A

You're listening to the Cyberwire Network powered by N2K.

B

Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and vpn, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effort, transform complexity into simplicity and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo@meter.com cyberwire that's M E T E R.com cyberwire. Researchers detail a years long Russian state sponsored cyber espionage campaign Israel's cyber chief warns against complacency Vulnerabilities affect products from Fortinet and Hitachi Energy. Studies show AI models are rapidly improving at offensive cyber tasks. Mitre expands its Defend Cybersecurity ontology to cover operational technology. Texas sues smart TV manufacturers alleging illegal surveillance a fraudulent gift card locks an Apple user out of their digital life. Our guest is Daron Davidson from Cyberproof Israel discussing agentic socks and agentic transformation of an MDR and fat racks. Crack the stacks. Foreign December 17, 2025 I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us. It's great as always to have you with us here today. Amazon's Threat Intelligence team has detailed a years long Russian state sponsored cyber espionage campaign targeting Western critical infrastructure from 2021 through 2025. Attributed with high confidence to Russia's GRU. The activity focused on energy companies, telecom operators, cloud and network infrastructure providers across North America, Europe and parts of the Middle East. The attackers primarily gained access by exploiting vulnerabilities and misconfigurations in cloud hosted network edge devices, including routers, VPNs and management appliances running on AWS. Over time, the campaign shifted from exploiting known software flaws to abusing misconfigurations, allowing quieter and more persistent access. Compromised devices were used to capture network traffic, steal credentials and move laterally into victim environments. Amazon says it has disrupted activity and notified affected customers, highlighting the ongoing risk to critical infrastructure from cloud and supply chain compromises. Israel and the United States face Cyber threats far more severe than those publicly reported, according to Major general Aviad Dagan, head of the Israel Defense Force's Cyber Defense Directorate. Dagan warned that while data breaches often dominate headlines, dozens of cyberattacks have had the potential to damage real world critical infrastructure. He said Israel must assume future cyberattacks will be significantly more destructive than those seen so far and cautioned against complacency despite Israel's strong cyber defenses. Emphasizing national security obligations, Dagan highlighted close cooperation with the United States, including long running joint cyber warfare exercises with US Cyber Command. He cited Iran's 2020 cyberattack on Israel's water system as a near disaster example, noting ongoing hostile activity from Iran, China and others. Alongside reported Israeli cyber responses targeting Iranian infrastructure. CISA has warned of active exploitation of two critical Fortinet authentication bypass vulnerabilities affecting multiple products. Both flaws allow unauthenticated attackers to bypass Forta Cloud single sign on using crafted SAML messages, potentially gaining full administrative control. Exploitation began just days after patches were released. CISA and Fortinet urge organizations to act immediately by isolating management interfaces, disabling Forta Cloud sso, and upgrading to the latest secure versions. Hitachi Energy has disclosed a critical blast radius vulnerability affecting legacy afs, AFR and AFF series products. The flaw stems from weaknesses in the RADIUS protocol that can allow response forgery attacks. Devices are only vulnerable if RADIUS is enabled and the Message Authenticator option is disabled. There is no patch. Hitachi Energy urges organizations to restore default RADIUS settings, verify Message Authenticator is enabled, and ensure affected systems are isolated from the Internet. Researchers and industry leaders warn that fully autonomous AI driven cyberattacks are moving from a distant possibility to an eventual certainty. Recent studies show AI models are rapidly improving at offensive cybertasks, even as today's systems still require human guidance. Executives from Anthropic and Google are set to testify before Congress on how AI is reshaping the cyber threat landscape, with Anthropic warning that AI could enable cyberattacks at unprecedented scale and sophistication. OpenAI has also cautioned that future frontier models may significantly lower the skill and time needed to launch attacks. Academic research, including a Stanford study where an AI agent outperformed most human bug hunters, underscores this trend. While safeguards remain, experts stress urgency in strengthening AI powered defenses and limiting adversarial access to advanced AI technology. MITRE has expanded its Defend Cybersecurity ontology to cover operational technology, creating a structured framework for defending cyber physical systems used in critical infrastructure. Industrial environments and defense operations. Operational technology, which includes controllers, sensors and actuators, directly manages physical processes and poses unique risks as systems become increasingly connected to networks and the cloud. The DEFEND for OT extension provides a shared knowledge model to help organizations understand adversary behaviors, identify essential observations and controls, and protect systems not designed for Internet exposure. Funded by the U.S. department of Defense and the National Security Agency, the framework adds OT specific artifacts, countermeasures and mappings to related resources. MITRE says the open Extensible Ontology will support cybersecurity operations, strategic decision making and collaboration across the global security community. Texas Attorney General Ken Paxton has sued five major smart TV manufacturers Samsung, lg, Sony, Hisense and tcl, alleging they illegally spy on consumers through automated content recognition technology. The lawsuits claim the TVs secretly capture screen data in near real time, track viewing habits across apps and connected devices, and transmit that data for targeted advertising without meaningful user consent. Texas argues the practice violates the state's Deceptive Trade Practices act and seeks significant civil penalties and court orders halting ACR data collection. During litigation, Paxton also raised national security concerns about Chinese based manufacturers Hisense and tcl, citing China's data laws. The complaints say consent mechanisms are misleading, opt out processes are intentionally difficult and consumers are unaware their televisions function as surveillance tools. A long time Apple user has described losing access to their entire Apple digital life after attempting to redeem a $5 Apple gift card, highlighting risks tied to gift card fraud and automated account protections. After the first code was rejected and reissued by a major retailer, Apple locked the account. The affected Apple ID, in use for roughly 25 years, held family photos, messages, purchases and device sync data, effectively disabling multiple devices and a linked developer account. Despite providing receipts, the user says Apple support offered no explanation and refused escalation, suggesting actions that could violate Apple's own policies. While Apple insiders suggest additional factors may be involved, the case underscores the fragility of digital ecosystems, the impact of false fraud flags and the importance of backups and cautious gift card purchases. Coming up after the break, Duron Davidson from Cyber Proof Israel discusses agentic socks and agentic transformation of an MDR and fat racks. Crack the stacks, stick around. What's your 2am Security worry? Is it do I have the right controls in place? Maybe? Are my vendors secure or the one that really keeps you up at night? How do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale and it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started@vanta.com cyber that's V A N T A dot com cyber.

