Threat Briefing
Everything on this page is real — no simulation. Actively exploited vulnerabilities from CISA, recently disclosed breaches, live internet attack trends, and analyst commentary, each linked to its original source. If a data source is unreachable, its section says so; nothing here is ever invented.
Recently disclosed breaches source: Have I Been Pwned ·
Newly added to the HIBP catalog — note that disclosure often lags the breach itself by months. Click a breach to see the full entry and check whether your own email appears in it.
Internet attack activity sources: Cloudflare Radar, SANS ISC ·
Two independent vantage points on the same internet: application-layer attacks observed across Cloudflare's network, and what the SANS Internet Storm Center's volunteer sensor network sees hitting exposed ports.
Attack volume — last 30 days
Top origins — 24h (Radar)
Most-attacked ports (ISC)
Actively exploited vulnerabilities source: CISA KEV catalog + FIRST.org EPSS ·
The complete catalog of vulnerabilities with confirmed in-the-wild exploitation. If you run any of this software, the due date is CISA's patch deadline for US federal agencies — a good benchmark for everyone. EPSS estimates the probability of exploitation in the next 30 days.
| CVE | Vendor / Product | Vulnerability | EPSS | Added | Patch due |
|---|---|---|---|---|---|
| Loading the full catalog… | |||||
Analyst commentary source: SANS ISC handler diaries ·
Short, practical write-ups from working incident handlers — what they're seeing on real sensors and networks right now.
Learn the vocabulary
The terms this page (and the security news) assume you know.
- CVE
- A unique ID for a publicly known software vulnerability (e.g. CVE-2026-12345), assigned by the CVE Program so everyone can talk about the same flaw.
- KEV
- CISA's Known Exploited Vulnerabilities catalog — the subset of CVEs with confirmed real-world exploitation. If it's in KEV, attackers are actively using it.
- EPSS
- Exploit Prediction Scoring System — a data-driven estimate (0–100%) of how likely a vulnerability is to be exploited in the next 30 days. Useful for prioritizing patches.
- CVSS
- A severity score (0–10) describing how bad a vulnerability could be if exploited. Severity and likelihood are different questions — that's why EPSS exists too.
- IoC
- Indicator of Compromise — an artifact (IP address, domain, file hash) associated with malicious activity, used to detect or block it.
- Defanged
- A hostile address written so it can't be clicked accidentally: hxxp instead of http, [.] instead of dots. You'll see this wherever IoCs are shared responsibly.
- Infocon
- SANS ISC's overall internet threat level (green / yellow / orange / red), raised when a widespread, disruptive threat is in progress.
- Ransomware
- Malware that encrypts (and usually steals) data, demanding payment. KEV entries flagged "ransomware" are known entry points for these campaigns.
- C2
- Command and control — the infrastructure attackers use to direct compromised machines. Blocking known C2 addresses cuts malware off from its operator.
- Layer-7 attack
- An attack aimed at the application itself (web requests, logins, APIs) rather than raw network flooding — harder to distinguish from legitimate traffic.
- Data breach
- An incident where protected data is exposed or stolen. "Breach date" is when it happened; "disclosed" is when the world found out — often much later.
- Patch deadline
- KEV entries carry a date by which US federal agencies must remediate. It doubles as a sensible urgency signal for any organization.