dedicated team to conduct in-depth, expert-led AI red-teaming and security audits.

Try Robust Intelligence here → Robust Intelligence Official Website

7. Prompt Security


Prompt Security is an AI security firm that specializes in the unique challenges posed by Large Language Models. Their services focus on AI red-teaming to identify vulnerabilities in homegrown AI applications.

The company’s insights and predictions for 2025 highlight the rapid evolution of the security landscape, with AI-powered malware and new attack vectors becoming a critical concern.

Why You Want to Buy It:

Prompt Security offers highly focused expertise in LLM security, providing a direct solution for a major new attack vector. Their specialization ensures a deep understanding of the unique vulnerabilities that exist within LLM-based applications.

Feature | Yes/No | Specification
Adversarial AI Testing | ❌ No | Focus is primarily on prompt injection.
LLM Red Teaming | ✅ Yes | Specializes in LLM and agentic AI.
Shift-Left Integration | ❌ No | Focus is on testing, not full SDLC integration.
Comprehensive Coverage | ❌ No | Highly focused on LLMs.

✅ Best For: Organizations whose primary concern is the security of their large language models and the risks associated with prompt injection and data exfiltration.

Try Prompt Security here → Prompt Security Official Website

8. Penligent


Penligent specializes in AI penetration testing services, offering a blend of automated and manual testing to identify and mitigate vulnerabilities specific to AI systems.

Their expertise lies in a structured, comprehensive methodology that includes architecture reviews and simulations of various attack types.

Why You Want to Buy It:

For companies that prefer a service-based approach to security, Penligent provides a deep, expert-led audit of their AI systems.

Their team of specialists offers tailored assessments and actionable remediation plans, ensuring a proactive defense. They are a reliable choice for a thorough, one-time or recurring security audit.

Feature | Yes/No | Specification
Adversarial AI Testing | ✅ Yes | Simulates attacks such as prompt injection and sensitive data handling analysis.
LLM Red Teaming | ✅ Yes | Expertise in testing and auditing LLM applications for vulnerabilities.
Shift-Left Integration | ❌ No | Offers project-based audits rather than continuous integration into development pipelines.
Comprehensive Coverage | ✅ Yes | Provides a detailed report and mitigation plan for identified vulnerabilities.

✅ Best For: Organizations that need a one-off, in-depth security audit or a continuous advisory service from a team of seasoned AI security experts.

Try Penligent here → Penligent Official Website

9. HackerOne


While best known for its bug bounty platform, HackerOne has become a key player in AI security by offering a managed service for AI red teaming.

The company leverages its vast community of security researchers to find and fix AI vulnerabilities, including prompt injection, data leakage, and training data poisoning.

Their platform provides a streamlined workflow for managing findings and collaborating with researchers.

Why You Want to Buy It:

HackerOne’s platform provides a scalable and efficient way to conduct AI red teaming. By tapping into a global network of specialists, organizations can get a comprehensive test for a wide range of AI vulnerabilities in less time.

Feature | Yes/No | Specification
Adversarial AI Testing | ✅ Yes | Leverages a community of security researchers.
LLM Red Teaming | ✅ Yes | Offers managed services for LLM testing.
Shift-Left Integration | ✅ Yes | Provides a platform for vulnerability management.
Comprehensive Coverage | ✅ Yes | Covers both AI and traditional application security.

✅ Best For: Companies that want to leverage the power of a crowdsourced community of elite hackers to find AI-specific vulnerabilities.

Try HackerOne here → HackerOne Official Website

10. Trail Of Bits


Trail of Bits is a highly respected cybersecurity firm known for its deep technical expertise and research-driven approach. The company has a strong reputation for securing some of the world’s most critical systems, including blockchain and AI.

Its AI security services combine high-end research with a real-world attacker mentality to find and fix fundamental vulnerabilities in AI models and the infrastructure they rely on.

Why You Want to Buy It:

Trail of Bits’s expertise goes beyond standard testing. They are not just finding vulnerabilities; they are fixing the underlying software and architecture.

Their ability to uncover critical flaws in hardened systems makes them a trusted partner for securing high-value AI assets.

Feature | Yes/No | Specification
Adversarial AI Testing | ✅ Yes | Research-driven and highly technical.
LLM Red Teaming | ✅ Yes | Conducts in-depth security assessments.
Shift-Left Integration | ✅ Yes | Supports secure software development.
Comprehensive Coverage | ✅ Yes | Specializes in securing the entire AI stack.

✅ Best For: Organizations that need a deep, technical security assessment from a firm with a world-class reputation for research and ethical hacking.

Try Trail of Bits here → Trail of Bits Official Website

Conclusion

As AI becomes more integrated into our digital infrastructure, AI penetration testing is rapidly becoming an essential component of a robust security strategy.

The companies on this list represent the top tier of a new and growing industry, combining cutting-edge research with practical, real-world testing.

Companies like CalypsoAI, Mindgard, and Lakera stand out for their purpose-built, automated platforms that are specifically designed to address the unique threats to AI systems.

Meanwhile, established players like HackerOne and Trail of Bits are leveraging their existing expertise and reputation to provide world-class AI security services.

The right choice depends on your organization’s needs: whether you need a specialized platform for continuous testing, an expert-led assessment for a mission-critical model, or a scalable, crowdsourced solution.

All of these providers, however, offer the necessary expertise to protect your AI investments from the next generation of cyber threats.

The post Top 10 Best AI Penetration Testing Companies in 2025 appeared first on Cyber Security News.

Hackers Use AI Platforms to Steal Microsoft 365 Credentials in Phishing Campaign
https://cybersecuritynews.com/ai-platforms-leveraged-microsoft-365/
Fri, 05 Sep 2025 08:43:41 +0000

The post Hackers Use AI Platforms to Steal Microsoft 365 Credentials in Phishing Campaign appeared first on Cyber Security News.
Cybercriminals are increasingly exploiting the trust organizations place in artificial intelligence platforms to conduct sophisticated phishing attacks, according to a new report from cybersecurity firm Cato Networks.

The company’s Managed Detection and Response (MDR) service recently uncovered a campaign where threat actors leveraged Simplified AI, a popular marketing platform, to steal Microsoft 365 credentials from US-based organizations.

The attack, discovered in July 2025, successfully compromised at least one US investment firm before being detected and contained.

While the campaign is no longer active, security experts warn it represents a dangerous evolution in cybercrime tactics that could affect organizations across all industries.

Weaponizing Trusted AI Platforms

“Threat actors are no longer relying on suspicious servers or cheap lookalike domains,” the Cato Networks report states.

“Instead, they abuse the reputation and infrastructure of trusted AI platforms that employees already rely on, allowing them to bypass defenses and slip into organizations under the cover of legitimacy.”


The sophisticated attack began with emails impersonating executives from a global pharmaceutical distributor, complete with authentic company logos and executive names verified through LinkedIn.

The emails contained password-protected PDF attachments designed to evade automated security scanners that cannot inspect encrypted files.

The phishing campaign employed a multi-layered approach that exploited both social engineering and technical evasion tactics:

  1. Initial Contact: Victims received emails appearing to be from pharmaceutical company executives, with passwords for attached PDFs conveniently included in the message body.
  2. PDF Lure: The documents displayed legitimate company branding and contained links directing users to Simplified AI’s platform at app.simplified.com.
  3. Trusted Redirect: Users were taken to what appeared to be a legitimate Simplified AI page, displaying the impersonated company’s name alongside Microsoft 365 imagery.
  4. Credential Harvest: The final step redirected victims to a convincing fake Microsoft 365 login portal designed to steal enterprise credentials.
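A detection rule for the chain above, as an added example that is not from the Cato report or this article: it runs over constructed proxy log lines and flags a user who reaches a login-looking page on a non-Microsoft host from an allowlisted AI platform and then submits a form to it. The log format, the attacker's host name and the allowlist are assumptions.

```python
"""Flag a credential-harvest chain that pivots through an allowlisted AI platform.

Added example, not from the Cato report or this article. Each constructed proxy log
line is: timestamp user method host path referer. The rule fires when a user reaches
a login-looking page on a non-Microsoft host *from* a trusted AI platform and then
POSTs to it. Host names, log format and the allowlist are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice follows the lure, bob lands on the real Microsoft login.
SAMPLE_LOG = """\
2025-07-14T09:01:02Z alice GET app.simplified.com /share/abc123 -
2025-07-14T09:01:09Z alice GET portal-m365-verify.example /login?tenant=acme app.simplified.com
2025-07-14T09:01:40Z alice POST portal-m365-verify.example /login/submit portal-m365-verify.example
2025-07-14T09:05:00Z bob GET app.simplified.com /share/xyz789 -
2025-07-14T09:05:30Z bob GET login.microsoftonline.com /common/oauth2/authorize app.simplified.com
2025-07-14T09:05:55Z bob POST login.microsoftonline.com /common/login login.microsoftonline.com
"""

TRUSTED_AI_PLATFORMS = {"app.simplified.com"}  # what IT allowlisted
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
LOGIN_PATH = re.compile(r"/(login|signin|auth)", re.I)
WINDOW = timedelta(minutes=5)


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, method, host, path, referer = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "method": method, "host": host.lower(),
            "path": path, "referer": referer.lower(),
        })
    return events


def is_microsoft(host):
    return host in MICROSOFT_LOGIN_HOSTS or host.endswith(".microsoftonline.com")


def find_harvest_chains(events):
    """Return (user, pivot_platform, harvest_host) for every suspicious chain."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        pivoted = {}  # non-Microsoft host -> (first time reached from a trusted platform, that platform)
        for e in evs:
            if e["referer"] in TRUSTED_AI_PLATFORMS and not is_microsoft(e["host"]):
                pivoted.setdefault(e["host"], (e["ts"], e["referer"]))
            if e["method"] == "POST" and LOGIN_PATH.search(e["path"]) and e["host"] in pivoted:
                first_seen, platform = pivoted[e["host"]]
                if e["ts"] - first_seen <= WINDOW:
                    hits.append((user, platform, e["host"]))
    return hits


if __name__ == "__main__":
    for user, platform, host in find_harvest_chains(parse_log(SAMPLE_LOG)):
        print(f"{user}: credential POST to {host}, reached via allowlisted {platform}")
```

The allowlisted domain never appears as the bad actor; the signal is the referer chain plus a credential POST to a host that is not Microsoft's, so allowlisting app.simplified.com does not switch the rule off. The inverse is equally important: bob's chain through the same platform to login.microsoftonline.com is left alone.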

The attack highlights how cybercriminals are adapting to the rapid adoption of AI tools in corporate environments.

AI marketing platforms like Simplified AI have become commonplace in enterprises, with IT departments routinely whitelisting their domains and allowing employee access.

Figure: sample malicious document.

“For CISOs and IT leaders, approving such services often seems straightforward: allow access, whitelist the domain, and enable the marketing team to innovate,” the report notes.

“But what if the very same platform is leveraged by threat actors to steal from you?”

This incident reflects broader concerns about “shadow AI” usage in enterprises, where employees increasingly rely on AI tools without proper security oversight.

The attackers’ use of established platforms makes detection significantly more challenging for traditional security measures.

Mitigations

Security experts recommend several protective measures:

  • Implementing multi-factor authentication on all critical services
  • Training employees to carefully handle password-protected attachments
  • Monitoring all AI platform usage, including unauthorized applications
  • Maintaining continuous inspection of AI traffic rather than implicitly trusting it
  • Deploying advanced threat detection capabilities that can identify suspicious behavior patterns

The attack serves as a wake-up call for organizations to reassess their approach to AI platform security, treating AI traffic with the same scrutiny applied to unknown domains while balancing security needs with business innovation requirements.

Hackers Leverage X's Grok AI To Amplify Malicious Links Via Promoted Posts
https://cybersecuritynews.com/hackers-exploit-xs-grok-ai/
Thu, 04 Sep 2025 10:38:08 +0000

The post Hackers Leverage X's Grok AI To Amplify Malicious Links Via Promoted Posts appeared first on Cyber Security News.
A new cyber-attack, dubbed “Grokking,” is exploiting features on the social media platform X to spread malicious links on a massive scale.

Scammers are manipulating the platform’s advertising system and its generative AI, Grok, to bypass security measures and amplify harmful domains. This technique turns X’s own tools into unwilling accomplices in a widespread malvertising scheme.

According to Guardio security researcher Nati Tal, the attack begins with promoted "video card" posts, which often use explicit or sensational "adult" content to lure users.

While X’s policies aim to combat malvertising by disallowing links in promoted content, these attackers have found a critical loophole.

Hackers Exploit X’s Grok AI to Push Malicious Links

The malicious link is not placed in the main body of the post but is instead embedded in the small “From:” field located beneath the video player.

X’s automated security scans seem to miss this area. As a result, posts can spread widely and get anywhere from 100,000 to over 5 million paid impressions.

The second stage of the attack leverages the platform’s AI assistant, Grok. Curious users, seeing the often anonymous and intriguing videos, frequently turn to Grok to ask for the source.

In its effort to provide a helpful answer, the AI scans the post for information and extracts the domain name from the “From:” field.

Grok then presents this malicious link directly to the user in its reply. For instance, when asked about a video’s origin, Grok has been observed responding with links to suspicious domains, Nati Tal said.

This process effectively “Grokks” the malicious link, not only delivering it to inquisitive users but also amplifying its visibility and perceived legitimacy.


By having the platform’s own AI reference the domain, the scammers may benefit from enhanced SEO and a strengthened reputation for their harmful sites, making them seem more trustworthy to unsuspecting users.
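The loophole described above is that the link sits in a metadata field rather than in the post body. The following added example (not Guardio's or X's code) contrasts a scanner that reads only the caption with one that walks every string field of the post object, including the small "from" field attached to the video card. The post structure, field names and domains are constructed for illustration.

```python
"""Scan every text field of a promoted post for links, not only the caption.

Added example, not Guardio's or X's code. The post below is constructed to mirror
the pattern in the article: no link in the body text, but a domain planted in the
small "from" field on the video card. Field names and domains are assumptions.
"""
import re

SAMPLE_POST = {
    "id": "1001",
    "text": "you won't believe what happens next",
    "media": [{"type": "video", "card": {"title": "", "from": "free-stream-vidz.example"}}],
    "author": {"handle": "@randomuser42"},
}

# Matches bare domains as well as full URLs; a demonstration pattern, not a full URL grammar.
LINK_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
ALLOWED_DOMAINS = {"x.com", "twitter.com"}  # assumption: the platform's own hosts


def extract_domains(text):
    return [m.group(1).lower() for m in LINK_RE.finditer(text)]


def body_only_links(post):
    """What a scanner that reads only the caption text would see."""
    return extract_domains(post.get("text", ""))


def all_field_links(post):
    """Walk nested dicts and lists; return (field_path, domain) for every string that carries one."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + (key,))
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, path + (str(i),))
        elif isinstance(node, str):
            for domain in extract_domains(node):
                found.append((".".join(path), domain))

    walk(post, ())
    return found


def suspicious_links(post):
    """Links anywhere in the post that do not point at the platform itself."""
    return [(path, d) for path, d in all_field_links(post) if d not in ALLOWED_DOMAINS]


if __name__ == "__main__":
    print("body only :", body_only_links(SAMPLE_POST))
    print("all fields:", suspicious_links(SAMPLE_POST))
```

The field path in the result ("media.0.card.from") is the part worth logging: it tells the reviewer which rendering surface carried the link, which is exactly the information the article says the platform's scan did not act on.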

5 Common Back-to-School Online Scams Powered Using AI and How to Avoid Them
https://cybersecuritynews.com/back-to-school-online-scams/
Mon, 25 Aug 2025 14:19:57 +0000

The post 5 Common Back-to-School Online Scams Powered Using AI and How to Avoid Them appeared first on Cyber Security News.
As students return to campus and online learning platforms, cybercriminals are increasingly leveraging artificial intelligence to create sophisticated scams targeting the education sector.

These AI-enhanced attacks have become more convincing and harder to detect, making them particularly dangerous for students, parents, and educational institutions.

The integration of machine learning algorithms, natural language processing, and deepfake technology has revolutionized the landscape of educational cybercrime, creating unprecedented challenges for cybersecurity professionals.

5 Common Back-to-School Online Scams

The evolution of AI technology has enabled cybercriminals to automate and enhance traditional scam techniques with alarming efficiency.

These attacks now demonstrate human-like communication patterns, personalized targeting capabilities, and sophisticated social engineering techniques that were previously impossible to execute at scale.

Figure: Top 5 AI-powered back-to-school scams.

1. AI-Generated Fake Scholarship and Financial Aid Offers

Cybercriminals use large language models to create convincing scholarship applications and financial aid notifications. These AI-powered systems can generate personalized content that matches a student’s academic profile, using information scraped from social media platforms and educational databases.

The scams often feature realistic institutional branding, proper grammar, and persuasive language that traditional automated systems couldn’t achieve.

Technical indicators include inconsistent sender domains, requests for unusual personal information like Social Security numbers or bank routing numbers, and urgent deadlines that pressure victims into hasty decisions.

Real-world examples include the “National Student Excellence Foundation” scam that affected over 15,000 students in 2024, using GPT-based content generation to create individualized scholarship offers.

2. Deepfake Voice and Video Calls

AI-powered voice synthesis and video deepfake technology enable scammers to impersonate school administrators, financial aid officers, or professors during phone calls or video conferences.

These attacks use only a few seconds of authentic audio or video samples, often obtained from publicly available institutional content, to create convincing impersonations.

The technical process involves neural network models trained on voice patterns and facial features, creating real-time audio and video synthesis. Detection methods include analyzing audio artifacts, inconsistent lip-sync patterns, and unusual background elements. A notable case involved scammers impersonating a university president to authorize fraudulent tuition payments, affecting 47 families.

3. Automated Social Media Manipulation

AI chatbots and automated social media accounts create fake tutoring services, study groups, and educational communities to harvest personal information and distribute malware.

These systems use natural language processing to maintain convincing conversations and build trust with potential victims over extended periods.

Technical characteristics include inconsistent posting patterns, generic profile images generated by AI, and responses that don’t align with previous conversation context. The attacks often involve credential harvesting through fake login portals for educational platforms.

4. AI-Enhanced Phishing Website Generation

Machine learning algorithms automatically generate convincing replicas of legitimate educational websites, including student portals, library systems, and course management platforms.

These sites adapt their content based on the victim’s browser characteristics and location, making them particularly effective.

The technical implementation involves web scraping legitimate sites, AI-powered content modification, and dynamic URL generation to avoid detection by security filters. These sites often use typosquatting domains and SSL certificates to appear legitimate.
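The typosquatting the paragraph refers to can be scored mechanically. As an added example not taken from the article, the code below classifies candidate domains against an institution's domain by homoglyph normalization, edit distance on the registrable label, and use of the institution's name inside an unrelated domain. The institution domain and the candidates are invented, and the registrable-domain rule is a deliberate simplification.

```python
"""Classify candidate domains as typosquats of an institution's domain.

Added example, not from the article. Checks, in order: same registrable domain
(legitimate, including subdomains), same label on a different TLD, homoglyph
substitution after normalization, small edit distance on the label, and the
institution's name embedded in an unrelated domain. Domains are invented.
"""

HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))  # aggressive on purpose; scoring only


def normalize(label):
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Classic edit distance with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host):
    """(registrable label, tld) using a two-label rule; real code needs the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return (parts[-2] if len(parts) > 1 else parts[0]), parts[-1]


def classify(candidate, target, max_edits=2):
    label, tld = split_host(candidate)
    tlabel, ttld = split_host(target)
    if label == tlabel and tld == ttld:
        return "legitimate"          # the institution's own domain or a subdomain of it
    if label == tlabel:
        return "tld-swap"            # midstate.com standing in for midstate.edu
    if normalize(label) == normalize(tlabel):
        return "homoglyph"           # rnidstate -> midstate
    if levenshtein(normalize(label), normalize(tlabel)) <= max_edits:
        return "typo"                # midstae
    if tlabel in candidate.lower():
        return "brand-in-name"       # midstate-edu-login.example, midstate.edu.verify-account.example
    return "unrelated"


INSTITUTION = "midstate.edu"
CANDIDATES = ["www.midstate.edu", "rnidstate.edu", "midstae.edu", "midstate.com",
              "midstate-edu-login.example", "midstate.edu.verify-account.example", "example.org"]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c:40} {classify(c, INSTITUTION)}")
```

Run against newly registered domains or certificate-transparency logs, the "brand-in-name" class is usually the noisiest and the most useful, since that is how the student-portal clones in the paragraph above tend to be named.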

5. Intelligent Textbook and Supply Scams

AI systems analyze market trends and student needs to create fake online stores selling textbooks and school supplies at attractive prices. These platforms use machine learning to optimize their conversion rates and avoid detection by adjusting their tactics based on user interactions.

Phishing Emails Disguised as School Communication

AI-powered phishing campaigns targeting educational institutions have become increasingly sophisticated, utilizing natural language generation models to create authentic-looking communications that bypass traditional email security filters.

Figure: AI-powered phishing attack flow.

Modern AI-generated phishing emails demonstrate several technical characteristics that distinguish them from traditional automated attacks. These messages show improved grammar, contextual relevance, and personalization that traditional rule-based systems cannot achieve.

The emails often incorporate real institutional information, current events, and personalized details gathered through social media reconnaissance.

Technical analysis reveals that these emails frequently use legitimate-looking sender addresses through email spoofing techniques, combined with AI-generated content that matches the institution’s communication style.

The attack vectors typically involve credential harvesting through fake login portals, malware distribution via infected attachments, or social engineering to extract sensitive personal information.

Real-world examples include the “COVID-19 Testing Requirements” phishing campaign that targeted over 200 universities in 2024, using GPT-based content generation to create institution-specific messages about mandatory testing procedures.

The emails contained links to credential harvesting sites designed to steal student login credentials for later use in account takeover attacks.

Detection strategies involve analyzing email headers for inconsistencies, checking sender reputation through DNS lookups, and examining linguistic patterns that may indicate AI generation.

Advanced email security solutions now incorporate machine learning models specifically trained to detect AI-generated content by identifying subtle patterns in text generation that human writers typically don’t exhibit.
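A header check of the kind described above, as an added example that is not part of the article: the raw message is constructed to show the inconsistencies a spoofed institutional email leaves behind (a registrar domain written into the display name while the real sender, Return-Path and Reply-To point elsewhere, and DMARC failing in Authentication-Results), together with the urgency cues that the content itself carries. Domains and header values are made up.

```python
"""Flag header inconsistencies in a suspected spoofed institutional email.

Added example, not from the article. The raw message is constructed: the display
name claims the registrar's domain, the real sender, Return-Path and Reply-To point
elsewhere, and Authentication-Results (as a receiving MTA would stamp it) records
DMARC failing. Domains and header values are made up.
"""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-blast-xyz.example>
Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=mail-blast-xyz.example; dkim=pass header.d=mail-blast-xyz.example; dmarc=fail header.from=university-portal-secure.example
From: "University Registrar (registrar@university.example)" <alerts@university-portal-secure.example>
Reply-To: registrar.help@gmail.example
To: student@university.example
Subject: URGENT: Mandatory testing compliance - respond within 24 hours
Content-Type: text/plain

Dear student, your enrollment will be suspended unless you verify your account immediately at the link below.
"""

URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended|final notice)\b", re.I)


def domain_of(header_value):
    """Domain of the address in a header value such as '"Name" <user@host>'."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results (simplified parse)."""
    hdr = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}


def analyze_headers(raw):
    """Return (code, detail) findings in a fixed order."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    display_name = parseaddr(str(msg["From"]))[0]
    # Display-name spoofing: a domain written into the friendly name that is not the sender's
    for claimed in re.findall(r"@([\w.-]+)", display_name):
        if claimed.lower() != from_dom:
            findings.append(("display-name-spoof", f"name claims {claimed}, address is {from_dom}"))
    for header, code in (("Return-Path", "return-path-mismatch"), ("Reply-To", "reply-to-mismatch")):
        if msg[header] and domain_of(msg[header]) != from_dom:
            findings.append((code, f"{header} domain {domain_of(msg[header])} != {from_dom}"))
    verdicts = auth_results(msg)
    if verdicts.get("dmarc") and verdicts["dmarc"] != "pass":
        findings.append(("dmarc-fail", f"dmarc={verdicts['dmarc']} for {from_dom}"))
    text = (msg["Subject"] or "") + " " + msg.get_payload()
    cues = sorted({m.lower() for m in URGENCY.findall(text)})
    if cues:
        findings.append(("urgency", ", ".join(cues)))
    return findings


if __name__ == "__main__":
    for code, detail in analyze_headers(SAMPLE_EMAIL):
        print(f"{code:22} {detail}")
```

None of these checks depends on spotting machine-written prose, which is the point: the more fluent the text, the more weight the header evidence has to carry. Note that Authentication-Results is only trustworthy when it was added by your own receiving MTA; a stamped-in copy from the sender should be stripped at the edge.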

Social Media & Messaging App Scams

Social media platforms and messaging applications have become primary attack vectors for AI-powered scams targeting students, leveraging the trust and informal communication patterns typical of these platforms.

AI chatbots deployed on platforms like Instagram, TikTok, and Discord can maintain convincing conversations for extended periods, building relationships with potential victims before executing their scams.

These systems use personality modeling and conversation history analysis to create consistent personas that appear genuine to unsuspecting students.

Platform | Common Scam Type | AI Technique Used | Target Information | Warning Signs | Prevention Method
Instagram | Fake tutoring services | Chatbot conversations | Student ID credentials | Generic profile pictures | Verify through official channels
TikTok | Fraudulent scholarship offers | Deepfake video testimonials | Financial aid details | Pressure for immediate payment | Check platform verification badges
Discord | Fake study groups | Natural language processing | Personal contact info | No verified contact info | Use secure payment methods
Telegram | Cryptocurrency investment scams | Automated profile generation | Cryptocurrency wallets | Unrealistic returns promised | Research company legitimacy
WhatsApp | Fake job opportunities | Voice synthesis | Resume and career info | Poor grammar despite AI use | Never share sensitive data
Snapchat | Dating scams targeting students | AI-generated images | Personal photos/videos | Requests for personal data | Meet in public places
Facebook | Fake textbook marketplaces | Dynamic content creation | Payment information | Prices too good to be true | Use institutional resources
LinkedIn | Impersonation of professors | Behavioral mimicking | Academic credentials | Urgent deadlines | Verify professor identity
Twitter/X | Fake internship offers | Sentiment analysis | Professional networks | Unverified credentials | Check company websites
Reddit | Academic paper mills | Content personalization | Academic integrity violations | Anonymous communication only | Report suspicious accounts

Technical implementation involves natural language processing models fine-tuned on social media communication patterns, automated profile generation using AI-created images and biographical information, and sentiment analysis to optimize engagement strategies.

The bots often promote fake educational services, fraudulent job opportunities, or financial scams specifically targeting students’ limited budgets and academic pressures.

Prevention and Mitigation Strategies

Educational institutions should implement comprehensive cybersecurity awareness programs focusing on AI-powered threats, deploy advanced email security solutions with AI detection capabilities, and establish clear protocols for verifying financial communications.

Students must be trained to recognize signs of AI-generated content, verify all financial offers through official institutional channels, and use multi-factor authentication on all educational accounts.

Technical countermeasures include implementing DMARC policies to prevent email spoofing, using behavioral analysis tools to detect unusual account activity, and deploying AI-powered security solutions that can identify and block sophisticated phishing attempts.
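The DMARC countermeasure above is only as strong as the policy the institution publishes. This added example (not the article's) implements the receiver-side evaluation: a message passes if SPF or DKIM passes and the authenticated domain aligns with the From: domain; otherwise the record's p= action applies. The two records and the message results are constructed, and the organizational-domain logic is simplified.

```python
"""Apply a DMARC record to a message's SPF/DKIM results the way a receiving MTA does.

Added example, not from the article. It shows why a weak record (p=none) leaves a
spoofed From: domain deliverable while p=reject does not. Records and results are
constructed; the organizational domain is approximated as the last two labels,
which is wrong for registries such as co.uk (real receivers use the Public Suffix List).
"""

WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@university.example"
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@university.example"


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed mode accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """'pass' if an authenticated identifier aligns with From:, else the record's p= action."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


if __name__ == "__main__":
    # Spoof: SPF and DKIM both pass, but for the attacker's own domain, so nothing aligns with From:
    for name, record in (("weak", WEAK_RECORD), ("strict", STRICT_RECORD)):
        print(name, dmarc_disposition(record, "university.example",
                                      True, "mail-blast-xyz.example", True, "mail-blast-xyz.example"))
```

Note the trade-off in the strict record: with adkim=s a legitimate message signed by a subdomain such as mail.university.example also fails alignment. That is why many institutions stall at p=none, and why moving to p=reject means first making every legitimate sender sign with the exact From: domain.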

Regular security audits and incident response planning are essential for maintaining robust defense against these evolving threats.

The rise of AI-powered scams targeting the education sector represents a significant evolution in cybercriminal tactics, requiring equally sophisticated defensive strategies and increased awareness among all stakeholders in the educational ecosystem.

What is MCP Server – How it is Powering AI-Driven Cyber Defense
https://cybersecuritynews.com/mcp-server/
Wed, 13 Aug 2025 09:07:21 +0000

The post What is MCP Server – How it is Powering AI-Driven Cyber Defense appeared first on Cyber Security News.
MCP (Model Control Plane) Server is a centralized platform that orchestrates, manages, and secures the lifecycle of AI models deployed across an organization’s infrastructure.

By providing integration, management, and real-time monitoring of models, MCP servers enable enterprises to defend against sophisticated, AI-powered cyberattacks.

This article explores MCP server integration and usage, its core workings, the new standards it establishes for AI-driven cyber defense, and the key protocols and standards that ensure its interoperability and security.

MCP Server Integration and Usage

Organizations deploy MCP servers to unify disparate AI model endpoints, data sources, and security tools under a single control plane. Typical integration points include:

  1. AI Model Registries
    • Connects to versioned repositories (e.g., MLflow, Azure ML) via RESTful APIs to fetch model metadata and artifacts.
    • Ensures only approved model versions are deployed to production environments.
  2. Data Ingestion Pipelines
    • Interfaces with streaming platforms (e.g., Kafka, Pulsar) and batch storage (e.g., S3, HDFS) through gRPC and HTTP(S).
    • Tags data with provenance metadata for traceability and audit compliance.
  3. Security Information and Event Management (SIEM) Systems
    • Pushes real-time AI inference logs and alert events via syslog or AMQP to SIEM tools like Splunk or QRadar.
    • Correlates AI-predicted threat indicators with traditional firewall and IDS alerts, reducing false positives by up to 45%.
  4. Endpoint Protection Platforms
    • Deploys lightweight agents on servers and endpoints with WebSocket or MQTT communication channels.
    • Receives real-time anomaly scores and dynamic policy updates to quarantine suspicious processes.
  5. Orchestration & Container Platforms
    • Integrates with Kubernetes operators and Helm charts for auto-scaling inference pods.
    • Implements admission controllers that prevent deployment of tampered or backdoored models using cryptographic signatures.

Figure: MCP server architecture integrating AI-driven cyber defense components.
How Does MCP Work?

At its core, an MCP server comprises the following components:

Figure: MCP server internal architecture.


Protocols and Standards

Protocol/Standard | Purpose
OAuth2.0 + OIDC | Authentication and authorization for API access
mTLS | Encrypted, mutually authenticated communication between components
STIX/TAXII | Structured threat intelligence sharing across organizations
CEF & LEEF | Log formatting for SIEM interoperability
Rego (OPA) | Policy-as-code language enabling dynamic security policy evaluations
ONNX & JSON Schema | Model format interoperability and payload validation
gRPC & REST | High-performance RPC and traditional HTTP interfaces for control

Real-World Attack Examples

  1. Model Poisoning in Financial Fraud Detection
    A threat actor injected malicious transactions into the training data pipeline of a bank’s fraud-detection model. The MCP server’s telemetry engine detected a sudden drift in feature distributions (transaction amounts spiked) and automatically quarantined the suspect data stream, preventing fraudulent model retraining.
  2. Adversarial Evasion in Email Filtering
    Attackers crafted phishing emails with adversarial payloads that evaded signature-based filters. The MCP inference router applied adversarial detection policies—triggered by a spike in L0-norm perturbations—and rerouted suspicious messages to a sandbox for dynamic analysis, blocking over 98% of novel phishing attempts.
  3. Backdoor Activation in Autonomous Systems
    A compromised third-party vision model contained a backdoor that triggered misclassification under specific pixel patterns. The MCP policy engine’s explainability module flagged unexpected Shapley value distributions, retracting the model before deployment and forcing a retraining cycle with increased regularization and sanitization.
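Attack example 1 hinges on the telemetry engine noticing that the distribution of transaction amounts has drifted before the poisoned batch reaches retraining. The following Python is an added illustration of that check and is not code from the article or from any MCP implementation: it scores a new training batch against a baseline window using the Population Stability Index (PSI), a standard distribution-drift metric, and returns the policy decision (allow or quarantine the stream). The log-normal baseline, the 30% injected high-value transactions, and the 0.25 quarantine threshold are constructed assumptions.

```python
import math
import random
from typing import List, Sequence, Tuple

# Constructed sample data standing in for the telemetry engine's feature window.
# Baseline: a bank's "normal" transaction amounts (log-normal, median about 55).
# Poisoned batch: the same population with roughly 30% injected high-value transactions.
def constructed_baseline(n: int = 2000, seed: int = 1) -> List[float]:
    rng = random.Random(seed)
    return [rng.lognormvariate(4.0, 1.0) for _ in range(n)]

def constructed_clean_batch(n: int = 500, seed: int = 2) -> List[float]:
    rng = random.Random(seed)
    return [rng.lognormvariate(4.0, 1.0) for _ in range(n)]

def constructed_poisoned_batch(n: int = 500, seed: int = 3, poison_frac: float = 0.3) -> List[float]:
    rng = random.Random(seed)
    clean = [rng.lognormvariate(4.0, 1.0) for _ in range(int(n * (1 - poison_frac)))]
    injected = [rng.uniform(40_000, 60_000) for _ in range(n - len(clean))]  # the "spike"
    return clean + injected

def quantile_edges(baseline: Sequence[float], n_bins: int = 10) -> List[float]:
    """Bin edges at baseline quantiles, so every bin holds about 1/n_bins of the baseline."""
    s = sorted(baseline)
    return [s[i * len(s) // n_bins] for i in range(1, n_bins)]

def bin_proportions(values: Sequence[float], edges: Sequence[float]) -> List[float]:
    """Fraction of values in each of the len(edges)+1 bins; bin k covers [edges[k-1], edges[k])."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        k = 0
        while k < len(edges) and v >= edges[k]:
            k += 1
        counts[k] += 1
    n = max(len(values), 1)
    return [c / n for c in counts]

def psi(baseline: Sequence[float], batch: Sequence[float],
        n_bins: int = 10, floor: float = 1e-4) -> float:
    """Population Stability Index: sum over bins of (q_k - p_k) * ln(q_k / p_k),
    where p is the baseline proportion and q the new batch's. The floor keeps
    ln() finite when a bin is empty in one of the two windows."""
    edges = quantile_edges(baseline, n_bins)
    p = bin_proportions(baseline, edges)
    q = bin_proportions(batch, edges)
    total = 0.0
    for pk, qk in zip(p, q):
        pk, qk = max(pk, floor), max(qk, floor)
        total += (qk - pk) * math.log(qk / pk)
    return total

def evaluate_training_stream(baseline: Sequence[float], batch: Sequence[float],
                             threshold: float = 0.25) -> Tuple[str, float]:
    """Policy decision for the retraining pipeline: quarantine the stream when
    drift exceeds the threshold. 0.25 is the commonly quoted PSI 'significant
    shift' cut-off and is an assumption here, not a value from the article."""
    score = psi(baseline, batch)
    return ("quarantine" if score > threshold else "allow", score)

if __name__ == "__main__":
    base = constructed_baseline()
    for name, batch in (("clean", constructed_clean_batch()),
                        ("poisoned", constructed_poisoned_batch())):
        decision, score = evaluate_training_stream(base, batch)
        print(f"{name:9s} PSI={score:.3f} -> {decision}")
```

Quantile bins from the baseline are used rather than fixed-width bins so that a handful of extreme injected amounts cannot hide in a single wide bucket; the spike lands entirely in the top bin and dominates the PSI term, while a clean batch of the same size stays well under the threshold.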

By centralizing AI model governance, enforcing dynamic security policies, and integrating with existing cybersecurity frameworks, MCP servers establish a robust, AI-driven defense posture that adapts in real time to evolving threats. Their adoption marks a pivotal shift toward automated, data-driven resilience in modern enterprise security.

The post What is MCP Server – How it is Powering AI-Driven Cyber Defense appeared first on Cyber Security News.

ChatGPT-5 Released: What’s New With the Next-Generation AI Agent https://cybersecuritynews.com/chatgpt-5-released/ Fri, 08 Aug 2025 07:37:17 +0000 https://cybersecuritynews.com/?p=120213

The post ChatGPT-5 Released: What’s New With the Next-Generation AI Agent appeared first on Cyber Security News.

OpenAI has officially launched ChatGPT-5, a new generation of its AI agent that introduces a sophisticated, unified system designed to be faster, more intelligent, and significantly more useful for real-world applications.

This release marks a significant evolution from its predecessors, offering a suite of models tailored for different tasks and complexities.

At the core of GPT-5 is a novel architecture featuring two primary models: gpt-5-main and gpt-5-thinking. The gpt-5-main model, the successor to GPT-4o, is engineered for speed and efficiency, handling the majority of user queries.

For more challenging problems that demand deeper reasoning, the system seamlessly shifts to gpt-5-thinking, the successor to OpenAI’s o3 model.

  • GPT‑4o → gpt-5-main
  • GPT‑4o-mini → gpt-5-main-mini
  • OpenAI o3 → gpt-5-thinking
  • OpenAI o4-mini → gpt-5-thinking-mini
  • GPT‑4.1-nano → gpt-5-thinking-nano
  • OpenAI o3 Pro → gpt-5-thinking-pro

This dynamic allocation is managed by a real-time router that intelligently analyzes the context of a conversation, its complexity, and any specific user instructions, such as prompting the AI to “think hard about this.”

The router continuously learns and refines its decision-making based on user interactions, including which model users switch to and the preference rates for responses, ensuring it becomes more efficient over time. To manage high demand, smaller “mini” versions of each model are deployed to handle queries once usage limits are reached.

The new GPT-5 family extends beyond these core models, offering specialized versions for developers and advanced users. The API provides direct access to gpt-5-thinking, its mini counterpart, and an even faster gpt-5-thinking-nano version.

For ChatGPT users seeking maximum power, gpt-5-thinking-pro is available, leveraging parallel computing for enhanced performance.

Beyond architectural upgrades, GPT-5 boasts significant performance enhancements. OpenAI has made notable strides in reducing hallucinations, improving the model’s ability to follow complex instructions, and minimizing sycophantic or overly agreeable responses.

According to the release notes, performance has been specifically upgraded in three of ChatGPT’s most common use cases: writing, coding, and health.

With these advanced capabilities come heightened safety measures. All GPT-5 models are trained with “safe-completions,” a new approach to prevent the generation of disallowed content.

Acknowledging its power, OpenAI has proactively classified the gpt-5-thinking model as “High capability” in the biological and chemical domains under its Preparedness Framework.
