Skip to content

// #security-architecture

1 article

← All tags
🏛️ Architecture

Securing RAG Pipeline Architecture: Vector Databases Are the New Unmanaged Attack Surface in Enterprise AI

The ChromaDB CVE-2026-45829 disclosure exposes a systemic architectural gap in enterprise AI deployments: vector databases used in retrieval-augmented generation pipelines are being deployed without the security controls applied to comparable databases handling sensitive data. The attack surface analysis and architectural recommendations for secure RAG pipeline design apply regardless of which vector database product is in use.

#rag-pipeline +6

Commentary tagged #security-architecture

Opinion

Air-Gapping Is Not a Security Strategy — Operation Highland Proves It Never Has Been

Velvet Ant's ten-year persistence inside an air-gapped network is being reported as an extraordinary technical achievement. It isn't. It is a predictable consequence of substituting physical isolation for security architecture, and the organisations still treating air gaps as a primary control are making the same mistake that left a critical infrastructure network exposed for a decade.

CipherWatch Editorial

Security Intelligence Platform
Opinion

Two PAN-OS GlobalProtect Authentication Bypasses in Three Months Is a Pattern, Not a Coincidence

CVE-2026-0257, a second actively exploited Palo Alto Networks GlobalProtect authentication bypass in the same three-month window as CVE-2026-0300, is not bad luck. It reflects the structural dynamics of high-value attack surface concentration: when enterprise VPN infrastructure is widely deployed, highly privileged, and technically complex, it attracts sustained, focused research from both legitimate researchers and threat actors.

CipherWatch Editorial

Security Intelligence Platform
Opinion

AI Vector Databases Are the New Attack Surface Nobody Inventoried

ChromaDB CVE-2026-45829 is a specific vulnerability in one product. The underlying problem it exposes is structural: enterprise AI deployments are creating new categories of sensitive data storage that are not subject to the security controls applied to comparable databases. The vulnerability is fixable. The architectural gap is not fixed by a patch.

CipherWatch Editorial

Security Intelligence Platform
Opinion

End-of-Life Equipment Is Not a Budget Problem — It's a Security Architecture Decision

The framing of end-of-life network equipment as a procurement or budget problem is systematically incorrect. EoL equipment with active CVEs is a deliberate security architecture choice to operate known-exploitable infrastructure. Treating it as such changes the conversation, the decision-makers involved, and the urgency applied.

CipherWatch Editorial

Security Intelligence Platform
Opinion

The ICS Security Debt Is Now in the Middleware Layer, Not Just the PLCs

Eclipse BaSyx's CVSS 10.0 vulnerability is not a story about old OT equipment running Windows XP. It is a story about new, modern, actively maintained open-source ICS infrastructure that was deployed rapidly into Industry 4.0 architectures without the security scrutiny that its network position demands. The security debt in operational technology environments has migrated upward — into the integration and orchestration layer that connects IT and OT.

CipherWatch Editorial

Security Intelligence Platform
Opinion

Defenders Can't Block Google. That's Why Attackers Are Routing Through It.

AccountDumpling abuses Google AppSheet to deliver phishing. EtherRAT uses Cloudflare and Ethereum nodes for C2. DEEP#DOOR tunnels over Cloudflare. The pattern is consistent: sophisticated attackers have discovered that the fastest route past enterprise security controls is through infrastructure defenders cannot block. The defence posture that assumes blocking bad infrastructure will stop bad traffic is being systematically rendered obsolete.

CipherWatch Editorial

Security Intelligence Platform