Brief #109: Cloudflare 7.3 Tbps DDoS Record, Salesforce Config Risks, 6x Increase in Security Incidents

Nikoloz Kokhreidze

Cloudflare mitigates the largest DDoS attack ever recorded. Salesforce Industry Cloud exposes 20 configuration vulnerabilities. The Cyentia IRIS 2025 report reveals a sixfold increase in security incidents, with median losses rising to $3 million.

cybersecurity newsletter mandos by nikoloz kokhreidze covering week 25 of 2025

Happy Sunday!

I was reading the Cyentia report showing cyber incidents have increased sixfold over 15 years. It's staggering when you step back and realize we're not just dealing with more sophisticated attacks - we're dealing with exponentially more of them. The median loss jumping from $190K to $3 million tells the whole story about where we are as an industry.

In this week's brief:

  • Cloudflare just mitigated a monster 7.3 Tbps DDoS attack - the largest on record
  • New research reveals 60% of cybersecurity professionals are eyeing the exit door
  • AI secrets are dominating code repository leaks, creating a whole new category of exposure

Given the massive increase in both attack frequency and financial impact, do you think we're finally at the tipping point where boards will start treating cybersecurity as a core business function rather than a cost center?

I'd love to hear your thoughts. Reply directly to this email or share your thoughts in the comments section below.

Industry News

Cloudflare Blocks Record-Breaking 7.3 Tbps DDoS Attack

  • In mid-May 2025, Cloudflare autonomously mitigated the largest DDoS attack ever recorded at 7.3 Tbps, targeting a hosting provider client. The multivector attack delivered 37.4 terabytes in just 45 seconds and carpet-bombed over 21,000 destination ports.

  • The attack was primarily UDP floods (99.996%) with traces of reflection and amplification attacks including QOTD, Echo, NTP, and Mirai. It originated from over 122,145 source IPs across 5,433 autonomous systems in 161 countries, with Brazil and Vietnam accounting for half the traffic.

  • Cloudflare's global anycast network distributed the attack traffic across 477 data centers in 293 locations, enabling autonomous detection and mitigation through real-time fingerprinting without human intervention or service disruption.

Salesforce Industry Cloud Contains 20 Configuration Risks That Could Expose Customer Data

  • AppOmni researchers discovered 20 insecure configurations in Salesforce Industry Cloud's low-code OmniStudio platform that could allow attackers to access encrypted customer information, session data, credentials, and business logic through misconfigurations.

  • Salesforce issued five CVEs addressing critical vulnerabilities in FlexCards and Data Mappers components, including field-level security bypasses and unauthorized access to encrypted data, while leaving 15 other configuration risks for customers to mitigate.

  • The vulnerabilities primarily affect low-code components that don't enforce access controls by default, allow external user execution of workflows, and contain caching mechanisms that can bypass security controls in enterprise deployments.

Over 46,000 Grafana Instances Exposed to Account Takeover Vulnerability

  • More than 46,000 internet-facing Grafana instances remain unpatched against CVE-2025-4123, a client-side open redirect vulnerability that enables malicious plugin execution and account takeover attacks.

  • The vulnerability allows attackers to hijack user sessions, change account credentials, and perform server-side request forgery (SSRF) attacks without requiring elevated privileges or authentication.

  • Despite security patches being released on May 21, approximately 36% of the 128,864 publicly accessible Grafana instances continue running vulnerable versions, creating a significant attack surface for threat actors.

Leadership Insights

Cyentia IRIS 2025 Report Shows Sixfold Increase In Security Incidents Over 15 Years

  • The annual probability of an organization experiencing a cyber event has almost quadrupled since 2008, with approximately 3,000 significant security incidents reported quarterly in 2024, compared to just 450 in 2008.

  • Financial impacts have grown dramatically, with median losses increasing 15-fold from $190K to almost $3 million, while costs as a proportion of annual revenue have seen an 8-fold increase.

  • Despite growing ransomware threats, system intrusion remains the most common incident type, with credential compromise continuing as the leading intrusion method (43-60% of all incidents).

8 Things CISOs Have Learned From Cyber Incidents

  • Post-incident CISOs shift from defense to offense, developing an attack-minded perspective that focuses on understanding their attack surface better than adversaries and implementing robust response plans with clear roles and communication protocols.

  • CISOs must verify backup systems are isolated, functioning, and clean as modern ransomware attacks specifically target backups first to disable restoration capabilities and force ransom payments.

  • While cyber incidents temporarily increase executive attention and funding, this focus often diminishes over time, forcing CISOs to balance immediate security improvements with the reality of potential budget cuts once the crisis fades.

CISOs Struggle to Transition from Reactive to Proactive Threat Intelligence

  • Despite 98% of organizations experiencing a cyberattack in the past year, only 44% report taking a proactive approach to threat intelligence – leaving most CISOs stuck in reactive postures that limit strategic planning and response capabilities.

  • Traditional threats remain dominant, with malware, ransomware, and phishing continuing as primary concerns, though now enhanced by AI capabilities that accelerate attack sophistication and make detection more challenging.

  • While 95% of CISOs agree that participating in threat intelligence sharing communities improves their preparedness, success requires embedding threat intelligence throughout security operations – something 60% of organizations have yet to fully achieve.

Discover my collection of industry reports, guides and cheat sheets in Cyber Strategy OS

Career Development

CISOs Implement Retention Strategies as 60% of Cyber Professionals Consider Job Changes

  • More than 60% of cybersecurity professionals are contemplating switching jobs within the next 12 months, with dissatisfaction with career progression emerging as a key driver for potential departures.

  • Mid-career professionals with 6-10 years of experience represent the most critical talent gap, as they are embedded in good organizations but highly sought after for new roles requiring proven expertise.

  • CISOs are implementing retention strategies including internal recruitment and training programs, certification support, mentorship initiatives, and regular career development conversations to build loyalty and reduce turnover.

DFIR Professional Faces Career Uncertainty After Layoff From Incident Response Company

  • A cybersecurity professional with 4+ years of experience progressed from technical support to SOC Analyst to DFIR Technical Examiner, before being caught in a round of company layoffs.

  • After reaching a six-figure salary (Philippines-based) in their last position, the professional is struggling to find comparable employment and questioning whether to hold out for similar compensation or pivot to a different role.

  • The post highlights common career challenges in cybersecurity, including the impact of false positive management in SOC roles and the significant knowledge expansion required when transitioning to incident response specializations.

Experienced Software Engineer Raises Questions About Ageism in Cybersecurity Industry

  • A software engineer with 20 years of experience has observed ageism in tech environments, particularly in startups with younger workforce demographics, and is concerned about similar issues in cybersecurity.

  • The individual, who previously worked as a Principal Engineer at a consultancy, is transitioning to cybersecurity while wanting to maintain technical roles rather than moving into management.

  • The post raises questions about which organizations and cybersecurity roles might be more or less affected by age discrimination as experienced professionals transition into the security field.


AI & Security

Cloud Security Alliance Releases Guide for Red Teaming Agentic AI Systems

  • The CSA document provides a comprehensive framework for red teaming Agentic AI systems across 12 critical vulnerability categories, addressing unique challenges posed by AI systems with planning, reasoning, and autonomous action capabilities.

  • The guide emphasizes that Agentic AI introduces novel security issues beyond traditional GenAI models, including emergent behavior, unstructured communication, interpretability challenges, and significantly expanded attack surfaces.

  • Red teaming methodologies include specific tests for authorization hijacking, human oversight failures, critical system interaction risks, and multiple other exploitation vectors unique to autonomous agents that make decisions with limited human oversight.

Novel Zero-Trust Identity Framework For Agentic AI Proposes Decentralized Authentication

  • Researchers present a comprehensive framework for managing identity and access of AI agents, highlighting how traditional protocols like OAuth and SAML are inadequate for autonomous agents operating in Multi-Agent Systems (MAS).

  • The proposed architecture employs Decentralized Identifiers (DIDs), Verifiable Credentials (VCs), and Zero-Knowledge Proofs (ZKPs) to create rich, verifiable agent identities that include capabilities, provenance, and behavioral scope.

  • Key innovations include an Agent Naming Service (ANS) for capability-aware discovery, fine-grained access control mechanisms, and a unified global session management layer that enables consistent revocation across heterogeneous agent communications.

Wiz Research: AI Secrets Dominate Code Repository Leaks

  • Wiz Research found that AI-related secrets constitute a disproportionate majority of leaked credentials in public code repositories, with 4 out of the top 5 discovered secrets being AI-related.

  • Python notebooks (.ipynb files) are the most leak-prone file type, containing exposed credentials through code snippets, execution outputs, and debug functions that reveal sensitive information.

  • AI coding assistants frequently recommend hardcoding secrets in configuration files like mcp.json, while current secret scanning tools fail to detect many newer AI platform credentials from vendors like Perplexity, WeightsAndBiases, and Chinese AI platforms.
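The notebook leak path described above (secrets in code cells and in saved execution outputs) is easy to reproduce in a small scanner. The example below is added here and is not Wiz's tooling; the three detection rules and the sample notebook are constructed for illustration, and real scanners carry much larger vendor-specific rule sets.

```python
import json
import re

# Illustrative rules (assumed for this example, not a vendor-published rule set);
# production scanners carry far larger, vendor-specific pattern lists.
SECRET_PATTERNS = {
    "openai_style_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "huggingface_token": re.compile(r"\bhf_[A-Za-z0-9]{20,}\b"),
    "hardcoded_key_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*['\"][^'\"]{16,}['\"]"),
}

def _as_text(value):
    # .ipynb stores text either as one string or as a list of line strings
    return "".join(value) if isinstance(value, list) else value

def _cell_texts(cell, include_outputs):
    """Yield (location, text) for a cell's source and, optionally, its saved outputs."""
    yield "source", _as_text(cell.get("source", ""))
    if not include_outputs:
        return
    for i, out in enumerate(cell.get("outputs", [])):
        if "text" in out:                    # stream output (stdout / stderr)
            yield f"output[{i}].text", _as_text(out["text"])
        for mime, payload in out.get("data", {}).items():
            if mime.startswith("text/"):     # execute_result / display_data
                yield f"output[{i}].data[{mime}]", _as_text(payload)

def scan_notebook(nb_json, include_outputs=True):
    """Return findings as (cell_index, location, rule_name, redacted_match) tuples."""
    findings = []
    for idx, cell in enumerate(json.loads(nb_json).get("cells", [])):
        for location, text in _cell_texts(cell, include_outputs):
            for name, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    s = m.group(0)           # never store the full secret in findings
                    findings.append((idx, location, name, s[:6] + "..." + s[-4:]))
    return findings

# Constructed sample notebook: a key hard-coded in source, plus a token that only
# appears in a saved execution output (the case a source-only scanner misses).
SAMPLE_NOTEBOOK = json.dumps({"cells": [
    {"cell_type": "code", "outputs": [],
     "source": ["from openai import OpenAI\n",
                "client = OpenAI(api_key='sk-CONSTRUCTEDsampleKey0123456789')\n"]},
    {"cell_type": "code",
     "source": ["import os\n", "print(os.environ['HF_TOKEN'])\n"],
     "outputs": [{"output_type": "stream", "name": "stdout",
                  "text": ["hf_CONSTRUCTEDsampleToken0123456789\n"]}]},
]})
```

Running `scan_notebook(SAMPLE_NOTEBOOK)` reports three findings, while `include_outputs=False` reports only two: the token printed into the saved output is invisible to a scanner that reads source cells alone.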

Market Updates

Tadaweb Raises €17.3M to Enhance OSINT Capabilities for Security Teams

  • Luxembourg-based Tadaweb secured funding to scale its Small Data Operating System for publicly available information (PAI) and open-source intelligence (OSINT), reducing analysis time from "days to minutes."

  • The platform combines technology with human intuition, focusing on transparency rather than being "another black box" AI solution, prioritizing keeping humans in control of intelligence gathering.

  • Their SaaS solution is used by defense, national security, and cybersecurity organizations across Europe and the US, with OSINT estimated to account for 80-90% of information gathering by law enforcement and government entities.

Spanish Industrial Cybersecurity Startup Steryon Secures $1.1M Seed Funding

  • Barcelona-based Steryon has raised €1 million ($1.1M) in seed funding co-led by 4Founders Capital and Abac Nest Ventures to develop their industrial cybersecurity risk management platform.

  • Funds will be used to enhance technology development and expand both technical and commercial teams, with plans to scale deployment across industrial sectors both nationally and internationally.

  • Steryon is one of only three Spanish startups selected for Google's "Google for Startups Growth Academy: AI for Cybersecurity" program, highlighting their innovative approach in the growing OT security market.

Hypernative Raises $40 Million Series B For Web3 Threat Prevention Platform

  • Hypernative secured $40 million in Series B funding to expand their AI-based detection platform that protects over $100 billion in assets across 60+ blockchain networks, including recent additions of Solana and THORChain.

  • The company launched Guardian, a real-time transaction security solution that prevents blind signing by simulating outcomes before approval, serving over 200 Web3 customers including Aptos, Ethereum, and ZKsync.

  • Funding will support expansion into fraud prevention and wallet-level protection, following a year where Hypernative detected $2.2 billion in losses from hacks, exploits, and phishing – a 22% increase from the previous year.

Tools

Finite State Platform

A device security analysis platform that provides comprehensive vulnerability scanning, SBOM management, and supply chain security monitoring for connected devices and their components.

Reveelium UEBA

Reveelium UEBA is a French-developed User and Entity Behavior Analytics solution that uses artificial intelligence to detect abnormal behaviors and security threats by analyzing user and entity activities within an organization's network.

Conviso

A comprehensive application security platform combining specialized services and software tools to help organizations manage vulnerabilities throughout the software development lifecycle.


If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!


For more frequent cybersecurity, leadership and AI updates, follow me on LinkedIn, BlueSky and Mastodon.

Best, 
Nikoloz
