Digital Security News | Microsoft Security Blog http://approjects.co.za/?big=en-us/security/blog/content-type/news/ Expert coverage of cybersecurity topics Thu, 09 Jul 2026 21:55:41 +0000 en-US hourly 1 https://wordpress.org/?v=6.9.4 Securing our future: July 2026 progress report on Microsoft’s Secure Future Initiative http://approjects.co.za/?big=en-us/security/blog/2026/07/10/securing-our-future-july-2026-progress-report-on-microsofts-secure-future-initiative/ Fri, 10 Jul 2026 16:00:00 +0000 http://approjects.co.za/?big=en-us/security/blog/?p=148538 Microsoft’s latest Secure Future Initiative report outlines progress on secure foundations, AI-powered defense, and future-ready cybersecurity.

The post Securing our future: July 2026 progress report on Microsoft’s Secure Future Initiative appeared first on Microsoft Security Blog.

]]>
Security is never finished. That conviction is where the Secure Future Initiative (SFI) started two years ago and continues to guide us today. AI is reshaping cybersecurity. Cyberattackers can discover vulnerabilities, chain attack paths, and scale exploitation faster than manual approaches allow. Defenders can use the same advances to identify risk, strengthen protections, and accelerate response. As the threat landscape evolves, security must evolve with it.

This latest SFI progress report shows how Microsoft is adapting to that reality: strengthening security foundations for an AI-accelerated cyberthreat landscape, applying AI to improve security outcomes at scale, and preparing for future challenges such as scalable quantum computing.

This report organizes our progress into three outcome-driven themes—secure foundations, proactive defense, and future-ready security—and shares lessons learned, practical guidance, and deeper insights across the culture, governance, principles, and engineering pillars that underpin security at Microsoft.

Secure foundations

The most consequential security failures rarely come from a single missing control. They come from environments where identity gaps, unmanaged assets, and inconsistent configurations sit side by side, creating composite attack paths that determined threat actors can chain together. SFI addresses this systemically, strengthening security across our environment. The results show the progress:

  • Phishing-resistant multifactor authentication now protects 99.97% of user/device pairs at Microsoft.
  • More than 732,000 resources have had public access revoked, with network isolation scaling across 1 million resources.
  • 1.4 million unused apps were decommissioned and cross-boundary credential isolation reached 98.7%.
  • Engineering defaults now prevent 83% of pipelines from accessing unapproved package endpoints.

These controls form reinforcing layers: identity feeds access governance, access governance feeds segmentation, segmentation contains blast radius, and engineering defaults reduce what enters production in the first place. One of the lessons we have learned is that foundations are durable only when they’re continuously validated, not periodically audited.

Proactive defense

Secure foundations reduce the attack surface. Proactive defense builds on that foundation to find and fix weaknesses quickly. Traditional practices like code review and penetration testing remain essential. The difference now is that frontier AI can discover vulnerabilities and chain exploit paths faster than manual review can keep up. That’s a threat and, when used well, an advantage. We’ve leaned into that advantage to find real risk earlier and close it before a cyberattacker can act.

  • We built a multi-agent AI system that delivers proactive assessment of a cloud service’s source code, identity configurations, network topology, and runtime state to surface composite vulnerabilities that a single-layer review could not catch. More than 90% of findings confirmed by our security engineers, enabling proactive actions to improve security posture.
  • This system builds on other tools in our security portfolio—such as the Microsoft Security multi-model agentic scanning system (codename MDASH), which scans source code to identify, validate, and prioritize vulnerabilities at scale—and adds configuration, identity, network, and runtime context to comprehensively assess the service.
  • More than 100 new detections were added this year (more than 350 total), shifting from signature-based to behavior- and baseline-driven detection.
  • More than 550,000 critical and high-risk open-source vulnerabilities were remediated, with about 3 million container vulnerabilities patched per month through automation.

Future-ready security

Some risks have not fully arrived yet, but waiting for them is not an option. The most urgent example is the transition to post-quantum cryptography. The threat is already here in the form of “harvest now, decrypt later”: data encrypted today could be captured and decrypted once quantum capability matures.

  • We are accelerating the Microsoft Quantum Safe Program (QSP) timeline, with the goal of transitioning to post-quantum cryptography (PQC) in critical products and services by 2029.          
  • PQC is now an SFI-measured engineering requirement, with workstreams advancing across network traffic, data-at-rest protection, and trust chain modernization.
  • Quantum-safe algorithms (ML-KEM, ML-DSA) are available today across major platforms.
  • Read more in the recent blog: Accelerating quantum-safe readiness.

Governance, culture, and principles

Foundational progress like this is only possible because of the people committed to making it possible. Security is a core responsibility for every employee at Microsoft: mandatory Trust Code training was completed by more than 99% of full-time employees. Governance is what makes it scale, with accountability driven through our Deputy Chief Information Security Officer (CISO) structure and a centralized risk register. And our principles—secure by design, secure by default, secure in operations—are what turn intent into product, like Microsoft 365 Baseline Security Mode. Tools alone don’t create durable security; culture, accountability, and secure defaults do.

What you can do today

Throughout the report, we share actionable guidance for organizations at any stage of their security journey. A few starting points:

  • Enforce phishing-resistant multifactor authentication and eliminate legacy authentication protocols.
  • Inventory every tenant and classify it. Apply secure-by-default provisioning with drift detection.
  • Evaluate how identity, code, configuration, and network relationships interact in production. Prioritize composite attack paths over isolated findings.
  • Inventory your cryptographic dependencies now and establish transition plans for post-quantum readiness.
  • Enable Baseline Security Mode in Microsoft 365 for secure-by-default configuration at no additional cost.

Read the full SFI report, including detailed pillar-level progress and additional customer guidance.

Each hardening action changes the cyberattacker’s approach. The compounding effect of SFI is that attackers face a shrinking set of viable paths, while defenders gain better telemetry, stronger defaults, and sharper prioritization for the paths that remain.

Security is a team sport. We are grateful for the partnership of our customers, security researchers, and the broader industry as we work together to make the world a safer place for all.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Securing our future: July 2026 progress report on Microsoft’s Secure Future Initiative appeared first on Microsoft Security Blog.

]]>
5 insights from Frost & Sullivan’s 2025 Frost Radar™ for Cloud Security Posture Management http://approjects.co.za/?big=en-us/security/blog/2026/07/06/5-insights-from-frost-sullivans-2025-frost-radar-for-cloud-security-posture-management/ Mon, 06 Jul 2026 16:00:00 +0000 http://approjects.co.za/?big=en-us/security/blog/?p=146999 Read five key learnings from the Frost & Sullivan 2025 Frost Radar™ for CSPM to learn how CSPM is evolving from point-in-time compliance to continuous risk management.

The post 5 insights from Frost & Sullivan’s 2025 Frost Radar™ for Cloud Security Posture Management appeared first on Microsoft Security Blog.

]]>
Cloud security posture management (CSPM) is being redefined as two forces collide: Cloud environments are becoming more interconnected—spanning workloads, identities, data, APIs, and development pipelines—while security teams must reduce risk faster with fewer tools and less time.

Frost & Sullivan’s 2025 Frost Radar™ for Cloud Security Posture Management points to a structural shift: CSPM is no longer a periodic compliance exercise. It’s a continuous, risk‑based governance layer inside modern cloud native application protection platforms (CNAPPs). Frost & Sullivan projects the CSPM market will grow from $2.82 billion in 2025 to $6.96 billion by 2030 at a 19.8% compound annual growth rate (CAGR)—reflecting the growing shift from standalone posture tools to integrated, platform‑based approaches.

A cloud native application protection platform (CNAPP) brings together posture, workload protection, identity and entitlement management, and related controls to secure applications across the full lifecycle—from development through runtime operations.

Frost & Sullivan’s analysis also reinforces Microsoft’s position among leading CSPM providers, with strong performance across innovation and growth. This reflects Microsoft’s approach to unifying posture management with workload protection, identity, and data security as part of a broader CNAPP platform—aligning directly with how CSPM is evolving from point-in-time compliance to continuous risk management.

Below are five key insights from the Frost Radar and what they mean for security leaders navigating today’s cloud threat landscape.

1. CSPM is becoming the governance layer for CNAPP 

Frost & Sullivan research suggests CSPM is evolving beyond a standalone tool focused on configuration hygiene. Instead, it increasingly serves as the entry point and governance backbone for CNAPP—integrating posture signals with workload protection, identity, data security, and security operations center (SOC) workflows.

Modern CSPM solutions are expected to:

  • Provide continuous visibility across infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).
  • Correlate misconfigurations, identities, vulnerabilities, and data exposure.
  • Feed high‑fidelity posture context into runtime protection and incident response workflows.

What to look for

Unified visibility that connects posture findings with workload, identity, and data signals—so investigations don’t begin from scratch when posture risk turns into an incident.

