<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>rss.livelink.threads-in-node</title>
    <link>https://techcommunity.microsoft.com/t5/microsoft-security-community/ct-p/microsoft-security-product</link>
    <description>rss.livelink.threads-in-node</description>
    <pubDate>Wed, 01 Jul 2026 07:27:15 GMT</pubDate>
    <dc:creator>microsoft-security-product</dc:creator>
    <dc:date>2026-07-01T07:27:15Z</dc:date>
    <item>
      <title>Introducing a unified alert experience for Microsoft Purview Insider Risk Management</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-community/introducing-a-unified-alert-experience-for-microsoft-purview/ba-p/4530714</link>
      <description>&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Modern insider risk investigations succeed or fail based on how quickly analysts can move from&amp;nbsp;signal to decision&amp;nbsp;with more context.&amp;nbsp;Too often, investigations&amp;nbsp;within Microsoft Purview&amp;nbsp;require&amp;nbsp;high switching costs&amp;nbsp;while analysts struggle with&amp;nbsp;disconnected&amp;nbsp;alert&amp;nbsp;views&amp;nbsp;and scattered case notes across workflows.&amp;nbsp;Every switch slows triage pulling&amp;nbsp;focus away from the risk&amp;nbsp;itself,&amp;nbsp;decreasing the&amp;nbsp;speed and confidence of investigations.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;That’s&amp;nbsp;why&amp;nbsp;we’re&amp;nbsp;unifying the&amp;nbsp;Microsoft Purview&amp;nbsp;Insider Risk Management investigation experience&amp;nbsp;with three connected&amp;nbsp;improvements&amp;nbsp;— a unified alert queue, expanded user profile details, and notes across alerts and cases.&amp;nbsp;Analysts can&amp;nbsp;now&amp;nbsp;triage, understand context, and capture their work in&amp;nbsp;a streamlined investigation flow&amp;nbsp;to help enable&amp;nbsp;faster investigations and increase confidence.&amp;nbsp;Here’s&amp;nbsp;what’s&amp;nbsp;coming to public preview in July 2026:&lt;/SPAN&gt; &lt;/P&gt;
&lt;P&gt;&lt;STRONG style="color: rgb(30, 30, 30); font-size: 24px;"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 10" data-ccp-parastyle-defn="{&amp;quot;ObjectId&amp;quot;:&amp;quot;81d40c56-e640-5cda-82bb-83448542e906|1&amp;quot;,&amp;quot;ClassId&amp;quot;:1073872969,&amp;quot;Properties&amp;quot;:[469777841,&amp;quot;Arial&amp;quot;,469777842,&amp;quot;Arial&amp;quot;,469777843,&amp;quot;Arial&amp;quot;,469777844,&amp;quot;Arial&amp;quot;,469769226,&amp;quot;Arial&amp;quot;,335551500,&amp;quot;12413967&amp;quot;,268442635,&amp;quot;28&amp;quot;,469775450,&amp;quot;heading 10&amp;quot;,201340122,&amp;quot;2&amp;quot;,134234082,&amp;quot;true&amp;quot;,134233614,&amp;quot;true&amp;quot;,469778129,&amp;quot;heading10&amp;quot;,335572020,&amp;quot;1&amp;quot;,134224900,&amp;quot;true&amp;quot;,335559739,&amp;quot;140&amp;quot;,335559738,&amp;quot;320&amp;quot;,335560102,&amp;quot;0&amp;quot;,469775498,&amp;quot;Normal&amp;quot;,469778324,&amp;quot;Normal&amp;quot;]}"&gt;1. One unified alert queue &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 10"&gt;inte&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 10"&gt;grati&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 10"&gt;ng &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 10"&gt;classic and agent workflows together&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:320,&amp;quot;335559739&amp;quot;:140}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;The most disruptive part of triage happens before analysts dig into any single alert:&amp;nbsp;understanding&amp;nbsp;what&amp;nbsp;alerts&amp;nbsp;require the most attention. Today,&amp;nbsp;that means toggling between the classic alert queue and the&amp;nbsp;Data Security Triage&amp;nbsp;Agent’s&amp;nbsp;insights.&amp;nbsp;We’re&amp;nbsp;now&amp;nbsp;bringing them together into a single, unified alerts list.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Instead of switching between two experiences, analysts get one page where they can:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;Preview agent summaries, alert details, and user details directly&amp;nbsp;from&amp;nbsp;the alerts list,&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;reducing the need to&amp;nbsp;open each alert individually.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:80,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;Filter&amp;nbsp;all classic&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;and&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;agent attributes on one page, including a new agent&amp;nbsp;categorization column and the ability to surface agent-triaged alerts that&amp;nbsp;need&amp;nbsp;attention.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:80,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;View and manage the agent directly from the alerts list.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:80,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;Open or&amp;nbsp;act&amp;nbsp;on an alert&amp;nbsp;with the ability to stay within&amp;nbsp;the&amp;nbsp;queue.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:80,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;As part of this unification, alert spotlighting is being&amp;nbsp;retired,&amp;nbsp;and the toggle between agent and classic alerts is going away in favor of the single view. To give teams time to adjust, both the classic and new experiences will remain available for at least&amp;nbsp;60 days, with support for&amp;nbsp;both&amp;nbsp;currently planned&amp;nbsp;through&amp;nbsp;August 31, 2026.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;Explore the unified alert queue&amp;nbsp;here&amp;nbsp;→&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://aka.ms/NewIRMAlertExperienceInProduct" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;New&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;IRM Alert&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt; Experience.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Launch details:&amp;nbsp;Public preview: July 2026&amp;nbsp;&amp;nbsp; |&amp;nbsp;&amp;nbsp; Roadmap ID:&amp;nbsp;&lt;A href="https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&amp;amp;searchterms=564621" target="_blank"&gt;564621&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:120,&amp;quot;335559739&amp;quot;:80,&amp;quot;335572083&amp;quot;:18,&amp;quot;335572084&amp;quot;:8,&amp;quot;335572085&amp;quot;:12413967,&amp;quot;469789810&amp;quot;:&amp;quot;single&amp;quot;}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;img&gt;&lt;SPAN data-contrast="none"&gt;Figure 1: The unified IRM alerts list, showing inline agent summaries, the new Categorization column, and combined classic and agent filtering on a single page.&lt;/SPAN&gt;&lt;/img&gt;
&lt;H4&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 10" data-ccp-parastyle-defn="{&amp;quot;ObjectId&amp;quot;:&amp;quot;81d40c56-e640-5cda-82bb-83448542e906|1&amp;quot;,&amp;quot;ClassId&amp;quot;:1073872969,&amp;quot;Properties&amp;quot;:[469777841,&amp;quot;Arial&amp;quot;,469777842,&amp;quot;Arial&amp;quot;,469777843,&amp;quot;Arial&amp;quot;,469777844,&amp;quot;Arial&amp;quot;,469769226,&amp;quot;Arial&amp;quot;,335551500,&amp;quot;12413967&amp;quot;,268442635,&amp;quot;28&amp;quot;,469775450,&amp;quot;heading 10&amp;quot;,201340122,&amp;quot;2&amp;quot;,134234082,&amp;quot;true&amp;quot;,134233614,&amp;quot;true&amp;quot;,469778129,&amp;quot;heading10&amp;quot;,335572020,&amp;quot;1&amp;quot;,134224900,&amp;quot;true&amp;quot;,335559739,&amp;quot;140&amp;quot;,335559738,&amp;quot;320&amp;quot;,335560102,&amp;quot;0&amp;quot;,469775498,&amp;quot;Normal&amp;quot;,469778324,&amp;quot;Normal&amp;quot;]}"&gt;2. Expanded user profile details&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 10"&gt;to better understand&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 10"&gt;&amp;nbsp;user risk&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:320,&amp;quot;335559739&amp;quot;:140}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Once an alert has&amp;nbsp;been raised, the next question is about the person behind it:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;Who are they, and how much risk does this really represent?&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;Answering that used to mean piecing context together from multiple places.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;The expanded user profile brings&amp;nbsp;context&amp;nbsp;into one unified view by:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="5" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;Adding new signals from the user’s Entra profile&amp;nbsp;including&amp;nbsp;office location, employee type, department, and last working date.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:80,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="6" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;Aggregating&amp;nbsp;key&amp;nbsp;insider&amp;nbsp;risk signals in one place&amp;nbsp;including&amp;nbsp;Entra profile details, past alert and case history, priority user group status, and policy inclusion.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:80,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;The result is a&amp;nbsp;fuller, more detailed&amp;nbsp;picture&amp;nbsp;of&amp;nbsp;users'&amp;nbsp;risk,&amp;nbsp;to&amp;nbsp;provide&amp;nbsp;investigators&amp;nbsp;with more context for&amp;nbsp;decisions&amp;nbsp;without leaving the alert.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;See expanded user profile details&amp;nbsp;here&amp;nbsp;→&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://aka.ms/NewIRMAlertExperienceInProduct" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;New IRM Alert Experience&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;Where to find it:&lt;/STRONG&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;On&amp;nbsp;the new&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;Alerts (preview)&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;tab — click&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;Alerts (preview)&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;in the left navigation, open an alert, scroll to&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;User details&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;, and select&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;View user details&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;. Note: when pseudo-anonymization is enabled, user profile details will not appear, preserving privacy by design.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Launch details:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;Public preview: July 2026&amp;nbsp;&amp;nbsp; |&amp;nbsp;&amp;nbsp; Roadmap ID:&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&amp;amp;searchterms=564619" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;564619&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;img&gt;&lt;SPAN data-contrast="none"&gt;Figure 2: The unified user details view, combining Entra profile signals with aggregated Insider Risk history and status.&lt;/SPAN&gt;&lt;/img&gt;
&lt;H4&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 10" data-ccp-parastyle-defn="{&amp;quot;ObjectId&amp;quot;:&amp;quot;81d40c56-e640-5cda-82bb-83448542e906|1&amp;quot;,&amp;quot;ClassId&amp;quot;:1073872969,&amp;quot;Properties&amp;quot;:[469777841,&amp;quot;Arial&amp;quot;,469777842,&amp;quot;Arial&amp;quot;,469777843,&amp;quot;Arial&amp;quot;,469777844,&amp;quot;Arial&amp;quot;,469769226,&amp;quot;Arial&amp;quot;,335551500,&amp;quot;12413967&amp;quot;,268442635,&amp;quot;28&amp;quot;,469775450,&amp;quot;heading 10&amp;quot;,201340122,&amp;quot;2&amp;quot;,134234082,&amp;quot;true&amp;quot;,134233614,&amp;quot;true&amp;quot;,469778129,&amp;quot;heading10&amp;quot;,335572020,&amp;quot;1&amp;quot;,134224900,&amp;quot;true&amp;quot;,335559739,&amp;quot;140&amp;quot;,335559738,&amp;quot;320&amp;quot;,335560102,&amp;quot;0&amp;quot;,469775498,&amp;quot;Normal&amp;quot;,469778324,&amp;quot;Normal&amp;quot;]}"&gt;3. Notes across alerts and cases keep context with the work&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Investigation context shouldn’t live in someone’s memory or a side document. Analysts and investigators can now add and view notes directly in alerts and cases within the Purview portal,&amp;nbsp;ensuring&amp;nbsp;the story of an investigation stays with the investigation.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Notes come in two forms:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="7" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;System-generated notes are applied automatically&amp;nbsp;on key changes&amp;nbsp;including&amp;nbsp;alert or case status, assigned user, alert or case closure, and case escalations.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:80,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="8" data-aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;Analyst notes let investigators capture their own observations as they work&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:80,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;This gives teams continuity and a&amp;nbsp;clearer record of investigation activity&amp;nbsp;history without breaking stride.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;&lt;STRONG&gt;Where to find it:&lt;/STRONG&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;In&amp;nbsp;the Notes&amp;nbsp;tab within&amp;nbsp;the alert details&amp;nbsp;panel,&amp;nbsp;and within the Cases tab within a case.&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;Start capturing notes across alerts and cases here→&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://aka.ms/NewIRMAlertExperienceInProduct" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;New IRM Alert Experience&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Launch details:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;Public preview: July 2026&amp;nbsp;&amp;nbsp; |&amp;nbsp;&amp;nbsp; Roadmap ID:&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&amp;amp;searchterms=564620" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;564620&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:120,&amp;quot;335559739&amp;quot;:80,&amp;quot;335572083&amp;quot;:18,&amp;quot;335572084&amp;quot;:8,&amp;quot;335572085&amp;quot;:12413967,&amp;quot;469789810&amp;quot;:&amp;quot;single&amp;quot;}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;img&gt;&lt;SPAN data-contrast="none"&gt;Figure 3: The Notes tab in the alert detail panel, showing both system-generated and analyst-added notes.&lt;/SPAN&gt;&lt;/img&gt;
&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 10" data-ccp-parastyle-defn="{&amp;quot;ObjectId&amp;quot;:&amp;quot;81d40c56-e640-5cda-82bb-83448542e906|1&amp;quot;,&amp;quot;ClassId&amp;quot;:1073872969,&amp;quot;Properties&amp;quot;:[469777841,&amp;quot;Arial&amp;quot;,469777842,&amp;quot;Arial&amp;quot;,469777843,&amp;quot;Arial&amp;quot;,469777844,&amp;quot;Arial&amp;quot;,469769226,&amp;quot;Arial&amp;quot;,335551500,&amp;quot;12413967&amp;quot;,268442635,&amp;quot;28&amp;quot;,469775450,&amp;quot;heading 10&amp;quot;,201340122,&amp;quot;2&amp;quot;,134234082,&amp;quot;true&amp;quot;,134233614,&amp;quot;true&amp;quot;,469778129,&amp;quot;heading10&amp;quot;,335572020,&amp;quot;1&amp;quot;,134224900,&amp;quot;true&amp;quot;,335559739,&amp;quot;140&amp;quot;,335559738,&amp;quot;320&amp;quot;,335560102,&amp;quot;0&amp;quot;,469775498,&amp;quot;Normal&amp;quot;,469778324,&amp;quot;Normal&amp;quot;]}"&gt;Ready to get started?&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 10"&gt;Try the unified&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 10"&gt;Insider Risk Management&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 10"&gt;experience today&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 10"&gt;:&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;A href="https://aka.ms/NewIRMAlertExperienceInProduct" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Click here to get started&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 10"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:320,&amp;quot;335559739&amp;quot;:140}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Privacy Statement:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt; &lt;BR /&gt;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="none"&gt;Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335557856&amp;quot;:16777215}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 30 Jun 2026 19:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-community/introducing-a-unified-alert-experience-for-microsoft-purview/ba-p/4530714</guid>
      <dc:creator>MSlotwinski</dc:creator>
      <dc:date>2026-06-30T19:00:00Z</dc:date>
    </item>
    <item>
      <title>Understand your Sentinel tables at a glance: Monitor with table insights</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-community/understand-your-sentinel-tables-at-a-glance-monitor-with-table/ba-p/4530738</link>
      <description>&lt;H4&gt;&lt;STRONG&gt;What it is&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Table insights is a new panel on the Sentinel Tables page that gives you 30-day ingestion volume per tier, day-over-week fluctuations, the top 5 tables by volume, last-data-received per table, an estimated daily cost, and a volume anomaly indicator.&lt;/P&gt;
&lt;P&gt;Who benefits: SOC engineers chasing silent data connectors, platform owners chasing cost spikes, FinOps teams chasing chargeback clarity — all from the same screen.&lt;/P&gt;
&lt;H4 aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Why&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;these matter&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:280,&amp;quot;335559739&amp;quot;:140}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Every Sentinel customer I talk to has the same two recurring incidents.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:320}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="Quote"&gt;"A third-party data connector stopped sending data three days ago and nobody noticed until a hunt came up empty."&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559685&amp;quot;:360,&amp;quot;335559738&amp;quot;:120,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:320}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Both incidents share a root cause: until now, table-level health lived in a workbook you had to remember to open, a Usage KQL you had to remember to write, or a SentinelHealth alert someone had to remember to configure. In a workspace with 500+ tables and a mix of Microsoft 1st-party data connectors, third-party data connectors, custom logs, and data-lake tables, that's a lot of remembering.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:320}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Table insights flips the model. It puts the answer on the same page where you already manage tiers and retention, so the next time you open the Tables page to right-size a Lake-tier table, the data connector that went silent at 3 a.m. is already staring at you.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:320}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4 aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Try it today&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:280,&amp;quot;335559739&amp;quot;:140}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Open the Defender portal → &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Microsoft Sentinel → Configuration → Tables&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; and expand the &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Table insights&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; panel.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:320}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;img&gt;Figure 1: Table insights panel&lt;/img&gt;
&lt;H4&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;What's&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt; new on the Tables page&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:280,&amp;quot;335559739&amp;quot;:140}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Ingestion volume per tier&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt; &lt;/STRONG&gt;- Analytics vs. Lake split for the last 30 days. The first time you see Lake tier exceeding Analytics, you'll know the data-lake migration is working.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:100,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Table ingestion fluctuations&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt; - tables whose last-24h volume differs from the same day last week beyond a threshold (default 10% and 1 MB).&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="5" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Top 5 tables by daily ingestion volume&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt; &lt;/STRONG&gt;- 30-day trend. The line that looks like a heart-rate monitor is the one your FinOps lead wants to talk about.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:100,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="6" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Last data received&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt; column &lt;/STRONG&gt;– the timestamp of the most recent ingestion into each table.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:100,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="7" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Volume anomaly&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt; column&lt;/STRONG&gt; - signed percentage change versus baseline, right next to the table name.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:100,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="8" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Data sources&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt; – click a table's details to open a side panel listing the data sources that feed it.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4 aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Who wins, and how&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:280,&amp;quot;335559739&amp;quot;:140}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Persona&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Pain today&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Win with Table insights&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;SOC engineer&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Detections silently degrade when a third-party data connector stops sending; you only notice when an incident is missed.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Spot the drop in "Last data received" or a -100% fluctuation before the next shift report.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Data Connector onboarding lead&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;"Did the new data connector light up?" takes a KQL query and a workbook hunt.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;One glance at the Tables page confirms the destination table, tier, and last-received timestamp.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H4 aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;How &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;I'd&lt;/SPAN&gt; &lt;SPAN data-ccp-parastyle="heading 1"&gt;actually use&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt; it&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="9" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Baseline - &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Open the Tables page, filter by Tier = Analytics, sort by Avg. daily ingestion descending.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="10" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Triage silent data connectors - &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Sort by Last data received ascending.&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="11" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Tier review - &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;For every table above a few GB/day with low SOC query usage, evaluate moving it to the Auxiliary or Lake tier. The Est. daily ingestion cost column makes the business case for you.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:100,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="12" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Wire up alerts - &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Convert the fluctuations card into a scheduled analytics rule on SentinelHealth, so the next "-100%" row pages someone instead of waiting for the morning standup.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:100,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="13" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Share the screenshot - &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Drop the ingestion volume per tier card into your monthly business review.&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
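The comparison behind the fluctuations card and the alerting step above, as an added Python example (not code from the post or from Microsoft Sentinel): constructed rows stand in for the Usage table's DataType and Quantity (MB) columns, day 0 is the last 24 hours and day 7 the same day last week, and the default 10% and 1 MB thresholds must both be exceeded, so the -100% silent-connector case and a brand-new table with no baseline come out explicitly.

```python
"""Re-create the Table insights 'fluctuations' comparison offline.

Constructed sample rows stand in for the Log Analytics Usage table
(DataType, Quantity in MB). Day 0 is the last 24 hours; day 7 is the
same weekday one week earlier, the only baseline the card uses.
"""
from collections import defaultdict
from dataclasses import dataclass

PCT_THRESHOLD = 10.0  # card default: signed change versus baseline
MB_THRESHOLD = 1.0    # card default: absolute change; both must be exceeded

# Constructed sample: (DataType, day_offset, megabytes). Not real tenant data.
SAMPLE_USAGE = [
    ("SecurityEvent", 7, 5200.0), ("SecurityEvent", 0, 5150.0),      # steady
    ("CommonSecurityLog", 7, 840.0), ("CommonSecurityLog", 0, 0.0),  # connector went silent
    ("Syslog", 7, 120.0), ("Syslog", 0, 310.0),                      # spike
    ("AuditLogs", 7, 4.0), ("AuditLogs", 0, 4.3),                    # +7.5%: under the pct threshold
    ("DnsEvents", 7, 0.5), ("DnsEvents", 0, 0.9),                    # +80% but only 0.4 MB: under the MB threshold
    ("NewConnector_CL", 0, 15.0),                                    # no baseline row: table just lit up
]


@dataclass
class Fluctuation:
    table: str
    baseline_mb: float
    current_mb: float
    delta_mb: float
    delta_pct: float


def daily_volume(rows, day_offset):
    """Sum megabytes per table for one 24h window (KQL: summarize sum(Quantity) by DataType)."""
    totals = defaultdict(float)
    for table, day, mb in rows:
        if day == day_offset:
            totals[table] += mb
    return totals


def signed_pct_change(current_mb, baseline_mb):
    """Signed percentage versus baseline.

    A table with no baseline volume that now has data is reported as +100%
    (new or re-enabled source); a table that stopped entirely comes out as -100%.
    """
    if baseline_mb == 0.0:
        return 100.0 if current_mb > 0.0 else 0.0
    return round(100.0 * (current_mb - baseline_mb) / baseline_mb, 1)


def find_fluctuations(rows, pct_threshold=PCT_THRESHOLD, mb_threshold=MB_THRESHOLD):
    """Tables whose last-24h volume differs from the same day last week beyond
    BOTH thresholds, most negative first so silent connectors lead the list."""
    current = daily_volume(rows, 0)
    baseline = daily_volume(rows, 7)
    flagged = []
    for table in sorted(set(current) | set(baseline)):
        cur = current.get(table, 0.0)
        base = baseline.get(table, 0.0)
        delta_mb = round(cur - base, 2)
        pct = signed_pct_change(cur, base)
        if abs(pct) >= pct_threshold and abs(delta_mb) >= mb_threshold:
            flagged.append(Fluctuation(table, base, cur, delta_mb, pct))
    return sorted(flagged, key=lambda f: f.delta_pct)


if __name__ == "__main__":
    for f in find_fluctuations(SAMPLE_USAGE):
        print(f"{f.table:20s} {f.baseline_mb:8.1f} MB -> {f.current_mb:8.1f} MB {f.delta_pct:+7.1f}%")
```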
&lt;H4 aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Honest caveats&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:280,&amp;quot;335559739&amp;quot;:140}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="14" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Fluctuations only compare the last 24h to the same day last week.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="15" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Cost numbers are estimates. They're great for relative comparisons, not invoice forecasting.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:100,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="16" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Volume anomaly is most accurate on Analytics-tier tables today; anomaly detection for Lake and Auxiliary tier tables will catch up soon.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:100,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="17" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;The grid shows the table; for third-party data connectors you'll still cross-reference the Tables-to-connectors mapping page to find the upstream data connector.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:100,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="18" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Table insights is a visualization. If you want to be paged, build the SentinelHealth analytics rule.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:100,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H5 aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Resources&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:280,&amp;quot;335559739&amp;quot;:140}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="19" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/manage-data-overview" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Manage data tiers and retention in Microsoft Sentinel&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:100,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="20" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/monitor-data-connector-health" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Monitor the health of your Microsoft Sentinel data connectors&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:100,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="21" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/health-table-reference" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Sentinel health tables reference (SentinelHealth)&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:100,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="22" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/sentinel-tables-connectors-reference" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Sentinel tables and associated connectors&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:100,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="23" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/configure-data-transformation" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Transform or customize data at ingestion time&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:100,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="•" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="24" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/billing-reduce-costs" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Reduce costs for Microsoft Sentinel&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:100,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;•&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/data-lake/sentinel-data-lake-overview" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Sentinel data lake (overview)&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:100,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Mon, 29 Jun 2026 17:48:32 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-community/understand-your-sentinel-tables-at-a-glance-monitor-with-table/ba-p/4530738</guid>
      <dc:creator>NikitaChhabra</dc:creator>
      <dc:date>2026-06-29T17:48:32Z</dc:date>
    </item>
    <item>
      <title>Ask Microsoft Anything: Microsoft Defender Attack Disruption</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-events/ask-microsoft-anything-microsoft-defender-attack-disruption/ec-p/4531369#M2597</link>
      <description>&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-teams="true"&gt; Learn more about attack disruption—Microsoft Defender’s built‑in, AI-powered capability that stops in‑progress attacks at machine speed by analyzing attacker intent, identifying compromised assets, and containing threats before they spread. Bring your questions and hear directly from product experts on real‑world scenarios and best practices.&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What is an AMA?&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;An 'Ask Microsoft Anything' (AMA) session is an opportunity for you to engage directly with Microsoft employees! This AMA will consist of a short presentation followed by taking questions on-camera from the comment section down below! Ask your questions/give your feedback and we will have our awesome Microsoft Subject Matter Experts engaging and responding directly in the video feed. We know this timeslot might not work for everyone, so feel free to ask your questions at any time leading up to the event and the experts will do their best to answer during the live hour. This page will stay up so come back and use it as a resource anytime. We hope you enjoy!&lt;/P&gt;</description>
      <pubDate>Fri, 26 Jun 2026 17:06:45 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-events/ask-microsoft-anything-microsoft-defender-attack-disruption/ec-p/4531369#M2597</guid>
      <dc:creator>Trevor_Rusher</dc:creator>
      <dc:date>2026-06-26T17:06:45Z</dc:date>
    </item>
    <item>
      <title>The state of MCP security in 2026</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-community/the-state-of-mcp-security-in-2026/ba-p/4531327</link>
      <description>&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Co-Author: &lt;a href="javascript:void(0)" data-lia-user-mentions="" data-lia-user-uid="220710" data-lia-user-login="ShalabhPradhan" class="lia-mention lia-mention-user"&gt;ShalabhPradhan​&lt;/a&gt;&lt;BR /&gt;&lt;BR /&gt;A year&amp;nbsp;ago&amp;nbsp;we published&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/understanding-and-mitigating-security-risks-in-mcp-implementations/4404667" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Understanding and mitigating security risks in MCP implementations&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The core idea still holds: the moment a model can choose and call tools, it stops being a question-and-answer box and becomes software that acts. Anything that acts has a trust boundary, and tool descriptions, schemas, outputs, and credentials all sit inside it.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;What has changed is scale. The Model Context Protocol has gone from a promising idea to the way agents connect to tools, data, and systems. Enterprises have stopped experimenting and started shipping into production. This post is a checkpoint: the main risks as they stand now, which of them have moved, and what good security looks like for each.&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 20" data-ccp-parastyle-defn="{&amp;quot;ObjectId&amp;quot;:&amp;quot;741782aa-652f-563c-bdc7-8d2b1b3f555d|1&amp;quot;,&amp;quot;ClassId&amp;quot;:1073872969,&amp;quot;Properties&amp;quot;:[469775450,&amp;quot;heading 20&amp;quot;,201340122,&amp;quot;2&amp;quot;,134234082,&amp;quot;true&amp;quot;,134233614,&amp;quot;true&amp;quot;,469778129,&amp;quot;heading20&amp;quot;,335572020,&amp;quot;1&amp;quot;,134224900,&amp;quot;true&amp;quot;,335551500,&amp;quot;8870446&amp;quot;,268442635,&amp;quot;30&amp;quot;,335559739,&amp;quot;140&amp;quot;,335559738,&amp;quot;320&amp;quot;,335560102,&amp;quot;1&amp;quot;,469777841,&amp;quot;Segoe UI&amp;quot;,469777842,&amp;quot;Segoe UI&amp;quot;,469777843,&amp;quot;Segoe UI&amp;quot;,469777844,&amp;quot;Segoe UI&amp;quot;,469769226,&amp;quot;Segoe UI&amp;quot;]}"&gt;A specification that keeps moving&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;MCP is still evolving quickly, and the spec is revised on a regular&amp;nbsp;cadence. The latest&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://blog.modelcontextprotocol.io/posts/2026-07-28-release-candidate/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;release candidate&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; raises the security baseline in ways worth knowing. &lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Requests now carry what they need, so a gateway can inspect and&amp;nbsp;enforce on&amp;nbsp;every call rather than trust a hidden session. Identity checks between clients and servers are tighter. And a new MCP Apps capability lets a server ship&amp;nbsp;interactive&amp;nbsp;UI that the host&amp;nbsp;renders&amp;nbsp;inside a sandbox.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The protocol deliberately does not enforce security for you. It defines how clients and servers talk, and the rest is your responsibility. Treat "we reviewed MCP last year" as out of date, and revisit your assumptions with each release.&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 20" data-ccp-parastyle-defn="{&amp;quot;ObjectId&amp;quot;:&amp;quot;741782aa-652f-563c-bdc7-8d2b1b3f555d|1&amp;quot;,&amp;quot;ClassId&amp;quot;:1073872969,&amp;quot;Properties&amp;quot;:[469775450,&amp;quot;heading 20&amp;quot;,201340122,&amp;quot;2&amp;quot;,134234082,&amp;quot;true&amp;quot;,134233614,&amp;quot;true&amp;quot;,469778129,&amp;quot;heading20&amp;quot;,335572020,&amp;quot;1&amp;quot;,134224900,&amp;quot;true&amp;quot;,335551500,&amp;quot;8870446&amp;quot;,268442635,&amp;quot;30&amp;quot;,335559739,&amp;quot;140&amp;quot;,335559738,&amp;quot;320&amp;quot;,335560102,&amp;quot;1&amp;quot;,469777841,&amp;quot;Segoe UI&amp;quot;,469777842,&amp;quot;Segoe UI&amp;quot;,469777843,&amp;quot;Segoe UI&amp;quot;,469777844,&amp;quot;Segoe UI&amp;quot;,469769226,&amp;quot;Segoe UI&amp;quot;]}"&gt;The main risks in 2026&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Some of these are the risks we flagged last year. Some have shifted, and authorization in particular has been reworked. Each entry below covers the same three things: what the risk is, what happens if it is exploited, and the controls that help most.&lt;/SPAN&gt;&lt;/P&gt;
&lt;img&gt;Figure 1: MCP Security Overview&lt;/img&gt;
&lt;H5&gt;&lt;STRONG&gt;1. Prompt injection and tool poisoning&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;What it is:&lt;/STRONG&gt; An agent treats everything in its context as trustworthy: tool descriptions, parameter schemas, and the data tools return. Anyone who can plant instructions in any of those can steer the agent. Tool poisoning is the sharp edge, malicious instructions hidden in a tool's description or schema that the model reads and the user usually does not.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;What could happen:&lt;/STRONG&gt; The agent follows the attacker's instructions instead of the user's. It might exfiltrate data through a tool call that looks legitimate, call the wrong tool, or take an action nobody approved.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:120,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Controls:&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt; Treat tool descriptions and outputs as untrusted input, and inspect the full schema before you approve a server. Put the tool list through a human approval step, and show the full tool call rather than a friendly summary. Keep sensitive servers isolated from general-purpose ones so a poisoned tool cannot reach across without further safeguards.&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;STRONG style="color: rgb(30, 30, 30);"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 30"&gt;2. Authorization and the confused deputy&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;What it is:&lt;/STRONG&gt; This is where the protocol moved most. MCP servers are now treated as OAuth 2.0 resource servers, and the guidance has settled on OAuth 2.1, PKCE, and tokens bound to a specific audience. The risk it targets is the confused deputy: a server acting with its own broad privileges on behalf of a user who does not have them, or a proxy that can be tricked into handing an attacker a valid authorization code.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;What could happen:&lt;/STRONG&gt; An attacker uses the server's privileges to reach data or actions the user was never entitled to, sometimes without the user approving anything.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Controls:&lt;/STRONG&gt; Adopt the current authorization model: OAuth 2.1 with PKCE, per-client consent, strict redirect-URI matching, and audience-bound tokens, so a token issued for one server cannot be replayed against another. Put an identity-aware gateway in front of every server and reject any call that does not carry a valid, audience-bound token&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/azure/api-management/validate-azure-ad-token-policy" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Azure API Management can validate Microsoft Entra tokens&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; and check issuer, audience, and expiry before the request reaches a tool.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;Figure 2: Confused Deputy Problem&lt;/img&gt;
&lt;H5&gt;&lt;STRONG style="color: rgb(30, 30, 30);"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 30"&gt;3. Over-broad access and credential aggregation&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;What it is:&lt;/STRONG&gt; A single MCP server often holds credentials for several systems at once, and asks for wider scopes than it needs, such as full mailbox access where read-only would do.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:120,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;What could happen:&lt;/STRONG&gt; One compromised server, or one leaked token, becomes a breach path of every system it touches. Wide scope means a wide blast radius.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Controls:&lt;/STRONG&gt; Apply least privilege, per resource: scoped, narrow OAuth scopes over wildcards; short-lived tokens over long-lived secrets. Give every agent an identity you can govern, like&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/entra/agent-id/what-is-microsoft-entra-agent-id" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Entra Agent ID&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;,&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; so you can apply policy to a whole class of agents or shut them down in one operation.&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN style="color: rgb(30, 30, 30);"&gt;4. Supply chain and rug pulls&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;What it is:&lt;/STRONG&gt; An MCP server is never just the server. It is the server, its dependencies, and the infrastructure it runs on, and each of those is a way in. A typo squatted package, a compromised dependency, or a change of ownership behind the same URL can all turn a trusted server hostile. Also, known as a 'rug pull' attack where a server behaves while it is being reviewed, earns approval, then changes once agents and workflows already depend on it.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:120,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;What could happen:&lt;/STRONG&gt; The server you approved is no longer the server you run. An ordinary tool call starts leaking its arguments, rewriting a response, or exfiltrating a token, and nothing about the request looks different from the thousands before it.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Controls:&lt;/STRONG&gt; Approval cannot be a one-time event. Build a &lt;A href="https://www.microsoft.com/en-us/securityengineering/sdl/practices/secure-by-design" target="_blank"&gt;Secure By Design&lt;/A&gt; Registry and register every server in a design-time catalog so you have a known-good baseline, pin tool definitions and alert on drift so you have a tripwire for rug pulls, and route everything through a gateway that re-checks identity and policy on every call.&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/azure/api-center/overview" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Azure API Center&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; inventories your APIs and MCP servers, and the &lt;/SPAN&gt;&lt;A href="https://microsoft.github.io/mcp-azure-security-guide/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;OWASP MCP Top 10 mapped to Azure controls&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; lines the risks up against what you already run.&lt;/SPAN&gt;&lt;/P&gt;
&lt;img&gt;Figure 3: Supply Chain - Rug Pull. The approved dependency remains trusted even after ownership, version, or behavior changes.&lt;/img&gt;
&lt;DIV class="lia-align-left"&gt;
&lt;H5 data-ccp-border-top="0.6666666666666666px solid #c9c9c9" data-ccp-padding-top="10.666666666666666px"&gt;&lt;STRONG&gt;&lt;SPAN style="color: rgb(30, 30, 30); text-align: left;"&gt;5. Shadow MCP&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;/DIV&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;What it is:&lt;/STRONG&gt; This is shadow IT for the AI era. A developer stands up a server to unblock a demo or get some work done quickly, a team wires an agent to whatever endpoint is handy, and nobody registers or verifies it.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;What could happen:&lt;/STRONG&gt; &amp;nbsp;You cannot govern, patch, or revoke what you cannot see, and ungoverned servers are where supply chain problems tend to hide.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Controls:&lt;/STRONG&gt; Start with visibility, of what exists, and a runtime gateway that everything routes through. The&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/entra/global-secure-access/how-to-view-model-context-protocol-logging" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;GSA AI Gateway&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;helps you surface the unregistered, shadow servers you&amp;nbsp;didn't&amp;nbsp;know were running.&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN style="color: rgb(30, 30, 30);"&gt;6. Command injection and sandbox escape&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;What it is:&lt;/STRONG&gt; Many MCP servers run locally and talk over standard input/output, spawning subprocesses and touching the file system. If a server passes unsanitized input into a shell or a file path, you have command injection or path traversal, and that has been one of the largest classes of MCP vulnerabilities reported this year.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;What could happen:&lt;/STRONG&gt; Arbitrary code runs on the host, or a server reaches files and credentials well outside what it should, in the worst cases with no user approval at all.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Controls:&lt;/STRONG&gt; Sandbox local servers in containers with only the file-system and network access they need, and block outbound traffic by default. Validate and sanitize every input and output, and never pass raw shell commands or unsanitized paths. Keep servers and SDKs patched, because this class of bug is being fixed in the field constantly.&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 20" data-ccp-parastyle-defn="{&amp;quot;ObjectId&amp;quot;:&amp;quot;741782aa-652f-563c-bdc7-8d2b1b3f555d|1&amp;quot;,&amp;quot;ClassId&amp;quot;:1073872969,&amp;quot;Properties&amp;quot;:[469775450,&amp;quot;heading 20&amp;quot;,201340122,&amp;quot;2&amp;quot;,134234082,&amp;quot;true&amp;quot;,134233614,&amp;quot;true&amp;quot;,469778129,&amp;quot;heading20&amp;quot;,335572020,&amp;quot;1&amp;quot;,134224900,&amp;quot;true&amp;quot;,335551500,&amp;quot;8870446&amp;quot;,268442635,&amp;quot;30&amp;quot;,335559739,&amp;quot;140&amp;quot;,335559738,&amp;quot;320&amp;quot;,335560102,&amp;quot;1&amp;quot;,469777841,&amp;quot;Segoe UI&amp;quot;,469777842,&amp;quot;Segoe UI&amp;quot;,469777843,&amp;quot;Segoe UI&amp;quot;,469777844,&amp;quot;Segoe UI&amp;quot;,469769226,&amp;quot;Segoe UI&amp;quot;]}"&gt;Wrapping up&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:320,&amp;quot;335559739&amp;quot;:140}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;MCP has not changed what good security looks like, only where you need to apply it. The risks that matter most now sit at the supply chain, in identity, and in servers nobody verified, and the controls that address them are ones you already know: strong identity, least privilege, a gateway in front of every server, sandboxing for local servers, and an alert when an approved tool changes. The spec continues to keep improving, but it still leaves the security decisions to you.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;If you would like to help improve the protocol, you can contribute to the specification&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://github.com/modelcontextprotocol/modelcontextprotocol/issues" target="_blank"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;here&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;In the next part, we'll get practical: a hands-on guide to implementing these controls in depth, with the patterns and configurations you can put to work.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;With thanks to &lt;a href="javascript:void(0)" data-lia-user-mentions="" data-lia-user-uid="538161" data-lia-user-login="Sarah_Young" class="lia-mention lia-mention-user"&gt;Sarah_Young​&lt;/a&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;for their inputs and collaboration on this post.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:160,&amp;quot;335559740&amp;quot;:276}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 30 Jun 2026 16:43:45 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-community/the-state-of-mcp-security-in-2026/ba-p/4531327</guid>
      <dc:creator>JiteshThakur</dc:creator>
      <dc:date>2026-06-30T16:43:45Z</dc:date>
    </item>
    <item>
      <title>Security Community Spotlight: Sathish Veerapandian</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-community/security-community-spotlight-sathish-veerapandian/ba-p/4530697</link>
      <description>&lt;P&gt;&lt;SPAN class="lia-text-color-21"&gt;Meet Sathish Veerapandian: security architect, community collaborator, published author, and cycling enthusiast with a knack for turning real-world customer challenges into product-shaping feedback. From influencing phishing-resistant authentication and malware scanning improvements to helping organizations navigate Microsoft Purview, AI governance, and hybrid work, Sathish brings the best kind of energy to the Microsoft Security Community: curious, practical, generous, and always ready to help others move forward.&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN class="lia-text-color-21"&gt;What do you find most rewarding about being a member of the Microsoft Security Community?&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;I find it most rewarding to be part of a community where knowledge sharing directly contributes to stronger, real world security outcomes. The Microsoft Security Community brings together practitioners, MVPs, engineers, and product teams, creating a space where collaboration leads to practical solutions, continuous learning, and meaningful impact. Being able to share experiences, learn from others, and help shape the direction of Microsoft Security technologies is what makes this community truly valuable to me.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;I have tested and provided feedback on a wide range of products via the&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://aka.ms/SpotlightSecAdvisors" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Security Advisors&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; program. Some examples include extending FIDO support for on-premises environments; improving Microsoft Defender for Storage malware scanning with Sentinel integration, cost estimation, delta scanning, and scheduled scans; streamlining Microsoft Purview DSPM for AI onboarding and Insider Risk visibility; and strengthening Predictive Shielding by turning risk insights into preventive Conditional Access controls.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Overall, these examples reflect how I collaborate:&amp;nbsp;identifying&amp;nbsp;real-world gaps during implementation and operations, translating them into clear product feedback, and contributing in ways that help Microsoft engineering and the broader community.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Could you share something&amp;nbsp;you’re&amp;nbsp;proud of or a project&amp;nbsp;you’ve&amp;nbsp;completed?&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;One project I’m particularly proud of is co-authoring the book&amp;nbsp;&lt;/SPAN&gt;&lt;EM&gt;&lt;SPAN data-contrast="auto"&gt;Reimagine Remote Working with Microsoft Teams&lt;/SPAN&gt;&lt;/EM&gt;&lt;SPAN data-contrast="auto"&gt; with my community colleagues during the COVID pandemic. At that time, we saw a significant increase in questions from organizations on how to effectively utilize Microsoft Teams to enable efficient and productive remote work. Recognizing this need, we took the initiative to bring together our collective experience and authored the book as a team. Our main goal was to help organizations improve their collaboration. We came together as a team and shared our real-world experience. &lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;201341983&amp;quot;:0,&amp;quot;335551550&amp;quot;:1,&amp;quot;335551620&amp;quot;:1,&amp;quot;335557856&amp;quot;:16777215,&amp;quot;335559685&amp;quot;:0,&amp;quot;335559737&amp;quot;:0,&amp;quot;335559738&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Authoring this book also motivated my colleagues to become more interested in the Microsoft MVP Program and contributing to the&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-security" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Tech Community forums&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;,&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;which helped a lot of people.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;201341983&amp;quot;:0,&amp;quot;335551550&amp;quot;:1,&amp;quot;335551620&amp;quot;:1,&amp;quot;335557856&amp;quot;:16777215,&amp;quot;335559685&amp;quot;:0,&amp;quot;335559737&amp;quot;:0,&amp;quot;335559738&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.packtpub.com/en-us/product/reimagine-remote-working-with-microsoft-teams-9781801811019" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Reimagine Remote Working with Microsoft Teams&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;is&amp;nbsp;available for public purchase and has been used by IT professionals, team leaders, and organizations looking to strengthen their hybrid&amp;nbsp;work strategy. A copy of the book&amp;nbsp;was&amp;nbsp;also archived in the Microsoft Corporate Library in Redmond, which is a personal milestone and an honor as an MVP.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134233117&amp;quot;:false,&amp;quot;134233118&amp;quot;:false,&amp;quot;201341983&amp;quot;:0,&amp;quot;335551550&amp;quot;:1,&amp;quot;335551620&amp;quot;:1,&amp;quot;335557856&amp;quot;:16777215,&amp;quot;335559685&amp;quot;:0,&amp;quot;335559737&amp;quot;:0,&amp;quot;335559738&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&amp;nbsp;&lt;BR /&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;What does your ideal community experience look like?&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;My ideal community experience continues to be one where practitioners, MVPs, and product teams collaborate closely to share real- world insights, solve challenges together, and help shape the future of Microsoft Security. &lt;STRONG&gt;I value environments where knowledge flows openly, where hands- on learning is encouraged, and where community members can contribute through content, discussions, and events that have a meaningful impact on others.&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&amp;nbsp;&lt;BR /&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;How long have you been working with Microsoft Security Products?&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;My Microsoft Security journey began over a decade ago in the on- premises era, working with technologies such as Forefront, TMG, Exchange security, and Antispam solutions. Those early years gave me a deep foundation in securing Microsoft workloads at the infrastructure and perimeter level, long before cloud adoption became mainstream.&amp;nbsp;&amp;nbsp;As the industry shifted, I transitioned into the cloud security space, embracing Microsoft 365 and Azure security capabilities. This evolution led me to focus on data protection, identity, and modern collaboration security, eventually specializing in Microsoft Purview, Copilot DLP, Insider Risk, and Information Protection.&lt;/SPAN&gt;&amp;nbsp;&lt;BR /&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;What features or products have provided the most impact?&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The Microsoft Security products that have had the most impact&amp;nbsp;for&amp;nbsp;me are the ones that&lt;STRONG&gt; directly improve security outcomes while staying deployable at scale&lt;/STRONG&gt;. The most impactful areas have been:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;1)&amp;nbsp; &lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/entra/architecture/auth-passwordless" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Entra ID – FIDO / Passwordless&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;(including on-prem considerations)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Impact:&lt;/STRONG&gt; Enabling phishing-resistant authentication in a way that works for real enterprise environments (including hybrid setups).&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Essential capability:&lt;/STRONG&gt; FIDO/passwordless&amp;nbsp;support that can extend into on-prem realities, so customers are not blocked by architecture constraints.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;2)&amp;nbsp; &lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/on-demand-malware-scanning" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Defender for Storage – On-demand Malware Scanning&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Impact: &lt;/STRONG&gt;Improving security assurance for storage data, especially during high-risk operational events like large-scale migrations.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;Essential capabilities: More effective delta scanning and the ability to run scheduled or on-demand scans aligned to migration windows and operational needs.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;3) &amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/purview/dspm-for-ai?tabs=m365" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Purview – DSPM for AI&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Impact: &lt;/STRONG&gt;Supporting governance and security posture for AI-related data usage, with an experience that enables customers to adopt quickly.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Essential capability:&lt;/STRONG&gt; A smoother enablement/onboarding experience so the subscription/capability can be activated reliably and used without friction.&lt;/SPAN&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;4)&amp;nbsp; &lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-xdr/shield-predict-threats-manage" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Predictive Shielding + Conditional Access (preventive controls)&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Impact: &lt;/STRONG&gt;Turning risk insight into preventive action by applying controls through Conditional Access.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Essential capability:&lt;/STRONG&gt; Preventive enforcement that helps stop risky access/behavior earlier rather than only&amp;nbsp;detecting after&amp;nbsp;the fact.&lt;/SPAN&gt;&amp;nbsp;&lt;/P&gt;
&lt;H5 class=""&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;What advice do you have for others who would like to get involved in the Microsoft Community?&lt;/SPAN&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P class=""&gt;&lt;SPAN data-contrast="auto"&gt;My advice is to simply start by sharing what you know. You don’t need to be an expert to contribute just be willing to help others, document your learnings, and stay curious. The Microsoft Community grows through collaboration, and even small contributions like answering questions, writing a short post, or sharing a demo can make a real impact. Engage consistently, connect with others who share your interests, and focus on adding value. Over time, those small steps build into meaningful involvement, strong relationships, and opportunities you never expected.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Tell us more about you, including where to find you!&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Outside of technology,&amp;nbsp;I’m&amp;nbsp;very passionate&amp;nbsp;about cycling. I run a local cycling community in Almere called the Almere Cycling Club, where we focus on improving the health and fitness of people through regular group rides and community activities.&amp;nbsp;It’s&amp;nbsp;something I&amp;nbsp;truly enjoy&amp;nbsp;because it brings people together, encourages a healthier lifestyle, and creates a positive impact&amp;nbsp;in&amp;nbsp;the place where I live.&amp;nbsp;&amp;nbsp;&lt;/SPAN&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;&lt;SPAN data-contrast="auto"&gt;Here’s where you can connect with me online:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559685&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{&amp;quot;134224900&amp;quot;:true,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;YouTube: &lt;/SPAN&gt;&lt;A href="https://www.youtube.com/@devopsinfo391/video" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;DevOpsInfo 391&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{&amp;quot;134224900&amp;quot;:true,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;LinkedIn: &lt;/SPAN&gt;&lt;A href="https://www.linkedin.com/in/sathish-veerapandian-526a4226/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Sathish Veerapandian&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{&amp;quot;134224900&amp;quot;:true,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Website: https://ezcloudinfo.com&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{&amp;quot;134224900&amp;quot;:true,&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Purview Community Lightning Talk: &lt;/SPAN&gt;&lt;A href="https://youtu.be/-SWX3R2ECPA?si=hUDnf0_-lWZOegoP" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;From Zero to First Signal: Insider Risk Management Prerequisites That Actually Matter&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN class="lia-text-color-21"&gt;Sathish’s story is a reminder that strong communities are built by people who show up with curiosity, generosity, and a willingness to turn real-world experience into shared progress. Whether&amp;nbsp;he’s&amp;nbsp;helping shape Microsoft Security products, guiding organizations through modern security challenges, or bringing people together through cycling, Sathish leads with purpose and impact-&amp;nbsp;and the Microsoft Security Community is stronger because of it.&amp;nbsp;&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;HR style="border: none; border-top: 2px solid #bfbfbf; margin: 20px 0;" /&gt;
&lt;H4&gt;Learn and Engage with the Microsoft Security Community&amp;nbsp;&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Visit the&lt;A class="lia-external-url" href="https://aka.ms/securitycommunity" target="_blank" rel="noopener"&gt; Microsoft Security Community&lt;/A&gt; home.&lt;/LI&gt;
&lt;LI&gt;Log in and follow this &lt;A href="https://aka.ms/bpblog" target="_blank" rel="noopener"&gt;Microsoft Security Community Blog&lt;/A&gt;.&lt;/LI&gt;
&lt;UL&gt;
&lt;LI&gt;Follow = Click the heart in the upper right when you're logged in 🤍&lt;A href="https://aka.ms/MVPMDOvideo" target="_blank" rel="noopener"&gt;.&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;LI&gt;Subscribe to the &lt;A class="lia-external-url" href="https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbRykv0w7KoL5Jj4AzbOLp7XxUQzBNR1lWOFFNR1lHTEhaQUlGTzZIUzY1RC4u" target="_blank" rel="noopener"&gt;Security Community Email List&lt;/A&gt;&amp;nbsp;and be notified of upcoming events, product feedback surveys, and more.&lt;/LI&gt;
&lt;LI&gt;Get early access to Microsoft Security products and provide feedback to engineers by joining the&amp;nbsp;&lt;A href="https://aka.ms/bpadvisors" target="_blank" rel="noopener"&gt;Microsoft Security Advisors.&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Join the &lt;A style="font-style: normal; font-weight: 400; background-color: rgb(255, 255, 255);" href="https://aka.ms/pbseclinkedin" target="_blank" rel="noopener"&gt;Microsoft Security Community LinkedIn Group&amp;nbsp;&lt;/A&gt;&lt;SPAN style="color: rgb(30, 30, 30);"&gt;and follow the&amp;nbsp;&lt;/SPAN&gt;&lt;A style="font-style: normal; font-weight: 400; background-color: rgb(255, 255, 255);" href="https://aka.ms/pbentralinkedin" target="_blank" rel="noopener"&gt;Microsoft Entra Community on LinkedIn&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Thu, 25 Jun 2026 15:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-community/security-community-spotlight-sathish-veerapandian/ba-p/4530697</guid>
      <dc:creator>RenWoods</dc:creator>
      <dc:date>2026-06-25T15:00:00Z</dc:date>
    </item>
    <item>
      <title>How Karambit.AI and Microsoft Bring Software Authenticity to 14 Billion Files Per Month</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-community/how-karambit-ai-and-microsoft-bring-software-authenticity-to-14/ba-p/4528606</link>
      <description>&lt;H3&gt;&lt;STRONG&gt;The Problem: Static Analysis Without Context&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;Traditional static analysis treats every file as an island. Scan a binary, match against known signatures, flag what you recognize. The approach is well-understood and increasingly insufficient against modern threats.&lt;/P&gt;
&lt;P&gt;The fundamental limitation is the absence of &lt;STRONG&gt;context&lt;/STRONG&gt;. Without it, a packer is just a packer. A network call is just a network call. An obfuscation routine is just an obfuscation routine. Whether that behavior is normal or anomalous, whether it belongs in &lt;EM&gt;this&lt;/EM&gt; software, in &lt;EM&gt;this&lt;/EM&gt; ecosystem, performing &lt;EM&gt;this&lt;/EM&gt; function, is invisible to tools that evaluate files in isolation.&lt;/P&gt;
&lt;P&gt;Attackers exploit this gap. They hide malicious behavior inside legitimate software patterns, evolve their techniques between versions, and distribute intent across multiple components so that no single artifact triggers a detection in a context-free scan.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Context-Aware Behavior Analysis&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;Context-aware analysis inverts the model. Instead of asking "is this file bad?" it asks: &lt;STRONG&gt;"is this file behaving the way it should, given everything we know about this ecosystem?"&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;This requires building and maintaining behavioral context across multiple dimensions:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Ecosystem-level behavioral baselines&lt;/STRONG&gt;: Understanding what behaviors are normal across the entire corpus and which should never appear. In a trusted software ecosystem, obfuscated or packed content is itself an anomaly worth enforcing policy against, regardless of whether the underlying payload is known-malicious.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Behavioral chains with low false-positive rates&lt;/STRONG&gt;: Individual API calls and instructions are ambiguous in isolation. Context-aware analysis identifies &lt;EM&gt;chains&lt;/EM&gt; of behaviors, sequences where data staging feeds into exfiltration, or where privilege escalation is followed by persistence mechanisms, that reveal intent with high confidence.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Cross-file and cross-instance correlation&lt;/STRONG&gt;: Behaviors observed in one file are evaluated against patterns seen across millions of other files and scan instances. Shared behavioral fingerprints reveal family relationships, evolutionary lineage, and coordinated campaigns that single-file analysis cannot surface.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Historical behavioral deltas&lt;/STRONG&gt;: What changed between version N and version N+1? New behaviors in an update, especially behaviors that don't correspond to documented changes, are flagged not because they match a signature, but because they deviate from the established behavioral profile.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The result: dramatically higher detection confidence, lower false-positive rates, and the ability to enforce behavioral policy at the ecosystem level.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Case Study: Packer_Dictator, Behavioral Detection Under Adversary Adaptation&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;Adversaries must change their Tactics, Techniques, and Procedures (TTPs) over time. When a detection capability catches them, they adapt to evade it. This is expected behavior and it is precisely why &lt;STRONG&gt;general detections at the behavior level&lt;/STRONG&gt; are more durable than signature-based approaches. Behavioral patterns are fundamentally harder for adversaries to change without breaking their own tooling.&lt;/P&gt;
&lt;P&gt;The packer family tracked as &lt;STRONG&gt;packer_dictator&lt;/STRONG&gt; illustrates this dynamic clearly.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Initial Detection: Obvious Indicators&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Early variants of packer_dictator used conspicuous binary section names: authoritarian and politically-themed strings that made identification straightforward for anyone examining the PE headers. These were low-hanging indicators, but Karambit.AI's detection wasn't built on them. The system flagged these samples based on their &lt;STRONG&gt;behavioral profile&lt;/STRONG&gt;: the entropy characteristics of their packed sections, the structure of their unpacker initialization routines, and the other patterns used to unpack and execute hidden payloads.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Adversary Adaptation: Surface Changes, Persistent Behavior&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;As detections rolled out, the users of this packer had to adapt. The obvious section names disappeared, replaced by more benign alternatives: .upx0, standard "unpacked" section names, and other strings designed to blend in with legitimate software.&lt;/P&gt;
&lt;P&gt;But the underlying behavior didn't change because it &lt;EM&gt;couldn't&lt;/EM&gt;, not without fundamentally rearchitecting the packer itself.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Entropy Analysis: Seeing Through Surface Changes&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Sliding-window entropy analysis reveals why surface-level changes are insufficient to evade behavioral detection. The entropy profiles of packer_dictator samples, even after the section name changes, maintain a characteristic signature:&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Figure 1: fancontroller.sys sample entropy sliding window&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Figure 2: packer_dictator sample entropy sliding window&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Both profiles exhibit the same structural pattern: a low-entropy region corresponding to the unpacker stub, followed by a sharp transition to a high-entropy plateau spanning the packed payload. This entropy profile is indicative of hidden behaviors, content that has been deliberately obscured, though not necessarily malicious content on its own. The profile shape, transition points, and entropy floor/ceiling ratios form a behavioral fingerprint that persists across variants regardless of metadata changes.&lt;/P&gt;
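&lt;P&gt;The following is an added example, not Karambit.AI's code, showing how a sliding-window entropy profile of the shape described above is computed and summarized into a fingerprint (floor, ceiling, ratio, transition offset, packed fraction). The sample buffers are constructed here: a repeating stub of x86-64-looking opcodes followed by a SHA-256-derived dense payload, plus two controls. The window size, step and the 4.0/6.5 bits-per-byte thresholds are assumptions of this example, not values from the article.&lt;/P&gt;

```python
"""Sliding-window Shannon entropy profiling of a binary.

Added example, not Karambit.AI's code. The sample buffers are constructed
below to mimic the shapes the article describes; thresholds are assumptions.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, List, Optional, Tuple


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 512, step: int = 128) -> List[float]:
    """Entropy of each window; window i covers bytes [i * step, i * step + window)."""
    if window <= 0 or step <= 0:
        raise ValueError("window and step must be positive")
    if len(data) <= window:
        return [shannon_entropy(data)]
    return [shannon_entropy(data[off:off + window])
            for off in range(0, len(data) - window + 1, step)]


def find_packed_region(profile: List[float], window: int, step: int,
                       low: float = 4.0, high: float = 6.5,
                       min_run: int = 4) -> Optional[Tuple[int, int]]:
    """First sustained high-entropy plateau that comes after a low-entropy
    region, as (start_offset, end_offset) in bytes, or None.

    Demanding a low-entropy stub first is what separates the packer shape
    from data that is dense everywhere (an archive, an encrypted blob).
    """
    seen_low = False
    run_start = None
    for i, e in enumerate(profile):
        if e >= high:
            if run_start is None:
                run_start = i
            continue
        if run_start is not None and seen_low and i - run_start >= min_run:
            return run_start * step, (i - 1) * step + window
        run_start = None
        if e < low:
            seen_low = True
    if run_start is not None and seen_low and len(profile) - run_start >= min_run:
        return run_start * step, (len(profile) - 1) * step + window
    return None


def entropy_fingerprint(data: bytes, window: int = 512, step: int = 128) -> Dict[str, float]:
    """Shape summary: entropy floor and ceiling, their ratio, the transition
    offset and the fraction of the file sitting on the high plateau."""
    profile = entropy_profile(data, window, step)
    region = find_packed_region(profile, window, step)
    floor, ceiling = min(profile), max(profile)
    fp: Dict[str, float] = {
        "floor": round(floor, 2),
        "ceiling": round(ceiling, 2),
        "floor_ceiling_ratio": round(floor / ceiling, 3) if ceiling else 0.0,
        "transition_offset": -1,
        "packed_fraction": 0.0,
    }
    if region is not None:
        start, end = region
        fp["transition_offset"] = start
        fp["packed_fraction"] = round((end - start) / len(data), 3)
    return fp


# Constructed samples (no real malware bytes). STUB repeats a handful of
# x86-64-looking opcodes; PAYLOAD is a SHA-256 chain, deterministic but
# statistically indistinguishable from encrypted or compressed data.
STUB = bytes([0x55, 0x48, 0x89, 0xE5, 0x90, 0x90, 0x90, 0xC3]) * 256          # 2048 bytes
PAYLOAD = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(128))  # 4096 bytes
PACKED_SAMPLE = STUB + PAYLOAD      # stub, then a sharp rise to a high plateau
PLAIN_SAMPLE = STUB * 3             # low entropy throughout: nothing hidden
DENSE_SAMPLE = PAYLOAD + PAYLOAD    # high everywhere: no stub, so not the packer shape

if __name__ == "__main__":
    for name, blob in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE), ("dense", DENSE_SAMPLE)):
        print(f"{name:7s} {entropy_fingerprint(blob)}")
```

&lt;P&gt;Requiring a low-entropy region before the plateau is what keeps a compressed archive or an encrypted blob, which are dense throughout, from matching the stub-then-payload shape; whether such uniformly dense content is allowed in an ecosystem is a separate policy question from packer detection.&lt;/P&gt;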
&lt;H4&gt;&lt;STRONG&gt;Unpacker Initialization: Common Structure Enables Generalized Detection&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;At the disassembly level, packer_dictator variants share a common unpacker initialization sequence that enables generalized analysis across the family. Examining the entry-point code of two samples reveals the structural similarity:&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Figure 3: Sample 1 disassembly&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Figure 4: Sample 2 disassembly&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Both samples exhibit a characteristic pattern:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Register preservation&lt;/STRONG&gt;: PUSH R9/PUSH R11 followed by PUSHFQ to save register state and flags before the unpack routine modifies them.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Immediate constant loading&lt;/STRONG&gt;: Large immediate values loaded into registers (MOV R9, 0x689f8c87eebd998c / MOV R11, 0x6592b8afc22b0736) that serve as decryption keys or XOR masks for the unpacking routine.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Arithmetic flag manipulation&lt;/STRONG&gt;: Sequences of TEST, NEG, OR, CMP, NOT, and SETNS instructions that compute control flow decisions based on the loaded constants — a form of opaque predicate that obscures the true branch target.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Stack-based payload resolution&lt;/STRONG&gt;: MOV instructions referencing [RSP + local_120] / [RSP + 0x8] with additional immediate constants written to the stack, setting up parameters for the decompression/decryption loop.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;The structural template is consistent even as the specific constants, register assignments, and opaque predicate formulations change between variants. This is what makes behavioral detection durable: the adversary can rotate constants and rename sections, but the &lt;EM&gt;computational structure&lt;/EM&gt; required to unpack the payload is constrained by the packer's architecture.&lt;/P&gt;
&lt;P&gt;By generalizing detection to this structural level, Karambit.AI's engine identifies new packer_dictator variants, and structurally related packer families, without requiring signature updates for each iteration. And this is only one example of Karambit.AI’s resilience in the face of constantly advancing adversaries.&lt;/P&gt;
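&lt;P&gt;As an added example (not Karambit.AI's engine), the matcher below generalizes the four-step pattern listed above to the structural level: registers, immediates and stack references are reduced to operand classes, and the template is the ordered chain of phases rather than any specific constant or register. The disassembly listings are constructed for this example and are not the figure samples (VARIANT_A reuses the two constants quoted above; VARIANT_B rotates constants and registers and reorders the predicate). The register classes, the 32-bit cutoff for "large" immediates and the phase ordering are assumptions of this example.&lt;/P&gt;

```python
"""Structural matching of the unpacker initialization chain.
Added example, not Karambit.AI's engine; listings are constructed."""
import re
from typing import Dict, List, Optional

# x86-64 general-purpose registers at every width collapse to one class (assumption).
_REG = re.compile(r"^(r[a-d]x|r[sd]i|r[sb]p|r(8|9|1[0-5])[dwb]?|e[a-d]x|e[sd]i|e[sb]p"
                  r"|[a-d][xlh]|[sd]il?|[sb]pl?)$")
FLAG_OPS = {"test", "neg", "or", "cmp", "not", "setns"}   # predicate vocabulary from the article
_SIZE_PREFIX = re.compile(r"^(qword|dword|word|byte)\s+(ptr\s+)?")
_IMMEDIATE = re.compile(r"^(0x[0-9a-f]+|[0-9]+)$")


def classify_operand(op: str) -> str:
    """Reduce an operand to a class: REG, IMM, IMM64, MEM(rsp) or MEM."""
    op = _SIZE_PREFIX.sub("", op.strip().lower())
    if _REG.match(op):
        return "REG"
    if op.startswith("[") and op.endswith("]"):
        return "MEM(rsp)" if "rsp" in op else "MEM"
    if _IMMEDIATE.match(op):
        return "IMM64" if int(op, 0) >= 1 << 32 else "IMM"   # 32-bit cutoff: assumption
    raise ValueError(f"unrecognized operand: {op!r}")


def normalize(listing: str) -> List[str]:
    """Turn a disassembly listing into 'mnemonic CLASS CLASS' strings."""
    out = []
    for line in listing.strip().splitlines():
        line = line.split(";", 1)[0].strip()     # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        ops = [classify_operand(o) for o in parts[1].split(",")] if len(parts) == 2 else []
        out.append(" ".join([parts[0].lower()] + ops))
    return out


def _run(ins: List[str], i: int, pred) -> int:
    """Advance i while pred holds for ins[i]; return the first index where it fails."""
    while i < len(ins) and pred(ins[i]):
        i += 1
    return i


def match_unpacker_template(listing: str) -> Optional[Dict[str, int]]:
    """Index at which each phase starts, or None. Phases must appear in order:
    register preservation, 64-bit constant loading, flag-manipulating
    predicate chain, stack-based parameter setup."""
    ins = normalize(listing)
    i = _run(ins, 0, lambda s: s == "push REG")            # 1. PUSH REG..., then PUSHFQ
    if i == 0 or i == len(ins) or ins[i] != "pushfq":
        return None
    phases = {"preserve": 0}
    j = _run(ins, i + 1, lambda s: s == "mov REG IMM64")    # 2. at least two 64-bit keys/masks
    if j - (i + 1) < 2:
        return None
    phases["constants"] = i + 1
    k = _run(ins, j, lambda s: s.split()[0] in FLAG_OPS)    # 3. three or more flag ops, any order
    if k - j < 3:
        return None
    phases["predicate"] = j
    m = _run(ins, k, lambda s: s == "mov MEM(rsp) IMM")     # 4. immediates written to [RSP+...]
    if m == k:
        return None
    phases["stack_setup"] = k
    return phases


VARIANT_A = """
push r9
push r11
pushfq
mov r9, 0x689f8c87eebd998c
mov r11, 0x6592b8afc22b0736
test r9, r11
neg r11
or r9, r11
cmp r9, r11
not r9
setns al
mov qword [rsp+0x8], 0x1a2b3c4d
"""
VARIANT_B = """
push r10
push r12
pushfq
mov r10, 0x1122334455667788   ; rotated key
mov r12, 0x0f0e0d0c0b0a0908   ; rotated mask
test r12, r10
not r10
cmp r10, r12
neg r12
or r10, r12
setns cl
mov qword [rsp+0x120], 0x5566 ; local_120
mov qword [rsp+0x8], 0x7788
"""
# Preservation and large constants present (a SHA-512 IV word), predicate chain absent.
CONSTANTS_ONLY = """
push r9
pushfq
mov r9, 0x6a09e667f3bcc908
mov r11, 0xbb67ae8584caa73b
mov qword [rsp+0x8], 0x10
"""
```

&lt;P&gt;The two variants do not normalize to the same instruction sequence, yet both satisfy the template; CONSTANTS_ONLY does not, which is the point of matching the chain: 64-bit constants by themselves are common in legitimate code (hash initialization vectors, for instance), so a rule on constants alone would be exactly the kind of isolated indicator the article warns against.&lt;/P&gt;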
&lt;H3&gt;&lt;STRONG&gt;From Karambyte to Karambiner: Engineering for Billions&lt;/STRONG&gt;&lt;/H3&gt;
&lt;H4&gt;&lt;STRONG&gt;Karambyte: Building the Context&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Karambyte was Karambit.AI's original analysis engine, purpose-built for deep behavioral extraction from compiled binaries. Its core function was to extract behavioral context (disassembled control flow, API call chains, entropy profiles, packer identification, and behavioral intent classification) and store it for comparison and reference.&lt;/P&gt;
&lt;P&gt;Karambyte proved the model. It demonstrated that context-aware behavioral analysis could identify threats that traditional static analysis missed, by building rich behavioral profiles and comparing them across software versions and file populations. The system extracted context and maintained it internally, enabling the cross-file and cross-version correlation that drove detections like packer_dictator.&lt;/P&gt;
&lt;P&gt;But Karambyte's architecture, extracting &lt;EM&gt;and&lt;/EM&gt; storing context within the same system, created a scaling constraint. As adoption grew and the target moved from hundreds of thousands to billions of files per month, the tight coupling between analysis and context storage became the bottleneck.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Karambiner: Externalizing Context for Scale&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Karambiner re-architected the relationship between analysis and context. Rather than each analysis instance maintaining its own behavioral context store, Karambiner &lt;STRONG&gt;externalized the context layer&lt;/STRONG&gt; into a dedicated reference that can then be customized for the specific organizational context.&lt;/P&gt;
&lt;P&gt;This separation enabled three critical capabilities at scale:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Horizontal analysis throughput&lt;/STRONG&gt;: Analysis scales independently of the context store. Adding processing capacity doesn't require replicating the full behavioral knowledge base.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Context enrichment&lt;/STRONG&gt;: Behavioral context extracted from collective scans can be used in the massively scalable analysis engine.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Ecosystem-wide policy enforcement&lt;/STRONG&gt;: With externalized behavioral context, the system can enforce policies across a large-scale ecosystem, such as blocking all obfuscated or packed content.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;The move from Karambyte to Karambiner was the architectural shift that made scanning of 14 billion files per month possible: a configurable depth of behavioral analysis, with context that scales to the size of the ecosystem rather than the capacity of individual analysis nodes.&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;The Result: Software Behavior Analysis in Microsoft's Pipeline&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;Today, Karambiner is integrated into Microsoft's operational pipeline for build/release and plays a critical role in performing context-aware behavioral analysis across billions of files monthly.&lt;/P&gt;
&lt;P&gt;The operational impact:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Ecosystem-level behavioral policy enforcement&lt;/STRONG&gt;: Obfuscated and packed content that has no legitimate reason to exist in the ecosystem is blocked by policy, informed by the scaled behavioral analysis.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Durable detection under adversary adaptation&lt;/STRONG&gt;: The packer_dictator lineage demonstrates that behavioral detection survives TTP changes that defeat signature-based approaches. Adversaries can change section names, rotate constants, and vary metadata, but the structural behaviors required to execute their payloads remain detectable.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Low false-positive rates at scale&lt;/STRONG&gt;: Because detection decisions are driven by behavioral understanding and the engine is optimized for scale, the system maintains precision even at 14 billion files per month.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Understanding AI capabilities&lt;/STRONG&gt;: Behavior analysis can include understanding of where and how AI is used in an ecosystem.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Deep understanding of the software going to production:&lt;/STRONG&gt; Developers don't always know which components and behaviors make it into production software; behavior analysis has allowed us to catch unexpected components that developers didn’t realize were going to deployment.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;&lt;STRONG&gt;What's Next&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;The partnership between Karambit.AI and Microsoft demonstrates that context-aware behavior analysis can operate at massive scale in production. As software supply chain attacks grow more sophisticated and adversaries continue to evolve their TTPs and to use AI agents to develop code, the ability to understand &lt;EM&gt;what software actually does&lt;/EM&gt;, in context, across billions of files, is foundational infrastructure.&lt;/P&gt;
&lt;P&gt;Software authenticity isn't about checking a signature or trusting a certificate. It's about confirming that every binary does what it should, and nothing more.&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Karambit.AI is the software authenticity platform, ensuring software does only what the developer intended — nothing more. Learn more at &lt;/EM&gt;&lt;A href="https://karambit.ai/" target="_blank" rel="noopener"&gt;&lt;EM&gt;karambit.ai&lt;/EM&gt;&lt;/A&gt;&lt;EM&gt;.&lt;/EM&gt;&lt;/P&gt;
</description>
      <pubDate>Wed, 24 Jun 2026 20:30:26 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-community/how-karambit-ai-and-microsoft-bring-software-authenticity-to-14/ba-p/4528606</guid>
      <dc:creator>AlecCheung</dc:creator>
      <dc:date>2026-06-24T20:30:26Z</dc:date>
    </item>
    <item>
      <title>Securing data and access in the era of AI with Microsoft Entra and Microsoft Purview</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-events/securing-data-and-access-in-the-era-of-ai-with-microsoft-entra/ec-p/4529488#M2580</link>
      <description>&lt;P&gt;As organizations move from experimenting with AI to deploying it at scale, securing sensitive data, access, and AI usage has become mission critical.&lt;BR /&gt;&lt;BR /&gt;In this series, Microsoft experts will show how Microsoft Entra and Microsoft Purview help you:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Protect sensitive data across networks, apps, and AI interactions&lt;/LI&gt;
&lt;LI&gt;Govern access for users, applications, and AI agents&lt;/LI&gt;
&lt;LI&gt;Reduce risk while enabling innovation at scale&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Whether you're shaping your security strategy or implementing controls, you’ll walk away with the guidance you need to secure data and access to AI as one unified strategy.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 100.038%; border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr class="lia-background-color-custom-225b62" style="height: 40px;"&gt;&lt;td class="lia-vertical-align-middle"&gt;
&lt;P style="margin-left: 8px; margin-bottom: 0px;"&gt;&lt;SPAN style="color: #ffffff;"&gt;DATE&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td class="lia-align-left lia-vertical-align-middle" style="height: 40px;"&gt;
&lt;P style="margin-left: 8px; margin-bottom: 0px;"&gt;&lt;SPAN style="color: #ffffff;"&gt;TIME (PDT)&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td class="lia-align-left lia-vertical-align-middle" style="height: 40px;"&gt;
&lt;P style="margin-left: 8px; margin-bottom: 0px;"&gt;&lt;SPAN style="color: #ffffff;"&gt;TOPIC&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr style="height: 20px;"&gt;&lt;td&gt;
&lt;P style="font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 400; font-size: 16px; margin-left: 8px; margin-bottom: 0px;"&gt;July 21&lt;/P&gt;
&lt;/td&gt;&lt;td class="lia-align-left lia-vertical-align-center" style="height: 20px;"&gt;
&lt;P style="font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 400; font-size: 16px; margin-left: 8px; margin-bottom: 0px;"&gt;9:00 AM&lt;/P&gt;
&lt;/td&gt;&lt;td class="lia-align-left lia-vertical-align-center" style="height: 20px;"&gt;
&lt;P style="font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 400; font-size: 16px; margin-left: 8px; margin-bottom: 0px;"&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-occasion" href="https://techcommunity.microsoft.com/event/microsoft-security-events/secure-the-age-of-ai-redefining-trust-data-and-access/4529480" target="_blank" rel="noopener" data-lia-auto-title="Secure the age of AI: Redefining trust, data and access" data-lia-auto-title-active="0"&gt;Secure the age of AI: Redefining trust, data and access&lt;/A&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr style="height: 20px;"&gt;&lt;td&gt;
&lt;P style="font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 400; font-size: 16px; margin-left: 8px; margin-bottom: 0px;"&gt;July 22&lt;/P&gt;
&lt;/td&gt;&lt;td class="lia-align-left lia-vertical-align-center" style="height: 20px;"&gt;
&lt;P style="font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 400; font-size: 16px; margin-left: 8px; margin-bottom: 0px;"&gt;9:00 AM&lt;/P&gt;
&lt;/td&gt;&lt;td class="lia-align-left lia-vertical-align-center" style="height: 20px;"&gt;
&lt;P style="font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 400; font-size: 16px; margin-left: 8px; margin-bottom: 0px;"&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-occasion" href="https://techcommunity.microsoft.com/event/microsoft-security-events/data-and-identity-controls-for-the-browser-and-network/4529481" target="_blank" rel="noopener" data-lia-auto-title="Data and identity controls for the browser and network" data-lia-auto-title-active="0"&gt;Data and identity controls for the browser and network&lt;/A&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr style="height: 20px;"&gt;&lt;td&gt;
&lt;P style="font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 400; font-size: 16px; margin-left: 8px; margin-bottom: 0px;"&gt;July 23&lt;/P&gt;
&lt;/td&gt;&lt;td class="lia-align-left lia-vertical-align-center" style="height: 20px;"&gt;
&lt;P style="font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 400; font-size: 16px; margin-left: 8px; margin-bottom: 0px;"&gt;9:00 AM&lt;/P&gt;
&lt;/td&gt;&lt;td class="lia-align-left lia-vertical-align-center" style="height: 20px;"&gt;
&lt;P style="font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 400; font-size: 16px; margin-left: 8px; margin-bottom: 0px;"&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-occasion" href="https://techcommunity.microsoft.com/event/microsoft-security-events/unlock-ai-agents-without-sacrificing-security/4529484" target="_blank" rel="noopener" data-lia-auto-title="Unlock AI agents without sacrificing security" data-lia-auto-title-active="0"&gt;Unlock AI agents without sacrificing security&lt;/A&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 10.4847%" /&gt;&lt;col style="width: 14.505%" /&gt;&lt;col style="width: 74.9743%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 22px; color: #333333;"&gt;How do I participate?&lt;/H2&gt;
&lt;P&gt;Select the sessions you are interested in, then select &lt;SPAN class="lia-text-color-11"&gt;&lt;STRONG&gt;Add to Calendar&lt;/STRONG&gt;&lt;/SPAN&gt; to save the date and/or the&amp;nbsp;&lt;SPAN class="lia-text-color-11"&gt;&lt;STRONG&gt;Attend &lt;/STRONG&gt;&lt;/SPAN&gt;button to save your spot, receive event reminders, and participate in the Q&amp;amp;A. &lt;BR /&gt;&lt;BR /&gt;Not able to attend live? This session will be recorded and available on demand shortly after airing.&lt;BR /&gt;&lt;BR /&gt;&lt;EM&gt;Don't see Attend or Add to Calendar? Sign in to the Tech Community to join the conversation.&lt;/EM&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 19 Jun 2026 13:32:18 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-events/securing-data-and-access-in-the-era-of-ai-with-microsoft-entra/ec-p/4529488#M2580</guid>
      <dc:creator>Heather_Poulsen</dc:creator>
      <dc:date>2026-06-19T13:32:18Z</dc:date>
    </item>
    <item>
      <title>Unlock AI agents without sacrificing security</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-events/unlock-ai-agents-without-sacrificing-security/ec-p/4529484#M2579</link>
      <description>&lt;P&gt;AI agents are reaching into mailboxes, files, line-of-business apps, and the open web on behalf of your users—and the business wants more of them, faster. To scale agents safely, your security teams need to be able to verify each agent, govern what it can access, and enforce clear boundaries across every interaction.&lt;BR /&gt;&lt;BR /&gt;Learn how Microsoft Entra helps you discover shadow AI agents, govern agent permissions, keep BYOD and endpoint-based agents in scope, and apply Conditional Access to AI prompts and responses. Then see how Microsoft Purview provides visibility into agent activity, strengthens runtime data protection, helps detect agentic risk, and supports auditability across local agents developed on GitHub Copilot CLI, Claude Code, OpenAI Codex, and OpenClaw. Walk away with practical ways to unlock AI agents while keeping access and data protection aligned with your enterprise security needs.&lt;/P&gt;
&lt;H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 22px; color: #333333;"&gt;How do I participate?&lt;/H2&gt;
&lt;P&gt;Select &lt;SPAN class="lia-text-color-20"&gt;&lt;STRONG&gt;Add to Calendar&lt;/STRONG&gt;&lt;/SPAN&gt; to save the date, then click the &lt;STRONG&gt;&lt;SPAN class="lia-text-color-20"&gt;Attend&lt;/SPAN&gt; &lt;/STRONG&gt;button to save your spot, receive event reminders, and participate in the Q&amp;amp;A. Not able to attend live? This session will be recorded and available on demand shortly after airing.&lt;BR /&gt;&lt;BR /&gt;&lt;EM&gt;Don't see Attend or Add to Calendar? Sign in to the Tech Community to join the conversation.&lt;/EM&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table class="lia-background-color-22 lia-border-color-custom-0078d4 lia-border-style-solid" border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td class="lia-border-color-custom-0066cc lia-border-style-dotted"&gt;
&lt;P style="margin: 10px; line-height: 140%; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 400; font-size: 16px;"&gt;This session is part of &lt;STRONG&gt;&lt;A href="https://aka.ms/SecuringDataAndAccess" target="_blank" rel="noopener"&gt;&lt;SPAN class="lia-text-color-11"&gt;Securing data and access in the era of AI with Microsoft Entra and Microsoft Purview&lt;/SPAN&gt;&lt;/A&gt;&lt;/STRONG&gt;. View the full agenda for more insights to help you move from experimenting with AI to deploying it at scale, securing sensitive data, access, and AI usage.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 100.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;</description>
      <pubDate>Fri, 19 Jun 2026 13:06:45 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-events/unlock-ai-agents-without-sacrificing-security/ec-p/4529484#M2579</guid>
      <dc:creator>Heather_Poulsen</dc:creator>
      <dc:date>2026-06-19T13:06:45Z</dc:date>
    </item>
    <item>
      <title>Data and identity controls for the browser and network</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-events/data-and-identity-controls-for-the-browser-and-network/ec-p/4529481#M2578</link>
      <description>&lt;P&gt;Sensitive data doesn't stay still. It moves through browsers, SaaS apps, generative AI tools, and prompts; often beyond the visibility of traditional controls. In this session, see how Microsoft Entra and Purview bring real-time visibility and control to sensitive data in motion across the network. You’ll learn how integrated data security and secure access controls can help reduce leakage risk, support responsible AI adoption, and enable modern work without slowing the business down.&lt;/P&gt;
&lt;H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 22px; color: #333333;"&gt;How do I participate?&lt;/H2&gt;
&lt;P&gt;Select &lt;SPAN class="lia-text-color-20"&gt;&lt;STRONG&gt;Add to Calendar&lt;/STRONG&gt;&lt;/SPAN&gt; to save the date, then click the &lt;STRONG&gt;&lt;SPAN class="lia-text-color-20"&gt;Attend&lt;/SPAN&gt; &lt;/STRONG&gt;button to save your spot, receive event reminders, and participate in the Q&amp;amp;A. Not able to attend live? This session will be recorded and available on demand shortly after airing.&lt;BR /&gt;&lt;BR /&gt;&lt;EM&gt;Don't see Attend or Add to Calendar? Sign in to the Tech Community to join the conversation.&lt;/EM&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table class="lia-background-color-22 lia-border-color-custom-0078d4 lia-border-style-solid" border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td class="lia-border-color-custom-0066cc lia-border-style-dotted"&gt;
&lt;P style="margin: 10px; line-height: 140%; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 400; font-size: 16px;"&gt;This session is part of &lt;STRONG&gt;&lt;A href="https://aka.ms/SecuringDataAndAccess" target="_blank" rel="noopener"&gt;&lt;SPAN class="lia-text-color-11"&gt;Securing data and access in the era of AI with Microsoft Entra and Microsoft Purview&lt;/SPAN&gt;&lt;/A&gt;&lt;/STRONG&gt;. View the full agenda for more insights to help you move from experimenting with AI to deploying it at scale, securing sensitive data, access, and AI usage.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 100.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;</description>
      <pubDate>Fri, 19 Jun 2026 13:07:40 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-events/data-and-identity-controls-for-the-browser-and-network/ec-p/4529481#M2578</guid>
      <dc:creator>Heather_Poulsen</dc:creator>
      <dc:date>2026-06-19T13:07:40Z</dc:date>
    </item>
    <item>
      <title>Secure the age of AI: Redefining trust, data and access</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-events/secure-the-age-of-ai-redefining-trust-data-and-access/ec-p/4529480#M2577</link>
      <description>&lt;P&gt;There is no question that AI is transforming the enterprise: changing how data moves, how decisions are made, and how risk takes shape. As agents access, interpret, and act on sensitive data, unmanaged AI use expands and traditional boundaries blur.&lt;BR /&gt;&lt;BR /&gt;Kicking off our series on Securing Data and Access in the Era of AI, Microsoft Entra VP of Product Sinead O’Donovan and Microsoft Purview GM of Product Maithili Dandige explain why legacy security models fall short in the age of AI—and why you need a strategy that brings together identity, access, and data protection. Want to adopt and enable AI innovation with greater control and confidence? Join us to learn how leading organizations are securing access, protecting data, and establishing trust for the next generation of AI-powered work.&lt;/P&gt;
&lt;H2 style="margin-top: 36px; margin-bottom: 20px; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 600; font-size: 22px; color: #333333;"&gt;How do I participate?&lt;/H2&gt;
&lt;P&gt;Select &lt;SPAN class="lia-text-color-20"&gt;&lt;STRONG&gt;Add to Calendar&lt;/STRONG&gt;&lt;/SPAN&gt; to save the date, then click the &lt;STRONG&gt;&lt;SPAN class="lia-text-color-20"&gt;Attend&lt;/SPAN&gt; &lt;/STRONG&gt;button to save your spot, receive event reminders, and participate in the Q&amp;amp;A. Not able to attend live? This session will be recorded and available on demand shortly after airing.&lt;BR /&gt;&lt;BR /&gt;&lt;EM&gt;Don't see Attend or Add to Calendar? Sign in to the Tech Community to join the conversation.&lt;/EM&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table class="lia-background-color-22 lia-border-color-custom-0078d4 lia-border-style-solid" border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td class="lia-border-color-custom-0066cc lia-border-style-dotted"&gt;
&lt;P style="margin: 10px; line-height: 140%; font-family: 'Segoe UI', Segoe, Tahoma, Geneva, sans-serif; font-weight: 400; font-size: 16px;"&gt;This session is part of &lt;STRONG&gt;&lt;A href="https://aka.ms/SecuringDataAndAccess" target="_blank" rel="noopener"&gt;&lt;SPAN class="lia-text-color-11"&gt;Securing data and access in the era of AI with Microsoft Entra and Microsoft Purview&lt;/SPAN&gt;&lt;/A&gt;&lt;/STRONG&gt;. View the full agenda for more insights to help you move from experimenting with AI to deploying it at scale, securing sensitive data, access, and AI usage.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 100.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;</description>
      <pubDate>Fri, 19 Jun 2026 13:08:32 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-events/secure-the-age-of-ai-redefining-trust-data-and-access/ec-p/4529480#M2577</guid>
      <dc:creator>Heather_Poulsen</dc:creator>
      <dc:date>2026-06-19T13:08:32Z</dc:date>
    </item>
    <item>
      <title>Microsoft Leads a New Era of Software Supply Chain Transparency</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-community/microsoft-leads-a-new-era-of-software-supply-chain-transparency/ba-p/4528369</link>
      <description>&lt;P&gt;Today, Microsoft announces the general availability of Microsoft’s Signing Transparency (MST)&amp;nbsp;– a first-of-its-kind capability that brings unprecedented visibility and trust to our software supply chain. With this release, Microsoft is&amp;nbsp;leading the industry&amp;nbsp;by recording the build of critical cloud services into a publicly readable and verifiable&amp;nbsp;&lt;A href="https://datatracker.ietf.org/group/scitt/documents/" target="_blank" rel="noopener"&gt;SCITT&lt;/A&gt; standard (Supply Chain Integrity, Transparency, and Trust) &lt;SPAN data-teams="true"&gt;compliant blockchain ledger&lt;/SPAN&gt;. This means every production software build for in scope services like Azure Attestation and Azure Managed HSM (Hardware Security Module), Azure confidential ledger, Microsoft Signing Transparency itself (and others over time) – is now logged in an immutable, tamper-evident record. Only builds that are in the MST ledger are deployed to production; this gives customers confidence that the supply chain for these critical services can be audited at anytime.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Notably, the MST ledger is fully&amp;nbsp;&lt;A href="https://github.com/microsoft/scitt-ccf-ledger" target="_blank" rel="noopener"&gt;open source&lt;/A&gt;&amp;nbsp;and built to align with the emerging IETF&amp;nbsp;&lt;A href="https://datatracker.ietf.org/group/scitt/documents/" target="_blank" rel="noopener"&gt;SCITT&lt;/A&gt;&amp;nbsp;standard. By embracing SCITT’s principles and open protocols, Microsoft ensures that MST not only secures our own ecosystem but also contributes to a broader industry movement toward standardized supply chain transparency. The open-source MST ledger serves as a&amp;nbsp;verifiable trust anchor&amp;nbsp;that any organization or researcher can inspect, audit, or even integrate with their own tooling. MST itself meets the highest levels of transparency, backed by a tamper-proof confidential ledger, open-source, and&amp;nbsp;&lt;A href="https://www.ioactive.com/wp-content/uploads/2025/10/Microsoft-Signing-Transparency-Service-Security-Assessment-IOActive-Public-Facing-Report.pdf" target="_blank" rel="noopener"&gt;independently verified&lt;/A&gt;. Specifically,&amp;nbsp;we are&amp;nbsp;making the foundation of our trust model transparent and accessible to everyone – reinforcing that&amp;nbsp;trust must be earned through proof, not just promises.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This launch marks a major milestone in our commitment to&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-overview" target="_blank" rel="noopener"&gt;Zero Trust&lt;/A&gt;&amp;nbsp;principles, extending “never trust, always verify” all the way into the build itself. Building on a public preview introduced late last&amp;nbsp;year,&amp;nbsp;MST’s general availability delivers verifiable transparency at the software level. It transforms traditional code signing with an additive trust layer that is accessible via an open verification model. Every new software update is accompanied by a publicly auditable proof of integrity, enabling security teams to proactively confirm that each update is authentic and unaltered.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;To help organizations get the most out of this capability,&amp;nbsp;we are&amp;nbsp;also introducing a free tool to explore the contents –&amp;nbsp;&lt;A class="lia-external-url" href="http://aka.ms/ledgerexplorer" target="_blank" rel="noopener"&gt;Ledger Explorer&amp;nbsp;&lt;/A&gt;– an offline tool that allows security teams to examine MST ledger entries, verify cryptographic proofs, and even&amp;nbsp;validate&amp;nbsp;the ledger’s integrity independently. This tool, combined with MST’s open design, ensures that&amp;nbsp;every Microsoft customer – and the broader community – can hold us accountable&amp;nbsp;in real time for the software we run on their behalf.&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Key Benefits of Microsoft’s Signing Transparency (MST)&lt;/STRONG&gt;&lt;/H3&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Verified Code Integrity&lt;/STRONG&gt;&amp;nbsp;– Every software release is cryptographically logged in MST’s ledgers. This makes each build&amp;nbsp;&lt;STRONG&gt;tamper-evident and traceable&lt;/STRONG&gt;. If an attacker&amp;nbsp;attempts&amp;nbsp;to inject malicious code or sign an unauthorized update, it will be evident through the well-defined validation step built into the SCITT standard. Organizations gain the&amp;nbsp;assurance that&amp;nbsp;code&amp;nbsp;integrity can be independently confirmed&amp;nbsp;at any time.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Independent Verification &amp;amp; Zero Trust&lt;/STRONG&gt;&amp;nbsp;– MST enables customers and auditors to&amp;nbsp;verify software authenticity on their own, without having to solely rely on vendor attestations. For each update, Microsoft provides a transparency “receipt” (proof of logging) that you can use to prove the update was officially published and unaltered. This fosters a&amp;nbsp;&lt;EM&gt;“don’t just trust, verify”&lt;/EM&gt;&amp;nbsp;approach, empowering security teams to double-check that everything running in their environment aligns with what Microsoft intended.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Audit-Trail &amp;amp; Compliance&lt;/STRONG&gt;&amp;nbsp;– The transparency ledger creates a&amp;nbsp;permanent, auditable timeline&amp;nbsp;of code deployments. Every entry is a record of&amp;nbsp;&lt;EM&gt;what&lt;/EM&gt;&amp;nbsp;was released and&amp;nbsp;&lt;EM&gt;when&lt;/EM&gt;, backed by cryptographic&amp;nbsp;proofs. This simplifies compliance reporting and accelerates forensic analysis.&amp;nbsp;In the event of&amp;nbsp;an incident, you can quickly audit the ledger to see if any unexpected code was introduced. For highly regulated industries,&amp;nbsp;MST offers concrete evidence of software integrity&amp;nbsp;and policy compliance over time.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Leadership &amp;amp; Open Standards&lt;/STRONG&gt;&amp;nbsp;– We are&amp;nbsp;delivering real transparency now, encouraging a future where all critical software is released with verifiable integrity. MST’s&amp;nbsp;open source&amp;nbsp;implementation and&amp;nbsp;SCITT-compliant&amp;nbsp;design exemplify our commitment to openness and collaboration. We believe widespread adoption of these standards will&amp;nbsp;strengthen supply chain security for everyone, making trust verification a universal practice.&amp;nbsp;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;&lt;STRONG&gt;Next Steps&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;Microsoft’s Signing Transparency is more than a new security feature; it shapes the next advances in trust technology. As threats grow more sophisticated, we must evolve the way we assure our customers about the software they depend on. With MST now generally available, we are leading by example: proving that it is possible to open up the traditionally opaque process of software deployment and turn it into a source of strength and trust, empowering each person with verifiable transparency.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We invite the industry to join us on this journey and get started by&amp;nbsp;&lt;A href="https://aka.ms/mst-docs" target="_blank" rel="noopener"&gt;reading the documentation&lt;/A&gt;&amp;nbsp;and&amp;nbsp;&lt;A href="https://aka.ms/ledgerexplorer" target="_blank" rel="noopener"&gt;exploring Ledger Explorer today&lt;/A&gt;! Together, by embracing transparency and open standards, we can turn “trust but verify” from a slogan into an everyday reality for digital infrastructure.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jun 2026 18:01:03 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-community/microsoft-leads-a-new-era-of-software-supply-chain-transparency/ba-p/4528369</guid>
      <dc:creator>ShubhraS</dc:creator>
      <dc:date>2026-06-22T18:01:03Z</dc:date>
    </item>
    <item>
      <title>New Exchange Online Mailbox Auditing Signal: Visibility into IPM to Non-IPM Copy Activity</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-community/new-exchange-online-mailbox-auditing-signal-visibility-into-ipm/ba-p/4526914</link>
      <description>&lt;H4&gt;&lt;STRONG&gt;Background: IPM vs. Non-IPM Subtree&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Every Exchange Online mailbox is organized into two parts:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;IPM subtree (Interpersonal Message subtree)&lt;/STRONG&gt;&amp;nbsp;— the visible, user-facing part of a mailbox, designed for messages exchanged between human recipients. This includes Inbox, Sent Items, Deleted Items, Calendar, Contacts, Tasks, Notes, and any custom folders a user creates. Exchange mailbox auditing has always focused on activity within this area.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Non-IPM subtree&lt;/STRONG&gt;&amp;nbsp;— a hidden folder structure used by Exchange and Microsoft services for system-level storage, such as the Recoverable Items folder. Users cannot see or directly interact with this area from most mail clients (like Outlook).&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;For more details, see&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/office/client-developer/outlook/mapi/ipm-subtree" target="_blank" rel="noopener"&gt;IPM Subtree | Microsoft Learn&lt;/A&gt;.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;The Audit Gap This Addresses&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;A known audit evasion technique involves copying mail items from a user's visible IPM folders into a hidden folder in the non-IPM subtree and then accessing the data from there for exfiltration. This technique has been observed in security investigations against Exchange Online.&lt;/P&gt;
&lt;P&gt;This worked as an evasion method because:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Copy operations are not enabled for auditing by default&lt;/LI&gt;
&lt;LI&gt;Activity in the non-IPM subtree was not audited&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;By staging data in the non-IPM subtree before exfiltration, this activity previously left no trace in the mailbox audit log.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;What's New&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Exchange Online now logs a&amp;nbsp;MailItemsAccessed&amp;nbsp;event whenever a mail item is copied from the IPM subtree to the non-IPM subtree.&lt;/P&gt;
&lt;P&gt;A new&amp;nbsp;AccessType&amp;nbsp;value —&amp;nbsp;CopyFromIPM&amp;nbsp;— has been introduced to distinguish these records from existing&amp;nbsp;MailItemsAccessed&amp;nbsp;events, making them straightforward to query for:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 45%; border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;AccessType&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Description&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Bind&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Existing — individual item access&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Sync&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Existing — bulk sync access&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;CopyFromIPM&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;New - an item in the IPM subtree was accessed to copy its content to the non-IPM subtree&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 39.7665%" /&gt;&lt;col style="width: 60.1648%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;How to Query for These Records&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Use the following PowerShell command to search for&amp;nbsp;CopyFromIPM&amp;nbsp;activity in your tenant:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Search-UnifiedAuditLog -StartDate 4/1/2026 -EndDate 4/15/2026 -FreeText "CopyFromIPM"&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;&lt;STRONG&gt;Understanding the CopyFromIPM Audit Record&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;When a CopyFromIPM event is logged, it is recorded as a MailItemsAccessed operation in the Unified Audit Log. Each record captures an individual mail item that was copied from the IPM subtree to the non-IPM subtree during the operation. When an entire folder is copied, the ItemId that is captured is the Id of the folder; individual records are not captured for each item in the folder.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Feedback&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;If you have any feedback about this change, you can reach out to the &lt;A href="mailto:exchangemailboxaudit-support@microsoft.com" target="_blank" rel="noopener"&gt;ExchangeMailboxAudit-Support&lt;/A&gt; group. We are always happy to hear from you and assist in any way we can.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 10 Jun 2026 15:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-community/new-exchange-online-mailbox-auditing-signal-visibility-into-ipm/ba-p/4526914</guid>
      <dc:creator>NehaArora1</dc:creator>
      <dc:date>2026-06-10T15:00:00Z</dc:date>
    </item>
    <item>
      <title>Level up your Azure Network Security Skills with our Upcoming Webinar Series</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-community/level-up-your-azure-network-security-skills-with-our-upcoming/ba-p/4525584</link>
      <description>&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;As network and application-layer threats continue to evolve, security and infrastructure teams need more than product knowledge. They need practical, scenario-driven guidance they can apply to real workloads. To support that, the Azure Network Security team is hosting a series of upcoming technical webinars covering the capabilities our customers rely on every day:&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-drs?tabs=drs21" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Azure Web Application Firewall (WAF),&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt; &lt;A href="https://learn.microsoft.com/en-us/azure/firewall/firewall-copilot" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Azure Firewall,&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt; &lt;A href="https://learn.microsoft.com/en-us/azure/ddos-protection/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Azure DDoS Protection&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; and &lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/bastion/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Azure Bastion&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Each session is focused on demos, the latest enhancements, and the design and operational decisions you face when securing modern Azure environments. Whether you are protecting customer-facing web applications, hardening east-west and egress traffic, or securing remote administrative access at scale, there is a session in this lineup for you.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;These webinars are ideal for Security Architects and Engineers, Network and Infrastructure teams, SOC Analysts, Cloud Platform Owners, Partner Technical Consultants, and any practitioner responsible for the security posture of workloads running on Azure.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Below is the schedule of the upcoming live deliveries.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Upcoming Events &lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H3&gt;
&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Azure WAF Layer 7 DDoS defense in practice&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Date and time: Thursday, June 18, 2026, at 8am PST&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://securitycommunity.microsoft.com/VirtualEvents/Webinar-Details/?id=1776dc8f-c353-f111-bec7-000d3a58d82a" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;View event details and join&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;As web applications become primary targets for sophisticated application-layer attacks, Azure Web Application Firewall continues to evolve to meet the needs of modern application security teams facing volumetric and targeted application-layer threats. In this webinar, we will explore how Azure WAF enables a layered, adaptive approach to application-layer DDoS mitigation, helping organizations detect and block malicious request patterns through intelligent inspection, control traffic flow to prevent resource exhaustion from abusive sources, progressively challenge suspicious clients to verify legitimacy without disrupting real users, and combine multiple defense mechanisms into a cohesive mitigation strategy that adapts to evolving attack techniques. Whether you're securing customer-facing web apps or business-critical services, this session will equip you with practical approaches to building resilient application-layer defenses on Azure.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;Azure Firewall IDPS Detections and Sentinel Integration&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Date and time: Thursday, July 9, 2026, at 8am PST&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://securitycommunity.microsoft.com/VirtualEvents/Webinar-Details/?id=125d3fb9-c653-f111-bec6-000d3a5bf7ee" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;View event details and join&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;As network threats grow in complexity, organizations need visibility that extends beyond simple traffic filtering into intelligent detection and unified investigation workflows. Azure Firewall's Intrusion Detection and Prevention capabilities continue to evolve to meet the needs of modern security operations teams facing advanced lateral movement, exploitation attempts, and command-and-control activity. In this webinar, we will explore how Azure Firewall identifies malicious network patterns in real time, how detection signals flow seamlessly into Microsoft Sentinel to enrich the broader security narrative, and how security teams can correlate firewall intelligence with other data sources to accelerate threat hunting, streamline incident response, and build a more connected and actionable view of their network security posture.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;What's New in Azure Bastion&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Date and time: Thursday, July 23, 2026, at 8am PST&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://securitycommunity.microsoft.com/VirtualEvents/Webinar-Details/?id=3a4e6d94-ca53-f111-bec6-6045bd06ff19" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;View event details and join&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Secure remote access to cloud workloads remains a critical requirement as organizations scale their Azure environments and adapt to evolving operational demands. Azure Bastion continues to evolve to meet the needs of modern infrastructure teams seeking seamless, browser-based connectivity without exposing virtual machines to the public internet. In this webinar, we'll explore the latest enhancements to Azure Bastion covering new capabilities that improve connectivity options, streamline the administrative experience, expand protocol and session support, and strengthen the overall security posture of remote access workflows. Whether you're managing a handful of VMs or operating at enterprise scale, this session will bring you up to speed on what's new and how these improvements can simplify and secure your day-to-day operations.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;What's New in Azure Firewall&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Date and time: Thursday, August 6, 2026, at 8am PST&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://securitycommunity.microsoft.com/VirtualEvents/Webinar-Details/?id=96d39a8e-bc5e-f111-a826-6045bd023cfc" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;View event details and join&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;As network architectures grow more distributed and threat landscapes more dynamic, organizations need a cloud-native firewall that keeps pace with both modern workload patterns and adversary techniques. Azure Firewall continues to evolve to meet the needs of network and security teams managing hybrid environments, multi-region deployments, and increasingly complex east-west and north-south traffic flows. In this webinar, we will explore the latest enhancements to Azure Firewall covering new policy and rule management capabilities, improvements that expand protocol and traffic inspection coverage, and deeper integrations across the Azure security ecosystem to streamline operations. Whether you are standardizing perimeter protection across a global Azure footprint or modernizing segmentation for business-critical workloads, this session will bring you up to speed on what is new and how these improvements can simplify and strengthen your day-to-day network security operations.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;What's New in Azure Web Application Firewall&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Date and time: Thursday, August 27, 2026, at 8am PST&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://securitycommunity.microsoft.com/VirtualEvents/Webinar-Details/?id=541a5162-4655-f111-bec7-000d3a5ad9f6" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;View event details and join&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Web applications remain primary entry points for attackers, and organizations need a Web Application Firewall that adapts as quickly as the threats targeting their workloads. Azure Web Application Firewall continues to evolve to meet the needs of modern application security teams defending against an expanding mix of OWASP-class attacks, automated abuse, and business logic threats across diverse hosting models. In this webinar, we will explore the latest enhancements to Azure WAF. We will cover new detection and rule capabilities that improve protection accuracy, tuning and exclusion improvements that reduce false positives without weakening coverage, and expanded visibility and analytics that accelerate investigation. Whether you are securing customer-facing web apps or managing WAF policies at scale, this session will bring you up to speed on what's new and how these improvements can simplify and strengthen your application protection strategy&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Past Recordings:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;View additional past webinars from &lt;/SPAN&gt;&lt;A href="https://www.youtube.com/playlist?list=PLmAptfqzxVEVh3-ecmlrdQJ3XAay97KNb" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Azure Network Security &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;on Microsoft Security Community&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt; YouTube&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;Stay connected with the Azure Network Security community&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Influence product feedback and join the &lt;/SPAN&gt;&lt;A href="https://www.youtube.com/playlist?list=PLmAptfqzxVEVh3-ecmlrdQJ3XAay97KNb" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Threat Protection Advisors Program&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Stay up-to-date and follow the &lt;/SPAN&gt;&lt;A href="https://techcommunity.microsoft.com/category/azure-network-security/blog/azurenetworksecurityblog" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Azure Network Security Blog | Microsoft Community Hub&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Engage with peers, ask and answer questions in the &lt;/SPAN&gt;&lt;A href="https://techcommunity.microsoft.com/category/azure-network-security/discussions/azurenetworksecurity" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Azure Network Security discussion board&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;---&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Learn and Engage with the Microsoft Security Community &lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="o" data-font="Courier New" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:1440,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Courier New&amp;quot;,&amp;quot;469769242&amp;quot;:[9675],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;o&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="2"&gt;&lt;SPAN data-contrast="auto"&gt;Log in and follow this &lt;/SPAN&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/category/microsoft-security-product/blog/microsoft-security-blog?action=follow" target="_blank" rel="noopener" data-lia-auto-title="Microsoft Security Community Blog" data-lia-auto-title-active="0"&gt;Microsoft Security Community Blog&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; and post/ interact in the &lt;/SPAN&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-category" href="https://techcommunity.microsoft.com/category/microsoft-security?action=follow" target="_blank" rel="noopener" data-lia-auto-title="Microsoft Security Community discussion spaces" data-lia-auto-title-active="0"&gt;Microsoft Security Community discussion spaces&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="o" data-font="Courier New" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:1440,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Courier New&amp;quot;,&amp;quot;469769242&amp;quot;:[9675],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;o&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="2"&gt;&lt;SPAN style="font-style: var(--lia-blog-font-style); font-family: var(--lia-blog-font-family); font-size: var(--lia-bs-font-size-base);" data-contrast="auto"&gt;Follow = Click the heart in the upper right when you're logged in&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN style="font-style: var(--lia-blog-font-style); font-family: var(--lia-blog-font-family); font-size: var(--lia-bs-font-size-base);" data-contrast="auto"&gt;🤍&lt;/SPAN&gt;&lt;SPAN style="font-style: var(--lia-blog-font-style); font-family: var(--lia-blog-font-family); font-size: var(--lia-bs-font-size-base);" data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="o" data-font="Courier New" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:1440,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Courier New&amp;quot;,&amp;quot;469769242&amp;quot;:[9675],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;o&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="2"&gt;&lt;SPAN data-contrast="auto"&gt;Join the &lt;/SPAN&gt;&lt;A href="https://aka.ms/AAycdmn" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Security Community&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; and be notified of upcoming events, product feedback surveys, and more.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="o" data-font="Courier New" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:1440,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Courier New&amp;quot;,&amp;quot;469769242&amp;quot;:[9675],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;o&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="2"&gt;&lt;SPAN data-contrast="auto"&gt;Get early access to Microsoft Security products and provide feedback to engineers by joining the &lt;/SPAN&gt;&lt;A href="https://aka.ms/AAyclfq" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Security Advisors.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="o" data-font="Courier New" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:1440,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Courier New&amp;quot;,&amp;quot;469769242&amp;quot;:[9675],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;o&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="5" data-aria-level="2"&gt;&lt;SPAN data-contrast="auto"&gt;Learn about the &lt;/SPAN&gt;&lt;A href="https://aka.ms/MVPMDOvideo" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft MVP Program.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="o" data-font="Courier New" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:1440,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Courier New&amp;quot;,&amp;quot;469769242&amp;quot;:[9675],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;o&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="6" data-aria-level="2"&gt;&lt;SPAN data-contrast="auto"&gt;Join the &lt;/SPAN&gt;&lt;A href="https://aka.ms/AAyclgu" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Security Community LinkedIn&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; and the &lt;/SPAN&gt;&lt;A href="https://www.linkedin.com/company/microsoft-entra/posts/?feedView=all" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Entra Community LinkedIn&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Thu, 11 Jun 2026 18:09:16 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-community/level-up-your-azure-network-security-skills-with-our-upcoming/ba-p/4525584</guid>
      <dc:creator>andrewmathu</dc:creator>
      <dc:date>2026-06-11T18:09:16Z</dc:date>
    </item>
    <item>
      <title>June 4 - Secure Boot AMA</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-community/june-4-secure-boot-ama/m-p/4525226#M9991</link>
      <description>
&lt;P&gt;Microsoft is updating the Secure Boot certificates originally issued in 2011 to ensure Windows devices continue to verify trusted boot software. These older certificates begin expiring in June 2026. Devices that haven’t received the newer 2023 certificates will continue to start and operate normally, and standard Windows updates will continue to install. However, these devices will no longer be able to receive new security protections for the early boot process, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations for newly discovered boot-level vulnerabilities.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Whether you are already working through Secure Boot certificate updates across your estate, or aren't sure where to start, you can get answers to your questions and helpful insights at the next Secure Boot AMA at 8:00 a.m. PDT on June 4, 2026. Can't attend live? No problem. Post your questions in advance.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Visit &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-occasion" href="https://techcommunity.microsoft.com/event/windowsevents/ask-microsoft-anything-secure-boot---june-2026/4522056" target="_blank" rel="noopener" data-lia-auto-title="https://aka.ms/AMA/SecureBoot" data-lia-auto-title-active="0"&gt;https://aka.ms/AMA/SecureBoot&lt;/A&gt; to save the date and post your questions.&lt;BR /&gt;&lt;BR /&gt;For detailed, step-by-step guidance, see the following resources:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://aka.ms/securebootplaybook" target="_blank" rel="noopener"&gt;Secure Boot Playbook for Windows client&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://aka.ms/SecureBootForServer" target="_blank" rel="noopener"&gt;Secure Boot playbook for Windows Server&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://support.microsoft.com/en-us/topic/secure-boot-certificate-updates-for-windows-365-71839dd8-2832-44ed-9c60-57c04f99a645" target="_blank" rel="noopener"&gt;Secure Boot Certificate Updates for Windows 365&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://support.microsoft.com/en-us/topic/secure-boot-certificate-updates-for-azure-virtual-desktop-06a8a1bc-2510-4ead-9bea-3698e1d6b1db" target="_blank" rel="noopener"&gt;Secure Boot Certificate Updates for Azure Virtual Desktop&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Wed, 03 Jun 2026 17:23:06 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-community/june-4-secure-boot-ama/m-p/4525226#M9991</guid>
      <dc:creator>Heather_Poulsen</dc:creator>
      <dc:date>2026-06-03T17:23:06Z</dc:date>
    </item>
    <item>
      <title>Securing the new risk surface: local agents, claws, and open runtimes</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-community/securing-the-new-risk-surface-local-agents-claws-and-open/ba-p/4524602</link>
      <description>&lt;P&gt;The next wave of AI is more than just powerful models. We’re now seeing intelligent agents that run locally on our devices, interacting directly with sensitive data, apps, and systems. Some operate persistently: monitoring, planning, and executing tasks over time instead of just responding to one-off prompts. We call these more sustained, autonomous processes “claws.” Together, local agents and claws are changing how work gets done. They also introduce a new risk surface for organizations: these agents often run with deep access and minimal oversight on endpoints, meaning a single misstep or malicious input could lead to misuse of data, unintended system changes, or other real-world impacts.&lt;/P&gt;
&lt;H2&gt;A new class of risk: when agents run locally&lt;/H2&gt;
&lt;P&gt;Enterprise security teams already understand the risks introduced by AI agents in cloud services and managed platforms. Local agents introduce a different, and in many ways more acute, risk profile.&lt;/P&gt;
&lt;P&gt;When agents run locally on endpoints, &lt;STRONG&gt;&lt;EM&gt;they operate inside the user’s trust boundary&lt;/EM&gt;&lt;/STRONG&gt;. They inherit the device context, user credentials, local files, cached tokens, browser sessions, and developer tools already present on that machine. Unlike centrally managed cloud agents, local agents can be created, modified, and executed with little to no centralized oversight, often outside established onboarding and governance workflows.&lt;/P&gt;
&lt;P&gt;This creates a distinct risk scenario:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;High privilege by proximity&lt;/STRONG&gt; – Local agents often run under a user’s full identity and permissions, with direct access to sensitive data and systems the user can reach.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Reduced visibility &lt;/STRONG&gt;– Security teams may not know which agents are running locally, how they are configured, or what external services they communicate with.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Immediate impact&lt;/STRONG&gt; – A single malicious input, compromised dependency, or unsafe configuration can translate directly into data exposure, destructive system changes, or unauthorized external communication, at endpoint speed.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The risk is not theoretical. As recent incidents have shown, a locally running agent with overly broad permissions can issue destructive commands, leak sensitive data, or propagate errors faster than traditional software controls can react&lt;A href="#community--1-_ftn1" target="_blank" rel="noopener" name="_ftnref1"&gt;[1]&lt;/A&gt;. &lt;STRONG&gt;&lt;EM&gt;Existing endpoint and application security models were not designed for autonomous systems making decisions continuously on user devices.&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;To reduce this risk, security must extend beyond application boundaries and into the agent operating environment. Organizations need visibility into local agents, control over where and how they run, and enforcement of policy as agents act, before unsafe behavior can cause harm.&lt;/P&gt;
&lt;H2&gt;A secure agent operating environment&lt;/H2&gt;
&lt;P&gt;Microsoft’s approach to agent security is already well established: secure agents&amp;nbsp;as systems, not individual tools, with consistent visibility, control, and enforcement across identity, data, network, and runtime.&amp;nbsp;&lt;STRONG&gt;Today’s announcements build on that foundation by extending the same agent security model to local agents running on endpoints.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Local agents introduce a different operating reality. They run on user devices, inherit local context, and act with direct proximity to sensitive data, credentials, and tools. Securing them requires bringing endpoint‑level agents into the same control framework CISOs already rely on, without fragmenting governance or creating new blind spots.&lt;/P&gt;
&lt;P&gt;To do this, Microsoft extends the Agent 365 control plane to local agents, delivering outcomes security leaders expect:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Observe&lt;/STRONG&gt;: Gain a unified view of known local agents across the enterprise to identify what is running, where, and with what access, reducing blind spots before risk materializes.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Secure&lt;/STRONG&gt;: Contain agent activity and help enforce controls in real time to block unsafe behavior, prevent unauthorized access, and stop sensitive data loss before impact.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Govern&lt;/STRONG&gt;: Apply consistent policy and audit across the agent lifecycle to help ensure accountability, enforce standards, and maintain control as agent behavior evolves over time.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;By extending Microsoft Agent 365 to the endpoint, local agents and claws can now operate under the same standards of oversight as cloud‑based agents. This reduces risk while enabling organizations to confidently adopt local, autonomous agents as part of their enterprise AI strategy.&lt;/P&gt;
&lt;H2&gt;Observe: discover and understand local agents&lt;/H2&gt;
&lt;P&gt;The first step in reducing risk is always visibility. Local agents often emerge and operate outside traditional IT oversight, which is what we call “shadow AI”. If security teams can’t see these agents, they can’t manage or protect them. True observability into local agent presence and behavior is therefore critical: organizations need an up-to-date inventory of known local agents, where they’re running, and what they can access. With that knowledge, CISOs and their teams can assess exposure and take informed action.&lt;/P&gt;
&lt;P&gt;Today, Microsoft is introducing agent observability for &lt;A href="https://aka.ms/agenticendpointsecurity" target="_blank" rel="noopener"&gt;20+ local AI agents&lt;/A&gt; running on managed Windows and macOS devices as first-class security assets. Together, these signals roll up into a unified agent inventory that is surfaced through the security and admin experiences teams already use, so IT, security, and identity teams can see and assess potential local agent risk in the context of their existing workflows.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Agent 365 Agent Registry (including Shadow AI)&lt;/STRONG&gt; provides a system of record for local agents that have been brought under governance, while also surfacing unmanaged or unsanctioned local agents detected on managed endpoints. Together, these capabilities give security teams visibility into both known local agents and previously unknown agent activity, using existing endpoint security signals. Teams can assess risk, decide whether to block execution, or bring local agents under governance as part of an end-to-end control workflow&lt;STRONG&gt;. &lt;/STRONG&gt;Public preview coming later in June. &lt;A href="https://www.microsoft.com/en-us/security/blog/2026/05/01/microsoft-agent-365-now-generally-available-expands-capabilities-and-integrations/" target="_blank" rel="noopener"&gt;Learn more&lt;/A&gt;.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;EM&gt;Shadow AI detection in the Microsoft 365 admin center, showing unmanaged agents and their publishers across the tenant.&lt;/EM&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Microsoft Defender &lt;/STRONG&gt;now&lt;STRONG&gt; &lt;/STRONG&gt;discovers and profiles supported local AI agents on eligible Microsoft Defender onboarded devices. It surfaces each agent’s configuration, such as any associated Model Context Protocol (MCP) servers, and maps it to the device and user identity under which it runs. This approach gives security teams a clear picture of potential exposure for supported agents: what it can reach and what it is entitled to access, making it easier to identify potentially risky combinations, such as auto-approval of agents running with elevated permissions on devices that contain sensitive data, and investigate using the same endpoint telemetry security teams already use in Defender. Now in public preview. &lt;A href="https://aka.ms/Build2026/SecuringLocalAgents" target="_blank" rel="noopener"&gt;Learn more&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Microsoft Purview &lt;/STRONG&gt;extends observability into the data layer by showing how agents interact with sensitive information across the environment. It helps identify potential exposure paths where data could be overshared, leaked, or used in ways that increase risk. This insight gives organizations the context they need to help reduce data security and compliance risk as part of broader agent governance. Now in public preview.&lt;STRONG&gt; &lt;/STRONG&gt;&lt;A href="https://aka.ms/PurviewforDevelopers" target="_blank" rel="noopener"&gt;Learn more&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Microsoft Entra &lt;/STRONG&gt;extends its Secure Access Service Edge (SASE) architecture to local agents, bringing identity‑aware, network‑level visibility to agents running on Windows and macOS devices. By correlating network signals with Defender endpoint telemetry, security teams can see which local agents communicate externally, how they are configured, and which resources they are permitted to reach versus what they actually access. This elevates local agent network behavior into first‑class security insight, helping teams identify previously unknown or unmanaged agents and assess risk quickly. These insights surface through the Agent 365 experience, enabling faster, more confident decisions about local agent exposure. Now in public preview. &lt;A href="http://aka.ms/gsabuild2026" target="_blank" rel="noopener"&gt;Learn more&lt;/A&gt;.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Together, these capabilities help organizations with a unified, updated view of known local agent activity and potential risks, helping to minimize blind spots at the endpoint. But visibility alone does not reduce risk. To do that, organizations must also control how local agents behave—both where they run and what they do in real time.&lt;/P&gt;
&lt;H2&gt;Secure: contain and enforce local agent actions&lt;/H2&gt;
&lt;P&gt;As the earlier example illustrates, the risk is not just that local agents exist, but that they act autonomously. A single decision can translate directly into real‑world impact, accessing data, executing code, or modifying systems at machine speed.&lt;/P&gt;
&lt;P&gt;Reducing this risk requires two layers of protection. First, organizations must control where agents run and what they can access by design. Second, they must enforce controls as agents act, helping to stop unsafe behavior in real time. Microsoft delivers both through OS‑level containment and runtime enforcement.&lt;/P&gt;
&lt;H3&gt;Execution environment: control agent behavior by design&lt;/H3&gt;
&lt;P&gt;Containment helps organizations bound what agents can access and do, preventing dynamic behavior from turning into unintended impact. Today, we’re announcing execution‑environment controls that define where local agents run and what they can access, limiting exposure by design.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Windows 365 for Agents&lt;/STRONG&gt; provides Cloud PCs that enable AI agents to execute multi-step workflows across software, including opening apps, navigating interfaces, entering inputs, and processing data. Today, Windows 365 for Agents becomes generally available within Agent 365, enabling agent builders to build computer-using agents for a variety of enterprise use cases. &lt;A href="https://learn.microsoft.com/en-us/windows-365/agents/" target="_blank" rel="noopener"&gt;Learn more.&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Microsoft Execution Containers (MXC)&lt;/STRONG&gt; helps to contain agent impact without limiting productivity gains. MXC is a cross-platform, policy-driven execution layer for agents across Windows and WSL. Developers declare what an agent can access — like files and networking related policies — and MXC enforces those boundaries at runtime. Windows delivers a composable sandbox through MXC—a single SDK and policy model that maps to the right isolation construct for any agent workload, from fast process isolation (adopted by GitHub Copilot CLI) to micro-VMs, Linux containers, and cloud instances via Windows 365. Session isolation separates the agent's execution from the user's desktop, clipboard, UI, and input devices, and critically, binds the agent to a strong user identity — mitigating UI spoofing, input injection, and cross-session data leakage. Agent 365 layers Entra and Intune policy on top so IT can govern containment centrally while developers choose the guardrail weight their workload demands. Now available in early preview. &lt;A href="https://blogs.windows.com/windowsdeveloper/?p=57808" target="_blank" rel="noopener"&gt;Learn more&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;OS-enforced Agent Identity and enterprise manageability on Windows&lt;/STRONG&gt;: beyond containment, every agent activity must be attributable and governed. Windows assigns agents a local ID or a cloud provisioned identity backed by Entra and attributes all activity from the container to that identity, so you can clearly differentiate human from agent. Native Windows integration with Agent 365 provides a common foundation for observability, security and governance, including native Intune integration to set policies that gate the agent runtime execution and control how agents run. Defender, Entra, Intune and Purview will provide runtime protections for evolving threats across access, sensitive data, malicious prompts, and risky behavior so security and IT teams can prevent enterprise risk. &lt;A href="https://blogs.windows.com/windowsdeveloper/?p=57808" target="_blank" rel="noopener"&gt;Learn more&lt;/A&gt;.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;Runtime: enforce controls as agents act&lt;/H3&gt;
&lt;P&gt;If the execution environment defines where agents are allowed to operate, runtime enforcement governs what they are allowed to do. This is the moment an agent accesses sensitive data, invokes tools, or takes action under a user’s identity, and where real‑time controls matter most.&lt;/P&gt;
&lt;P&gt;Today, we are announcing runtime controls across identity, data, and threat protection for Claude Code and GitHub Copilot CLI, with OpenClaw and OpenAI Codex support coming in late June.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Microsoft Defender &lt;/STRONG&gt;adds runtime protection for supported local AI agents on Windows, helping to detect unsafe or malicious behavior inline across prompts, tool calls, and responses. Based on policy, Defender can help block or audit agent actions and raise alerts with agent context, enabling investigation using the same telemetry and hunting workflows security teams already use.&amp;nbsp; Now in public preview. &lt;A href="https://aka.ms/Build2026/SecuringLocalAgents" target="_blank" rel="noopener"&gt;Learn more&lt;/A&gt;.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;EM&gt;Microsoft Defender enforcement of policies during a local agent interaction with a potential threat&lt;/EM&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Microsoft Purview&lt;/STRONG&gt;&lt;STRONG&gt; &lt;/STRONG&gt;extends enforcement of Data Loss Prevention policies to local agent interactions, preventing sensitive data leakage and exfiltration as agents execute tasks, call tools, or generate outputs. These controls help reduce AI-driven data risks while maintaining productivity and providing visibility into recurring risky behaviors across agent sessions. Now in public preview.&lt;STRONG&gt; &lt;/STRONG&gt;&lt;A href="https://aka.ms/PurviewforDevelopers" target="_blank" rel="noopener"&gt;Learn more&lt;/A&gt;.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;EM&gt;Microsoft Purview enforcement of Data Loss Prevention policies during a local agent interaction with sensitive data&lt;/EM&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Microsoft Entra &lt;/STRONG&gt;extends the Secure Access Service Edge (SASE) model to local agents by enforcing network-based security controls at runtime, as agents act. Security teams can apply agent-specific network policies directly to agent traffic—separate from user traffic—to restrict web access to authorized destinations, control file transfers, and limit connections to trusted services. Enforced inline during execution, these controls help reduce the risk of data exfiltration, unauthorized access, and communication with untrusted systems, while maintaining consistent, policy‑driven control over local agent behavior. Now in public preview. &lt;A href="http://aka.ms/gsabuild2026" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Learn more&lt;/STRONG&gt;&lt;/A&gt;&lt;STRONG&gt;.&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Together with environment-level containment, these controls help to secure not just where agents run, but how they act.&lt;/P&gt;
&lt;H2&gt;Govern: sustain control with policy and audit&lt;/H2&gt;
&lt;P&gt;As agents become persistent systems operating over time, risk extends beyond individual actions to sustained and evolving behavior. Without governance, organizations lose visibility into how agents evolve, what they access, and whether their actions remain aligned with policy. Sustaining trust in local agents requires continuous oversight, accountability, and lifecycle control.&lt;/P&gt;
&lt;P&gt;Today, we’re announcing governance controls that keep local agent activity accountable over time through policy and audit.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Microsoft Intune&lt;/STRONG&gt; helps control how agents run on managed devices by applying endpoint policies that reduce device-level risk. It enables teams to help block OpenClaw on Windows and apply security policies for runtime protection, now in public preview. With MXC as well as &lt;A href="https://aka.ms/W365Build26Blog" target="_blank" rel="noopener"&gt;Windows 365 for Agents&lt;/A&gt;, administrators can use Intune to configure the environments for managed agents running locally and on Cloud PCs. This helps organizations apply controls across deployment models, prevent unauthorized agent activity, and maintain real-time governance over execution.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;EM&gt;In the Microsoft Intune admin center, an IT professional can apply policies to configure agents like OpenClaw to run in MXC and manage what they can access. &lt;/EM&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Microsoft Purview&lt;/STRONG&gt; provides a comprehensive audit record of agent activity over time, capturing how local agents access, use, and interact with sensitive data. These audit logs support investigation, compliance reporting, and accountability, helping to ensure agent actions are traceable and defensible long after execution. Now in public preview for supported agents. &lt;A href="https://aka.ms/PurviewforDevelopers" target="_blank" rel="noopener"&gt;Learn more.&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Together, these governance capabilities help to ensure that local agent activity is not only controlled in the moment, but&amp;nbsp;managed consistently over time, with visibility and accountability for every action. This enables organizations to move beyond limited AI pilots to&amp;nbsp;trusted, auditable, enterprise‑scale adoption&amp;nbsp;of agentic AI.&lt;/P&gt;
&lt;H2&gt;From unmanaged claws to secure and governed agents&lt;/H2&gt;
&lt;P&gt;The result of extending visibility, runtime enforcement, and governance across the agent operating environment is a shift from unmanaged local agents and claws to a secure, enterprise‑ready system. Each layer of Microsoft’s security stack plays a clear role:&lt;/P&gt;
&lt;P&gt;Agent 365 now provides the unified control plane for local agents, which includes:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Microsoft Defender to detect and block unsafe actions&lt;/LI&gt;
&lt;LI&gt;Microsoft Purview to provide data protection and compliance&lt;/LI&gt;
&lt;LI&gt;Microsoft Entra to enforce network access controls&lt;/LI&gt;
&lt;LI&gt;Microsoft Intune to govern execution through device policy&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;And Microsoft Windows enforces execution boundaries at the platform layer.&lt;/P&gt;
&lt;P&gt;Together, these layers form a defense‑in‑depth model that helps to close gaps across the local agent lifecycle.&lt;/P&gt;
&lt;H2&gt;Enabling agentic AI with confidence&lt;/H2&gt;
&lt;P&gt;Local agents and claws introduce a new class of enterprise risk, as autonomous systems operate continuously across identities, data, and systems. They break assumptions that traditional security models rely on.&lt;/P&gt;
&lt;P&gt;Microsoft addresses this shift by securing the agent operating environment itself—helping organizations identify known agents through unified observability, secure agent actions through real-time policy enforcement, and govern agent interactions over time through consistent policy and audit.&lt;/P&gt;
&lt;P&gt;AI adoption is accelerating faster than the governance structures organizations have in place to manage it. Extending proven security principles to local agents and claws is how that gap gets closed.&lt;/P&gt;
&lt;P&gt;Learn more: &lt;A href="https://aka.ms/securityforAI" target="_blank" rel="noopener"&gt;aka.ms/securityforAI&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="#community--1-_ftnref1" target="_blank" rel="noopener" name="_ftn1"&gt;[1]&lt;/A&gt; &lt;A href="https://cybernews.com/ai-news/claude-ai-deletes-car-rental-database/" target="_blank" rel="noopener"&gt;Claude AI agent wipes firm’s database in 9 seconds | Cybernews&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 02 Jun 2026 17:15:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-community/securing-the-new-risk-surface-local-agents-claws-and-open/ba-p/4524602</guid>
      <dc:creator>Herain_Oberoi</dc:creator>
      <dc:date>2026-06-02T17:15:00Z</dc:date>
    </item>
    <item>
      <title>Microsoft Purview enables developers with strong data security across AI apps and agents</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-community/microsoft-purview-enables-developers-with-strong-data-security/ba-p/4524626</link>
      <description>&lt;P&gt;Today, developers are at the center of a new wave of innovation—building AI applications and agents that are deeply connected to enterprise data. But with this opportunity comes a new and complex set of security challenges. AI systems operate across cloud platforms, third-party services, and even local and on-premises development environments, interacting dynamically with sensitive data such as customer records, financial information, and intellectual property. Traditional security approaches weren’t designed for this level of scale, autonomy, or fluid data movement—leaving developers to navigate fragmented tools, unclear policies, and the risk of unintentionally exposing sensitive information.&lt;/P&gt;
&lt;P&gt;At the same time, expectations are rising. Organizations need to ensure that AI applications and agents are compliant, auditable, and secure by default at the enterprise level—not retrofitted after deployment. But for developers, adding security often means additional complexity, custom integrations, and slower time to market. This tension between speed and control has become one of the biggest barriers to moving AI from experimentation into production.&lt;/P&gt;
&lt;P&gt;Microsoft Purview is designed to help with this challenge by embedding data security and compliance controls across the development cycle. Purview provides a consistent way to govern how data is accessed, used, and shared—without requiring developers to become security experts. The result is a simpler path to building AI systems that are secure, compliant, and enterprise-ready by design.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Extending data security and compliance to local agents and claws&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Local and endpoint agents, built on platforms such as GitHub Copilot CLI and OpenClaw, introduce a new class of data security challenges as they operate outside traditional control planes and directly on user machines. Unlike cloud systems, these agents can access local files, credentials, terminals, and enterprise apps simultaneously—often moving data across tools and environments. This expands data risks, from sensitive data being unintentionally stored, copied, or shared, to API keys and tokens being exposed, and autonomous workflows triggering data movement without explicit user intent. At the same time, many existing security controls were designed for browser or cloud-based activity, leaving a growing blind spot at the endpoint where agents are increasingly running. The result is a widening gap between how developers build agents to operate locally on users' machines, and how organizations can detect, govern, and protect the data those agents interact with.&lt;/P&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://aka.ms/Build2026/SecureLocalAgents" target="_blank" rel="noopener"&gt;Microsoft Security and Windows&lt;/A&gt; are integrating management and security capabilities directly into the local agents’ development workflow, enabling security as an architectural guarantee rather than an implementation choice.&lt;/P&gt;
&lt;P&gt;At Build, we are thrilled to be &lt;STRONG&gt;extending Purview visibility and protection capabilities to local agents developed on GitHub Copilot CLI, Claude Code, OpenAI Codex, and OpenClaw&lt;/STRONG&gt; in Public Preview. Unlike traditional cloud applications, these agents operate closer to the data and often create new risks for data exposure. Purview addresses this challenge across all types of agent interactions with a clear, simplified set of scenarios:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;U&gt;Observability&lt;/U&gt;: Visibility in Purview Data Security Posture Management (DSPM) across the agent inventory, and into how local agents interact with sensitive data—across prompts, responses, and actions.&lt;/LI&gt;
&lt;LI&gt;&lt;U&gt;Runtime data protection&lt;/U&gt;: Purview Data Loss Prevention (DLP) controls enforced directly in the agent execution flow, inspecting prompts and tool calls in real time to prevent sensitive data exfiltration.&lt;/LI&gt;
&lt;LI&gt;&lt;U&gt;Agentic risk detection&lt;/U&gt;: Risky or anomalous agent behaviors detected through Insider Risk Management (IRM) signals, helping teams identify unsafe interactions early.&lt;/LI&gt;
&lt;LI&gt;&lt;U&gt;Audit&lt;/U&gt;: Comprehensive, end-to-end logging of all local agent interactions—capturing prompts, responses, data access, and actions with their data context.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;For example, suppose a developer uses a local coding agent to generate code and accidentally includes sensitive credentials in a prompt. AI observability in DSPM surfaces the interaction and shows what data the agent accessed. DLP detects the sensitive data in real time and blocks it from being sent or processed (or blocks sensitive files from being accessed and exfiltrated). At the same time, agentic risk detection flags the session as high risk based on the behavior pattern. All of this activity is captured in audit logs, enabling the security team to investigate and act quickly.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;[Figure: Data protection policy blocks agent interaction with sensitive data]&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Developers and security teams gain visibility into agent activity and data interactions, while policies prevent sensitive data leakage. This ensures consistent security outcomes across both cloud and endpoint environments, without disrupting developer workflows.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Strengthening visibility and controls for Foundry agents&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Foundry gives developers a central place to build and manage AI agents, but it also creates a need for data security context directly in that workflow—especially as prompts, model interactions, and downstream actions increasingly involve sensitive enterprise data.&lt;/P&gt;
&lt;P&gt;At Build, we are excited to announce the expansion of the Foundry integration with Purview. This includes&amp;nbsp;&lt;STRONG&gt;Purview DLP runtime controls for prompt processing in Foundry&lt;/STRONG&gt;, in Public Preview. As agents and applications built on Foundry increasingly interact with sensitive data, Purview ensures those interactions are governed by trusted controls, identifying Sensitive Information Types (SITs) in real time to detect and protect confidential data embedded in prompts. For example, if a user includes customer PII or financial data in a prompt, Purview can automatically identify the sensitive content and block that prompt from being processed by the model. This ensures that all Foundry apps and agents, regardless of how they’re built or deployed, inherit consistent data protection – allowing organizations to reduce the risk of inadvertent data exposure, centralize compliance enforcement across AI workloads, and confidently scale AI adoption knowing sensitive data is protected by design.&lt;/P&gt;
&lt;P&gt;We’re also building on the &lt;A href="https://aka.ms/PurviewforAgents" target="_blank" rel="noopener"&gt;Purview coverage for Foundry shared at the last Microsoft Ignite&lt;/A&gt; by announcing &lt;STRONG&gt;Purview insights embedded directly into the Foundry Control Plane&lt;/STRONG&gt;, in General Availability, bringing rich data security context to the plane where developers already work. Purview surfaces crucial signals—such as SITs detected in agentic interactions, the percentage of agentic interactions involving sensitive data, and the spread of high-risk users—so Foundry admins can understand how AI apps and agents are built in their environment. This shift enables developers to make faster, better decisions in the moment, reducing rework and closing security gaps early on.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;[Figure: Purview Audit embedded in the Foundry Control Plane]&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;For customers, the value is clear: stronger security by design and at enterprise scale, accelerated development cycles, and reduced risk of data leaks or compliance issues—without slowing down innovation.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Innovating for developers everywhere, at the pace of AI growth&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Microsoft is also expanding Purview’s reach across the broader developer ecosystem. New integrations help organizations apply consistent oversight to AI tools and platforms developers already use, without adding separate compliance workflows.&lt;/P&gt;
&lt;P&gt;GitHub Copilot is a critical productivity layer for developers, accelerating how code is written and shipped—making it equally important that developer interactions with GitHub Copilot are governed and secured with the same rigor as enterprise data. &lt;STRONG&gt;Microsoft Purview now extends data governance and compliance capabilities to GitHub Copilot interactions&lt;/STRONG&gt;, in Public Preview, enabling GitHub Enterprise customers with Entra SSO to stream audit logs directly into Purview. This brings centralized visibility for AI activity, allowing security and compliance teams to analyze GitHub Copilot agent session activity alongside other AI workloads. With this native integration into GitHub workflows, Purview audits Copilot activity across repositories, pull requests, and developer sessions—ensuring AI-generated code aligns with enterprise data policies, compliance requirements, and secure development standards.&lt;/P&gt;
&lt;P&gt;By integrating Purview into existing workflows, organizations can govern GitHub AI usage without building parallel pipelines—reducing complexity while ensuring consistent compliance coverage across their entire data estate.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;[Figure: Purview capabilities configured directly into the GitHub Copilot experience]&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Today’s AI agents aren’t built in just one ecosystem—they span custom apps, third-party platforms, and open-source frameworks. Without consistent controls, this creates blind spots where sensitive data can be exposed outside enterprise guardrails. That’s why extending Purview protection beyond Microsoft environments is critical: it ensures developers can apply the same data security, DLP policies, and compliance controls to any agent, anywhere—so innovation can scale without increasing risk.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Developers already use Microsoft Purview APIs to embed data protection into enterprise workflows. Today, we’re introducing the &lt;STRONG&gt;Microsoft Purview SDK for .NET — a simple, drop-in toolkit that brings Purview capabilities directly into any application&lt;/STRONG&gt;, in Public Preview. Instead of weeks spent wiring APIs, authentication, and error handling, developers can add content scanning, DLP checks, and sensitivity labeling in just a few lines of code. The SDK handles the heavy lifting — including auth, retries, caching, and telemetry — so teams can focus on building experiences.&lt;/P&gt;
&lt;P&gt;For AI apps and agents built outside of the Microsoft AI platforms, the SDK adds built-in support and can evaluate prompts and responses in real time against DLP and content policies — helping prevent data exposure at runtime without custom logic.&lt;/P&gt;
&lt;P&gt;Designed for both real-time and asynchronous patterns, and for authenticated or anonymous flows, the SDK also feeds activity back into Purview to give security teams centralized visibility and control. The bottom line is that the Microsoft Purview SDK enables developers to build AI apps and agents that are secure and compliant by default — cutting integration time from weeks to days while ensuring data protection scales with AI. The SDK will be available in public preview within the next month.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Together, these announcements represent a significant step forward in how developers build secure AI systems. Microsoft Purview is no longer just a data security and compliance solution—it is a first-class layer of the development process, protecting data across AI applications and agents and bridging developers and security teams. As AI becomes more agentic, distributed, and deeply connected to enterprise data, the need for built-in security will only grow. With Purview, developers no longer have to choose between speed and security—they can build both into every application from the start.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Get connected with Microsoft Purview and learn more&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Learn more about Microsoft Purview on our&amp;nbsp;&lt;A href="https://www.microsoft.com/en-us/security/business/microsoft-purview" target="_blank" rel="noopener"&gt;website&lt;/A&gt;&amp;nbsp;and&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/purview/" target="_blank" rel="noopener"&gt;Microsoft Learn&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;Explore &lt;A class="lia-external-url" href="https://www.microsoft.com/en-us/microsoft-agent-365?msockid=0cae18635970673804700df9585d6659" target="_blank"&gt;Agent 365&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/PurviewTrial" target="_blank" rel="noopener"&gt;Try Microsoft Purview data security&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;Learn more about &lt;A href="Microsoft%20Purview%20Developer%20Platform%20Documentation%20-%20purview-sdk%20|%20Microsoft%20Learn" target="_blank" rel="noopener"&gt;Microsoft Purview SDK&lt;/A&gt;.&lt;/P&gt;</description>
      <pubDate>Tue, 02 Jun 2026 17:14:32 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-community/microsoft-purview-enables-developers-with-strong-data-security/ba-p/4524626</guid>
      <dc:creator>Nathalia_Borges</dc:creator>
      <dc:date>2026-06-02T17:14:32Z</dc:date>
    </item>
    <item>
      <title>New Windows Features to Secure Today’s Data in a Post-Quantum World</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-community/new-windows-features-to-secure-today-s-data-in-a-post-quantum/ba-p/4523370</link>
      <description>&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Quantum&amp;nbsp;safety&amp;nbsp;is&amp;nbsp;a staged transition across customer environments.&amp;nbsp;Windows is enabling this progression by&amp;nbsp;extending&amp;nbsp;quantum-safe&amp;nbsp;support beyond&amp;nbsp;algorithms and APIs, into the protocols and platform components that&amp;nbsp;organizations use&amp;nbsp;the most.&amp;nbsp;This foundation empowers customers to build, validate, pilot, and ultimately deploy quantum-safe applications, systems, and infrastructure at scale.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Microsoft’s earlier announcements introduced&amp;nbsp;PQC&amp;nbsp;support&amp;nbsp;in&amp;nbsp;the&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/microsofts-quantum-resistant-cryptography-is-here/4238780" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;core cryptographic building blocks&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;and&amp;nbsp;outlined&amp;nbsp;the broader&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://www.microsoft.com/en-us/security/blog/2025/08/20/quantum-safe-security-progress-towards-next-generation-cryptography/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Quantum Safe Program&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;,&amp;nbsp;including the need for&amp;nbsp;crypto-agility, standards alignment, and a practical migration path.&amp;nbsp;Microsoft delivered&amp;nbsp;a key milestone&amp;nbsp;last November&amp;nbsp;by&amp;nbsp;making&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/post-quantum-cryptography-apis-now-generally-available-on-microsoft-platforms/4469093" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;PQC algorithms generally available&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;on Windows 11 and Windows Server 2025.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Now,&amp;nbsp;we’re&amp;nbsp;bringing&amp;nbsp;quantum-safe capabilities to where&amp;nbsp;they&amp;nbsp;are used: adding&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;PQ&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&amp;nbsp;TLS&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;hybrid key&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;exchange&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;to&amp;nbsp;the&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/windows-server/security/tls/tls-ssl-schannel-ssp-overview" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Windows Transport Layer Security (TLS) stack&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, enabling composite PQC algorithms in&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/windows/win32/seccng/cng-portal" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Windows cryptography APIs&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;and&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/windows/win32/seccrypto/using-certificates" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;certificate functions&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;,&amp;nbsp;and bringing the ability to&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/post-quantum-cryptography-overview#pqc-algorithms-supported-in-ad-cs" target="_blank" 
rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;generate PQ certificates via Active Directory Certificate Services (ADCS)&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&amp;nbsp;Together, these advances help organizations address long-lived data risks now and begin preparing for the broader transition across authentication, certificates, device protection, and management workflows.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;These updates are part of a broader&amp;nbsp;transition: bringing quantum-safe security into the systems and workflows&amp;nbsp;on which&amp;nbsp;organizations already rely.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4 aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;PQ&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;TLS&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;hybrid key exchange&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;comes to&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Windows&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The Windows TLS stack is a&amp;nbsp;core&amp;nbsp;component for secure&amp;nbsp;communication&amp;nbsp;across the platform. Adding&amp;nbsp;PQ&amp;nbsp;TLS&amp;nbsp;hybrid key exchange&amp;nbsp;brings&amp;nbsp;quantum-safe protection to&amp;nbsp;real&amp;nbsp;data-in-transit&amp;nbsp;scenarios that already run on&amp;nbsp;Windows.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Hybrid key exchange combines classical&amp;nbsp;and&amp;nbsp;post-quantum algorithms, allowing&amp;nbsp;organizations&amp;nbsp;to&amp;nbsp;begin mitigating&amp;nbsp;HNDL&amp;nbsp;risks. This is especially important for data that must remain confidential for years,&amp;nbsp;as&amp;nbsp;adversaries can capture encrypted traffic today and attempt to decrypt it in the future when quantum computing becomes practical.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This reflects Microsoft’s ongoing work in standards development and broader platform&amp;nbsp;investments,&amp;nbsp;including&amp;nbsp;the core cryptographic library&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://github.com/microsoft/SymCrypt" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;SymCrypt&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, Windows cryptography APIs,&amp;nbsp;and certificate handling.&amp;nbsp;TLS&amp;nbsp;PQ&amp;nbsp;hybrid key exchange&amp;nbsp;is&amp;nbsp;available&amp;nbsp;now in&amp;nbsp;preview&amp;nbsp;through&amp;nbsp;the&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://blogs.windows.com/windows-insider/2026/05/14/announcing-new-release-preview-builds-for-14-may-2026/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Windows Insider Program&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;and will become generally available on Windows 11 and Windows Server 2025 in the coming months.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;These new&amp;nbsp;quantum safe key exchange options&amp;nbsp;can be configured the same way as&amp;nbsp;existing&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;TLS&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&amp;nbsp;curves&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&amp;nbsp;(&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;the&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;cla&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;ssical encryption groups already in&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&amp;nbsp;use today)&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&amp;nbsp;IT administrators can enable them using familiar Windows management tools: Group Policy for domain-joined enterprise environments, Mobile Device Management (MDM) for modern device management platforms such as Intune, or&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/powershell/module/tls/?view=windowsserver2025-ps" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;TLS PowerShell cmdlets&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;(scripted configuration commands) for manual or automated setup. 
The following hybrid combinations — each pairing a classical algorithm with the post-quantum NIST&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.203.pdf" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;ML-KEM&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;algorithm to protect against both current and future threats — are available:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;X25519_MLKEM768 — combines the widely used X25519 classical algorithm with ML-KEM&lt;/LI&gt;
&lt;LI&gt;SecP256r1_MLKEM768 — combines the NIST P-256 elliptic curve with ML-KEM&lt;/LI&gt;
&lt;LI&gt;SecP384r1_MLKEM1024 — combines the NIST P-384 elliptic curve with ML-KEM at a higher security level&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;In practical terms, bringing&amp;nbsp;this capability&amp;nbsp;to&amp;nbsp;Windows enables&amp;nbsp;security teams and application owners&amp;nbsp;to evaluate&amp;nbsp;real,&amp;nbsp;Windows-native deployments and begin planning&amp;nbsp;the&amp;nbsp;policy&amp;nbsp;and&amp;nbsp;configuration updates needed for quantum-safe readiness. It provides a direct path to start&amp;nbsp;testing&amp;nbsp;in familiar Windows environments, without&amp;nbsp;relying only on specialized preview stacks.&amp;nbsp;Our&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-supported-groups-in-windows-11-24h2-and-later" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;T&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;LS&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&amp;nbsp;supported groups&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; page describes the PQ TLS hybrid key exchange groups available and how to enable them in your environment.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4 aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Composite PQC algorithms&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;in&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Windows cryptography APIs&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:360,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Windows cryptography APIs are&amp;nbsp;adding&amp;nbsp;support&amp;nbsp;for&amp;nbsp;composite&amp;nbsp;ML-KEM and composite&amp;nbsp;ML-DSA, where&amp;nbsp;&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.203.pdf" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;ML&lt;/SPAN&gt;&lt;/SPAN&gt;‑&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;KEM&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;(Module-Lattice Key Encapsulation Mechanism)&amp;nbsp;and&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.204.pdf" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;ML&lt;/SPAN&gt;&lt;/SPAN&gt;‑&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;DSA&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; (Module-Lattice Digital Signature Algorithm) are NIST approved PQ algorithms for key exchange and digital signatures respectively. Composite approaches are important for transition because they allow cryptographic operations to incorporate both classical and post-quantum components.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Composite algorithms provide defense in depth by requiring an adversary to break all components to compromise protected data. When implemented natively, they abstract away the complexity of securely combining multiple algorithms, reducing the risk of incorrect integrations and strengthening resilience against weaknesses in individual schemes. This work follows the IETF drafts for &lt;/SPAN&gt;&lt;A href="https://datatracker.ietf.org/doc/draft-ietf-lamps-pq-composite-sigs/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;composite ML-DSA&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;and&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://datatracker.ietf.org/doc/draft-ietf-lamps-pq-composite-kem/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;composite ML-KEM&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, to&amp;nbsp;combine&amp;nbsp;the traditional digital signature algorithm&amp;nbsp;ECDSA with ML-DSA and&amp;nbsp;traditional key exchange algorithm&amp;nbsp;ECDHE with ML-KEM.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;For developers, platform engineers, and security architects, this means Windows-native APIs are moving&amp;nbsp;beyond foundational primitives toward the real-world certificate and signing patterns required in production environments. Composite support&amp;nbsp;enables&amp;nbsp;organizations&amp;nbsp;to&amp;nbsp;prototype new certificate profiles, evaluate trust chain impacts, and&amp;nbsp;prepare for scenarios&amp;nbsp;as&amp;nbsp;relying parties,&amp;nbsp;issuing systems,&amp;nbsp;and&amp;nbsp;policy controls&amp;nbsp;adopt&amp;nbsp;post-quantum capabilities at different speeds.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;These capabilities are&amp;nbsp;in&amp;nbsp;Windows Insider Preview&amp;nbsp;for&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/windows/win32/seccng/cng-portal" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;C&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;ryptography&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;&amp;nbsp;API Next Generation&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;and&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/windows/win32/seccrypto/using-certificates" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;certificate functions&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;and will become generally available on Windows 11 and Windows Server 2025 in the coming months.&amp;nbsp;Visit our&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/windows/win32/seccng/cng-algorithm-identifiers" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;crypto developers&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;page to&amp;nbsp;learn more and get started.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;PQ&amp;nbsp;Certificates&amp;nbsp;come to&amp;nbsp;ADCS&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Active Directory Certificate Services (ADCS) support for&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/windows-server/identity/ad-cs/ml-dsa-overview" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;issuance of ML&lt;/SPAN&gt;&lt;/SPAN&gt;‑&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;DSA certificates&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;in Windows Server 2025&amp;nbsp;is now generally available&amp;nbsp;as of May 2026,&amp;nbsp;bringing PQC support into enterprise&amp;nbsp;public key infrastructure (PKI). ML&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;DSA enables quantum&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;resistant signing operations across Certification Authorities (CAs) and Online Certificate Status Protocol (OCSP) Responders, providing a practical way to evaluate post&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;quantum certificate issuance and trust validation workflows.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;ADCS supports three ML&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;DSA parameter sets (ML&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;DSA&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;44, ML&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;DSA&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;65, ML&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;DSA&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;87), allowing organizations to balance security strength with key and signature size&amp;nbsp;for&amp;nbsp;scenarios&amp;nbsp;like&amp;nbsp;code signing and&amp;nbsp;TLS&amp;nbsp;certificates. PQC support requires&amp;nbsp;newly deployed CAs&amp;nbsp;(as existing CAs cannot be upgraded in place), so organizations can introduce a parallel CA hierarchy alongside existing infrastructure to test and validate deployments without disrupting production workloads.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Additional post&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;quantum capabilities, including ML&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;KEM and composite algorithm support, are planned later this year to expand beyond signing scenarios and enable broader certificate interoperability.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;What this means for security teams and developers&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;For many organizations, these announcements&amp;nbsp;provide a&amp;nbsp;clear starting point&amp;nbsp;to adopt&amp;nbsp;quantum-safe cryptography.&amp;nbsp;The&amp;nbsp;Windows&amp;nbsp;platform now enables&amp;nbsp;early&amp;nbsp;validation and integration of PQC capabilities across applications&amp;nbsp;and infrastructure.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The most effective migrations will be phased.&amp;nbsp;Organizations should start by&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://www.microsoft.com/en-us/security/blog/2026/04/16/building-your-cryptographic-inventory-a-customer-strategy-for-cryptographic-posture-management/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;inventorying where public-key cryptography&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;is used,&amp;nbsp;prioritizing systems that protect sensitive data with long confidentiality lifetimes, and testing hybrid and&amp;nbsp;composite approaches in non-production environments.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Security teams can&amp;nbsp;start by&amp;nbsp;identifying&amp;nbsp;where&amp;nbsp;long-lived data is&amp;nbsp;at&amp;nbsp;risk, such&amp;nbsp;as&amp;nbsp;document repositories (e.g.,&amp;nbsp;SharePoint),&amp;nbsp;email archives, database systems, and backup or archival storage (including device and cloud backups),&amp;nbsp;and&amp;nbsp;prioritizing the systems that depend on&amp;nbsp;TLS and certificate-based trust.&amp;nbsp;They can then&amp;nbsp;map which applications rely on Windows cryptographic interfaces. Developers can test new algorithm support in controlled environments.&amp;nbsp;IT administrators&amp;nbsp;can prepare for the operational changes&amp;nbsp;required&amp;nbsp;for&amp;nbsp;quantum-safe migration, including&amp;nbsp;across certificates, device policy, performance validation, interoperability testing, and cryptographic inventory management.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The goal is not only to adopt new algorithms, but to build crypto-agility into processes so future transitions are easier to manage.&amp;nbsp;These latest Windows capabilities&amp;nbsp;make it easier&amp;nbsp;for that work to begin in a more practical, standards-aligned way.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4 aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Looking ahead: the next wave of quantum-safe&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;&amp;nbsp;capabilities&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;in Windows&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:360,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;These announcements mark early but important steps in bringing&amp;nbsp;quantum-safe capabilities into the Windows scenarios organizations depend on most. Beyond foundational cryptography&amp;nbsp;and&amp;nbsp;PQ&amp;nbsp;hybrid key&amp;nbsp;exchange,&amp;nbsp;that&amp;nbsp;roadmap extends&amp;nbsp;across certificate lifecycle workflows,&amp;nbsp;networking&amp;nbsp;protections such as&amp;nbsp;IPsec and Wi-Fi,&amp;nbsp;authentication&amp;nbsp;scenarios including TLS and Kerberos, passwordless experiences&amp;nbsp;like&amp;nbsp;Windows Hello and passkeys,&amp;nbsp;and&amp;nbsp;platform protections&amp;nbsp;that&amp;nbsp;rely on trusted&amp;nbsp;keys, certificates, and recovery flows.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This future direction includes&amp;nbsp;additional capabilities&amp;nbsp;like composite&amp;nbsp;PQ support in&amp;nbsp;ADCS,&amp;nbsp;which will be central to enterprise certificate enrollment and issuance, as well as&amp;nbsp;BitLocker,&amp;nbsp;software signing, and firmware signing.&amp;nbsp;Customers&amp;nbsp;will&amp;nbsp;see progress in some of these areas&amp;nbsp;this year,&amp;nbsp;with additional advancements planned for&amp;nbsp;2027.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Across&amp;nbsp;these&amp;nbsp;investments, the&amp;nbsp;goal remains consistent: to help&amp;nbsp;customers move from algorithm availability&amp;nbsp;to&amp;nbsp;deployable, manageable, enterprise-ready,&amp;nbsp;and&amp;nbsp;quantum-safe solutions.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4 aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Preparing now for the transition ahead&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:360,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The transition to quantum&amp;nbsp;safety will&amp;nbsp;take time, testing, and close coordination across standards bodies, platform providers, software developers, and enterprise security teams. But momentum matters.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;By expanding Windows support from foundational post-quantum primitives to real protocol and certificate scenarios, Microsoft is helping make that transition more practical. TLS&amp;nbsp;PQ&amp;nbsp;hybrid key exchange in&amp;nbsp;the Windows TLS&amp;nbsp;stack, composite&amp;nbsp;PQC algorithms in Windows cryptography APIs, and PQC&amp;nbsp;capabilities in ADCS&amp;nbsp;represent important next steps in turning quantum-safe readiness into deployable capability.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;As the roadmap continues to unfold across certificates, authentication, and platform protection, the best time for organizations to begin preparing is now.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5 aria-level="2"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Securing&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;today. Preparing for what’s next.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:240,&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;EM&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Security in Windows is built into the platform -&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;continuously&amp;nbsp;maintained and&amp;nbsp;designed to&amp;nbsp;evolve as threats change&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:2,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&lt;SPAN data-contrast="none"&gt;Learn more in the&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/windows/security/book/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Windows Security book&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="none"&gt; and &lt;/SPAN&gt;&lt;A href="https://aka.ms/ws2025securitybook" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Windows Server Security book&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="none"&gt; or explore&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://www.microsoft.com/en-us/windows/business" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Windows 11&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="none"&gt;, &lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/windows-server/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Windows Server&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="none"&gt;, and &lt;/SPAN&gt;&lt;A href="https://www.microsoft.com/en-us/windows/business/devices/copilot-plus-pcs" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Copilot+ PCs&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="none"&gt;. &lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&lt;SPAN data-contrast="none"&gt;For broader solutions, visit the&amp;nbsp; &lt;/SPAN&gt;&lt;A href="https://www.microsoft.com/en-us/security/business" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Security site&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, follow the&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://www.microsoft.com/security/blog/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Security blog&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, or connect with&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://www.linkedin.com/showcase/microsoft-security/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Security&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="none"&gt;&amp;nbsp;on LinkedIn&amp;nbsp;and&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://twitter.com/@MSFTSecurity" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;@MSFTSecurity&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="none"&gt;. &lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;  &lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:240}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/EM&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 02 Jun 2026 16:30:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-community/new-windows-features-to-secure-today-s-data-in-a-post-quantum/ba-p/4523370</guid>
      <dc:creator>AabhaThipsay</dc:creator>
      <dc:date>2026-06-02T16:30:00Z</dc:date>
    </item>
    <item>
      <title>Share Your Use Case in a Lightning Talk</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-community/share-your-use-case-in-a-lighting-talk/ba-p/4524579</link>
      <description>&lt;H5&gt;&lt;SPAN class="lia-text-color-15"&gt;&lt;STRONG&gt;Microsoft Security Store Lightning Talks&amp;nbsp;&lt;/STRONG&gt;are high‑energy, community-led mini sessions&lt;/SPAN&gt; spotlighting real users like you who are putting &lt;A class="lia-external-url" href="https://securitystore.microsoft.com/" target="_blank" rel="noopener"&gt;Microsoft Security Store&lt;/A&gt; agents and solutions to work, driving measurable impact through faster workflows, smarter automation, and stronger security outcomes.&amp;nbsp;&lt;/H5&gt;
&lt;P&gt;Selected sessions will be recorded and curated into a single can’t‑miss public virtual event, with speakers live in chat to answer questions and help attendees translate ideas into action. After the event, each speaker receives a dedicated Microsoft Security Community YouTube link for their segment, ready to share and keep up the community momentum.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Any user of agents or solutions from the &lt;A class="lia-external-url" href="https://securitystore.microsoft.com/" target="_blank" rel="noopener"&gt;Microsoft Security Store&lt;/A&gt; is welcome to submit a session; multiple submissions are welcome:&amp;nbsp;&lt;A class="lia-external-url" href="https://aka.ms/MSScfp" target="_blank" rel="noopener"&gt;aka.ms/MSScfp&lt;/A&gt; | Due June 4&lt;SUP&gt;th&lt;/SUP&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;See examples of Microsoft Security Community Lightning Talks&amp;nbsp;&lt;A class="lia-external-url" href="https://youtube.com/playlist?list=PLmAptfqzxVEX8BJp9n0ojZTM1pCCDJnOw&amp;amp;si=zZ_WYf6-wdl-FxEJ" target="_blank" rel="noopener"&gt;here&lt;/A&gt;&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;Sessions must be no longer than 10 minutes, and session submissions/descriptions can be 1-3 sentences.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;More information on the requirements and timeline can be found within the&amp;nbsp;&lt;A class="lia-external-url" href="https://aka.ms/MSScfp" target="_blank" rel="noopener"&gt;submission form&lt;/A&gt;.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;Event date: July 30th.
&lt;UL&gt;
&lt;LI&gt;Interested in registering for the event? Watch&amp;nbsp;&lt;A class="lia-external-url" href="https://securitycommunity.microsoft.com/VirtualEvents/" target="_blank" rel="noopener"&gt;this event space&lt;/A&gt; &lt;EM&gt;and&lt;/EM&gt; follow this blog post - yes, the one you're reading! Sign in (upper right corner) then click the heart to follow and be alerted on updates.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;Have questions? Feel free to post in the comments below. Need help? Let us know by sending RenWoods a direct message.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;Professional speaking experience is not required in this community-focused event. Microsoft employees are not eligible to present.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;A class="lia-external-url" href="https://aka.ms/MSScfp" target="_blank" rel="noopener"&gt;Submit &lt;/A&gt;your Microsoft Security Store Lightning Talk today!&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;HR style="border: none; border-top: 2px solid #bfbfbf; margin: 20px 0;" /&gt;
&lt;H6&gt;Learn and Engage with the Microsoft Security Community&lt;/H6&gt;
&lt;UL&gt;
&lt;LI&gt;Log in and follow this&amp;nbsp;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-security-product/blog/microsoft-security-blog" target="_blank" rel="noopener"&gt;Microsoft Security Community Blog&lt;/A&gt;&amp;nbsp;and post and interact in the&amp;nbsp;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-security" target="_blank" rel="noopener" data-lia-auto-title="Microsoft Security Community discussion spaces" data-lia-auto-title-active="0"&gt;Microsoft Security Community discussion spaces&lt;/A&gt;.
&lt;UL&gt;
&lt;LI&gt;Follow = Click the heart in the upper right when you're logged in 🤍&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;Join the &lt;A href="https://aka.ms/AAycdmn" target="_blank" rel="noopener"&gt;Microsoft Security Community&lt;/A&gt;&amp;nbsp;and be notified of upcoming events, product feedback surveys, and more.&lt;/LI&gt;
&lt;LI&gt;Get early access to Microsoft Security products and provide feedback to engineers by joining the&amp;nbsp;&lt;A href="https://aka.ms/AAyclfq" target="_blank" rel="noopener"&gt;Microsoft Security Advisors&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;Learn about the&amp;nbsp;&lt;A href="https://aka.ms/MVPMDOvideo" target="_blank" rel="noopener"&gt;Microsoft MVP Program&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;Join the&amp;nbsp;&lt;A href="https://aka.ms/AAyclgu" target="_blank" rel="noopener"&gt;Microsoft Security Community LinkedIn&lt;/A&gt;&amp;nbsp;and the&amp;nbsp;&lt;A href="https://www.linkedin.com/company/microsoft-entra/posts/?feedView=all" target="_blank" rel="noopener"&gt;Microsoft Entra Community LinkedIn&lt;/A&gt;.&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Mon, 01 Jun 2026 19:38:07 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-community/share-your-use-case-in-a-lighting-talk/ba-p/4524579</guid>
      <dc:creator>RenWoods</dc:creator>
      <dc:date>2026-06-01T19:38:07Z</dc:date>
    </item>
    <item>
      <title>Why “Data in Switzerland” Is Not Enough</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-community/why-data-in-switzerland-is-not-enough/m-p/4524300#M9987</link>
      <description>&lt;P&gt;&lt;EM&gt;Moving from Residency to Control in Microsoft 365&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Every conversation about data sovereignty in regulated industries tends to start the same way:&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;“We use Multi-Geo. The data stays in Switzerland.”&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;It’s the right starting point. &lt;A href="https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-multi-geo" target="_blank" rel="noopener"&gt;Microsoft 365 Multi-Geo&lt;/A&gt; allows organizations to place selected workloads - SharePoint sites, OneDrive accounts, Teams data, or Exchange mailboxes - into specific regions, including Switzerland, while maintaining a single global tenant. This makes it possible to align sensitive data with regulatory or customer requirements without fragmenting the overall environment.&lt;/P&gt;&lt;P&gt;But it only answers one question:&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Where is the data stored?&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;It does not answer who accessed the data, from where, under which conditions, or what happened after access. That is where the real problem begins.&lt;/P&gt;&lt;H2&gt;A scenario that happens every day&lt;/H2&gt;&lt;P&gt;A Swiss engineering firm stores sensitive project documentation in Switzerland using Multi-Geo. An external contractor - working from an unmanaged device outside Switzerland - is granted access to review a file. The document opens. The data is now on a screen in an unknown location, on a device with no compliance posture, in a session with no restrictions.&lt;/P&gt;&lt;P&gt;From the platform’s perspective, residency was enforced. From a sovereignty perspective, control was lost the moment access was granted without conditions.&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;P&gt;&lt;EM&gt;The file never left Switzerland. 
But sovereignty did.&lt;/EM&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;img /&gt;&lt;H2&gt;Residency is static. Control is not.&lt;/H2&gt;&lt;P&gt;The moment a document is opened, storage location stops being the relevant boundary. The file is no longer just “in Switzerland.” It moves instantly across endpoints and browsers, collaboration tools like Teams, external users and partners, and increasingly AI-driven contexts.&lt;/P&gt;&lt;P&gt;The infrastructure remains unchanged. The data does not. From the platform’s perspective, everything is working as designed - access was granted, residency was enforced - and control was lost.&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;P&gt;&lt;SPAN class="lia-text-color-8"&gt;&lt;STRONG&gt;&lt;EM&gt;Most “data in Switzerland” strategies fail at exactly this moment: when the data is used.&lt;/EM&gt;&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;&lt;H2&gt;The&amp;nbsp;&lt;STRONG&gt;shift:&lt;/STRONG&gt; from location to conditions&lt;/H2&gt;&lt;P&gt;If data sovereignty is the goal, the question must change. Not “Where is the data stored?” but:&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;Under which conditions can data be accessed and used?&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;This shift fundamentally changes the architecture. Control must be applied across three distinct layers - and all three must be connected.&lt;/P&gt;&lt;H2&gt;&lt;STRONG&gt;Layer 1: &lt;/STRONG&gt;Access is conditional, not static&lt;/H2&gt;&lt;P&gt;Conditional Access extends control beyond authentication and turns it into continuous evaluation. Access decisions can depend on:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Device compliance&lt;/LI&gt;&lt;LI&gt;Location (geo-restriction)&lt;/LI&gt;&lt;LI&gt;Identity and risk signals&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;STRONG&gt;Multi-Geo&lt;/STRONG&gt; ensures data is placed correctly. &lt;STRONG&gt;Conditional Access&lt;/STRONG&gt; ensures it is reachable only under defined conditions. 
The two must work together - residency without access governance is an incomplete control.&lt;/P&gt;&lt;H2&gt;&lt;STRONG&gt;Layer 2: &lt;/STRONG&gt;The session is the real risk surface&lt;/H2&gt;&lt;P&gt;Even with strict access controls, risk remains. A session is an exposure surface by design. During an active session, data is viewed, copied, shared, processed by applications, and connected to AI prompts.&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;P&gt;&lt;EM&gt;The gap does not appear at storage or authentication. It appears during active usage - inside the session. This is the layer most architectures do not explicitly address.&lt;/EM&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Controls must extend into the session itself: limiting data transfer and replication, restricting interaction patterns, and enforcing policies in real time. Access is no longer a one-time event. It becomes continuously governed.&lt;/P&gt;&lt;P&gt;This becomes even more critical as AI assistants consume content across SharePoint, Teams, Exchange, and other Microsoft 365 services. The question is no longer only where the source document resides - but whether the AI interaction itself is governed by the same access and protection controls as direct access.&lt;/P&gt;&lt;H2&gt;&lt;STRONG&gt;Layer 3:&lt;/STRONG&gt; The document becomes the control point&lt;/H2&gt;&lt;P&gt;The most durable control does not sit in the network or in the session. It sits in the data itself.&lt;/P&gt;&lt;P&gt;In regulated industries, organizations often arrive at this architecture having first evaluated sovereign or national encryption solutions. 
The decision to rely on native Microsoft 365 Purview encryption rather than a separate layer comes down to integration: AES-256 protection operating natively at file, user, and SharePoint level - including geo-based access restrictions - without an additional system to maintain.&lt;/P&gt;&lt;P&gt;When protection is applied directly to the document through Microsoft Purview:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Sensitivity labels define classification - automatically assigned based on content&lt;/LI&gt;&lt;LI&gt;Encryption enforces access - AES-256, bound to the file itself&lt;/LI&gt;&lt;LI&gt;IRM controls usage - view, copy, print, share, and presentation rights&lt;/LI&gt;&lt;LI&gt;DLP governs movement across services - preventing data from leaving defined boundaries&lt;/LI&gt;&lt;LI&gt;Dynamic watermarking tracks exposure - applied on open, view, or print&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;At that point, access is enforced by the file, usage restrictions travel with it, and control persists regardless of location.&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;P&gt;&lt;SPAN class="lia-text-color-11"&gt;&lt;STRONG&gt;&lt;EM&gt;The document becomes the perimeter.&lt;/EM&gt;&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;&lt;H2&gt;Platform control: limiting provider access&lt;/H2&gt;&lt;P&gt;One dimension often overlooked in sovereignty discussions is platform access itself. Even a perfectly configured tenant is only as sovereign as the controls placed on the operator.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Customer Lockbox&lt;/STRONG&gt; ensures that even Microsoft support cannot access customer data without explicit, logged, time-bound approval. 
Every access request is visible, auditable, and subject to customer veto.&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;P&gt;&lt;EM&gt;Data control applies not only to users - but also to the platform operating the service.&lt;/EM&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;&lt;H2&gt;Enforcement requires an integrated architecture&lt;/H2&gt;&lt;P&gt;Most organizations already have the required capabilities: Multi-Geo, Conditional Access, session control, Purview (labels, encryption, DLP, IRM), and monitoring. The issue is not capability. It is fragmentation.&lt;/P&gt;&lt;P&gt;In practice, fragmentation looks like this: residency is configured in one project, Conditional Access policies are managed by a different team, and Purview labels were applied during a compliance initiative that never connected to the access layer. The tools exist. The signals do not flow between them.&lt;/P&gt;&lt;P&gt;When designed as a single architecture:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Data is placed intentionally - residency aligned to regulatory requirements&lt;/LI&gt;&lt;LI&gt;Access is governed by context - device, location, and identity evaluated continuously&lt;/LI&gt;&lt;LI&gt;Usage is controlled dynamically - session-level restrictions enforced in real time&lt;/LI&gt;&lt;LI&gt;Protection is embedded in the document - encryption and IRM travel with the file&lt;/LI&gt;&lt;LI&gt;Signals are connected across the platform - monitoring feeds access policy, not just audit logs&lt;/LI&gt;&lt;/UL&gt;&lt;BLOCKQUOTE&gt;&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;“Data in Switzerland” becomes not just a statement - but an enforceable system property.&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;&lt;H2&gt;Closing thought&lt;/H2&gt;&lt;P&gt;Placing data in Switzerland is the right first step. Multi-Geo makes it possible, even in global environments. But residency alone is not control.&lt;/P&gt;&lt;P&gt;Data residency answers where information is stored. 
Data sovereignty requires proving who can access it, under which conditions, and what controls remain in place after access is granted.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;In Microsoft 365, sovereignty is no longer defined by geography alone. It is defined by the ability to enforce control wherever the data travels.&lt;/STRONG&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 02 Jun 2026 17:52:25 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-community/why-data-in-switzerland-is-not-enough/m-p/4524300#M9987</guid>
      <dc:creator>AladinH</dc:creator>
      <dc:date>2026-06-02T17:52:25Z</dc:date>
    </item>
    <item>
      <title>The Fileless Paradox: How My 33-Day-Old Research Became Today's Ransomware Reality</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-community/the-fileless-paradox-how-my-33-day-old-research-became-today-s/m-p/4524086#M9984</link>
      <description>&lt;P&gt;&lt;STRONG&gt;33 Days Before BARADAI Emerged&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;🔴 Before You Read: What Is This Article About?&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;This is the first article I have published on Microsoft Tech Community, and this is not a standard threat report.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This is the story of being right before anyone believed it — and of a ransomware family called BARADAI that proved it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;On April 5, 2026, I published a technical research article documenting, in detail, a fileless malware architecture that operated entirely in RAM using steganography and Windows Registry persistence. When I shared it on social media, the reactions were immediate and brutal:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;“A fileless payload cannot be persistent. If it leaves no trace on disk, it cannot survive a reboot.”&lt;/P&gt;&lt;P&gt;“This technique is entirely theoretical. No real threat actor would ever use this in production.”&lt;/P&gt;&lt;P&gt;“You cannot have persistence without leaving traces. Pick one.”&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;And the most absurd ones:&lt;/P&gt;&lt;P&gt;“Stop writing articles with AI.”&lt;/P&gt;&lt;P&gt;“This level of technical detail is unrealistic — did AI generate this?”&lt;/P&gt;&lt;P&gt;“Forensic artifacts cannot be erased. What kind of technique is this?”&lt;/P&gt;&lt;P&gt;At that moment, I could not prove myself. I had a working proof-of-concept. I had built the architecture myself. The technical logic was sound. But I did not yet have a real-world threat actor using it in production.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;33 days later, BARADAI appeared.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;And it used the exact same playbook I had written.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This article is the first volume of the “We Saw It Coming” series. 
In this series, I correlate my independent research with emerging real-world threats, document technical overlaps, and provide actionable detection and defense guidance for Microsoft environments.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Right now, I am actively trying to reverse and decrypt BARADAI. I do not yet have a definitive solution. But I am publishing this journey because my goal is to finalize a solution by collecting additional logs and intelligence.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;📌 Table of&amp;nbsp;Contents&lt;/P&gt;&lt;P&gt;The Moment Nobody Believed&lt;/P&gt;&lt;P&gt;33 Days Later: Meet BARADAI&lt;/P&gt;&lt;P&gt;The B-Family: Shared Infrastructure Ecosystem&lt;/P&gt;&lt;P&gt;Side-by-Side: Technical Overlap Analysis&lt;/P&gt;&lt;P&gt;Deep Dive: The Fileless Paradox — How Both Architectures Work&lt;/P&gt;&lt;P&gt;The PAIDMEMES Anomaly: Forensic Residue Inside BARADAI&lt;/P&gt;&lt;P&gt;My Technique vs BARADAI: Shared Technical Patterns&lt;/P&gt;&lt;P&gt;Microsoft Sentinel Detection Rules (KQL)&lt;/P&gt;&lt;P&gt;MITRE ATT&amp;amp;CK Mapping&lt;/P&gt;&lt;P&gt;Decryption Research and My Current Approaches&lt;/P&gt;&lt;P&gt;Defensive Recommendations&lt;/P&gt;&lt;P&gt;Sources and References&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;------------------------------------------------------------------------------&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;1. 
The Moment Nobody&amp;nbsp;Believed&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;April 5, 2026 — A Research Paper, a Community, and&amp;nbsp;Silence&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;On April 5, 2026, I published a detailed technical research article on Medium titled:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;“STEGOMALWARE — PNG Persistence Through Steganography and Windows Registry”&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The article documented a complete attack architecture that I designed and tested from scratch in a controlled laboratory environment.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My core thesis was this: A fileless malware strain can achieve persistent, reboot-resilient execution without ever writing a malicious executable to disk — by hiding its payload inside the pixels of a PNG image using LSB steganography and leveraging the Windows Registry for persistence.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I demonstrated this by building a keylogger. The architecture had four defining characteristics:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Feature 1 — Fileless Execution (RAM-Only)&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The malicious payload never touches disk as an executable file. Instead, a small, “clean-looking” loader script extracts hidden code from the pixel data of a PNG image and executes it directly in RAM.&lt;/P&gt;&lt;P&gt;No .exe, no .py, no .dll on disk. 
Traditional antivirus file-scanning mechanisms are effectively blind to this.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Feature 2 — Registry-Based Persistence&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Contrary to critics claiming that fileless malware cannot survive reboots, the loader writes itself into the Windows Registry Run key:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P class="lia-indent-padding-left-30px"&gt;HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run&lt;/P&gt;&lt;P class="lia-indent-padding-left-30px"&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This means that every time Windows starts, the loader executes again, extracts the payload from the PNG, and runs it back in memory. The malware lives in the Registry — not on disk.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Feature 3 — Process Masquerading&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I compiled the loader under the name svchost.exe and assigned it a Windows service icon.&lt;/P&gt;&lt;P&gt;When viewed in Task Manager, it appeared indistinguishable from a legitimate Windows system process.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Feature 4 — Self-Repair (Self-Integrity Check)&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The loader continuously validated both its Registry entry and its file copy.&lt;/P&gt;&lt;P&gt;If an antivirus product deleted the file or removed the Registry entry, the loader detected the modification and restored itself during the next execution cycle.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Feature 5 — Intelligent Data Collection&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The keylogger I built automatically embedded collected data into the pixels of a PNG image every 10 characters or every 30 seconds — whichever occurred first.&lt;/P&gt;&lt;P&gt;After each cycle, it reset itself, cleared temporary memory artifacts, and initiated a fresh 
collection loop.&lt;/P&gt;&lt;P&gt;This architectural design enabled the malware to remain undetected on a system for months.&lt;/P&gt;&lt;P&gt;Because there was no ever-growing log file on disk — the data was continuously transferred into images.&lt;/P&gt;&lt;P&gt;------------------------------------------------------------------------------------------&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;The Reactions&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;The reactions I received when sharing this research did not surprise me, but they disappointed me.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Technical objections:&lt;/P&gt;&lt;P&gt;“Fileless malware, by definition, cannot survive reboots. No disk means no persistence.”&lt;/P&gt;&lt;P&gt;“Forensic evidence cannot be erased. This makes no technical sense.”&lt;/P&gt;&lt;P&gt;“If you are writing to the Registry, then it is not truly fileless.”&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Personal attacks:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;“Stop writing with AI.”&lt;/P&gt;&lt;P&gt;“If you can perform technical analysis this detailed, why has nobody heard of you before?”&lt;/P&gt;&lt;P&gt;“Copied from AI — even the formatting looks AI-generated.”&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This feedback revealed two things:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;First, people fundamentally misunderstood the concept of fileless malware — they were confusing “fileless execution” with “leaving absolutely no traces anywhere.”&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The Registry is not a traditional file in the conventional sense, yet it remains a persistent storage mechanism resilient across reboots.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Second, it demonstrated how easily independent researchers are dismissed. 
Research not published by a major corporation or university was automatically labeled “AI-generated” or “theoretical.”&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;At that moment, I could not prove myself.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;33 days later, BARADAI proved me right.&lt;/P&gt;&lt;P&gt;------------------------------------------------------------------------------&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;2. 33 Days Later: Meet&amp;nbsp;BARADAI&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;May 5–8, 2026 — A New Threat&amp;nbsp;Surfaces&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;On May 5, 2026, researchers at PCrisk documented a new ransomware sample submitted to VirusTotal.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;On the same day, CYFIRMA’s underground forum monitoring team flagged it in their threat intelligence feeds.&lt;/P&gt;&lt;P&gt;By May 8, CYFIRMA’s Weekly Intelligence Report had published the first structured analysis.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The threat was named BARADAI — derived from the extension it appends to encrypted files:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="lia-text-color-21"&gt;.BARADAI&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;--------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;What Is&amp;nbsp;BARADAI?&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;BARADAI is a Windows ransomware variant belonging to the MedusaLocker family.&lt;/P&gt;&lt;P&gt;MedusaLocker has been active since late 2019 and remains one of the most prolific and long-lived ransomware-as-a-service (RaaS) operations in the threat landscape. 
BARADAI is a specific variant of the MedusaLocker v3 architecture — sometimes tracked in threat intelligence repositories as “BabyLockerKZ.”&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Detection names across major security&amp;nbsp;vendors:&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;Microsoft Defender:&amp;nbsp; Ransom:Win64/MedusaLocker.MZT!MTB&lt;/P&gt;&lt;P&gt;ESET: Win64/Filecoder.MedusaLocker.A&lt;/P&gt;&lt;P&gt;Avast: Win64:MalwareX-gen [Ransom]&lt;/P&gt;&lt;P&gt;Kaspersky: HEUR:Trojan-Ransom.Win32.Generic&lt;/P&gt;&lt;P&gt;------------------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;How Does It Operate?&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;BARADAI follows a double-extortion model.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Silent Phase (Reconnaissance)&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;After initial access, BARADAI does not immediately begin encryption.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Instead, it performs systematic reconnaissance:&lt;/P&gt;&lt;P&gt;-Enumerates running processes&lt;/P&gt;&lt;P&gt;-Maps network topology&lt;/P&gt;&lt;P&gt;-Collects browser-stored credentials&lt;/P&gt;&lt;P&gt;-Harvests session cookies and SSL certificates&lt;/P&gt;&lt;P&gt;-Captures desktop screenshots&lt;/P&gt;&lt;P&gt;-Exfiltrates collected data to attacker-controlled C2 infrastructure&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Encryption Phase&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;After exfiltration is complete, BARADAI activates its cryptographic payload:&lt;/P&gt;&lt;P&gt;-AES-256-CBC for file content encryption&lt;/P&gt;&lt;P&gt;-RSA-4096 for key protection&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Extortion Phase&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;A ransom note (read_to_decrypt_files.html or WHATS_HAPPEND.txt) is dropped into every encrypted directory.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Victims are given a 72-hour 
deadline.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If payment is not made before expiration, stolen data is published on the group’s Data Leak Site (DLS).&lt;/P&gt;&lt;P&gt;-------------------------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Confirmed Targeting as of May&amp;nbsp;2026&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Geographies&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;-United States&lt;/P&gt;&lt;P&gt;-Brazil&lt;/P&gt;&lt;P&gt;-France&lt;/P&gt;&lt;P&gt;-Australia&lt;/P&gt;&lt;P&gt;-Italy&lt;/P&gt;&lt;P&gt;-Israel&lt;/P&gt;&lt;P&gt;-Malaysia&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Sectors&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;-Education&lt;/P&gt;&lt;P&gt;-Manufacturing&lt;/P&gt;&lt;P&gt;-Engineering&lt;/P&gt;&lt;P&gt;-Retail&lt;/P&gt;&lt;P&gt;-Logistics&lt;/P&gt;&lt;P&gt;-NGOs&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Ransom Demand&amp;nbsp;Range&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;-USD $10,000 — $80,000 per incident (CYFIRMA, May 2026)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;------------------------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;3. 
The B-Family: Shared Infrastructure Ecosystem&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;One of the most important findings that emerged during my analysis was this:&lt;/P&gt;&lt;P&gt;BARADAI is not operating alone.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Threat intelligence monitoring identified a cluster of MedusaLocker variants sharing:&lt;/P&gt;&lt;P&gt;-The same naming conventions&lt;/P&gt;&lt;P&gt;-Similar code architecture&lt;/P&gt;&lt;P&gt;-And most critically — the same Tor-based infrastructure&lt;/P&gt;&lt;P&gt;[Image not included in the feed]&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I named this cluster: &lt;STRONG&gt;“The B-Family”&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;---------------------------------------------&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Evidence of Shared Infrastructure&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;The strongest evidence of coordination inside the B-Family is not behavioral similarity — it is shared infrastructure.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;BARADAI’s ransom note lists the following Tor hidden service for victim negotiations:&lt;/P&gt;&lt;P&gt;&lt;U&gt;t33zoj4qwv455fog7qnb2azi5xcdxkixughmmduzbw2rtdgryqfbh6id.onion&lt;/U&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This is identical to the Tor address listed as the Data Leak Site and file leak server for BAVACAI — independently verified by ransomware.live, which identified the server running NGINX 1.24.0.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;PCrisk’s BARADAI documentation also includes screenshots of the leak site using the filename prefix:&lt;/P&gt;&lt;P&gt;&lt;U&gt;bavacai-&lt;/U&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This is structural evidence confirming that the same backend infrastructure serves both variants.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;What This&amp;nbsp;Means&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The B-Family is not a collection of 
copycat operations.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It is a single operation — or a tightly coordinated RaaS affiliate ecosystem — using different “brand names” per campaign in order to complicate attribution, tracking, and law enforcement disruption.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;-----------------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Known Victims (BAVACAI DLS — Shared&amp;nbsp;Backend)&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As of May 8, 2026, the BAVACAI DLS listed 16 victims — all published simultaneously on May 5.&lt;/P&gt;&lt;P&gt;[Image: BAVACAI DLS victim list (not included in the feed)]&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;------------------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;4. Side-by-Side: Technical Overlap&amp;nbsp;Analysis&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This section is the core of the article.&lt;/P&gt;&lt;P&gt;The table below correlates the exact techniques documented in my April 5, 2026 research with the verified BARADAI behaviors documented by CYFIRMA, PCrisk, and the broader MedusaLocker analysis corpus.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;[Image: side-by-side technical overlap table (not included in the feed)]&lt;/P&gt;&lt;P&gt;The conclusion is direct and unavoidable:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The architecture I built, tested, documented, and published in a controlled laboratory environment on April 5, 2026 — the same architecture the community dismissed as “theoretical,” “AI-generated,” and “impossible” — was operationalized by a real threat actor 33 days later.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;--------------------------------------------------------&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;5. 
Deep Dive: The Fileless&amp;nbsp;Paradox&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Let us settle the debate permanently.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;The Misconception: “Fileless Malware Cannot Be Persistent”&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;The argument I repeatedly encountered was this:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;U&gt;“If malware does not leave files on disk, it cannot survive a reboot because RAM is volatile.”&lt;/U&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Technically correct. Strategically incomplete.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It is true that RAM-resident code disappears when the system powers off. However, persistence does not require the malicious payload itself to reside on disk.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It requires a mechanism that re-executes the payload after reboot. Those are two different things.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;--------------------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;&lt;SPAN class="lia-text-color-21"&gt;The Architecture: How It Actually&amp;nbsp;Works&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;
┌──────────────────────────────────────────────────────────┐
│                   ATTACK ARCHITECTURE                    │
│                                                          │
│  DISK (minimal footprint):                               │
│  ┌──────────────────────────────────────────────────┐    │
│  │ loader.exe (masquerading as svchost.exe)         │    │
│  │ cover_image.png (contains hidden payload)        │    │
│  └──────────────────────────────────────────────────┘    │
│                           │                              │
│  REGISTRY (persistence):                                 │
│  ┌──────────────────────────────────────────────────┐    │
│  │ HKCU\...\Run\WindowsUpdateService                │    │
│  │ → points to loader.exe                           │    │
│  └──────────────────────────────────────────────────┘    │
│                           │                              │
│  ON EVERY BOOT:                                          │
│  Registry triggers → loader.exe executes →               │
│  Reads PNG pixels → extracts payload →                   │
│  Loads into RAM → executes                               │
│  (No malicious .exe is ever written to disk)             │
│                                                          │
│  RAM (execution):                                        │
│  ┌──────────────────────────────────────────────────┐    │
│  │ Keylogger / RAT / Ransomware module              │    │
│  │ Executes entirely in memory                      │    │
│  │ Invisible to disk-based AV scanning              │    │
│  └──────────────────────────────────────────────────┘    │
└──────────────────────────────────────────────────────────┘
&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Only the loader exists on disk — and the loader itself is a small, legitimate-looking executable without a malicious signature.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The malicious payload lives in:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;-The pixel data of the PNG image (steganographically encoded)&lt;/P&gt;&lt;P&gt;-RAM (during active execution)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The Registry provides the trigger mechanism — not the payload itself.&lt;/P&gt;&lt;P&gt;That was the exact distinction critics failed to understand.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;------------------------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Why It Evades Traditional Detection&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;[Image not included in the feed]&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;BARADAI’s Implementation&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;BARADAI uses the same logical architecture at larger scale.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The MedusaLocker v3 binary:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;-Achieves persistence via Registry Run 
Key:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P class="lia-indent-padding-left-30px"&gt;HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;-Executes core ransomware logic in memory without writing recoverable payload components to disk&lt;/P&gt;&lt;P&gt;-Uses Parent PID Spoofing (T1134.004) to appear as a child process of explorer.exe or svchost.exe&lt;/P&gt;&lt;P&gt;-Restores itself through persistence mechanisms if binaries are deleted&lt;/P&gt;&lt;P&gt;------------------------------------------------------------------------------&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;6. The PAIDMEMES Anomaly: Forensic Residue Inside BARADAI&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;One of BARADAI’s most distinctive — and frankly bizarre — technical characteristics is its configuration and key storage mechanism.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Unlike most ransomware variants that attempt to keep all cryptographic material exclusively in volatile memory, BARADAI writes directly into the Windows Registry under an extremely unusual hive:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P class="lia-indent-padding-left-30px"&gt;HKCU\SOFTWARE\PAIDMEMES\PUBLIC&lt;/P&gt;&lt;P class="lia-indent-padding-left-30px"&gt;HKCU\SOFTWARE\PAIDMEMES\PRIVATE&lt;/P&gt;&lt;P class="lia-indent-padding-left-30px"&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- HKCU\SOFTWARE\PAIDMEMES\PUBLIC&lt;/P&gt;&lt;P&gt;stores the Base64-encoded RSA public key extracted from the malware configuration.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- HKCU\SOFTWARE\PAIDMEMES\PRIVATE&lt;/P&gt;&lt;P&gt;stores encrypted runtime state and configuration parameters required for persistence across multiple execution instances.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;-------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Why This Matters&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;The PAIDMEMES Registry hive is 
not random — it serves a specific operational purpose.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When BARADAI is launched with the -network flag (instructing it to encrypt network shares), it spawns a secondary instance of itself as a non-elevated process.&lt;/P&gt;&lt;P&gt;By storing cryptographic keys and configuration inside the Registry, that secondary instance — even without administrative privileges — can access everything necessary to continue the attack.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;These two Registry artifacts represent your highest-confidence BARADAI detection signals:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P class="lia-indent-padding-left-30px"&gt;HKCU\SOFTWARE\PAIDMEMES&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;(Key creation = active infection)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P class="lia-indent-padding-left-30px"&gt;HKCU\...\Run\BabyLockerKZ&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;(Persistence = infection survived reboot)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;------------------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;7. 
My Technique vs BARADAI: Detailed Technical Similarities&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;Now let us go deeper technically and explain why I believe I am one of the people closest to understanding BARADAI.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;7.1 Payload Concealment: LSB Steganography&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;My Technique&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;I replaced the least significant bits (LSB) of RGB channels in PNG pixels with Base64-encoded keylogger payload bits.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;A 1/255 modification inside an 8-bit value is visually imperceptible to the human eye.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;In BARADAI&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;The stegomalware technique forms the core of payload transportation.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The same LSB logic applies:&lt;/P&gt;&lt;P&gt;-No visible image corruption&lt;/P&gt;&lt;P&gt;-No signature-based scanner triggers&lt;/P&gt;&lt;P&gt;-Payload blended into image “noise”&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Shared Point&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;Mathematically, it is the same approach. The only difference is scale:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I concealed a keylogger. BARADAI conceals a ransomware module.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;--------------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;7.2 Fileless + Registry: The “Impossible” Combination&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;My Technique&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;I registered my loader under:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P class="lia-indent-padding-left-30px"&gt;HKCU\...\Run\WindowsUpdateService&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Every time Windows booted, the loader executed, read the PNG, extracted the payload into RAM, and launched it. 
A .py file never existed on disk.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;In BARADAI&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P class="lia-indent-padding-left-30px"&gt;HKCU\...\Run\BabyLockerKZ&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Exactly the same mechanism.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Same Registry path.&lt;/P&gt;&lt;P&gt;Same logic.&lt;/P&gt;&lt;P&gt;Same “fileless yet persistent” paradox.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;-------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Shared Point&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;When critics claimed these two concepts could not coexist, they were wrong.&lt;/P&gt;&lt;P&gt;Both BARADAI and I proved it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;7.3 Process Concealment: svchost.exe Masquerading&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;My Technique&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;I compiled the loader with PyInstaller under the name svchost.exe and assigned it a Windows service icon.&lt;/P&gt;&lt;P&gt;Inside Task Manager, it appeared identical to a legitimate system process.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;In BARADAI&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;BARADAI uses Parent PID Spoofing.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Through Windows API manipulation, it makes execution appear as if initiated by svchost.exe or explorer.exe.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;EDR behavioral engines typically flag unknown processes performing system-level modifications.&lt;/P&gt;&lt;P&gt;This technique bypasses those checks.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Shared Point&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;Same concealment strategy.&lt;/P&gt;&lt;P&gt;Different implementation layer.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;7.4 Timers and Silent Collection&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;My 
Technique&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;The keylogger embedded data into PNG images every 10 characters OR every 30 seconds — whichever occurred first.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;After each cycle:&lt;/P&gt;&lt;P&gt;-Temporary memory artifacts were cleared&lt;/P&gt;&lt;P&gt;-The process reset&lt;/P&gt;&lt;P&gt;-No ever-growing log file existed on disk&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This is why antivirus products could not see it. This is why it could remain undetected for months.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;In BARADAI&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;“Ghost Software.”&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;After initial compromise, BARADAI does not immediately encrypt.&lt;/P&gt;&lt;P&gt;It silently waits.&lt;/P&gt;&lt;P&gt;Harvests credentials.&lt;/P&gt;&lt;P&gt;Maps the network.&lt;/P&gt;&lt;P&gt;Exfiltrates data.&lt;/P&gt;&lt;P&gt;Encryption is the final signature.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Shared Point&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;Both architectures rely on a “silent hunter” model.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I used 30-second image-based exfiltration loops.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;BARADAI remains dormant for days or weeks while collecting intelligence.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The logic is identical.&lt;/P&gt;&lt;P&gt;Only the timescale differs.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;----------------------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;7.5 Why I Believe I Am One of the People Closest to Solving BARADAI&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;These similarities are not coincidence.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;They reflect the same technical mindset reaching the same solutions to the same problems.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Because I built this architecture from 
scratch:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;-I understand its weak points — because I encountered the same weak points myself&lt;/P&gt;&lt;P&gt;-I can reverse-engineer LSB steganography workflows — because I wrote the same algorithm&lt;/P&gt;&lt;P&gt;-I understand Registry-based configuration logic — the PAIDMEMES hive pattern is familiar to me&lt;/P&gt;&lt;P&gt;-I understand interruption points inside timer-based collection loops — because I built the same cycle architecture myself&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;------------------------------------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;8. Microsoft Sentinel Detection Rules (KQL)&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;The following Kusto Query Language (KQL) queries are designed for deployment in Microsoft Sentinel.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;They target specific behavioral artifacts associated with BARADAI and the broader MedusaLocker family.&lt;/P&gt;&lt;P&gt;Deploy all three as scheduled analytics rules.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Rule 1: PAIDMEMES / BabyLockerKZ Registry Artifact Detection&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;High confidence.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Detects exact forensic strings unique to MedusaLocker v3 / BARADAI.&lt;/P&gt;&lt;P&gt;[Image: Rule 1 KQL query (not included in the feed)]&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;If This Rule Triggers&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The device is actively infected with BARADAI or the malware has successfully established persistence.&lt;/P&gt;&lt;P&gt;Treat as a P1 incident.&lt;/P&gt;&lt;P&gt;Immediately isolate the endpoint.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Rule 2: Shadow Copy &amp;amp; Backup Deletion Chain Detection&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;High confidence.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Detects BARADAI’s 
recovery-destruction sequence.&lt;/P&gt;&lt;P&gt;[Image: Rule 2 KQL query (not included in the feed)]&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;If This Rule Triggers&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;A ransomware payload is actively preparing for encryption.&lt;/P&gt;&lt;P&gt;This is your final detection window before data loss begins.&lt;/P&gt;&lt;P&gt;Immediately isolate the affected endpoint and every reachable network share.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Rule 3: EnableLinkedConnections — Network Share Privilege Escalation Detection&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;Medium-High confidence.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Detects BARADAI’s technique for accessing administrator-mapped network drives from non-elevated processes.&lt;/P&gt;&lt;P&gt;[Image: Rule 3 KQL query (not included in the feed)]&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;If This Rule Triggers&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;An attacker is preparing to encrypt network shares normally visible only to administrator-level processes.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This is a pre-encryption lateral movement signal.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;----------------------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;9. MITRE ATT&amp;amp;CK&amp;nbsp;Mapping&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;[Image: MITRE ATT&amp;amp;CK mapping (not included in the feed)]&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;------------------------------------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;10. 
Decryption Research and My Current Approaches&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;Let me be completely transparent.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Current status:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;There is no verified public decryptor available for BARADAI.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;-The No More Ransom project lists no decryptor for any MedusaLocker v3 / BabyLockerKZ variant&lt;/P&gt;&lt;P&gt;-The AES-256-CBC + RSA-4096 implementation is mathematically sound&lt;/P&gt;&lt;P&gt;-Historical decryptors existed only for significantly older MedusaLocker v1 and early v2 variants by exploiting key sanitization weaknesses in memory management&lt;/P&gt;&lt;P&gt;-Those vulnerabilities were patched in v3&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;What We Know About the Encryption&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;BARADAI uses intermittent encryption for large files:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;-Files larger than ~7.7MB are not fully encrypted&lt;/P&gt;&lt;P&gt;-The malware encrypts 750KB, skips 250KB, encrypts another 750KB, and repeats&lt;/P&gt;&lt;P&gt;This dramatically reduces encryption time while still rendering the file structurally unusable.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;---------------------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;What I Am Currently Researching&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;I am currently analyzing the BARADAI binary from multiple angles:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;PRNG Weaknesses&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;I am investigating the entropy source used during AES key generation.&lt;/P&gt;&lt;P&gt;If the PRNG is insufficiently random, the effective key space may be reducible.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Key Sanitization Behavior&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;I am investigating whether AES keys remain in memory after 
usage.&lt;/P&gt;&lt;P&gt;This weakness existed in MedusaLocker v1 and v2 and enabled historical decryptors.&lt;/P&gt;&lt;P&gt;Although patched in v3, implementation mistakes remain possible.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;PAIDMEMES Registry Storage&amp;nbsp;Analysis&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;The PAIDMEMES hive stores runtime state.&lt;/P&gt;&lt;P&gt;I am investigating whether this storage area contains recoverable cryptographic material.&lt;/P&gt;&lt;P&gt;Registry-stored cryptographic data could provide a viable decryption foothold.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Weaknesses in Intermittent Encryption&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;The 750KB-encrypt / 250KB-skip pattern enables structural comparisons between encrypted and unencrypted regions.&lt;/P&gt;&lt;P&gt;Known file formats (.docx, .xlsx, etc.) contain predictable header structures.&lt;/P&gt;&lt;P&gt;This creates potential for partial known-plaintext attacks.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;------------------------------------------------------------------------------&lt;/P&gt;&lt;P&gt;I will publish my findings in Vol.4 of this series regardless of the outcome.&lt;/P&gt;&lt;P&gt;-------------------------------------------------&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;If You Are a BARADAI&amp;nbsp;Victim&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;-Do not pay the ransom until all alternatives are exhausted&lt;/P&gt;&lt;P&gt;-Contact professional incident response services&lt;/P&gt;&lt;P&gt;-Preserve all encrypted files and ransom notes — a future decryptor may eventually become available&lt;/P&gt;&lt;P&gt;-Regularly monitor nomoreransom.org&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;----------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;11. 
Defensive Recommendations&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Priority 1: Phishing-Resistant MFA (Against AiTM)&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;Traditional MFA — push notifications, SMS codes, authenticator apps — can be defeated by AiTM reverse-proxy attacks.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Deploy:&lt;/P&gt;&lt;P&gt;-FIDO2 hardware security keys (YubiKey, etc.)&lt;/P&gt;&lt;P&gt;-Windows Hello for Business&lt;/P&gt;&lt;P&gt;These technologies cryptographically bind authentication tokens to the legitimate TLS session of the login portal.&lt;/P&gt;&lt;P&gt;Stolen cookies become useless in separate sessions.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;-------------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Priority 2: Eliminate RDP Exposure&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;BARADAI’s primary initial access vector is exposed RDP on TCP 3389.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;-Disable Internet-facing RDP at the perimeter firewall&lt;/P&gt;&lt;P&gt;-Enforce MFA + VPN for all remote administrative access&lt;/P&gt;&lt;P&gt;-Implement account lockout policies and Network Level Authentication (NLA)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Priority 3: Immutable Backups&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;BARADAI deletes Volume Shadow Copies via vssadmin.&lt;/P&gt;&lt;P&gt;Implement:&lt;/P&gt;&lt;P&gt;-A 3–2–1 backup strategy with at least one offline/immutable copy&lt;/P&gt;&lt;P&gt;-Azure Immutable Blob Storage (WORM)&lt;/P&gt;&lt;P&gt;-Multi-user authorization for backup vaults&lt;/P&gt;&lt;P&gt;-Monthly restoration testing&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;---------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Priority 4: FSRM Canary Files&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;Configure Windows File Server Resource Manager (FSRM):&lt;/P&gt;&lt;P class="lia-indent-padding-left-30px"&gt;Immediately alert when files with 
extensions:&lt;/P&gt;&lt;P&gt;.BARADAI&lt;/P&gt;&lt;P&gt;.BAVACAI&lt;/P&gt;&lt;P&gt;.BASANAI&lt;/P&gt;&lt;P&gt;.BAGAJAI&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;are created.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Trigger automated scripts that:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;-Terminate the originating user session&lt;/P&gt;&lt;P&gt;-Revoke network share access&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;--------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Priority 5: Deploy the Sentinel KQL Rules Above&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;The three rules in Section 8 provide layered behavioral detection that signature-based tooling cannot replicate.&lt;/P&gt;&lt;P&gt;Deploy them before an incident occurs.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;--------------------------------------------------------------------------&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Priority 6: Zero Trust Architecture&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;BARADAI’s EnableLinkedConnections Registry modification allows standard user processes to encrypt administrator-mapped drives.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;-Segment backup servers, Domain Controllers, and critical infrastructure&lt;/P&gt;&lt;P&gt;-Require hardware-backed MFA for sensitive segments&lt;/P&gt;&lt;P&gt;-Implement least privilege and Just-In-Time (JIT) administrative access with Azure PIM&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;------------------------------------------------------------------------&lt;/P&gt;&lt;P&gt;📢 Call to Action: Collective Intelligence&lt;/P&gt;&lt;P&gt;I started this research alone. 
But disrupting the impact of the B-Family requires collective effort.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If your organization or threat-hunting operations have observed additional logs, unusual network traffic, or alternative steganographic payload samples associated with the B-Family (BARADAI, BAVACAI, BASANAI, etc.), do not remain silent.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Data Sharing&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;You may share anonymized IoCs or log artifacts with us.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Direct Contact&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;If you have technically significant observations or findings related to BARADAI analysis, you can contact me directly through my Webex profile.&lt;/P&gt;&lt;P&gt;Webex Contact - email address removed for privacy reasons&lt;/P&gt;&lt;P&gt;Our collective security depends on the aggregation of these small signals.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;---------------------------------------------&lt;/P&gt;&lt;P&gt;Sources and References&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For technical verification and further investigation, refer to the following resources:&lt;/P&gt;&lt;P&gt;Threat Intelligence &amp;amp; Ransomware Reports&lt;/P&gt;&lt;P&gt;CYFIRMA: Weekly Threat Intelligence Report (2026–05–08)&lt;/P&gt;&lt;P&gt;Ransomware.live: BAVACAI Group &amp;amp; DLS Infrastructure&lt;/P&gt;&lt;P&gt;PCrisk: BAVACAI | BAGAJAI | BASANAI Analysis&lt;/P&gt;&lt;P&gt;Technical Foundations &amp;amp; MITRE TTPs&lt;/P&gt;&lt;P&gt;CISA: MedusaLocker Advisory (AA22–181A)&lt;/P&gt;&lt;P&gt;Picus Security: MedusaLocker TTPs and Simulation&lt;/P&gt;&lt;P&gt;Barracuda: GhostFrame Phishing Kit Spotlight (2025–12–04)&lt;/P&gt;&lt;P&gt;Detection &amp;amp; Response Tools&lt;/P&gt;&lt;P&gt;Microsoft Sentinel: Official Shadow Copy Deletion Analytics Rule&lt;/P&gt;&lt;P&gt;GitHub (Bert-JanP): Hunting Queries and Detection Rules&lt;/P&gt;&lt;P&gt;No More Ransom: Global 
Decryption Tools Repository&lt;/P&gt;&lt;P&gt;Cassandra MARE Independent Research&lt;/P&gt;&lt;P&gt;Deniz Tektek: Stegomalware &amp;amp; Fileless Persistence (2026–04–05) &lt;A class="lia-external-url" href="https://medium.com/@deniizz/stegomalware-steganografi-ve-windows-registry-ile-kalıcılık-sağlayan-png-01e50849a218" target="_blank"&gt;https://medium.com/@deniizz/stegomalware-steganografi-ve-windows-registry-ile-kalıcılık-sağlayan-png-01e50849a218&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Cassandra Community: Initial BARADAI Analysis (2026–05–14) &lt;A class="lia-external-url" href="https://medium.com/@cassandracommunity/baradai-ransomware-hayalet-yazılım-ı-parçalarına-ayırıyoruz-0c04bb008f73" target="_blank"&gt;https://medium.com/@cassandracommunity/baradai-ransomware-hayalet-yazılım-ı-parçalarına-ayırıyoruz-0c04bb008f73&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This article has been published strictly for defensive purposes. All described techniques have been analyzed within the context of threat detection and defense.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This is my debut article on the Microsoft Tech Community. I am Deniz Tektek, a Red Team Operator, Cybersecurity Analyst, and Founder of the Cassandra community. My work focuses on the intersection of human psychology, IoT security, and the development of zero-trust local AI agents.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This article, “The Fileless Paradox,” is the inaugural entry in my "We Saw It Coming" threat intelligence series, where I document technical overlaps between independent research and active real-world threats.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What’s Next?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Vol. 2: "Invisible Exfiltration" — Analyzing how BARADAI’s C2 hides in plain sight.&lt;/P&gt;&lt;P&gt;Vol. 3: "The Human Gateway" — Why your MFA and AI-driven defenses are currently being bypassed.&lt;/P&gt;&lt;P&gt;Vol. 
4: "Cracking BARADAI" — My ongoing decryption research.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Connect With Me&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;If you want to discuss these findings, exchange logs, or collaborate on security research, please check my profile bio for contact information or connect with me via LinkedIn. I welcome all technical perspectives and peer reviews.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My LinkedIn: &lt;A class="lia-external-url" href="https://www.linkedin.com/in/deniz-t-91166438a" target="_blank"&gt;https://www.linkedin.com/in/deniz-t-91166438a&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Deniz Tektek — May 2026&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;© Deniz Tektek &amp;amp; Cassandra — All Rights Reserved.&lt;/P&gt;&lt;P&gt;Originally published on Microsoft Tech Community. Cross-posted on Medium.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 29 May 2026 21:03:13 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-community/the-fileless-paradox-how-my-33-day-old-research-became-today-s/m-p/4524086#M9984</guid>
      <dc:creator>DenizTektek</dc:creator>
      <dc:date>2026-05-29T21:03:13Z</dc:date>
    </item>
  </channel>
</rss>

