Field notes from the cyber frontline.
Threat research, compliance playbooks, and operator-grade guidance from the Maverc team.

What CMMC 2.0 Certification Actually Costs in 2026: A Realistic Breakdown
From a few thousand dollars for a Level 1 self-attestation to well over $250,000 for a Level 3 program, CMMC 2.0 costs land across a wide range. Here is how the spend actually distributes across preparation, assessment, and ongoing operations — and where defense contractors most often misjudge the budget.

Indirect Prompt Injection Is in the Wild — Just Not Very Good at It Yet
Google scanned a slice of the public web for prompt injection payloads aimed at AI assistants. Most of what they found is amateur hour, but the volume jumped 32 percent in three months and the curve is pointing up.

When the Defenders Switch Sides: Two Security Pros Sentenced for Moonlighting With BlackCat
A former incident response manager and a ransomware negotiator drew four-year federal sentences for using their day-job tradecraft to extort five US companies under the BlackCat/ALPHV banner. The case is a stress test for every insider risk program in the security industry.

The CMMC Readiness Gap: Why Small Manufacturers Keep Underestimating the Lift
Small and mid-sized manufacturers make up the majority of the DoD supply chain — and most are far less ready for a CMMC assessment than their self-scores suggest. Here is what the gap really looks like, and how to close it before contract awards turn on it.

When the Robot Babysitter Becomes the Tenant Admin: The Entra Agent ID Role Scope Bug
A scoping flaw in Microsoft's new Agent ID Administrator role let any holder claim ownership of arbitrary service principals — including ones wired to Global Admin. Microsoft has shipped a fix, but the underlying lesson about non-human identity sprawl is the part that should keep you up.

Beyond MFA: Why Adversary-in-the-Middle Phishing Is Eating Your Identity Stack
Push-based MFA was a decade-old patch on a broken model. Here's how AiTM toolkits like EvilProxy and Tycoon 2FA defeat it — and the phishing-resistant controls that actually stop them.

The CMMC Level 2 Readiness Checklist We Wish Every DIB Contractor Had
If you handle CUI, the C3PAO assessment is coming. Here's the 10-step readiness path Maverc walks every defense industrial base client through before the auditor shows up.

What a Modern OT Ransomware Attack Looks Like — And How to Survive One
From IT pivot to PLC shutdown, today's OT ransomware crews follow a repeatable playbook. Here is what we see in the field and the segmentation controls that contain the blast.

Penetration Test vs Vulnerability Scan: Stop Confusing Your Board
If your last 'pen test' was a Nessus report with a logo on the front page, you bought a scan. Here is the difference, and why it matters for risk decisions and audit evidence.

MTTD and MTTC Benchmarks: What Good Looks Like in 2026
Mean Time to Detect and Mean Time to Contain are the two numbers that decide whether a breach becomes a headline. Here are the targets we hold our SOC to — and how we hit them.

Can ITAR Be CUI? Why ITAR Could Be in Scope for Your CMMC Assessment
Many defense contractors mistakenly believe ITAR-controlled data sits outside the boundaries of CMMC Level 2 — but that assumption could cost you your certification.

What Does Effective Red Teaming Look Like?
Many organizations invest in penetration tests or red team exercises — yet walk away wondering why their security posture hasn't improved. The difference comes down to execution.

Scoping CUI for CMMC Level 2 Certification
Defining the scope of your CUI environment is the first and most critical step in preparing for CMMC Level 2. Get it right, and the rest of the program is achievable.

CMMC Compliance Series: The CMMC Shared Responsibility Matrix
The Shared Responsibility Matrix helps you define which cybersecurity tasks you own and which are handled by service providers like AWS or Microsoft Azure.

Maverc Technologies Secures Statewide Cyber Security Solutions Contract with the Florida Department of Management Services
Maverc Technologies secures State Term Contract No. 43230000-24-STC with the Florida Department of Management Services to provide cybersecurity solutions to state agencies.

Introducing Maverc's AI Penetration Testing Service: The Next Step in Securing Artificial Intelligence
AI systems introduce a new attack surface — model theft, prompt injection, training data poisoning, and adversarial inputs. Maverc's AI Penetration Testing service is purpose-built to find them.

CVE-2024-24919 — Zero-Day Vulnerability Exploiting Check Point Security Gateways
A high-severity information disclosure vulnerability in Check Point Security Gateways is being actively exploited. Here's what to do now.

Unveiling GrimResource: The Latest Microsoft Management Console Exploit for Initial Access and Evasion
GrimResource abuses Microsoft Management Console (MMC) files to execute arbitrary code with minimal detection. Here's how it works and how to defend against it.

Juniper Networks Addresses Critical Vulnerabilities in SRX Firewalls and EX Switches (CVE-2024-21591)
A critical RCE in Juniper SRX and EX devices (CVSS 9.8) lets unauthenticated attackers execute code remotely via J-Web. Patch now.

Ransomware Exploits VMware ESXi Vulnerabilities
Ransomware crews keep returning to VMware ESXi for the same reason: one compromised hypervisor encrypts every VM at once. Here's the pattern and the defenses.

ConnectWise ScreenConnect Faces Attacks Following Critical Bugs — CVE-2024-1708 and CVE-2024-1709
Two critical flaws in ConnectWise ScreenConnect — including an authentication bypass — are under active exploitation by ransomware crews.

Recent Exploits Target Citrix and VMware Vulnerabilities
Citrix NetScaler and VMware vCenter flaws continue to drive initial access for ransomware crews. Here's the current exposure and what to do.

Agent Tesla Malware Evolves: A Persistent Threat Exploiting Multiple Vectors
A new Agent Tesla variant is being distributed through sophisticated phishing campaigns. Here's what's new and what to detect.

Critical ownCloud Vulnerability Exposes Admin Passwords — Actively Exploited by Hackers
CVE-2023-49103 (CVSS 10.0) in ownCloud's graphapi app exposes admin passwords, mail credentials, and license keys. Active exploitation in the wild.

Active Exploitation of Critical Security Flaws in F5's BIG-IP Software (CVE-2023-46747)
An unauthenticated attacker with network access to BIG-IP's management plane can execute arbitrary system commands. Restrict access and patch immediately.

New Research Uncovers the Most Targeted and Vulnerable Assets Are OT and Medical Devices
Medical devices lead in unpatched CVEs, and operational technology assets face the highest volume of cyber attacks. The data has implications for every CISO.

Precision Threat Intelligence Is Vital to Securing Industrial Control Systems and Operational Technology Environments
More than half a million new malware variants are discovered every day. Generic feeds don't help OT defenders — precision intelligence does.

Threat to Traders: WinRAR Zero-Day Vulnerability Exploited (CVE-2023-38831)
Hackers are exploiting a previously unknown WinRAR flaw to target traders and steal digital funds. Patch immediately.

Join Us at ICS Miami November 2nd–3rd
Maverc will be at ICSMiami 2023, joining cybersecurity executives and SMEs to discuss critical infrastructure threats, use cases, and solutions.

CMMC 2.1 Explained: How Is the Cybersecurity Maturity Model Certification Program Changing?
CMMC continues to evolve. Here's what the 2.1 updates mean for security compliance across government contracts and the defense industrial base.