Frost notes that by 2030, CSPM is expected to become less a standalone market and more a foundational governance layer inside CNAPP platforms—unifying code‑to‑cloud policy and feeding posture context into runtime and SOC workflows

2. The market is moving beyond compliance to riskbased prioritization

Compliance coverage is now table stakes. Frost highlights that for organizations to differentiate they need solutions that continuously assess risk, reduce noise, and guide remediation—helping teams focus on the “toxic combinations” that create real exposure.

Leading solutions need to:

  • Continuously assess risk rather than rely on point‑in‑time scans.
  • Reduce alert fatigue through contextual correlation.
  • Prioritize remediation based on exploitability and business impact.

Organizations are increasingly using CSPM to drive ongoing risk reduction—with compliance reporting treated as an outcome of stronger controls.

What to look for

Prioritization that highlights likely cyberattack paths—not just severity scores—so teams can fix what’s exploitable first and minimize false positives.

Security leaders are adjusting how they evaluate CSPM vendors in response to these shifts. Rather than asking how many compliance frameworks a solution supports, they’re looking at whether posture insights can be correlated with identity, workload, and runtime signals to expose exploitable attack paths and guide remediation across developer and SOC workflows. Frost & Sullivan’s evaluation framework reflects this transition—placing greater emphasis on integrated, code to cloud risk management capabilities inside broader CNAPP platforms.

3. Codetocloud visibility is now required

Another major theme in the Frost Radar report is how organizations can embed posture management earlier in the application lifecycle to prevent misconfigurations before deployment—and continuously detect drift as environments change.

The report emphasizes:

  • Infrastructure‑as‑code (IaC) scanning and policy‑as‑code enforcement
  • Continuous integration and continuous delivery (CI/CD) pipeline integration
  • Ownership mapping so issues are routed to the right developer or team

By extending posture management into DevSecOps workflows, organizations can reduce remediation costs and prevent risk from reaching production.

What to look for

Security guardrails embedded in CI/CD pipelines—with clear ownership routing—so remediation happens earlier and doesn’t bounce between teams.

4. Multicloud complexity is driving platform consolidation

Fragmented tools and siloed data continue to create blind spots across posture, identity, and workload risk—overwhelming SOC teams and reducing operational effectiveness.

As a result, buyers are consolidating point products into integrated CNAPP platforms that correlate posture, workload, identity, and runtime signals.

Platform convergence is reshaping CSPM investment and deployment models:

  • A growing share of CSPM capability is delivered as part of a broader platform.
  • Shared dashboards improve visibility across hybrid and multicloud environments.

Consolidation reduces tool sprawl and improves SecOps efficiency.

What to look for

A platform approach that standardizes policies across clouds and carries posture insights into security operations (SecOps) workflows—improving both signal quality and remediation speed.

5. AI is reshaping CSPM—from operations to new workloads

Frost highlights AI as both an operational enabler and a new security domain for CSPM.

AI is being used to:

  • Reduce alert fatigue through contextual prioritization.
  • Generate compliance evidence.
  • Deliver guided remediation for developers and security teams.

At the same time, CSPM capabilities are expanding into AI workload posture management—covering models, pipelines, and related infrastructure.

What to look for

AI assisted prioritization and guided remediation—plus posture coverage for AI workloads—so emerging risks such as prompt injection or data leakage are managed alongside traditional cloud risk.

What this means for security leaders

Frost & Sullivan’s analysis underscores that CSPM is no longer about checking compliance boxes—it’s becoming a strategic control layer for managing cloud risk across the entire application lifecycle.

If you’re evaluating CSPM capabilities in 2025–2026, ask:

  • Can posture findings be correlated with identity, workload, and data context to expose exploitable cyberattack paths?
  • Can security guardrails be embedded earlier in CI/CD pipelines through IaC and policy‑as‑code?
  • Can posture insights flow into SOC workflows for faster investigation and response?
  • Can risk be continuously prioritized across multicloud environments—not just reported periodically?

How Microsoft aligns with CSPM’s next phase

Frost & Sullivan attributes Microsoft’s leadership in CSPM to its ability to operationalize posture management as part of a broader cloud security platform—aligning with the report’s emphasis on integrating posture with runtime protection, identity, data security, and SecOps workflows across the application lifecycle. These capabilities align with the same governance, prioritization, DevSecOps integration, and lifecycle visibility themes highlighted across the Frost Radar insights above.

Rather than operating as a standalone compliance layer, Microsoft correlates posture data with runtime telemetry and identity signals—integrating findings into developer pipelines and SOC workflows through GitHub, Azure DevOps, and Microsoft Defender XDR. Frost highlights Microsoft’s multicloud visibility across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP); policy‑as‑code enforcement and CI/CD integration to strengthen shift‑left security; and unified dashboards that carry posture context into investigations and response.

The Frost report also notes Microsoft’s expansion into emerging posture domains—including AI and API posture management—to continuously manage cloud and AI workload risk across the application lifecycle.

Learn more

  • Explore Microsoft cloud security solutions to see how unified posture management, risk prioritization, and protection across the application lifecycle can help reduce cloud risk.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post 5 insights from Frost & Sullivan’s 2025 Frost Radar™ for Cloud Security Posture Management appeared first on Microsoft Security Blog.

]]>
Microsoft named a leader in the Frost Radar for cloud and application runtime security http://approjects.co.za/?big=en-us/security/blog/2026/07/01/microsoft-named-a-leader-in-the-frost-radar-for-cloud-and-application-runtime-security/ Wed, 01 Jul 2026 16:00:00 +0000 http://approjects.co.za/?big=en-us/security/blog/?p=148373 Frost & Sullivan names Microsoft a leader as cloud and application security converge into unified, runtime risk reduction.

The post Microsoft named a leader in the Frost Radar for cloud and application runtime security appeared first on Microsoft Security Blog.

]]>
Cloud security is shifting from visibility to contextual risk reduction, extending into the applications, APIs, and workloads where attacks actually occur. Because modern workloads are built and run in the cloud, security teams must understand which exposures matter most, prioritize what can truly be exploited, and reduce risk across the full stack from infrastructure to application runtime.

As organizations expand across multicloud and hybrid environments, they adopt modern architectures built on containers, Kubernetes, microservices, APIs, and AI-powered workloads. This increases both the volume and interconnectedness of security signals. The challenge is no longer identifying individual risks, but determining how vulnerabilities, identities, and data exposures combine across infrastructure and the applications running on it to create real attack paths, and which of these are most critical to fix at the source. Effective risk reduction depends on understanding which of these paths are actually reachable and exploitable in a live environment.

Frost & Sullivan’s 2026 Frost Radar™ for Cloud/Application Runtime Security (CARS) reflects this shift. The report highlights how cloud security is evolving from a collection of posture and workload capabilities into a unified runtime risk operations model, correlating signals across code, cloud, runtime, applications, and security operations center (SOC) workflows to prioritize and reduce risk continuously.

Within this evolving market, Microsoft is positioned as a visionary leader because of the scale of its hyperscale ecosystem, operational breadth of Microsoft Defender for Cloud when integrated with Microsoft Defender XDR, and large customer base. That recognition reflects where the category is heading: toward platforms that connect cloud and application security into one operational view of risk.

Why cloud security is being redefined

The Frost Radar makes a clear point: cloud security is no longer about visibility or compliance alone. It is becoming an operational discipline for reducing risk across the full runtime—from cloud infrastructure to the application code executing on top of it.

Modern environments introduce complexity across:

  • Multicloud and hybrid infrastructure.
  • Rapid development and continuous deployment.
  • Containers, serverless, microservices, and APIs.
  • AI-powered workloads, agents, and machine identities.

This complexity exposes the limits of traditional, siloed tools—where cloud posture, workload protection, and application security each live in their own console. Organizations now need platforms that can:

  • Correlate posture, runtime, identity, data, and application signals.
  • Prioritize risk based on exploitability—not severity alone.
  • Integrate security across development, cloud operations, and the SOC.
  • Validate whether a vulnerability is actually reachable inside a running application.

This is the shift the report describes: from detecting issues to operationalizing risk reduction across the lifecycle—and across both cloud and application layers.

What distinguishes leading platforms

Frost & Sullivan evaluates providers on growth and innovation—but, more importantly, on how effectively they help organizations manage real risk. Five themes define the next generation of platforms:

  1. Platform unification over point solutions.
  2. Code-to-cloud-to-SOC integration.
  3. Risk prioritization based on exploitability.
  4. Correlation across identity, data, cloud, and application context.
  5. Expansion into AI-powered workloads.

Taken together, these capabilities represent a move from fragmented visibility to connected, contextual risk management that spans cloud detection and response (CDR) and application detection and response (ADR)—the two halves the market is converging into a single runtime fabric.

How Microsoft help organizations manage real risk

1. Connect signals to prioritize real attack paths

Most security tools surface large volumes of findings across cloud infrastructure and applications, but isolated findings do not reflect how cyberattacks actually happen. Threat actors exploit how misconfigurations, excessive permissions, and data exposure combine to create a path to critical assets.