A

Ford BlueCruise Hands Free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive in BlueCruise enabled vehicles like the F150 Express, Explorer and Mustang Mach E available feature on equipped vehicles terms apply. Does not replace safe driving. See Ford.com BlueCruise for more details.

B

Duron Davidson is General Manager and Managing Director of Security Operations at Cyberproof Israel. On today's sponsored Industry Voices segment we discuss agentic socks and agentic transformation of.

C

An MT Dr. Security operations centers for four years have had the very similar even say same pain points over years, starting from slow detections and response to analyst burnout, repetitive tasks in the alert fatigue. At some point of time we kind of came up with this idea or notion of security orchestration, automation and response systems that came out five, six, ten years ago and we started automating all of those predefined processes and tasks and we thought, and so did I, that that is going to solve all of my pain points, my difficulty in scaling security operations, operation SecOps operations and so on also would solve a lot of the inconsistencies in executions across teams and across personnel. Both of the on the L1 and L2 and L3 positions. And the last it did not. It did not because there were still complexities, it was still hard. Regardless of how much we were able to automate, even end to end automation, we still ended up having a lot of these alerts that were that needed manual investigation by analysts to make a decision. And this is where the Gentiq kind of came out and helped us solve a lot of those issues. So about a year ago we started investing a lot in building those those agents and when they say we it's not we as as as in cyber proof we see that across the board, all security operations centers, all MDR vendors and mainly the hyperscalers, the Microsoft of the world, the Google, Palo Alto, et cetera, they started providing the infrastructure that allowed us to really make this change towards energentic soc.

