The CyberWire Daily Podcast 12.4.25
Ep 2446 | 12.4.25

Pay cuts and a personnel freefall.

Transcript

CISA staff may see pay cuts in 2026. Threat actors advertise a full chain zero-day exploit for iOS. A US-led international coalition releases joint guidance on integrating AI into operational technology. Microsoft lowers sales growth targets for its agentic AI products. A major fintech provider suffers a ransomware-linked breach. Arizona’s Attorney General sues Temu over data collection practices. Lessons learned from Capita’s handling of Black Basta. The UK sanctions Russia’s GRU. My guest is Dave Baggett, co-founder and CEO of INKY (recently acquired by Kaseya), about the challenges of email security. A U.S. Bankruptcy Court insists on AI transparency.

Today is Thursday December 4th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

CISA staff may see pay cuts in 2026. 

The Trump administration is ending a major incentive program that boosted pay for nearly half of employees at the Cybersecurity and Infrastructure Security Agency (CISA), the federal government’s primary civilian cyber defense arm. The program, launched in 2015 to help the agency compete with private-sector salaries, has recently faced accusations of mismanagement, including awarding extra pay to staff without critical cybersecurity roles. Still, current and former CISA employees warn that removing the incentives will likely accelerate an already significant talent drain. CISA has lost more than a third of its workforce since last fall, according to an internal memo, and still faces major leadership vacancies. Staff say the cuts could reduce some salaries by up to 25 percent starting in 2026. CISA plans to rely more on its newer Cybersecurity Talent Management System, but employees say it is unclear how many will qualify, raising fears of further weakening the government’s cyber defenses.

Threat actors advertise a full chain zero-day exploit for iOS 26. 

A threat actor is advertising what they claim is a full chain zero-day exploit for Apple’s iOS 26, according to Dataminr. The actor says the exploit uses memory corruption to run arbitrary code and links multiple vulnerabilities to achieve remote code execution, escape the app sandbox, and escalate privileges to full device control. They have also provided alleged exploit proof, suggesting the offer may be credible. A successful attack could enable silent device compromise, spyware installation, and data exfiltration of messages, location, and photos. Dataminr detected the listing on a restricted cybercrime forum and urges organizations to treat the threat as critical, monitor mobile traffic, integrate mobile visibility into security tools, enforce DLP controls, and push rapid patching through mobile device management once Apple issues a fix.

A US-led international coalition releases joint guidance on integrating artificial intelligence into operational technology. 

The United States and eight international cyber agencies have released joint guidance on integrating artificial intelligence into operational technology, highlighting both efficiency gains and significant safety risks. The document stresses that AI can enhance automation and decision-making in critical infrastructure, but it also expands attack surfaces and can introduce unsafe failure modes.

The guidance centers on four principles: understand the unique risks AI brings to OT, evaluate whether AI is even the right tool, build strong governance frameworks, and embed oversight and failsafe mechanisms. The agencies warn that issues like model drift, poor data quality, opaque decision-making, and overreliance on automation can reduce safety and system availability if not addressed.

AI is rapidly entering systems that control physical processes, and mistakes can have real-world consequences. The guidance urges owners and operators to test thoroughly, maintain human oversight, and ensure AI augments rather than replaces established safety practices.

Microsoft lowers sales growth targets for its agentic AI products. 

Microsoft has lowered sales growth targets for its AI agent products after widespread quota misses, a sign that enterprise demand for agentic AI may be far softer than the company projected. The Information reports that some Azure sales units saw fewer than 20 percent of reps hit aggressive targets for Foundry, Microsoft’s tool for building AI applications, prompting quota cuts of 50 percent or more. The weak results follow months of ambitious marketing around “the era of AI agents,” but many customers remain unconvinced, citing high costs, reliability issues, and persistent errors in current agentic systems. Copilot adoption has also been undercut by user preference for ChatGPT. Despite massive infrastructure spending, much of Microsoft’s AI revenue still comes from AI companies renting cloud capacity, raising questions about whether the broader enterprise appetite for agentic AI is smaller, and possibly more speculative, than expected.

A major fintech provider suffers a ransomware-linked breach. 

Marquis Software Solutions, a vendor serving more than 700 banks and credit unions, experienced a ransomware-linked breach after attackers exploited its SonicWall firewall on Aug. 14. Investigators found the intruder may have accessed files containing customer data stored on behalf of financial institutions, potentially affecting at least 250,000 individuals. Exposed information includes names, contact details, Social Security numbers, tax IDs, and financial account numbers, though not access codes. Marquis notified institutions between Oct. 27 and Nov. 25.

Arizona’s Attorney General sues Temu over data collection practices.

Arizona Attorney General Kris Mayes has filed a lawsuit accusing Temu and parent company PDD Holdings of sweeping data collection practices and deceptive conduct. The complaint alleges Temu harvests extensive sensitive information, including GPS location and lists of other installed apps, while hiding code that experts identified as malware or spyware. Prosecutors also warn that Chinese law could compel the company to share Americans’ data with the Chinese government. Mayes called the privacy risks “enormous,” saying Temu’s behavior may represent the gravest violation of Arizona’s Consumer Fraud Act. The lawsuit further accuses Temu of copying local brands’ intellectual property. Temu denies the claims, saying it provides affordable products. Other states, including Kentucky, Nebraska, and Arkansas, have filed similar suits.

Lessons learned from Capita’s handling of Black Basta. 

Researcher Kevin Beaumont has published an analysis of the 2023 Black Basta ransomware incident involving Capita plc. The London firm received a record £14 million fine from the UK Information Commissioner’s Office for the incident, with regulators calling the company “negligent” in its cybersecurity practices. The ICO found that Capita’s managed SOC repeatedly failed to meet internal alert-handling targets and left critical detections unaddressed for more than 58 hours, enabling lateral movement and the exfiltration of data on more than 6 million people. Investigators said Capita ignored years of penetration-test findings about Active Directory weaknesses, lacked evidence of testing for affected systems, and misled customers by downplaying the breach as a benign IT outage. The ruling underscores key lessons for organizations: staff and empower SOCs, monitor for data exfiltration tools, conduct meaningful penetration tests, secure Active Directory, and communicate transparently during crises.

The UK sanctions Russia’s GRU. 

The UK has sanctioned Russia’s military intelligence agency, the GRU, in full after the Dawn Sturgess Inquiry concluded that President Putin personally ordered the 2018 Salisbury operation. Eleven individuals tied to Russian hostile activity were also exposed. The measures target GRU cyber officers linked to earlier attacks on the Skripals and broader hybrid operations across Europe. The Russian Ambassador was summoned as ministers condemned Russia’s aggression and vowed continued action with allies to counter malign activity and protect UK security.

Coming up, I speak with Dave Baggett, CEO of INKY (which was recently acquired by Kaseya). Dave highlights the need to update email security that was built on a 1971 design. We’ll be right back.

A U.S. Bankruptcy Court insists on AI transparency. 

The U.S. Bankruptcy Court for the Southern District of California has decided that if lawyers want to bring generative AI into the courtroom, they must now show their work. As of January 1, 2026, any filing touched by an AI tool must come with a sworn note identifying which system was used and confirming that the human filer actually checked the facts and law, rather than trusting the machine like an overeager intern. The order applies to everyone, from seasoned attorneys to self-represented optimists. Two judges signed off, making it official and unmistakably human.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.