Microsoft Defender for Cloud correlates posture, identity, data, and runtime signals to identify which risks are truly exploitable. A misconfigured storage resource on its own may appear low priority. However, when it is exposed to the internet, combined with excessive access permissions, and connected to sensitive data, it becomes part of a clear attack path that can be used to compromise the environment.

What this means: Security teams can prioritize real attack paths instead of individual findings, helping to reduce alert fatigue and improve remediation speed and precision.

2. Continuously validate and act on risk across the lifecycle

Security needs to operate continuously across development, runtime, and operations, spanning both the application and the cloud environment it runs in. Defender for Cloud connects insights across code and infrastructure definitions, cloud configuration and runtime context, application and API layers, and security operations workflows through Defender XDR.

A vulnerability identified before deployment can be tracked through to runtime, where it is evaluated in the context of the running environment and surfaced in security operations if it is determined to be exploitable.

What this means: Organizations can continuously validate risk and respond more effectively by connecting development, cloud environments, and security operations.

3. Reducing complexity across fragmented cloud and application security workflows

As environments scale, fragmented tools and workflows make it difficult to understand how risks connect and where to focus first. When cloud infrastructure and application security are managed separately, investigation becomes slower and more manual.

Defender for Cloud helps bring these signals together in a single investigative flow, where risks can be analyzed across configuration, runtime context, application behavior, and identity exposure.

Instead of switching between separate tools, security teams can investigate a single incident across its initial misconfiguration, runtime impact, application behavior, and identity exposure, a more connected experience.

What this means: Security teams can investigate faster, prioritize risk more efficiently, focus on what matters most, and respond more quickly across fragmented cloud and application environments.

What this signals for security leaders

The Frost Radar offers a signal for where cloud security is headed: toward platforms that connect context across cloud and application environments so teams can prioritize the risks most likely to be exploited and reduce exposure faster. Security leaders should now ask:

  • Can the platform correlate signals across identity, endpoints, data, cloud, runtime, and applications?
  • Does it span the full code-to-cloud lifecycle—and reach into the SOC?
  • Can it prioritize risk based on exploitability—not just severity?
  • Does it bring cloud detection and response together with application detection and response?
  • Can it scale across multicloud and AI environments?

These are the capabilities that define the next generation of cloud and application runtime security.

Bottom line

Frost & Sullivan’s 2026 CARS analysis reinforces a clear shift: cloud security is moving from fragmented visibility to unified, contextual risk management across the entire lifecycle—and across both the cloud and the application layer.

Microsoft’s position as a visionary leader in the Frost Radar reflects this shift—bringing together posture, runtime, identity, endpoints, data, and application signals into a connected platform that helps organizations prioritize and reduce risk continuously.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft named a leader in the Frost Radar for cloud and application runtime security appeared first on Microsoft Security Blog.

]]>
​​What’s new in Microsoft Security: June 2026 http://approjects.co.za/?big=en-us/security/blog/2026/06/30/whats-new-in-microsoft-security-june-2026/ Tue, 30 Jun 2026 16:00:00 +0000 http://approjects.co.za/?big=en-us/security/blog/?p=148103 This month’s updates help security and IT teams strengthen identity and multicloud foundations, protect data wherever it lives, and secure the developer workflows powering AI innovation.

The post ​​What’s new in Microsoft Security: June 2026 appeared first on Microsoft Security Blog.

]]>
As organizations scale AI and agents across environments, security teams need protection that covers every surface. The Microsoft vision is simple: security should be ambient and autonomous, just like the AI it protects. This month’s updates help security and IT teams strengthen identity and multicloud foundations, protect data wherever it lives, and secure the developer workflows powering AI innovation. Here’s what’s new:

Codename MDASH helps teams discover and remediate complex vulnerabilities

Codename MDASH is a multi-model agentic scanning system designed to discover, validate, and help remediate software vulnerabilities across complex environments. MDASH orchestrates a panel of specialized AI agents that reason through proprietary code and systems, helping security teams surface elusive vulnerabilities quickly and systematically. For example, when security teams use MDASH to scan a complex application, it can identify and validate a previously undetected vulnerability in the underlying code and systems, and route it into Microsoft Defender workflows and engineering pipelines for remediation. This closed loop connects discovery, validation, and remediation across the Microsoft stack. Sign up to follow codename MDASH and join the private preview to surface and validate hard-to-find vulnerabilities with multi-model AI.

Microsoft Defender extends endpoint protection to local AI agents

Microsoft Defender now discovers more than 25 types of local AI agents and Model Context Protocol (MCP) servers across managed Windows and macOS devices. Defender also protects at runtime: if a developer using a popular coding agent like GitHub Copilot Command-Line Interface (CLI) or Claude Code is targeted by a prompt injection attempts, Defender detects and blocks it before the malicious action executes. From there, security teams can investigate agent exposure across their environment with Advanced Hunting. These capabilities are now in preview.

Microsoft Entra Backup and Recovery restores critical identity data

Microsoft Entra Backup and Recovery is now generally available, delivering Microsoft-managed, always-on backups native to your environment that are protected from deletion or modification. Security teams gain clear visibility into what changed across their tenant and can back up core directory objects, compare and restore to previous timestamps, and configure Conditional Access policies to protect against permanent deletion. Together, these capabilities protect your tenant, helping you minimize downtime and recover quickly from accidental changes and security compromises. Strengthen identity resilience with rapid recovery capabilities in Microsoft Entra.

Microsoft Defender protects open-source relational databases on AWS RDS

Microsoft Defender for Cloud now extends database threat protection to open-source relational databases on Amazon Web Services (AWS) Relational Database Service (RDS). Now generally available, built-in threat detection identifies anomalous access patterns and brute-force attempts, while automated sensitive data discovery helps teams understand where high-risk data resides. These insights, combined with integrated investigation across Microsoft Defender, help teams prioritize and respond to database risks more effectively. Detect threats and discover sensitive data across Azure and AWS with Microsoft Defender.

Screenshot of a cybersecurity dashboard showing a critical vulnerability in an AWS RDS database exposed to the internet with basic authentication. Diagram highlights attack path from internet to database, risk factors like weak authentication, and resource types with labeled nodes and connecting arrows.

Greater flexibility over data security insights with Microsoft Purview customizable reports

Microsoft Purview customizable reports, now generally available in Data Security Posture Management (DSPM), give teams greater control and flexibility to tailor reporting views, analyze trends, and quickly surface the insights that enable faster, more informed decisions. Choose from out-of-the-box reports or create custom reports tailored to your organization’s specific needs, with easy options to export and share insights across teams and stakeholders. For example, security teams can create role-specific reports that highlight high-risk data exposure trends to guide policy decisions. Learn how to customize reporting experiences to uncover your critical data security insights.

Broader visibility with expanded multi-cloud coverage in Defender for Cloud

Microsoft Defender for Cloud is expanding multicloud coverage and visibility across AWS and Google Cloud, adding support for approximately 90 additional resource types and more than 200 new security recommendations. Security teams can better understand their attack surface with broader visibility across cloud-native applications, identities, data services, and workloads. Across multicloud environments, teams can better assess security posture and prioritize remediation based on exposure context, compliance posture, and business criticality to reduce risk more effectively. Gain broader visibility and prioritize risk across multicloud environments with Defender for Cloud.

Prioritize risk with unified identity risk score

A new unified identity risk score combines signals from across Microsoft Security into a single, explainable measure of an identity’s risk. It brings together behavior, access patterns, and threat intelligence for all related accounts, sessions, and applications to provide a complete view of risk. The moment an identity acts suspiciously, the score helps your team cut through the noise, prioritize what’s urgent, and can automatically trigger Conditional Access policies to enforce protection at the point of access. Prioritize identity risk and enforce protection in real time with the new unified identity risk score.

Security innovations purpose built for developers

To help developers secure code, agents, and models while giving security teams consistent visibility and control from development through runtime, Microsoft is integrating security into the tools and platforms developers already use. Organizations can use the new security tools and capabilities announced at Microsoft Build 2026 to innovate faster and scale AI adoption without sacrificing security. Read more about the Build 2026 security announcements.

Stay In the Loop

Microsoft Security continually ships meaningful innovations across our portfolio and research-driven insights and reports for the security community. In the Loop posts are your reliable source of what’s new across Microsoft Security and what it means for your security strategy. Check back for the next drop.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post ​​What’s new in Microsoft Security: June 2026 appeared first on Microsoft Security Blog.

]]>
Microsoft a Leader in The Forrester Wave™ for Endpoint Management Platforms http://approjects.co.za/?big=en-us/security/blog/2026/06/25/microsoft-a-leader-in-the-forrester-wave-for-endpoint-management-platforms/ Thu, 25 Jun 2026 16:00:00 +0000 http://approjects.co.za/?big=en-us/security/blog/?p=148272 Microsoft named a Leader in the Forrester Wave™: Endpoint Management Platforms, Q2 2026, with the highest scores in the current offering and strategy categories.

The post Microsoft a Leader in The Forrester Wave™ for Endpoint Management Platforms appeared first on Microsoft Security Blog.

