CyberCX
Australia/New Zealand-headquartered cyber-security services group. Self-describes its DFIR practice as “Australia and New Zealand’s leading and most advanced cyber investigation and response practice.” Publishes an annual threat report drawn from its own incident-response casebook — distinct from intelligence aggregators in that the data is end-to-end incident-derived, not OSINT.
Positions captured in the KB
- Cyber extortion is now the single largest incident category in CyberCX’s casebook (26% in 2025), displacing BEC. “The threats are bigger and better resourced, and the risks are worse than they have ever been” (foreword). [[2026-05-12-cybercx-2026-threat-report]]
- MFA is not a meaningful BEC boundary anymore. “Every BEC incident CyberCX responded to where traditional MFA was enforced … involved session hijacking.” Phishing-resistant MFA (FIDO/passkeys) is positioned as the upgrade path. [[2026-05-12-cybercx-2026-threat-report]]
- First observation of offensive GenAI use by threat actors in CyberCX’s response data in 2025; quality “dubious”, but the barrier to entry has dropped. [[2026-05-12-cybercx-2026-threat-report]]
- AI data spills are now a DFIR engagement category — staff uploading sensitive corporate data to external AI portals, often unquantifiable in scope. [[2026-05-12-cybercx-2026-threat-report]]
- Public production disclosure: the 2026 report was explicitly not generated with GenAI. [[2026-05-12-cybercx-2026-threat-report]]
- The STA practice is one of the largest private-sector offensive-security teams globally — a three-year dataset of 7,500+ engagements, 1,400+ customers and 70,000+ findings underpins the 2026 Hack Report. [[2026-05-12-cybercx-2026-hack-report]]
- Severe-finding rates are improving slowly — 33.5% (2023) → 32.7% (2024) → 29.0% (2025). Edelstein’s framing: “defenders are falling behind” despite the improvement, because attacker capability uplift is unlikely to be in the “low single-figure percentage” range. [[2026-05-12-cybercx-2026-hack-report]]
- Root causes are concentrated. “Almost all severe findings fell into four categories” — Configuration & Patch Management 33.4%, IAM 32.1%, AppSec 21.1%, Data Security & Privacy 10.9%. AppSec is the only one trending up year-on-year. [[2026-05-12-cybercx-2026-hack-report]]
- AI penetration tests have a 50% severe-finding rate — “almost double the 26% rate for web-application pen-tests”. Lead author Dimitri Vedeneev attributes this to traditional security patterns (threat modelling, pre-deployment pen-test) being “often not fit for the pace and urgency of AI development.” [[2026-05-12-cybercx-2026-hack-report]]
- MCP is named as an attack surface. “New standards like Model Context Protocol (MCP) are being adopted, but are not yet secure, enterprise-ready implementations. … data can flow bi-directionally between servers and clients … creating a rise in authentication-related issues with MCP implementations.” First explicit treatment of MCP-as-attack-surface in this KB. [[2026-05-12-cybercx-2026-hack-report]]
- “Vibe-coding to production” is an engagement category. “CyberCX has conducted architecture reviews and penetration tests for a significant number of systems that were built primarily by AI. Often this is by organisations that have done no internal development prior.” [[2026-05-12-cybercx-2026-hack-report]]
- The Financial Services paradox. Lowest-but-one severe-finding rate (22.0%) in the Hack Report; most-impacted sector (18%) in the DFIR Threat Report. CyberCX: “financially motivated threat actors select targets not just by the prevalence of vulnerabilities, but on their ability to monetise attacks. Financial services are an attractive target simply because that is where the money is.” [[2026-05-12-cybercx-2026-hack-report]] [[2026-05-12-cybercx-2026-threat-report]]
- Adversary simulation engagements doubled 2024 → 2025, reflecting customer demand for detect-and-respond assurance over vulnerability inventories. [[2026-05-12-cybercx-2026-hack-report]]
- Both 2026 reports are silent on APRA / ASIC / OAIC / CPS 230 / FAR / Privacy Act. This is now a confirmed CyberCX editorial pattern across the offensive and defensive sides of the practice. [[2026-05-12-cybercx-2026-hack-report]] [[2026-05-12-cybercx-2026-threat-report]]
Notable advisory connections
- Ciaran Martin (former UK NCSC CEO) sits on CyberCX’s Global Advisory Board; quoted in the 2026 report distinguishing “cyber thieves” from “cyber thugs.” [[2026-05-12-cybercx-2026-threat-report]]
STA leadership (named in the 2026 Hack Report)
The 2026 Hack Report names the following STA contributors. They are captured here for traceability; so far, stubs have been created only for the most senior named contributors.
- jason-edelstein — Global Executive Director, Security Testing and Assurance. Foreword author.
- dimitri-vedeneev — Executive Director, Secure AI. Lead author; section author for “Hacking AI systems”.
- Liam O’Shannessy — Lead editor.
- Dexter Gillman — Section author (AppSec / industry analysis).
- Raafey Khan — Section author (Application security insights).
- Kris Bergamaschi — Section author.
- Willem Mouton — Section author (Adversary simulation trends).
- Jeremy du Bruyn — Section author.
See also
- hamish-krebs — Global Executive Director, DFIR
- jason-edelstein — Global Executive Director, STA
- dimitri-vedeneev — Executive Director, Secure AI
- ai-governance-au · ai-security-defense · claude-mcps