B

Well, for folks who aren't familiar with the whole notion of an Agentix SoC, how do you describe it?

C

So Agentic SoC, if I look towards 2027, that would be fully autonomous security operations center that will take care end to the security life cycle of an alert driven by AI. It will have an agent to agent autonomy that will seamlessly detect, investigate, triage, respond, and as new attacks would be coming out, it will automatically be able to detect when there are gaps and start closing the loop of those gaps in the MITRE framework, for example, automatically by just having a human verifying the actual new rule that is going to be implemented and that fully autonomous SOC will be able to provide services. But that's in the future. Today I think most organizations are around the semi autonomous SOCs, but in high level this is how I would envision it working.

B

And what kinds of agentic behaviors do you think are going to be the most impactful?

C

The holy grail is to get to that fully autonomous. Which means that we need to build the agents for our MDR that would replace our SoC, L1, L2, maybe even to some extent L3. Although I do believe that we always would need those experts being part of our security operations center. And therefore I don't really believe that we'll ever be able to remove the full manual SoC. There will always be a human in the loop. But to your question about which of the of the functions would would benefit most from becoming agentic? It's definitely the, the, the repetitive tasks of L1s and L2s as well as around threat intelligence. Everything to do with gathering threat intelligence, mapping those threat intelligence to specific TTPs, then understanding how those TTPs are being mapped to MITRE to understand is my organization really protected? Those are the things that would be impactful the most first and it would provide the highest value once, once they are fully agentized.

B

How do you suppose this is going to change the role of the analyst? Do you imagine that they'll trust the agentic outputs right away or might there be a learning curve to develop that confidence?

C

We already see the effect of agents being deployed in production and how analysts interact with those engines. The short answer? I believe that our analysts will become much more consultants to our customers rather than having to do a lot of the analytics work that they do today. And instead of doing that, they will become the trusted advisor that will help customers understand the output of the agentic analysis. So that's, that's one area. Another area, they will be the ones that will be developing New agents, they are the SMEs, they are the subject matter experts on threat intelligence, they are the subject matter experts on detection engineering, subject matter experts on a vulnerability management. And therefore they are the ones that can turn their knowledge into agents that can then help our customers. So they will eventually become the developers of these new agents. And then managing those agents or orchestrating those agents will become part of what the security operations center is responsible of being that the L3s or L2s. That's still to be seen.

B

What sort of safeguards are essential to prevent these agentic systems from overstepping their bounds or making unsafe assumptions, things like that.

C

I would divide it into two of these areas. One around the unsafe assumptions and the second the boundaries around what data they're allowed to see use utilize in order to make their decisions. So on the first one, if we. This is kind of what these are kind of the best practices that we have put in place today. Any agent that we are deploying has or inherits the least privileged access of either the analyst that is executing it, or the environment that it is executed on, or the specific applications that it is allowed to use. This way we're making sure that we do not, or we never basically confuse or misuse data from different customers or even different analysts, or even different subject matter experts from, from different teams within the same. Within the same agent or within the same execution of an agent, each of them is kind of working separately and processing that the data separately. We also have human in the loop that is verifying the output of those agents depending on how critical it is and how real time it is. We made the decision of whether this human in the loop will be in between passing the information between agents. So during the runtime or the execution time, or some of it is just oversight. After the agent had completed its work and we are verifying in hindsight whether there are any issues.

B

What's your advice for organizations who are just getting started here? They're considering their own agentic transformation journey. How should they begin?