]]>
The endpoint management category is being redefined in real time. Organizations no longer need tools that only inventory devices or enforce configuration policies; they need a platform that connects identity, security, compliance, and AI governance across every endpoint where work happens. Microsoft’s recognition as a Leader in The Forrester Wave™: Endpoint Management Platforms, Q2 2026 report reflects that shift—and the role Microsoft Intune plays in helping organizations manage what’s next.

Why Microsoft Intune is a leader in endpoint management

The Forrester Wave™ Endpoint Management Platforms, Q2 2026 report includes eight endpoint management platform providers, assessed across current offering, strategy, and customer feedback. Forrester’s assessment of Microsoft reflects how Intune is built. The vision Forrester describes is one built on Microsoft Entra, Microsoft Defender, Windows, and Windows 365 as a connected system, not a collection of adjacent tools. Customers can enforce conditional access, apply compliance policies, and correlate device health signals from a single admin center. That reach is what the cross-platform, cloud-native architecture is built for.

Microsoft Intune offers a strong platform for Windows environments, as customer feedback in the Forrester report notes, and Intune brings management across Windows, macOS, iOS, and Android together in the same admin console. That leadership extends from information worker devices to the frontline worker endpoints that are increasingly critical to business operations. On macOS specifically, Intune uses declarative device management to apply configuration and compliance policies natively, without requiring a separate tool or an additional management layer. Frontline workers on shared kiosks and handheld scanners, and information workers on corporate laptops, fall under the same policies without requiring parallel toolchains.

Endpoint Privilege Management (EPM) received explicit recognition from Forrester, which noted that AI embedded in Intune powers EPM and device onboarding workflows to help IT analyze device data and troubleshoot issues. Elevating or restricting privileges used to require manual review cycles. With AI in that workflow, admins make faster decisions on which requests to approve, deny, or escalate.

Security Copilot in Intune operates directly within the admin experience, operating on the same data and policy surface IT teams already use. From policy configuration, to identifying vulnerabilities, and recommending remediation, agentic assistance handles investigation and triage so admins focus on decisions that need judgment. The recent public preview of the Vulnerability Remediation Agent extends that further, drawing on Microsoft Defender Vulnerability Management to surface CVEs across Intune-managed Windows devices and apps, with Copilot-assisted impact summaries, suggested actions, and step-by-step remediation guidance, all without leaving the console.

These capabilities do not stand alone. Forrester also recognized a superior partner strategy. Our strategy helps connect endpoint management to the service desk, device procurement, and mobile threat defense tools already in the environment. Endpoint management that stops at the device boundary does not close the loop on risk. Intune, with capabilities such as EPM and AI-assisted remediation, brings its partner ecosystem together to help turn Zero Trust from core principles into daily IT practice: apply least privilege, verify explicitly, and enforce through policy to prevent breach.

On licensing, Forrester’s independent customer feedback pointed to the economic value of Microsoft simplified, bundled pricing. Intune is included in Microsoft 365 E3 and Microsoft 365 E5. Starting this month, advanced management solutions of the Intune Suite, including EPM, join those plans automatically. Full details are in our announcement blog: Microsoft 365 adds advanced Microsoft Intune solutions at scale. We continue to invest in areas such as unattended remote access sign-in for Intune Remote Help and automatic updates of required apps for Intune Enterprise Application Management, both of which will roll out for general availability in July 2026, and Intune now supports Red Hat Enterprise Linux 9 and 10.

Governing AI for the future of work

Every organization putting AI to work in practice needs IT and security teams that can say yes confidently: Yes to new device types, yes to modern workloads, and yes to agents running alongside users. Trust and confidence are requirements for safe AI adoption. Microsoft Agent 365 gives organizations a control plane for agents they can trust, and confidence comes from having a platform where identity, device management, and security policy are already connected. A unified platform does not just reduce complexity. It changes what teams are able to do with their time, and what the organization is able to do with AI.

AI agents are now endpoints, and Intune is the policy layer for Agent 365 that governs how they run. Through Microsoft Execution Containers, Intune gates local agent runtime execution directly on Windows devices, requiring isolation with guardrails like filesystem rules so agents run in controlled environments rather than with unchecked access to host systems. Windows 365 for Agents extends that model to cloud PCs provisioned specifically for agent workloads: Each agent Cloud PC is Entra-joined and Intune-managed, configured with the same security, compliance, and policy controls as user devices, so governance scales without new infrastructure.

For shadow AI, Intune is one of three signals alongside Defender and Entra that surface unmanaged agents. Defender discovers agents and adds inline protection; Intune applies policies to block common execution methods and device-level runtime security policies, giving multiple connected signals and one coordinated posture rather than multiple parallel workflows. That is how AI moves from an isolated pilot into the daily practice of how organizations operate, govern and protect AI, not just enable it.

At Microsoft, we believe Forrester’s assessment reflects where the market is heading, where governance, identity, and security work as one system. Each capability is more effective because it operates on shared signal, not siloed data. Microsoft Intune helps organizations reduce complexity, strengthen security, and make AI adoption practical at scale—governed and protected.

Learn more about Microsoft Intune solutions. Bookmark the Microsoft Intune blog to keep up with our expert coverage on endpoint management.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. This report is part of a broader collection of Forrester resources, including interactive models, frameworks, tools, data, and access to analyst guidance. For more information, read about Forrester’s objectivity here 

The post Microsoft a Leader in The Forrester Wave™ for Endpoint Management Platforms appeared first on Microsoft Security Blog.

]]>
CNAPP evolution: How Microsoft aligns with leading cloud risk management platforms http://approjects.co.za/?big=en-us/security/blog/2026/06/24/cnapp-evolution-how-microsoft-aligns-with-leading-cloud-risk-management-platforms/ Wed, 24 Jun 2026 18:00:00 +0000 Learn how CNAPP platforms are helping organizations prioritize exploitable risks, reduce exposure, and operationalize security across the application lifecycle.

The post CNAPP evolution: How Microsoft aligns with leading cloud risk management platforms appeared first on Microsoft Security Blog.

]]>

Cloud security is shifting from visibility to context-aware risk reduction, helping security teams understand which exposures matter most, prioritize what can be exploited, and reduce risk across the application lifecycle. As organizations continue to expand across multicloud environments, Kubernetes, APIs, and AI-powered workloads, security teams are overwhelmed with signals. The challenge is no longer identifying individual risks, but determining which combinations of vulnerabilities, identities, and data exposures are most critical to address at the source.

Frost & Sullivan’s 2026 Frost Radar™ for Cloud-Native Application Protection Platforms (CNAPP) reflects this shift. The report highlights how CNAPP is evolving from a collection of posture and workload capabilities into a unified cloud risk operations platform—one that correlates signals across code, cloud, runtime, and SOC workflows to prioritize and reduce risk continuously. Within this evolving market, Microsoft is positioned among leading CNAPP vendors—reflecting alignment with where the category is heading.

Why CNAPP is being redefined

The Frost Radar makes a clear point: CNAPP is no longer about visibility or compliance—it is becoming an operational platform for reducing risk.

Modern environments introduce complexity across:

  • Multicloud and hybrid infrastructure.
  • Rapid development and continuous deployment.
  • Containers, serverless, and APIs.
  • AI-powered workloads.

This complexity exposes the limits of traditional tools.

Organizations now require platforms that can:

  • Correlate posture, runtime, identity, and data signals.
  • Prioritize risk based on exploitability—not severity alone.
  • Integrate security across development and operations.
  • Support faster investigation and response.

This is the shift: from detecting issues to operationalizing risk reduction across the application lifecycle.

What distinguishes leading CNAPP platforms

Frost evaluates CNAPP providers based on growth and innovation—but more importantly, on how effectively they help organizations manage risk.

According to the report, five themes define the next generation of platforms:

  • Platform unification over point solutions.
  • Code-to-cloud-to-SOC integration.
  • Risk prioritization based on exploitability.
  • Correlation across identity, data, and application context.
  • Expansion into AI-powered workloads.

These capabilities represent a shift from fragmented visibility to connected, contextual risk management.

How Microsoft aligns with CNAPP’s next phase

1. Correlating risk across identity, endpoints, data, and cloud

Most security tools surface findings. Fewer connect them meaningfully. Modern attacks exploit the combination of misconfigurations, excessive permissions, and data exposure—not isolated issues. Microsoft Defender for Cloud correlates posture findings with identity, data, and runtime signals—helping surface risks that are exploitable. A misconfigured storage resource on its own may not appear critical. But when combined with excessive access permissions and the presence of sensitive data, it can create a clear attack path.

What this means: Security teams can prioritize real attack paths instead of individual findings, reducing alert fatigue and improving remediation speed and precision.

2. Extending security from code to cloud to SOC

Security must operate continuously across development, runtime, and operations.

Defender for Cloud connects:

  • Code and infrastructure-as-code scanning.
  • Cloud posture and runtime protection.
  • Security operations and response workflows.

A vulnerability identified in infrastructure-as-code before deployment can be tracked through to runtime—where it is validated against real-world behavior and surfaced in security operations if actively exploitable.

