THE CXO BRIEF
What Enterprise Technology Leaders Are Responding To Right Now
March 7, 2026
NETWORK SIGNAL THIS WEEK
Activity across DoGood member submissions:
Exposure management evaluations: ↑ 2x YoY
Credential / PAM initiatives: ↑ 3x YoY
AI governance evaluations: ↑ 4x in 90 days
Leaders are discovering they don't know what's exposed in infrastructure they've trusted for years.
Exposure management submissions in our network more than doubled year-over-year. Credential and PAM priorities tripled.
Three stories this week explain why this pattern is accelerating.
📰 THREE STORIES THAT MATTER
1. Cisco's SD-WAN Platform Was Compromised for Three Years Before Anyone Knew
What happened: Attackers have had administrative access to Cisco Catalyst SD-WAN environments since 2023 — three years before a joint advisory from Five Eyes intelligence agencies made the vulnerability public last week. The flaw allowed unauthenticated access to the platform that manages how enterprise networks route traffic across sites and clouds.
Why it matters: This is now a vendor accountability conversation, not just a patch ticket. Administrative access to an SD-WAN platform means access to network configuration across an entire WAN fabric. Organizations reviewed security posture, ran risk assessments, and renewed contracts during those three years — without knowing this platform was compromised. If someone on your team owns WAN infrastructure, they should see this story.
What leaders are doing: Organizations are asking Cisco account teams one question: when did you know exploitation was occurring? Those answers are being documented ahead of renewal conversations. This is the same accountability framework that emerged after the Fortinet SSO disclosures earlier this year — vendor notification timelines are becoming a formal part of how IT leaders evaluate trust.
📡 Network signal: Exposure management evaluations in our network more than doubled year-over-year. Organizations are building discovery programs that don't depend on vendor notification as the trigger.
2. 40% of Last Year's Breaches Began With Vulnerability Exploitation — Most Required No Authentication
What happened: Vulnerability exploitation is now the leading cause of enterprise breaches, accounting for 40% of incidents in 2025 — a finding from IBM's 2026 X-Force Threat Intelligence Index released February 25. Public-facing application exploitation jumped 44% year-over-year. The majority required no authentication to access.
Why it matters: The most common breach entry point isn't a sophisticated zero-day. It's an application sitting exposed on the internet with no authentication required. IBM also found over 300,000 ChatGPT credentials on dark web marketplaces in 2025. The tools employees use to move faster are generating credentials that feed directly into automated attack infrastructure. Third-party and supply chain compromises are up nearly 4X since 2020.
What leaders are doing: Budget is accelerating into two categories this report validates directly. First, exposure management — finding and prioritizing what's reachable before attackers do. Second, credential hygiene — knowing what's been compromised before it's used. Organizations aren't waiting for breach notification. They're building continuous visibility programs.
📡 Network signal: Credential and PAM-related submissions in our network tripled year-over-year. The IBM data confirms what this network is already funding.
3. Nation-State Attackers Are Routing Command Traffic Through Google Calendar
What happened: Chinese-affiliated threat groups are issuing attack commands through Google Calendar event descriptions and Dropbox file updates. Cloudflare documented the technique — which they call "Living off the XaaS" — in their inaugural Cloudforce One threat report published March 3, drawing on visibility across 20% of global web traffic. Attack traffic flows through platforms organizations have explicitly approved. Security tools tuned to detect unusual outbound activity can't see it.
Why it matters: 94% of all login attempts on Cloudflare's network are automated bots. Of human login attempts, 46% use credentials already exposed in prior breaches. For most organizations, a significant portion of login attempts hitting their systems right now are automated and credential-based — and most security teams don't have that number in front of them. Layered on top: security tools tuned to detect unusual outbound traffic can't see attack activity flowing through Google Calendar. The controls most organizations have invested in are increasingly misaligned with how attacks actually move.
What leaders are doing: Two evaluation categories are accelerating: SaaS security posture management (visibility into what's happening inside approved platforms, not just what's leaving the network) and identity threat detection (distinguishing legitimate user behavior from automated credential attacks). The question sharpening vendor conversations: can you see attack activity that moves through our sanctioned SaaS?
📡 Network signal: Leaders this month described the same problem — tools deployed, alerts firing, no prioritization of what to act on first. When attack commands move through Google Calendar, that gap becomes structural.
📊 FROM THE NETWORK
Organizations don't know what's exposed until something forces the discovery.
Exposure management mentions more than doubled year-over-year in member submissions. Credential and PAM priorities tripled. Leaders are building the foundational visibility layer that should have existed before the Cisco advisory, before the IBM data, before the Cloudflare report.
The organizations ahead of this aren't buying more tools. They're buying prioritization.
The ability to answer: what's reachable, what's been compromised, and what do we close first. That's the market movement this week's stories are pointing to — and it's been visible in this network for twelve months.
💬 THREE QUESTIONS TO ASK YOUR TEAM THIS WEEK
1. When a critical vulnerability is disclosed in infrastructure we own — what's our discovery process? The Cisco story is a three-year gap between exploitation and notification. If vendor advisory is your primary discovery mechanism, that's worth examining.
2. Do we know what percentage of our login attempts are automated? Cloudflare found 94% of login attempts across the internet are bots. Your identity vendor should have this number for your environment. If they don't, ask why.
3. Where does our exposure management program start and stop? IBM found 44% more attacks starting with public-facing applications that require no authentication. Are those applications in scope for your team's visibility program?
JOIN THE NETWORK
5,000+ senior IT leaders at companies averaging $24B in revenue sharing real buying-motion data. Not surveys. Not analyst projections. What operators are actually purchasing, replacing, and escalating. Every meeting is opt-in, pre-screened, and paid ($200–400). You control your calendar.
