
Keeper Security puts Atlassian Williams F1 Team in pole position on cybersecurity

14 January 2026 at 12:49

In Formula 1, milliseconds matter… and so does security. Keeper Security has helped Atlassian Williams F1 Team tighten its cyber defences, revealing how the iconic racing team is using KeeperPAM to protect its data, systems and global operations without taking its foot off the accelerator.

Announced on 13 January 2026, a new case study from Keeper Security details how Atlassian Williams F1 Team has overhauled its privileged access strategy using KeeperPAM, a unified, cloud-native Privileged Access Management (PAM) platform built on zero-trust and zero-knowledge principles. With terabytes of sensitive telemetry and performance data generated every race weekend, any breach, whether trackside or back at base, could be race-ending.

Unlike many organisations, Atlassian Williams F1 Team’s infrastructure isn’t parked in one place. It’s constantly on the move, travelling across more than 20 countries each season. From airports and paddocks to garages and headquarters, the team needed cybersecurity that could keep pace with a relentless global schedule without adding friction.

“We travel to more than 20 countries each season, and every week we’re in a new location,” said James Vowles, Team Principal, Atlassian Williams F1 Team. “Our infrastructure isn’t sitting safely in a single building – it’s traveling with us. That means we have to be secure wherever we are, from airports to garages to our HQ at Grove. With Keeper, we can build that fortress around our operations.”

KeeperPAM delivered that protection by putting zero trust at the heart of access control. Through role-based access, privileged session monitoring and automated provisioning, the platform allows Atlassian Williams F1 Team to enforce least privilege while keeping engineers and staff moving at racing speed.

The team has also streamlined operations by funnelling all privileged connections through a single platform, giving security teams better visibility and faster reaction times when something looks off.

“We now have a single platform where all of our connections go through,” said Harry Wilson, former Head of Information Security, Atlassian Williams F1 Team. “We can apply policies, monitor usage and generate alerts when something unexpected happens. Doing that on our server estate was critical to us.”

KeeperPAM brings together enterprise password management, secrets management, privileged session management, endpoint privilege management, secure remote access and dark web monitoring into one cloud-native platform. By replacing legacy tools with a single solution, Keeper Security says organisations gain real-time visibility, automated least-privilege enforcement and AI-driven threat detection, helping them spot threats before they cross the finish line.

For Atlassian Williams F1 Team, flexibility was just as important as control. Engineers occasionally need elevated access, but only when it’s genuinely required, and never for longer than necessary.

“There are times when employees need local admin rights on a case-by-case basis,” added Wilson. “With Keeper, we can grant that access in real time and remove it automatically, which gives us confidence that privileged access is always controlled and temporary.”

Keeper Security believes modern PAM needs to work quietly in the background, more like a finely tuned race engine than a heavy braking system.

“Modern PAM has to do more than secure credentials. It has to automate provisioning, rotate secrets and eliminate standing privileges – all without burdening IT teams,” said Craig Lurey, CTO and Co-founder, Keeper Security. “That’s why we designed KeeperPAM to replace complexity with automation, freeing organisations like Atlassian Williams F1 Team to focus on what they do best.”

By centralising all credentials within a zero-knowledge environment, Atlassian Williams F1 Team has eliminated plaintext exposure while automating the provisioning and deprovisioning of privileged access. The result is lower operational overhead for IT teams and fewer roadblocks for engineers pushing performance innovation.

With KeeperPAM in place, Atlassian Williams F1 Team can now operate securely on any device, on any network, anywhere in the world. In a sport where marginal gains make all the difference, cybersecurity has become another competitive edge, helping the team stay secure, agile and firmly in the race.

The post Keeper Security puts Atlassian Williams F1 Team in pole position on cybersecurity appeared first on IT Security Guru.

BreachForums Data Leak Raises Fresh Questions Over Credibility

13 January 2026 at 17:29

BreachForums, one of the most well-known English-language cybercrime forums, has reportedly suffered a data breach, exposing user information after the site was taken offline once again.

As reported by The Register, a database linked to the forum was leaked online, potentially revealing account details, private messages and metadata on close to 325,000 accounts. However, security researchers caution that while the leak may attract attention, its intelligence value and authenticity remain uncertain.

Michael Tigges, Senior Security Operations Analyst at Huntress, said the dataset should be treated with caution.

“This data leak, while potentially useful for authorities and security professionals researching adversarial activities, is ultimately of limited forensics use,” he said.

“While the database leak may be legitimate, the integrity is called into question as it was derived from another cybercrime group, ShinyHunters.”

He added that such leaks are sometimes used to infer links between threat actors, but warned that datasets may be incomplete, selectively modified, or deliberately misleading.

“The reliability of the information must be highly scrutinised, as it may not be legitimate data or could be altered to disguise or prevent disclosure of information,” Tigges said.

Criminal trust continues to erode

The breach is likely to further undermine confidence in BreachForums among cybercriminals, following a series of takedowns and reappearances over recent years.

Gavin Knapp, Cyber Threat Intelligence Principal Lead at Bridewell, said the platform’s turbulent history has already damaged its credibility.

“Criminals are likely questioning its credibility and losing trust in it, and it’s often referred to as a potential honeypot for law enforcement,” Knapp said.

Knapp noted that the real-world impact of the leak depends largely on the operational security (OPSEC) practices of individual users.

“The data leak is obviously a problem for legitimate accounts used for crime, as opposed to sock-puppet accounts used by researchers or law enforcement,” he said.

“However, the impact depends on whether users exposed information that could be linked back to a real-world identity, such as unique email addresses or reused passwords.”

He added that the same risks apply to investigators and researchers who may also face exposure if poor OPSEC was used, and that it remains unclear how current or complete the leaked data is.

Limited underground reaction

Despite the publicity surrounding the breach, reaction within cybercrime communities appears muted.

Michele Campobasso, Senior Security Researcher at Forescout, said responses across underground forums have been limited or dismissive.

“On one of the XSS forum forks following the takedown, some users responded with sarcasm,” he said.

“In other underground forums and communities where we have access, we found no reaction on the topic.”

This lack of engagement may reflect growing scepticism among threat actors toward long-running forums, many of which are viewed as compromised or unreliable.

Disputed links to ShinyHunters

The breach has also prompted speculation around the involvement of the ShinyHunters extortion group, although responsibility remains disputed.

Campobasso said that while there is no conclusive evidence linking ShinyHunters to the leak, the claim is not implausible given recurring references to a figure known as “James” across multiple iterations of the shinyhunte[.]rs website.

Cached versions of the site show repeated mentions of “James”, including defacement messages, accusations from other group members, and a manifesto attributed to the same pseudonym. Linguistic patterns in the text suggest possible French influence, although Campobasso cautioned against drawing firm conclusions.

“It is possible that either the data leak was performed by James, or that someone is attempting to frame them in order to disrupt their reputation within the cybercriminal ecosystem,” he said.

A familiar pattern

Ultimately, the BreachForums incident highlights a recurring issue within cybercrime communities: instability, internal conflict and declining trust.

For defenders, the breach is a reminder that leaked criminal datasets should be treated carefully, validated rigorously and never assumed to be complete or accurate, even when they appear to offer rare insight into adversary activity.

Keeper Security Launches JetBrains Extension

9 January 2026 at 18:42

This week, Keeper Security announced the launch of its JetBrains extension, offering JetBrains Integrated Development Environment (IDE) users a secure and seamless way to manage secrets within their development workflows. By integrating directly with the Keeper Vault, developers can replace hardcoded secrets with vault references and execute commands using injected credentials, ensuring sensitive data remains protected at every stage of development.

Secure secrets management protects the credentials, API keys, tokens and certificates that applications rely on to function safely. When these secrets are mishandled, such as being stored in plaintext, hardcoded into source code or shared insecurely, they become easy targets for attackers. The Keeper JetBrains extension eliminates these risks by allowing developers to store, retrieve and generate secrets from the Keeper Vault without leaving their IDE.

Unlike standalone plug-ins or external vault tools that rely on third-party servers, the Keeper JetBrains extension operates within a zero-knowledge architecture, ensuring all encryption and decryption occur locally on the user’s device. Integrated natively with Keeper Secrets Manager and KeeperPAM®, it brings enterprise-grade privilege controls directly into the developer’s workflow to deliver strong security without slowing down development. 

“Modern software development demands security at every layer,” said Craig Lurey, CTO and Co-founder of Keeper Security. “Integrating Keeper into JetBrains ensures developers can apply secure-by-design principles from the start, eliminating hardcoded credentials and strengthening the integrity of the software supply chain.”

The Keeper JetBrains extension provides a range of powerful capabilities, including secrets management that allows users to save, retrieve, and generate secrets directly from the Keeper Vault. It also supports secure command execution by enabling applications to run with secrets safely injected from the vault. In addition, the extension offers logging and debugging tools, giving users access to logs and the ability to enable debug mode for full operational transparency, and it supports cross-platform use across Windows, macOS, and Linux environments.

The JetBrains extension builds on Keeper’s broader KeeperPAM® platform, an AI-enabled, cloud-native privileged access management solution that unifies password, secrets, connection and endpoint management under a zero-trust, zero-knowledge framework.

London council cyber attack exposes personal data and highlights risks of shared public-sector IT

9 January 2026 at 16:40

A cyber attack on shared IT systems used by several London councils has resulted in the theft of personal data relating to thousands of residents, raising renewed concerns about the resilience of local government cyber security and the risks posed by interconnected public-sector infrastructure.

Kensington and Chelsea Council confirmed that sensitive personal information was accessed during the incident, which also disrupted services across neighbouring boroughs. The attack prompted swift intervention from the National Cyber Security Centre (NCSC) and the Metropolitan Police, underlining the seriousness of the breach.

Cyber security leaders warn that the incident reflects a broader and accelerating threat to public-sector organisations. Darren Guccione, CEO and co-founder of Keeper Security, noted that this is the second significant cyber incident affecting a UK local authority in less than two months, highlighting how persistently councils are being targeted.

“Councils and other arms of government remain high-value targets for cybercrime because they hold extensive sensitive personal data and operate interconnected, often legacy, systems that are both attractive to attackers and difficult to defend at scale,” Guccione said. He added that the frequency of these attacks suggests adversaries are shifting away from opportunistic intrusion towards sustained and sophisticated campaigns designed to exploit systemic weaknesses and undermine public trust.

The technical characteristics of the attack have also raised alarm among experts. Graeme Stewart, head of public sector at Check Point, said the incident shows “all the signs of a serious intrusion”, citing multiple boroughs being taken offline and internal warnings instructing staff to avoid emails from partner councils.

“That’s classic behaviour when attackers get hold of credentials or move laterally through a shared environment,” Stewart said. “Once they’re inside one part of the network, they can hop through connected systems far faster than most councils can respond.”

Stewart added that the rapid shutdown of services suggests authorities feared escalation into encryption or large-scale data theft. “Councils hold incredibly sensitive material – social-care files, identity documents, housing records. If attackers got near that, the fallout wouldn’t stay local,” he warned.

The incident has also highlighted the risks created by shared and centralised IT platforms across local government. Dray Agha, senior manager of security operations at Huntress, described such environments as a “double-edged sword”.

“While shared systems are efficient, the breach of one council can instantly compromise its partners, crippling essential services for hundreds of thousands of residents,” Agha said. He stressed the need to move beyond purely cost-driven IT strategies and towards segmented, resilient architectures capable of containing attacks before they spread.

For residents affected by the breach, the immediate concern is how their personal information may be misused. Chris Hauk, consumer privacy advocate at Pixel Privacy, urged individuals to remain vigilant for phishing and fraud attempts, while calling on the council to provide tangible support.

“People that have had their data exposed should stay alert for phishing schemes and other scams,” Hauk said. He added that Kensington and Chelsea Council should offer free credit monitoring to affected residents, noting that government bodies frequently expect private-sector organisations to do the same following similar breaches.

Transparency will be critical in limiting long-term harm, according to Paul Bischoff, consumer privacy advocate at Comparitech. He called on the council to clarify what types of personal data were compromised as quickly as possible.

“Until then, victims cannot make informed choices about how to protect their personal information and finances,” Bischoff said. He noted that attackers have already published a proof pack containing sample stolen documents – a common tactic used by ransomware groups to substantiate their claims and apply pressure. “Based on our research into hundreds of ransomware attacks, the vast majority of these claims are legitimate,” he added.

At a policy level, Guccione pointed to the UK Government’s recently launched Cyber Action Plan, which includes more than £210 million in funding and the creation of a new Government Cyber Unit to improve coordination and resilience across public services.

“The plan is a positive development in recognising the cross-government nature of this challenge,” he said, but warned that central initiatives must be matched by action at the organisational level. He urged public-sector bodies to accelerate adoption of identity-centric security models, enforce stronger access controls, segment networks to limit lateral movement and implement continuous monitoring.

“Only by elevating cybersecurity from a technical afterthought to a core governance priority can public services reduce their exposure to increasingly persistent attacks and maintain citizens’ trust in the digital services they rely on,” Guccione said.

As investigations continue, the incident is expected to intensify scrutiny of cyber maturity across UK local authorities, many of which continue to deliver critical digital services under tight budgets and complex operational constraints.

From noise to signal: Building a risk-first alert pipeline that analysts trust

5 January 2026 at 18:13

We’re on the edge of something interesting in the industry right now, and it’s the transformation of the modern SOC.

We Know the Problem

Everyone knows that security operations centres are faced with too much, too hard, and too fast – not to mention too confusing. We know the stats: thanks to the cyber talent crunch, limited resources, and a ton of new attacks (thanks, bots and AI), 40% of alerts get ignored. Even worse, 61% of security teams admit to ignoring alerts that later proved to be critical incidents.

We’ve Dipped Our Toe in the Solution

The simple answer is “figure out how to get fewer alerts.” Check. Reducing noise is key. But once you do, is the problem solved?

No, but you’re on the right track. The next step is where the transformation really takes place, and where the industry is looking to go next. We’ve talked noise reduction, but now, once we’re down to only a few (ish) alerts, what we need to know is which of those are worth our time. If we can only get to five a day, which ones should we be going after? And what determines what comes next on our roster?

Let’s Go All the Way

The answer is risk. You need to prioritise those remaining few (hundred) alerts by risk, which is a multifaceted project, then streamline remediations based on which ones present the biggest, most immediate, or most impactful threat.

Reducing noise is a good start, but it’s only that. Here’s where we jump off, and how to build a risk-first alert pipeline that analysts trust. And that will truly have the power to transform the SOC.

First, Let’s Talk Noise Reduction

Before we jump to the conclusion, let’s orient ourselves and look at where we’ve come from.

Nobody Can Function with Alert Fatigue

Faced with an average of 83 different tools from 29 different vendors, SOCs are forced to wade through deluges of data to find the rare, true positive needle in a haystack.

It doesn’t come easy, and SOCs waste most of their time looking. That’s why it’s so important to, before anything else can get better, cut the noise. Prophet Security, an AI SOC Platform company, does a great job of explaining the process of reducing alert fatigue, but then adds this insightful conclusion: “Do not chase volume alone. Reducing alert count without measuring risk impact creates blind spots.”

Cutting Down Alerts? It’s a Good Start

And this is the jumping-off point. Having fewer alerts is, well, good. But those still have to be actioned, and someone has to decide which comes first. Typically, SOCs make that decision based on severity scores. It’s the way the industry does things; it’s the way we’ve always done things.

But these days, security no longer exists in a vacuum and “how big a deal” a certain exposure is really doesn’t matter if it isn’t a big deal to the business. Today, all security priorities are intrinsically tied to business objectives – it’s about time! – which means that the alerts that represent the biggest overall business risk are the ones that need to be taken care of first.

So, how do you do that?

Determining Risk to the Business: The Real Metric

We’ve carried the ball halfway down the court, and now it’s time to sink it in. To really help SOCs out, any sort of automated SOC tool needs to do more than cut down on noise. It needs to tell you what to do with the alerts that are left, and tie those decisions transparently to:

  • Asset criticality. Is this a moderate severity vuln on a database holding cardholder information? That’s huge. Or is it a critical vulnerability on a stale on-premises database that holds no secrets? Not as big of a deal.
  • How likely is this to be exploited? Are there currently strong security controls surrounding this asset, blocking any potential attacks? We can wait on the fix, then. Are there zero policies in place, meaning all an attacker has to do is compromise this one weakness and they’re in? Put that higher on the list.
  • Risk to the business. If this vulnerable system goes down, what’s the worst that can happen? Is it a SCADA system or an API connecting highly regulated data? Priority one. Is it a retired server that’s been languishing in the digital corner? You get the point.

Looking at these other angles shows why simple severity scores won’t cut it. They say nothing about the context around the exposure: what it’s putting at risk, how real that risk might be, and the impact if that risk becomes a real threat or gets exploited.

All these things need to be taken into account by your automated SOC tool if it’s going to do more than give you more puzzles to solve. SOCs have enough on their plates; these types of answers should come standard.

So, what’s the technology that can get it done?

A Modern, Risk-First Alert Pipeline

When looking for the right AI SOC platform, it needs to be one that will do this sort of math for you, not take out a bunch of alerts, hand you the rest, and say “good luck.”

That’s why you want one with a modern, risk-first alert pipeline. This sounds like a bunch of security-ish buzzwords strung together with hyphens, but it’s really where the magic takes place.

Can AI Help? Yes.

But first, does AI help? In 2025, you don’t have to ask. Yes, artificial intelligence helps in this whole process. Like with most technologies, applying AI, generative AI, machine learning, agentic AI, natural language processing, and everything AI can move the needle significantly; but only when used in the right way.

Building Out Alerts by True Risk

Here’s what a risk-first alert pipeline looks like in action:

  1. Upstream Filtering: AI agents, especially agentic AI agents, ingest alerts and analyse them (early in the pipeline, or at the source). They filter out false positives here, leaving less mess to work with downstream.
  2. User Behaviour: Helps filter out false positives by comparing normal baselines to existing identity and session activity.
  3. Contextual Enrichment: Using only the alerts that aren’t marked duplicates or false positives, autonomous AI agents get to work. They gather and correlate data from all relevant sources (SIEMs, cloud logs, identity platforms, EDR) to build the beefed-up attack story and deliver SOCs alerts they can use. Right away.
  4. Contextual Reasoning: You can’t chase dynamic threats with static rules. Agile, agentic AI agents “think” on the spot (using LLMs and domain-specific data) to make conclusions about the evidence, ask investigative questions, and come up with next steps.
  5. Blended Scoring: The ultimate, prioritised list should be one where multiple factors have been taken into account: severity (yes), context (SIEMs, EDR, etc.), behavioural analytics (does surrounding system behaviour deviate from the norm?), and confidence scoring (how “right” the AI thinks its reasoning is, so SOCs know what they’re working with). All AI-based decisions should be transparent and auditable to boost trust; no “black box” scoring.

The result is that you get your alerts not only thinned out, but organised by order of importance to the business, not an arbitrary security scoring chart. Don’t misunderstand; severity needs to be factored in, too. It just can’t be the only factor.
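To make the three risk angles above (asset criticality, exploitability, business impact) and the pipeline steps concrete, here is a small worked example in Python. It is an added illustration, not code from the article or from any vendor mentioned in it: the weights, the sample alerts, the known-false-positive list and the field names are all constructed assumptions. It runs the upstream filtering and dedup steps, then produces a blended score in which severity is one factor among several, and keeps a per-factor breakdown so the ranking can be explained rather than presented as a black box.

```python
"""Toy risk-first alert pipeline (added example; weights and data are assumed)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    id: str
    severity: float          # vendor severity on a 0-10 scale
    asset: str
    asset_criticality: float # 0-1, e.g. from a CMDB tag (assumed source)
    controls_in_place: bool  # compensating controls block the known exploit path
    business_impact: float   # 0-1, what breaks for the business if the asset goes down
    behaviour_deviates: bool # identity/session activity departs from its baseline
    confidence: float        # 0-1, how sure the enrichment/reasoning stage is
    fingerprint: str         # stable hash of rule+asset+indicator, used for dedup

# Assumed weights; severity is deliberately not the dominant term.
WEIGHTS = {"severity": 0.25, "asset": 0.25, "exploitability": 0.20, "impact": 0.30}

def upstream_filter(alerts, known_false_positives=frozenset()):
    """Steps 1-2: drop known false-positive fingerprints and exact duplicates."""
    seen, kept = set(), []
    for alert in alerts:
        if alert.fingerprint in known_false_positives or alert.fingerprint in seen:
            continue
        seen.add(alert.fingerprint)
        kept.append(alert)
    return kept

def score(alert):
    """Step 5: blended score plus the contribution of each factor (auditable)."""
    # Strong surrounding controls lower the chance the weakness is usable;
    # anomalous behaviour around the asset raises it again.
    exploitability = 0.3 if alert.controls_in_place else 1.0
    if alert.behaviour_deviates:
        exploitability = min(1.0, exploitability + 0.3)
    factors = {
        "severity": WEIGHTS["severity"] * alert.severity / 10,
        "asset": WEIGHTS["asset"] * alert.asset_criticality,
        "exploitability": WEIGHTS["exploitability"] * exploitability,
        "impact": WEIGHTS["impact"] * alert.business_impact,
    }
    # Confidence scales the total so an uncertain finding cannot outrank a solid one.
    total = round(100 * sum(factors.values()) * alert.confidence, 1)
    return total, factors

def prioritise(alerts, known_false_positives=frozenset()):
    """Return surviving alerts ordered by business risk, highest first."""
    ranked = []
    for alert in upstream_filter(alerts, known_false_positives):
        total, factors = score(alert)
        ranked.append({"id": alert.id, "asset": alert.asset,
                       "score": total, "factors": factors})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked

def explain(record):
    """One-line, human-readable justification for where an alert landed."""
    parts = ", ".join(f"{k}={v:.3f}" for k, v in record["factors"].items())
    return f"{record['id']} on {record['asset']}: {record['score']} ({parts})"

# Constructed sample alerts mirroring the article's two contrasting cases.
SAMPLE_ALERTS = [
    Alert("A1", 5.5, "pci-cardholder-db", 0.9, False, 0.9, True, 0.9, "fp-a1"),
    Alert("A2", 9.8, "stale-onprem-db", 0.2, True, 0.1, False, 0.8, "fp-a2"),
    Alert("A3", 5.5, "pci-cardholder-db", 0.9, False, 0.9, True, 0.9, "fp-a1"),  # duplicate
    Alert("A4", 7.0, "build-runner", 0.5, False, 0.5, False, 0.5, "fp-known-fp"),
]
KNOWN_FALSE_POSITIVES = frozenset({"fp-known-fp"})  # assumed tuning list

if __name__ == "__main__":
    for record in prioritise(SAMPLE_ALERTS, KNOWN_FALSE_POSITIVES):
        print(explain(record))
```

On this input the moderate-severity finding on the cardholder database ranks well above the critical-severity finding on the stale, well-controlled server, which is exactly the inversion the severity-only approach misses. The factor breakdown returned by `score` is what an analyst or an auditor would read to check that the ranking came from asset value, exposure and impact rather than from an opaque number.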

The Benefit of a Risk-First Alert Model

With a risk-first alert model, SOCs can place their limited resources where it counts, instead of chasing down alerts that may not have been the best use of company time.

This means that security teams look really good when presenting to boards at the end of the year, and that non-security board members can immediately grasp why SOCs did what they did, how that positively impacted the business, and where their money was going.

And, most importantly, be happy with it.