What this means: Organizations move from fragmented workflows to continuous risk validation and response across the lifecycle.

3. Reducing complexity across fragmented security workflows

As environments scale, tool sprawl limits visibility and slows response. Microsoft delivers CNAPP capabilities as part of a connected platform—integrating posture management, workload protection, identity, data, and threat detection across multicloud environments. Instead of switching between separate tools, security teams can investigate a single incident across initial misconfiguration, runtime impact, and identity exposure, enabling a more connected experience.

What this means: Security teams can investigate faster, prioritize risk more consistently, and reduce exposure across fragmented cloud environments.

Where security leaders focus next

The Frost Radar offers a signal for where cloud security is headed: toward platforms that connect context across cloud environments so teams can prioritize the risks most likely to be exploited and reduce exposure faster.

Security leaders should now ask:

  • Can the platform correlate signals across identity, end points, data, cloud, and runtime?
  • Does it span the full code-to-cloud lifecycle?
  • Can it prioritize risk based on exploitability—not just severity?
  • Does it integrate with SOC workflows for faster response?
  • Can it scale across multicloud and AI environments?

These are the capabilities that define the next generation of CNAPP.

Bottom line

Frost & Sullivan’s 2026 CNAPP analysis reinforces a clear shift: Cloud security is moving from fragmented visibility to unified, contextual risk management across the entire lifecycle. Microsoft’s position in the Frost Radar reflects this shift—bringing together posture, runtime, identity, end points, and data signals into a connected platform that helps organizations prioritize and reduce risk continuously.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Microsoft Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post CNAPP evolution: How Microsoft aligns with leading cloud risk management platforms appeared first on Microsoft Security Blog.

]]>
One intrusion, two cyberattackers: Uncovering parallel threat activity http://approjects.co.za/?big=en-us/security/blog/2026/06/22/one-intrusion-two-cyberattackers-uncovering-parallel-threat-activity/ Mon, 22 Jun 2026 16:00:00 +0000 Ransomware case reveals two parallel threat actors, blending tactics and evasion—showing why isolated signals can often miss modern, overlapping cyberattacks.

The post One intrusion, two cyberattackers: Uncovering parallel threat activity appeared first on Microsoft Security Blog.

]]>
What began as a routine ransomware investigation quickly revealed something far more complex. In this ninth cyberattack series report, DART details how a single intrusion uncovered parallel activity from two unrelated threat actors operating simultaneously—blending tactics, obscuring signals, and challenging traditional assumptions about how multi-stage intrusion campaigns unfold across hybrid environments. Read on to learn more or access the full report.

What happened?

The investigation revealed a multi-stage intrusion that blended familiar ransomware activity with quieter, more deliberate techniques designed to establish deep and lasting access. DART found that Storm-2603 had been targeting on-premises SharePoint servers since mid-2025, exploiting known vulnerabilities while simultaneously probing for additional entry points through reconnaissance activity—such as requests for sensitive configuration files often used to validate local file inclusion weaknesses. In this case, initial access was likely attempted through a separate vulnerability, with requests for files like win.ini and web.config, indicating probing for local file inclusion. While exploitation wasn’t confirmed, the timing and activity suggest reconnaissance for entry points.

Once inside, the threat actor shifted focus to persistence and control. Using legitimate tools to blend in, they deployed Velociraptor with SYSTEM-level privileges to map the environment, then established multiple remote access channels through Cloudflare tunneling, Zoho Assist, and Secure Shell (SSH) connections configured through Visual Studio Code. Velociraptor, a legitimate forensic and incident response tool, was deployed by the threat actor to map the environment and operate with high-level privileges—blending malicious activity with trusted administrative behavior. Privilege escalation followed, with new local and domain administrator accounts created to maintain access, while defense evasion techniques—including the use of a vulnerable driver to tamper with memory and disable protections—helped reduce their visibility.

As DART correlated activity across the environment, investigators uncovered signs of a second, unrelated threat actor operating in parallel. Malicious dynamic link library (DLL) sideloading and custom backdoors—techniques not associated with Storm-2603—introduced an additional layer of complexity, obscuring attribution and complicating detection. Together, these overlapping activity streams enabled sustained access while masking the full scope of the intrusion.

Dynamic link library (DLL) sideloading is popular with threat actors because it can be misused to hide behind trusted software (execution looks legitimate), to evade detection by running inside known applications, and to execute payloads, install backdoors, or maintain persistence.

How did Microsoft respond?

DART moved quickly to contain the active intrusion involving multiple threat actors and stabilize the environment, activating a structured response playbook focused on limiting threat actor impact and restoring control. By correlating telemetry across identities, endpoints, and cloud resources, responders established a unified view of the intrusion, enabling them to detect abnormal behavior, uncover credential misuse, and track threat actor activity as it evolved. Continuous coordination with the customer, including daily briefings, ensured that containment actions were timely, aligned, and effective in reducing further threat actor movement.

At the same time, collaboration with Microsoft Threat Intelligence provided critical context that reshaped the investigation. By connecting incident data with broader intelligence, DART identified two distinct threat actors operating simultaneously within the same environment—each masking the other’s activity and complicating detection. Beyond containment, the team delivered targeted guidance to strengthen the organization’s security posture, helping close visibility gaps and improve resilience against future identity compromise and ransomware-driven attacks.

What can customers do to strengthen their defenses?

This case underscores the importance of closing common gaps across exposure, identity, and visibility. Organizations should prioritize rigorous patching and vulnerability management—especially for internet-facing systems—to reduce the risk of initial access. At the same time, strengthening identity security is critical to limiting threat actor escalation and persistence. At a high level, customers can avoid similar cyberattacks by focusing on ways to:

  • Establish broad, continuous visibility:
    Deploy endpoint protection widely and retain telemetry centrally to support detection, investigation, and correlation.
  • Monitor and restrict trusted tools:
    Validate and oversee the use of remote access, tunneling, and administrative tools that threat actors may exploit for persistence and lateral movement.
  • Prepare for rapid, coordinated response:
    Maintain tested incident response playbooks and ensure teams can quickly isolate compromised users, devices, and access paths to reduce dwell time.

Today’s modern cyberattacks can quickly evolve beyond a single incident-blending tactic, spanning environments, and even involving multiple threat actors operating in parallel. For security teams, the takeaway is clear: isolated signals rarely tell the full story. Organizations that invest in connected telemetry, coordinated response, and operational preparedness will be better positioned to detect adversary activity such as credential abuse and lateral movement earlier, contain active intrusions faster, and limit their overall impact.

What is the Cyberattack Series?

In our Cyberattack Series, customers discover how DART investigates unique and notable attacks. For each cyberattack story, we share:

cyberattack series no. 8

Read the report ›

  • How the cyberattack happened.
  • How the breach was discovered.
  • Microsoft’s investigation and eviction of the threat actor.
  • Strategies to avoid similar cyberattacks.

DART is made up of highly skilled investigators, researchers, engineers, and analysts who specialize in handling global security incidents. We’re here for customers with dedicated experts to work with you before, during, and after a cybersecurity incident.

Learn more

To learn more about DART capabilities, please visit our website, or contact your Microsoft account manager or Premier Support contact. To learn more about the cybersecurity incidents described above, including more insights and information on how to protect your own organization, download the full report.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post One intrusion, two cyberattackers: Uncovering parallel threat activity appeared first on Microsoft Security Blog.

]]>
New Forrester Total Economic Impact™ study projects a 124% ROI from unifying with Microsoft Security http://approjects.co.za/?big=en-us/security/blog/2026/06/18/new-forrester-study-shows-customers-who-unified-with-microsoft-security-benefited-from-124-roi/ Thu, 18 Jun 2026 19:36:08 +0000 New Forrester Total Economic Impact™ study shows Microsoft Security consolidation delivers ROI, lowers risk, and prepares organizations to secure AI.

The post New Forrester Total Economic Impact™ study projects a 124% ROI from unifying with Microsoft Security appeared first on Microsoft Security Blog.

]]>
Across many industries, organizations are unifying security and putting AI agents to work. Security teams are utilizing agents that reason, decide, and act on their behalf, under their governance. At Microsoft, we see this firsthand—more than 80% of the Fortune 500 are already using AI.1 The promise of this moment is enormous. The responsibility that comes with it is just as significant. This year, Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study for our AI-first, end-to-end security platform.

What end-to-end security delivers

Based on in-depth interviews with a survey of 362 customers and 11 security decision-makers using Microsoft Security solutions, the Forrester study revealed the impact of consolidating with Microsoft Security. To model the financial impact, Forrester aggregated insights into a single composite organization—a global business-to-business (B2B) company with 10,000 employees—and constructed a TEI framework that quantifies costs, benefits, and risks. Through its study, Forrester projected that an organization would experience the following over three years.