C

I would start with making sure that you recruited the right team that knows how to architect, develop and secure the work of these, of the agents that you're planning. And I'm not talking only about security agents or agents that's supposed to be part of your security operations or IT management, but also for your own business operations. Some of the things that we had to build basically for sake of our customers that wanted our help in building these kind of agents, is an environment that would allow us to test different models for different business applications and for different, for different needs. And this is kind of the second recommendation. Make sure that you're able to, that you build a complex environment that would allow you the flexibility of testing different models. One, it will save a lot of money down the road because different models have different costing schemas and secondly, because they really provide different results and for different tasks. We see that we need different types of AI models. So that really helps us. Another option is just find someone that have already built these kind of agents and consult. When we started, we actually consulted quite a lot with organizations that have already built a complex, complex systems because we wanted to try and succeed already on the first run, by the way, we didn't. It took time until we build agents that can, that can have the right agent to agent communication. And that's before building mcp, that's before having our own databases that our agents can use and so on. So it was a very complex, lengthy process. So get a team that have already done that before.

B

Can you give us some examples of the types of agents that you're seeing success with the things that are functioning within the soc?

C

Yes, of course. So we need to understand that within the Security Operations center we have both agents that are dedicated only to the SOC operations as well as agents that were built as part of our MVR MSSP across different functions that are then being taken advantage of by our orchestrator or our MDR agent. Whether it's the threat profiler that is part of our CTI threat intelligence family of agent that builds threat profiles using threat intelligence data sources, prioritizes relevant campaigns, actors and techniques and that itself can then be used by the gap guard who is mapping basically to Miter all of these ttps, trying to understand whether there are any gaps in detection. It can also be used by the threat hunting that can aggregate all of this data and build automatically or even gather from open source different rules that can be then deployed back into the siem. The use case management or detection engineering that can automatically find gaps within MITRE and already suggest new rules and so on. All of these agents that were built separately but with clear vision of how agentic SOC should be working down the line are being orchestrated by an MDR agent. And from what I see in the market, this is kind of the approach that many in the market believe in. That MDR source or agentic socks down the line would allow different customers to deploy different use cases and start controlling their budget based on the specific use cases that are relevant for their security controls. For their crown jewels rather than always having the same MDR service. Kind of fits all. And it's not a cookie cutter. Every business needs their own type of mdr. In the past we had to build cookie cutters because that was the only way to sell. Today we can offer customers, and customers are expecting to have a much more flexible agentic service.

B

That's Duron Davidson from Cyberproof Israel.

A

So good, so good, so good. Score holiday gifts Everyone wants for way less at your Nordstrom Rack store. Save on Ugg, Nike, Rag and Bone, Vince Frame, Kurt Geiger, London and more.

B

Because there's always something new.

C

I'm giving all the gifts this year with that extra 5% off when I.

A

Use my Nordstrom credit card. Santa hood join the NordicLub at Nordstrom Rack to unlock our best deals. It's easy. Big gifts, big perks. That's why you rack this message may be shocking to many millennials. If you are one, you might want to sit down. Right now, loads of people are searching the following on low rise jeans, halter top, velour tracksuit, puka shell necklace, disc belt. You likely place these in the dark of your closet in 2004, never to be seen again. But if you can find it in yourself to dust them off, there are a lot of people who will give you money for them. Sell on Depop, where taste recognizes taste.

B

And finally, for a hopeful moment, it seemed possible that the AI boom might be solved with a wrench, some fresh paint, and and a reassuring pat on the server rack. After all, data centers have been around for decades. Surely they could just be upgraded. Experts, unfortunately, have met this optimism with laughter of the professional, deeply tired variety. The issue is not software, it's gravity. AI racks now tip the scales at up to 5,000 pounds, roughly equivalent to parking a compact car where a filing cabinet used to be. Floors crack, elevators groan and doorways revolt. These racks are crammed with GPUs, memory, liquid cooling systems, and power delivery hardware that legacy data centers were never designed to tolerate. As AI gulps down compute, big tech keeps building bigger facilities, while older data centers quietly carry on storing ordinary non AI data. The future is shiny and heavy. The past still needs a place to sit, And that's the Cyber Wire. For links to all the of today's stories, check out our daily briefing at TheCyberWire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show. Please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K senior producer is Alice Co Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ivan. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.