ESKA Security

ESKA Security Cybersecurity Services for SMB to Enterprise Level Companies

05/08/2026

A penetration test alone doesn’t make a company more secure.
The real value starts after the test — when findings turn into actions, priorities, and measurable security improvements.

Many organizations receive a 100-page pentest report and… archive it. But the real issue is not the number of vulnerabilities. It’s whether the business understands:
🔸 which risks are truly critical;
🔸 how real attack paths could be exploited;
🔸 what needs to be fixed first;
🔸 and whether remediation actually improved security.

A good penetration test is not just a list of CVEs — it’s a roadmap for reducing risk.
And a good pentest report is one that both security teams and management can understand and act on.

In our latest article, we explain:
— what should happen after a pentest;
— why many reports fail to deliver real value;
— how to turn testing results into actual security improvements.

Read more: https://www.eskasecurity.com/post/what-happens-after-a-penetration-test-from-report-to-real-security

05/01/2026

Most companies assume their SaaS apps are secure by default.
They’re not.

The infrastructure may be protected, but everything else is on you:
who has access, what permissions they hold, what apps are connected, and how your data is shared.

That’s exactly where attackers look.
Here’s what we see most often in SaaS environments:

🔸 Overprivileged accounts that were never reviewed
🔸 Inactive users with active access
🔸 Dozens of unused OAuth integrations with persistent permissions
🔸 MFA disabled “temporarily” — and never turned back on
🔸 Files shared externally with no expiration or control

The risk isn’t theoretical.
A single compromised Microsoft 365 or Google Workspace account can expose:
emails, documents, internal chats, integrations, essentially your entire business context.

And attackers don’t need sophisticated exploits.
They use:
🔸 misconfigurations
🔸 weak access controls
🔸 normal platform features that look like legitimate activity

That’s why SaaS breaches are so hard to detect and often go unnoticed for weeks.

If you want a quick reality check, start here:
🔸 Review all connected OAuth apps - remove inactive ones
🔸 Audit external file sharing (especially “anyone with the link”)
🔸 Check which accounts don’t have MFA enforced
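The three quick checks above, plus the stale-account point from earlier in the post, applied to an exported inventory. This is an added example, not ESKA Security's tooling: the inventory schema, the 90-day staleness threshold and the list of "persistent" OAuth scopes are assumptions, and the accounts, apps and files are constructed. In practice the three lists would be filled from an admin-console or API export of Microsoft 365 or Google Workspace.

```python
"""SaaS access-hygiene reality check over an exported inventory.

Added example, not ESKA Security's tooling. It applies the post's three quick
checks (connected OAuth apps, external file sharing, MFA enforcement) plus a
stale-account check to a constructed inventory. The inventory schema, the
90-day threshold and the list of "persistent" scopes are assumptions.
"""
from datetime import date, timedelta

STALE_DAYS = 90  # assumption: 90 days without a sign-in or app use counts as stale
# Assumption: scopes that keep working without the user present (refresh tokens, broad mail/file access).
PERSISTENT_SCOPES = {"offline_access", "Mail.ReadWrite", "Files.ReadWrite.All"}
TODAY = date(2026, 5, 1)  # fixed reference date so the run is reproducible

# Constructed sample data; none of these accounts, apps or files are real.
INVENTORY = {
    "users": [
        {"upn": "alice@example.com", "enabled": True, "mfa_enforced": True, "admin": False, "last_sign_in": date(2026, 4, 29)},
        {"upn": "contractor@example.com", "enabled": True, "mfa_enforced": False, "admin": False, "last_sign_in": date(2025, 11, 3)},
        {"upn": "it-admin@example.com", "enabled": True, "mfa_enforced": False, "admin": True, "last_sign_in": date(2026, 4, 30)},
        {"upn": "leaver@example.com", "enabled": False, "mfa_enforced": False, "admin": False, "last_sign_in": date(2025, 6, 1)},
    ],
    "oauth_apps": [
        {"name": "Calendar Sync", "scopes": ["Calendars.Read"], "last_used": date(2026, 4, 28)},
        {"name": "Old Mail Plugin", "scopes": ["offline_access", "Mail.ReadWrite"], "last_used": date(2025, 9, 10)},
    ],
    "shares": [
        {"path": "/Finance/Q1-forecast.xlsx", "link": "anyone", "expires": None},
        {"path": "/Marketing/brochure.pdf", "link": "anyone", "expires": date(2026, 5, 15)},
        {"path": "/HR/salaries.xlsx", "link": "organization", "expires": None},
    ],
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def audit(inventory, today=TODAY):
    """Return findings as (severity, category, subject, detail), most severe first."""
    findings = []
    stale_before = today - timedelta(days=STALE_DAYS)

    for user in inventory["users"]:
        if not user["enabled"]:
            continue  # a disabled account cannot sign in, so it is out of scope here
        if not user["mfa_enforced"]:
            if user["admin"]:
                findings.append(("critical", "mfa", user["upn"], "MFA not enforced on admin account"))
            else:
                findings.append(("high", "mfa", user["upn"], "MFA not enforced"))
        if user["last_sign_in"] < stale_before:
            findings.append(("medium", "stale-user", user["upn"],
                             f"no sign-in since {user['last_sign_in']} but still enabled"))

    for app in inventory["oauth_apps"]:
        if app["last_used"] >= stale_before:
            continue
        persistent = sorted(set(app["scopes"]) & PERSISTENT_SCOPES)
        detail = f"unused since {app['last_used']}"
        if persistent:
            # Unused and still able to act without the user present: remove the grant.
            detail += "; holds persistent scopes " + ", ".join(persistent)
        findings.append(("high" if persistent else "low", "oauth-app", app["name"], detail))

    for share in inventory["shares"]:
        if share["link"] == "anyone" and share["expires"] is None:
            findings.append(("high", "external-share", share["path"],
                             "'anyone with the link' and no expiry date"))

    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])  # stable sort keeps input order within a level
    return findings


if __name__ == "__main__":
    for severity, category, subject, detail in audit(INVENTORY):
        print(f"[{severity:<8}] {category:<15} {subject}: {detail}")
```

Disabled accounts are skipped on purpose: the post's point is inactive users who still have active access, and a disabled account has none. The admin-without-MFA case is ranked above everything else because that is the account a single compromise turns into the whole tenant.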

To understand your actual exposure, you need a structured SaaS security review:
access, permissions, integrations, and configuration, not just infrastructure.

We broke this down in detail in the article https://www.eskasecurity.com/post/why-hackers-love-your-saas-apps-the-security-blind-spots-most-companies-miss
(what attackers actually do, where the biggest blind spots are, and how to fix them)

04/06/2026

ISO/IEC 42001 is the international standard for an Artificial Intelligence Management System (AIMS). It helps organizations build a structured approach to AI governance by defining rules, roles, controls, risk assessment, transparency, accountability, and continual improvement.

Why does ISO/IEC 42001 matter?
Certification helps companies that develop, implement, or use AI systems demonstrate to clients, partners, and auditors that their AI is managed within a clear and controlled framework, not in an ad hoc way.

The standard focuses on key areas such as governance and accountability, transparency, data protection, bias and fairness, security vulnerabilities, system monitoring, and continual improvement.

This is especially important for organizations working with sensitive data, automated decision-making, or preparing to meet customer and regulatory requirements.

How to prepare for ISO/IEC 42001 certification?
From a practical perspective, preparation usually starts with four steps:

🔸 Identify where AI exists in your organization
Understand which systems, models, services, or internal processes actually use AI.

🔸 Assess risks and impacts
Evaluate not only business risks, but also the impact on customers, users, data, security, fairness, and compliance.

🔸 Build an AI governance system
Establish policies, roles and responsibilities, change control procedures, monitoring, documentation, internal reviews, and corrective actions.

🔸 Conduct a gap assessment before the audit
Identify what is missing against the standard’s requirements and close those gaps before the certification audit.

Read more in our new article https://www.eskasecurity.com/post/iso-iec-42001-explained-why-it-matters-for-responsible-ai-governance

At ESKA Security, our GRC team has the practical experience and relevant certifications needed to help organizations prepare for an ISO/IEC 42001 compliance audit with confidence.

03/30/2026

Startups and SMBs still see Governance, Risk, and Compliance (GRC) as a regulatory checkbox - something required, but not valuable. In reality, a well-structured GRC program delivers measurable business ROI.

🔸 Incident prevention
Regular risk assessments and properly implemented controls reduce the likelihood of cyber incidents and data breaches that can cost millions in downtime, recovery, and reputational damage.

🔸 Regulatory readiness
Automated compliance workflows and structured control evidence significantly reduce preparation time for SOC 2, ISO 27001, and NIS2, while helping avoid penalties and last-minute stress before audits.

🔸 Business trust and faster deals
Strong governance and compliance maturity increase confidence among customers, investors and partners, often accelerating procurement and partnership decisions.

A business-aligned GRC framework helps startups and SMBs reduce risk exposure, demonstrate maturity to partners, and prepare for enterprise-level requirements.
When structured properly, compliance strengthens positioning instead of slowing growth.

Need help choosing the right approach for your company?
The ESKA Security team is ready to support you at every stage.

03/27/2026

TLPT (Threat-Led Penetration Testing) is a resilience-focused security assessment built around critical business functions, realistic threat intelligence, and the organization’s ability to detect and respond to a targeted attack. It typically includes defining critical functions and scope, building attack scenarios based on actual threats, running a controlled exercise in the live environment, and then reviewing detection, response, coordination, and remediation.

A traditional pentest is usually focused on a specific asset such as a web application, API, mobile app, external perimeter, or internal segment, with the goal of identifying technical weaknesses, validating exploitability, and providing remediation guidance. TLPT has a broader objective: it is built around realistic threat actors, business-critical functions, detection and response capabilities, and the organization’s overall resilience under attack. It also differs from red teaming alone, because red team activity is only one part of a wider, formalized process that includes threat intelligence, governance, reporting, and remediation.

TLPT is especially relevant now because cyber resilience has become a regulatory priority, particularly in the financial sector under DORA.

Read more in our new article https://www.eskasecurity.com/post/what-is-tlpt-threat-led-penetration-testing-explained

03/26/2026

A reported cyber incident involving AstraZeneca is drawing attention across the security community.

According to recent reports, the LAPSUS$ group claims to have breached the pharmaceutical giant and exfiltrated sensitive internal data, including credentials, tokens, source code, and employee-related information. At this stage, the incident remains unconfirmed by AstraZeneca, but the claim itself highlights an important reality for modern enterprises: even limited exposure of internal code, identities, or infrastructure details can create serious downstream risk.

For organizations in pharma, healthcare, and other high-value sectors, incidents like this are a reminder that cyber resilience is not only about protecting customer or patient data. It is also about securing intellectual property, development environments, internal access paths, cloud assets, and the people behind critical operations.

When threat actors gain visibility into internal systems, the consequences may include:
🔸 targeted phishing and social engineering
🔸 credential abuse and privilege escalation
🔸 supply chain exposure
🔸 operational disruption
🔸 increased extortion pressure

Whether this specific case is fully confirmed or not, the lesson is clear: proactive monitoring, strong access governance, secure development practices, and incident readiness are essential.

Cybersecurity maturity is no longer optional for organizations operating in innovation-driven industries.

03/20/2026

AI adoption is moving faster than internal controls in many companies.
That is why AI governance should start with a practical checklist, not abstract discussions. Below is a simple AI governance checklist that helps companies understand what must be in place to use AI responsibly, securely, and with clear accountability.

AI inventory
Create a register of all AI tools, use cases, owners, and data involved.

Risk classification
Group AI use cases by risk level and apply controls based on impact.

Clear ownership
Assign responsibility for approval, monitoring, review, and escalation.

AI policy
Define what is allowed, restricted, or prohibited across the company.

Data rules
Set clear limits for confidential, personal, and sensitive data in AI systems.

Vendor review
Assess third-party AI providers for security, privacy, transparency, and contractual safeguards.

Human oversight
Define where human review is required and who has authority to intervene.

Pre-launch assessment
Review accuracy, bias, privacy, security, and business impact before deployment.

Monitoring
Track performance, incidents, complaints, model changes, and control effectiveness after launch.

Employee training
Ensure staff understand how to use AI safely and validate outputs properly.

Incident response
Prepare a process for handling AI-related failures, misuse, or unexpected outcomes.

Fallback plan
Make sure the business can stop or replace an AI use case when needed.

Regular review
Update governance controls as tools, risks, and regulations evolve.

The goal
AI governance should work as an operating model, not just as a policy document.

03/19/2026

The rapid adoption of artificial intelligence across business operations is no longer solely a technological matter. It has become a domain of governance, risk management, and regulatory compliance.

Organizations deploying AI systems are increasingly expected to demonstrate not only performance, but also control, transparency, and accountability. This has led to the emergence of a structured ecosystem of regulatory acts, international standards, and practical frameworks.

Below are the key pillars shaping AI governance today.

EU AI Act
The EU AI Act represents the first comprehensive regulatory framework for artificial intelligence at a supranational level. It establishes a risk-based classification model, distinguishing between minimal, limited, high, and unacceptable risk systems.

For high-risk AI systems, organizations must implement:
🔸 strict data governance practices
🔸 transparency and documentation requirements
🔸 human oversight mechanisms
🔸 continuous monitoring and compliance controls

The regulation applies not only to EU-based companies but also to any organization whose AI systems impact EU citizens or markets.

ISO/IEC 42001 AI Management System
ISO/IEC 42001 introduces a formalized approach to managing artificial intelligence through an AI Management System (AIMS).

Aligned with established ISO standards such as ISO/IEC 27001, it enables organizations to:
🔸 define AI governance structures
🔸 implement risk management processes
🔸 control the AI lifecycle
🔸 ensure ethical and regulatory alignment

Importantly, ISO 42001 supports certification, providing external validation of an organization’s AI governance maturity.

NIST AI Risk Management Framework (AI RMF)
The NIST AI RMF provides a structured methodology for identifying, assessing, and managing AI-related risks. It is widely adopted as a best-practice framework, particularly in environments without strict regulatory enforcement.

It is built around four core functions:
🔸 Govern: establishing oversight, policies, and accountability
🔸 Map: identifying risks and system context
🔸 Measure: evaluating performance, reliability, and impact
🔸 Manage: implementing risk mitigation and controls

The framework emphasizes trustworthiness, including safety, fairness, and explainability.

Google Secure AI Framework (SAIF)
Google’s Secure AI Framework (SAIF) focuses on the engineering and security aspects of AI systems. It extends traditional cybersecurity principles into the AI domain.

Key areas include:
🔸 protection against adversarial attacks
🔸 securing training and inference pipelines
🔸 safeguarding data integrity and confidentiality
🔸 continuous monitoring and incident response

SAIF is particularly relevant for organizations building and operating AI systems in production environments.

03/19/2026

The Digital Operational Resilience Act (DORA) introduces a new standard for how financial organizations in the EU must approach ICT risk and operational resilience. Unlike traditional regulatory frameworks, DORA does not focus solely on policies or controls. It requires organizations to demonstrate that their operations can remain stable and recover effectively in the event of disruptions.

In practical terms, this means that financial companies must ensure the ability to:
🔸 maintain critical services during cyber incidents or system failures,
🔸 detect and respond to disruptions in a timely manner,
🔸 restore operations without significant impact on business continuity.

A key element of DORA is ICT risk management, which extends beyond technical security measures. It requires a structured and continuous approach to managing risks across systems, processes, and third-party dependencies.

An effective ICT risk management approach covers the following areas:
🔸 maintaining visibility over all ICT assets and services,
🔸 understanding dependencies between systems and vendors,
🔸 implementing monitoring and detection capabilities,
🔸 establishing formal incident response processes,
🔸 ensuring tested recovery and continuity mechanisms.

Particular attention is given to third-party risk, as many financial institutions rely on external providers for critical services. DORA makes it clear that outsourcing does not transfer responsibility, and organizations must retain full accountability for risks introduced by vendors.

Another important change is governance. Responsibility for ICT risk management is assigned to management, making resilience a business-level concern rather than only a technical function.

In many organizations, the main challenge is not the absence of controls, but the lack of integration between them. DORA addresses this by requiring a consistent and functioning system rather than isolated measures.

For companies working with the EU financial sector, this regulation should be seen as a framework for building stable and resilient operations, not only as a compliance requirement.

A more detailed explanation of DORA requirements and practical preparation steps is available in our article https://www.eskasecurity.com/post/what-is-dora-eu-and-how-financial-companies-can-prepare-for-ict-risk-management-requirements

03/11/2026

Penetration testing typically follows three main approaches: Black-box, Gray-box, and White-box. The choice depends on your objectives, the information available, and the level of threat simulation you want to achieve.

🔸 Black-box
Testing without prior knowledge of the system. The pentester acts as an external attacker and searches for vulnerabilities the same way a real threat actor would.

Pros: high level of realism; valuable for assessing the external attack surface; unbiased results.
Cons: limited visibility; internal vulnerabilities may remain undiscovered; may require more time.

🔸 Gray-box
Testing with partial access or basic information about the system (for example, a user account). This approach helps evaluate what an attacker could do after gaining initial access.

Pros: balanced approach; simulates insider threats or advanced external attacks; efficient use of time and resources.
Cons: depending on the level of access provided, deeper system issues may remain uncovered.

🔸 White-box
Testing with full access to system information — architecture, configurations, or source code. This allows for a deep analysis and the identification of complex vulnerabilities.

Pros: deepest level of coverage; ideal for detecting logical flaws, misconfigurations, and insider-threat scenarios.
Cons: requires more preparation and highly skilled testers; may lack the realism of an external attack scenario.

It is important to determine the appropriate approach in advance. Different penetration testing models serve different objectives and can produce different outcomes in terms of findings and the depth of security assessment.

03/03/2026

In 2026, phishing is no longer about “bad emails with typos.”
AI has changed the rules: attacks are faster, cleaner, and increasingly multi-channel (email + chat + SMS + QR + voice).

In our new article https://www.eskasecurity.com/post/ai-phishing-vs-traditional-phishing-how-the-rules-changed-and-how-to-protect-your-business, we break down AI phishing vs traditional phishing and what businesses must do to stay resilient.

Key takeaways:

🔸 AI industrialized social engineering: better personalization, tone matching, multilingual targeting, and rapid iteration.

🔸 Phishing isn’t only credential theft anymore: many campaigns aim for session/token theft (AiTM) to bypass MFA.

🔸 OAuth consent phishing is mainstream: attackers can gain access without stealing a password—just by tricking users into granting permissions.

🔸 Domain spoofing and “trust wrapping” got smarter: abuse of routing complexity, misconfigurations, and legitimate file-sharing links.

🔸 Multi-channel is the default: email sets context, chat adds pressure, a call seals urgency.

🔸 Vendor impersonation / BEC remains one of the most expensive outcomes: invoices, payment changes, and executive fraud.

What actually works in 2026:

🔸 Phishing-resistant authentication (passkeys/WebAuthn) where possible

🔸 Identity-first controls (conditional access, device posture, session/token governance)

🔸 Strong SPF/DKIM/DMARC enforcement and monitoring

🔸 OAuth app governance and permission hygiene

🔸 Payment process hardening (out-of-band verification, dual approvals)

🔸 Modern training based on real scenarios, not “spot the typo”
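A way to check the "Strong SPF/DKIM/DMARC enforcement and monitoring" item on your own domains, as an added example that is not code from ESKA Security or the linked article. It parses the TXT records that `dig TXT example.com` and `dig TXT _dmarc.example.com` return and reports whether the published policy enforces anything, going a little beyond the list item by also checking the SPF 10-lookup limit and the DMARC `pct` and `sp` tags. DKIM is not covered because it needs the selector names in use; the records below are constructed samples, and no DNS queries are made.

```python
"""Offline SPF/DMARC policy-strength check.

Added example, not ESKA Security's code. Pass in the raw TXT record strings;
no DNS lookups are performed. The sample records at the bottom are constructed.
"""

# Mechanisms that cost a DNS query; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _dmarc_tags(record):
    """Parse 'tag=value; tag=value' (DMARC syntax) into a lower-cased-key dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return {'enforcing': bool, 'findings': [...]} for one SPF record."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"enforcing": False, "findings": ["SPF: missing v=spf1, receivers ignore the record"]}

    # The trailing 'all' mechanism decides what happens to every unlisted sender.
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    qualifier = all_term[0] if all_term and all_term[0] in "+-~?" else "+"
    if all_term is None:
        findings.append("SPF: no 'all' term, unlisted senders get a neutral result")
    elif qualifier == "+":
        findings.append("SPF: '+all' authorises every host on the internet")
    elif qualifier == "?":
        findings.append("SPF: '?all' is neutral, equivalent to no policy")
    elif qualifier == "~":
        findings.append("SPF: '~all' softfail; move to '-all' once DMARC is enforced")

    # Nested includes add lookups of their own, so this count is a lower bound.
    lookups = sum(
        1 for t in terms[1:]
        if t.lstrip("+-~?").lower().split(":")[0].split("=")[0] in SPF_LOOKUP_MECHANISMS
    )
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of 10 (permerror)")

    return {"enforcing": all_term is not None and qualifier == "-", "findings": findings}


def assess_dmarc(record):
    """Return {'enforcing': bool, 'findings': [...]} for one DMARC record."""
    findings = []
    tags = _dmarc_tags(record)
    if tags.get("v") != "DMARC1":
        return {"enforcing": False, "findings": ["DMARC: missing v=DMARC1, record is invalid"]}

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: 'p' tag missing or invalid, record is ignored")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends failures to spam; p=reject is the target")

    # pct below 100 applies the policy to a sample of failing mail only.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"DMARC: pct={pct}, policy applied to {pct}% of failing messages")

    # sp defaults to p; an explicit weaker subdomain policy leaves subdomains spoofable.
    sub_policy = tags.get("sp", policy).lower()
    if policy in ("quarantine", "reject") and sub_policy == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected while p is enforcing")

    if "rua" not in tags:
        findings.append("DMARC: no rua address, so there is no aggregate reporting to monitor")

    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"enforcing": enforcing, "findings": findings}


# Constructed samples; not the records of any real domain.
SAMPLE_RECORDS = {
    "monitor-only": ("v=spf1 include:_spf.example.net ~all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
    "enforced": ("v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
                 "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"),
}

if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLE_RECORDS.items():
        print(f"== {name} ==")
        for result in (assess_spf(spf), assess_dmarc(dmarc)):
            print("  enforcing:", result["enforcing"])
            for finding in result["findings"]:
                print("  -", finding)
```

The monitoring half of the list item is the `rua` check: without aggregate reports you cannot see which senders fail alignment, so a move from `p=none` to `p=reject` is a guess rather than a decision.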

Full article: https://www.eskasecurity.com/post/ai-phishing-vs-traditional-phishing-how-the-rules-changed-and-how-to-protect-your-business

If you want to validate your real-world readiness (not assumptions):
Phishing Simulation and Cybersecurity Awareness Training.

Address

2900 Highway 7, Concord, Ontario
Vaughan, ON
L4K0G3