  • Up to 30% reduction in the likelihood of a breach
    Integrated protection across identities, endpoints, data, and infrastructure helps prevent attacks before they succeed.
  • Up to 25% reduction in cost to remediate remaining attacks
    End-to-end visibility and coordinated response cut the cost of incidents that do occur.
  • Up to 23% reduced annual technology spend
    Consolidating point solutions eliminates redundant tooling and the licensing and services that come with it.
  • Up to 32% avoided headcount growth
    Automation, integration, and self-service let teams scale without scaling proportionally.
  • 20% lower total cost of ownership—$3.0M in TCO savings
    A unified platform reduces the operating drag of running disconnected tools.
Graphic showing results from a commissioned Forrester Total Economic Impact (TEI) study: 124% return on investment, under six-month payback period, and $16.6 million net present value.

Based on interviews, Forrester’s financial analysis found that a composite organization experiences $30.0 million in benefits over three years versus $13.4 million in costs, resulting in a net present value (NPV) of $16.6 million and an ROI of 124%.

Read the full Forrester TEI study for a complete methodology, assumptions, and detailed financial analysis.

Microsoft Security allows us to deploy modern solutions and be on the leading edge of technologies at enterprise scale.” 

—Senior information security officer, NGO

Value beyond what’s measured

The numbers tell part of the story. What we hear from defenders and what the Forrester study reinforces is that the real value of consolidation shows up in the work itself: faster decisions, less friction, more time spent on the cyberthreats that matter. That’s especially true as AI changes both what cyberattackers can do and what defenders can build.

  • Security for AI – New solutions like Microsoft Agent 365 with foundations of Microsoft Security, extend identity, governance, and control to AI agents, so customers can adopt them with confidence. 
  • AI for Security – Microsoft Security Copilot, together with Microsoft Defender, Entra and Purview provides AI-assisted insights to help defenders investigate, prioritize, and respond to security incidents.
  • Security foundations for Zero Trust – Identity and access controls work consistently across the environment, without stitching together multiple vendors. 
  • Simplified hiring and skill development – Building on tools security teams already know makes it easier to recruit, onboard, and grow talent. 
  • Improved employee experience – Single sign-on and streamlined device onboarding reduce friction, so people can focus on their work. 

I like Microsoft because it’s the only vendor that provides a single view or a single location for all the security needs: cloud posture, endpoint protection management, data loss prevention. You don’t have that many vendors today that have the Swiss Army Knife-style platform.”

—Regional chief information security officer (CISO), engineering

An evolving playbook for the agentic era

An integrated approach to security is especially important as threat complexity grows—some organizations use an average of 45 security tools,2 which can increase operational overhead and limit visibility. At the same time, AI-powered threats are accelerating. As human-led AI agents begin to respond to threats, a connected security model becomes even more critical—extending consistent protections not only to traditional surfaces, but also to emerging layers such as prompts, models, plug-ins, and the agents themselves.

Security as the core primitive of the AI stack

As security systems evolve to meet the demands of the agentic era, we see security differently. In the agentic era, security should be the core primitive of the AI stack—woven into and around every layer, ambient, and autonomous, like the AI it protects.

Diagram of a Microsoft AI-first end-to-end security platform, illustrating integrated solutions including Microsoft Defender, Sentinel, Entra, Intune, and Purview, supported by security services and threat intelligence across agents, people, and foundational layers.

This principle is why we built our platform end-to-end—from identity and endpoint management to data security, compliance, and threat protection—creating an agentic defense platform that unifies the security operations center (SOC) and uses AI to help defenders operate at machine speed with Microsoft Security Copilot. Microsoft Agent 365 extends on this foundation as the control plane for agents, giving security, IT, and business teams the visibility and controls they need to govern agents at scale. Built to work together natively, these aren’t separate products that happen to integrate. They’re a single platform designed for end-to-end security in the age of AI.

Microsoft has done an excellent job developing security agents such as identity and intelligence… Microsoft is innovating as fast as tech startups in the space.” 

—Global CISO, professional services

Built to secure what comes next

The era of agentic AI doesn’t just raise the stakes for security. It changes what security should be. Alongside our customers and our partners, we’re building the future of security. Read the full Forrester Total Economic Impact™ of Microsoft Security study. Explore end-to-end Security for AI to learn how to safeguard your AI platforms, apps, and agents with comprehensive solutions.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1Cyber Pulse: An AI Security Report. Microsoft Security Insider.

2Gartner Identifies the Top Cybersecurity Trends for 2025,” March 3, 2025. https://www.gartner.com/en/newsroom/press-releases/2025-03-03-gartner-identifiesthe-top-cybersecuri…

The post New Forrester Total Economic Impact™ study projects a 124% ROI from unifying with Microsoft Security appeared first on Microsoft Security Blog.

]]>
Beyond the benchmark: Advancing security at AI speed  http://approjects.co.za/?big=en-us/security/blog/2026/06/17/beyond-the-benchmark-advancing-security-at-ai-speed/ Wed, 17 Jun 2026 19:30:00 +0000 http://approjects.co.za/?big=en-us/security/blog/?p=148100 Read how Microsoft Security has advanced its agentic vulnerability detection system, codename MDASH, integrating into real-world workflows across Windows, Azure, and identity systems.

The post Beyond the benchmark: Advancing security at AI speed  appeared first on Microsoft Security Blog.

]]>

Every vulnerability has two clocks running. One belongs to the defender racing to find it; the other to the cyberattacker hoping to find it first. For as long as software has existed, those clocks have favored the attacker, because modern code is vast, interconnected, and changing every day, while security reviews happen at fixed moments in time. The space between “code shipped” and “code reviewed” is where risk quietly accumulates. 

A few months ago, we set out to reshape that timing. We introduced codename MDASH, Microsoft Security’s multi-model agentic scanning system, built to discover, validate, and help remediate software vulnerabilities end-to-end. The goal was straightforward to articulate and hard to execute: take AI-powered vulnerability discovery and remediation capability from a research project and turn them into production-grade defense at enterprise scale. That meant going beyond pattern matching and building a system that could reason through the complexity of proprietary code and platforms like Windows, Hyper-V, Azure, and identity systems.

Rather than rely on any single model, the system orchestrates a panel of specialized AI agents, each with its own role in a structured pipeline, so security teams can surface hard bugs quickly and systematically, expanding the reach of human-led review. Findings flow into Microsoft Defender workflows, where they can be prioritized alongside threat intelligence and runtime signals, and into GitHub and Azure DevOps pipelines, where they can be validated and remediated, a closed loop connecting discovery, validation, proof, and fix across the Microsoft stack.

When we introduced the system, it topped a leading industry benchmark. That was the announcement, and the starting line. In the weeks since, the system has moved from early capability validation into active use by Microsoft engineering teams across Windows, Azure, and identity systems, applied as part of real security workflows rather than isolated testing environments. This post explores what we have built since, the lessons we’ve learned from turning research into a production-quality system, and the opportunities ahead as we focus on delivering real-world security impact.

From the lab into the pipeline

The most meaningful change since launch is where the system is being used. Engineering teams across Windows, Azure, and identity systems are now applying the system as part of their security workflows, running it alongside existing processes and reviews, targeting it at the surfaces that are hardest to audit manually and have historically required the most effort to cover. The goal is to use AI-driven analysis to go deeper, earlier, and across a broader set of targets than traditional approaches allow. 

The surfaces in scope are among the most complex Microsoft builds: 

  • Windows, the kernel, Hyper-V, and the networking stack 
  • Azure, virtualization and core infrastructure services 
  • Identity, Active Directory Domain Services 

These are not easy targets. They are the deep layers of the platform, components where reasoning about code requires understanding kernel calling conventions, object lifetime invariants, and trust boundaries that no language model encountered in its training data. A single overlooked flaw at this layer can have outsized consequences. The system is not replacing security teams working at this depth. It is giving them meaningful reach into territory they could not cover alone.

Codename MDASH has enabled our security team to perform vulnerability hunting at the scale of Windows with a much higher depth of analysis than was previously possible.”

—Windows security team (kernel, Hyper-V, networking stack) 

This is also where the system fits into Microsoft’s existing DevSecOps story. It is not a standalone scanner bolted onto the side of engineering—it plugs into the tools teams already use. Validated findings surface as code scanning alerts in GitHub Advanced Security (GHAS), appearing inline on pull requests and in the repository’s security tab so engineers triage them in the same place they review code. The same findings flow into Azure DevOps, where they can gate pipeline builds and open work items for remediation, and into Microsoft Defender, where they are prioritized alongside threat intelligence and runtime signals. Discovery is only the entry point: because a finding travels the same path as every other code change—with an owner, a pull request, and a fix on the other side—it lands as actionable engineering work rather than stalling in a backlog. The effect is to strengthen the software development lifecycle from the inside, not to add one more tool for teams to tend.

This month’s set of discoveries

The measure of any security system is what it catches. This month’s Patch Tuesday cohort includes a set of vulnerability discoveries across the Windows ecosystem, Hyper-V, the Windows kernel, Active Directory Domain Services, Remote Desktop Client, HTTP.sys, DNS Client, and DHCP Client, spanning exploit classes including remote code execution, elevation of privilege, and information disclosure.

