Threat modelling for zero-day vulnerabilities

Threat modelling for zero-day vulnerabilities is a peculiar exercise in preparing for the unknowable. These are not the comfortable, catalogue‑ready bugs that live in CVE databases. These are the ones nobody—least of all the vendor—has seen fit to admit exist. They arrive without warning, without a patch, and with precisely zero days’ notice before being exploited. The task, therefore, is less about ticking boxes and more about building the sort of resilience that can withstand the unexpected without falling to pieces. ...

August 3, 2025 · 7 min

Tidying the loose ends before the whole thing unravels

In the spring of 2021, Dutch Institute for Vulnerability Disclosure (DIVD) researcher Wietse Boonstra quietly uncovered seven critical flaws in Kaseya’s widely used IT management software. DIVD warned the company within days, flagging more than 2,200 vulnerable systems across the globe. Weeks later, three flaws remained unpatched—and the REvil ransomware gang pounced. Overnight, some 1,500 organisations were paralysed, from supermarkets in Sweden to schools in New Zealand. This was not an isolated close call. In a 2023 study with the University of Twente, DIVD found that less than half of Dutch municipalities acted promptly when notified of exploitable flaws in their email systems. In some cases, local authorities ignored the warnings entirely. ...

August 3, 2025 · 5 min