Jaguar shutdown extends through November

CybersecurityHQ weekly analysis


CISO Weekly Tactical Brief: Shadow AI Doubles Yearly, Quantum Hits 1000-Qubits, Agent Payments Live

Shadow AI deployments double every 18 months with 60% of CISOs reporting complete blind spots, while Google's new Agent Payments Protocol (AP2) enables autonomous financial transactions. UK researchers achieve quantum computing on standard laptop chips as the 1000-qubit milestone falls, compressing post-quantum cryptography timelines to 12 months.

Microsoft and Cloudflare dismantled the RaccoonO365 phishing operation (338 domains), but maritime ransomware surged 40% and DevOps misconfigurations now account for 70% of successful breaches. The FTC opened a formal investigation into AI companions following congressional testimony linking chatbots to teen suicides. Jaguar Land Rover's cyberattack extends production shutdown through November with suppliers seeking government assistance.

Strategic Assessment

The convergence of ungoverned AI and accessible quantum computing fundamentally alters enterprise risk. With Gartner projecting $1.5T in enterprise AI spending while shadow deployments proliferate outside IT control, organizations face exponentially expanding attack surfaces. Add commodity quantum computing and you have a 12-month window to implement new defenses.

The human cost emerged starkly this week: Congressional testimony on AI-induced teen deaths triggered FTC action, signaling regulatory enforcement ahead. Meanwhile, CoreWeave's $6.3B Nvidia deal and Oracle-OpenAI's growing compute monopoly concentrate systemic risk in fewer hands.

Key Developments

AI Governance Crisis

  • Shadow AI epidemic: Doubling every 18 months, invisible to 60% of security teams

  • Autonomous transactions: Google AP2 allows agent-initiated payments

  • Mental health probe: FTC investigates AI companions after suicide testimony

  • Code autonomy: OpenAI GPT-5-Codex executes unsupervised in cloud

  • Investment scale: $1.5T projected enterprise spending per Gartner

Quantum Breakthrough

  • Silicon revolution: UK runs quantum on laptop chips, no exotic hardware needed

  • 1000-qubit achieved: Scientists confirm quantum supremacy

  • Timeline compression: PQC migration window shrinks to 12 months

  • Infrastructure investment: NY commits $300M for Stony Brook quantum hub

Supply Chain Attacks

  • NPM Worm Outbreak: Shai-Hulud self-replicating malware hits 187+ packages, steals and publishes developer credentials on GitHub

  • CrowdStrike Compromised: Security vendor's 25 NPM packages briefly infected before removal

  • Industrial impact: Jaguar Land Rover down through November

  • Maritime targeting: 40% increase in shipping ransomware

  • Configuration root cause: DevOps errors behind 70% of breaches

  • Geographic spread: Columbia University, Kering luxury brands (Gucci, Saint Laurent, Balenciaga, etc.) confirmed breached

M&A and Funding

  • CrowdStrike acquires Pangea: ~$260 million for AI security monitoring.

  • Check Point acquires Lakera: Terms undisclosed, for AI security capabilities.

  • SecurityScorecard acquires HyperComply: Announced September 15, acquisition closed earlier this month, focusing on AI-powered questionnaire automation to reduce vendor security work by 92%.

  • Accenture acquires IAMConcepts: Toronto-based identity and access management firm, strengthening offerings for Canadian finance, utilities, and mining sectors.

Major Deals & IPO Activity

  • Netskope IPO: Priced at $19/share, targeting $7.3 billion valuation, debuting Thursday on Nasdaq under "NTSK".

  • TechD Cybersecurity Ltd IPO (India): Closed September 17 with 718.3x oversubscription and GMP of ₹195/share; focuses on endpoint detection for SMBs.

  • CoreWeave-Nvidia Deal: $6.3 billion cloud computing capacity order announced Monday, with Nvidia obligated to purchase any unsold capacity through 2032.

Recent Funding Rounds

  • Vega: $65 million in early-stage funding (seed + Series A) led by Accel, valued at $400 million.

  • Koi Security: $48 million combined seed and Series A ($38M Series A + $10M seed) for endpoint security.

  • WorkFusion: $45 million for AI agents for financial crime compliance.

  • RegScale: $30M Series B (total >$50M) for AI-driven compliance monitoring platform; led by Washington Harbour Partners.

Geopolitical Shifts

  • Sanctions Failure: EU sanctions on Russian bulletproof hoster Stark Industries failed; simply rebranded to "the.hosting" via Dutch shell companies

  • Stark Persistence: Russian DDoS/malware infrastructure continues through WorkTitans BV, PQ Hosting Plus transfers

  • EU-Israel: Tech imports face 20% tariff impact over Gaza operations

  • Defense realignment: Saudi-Pakistan nuclear pact bypasses US

  • Taiwan exposure: Semiconductor leaks to China up 30%

Critical Metrics

| Threat Vector | Current State | Timeline | Business Impact |
|---|---|---|---|
| Shadow AI | 60% invisible, doubling rate | 18-month cycle | Ungoverned attack surface |
| Quantum | 1000-qubits on silicon | 12 months to weaponization | All encryption vulnerable |
| DevOps | 70% of breaches | Immediate | Primary attack vector |
| NPM Supply Chain | 187+ packages infected, self-replicating | Active now | Cascading credential theft |
| JLR Shutdown | 3-month outage | Ongoing | Quarter-long disruptions |
| Maritime | 40% ransomware increase | Active now | Global trade risk |

Board Priorities

  1. Shadow AI discovery - Map all deployments within 72 hours

  2. PQC migration - Begin quantum-resistant transition immediately

  3. DevOps audit - Configuration review of all pipelines

  4. Mental health controls - AI safety measures before regulation hits

  5. Supply alternatives - Diversify beyond single points of failure

30-Day Roadmap

Immediate (72 hours)

  • Deploy shadow AI scanning tools

  • Patch iOS CVE-2025-43300

  • Implement AP2 transaction controls

  • Review DevOps configurations

Week 1

  • Complete AI inventory with ownership mapping

  • Launch quantum readiness assessment

  • Analyze RaccoonO365 indicators

  • Establish FTC compliance baseline

Weeks 2-4

  • Design AI governance framework

  • Contract quantum expertise

  • Negotiate supply chain alternatives

  • Prepare regulatory response plans

Risk Matrix

| Domain | Severity | Indicators | Mitigation |
|---|---|---|---|
| Shadow AI | Critical | Exponential growth, no visibility | Discovery and governance |
| Quantum | Critical | Silicon breakthrough, 12-month window | Immediate PQC start |
| DevOps | Critical | 70% success rate | Configuration management |
| Threat Persistence | High | Stark rebranded post-sanctions | Behavioral detection |
| Regulatory | High | FTC probe active | Compliance preparation |
| Supply Chain | High | Multi-month outages | Alternative sourcing |

This Week's Timeline

  • September 13: FTC opens AI companion investigation; CoreWeave-Nvidia deal

  • September 14: UK quantum on silicon achieved; Google AP2 launches; Shai-Hulud worm begins spreading

  • September 15: Shadow AI report shows 60% blindness; Stark Industries rebrands to evade sanctions

  • September 16: RaccoonO365 takedown; JLR November extension; 187+ NPM packages infected

  • September 17: Apple iOS emergency patch; CrowdStrike confirms package compromise

Analysis

The Shadow AI Problem

Most organizations don't know what AI systems they're running. With deployments doubling outside IT oversight while billions flow into enterprise AI, the attack surface expands faster than security teams can map it. When these systems gain payment authority through AP2, ungoverned becomes ungovernable.

Quantum's New Economics

Running quantum on commodity chips changes everything. The exotic hardware barrier that bought us time has fallen. Every organization assuming 3-5 years for quantum threats must compress planning to months. Start PQC migration now or accept that current encryption has an expiration date.

Configuration as Root Cause

The revelation that DevOps misconfigurations drive 70% of breaches reframes security priorities. The Shai-Hulud NPM worm demonstrates this perfectly: stealing developer tokens to self-replicate across 187+ packages, even briefly compromising CrowdStrike's own packages. When attackers exploit basic errors and stolen credentials cascade through supply chains, one misconfiguration becomes ecosystem-wide compromise. Combined with autonomous code deployment, the attack surface expands exponentially.

Regulatory Reckoning

Congressional testimony linking AI to teen deaths marks a watershed. The FTC investigation signals that AI deployment now carries potential criminal liability. Organizations deploying customer-facing AI must implement mental health safeguards immediately or face enforcement action.

Sanctions Theater

The complete failure of EU sanctions against Russian bulletproof hoster Stark Industries Solutions exposes a critical vulnerability: threat infrastructure persists through simple rebranding. Despite May 2025 sanctions, Stark transferred assets to "the.hosting" via Dutch shell companies (WorkTitans BV, PQ Hosting Plus), maintaining DDoS and malware operations uninterrupted. When sanctioned Russian infrastructure connected to the 2008 Georgia cyberwar can rebrand in days, blocklist-based defenses become security theater. CISOs must shift to behavioral detection that doesn't rely on static indicators or attribution.

Implementation Guide

Budget Planning

Shadow AI Discovery & Governance

  • Initial discovery tools: 0.5-1% of security budget

  • Ongoing governance platform: 2-3% of IT budget annually

  • Resource requirement: 2-3 FTEs or managed service

Quantum Migration

  • Assessment and planning: 0.2-0.3% of IT budget

  • Implementation (multi-year): 5-8% of security budget annually

  • Consider: Most vendors still developing true PQC solutions

DevOps Security

  • Configuration scanning tools: 1-2% of DevOps budget

  • Training and process change: 3-5% of development budget

  • Resource requirement: Embed security in DevOps teams (1:8 ratio)

Success Metrics (30-Day Targets)

  • Shadow AI: 80% of departments surveyed, 60% of systems discovered

  • Quantum: Completed crypto inventory, vendor shortlist created

  • DevOps: 100% of pipelines scanned, critical configs remediated

  • Compliance: AI usage policy drafted, mental health controls defined

Industry Adjustments

Financial Services

  • Priority: AP2 payment controls and transaction monitoring

  • Regulatory: Prepare for SEC/FINRA AI guidance

  • Timeline: Accelerate quantum migration (customer data exposure)

Healthcare

  • Priority: AI companion mental health protocols

  • Regulatory: HIPAA implications for AI-patient interactions

  • Timeline: Immediate FDA compliance review for AI tools

Manufacturing

  • Priority: OT/IT segmentation before quantum threat

  • Supply Chain: Build 3-month inventory buffers

  • Timeline: JLR scenario planning takes precedence

Retail/E-commerce

  • Priority: Customer-facing AI safety controls

  • Data Protection: PCI compliance with AI payment systems

  • Timeline: Holiday season prep with reduced supply chain

Executive One-Pager

The Ask

Board approval for emergency security investments totaling 8-10% increase in security budget to address existential threats from ungoverned AI and quantum computing.

The Threat (3 Numbers That Matter)

  • 60%: Shadow AI invisible to security teams, doubling yearly

  • 12 months: Quantum computers on laptop chips make encryption breakable

  • 70%: Successful attacks from basic configuration errors

The Impact

  • Jaguar: 3-month shutdown from single attack

  • FTC: Criminal liability for AI without safety controls

  • Supply Chain: 40% increase in maritime attacks

Required Actions (This Week)

  1. Approve shadow AI discovery initiative (0.5% of security budget)

  2. Authorize quantum assessment (0.2% of IT budget)

  3. Mandate DevOps security integration (policy change, not just tools)

Success Criteria (30 Days)

  • Map 80% of AI deployments

  • Complete encryption inventory

  • Remediate critical DevOps configurations

  • Draft AI safety protocols

The Choice

Act this week to maintain competitive position, or accept that ungoverned AI and quantum threats will determine company fate. Market leaders are already moving.

CISO Toolkit

Practical First Steps

  1. Shadow AI Discovery: Start with email surveys to department heads, cloud billing analysis, and network traffic inspection for AI API calls

  2. Quantum Readiness: Run cryptographic discovery tools, identify systems using RSA/ECC

  3. DevOps Audit: Review GitHub/GitLab for exposed secrets, infrastructure-as-code misconfigurations

Tool Categories (Existing Capabilities)

Shadow AI Detection

  • CASB platforms: Monitor SaaS AI usage (Microsoft Defender, Zscaler)

  • CSPM tools: Detect AI services in cloud environments

  • Network analysis: DPI for AI API traffic patterns

  • Browser security: Track web-based AI tool access

Configuration Management

  • CSPM/CNAPP: Cloud misconfigurations (established category)

  • Secrets scanning: Git repository analysis tools

  • IaC security: Terraform/CloudFormation policy engines

  • Container security: Kubernetes configuration validation

AI Governance (Emerging)

  • DLP extensions: Starting to detect AI data flows

  • API security gateways: Can monitor AI service calls

  • SIEM correlation: AI usage pattern detection emerging

  • Note: Purpose-built AI governance platforms still maturing

Staffing Reality

  • Quantum expertise: Extremely limited, consider consortium approach

  • AI governance: Leverage existing GRC team with AI training

  • DevOps security: Embed security champions, don't create silos

Common Pitfalls to Avoid

  • Don't buy tools before understanding scope

  • Don't assume cloud providers handle quantum migration

  • Don't treat AI governance as purely technical issue

  • Don't wait for perfect vendor solutions that don't exist yet

  • Don't rely on blocklists when threats rebrand (Stark Industries lesson)

Quick Wins (This Week)

  1. Cost-free discovery: Query finance for all AI-related invoices/subscriptions

  2. Instant visibility: Check SSO logs for AI service authentications

  3. NPM security audit: Review all JavaScript dependencies for Shai-Hulud indicators, rotate NPM tokens immediately

  4. DevOps baseline: Run TruffleHog or secrets scanning on your top 10 repositories

  5. Board preparation: Document known AI use cases before shadow discovery surprises you
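For the NPM security audit in item 3, the following added example (not code from this newsletter or from any vendor it names) scans a parsed package-lock.json, in either the version 1 tree layout or the version 2/3 flat layout, for package names on a watch list. The watch list holds the nine CrowdStrike package names quoted in this issue's Social Media Highlights; the sample lockfiles, their package names and their version strings are constructed, and because the page lists no affected versions the match is by name only.

```javascript
'use strict';

// Watch list: the nine CrowdStrike package names quoted in this issue's
// Social Media Highlights. The page gives no affected version numbers, so
// matching is by name only and every hit still needs a manual version check.
const WATCHLIST = new Set([
  '@crowdstrike/commitlint',
  '@crowdstrike/falcon-shoelace',
  '@crowdstrike/foundry-js',
  '@crowdstrike/glide-core',
  '@crowdstrike/logscale-dashboard',
  '@crowdstrike/logscale-file-editor',
  '@crowdstrike/logscale-parser-edit',
  '@crowdstrike/logscale-search',
  '@crowdstrike/tailwind-toucan-base',
]);

// lockfileVersion 2/3 keys are install paths such as
// "node_modules/a/node_modules/@scope/b"; the package name is whatever
// follows the last "node_modules/" segment.
function nameFromInstallPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// lockfileVersion 1 stores a tree keyed by package name, with nested
// "dependencies" objects for packages that could not be hoisted.
function walkV1(deps, trail, hits, watchlist) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const where = trail.concat(name);
    if (watchlist.has(name)) {
      hits.push({ name, version: meta.version || null, path: where.join(' > '), dev: Boolean(meta.dev) });
    }
    walkV1(meta.dependencies, where, hits, watchlist);
  }
}

function scanLockfile(lock, watchlist = WATCHLIST) {
  const hits = [];
  if (lock && typeof lock.packages === 'object' && lock.packages !== null) {
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      if (installPath === '') continue; // the root project itself
      // An aliased install keeps the alias in the path and the real package
      // name in "name", so prefer "name" when it is present.
      const name = meta.name || nameFromInstallPath(installPath);
      if (name && watchlist.has(name)) {
        hits.push({ name, version: meta.version || null, path: installPath, dev: Boolean(meta.dev) });
      }
    }
  } else if (lock) {
    walkV1(lock.dependencies, [], hits, watchlist);
  }
  return hits.sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
}

// Constructed samples: a direct dependency, a look-alike name under another
// scope, a nested dev dependency and an aliased install (v3), then a nested
// dependency in the older tree layout (v1). Versions are placeholders.
const SAMPLE_V3 = {
  name: 'constructed-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-app', version: '1.0.0' },
    'node_modules/@crowdstrike/foundry-js': { version: '0.0.0-constructed' },
    'node_modules/@example/foundry-js': { version: '0.0.0-constructed' },
    'node_modules/build-tool/node_modules/@crowdstrike/commitlint': { version: '0.0.0-constructed', dev: true },
    'node_modules/ui-kit': { name: '@crowdstrike/glide-core', version: '0.0.0-constructed' },
  },
};

const SAMPLE_V1 = {
  name: 'constructed-legacy-app',
  lockfileVersion: 1,
  dependencies: {
    'build-tool': {
      version: '0.0.0-constructed',
      dependencies: { '@crowdstrike/logscale-search': { version: '0.0.0-constructed' } },
    },
    'left-alone': { version: '0.0.0-constructed' },
  },
};

// With a lockfile path as the first argument, scan that file and set a
// non-zero exit code on any hit so a CI step fails; otherwise run the samples.
const target = process.argv[2];
if (target && target.endsWith('.json')) {
  import('node:fs').then((fs) => {
    const hits = scanLockfile(JSON.parse(fs.readFileSync(target, 'utf8')));
    hits.forEach((h) => console.log(`${h.name}@${h.version}  ${h.path}${h.dev ? '  (dev)' : ''}`));
    if (hits.length > 0) process.exitCode = 1;
  }).catch((err) => console.error(`cannot scan ${target}: ${err.message}`));
} else {
  console.log(scanLockfile(SAMPLE_V3), scanLockfile(SAMPLE_V1));
}
```

A hit means the package is installed, not that the installed version is a compromised one; compare each reported version against the registry advisory before treating it as an incident.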

Vendor Reality Check

  • Quantum: Most "quantum-ready" claims are roadmap, not reality

  • AI Governance: Platforms exist but require heavy customization

  • Shadow AI: No single tool catches everything; layer multiple approaches

  • DevOps Security: Tools find problems faster than teams can fix them

Why This Week Matters

The difference between September 17 and September 24 isn't just seven days. It's the gap between leading and reacting. Shadow AI doubles every 18 months, but discovery takes weeks. Quantum computers now run on laptop chips, but migration takes years. DevOps misconfigurations cause 70% of breaches, but cultural change takes quarters.

Three events this week created a closing window:

  1. Google AP2 went live: AI agents can now spend money

  2. UK proved quantum on silicon: The hardware barrier disappeared

  3. FTC opened investigations: Regulatory enforcement began

Organizations starting shadow AI discovery this week will complete it before Q4 planning. Those starting quantum assessment now will have budgets approved before the talent shortage peaks. Those embedding DevOps security today will prevent next quarter's breach.

The window for deliberation has closed. Organizations acting this week shape their future. Those waiting for clarity will be shaped by events.

Top Targeted Sectors & Attack Trends

Threat Highlights:

  • Government/Public: State-sponsored campaigns intensifying.

  • Healthcare: Ransomware activity sustained — sector remains a prime target.

  • Financial Services: Breach disclosures declined — watch for delayed reporting.

  • Technology & Cloud: Still #1 target, but incidents dropped ~10%.

  • Industrial/Manufacturing: Stable targeting, supply chain exposure persists.

  • Ransomware: Concentrated on healthcare and government.

  • Exploits/Vulnerabilities: Slight decline, but remain the leading attack vector.

  • Phishing/Social Engineering: Stable levels, with retail and consumer brands impacted.

4-Week Threat Momentum

Critical Accelerations

| Domain | Week 1 | Week 4 | Trajectory |
|---|---|---|---|
| Quantum Funding | Efficiency breakthroughs | $1.6B total investment | PQC timeline: 36→18 months |
| Zero-Days | 3-4 weekly | 120+ Android vulns alone | Patches can't keep pace |
| AI Attacks | 95% enterprise failures | 40% of all attacks | Criminals monetize, enterprises fail |
| Supply Chain | Password managers | Security vendors compromised | Trust model collapsed |

1. Venture Capital Quantum Bet

  • IQM unicorn ($320M) → PsiQuantum ($1B) → Quantinuum ($600M) in 14 days

  • $2B+ signals commercialization, not research

  • 1000-qubit processors achieved

2. Cyber-Kinetic Convergence

  • Week 1: Russia probes infrastructure

  • Week 2: Xi-Putin-Modi summit coordination

  • Week 3: NATO shoots Russian drones

  • Impact: Data centers now military targets

3. The 18-Month Horizon

Multiple metrics converge on 18-month cycles:

  • Quantum threat materialization

  • AI deployment doubling rate

  • Shadow AI discovery gaps

  • Maximum viable planning window

Emerging Cross-Week Patterns

Trust Inversion: Security tools (password managers, DFIR platforms) becoming primary attack vectors

Manufacturing Focus: Patient, state-like targeting of industrial base (Jaguar 3-month shutdown)

AI Asymmetry: Criminals achieve immediate ROI while 95% of enterprise projects fail

Consolidation Rush: $3B+ in security M&A as market acknowledges point solution failure

Strategic Implications

  • Patch capacity: 3x normal now permanent requirement

  • Planning horizon: Quarterly cycles obsolete; 18 months maximum

  • Defensive lag: 18-24 months behind offensive AI

  • Talent crisis: Quantum expertise shortage imminent

The past three weeks mark an inflection point where quantum funding, kinetic warfare, and AI weaponization converged, ending incremental security. Only architectural transformation remains viable.

Regulatory Radar

Immediate Action Required

| Regulation | Deadline | Impact | Readiness Actions |
|---|---|---|---|
| NIST SP 1331 Quick-Start Guide for CSF 2.0 | Sept 21, 2025 | Enhances risk management for cybersecurity frameworks | Submit feedback by Sunday; align internal CSF adoption plans |
| NIST SP 800-53 Rev 5.2.0 Patch Controls | Sept 21, 2025 (extended review) | Mandates secure software updates to mitigate vulnerabilities | Test patch deployment processes; integrate into IR protocols |
| SEC Crypto ETF Listing Rules | Sept 18, 2025 | Authorizes spot crypto ETFs on exchanges | Review portfolio exposure; update compliance for digital assets |
| Ohio Local Gov Cybersecurity Mandates (HB 96) | Sept 30, 2025 | State-level requirements for public sector data protection | Assess municipal contracts; conduct gap analysis for affected entities |

Active Compliance Changes

| Regulation | Status | Impact | Readiness Actions |
|---|---|---|---|
| CMMC Program Expansion | Effective Nov 10, 2025 | DoD contractors must certify cybersecurity maturity | Initiate Level 2 assessments; train supply chain partners |
| EU AI Act GPAI Guidelines | Published July 18, 2025; Ongoing Implementation | Clarifies obligations for general-purpose AI models | Audit high-risk AI deployments; prepare conformity assessments |
| SEC/CFTC Crypto Task Force Harmonization | Active (Roundtable Sept 8) | Joint oversight reduces regulatory overlap in crypto | Harmonize reporting for cross-agency filings; monitor enforcement actions |
| UK Crypto Firm Exemptions Proposal | Proposed Sept 17, 2025 | Eases 'integrity' rules for crypto entities | Evaluate exemptions applicability; revise AML/CTF frameworks |

New This Week - Crypto & AI Shifts

Immediate Effect:

  • SEC Spot Crypto ETF Rules: New listing standards greenlight crypto ETFs, boosting institutional access amid market structure push.

  • UK FCA Crypto Exemptions: Regulator proposes waiving certain integrity and conduct rules for crypto firms to foster innovation.

  • Senator Cruz AI Sandbox Bill: Introduces regulatory waivers for AI testing, aiming to accelerate U.S. innovation without stifling growth.

  • NIST AI Security Overlays Webinar: Insights from Sept 16 session guide AI risk controls integration into federal systems.

Emerging Requirements

Expected Within 30 Days:

  • Crypto Market Structure Legislation: House pushes for CLARITY Act passage by Sept 30, clarifying SEC/CFTC roles.

  • NIST Software Update Controls Revision: Finalized guidance strengthens patch management amid rising supply chain risks.

  • State AI Legislation Wave: Multiple bills in 2025 session target AI ethics and bias mitigation for public sector use.

  • Cyber Safe Harbor Expansions: RIMS outlines 2025 measures for incident response to qualify for legal protections.

Critical Comment Periods:

  • Cybersecurity Program Renewals: Congress seeks input on extending key laws before Sept 30 expiration; focus on funding and scope.

  • Trump Admin AI Action Plan: Mid-year updates invite stakeholder views on federal AI deployment frameworks by Oct 15.

  • Global Crypto Harmonization: SEC/CFTC joint statement feedback due Oct 1 on surveillance and privacy in crypto markets.

  • EU DORA Implementation: Phased rollout for financial sector cyber resilience; comments on AI intersections by Oct 10.

Regulatory Velocity Increase

Pattern Recognition:

  • Tight NIST Windows: Back-to-back comment periods (Sept 21 for CSF/SP 800-53) indicate accelerated federal cyber standardization.

  • Crypto Thaw: Shift from enforcement to enabling (ETFs, exemptions) signals maturation toward integrated financial systems.

  • AI Sandbox Momentum: U.S. bills like Cruz's emphasize testing over bans, contrasting EU's prescriptive approach.

  • State-Federal Overlap: Ohio mandates and national renewals highlight decentralized enforcement challenges.

Action Priority:

Prioritize NIST Sept 21 submissions to influence core cyber frameworks shaping enterprise resilience. With crypto integration accelerating and AI sandboxes emerging, allocate resources for cross-domain audits—quantum threats and physical-cyber hybrids loom, demanding agile compliance teams to navigate this multi-front regulatory surge.


Cybersecurity Stocks

Market Intelligence

The cybersecurity sector posted solid weekly gains averaging +1.20% through September 17, 2025. This was fueled by AI integration tailwinds and upbeat IT services momentum.

However, drags from U.S.-China chip export jitters hammered semis-exposed plays like Broadcom (-6.33%).

Top performers were led by Fastly (+17.26%), surging on fresh CEO Kip Compton's appointment and optimism for its edge computing pivot.

This was followed by CrowdStrike (+4.86%) ahead of its Investor Day spotlighting ARR growth, and Infosys (+4.12%) buoyed by a blowout quarterly EPS beat lifting cybersecurity consulting prospects.

CrowdStrike's +30.20% YTD underscores endpoint fortitude.

Laggards included Gen Digital (-2.02%) and Akamai (-1.19%), hit by rotations out of mature segments.

Meanwhile, YTD frontrunners Cloudflare (+98.63%) and Zscaler (+49.90%) exemplified cloud security's breakout amid escalating threats, lifting the group's overall +8.7% year-to-date advance.

Forward, zero-trust and AI synergies remain compelling, offset by Q3 earnings volatility and Netskope IPO ripples.

Target pullbacks in standouts like CRWD for buys, cementing the sector's edge in a Fed-easing backdrop.

Cyber Intel Brief: Key Insights from Leading Security Podcasts

Highlights from this week's Cyber Intel Report, sourced from top cybersecurity podcasts and webinars:

Cybersecurity faces quantum countdown as financial encryption vulnerabilities threaten $10B daily trades while ransomware actors double holiday attacks causing $100M+ weekly manufacturing shutdowns, NPM "Shai-Hulud" worm self-replicates across supply chains impacting CrowdStrike packages, AI "dragon's head" phenomenon spawns 5 new vulns per fix with enterprises seeing 500 daily intrusion attempts, and EU CRA mandates drive 20-30% compliance costs amid US NDAA cyber budget cuts creating $50M response gaps.

48→24 Hour MTTD reduces breach costs 30% through EDR prioritization over acronym debates while micro-segmentation addresses flat network architectures

Quantum Migration targets 50% post-quantum cryptography by Q1 2026 as RC4 Kerberos vulnerabilities enable offline credential cracking today

Holiday Hardening implements weekend shutdown protocols blocking RDP/SMB outbound with data exfiltration alerts at >200 files/hour achieving <1% incident rates

Geopolitical Reality shows China's IP theft integration yielding $30B+ R&D advantages while domestic actors escalate from retail to critical infrastructure


Interesting Read

Quantum Computing Breakthrough: Startup Runs Qubits on Standard Chips

UK-based startup Quantum Motion has achieved a milestone in quantum computing by running qubits directly on standard semiconductor chips, the same kind used in today’s consumer electronics. Unlike traditional quantum systems that require exotic superconducting circuits or ion traps, Quantum Motion leverages conventional CMOS technology, making quantum systems cheaper, more scalable, and easier to integrate with existing infrastructure.

The company demonstrated stable qubit operations at cryogenic temperatures using off-the-shelf chips fabricated by TSMC. This approach could accelerate quantum computing’s transition from research labs into data centers, enabling practical deployments at a fraction of current costs. By tapping into existing semiconductor supply chains, the firm sidesteps many of the manufacturing bottlenecks plaguing other quantum efforts.

CISO implications:

For security leaders, this development signals that the quantum disruption timeline may accelerate faster than previously expected. Key considerations include:

  • Reevaluating cryptographic roadmaps: Standard-chip quantum designs could shorten the time to break today’s encryption, making post-quantum cryptography adoption more urgent.

  • Vendor dependency and risk: Widespread use of CMOS-based qubits means quantum supply chains will overlap heavily with existing semiconductor dependencies, introducing new concentration risks.

  • Strategic foresight: CISOs should engage boards and risk committees on accelerated quantum scenarios, aligning budgets and strategy with NIST’s post-quantum standards rollout.

Quantum Motion’s achievement shows that quantum security challenges may not be decades away; they could emerge much sooner.

→ Read more at Tom’s Hardware

Fresh From the Field: Security Resources You Can Use

| Title | Publisher / Authors | Focus | Access Link |
|---|---|---|---|
| CISA Mismanaged Cybersecurity Retention Incentive Program and Wasted Funds, Risking Critical Talent Retention | Office of Inspector General, U.S. Department of Homeland Security | Highlights CISA's mismanagement of the Cybersecurity Retention Incentive program, wasting $138M and risking talent retention due to poor design and compliance. | Read the Report |
| Incorporating AI Incident Reporting into Telecommunications Law and Policy: Insights from India | Avinash Agarwal, Manisha J. Nene | Proposes integrating AI incident reporting into India's telecom governance to fill regulatory gaps in AI risks, using India as a case study. | Read the Report |
| Securing segmented networks: Vulnerability detection methods and cybersecurity strategies | Vitalii Vlasenko, Halina Lastivka, Mykola Shalaiev, Dinara Ospanova, Andrii Samila | Presents segmented network architecture for cybersecurity learning, covering design, vulnerability detection, and strategies with Proxmox and OPNsense. | Read the Report |
| Protecting Payments in the Quantum Era: Setting a Course for Action | Nacha | Outlines quantum computing risks to payment security and a high-level action plan for quantum readiness, stressing awareness and quantum-safe standards. | Read the Report |
| FLASH-20250912-001 Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion | Federal Bureau of Investigation (FBI), coordinated with DHS/CISA | Details UNC6040 and UNC6395's compromise of Salesforce for data theft and extortion, including IOCs and mitigations. | Read the Report |

Social Media Highlights

🚨 CrowdStrike has had its NPM packages compromised

Crowdstrike has been caught in a Supply chain attack that so far includes 180 packages from… | Mackenzie Jackson | 181 comments

My big 'HACKED' stamp is back.

CrowdStrike has been caught in a supply chain attack that so far includes 180 packages from various organizations.

CrowdStrike packages compromised include:

  • @crowdstrike/commitlint

  • @crowdstrike/falcon-shoelace

  • @crowdstrike/foundry-js

  • @crowdstrike/glide-core

  • @crowdstrike/logscale-dashboard

  • @crowdstrike/logscale-file-editor

  • @crowdstrike/logscale-parser-edit

  • @crowdstrike/logscale-search

  • @crowdstrike/tailwind-toucan-base

This appears to be a continuation of the Tinycolor attack first discovered by Daniel Pereira that Socket and StepSecurity had reported on. Both discovered that a combined 40 packages were compromised. Since then, an additional 140 packages have been compromised, including those from CrowdStrike. This is ongoing, so expect more compromises to follow.

What the malware does

The malware steals credentials using webhook[.]site; this is especially bad because they are using a free-tier webhook[.]site account, which means all credentials stolen will be public; HOWEVER... it appears they are currently rate-limited, so new exfiltrations of credentials aren't working. This feels like a Zombie attack, as even though the exfiltration method isn't working, new attacks are ongoing, making it feel very automated...

Total list of packages compromised: .... (reached max characters, see comments for full list) | 181 comments on LinkedIn

Stay safe, stay secure.

The CybersecurityHQ Team