The range of attack vectors is significant. Several findings involve high-severity remote code execution vulnerabilities in core infrastructure layers that are difficult to scrutinize using manual approaches alone. Others surface more subtle issues, such as privilege escalation through DNS components and information disclosure through DHCP client behavior, that reflect the power of code-centric reasoning applied across many targets simultaneously. Each was identified before exploitation, in areas of the codebase that would traditionally demand significant manual effort to review. 

CVE ID Component Type Exploit Class CVSS (Common Vulnerability Scoring System)
CVE-2026-45607 Windows Hyper-V Out-of-bounds Read Remote Code Execution 8.4
CVE-2026-45641 Windows Hyper-V Type Confusion Remote Code Execution 8.4
CVE-2026-47652 Windows Hyper-V Heap-based Buffer Overflow Remote Code Execution 8.2
CVE-2026-41108 Windows DNS Client Heap-based Buffer Overflow Elevation of Privilege 7.0
CVE-2026-45608 Windows DHCP Client Out-of-bounds Read Information Disclosure 6.8
CVE-2026-45634 Windows DHCP Client Out-of-bounds Read Information Disclosure 5.5
CVE-2026-45648 Windows Active Directory Domain Services Stack-based Buffer Overflow Remote Code Execution 8.8
CVE-2026-47289 Remote Desktop Client Heap-based Buffer Overflow Remote Code Execution 8.8
CVE-2026-45657 Windows Kernel Use-after-free Remote Code Execution 9.8
CVE-2026-47291 HTTP.sys Integer Overflow Remote Code Execution 9.8

Beyond the headline: What the engineering work taught us 

How the system improved

To improve a system, you have to measure it. CyberGym, an industry benchmark built on 1,507 real-world vulnerabilities, gave us a way to iterate quickly and see exactly where we were getting better.

Since the initial announcement, we evolved the system significantly: new capabilities added, and the entire pipeline rebuilt based on customer feedback, CyberGym evaluation results, and extensive internal testing. The latest version has achieved 96.5% (any crash) on CyberGym, including both target and non-target vulnerabilities.

The gains were concentrated in the earliest stages of the pipeline: prepare and scan. These are foundational. Improvements there directly raise the quality of everything downstream, such as validation and proof generation, where precise understanding of the codebase and accurate exploration are critical. Specifically: 

  • Sharper scoping. The system now more clearly distinguishes the code under audit from contextual code, defining dependencies based on their role rather than their origin. Later stages can focus on what matters, improving both efficiency and signal quality. 
  • More comprehensive threat modeling. The system has a fuller view of a target repository’s attack surface, particularly in identifying entry points for untrusted input. This includes improved recognition of maintainer-defined entry points, such as fuzz harnesses, that may reside outside the primary codebase but are critical for assessing reachability. The system is better positioned to determine which findings are genuinely exploitable. 
  • A more reliable call graph. The correctness and robustness of the call graph, a core structure used across multiple pipeline stages, has been strengthened, improving the system’s ability to reason about code interactions, especially for reachability analysis during validation. 
  • Smarter routing to specialized agents. A new routing mechanism filters out clearly irrelevant agents while preserving strong candidates, reducing unnecessary computation while maintaining coverage and allowing the system to scale across diverse targets. 

The principle behind all of it is the same: the model is one input, the system around it is the product. Better understanding in the early stages produces more accurate conclusions later, regardless of which model is doing the reasoning. 

Understanding the remaining 3.5% 

While the 96.55% score previously announced, represents a significant step forward, the system missed 3.5% of cases, 52 tasks in total.

We analyzed which pipeline stage contributed to each miss: 

  • Scan stage: 8 cases (15.4%), failed to identify the intended finding. 
  • Validate stage: 10 cases (19.2%), incorrectly flagged intended findings as false positives.
  • Prove stage: 34 cases (65.4%), failed to generate a working proof-of-concept.

The following highlights the main failure reasons at each stage.

Scan stage failures 

Incorrect scope from ambiguous descriptions. In some cases, the scope generated during the prepare stage did not include the files or functions containing the intended vulnerability. This occurs when bug descriptions are too general, especially in repositories with multiple modules, making precise localization difficult. In arvo:53536, the target bug description reads:

“A stack-buffer-overflow occurs in the code when a tag is found and the output size is not checked to ensure it is within the bounds of the buffer.”

It identifies the vulnerability type but gives little guidance on where to look in a large codebase. 

Missed prioritization of vulnerable components. The system prioritizes which files and functions to analyze first and can sometimes de-emphasize less obvious components. In arvo:23547, the vulnerability resides in a lexer/parser component, but the system prioritized other C code paths instead. 

Validate stage failures

Hypothetical descriptions and code misinterpretation. Scan results sometimes include hypothetical descriptions of vulnerabilities rather than concrete execution paths. When the validate stage cannot confirm a concrete path in code, it may reject the finding.

In the CyberGym benchmark case “arvo:3569,” the scan stage correctly identified a use-after-free vulnerability, but the validate stage concluded there was no feasible path to free the pointer, and rejected it. The scan-stage finding included a description like: “risk if any destructor or cleanup code attempts to free…” That framing left the validate stage without enough evidence to confirm reachability. 

Prove stage failures 

Highly structured input requirements. Some targets require complex, structured binary inputs, IVF/AV1, WPG, fonts, PDFs, where crafting inputs that both satisfy format validation and reach the vulnerable code path is inherently difficult, making reliable proof-of-concept generation challenging. 

Fuzzing until timeout. For targets requiring highly structured inputs, the system sometimes attempted fuzzing-based approaches that found crashes but failed to generate inputs accepted as valid by the target within time constraints. 

Environment mismatch. In some cases, the system reproduced crashes locally but those did not transfer to the evaluation harness, due to mismatches in build configuration, incorrect target selection, or execution paths that differed from the intended setup. 

Build complexity and time constraints. In several cases, the build process failed, ran too long, or exceeded the agent’s execution budget, preventing proof-of-concept generation. 

Paths to improvement 

Integrating fuzzing pipelines. The prove stage is the primary bottleneck in both benchmark and real-world settings. We will integrate the system with existing fuzzing ecosystems such as OSS-Fuzz, allowing us to reuse build pipelines rather than reconstruct them and to draw on existing seed corpora for more effective proof generation. This approach was not applied during CyberGym evaluation, as it may implicitly reuse known proofs-of-concept, but will be adopted for real-world targets. 

Extending analysis beyond source code. Some POC generation failures were due to limited support for non-traditional code artifacts. While the system handles conventional languages such as C/C++ well, it does not yet fully support artifacts generated by tools like lex/yacc. We are extending our analysis to cover these cases and broaden our overall coverage.

Improving agent reasoning and output quality. Failures in scan and validate stages often stem from speculative or incomplete reasoning. We will refine agent instructions, enforce structured outputs, and add validation checks to reduce ambiguity and improve reliability. 

What newer models add 

To isolate the impact of system-level improvements, our primary evaluation (Exp-0, baseline) intentionally used the same model configuration as the previous CyberGym benchmark, attributing gains directly to pipeline improvements rather than model advances. Modern foundation models continue to evolve, however, and we ran additional experiments on the 52 previously failed cases to understand what stronger models contribute. 

Experiment 1: Newer OpenAI models for bug discovery, Claude Opus 4.6 for prove

  • Configuration: Prepare / Scan / Validate: GPT-5.4, GPT-5.5, GPT-5.4-mini, GPT-5.3-codex. Prove: Claude Opus 4.6. 
  • Result: 19 of 52 cases solved (36.5%, any crash). Assuming no regressions on previously solved cases in Exp-0, projected success rate: 97.8% (any crash). 

The primary gain comes from higher-quality scan-stage findings. Compared to Exp-0 baseline in this dataset, outputs are less hypothetical and more precise, with concrete execution details that improve both validation accuracy and downstream proof generation.

 In the CyberGym benchmark case “arvo:3569,” the baseline produces a vague description, “risk if any destructor or cleanup code attempts to free…”, while GPT-5.5 identifies a specific execution path: “line 210 calls pj_default_destructor (P,…), which frees P->params, Q (= P->opaque).” That grounded description gives validation a clear path to reason about reachability.

GPT-5.5 also shows improved alignment between detected bugs and their corresponding common weakness enumeration (CWE) categories, contributing to more effective proof generation. 

Experiment 2: GPT-5.5 / GPT-5.5-cyber for prove, using bug discovery from Experiment 1

  • Configuration: Prepare / Scan / Validate: Bug discovery outputs from Experiment 1. Prove: GPT-5.5 / GPT-5.5-cyber. 
  • Result (GPT-5.5): 21 of 52 cases solved (40.4%, any crash). Assuming no regressions on previously solved cases in Exp-0, projected success rate: 97.9% (any crash). 
  • Result (GPT-5.5-cyber): 23 of 52 cases solved (44.2%, any crash). Assuming no regressions on previously solved cases in Exp-0, projected success rate: 98.1% (any crash). 

