CrowdSecWisdom #18

OffSec insights for CISOs

Welcome to the 18th edition of CrowdSecWisdom from YesWeHack – curating offensive security insights from our own blog and elsewhere for CISOs, security teams and security-conscious devs. 🛡️🧠

Offensive security goes beyond just finding vulnerabilities. Prioritising and remediating them across an expanding attack surface is essential if teams are to stay ahead of attackers operating with increasing speed, precision and scale. That’s why YesWeHack has officially evolved into an Offensive Security and Exposure Management platform – designed to help teams tackle alert fatigue and focus on mitigating real-world risk. As we announced yesterday, this evolution is underpinned by a continuous four-step cycle:

🗺️ Map → Continuously monitor your evolving attack surface

🧪 Test → Build and manage multilayered testing strategies

🛠️ Fix → Prioritise and remediate based on real-world risk

📋 Comply → Maintain continuous assurance and demonstrate your security posture

The platform brings together four core solutions, including two recent additions. Autonomous Pentest combines comprehensive asset discovery with ongoing exposure validation to secure your attack surface against actively exploited vulnerabilities, misconfigurations and subdomain takeover risks. Continuous Pentesting, meanwhile, also offers asset discovery and automated security checks for active threats, supported by in-depth manual testing for vulnerabilities across your various assets. 🔍

Offensive security built for modern threats

Real-world risks, faster fixes

Prioritising vulnerabilities based on real-world risk is key to our model, with findings priority-scored by severity, exploitability and asset criticality. It's helpful if analysts who understand the technical implications of such evaluations can convey them in business-friendly language that lands in the boardroom, as this Help Net Security video on ‘the art of making technical risk make sense to executives’ points out. 🧠

Risk-based prioritisation and manual validation that eliminates false positives together shorten time-to-fix, especially for the most urgent vulnerabilities. In-the-wild evidence continues to reinforce this need. A recent Flashpoint report highlights how autonomous systems are substantially lowering the barrier to entry for attackers, enabling exploitation within hours rather than days. Cisco Talos has similarly observed faster exploitation timelines, citing December's ‘React2Shell’ (CVE-2025-55182), the maximum-severity RCE, as a case in point. Incidentally, YesWeHack crafted an automated checkpoint that detected this CVE within 24 hours of its disclosure in December 2025 – and exploitable instances of the flaw were validated on customer assets within minutes. ⏱️

Bug Bounteous

While we moved beyond being a pure Bug Bounty platform some time ago, crowdsourced security testing delivered by our 130,000-plus testers is still central to our vision for mitigating modern threats. Another record-breaking year for Google’s Bug Bounty Program attests to the effectiveness of this continuous, scalable and in-depth form of testing. The fourth and final cornerstone of YesWeHack’s model, by the way, is vulnerability management, which unifies workflows to aggregate and manage findings from external sources. 🐞

Bullish but cautious on AI

When deploying AI, we will always keep humans in the loop, focus on real use cases and give customers full control over adoption. Our careful approach appears to reflect wider industry sentiment. A recent Splunk report found CISOs optimistic about AI’s productivity gains but cautious about risk and liability. “The data paints a picture of autonomous agents sifting through endless alerts and logs, freeing up human analysts to focus on critical thinking and strategic analysis,” it says. “Crucially, CISOs expect AI agents to boost their security teams’ efficiency and accuracy, not replace analysts outright. In fact, a resounding 60% of CISOs disagree with the statement ‘agentic AI will replace some level 1 security team functions’.” 🧠

CVE funding fears persist

AI is also exacerbating challenges for the CVE Program and the National Vulnerability Database (NVD). According to Cybersecurity Dive, the National Institute of Standards and Technology (NIST) cannot keep up with the deluge of new CVEs – doubtless swelled by AI – that it is tasked with analysing and enriching with further information. That work is “very labour-intensive” and “not scalable to the amount of CVEs that we’re getting in there. We’re fighting a losing battle,” said Jon Boyens, the acting chief of NIST’s Computer Security Division. At RSAC 2026, experts expressed concern about the CVE Program’s over-reliance on federal money after the near-lapse of its funding last year. Their disquiet had apparently not been allayed by the subsequent claim from CISA’s acting executive assistant director for cybersecurity that “there was no funding issue, but rather a contract administration issue that was resolved prior to a contract lapse”. 💰

One upshot of the 2025 funding crisis was the emergence of a European rival to the CVE Program. The European Union (which incidentally is running multiple Bug Bounty Programs with YesWeHack) recently launched the Global CVE Allocation System (GCVE). However, some experts are concerned that it could fragment vulnerability coordination efforts, as reported by Dark Reading. 🇪🇺

The need for a well-resourced CVE Program has arguably never been clearer, with the number of new vulnerabilities soaring year-on-year over the past decade. Now FIRST has forecast another record CVE surge in 2026. With security researchers warning that most won’t translate into real-world attacks, CSO advises CISOs to “double down on prioritisation” and “expect more noise, not more attackers” because “disclosure is accelerating faster than exploitation”. 📈

Combatting AI slop

After a popular open-source data transfer tool called time on its Bug Bounty Program over frustrations with AI slop reports, we’d like to flag our own efforts to combat the problem. Namely, we now have a ‘program spamming and AI slop’ violation in our platform code of conduct, violations of which can result in a platform ban. Our triage team also offers a layer of validation to remove AI slop and other ‘noise’ for fully managed programs. 🧹

Well, we’ve done our own prioritisation of the most significant offsec stories, but we’ve spotted some other items of interest to close out this month’s edition:

🔐 Supply chain blast: Top npm package backdoored to drop dirty RAT on dev machines – Carly Page, The Register

🔐 The CISO’s guide to responding to shadow AI – CSO

🔐 Why cyber defenders need to be ready for frontier AI – Paul J & Alan Steer, UK National Cyber Security Centre

🔐 Google: The quantum apocalypse is coming sooner than we thought – Maria Korolov, CSO

🔐 Global security testing market to grow 24.6% CAGR by 2031 – MarketsandMarkets on PR Newswire

🔐 APIs are the new perimeter: Here’s how CISOs are securing them – Bill Doerrfeld on CSO

🤘 Meet the YesWeHack Team 🤘

We’ll finish up, as usual, with our events schedule. If you happen to be in the countries or regions in question, then we hope you’ll consider coming to see us at the following events. We’ll happily answer questions about, or show you a demo of, our Offensive Security and Exposure Management platform:

📍 FutureCon | Minneapolis, US | 9 April

📍 IN.SE.CON 2026 | Poznań, Poland | 15-16 April

📍 Next IT Security | Amsterdam, Netherlands | 16 April

📍 Boston Official Cybersecurity Summit | Boston, US | 6 May

PS. Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, Bug Bounty Bulletin – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.

PPS. This isn’t the only way to keep track of YesWeHack content about industry trends, relevant legislative developments and live hacking events. You can also follow us on X/Twitter and LinkedIn.