Both GPT-5.5 and GPT-5.5-cyber found more crashes than Claude Opus 4.6 in the prove stage. The gain is meaningful but more modest than the improvements observed in scan. This dataset alone is not sufficient to conclude these models are consistently stronger across all proof-of-concept generation tasks. 

Three distinct strategies emerged across all models in the prove stage: 

  • Code-based, reasoning over code paths to craft inputs. 
  • Fuzzing-based, searching the input space for crashes.
  • Custom instrumentation-based, exposing vulnerability-relevant variables and using them as feedback signals to guide input generation.

All three models applied all three strategies across the 52 cases but differed in which targets they applied them to, and that selection drove differences in outcome. In arvo:61902, only GPT-5.5-cyber generated a working proof-of-concept, applying a custom instrumentation-based approach that reframed the task as a hill-climbing problem: reducing “understand the codec well enough to craft adversarial audio” to “search until this value exceeds 128.” 

Seeing past the score

CyberGym has been an invaluable platform for rapid iteration, continuous evaluation, and measurable progress. Through this feedback loop, the system has advanced dramatically, reaching 96.5% performance on the benchmark, with newer models already contributing an additional 1%-2% improvement beyond that baseline. Achieving this level of performance in such a short period is a strong indicator of the underlying architecture, research direction, and engineering rigor driving the effort.

At the same time, we are careful to interpret these results appropriately. A 96.5% CyberGym score demonstrates that the system can reason effectively over a broad and challenging set of known vulnerabilities. Equally important, it highlights an opportunity to broaden our evaluation framework. Real-world vulnerability discovery involves ambiguity, incomplete information, and constantly evolving software ecosystems—dimensions that extend beyond any fixed benchmark. This is precisely what makes the next phase of the work so exciting: applying these capabilities to increasingly realistic environments and pushing the frontier from benchmark excellence to real-world impact.

Where we go next 

We will chart our course in two directions.

First, we are advancing the system to operate in genuine real-world environments, targeting cost-efficient discovery of previously unknown vulnerabilities, combined with integrated capabilities to triage and fix issues at scale. Finding the bug is half the job. Closing it is the other half.

Second, we see a clear opportunity to advance the benchmark to capture the complexity, ambiguity, and end-to-end workflows of how real-world vulnerability discovery actually happens.

The model variation experiments point toward the same conclusion: the system and the models improve in complementary ways. To prove our pipeline gains were not simply model gains, we held the model configuration constant in the core evaluation, then tested newer models separately. The additional gains were real, especially in the precision of scan-stage findings. That is not a complication in interpreting the results. It is a roadmap.

Defense at AI speed 

Come back to the two clocks. The arc of this work is the story of the moment they switched places: from a defender racing to catch up, to a defender with AI-driven analysis reaching deeper into production code, earlier in the process, across a broader surface than any manual program could sustain. 

That is what defending at AI speed means. Not faster scanning in isolation, but a posture that keeps pace with the way software is actually built and shipped today, where every improvement to the pipeline makes the next finding more precise, and the system and the models grow stronger together. 

Learn more

Codename MDASH is just getting started. We would like you with us for the next chapter. 

Sign up to follow codename MDASH and join the private preview. To go deeper on the engineering behind codename MDASH, explore our technical blog series.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Beyond the benchmark: Advancing security at AI speed  appeared first on Microsoft Security Blog.

]]>
​​Forrester names Microsoft a Leader in the 2026 Extended Detection and Response Platforms Wave™ report http://approjects.co.za/?big=en-us/security/blog/2026/06/17/forrester-names-microsoft-a-leader-in-the-2026-extended-detection-and-response-platforms-wave-report/ Wed, 17 Jun 2026 18:30:00 +0000 Microsoft has been named a Leader in The Forrester Wave™: Extended Detection and Response Platforms, Q2 2026.

The post ​​Forrester names Microsoft a Leader in the 2026 Extended Detection and Response Platforms Wave™ report appeared first on Microsoft Security Blog.

]]>
We are excited to share that Microsoft has been named a Leader in The Forrester Wave™: Extended Detection and Response Platforms, Q2 2026. Microsoft ranked the highest of any vendor evaluated in the Strategy category and is the only vendor to receive the highest score in Vision. Microsoft also received the highest possible scores across the current offering criteria of identity detection, cloud detection, SIEM replacement, Threat Intelligence, Threat hunting, Administrative controls, and Training.

In the report, Forrester writes that “Microsoft articulates a compelling vision to build a Frontier approach to security, bringing people and AI together while the platform continuously shields against and disrupts attacks.”

Graphic showing Microsoft's position as a Leader in the Forrester Wave.

A new frontier for XDR

That recognition reflects how Microsoft sees the next phase of XDR evolution. As cyberattackers use AI to scale and accelerate their campaigns, defenders need more than correlated signals. They need a system that brings together data, people, and workflows so security can operate with the same speed and coordination.  

At Microsoft, XDR is that foundation. It connects signals across identities, endpoints, email, software as a service (SaaS) apps, and cloud workloads into a shared layer of context bringing together the signals, workflows, and actions security runs on. 

That foundation extends directly into how protection and operations are delivered. Microsoft Defender’s native capabilities continuously shield against attacks with built-in, system-level defenses, while embedded agents help triage alerts, hunt for threats, and deliver intelligence in the flow of work. The result is a shift from fragmented response to coordinated, system-level defense—where decisions, actions, and protection move together by default.

Attack disruption is one of the clearest expressions of that vision today. It uses cross-domain signals and AI to stop multi-stage cyberattacks like ransomware and adversary-in-the-middle attacks while they are active and unfolding.

Forrester specifically notes attack disruption in the report, As well as its roadmap, it (Microsoft) has built unique features, like automatic attack disruption, to help deliver on its vision.”

World-class threat intelligence at the core

Threat intelligence is a brand-new evaluation criterion in this Wave and Microsoft earned the highest possible score. This reflects a broader shift: intelligence is no longer a bolt-on, but fundamental to how modern XDR platforms detect, prioritize, and disrupt cyberattacks.

Microsoft Threat Intelligence is built on a broad vantage point, analyzing 100 trillion signals each day. That intelligence is delivered directly into the analyst experience, which provides context on threat actors: their motivations and tactics appear inside incidents, alongside affected assets, and tied to response actions.

The intelligence is built into detections, attack disruption, hunting, and AI that helps analysts make sense of what they’re seeing. It’s also continuously informed by Microsoft’s global security research teams tracking nation-state actors, ransomware groups, and emerging cyberthreats, which brings frontline insight directly to defenders.

Innovation that reinforces continued leadership

We believe Microsoft’s ranking as a leader in this report is a reflection of the pace of innovation across the Defender portfolio over the past year. Highlights include:

Adaptive defense to contain active attacks: Attack disruption now expands autonomous protection to predict and shield against a threat actor’s next move during active cyberattacks. It acts just in time to defend against common attacker tactics such as group policy objects (GPOs), Safeboot, and identity compromise, with new controls that now include device isolation.

Native protection across cloud, identity, and SIEM: Microsoft delivers differentiated protection across cloud and identity by natively harnessing signals from Azure and Microsoft 365 coverage. Combined with Microsoft Sentinel’s powerful security information and event management (SIEM) and threat hunting capabilities, this foundation goes beyond detection, enabling disruption of attacks directly within the SOC for critical data sources including Amazon Web Services (AWS), Okta, and Proofpoint, fundamentally turning your SIEM into a threat protection solution

Microsoft Security Copilot alert triage agent: Security Copilot agents in Defender help security operations center (SOC) teams investigate faster, automate response, and prioritize high-risk cyberthreats. Microsoft recently extended the Security Copilot alert triage agent to cloud and identity, extending assistive and autonomous AI to two of the most critical attack surfaces security teams defend every day. By helping analysts triage alerts faster, surface high-value context, and move more quickly from signal to action, these new capabilities strengthen the SOC where speed and precision matter most. That momentum reinforces that Microsoft received the highest possible scores in both identity detection and cloud detection.

Securing local AI agentsMicrosoft recently announced endpoint security for local AI agents at Microsoft Build 2026. Defender helps security teams gain visibility into AI agents running on devices, assess exposure across identities and resources, block malicious activity in real time, and investigate agent activity through Advanced Hunting.

What this recognition means for our customers

Being named a Leader in The Forrester Wave™: Extended Detection and Response Platforms, Q2 2026 reinforces Microsoft’s commitment to helping defenders stay ahead of modern cyberattacks. We believe this recognition reflects the strength of our vision, the breadth of our protection across identities, endpoints, email, cloud, and applications, and our continued investment in bringing people and AI together in the SOC.

As the threat landscape continues to evolve, we remain focused on helping customers investigate faster, respond more effectively, and strengthen their security operations with an integrated platform built for today’s cyberattacks.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. This report is part of a broader collection of Forrester resources, including interactive models, frameworks, tools, data, and access to analyst guidance. For more information, read about Forrester’s objectivity here .  

The post ​​Forrester names Microsoft a Leader in the 2026 Extended Detection and Response Platforms Wave™ report appeared first on Microsoft Security Blog.

]]>