The Vulnerabulletin Issue #3

Author: Dann Moore, Marketing Coordinator

Welcome to issue #3 of The Vulnerabulletin - our monthly cyber-circular packed with research and insights from our in-house security experts, industry news and a rundown of what’s new in Intruder.

This month, we’re peeling back the layers of your front-end code... our research team scanned 5 million apps and discovered that JavaScript bundles are secretly whispering your API keys to the world. We learn from Brainlabs how to scale security with ease, as they discuss how they manage a sprawling attack surface that grows with every new acquisition. Listen as we sit down with Drata’s VP of Customer Experience to discuss the right balance between AI and human oversight in the future of compliance and security. Finally, we finish with a whistle-stop tour of the industry news and Intruder updates currently blowing up our Slack channels.

Are your API keys hiding in plain sight?… 🔓

One small mistake in a build script can expose your entire AWS environment or Slack workspace. We recently uncovered thousands of active secrets leaked through JavaScript files that traditional DAST tools simply don’t see.

Read Security Engineer Ben Marr’s full deep-dive to understand the limitations of common secrets detection methods and how to ensure your front-end isn't serving up a roadmap for hackers.

Scaling security across a sprawling attack surface 🔬

As Brainlabs grew to 1,000+ employees across 11 offices and completed 10 acquisitions, each one introduced new cloud accounts, inherited infrastructure, and fresh exposure. Their environment changed fast.

In our case study, Brainlabs Global IT Director Pawel Sieradzki explains how Intruder helped them automatically discover new and inherited assets, continuously monitor their attack surface, and stay ahead of emerging vulnerabilities as the business scaled.

Where automation helps most in compliance and security ✅

AI and automation don't replace compliance and security teams, but they do change what teams spend time on.

Intruder’s Head of Customer Success Hannah Payne sat down with Ashley Hyman, VP of Customer Experience at Drata, to talk through where automation helps most in compliance, and why human oversight still matters.

The Vulnerabulletin Board 📌

What our security team has been reading (and meme-ing) this month...

🔮 2026 Cybersecurity predictions (Daniel Miessler) - dabbers at the ready… see what’s on the cybersec bingo card for this year.

🖼️ Fake Windows BSOD scam (Bleeping Computer) - read how a new social engineering campaign is using the Blue Screen of Death to trick hospitality workers into executing malware.

What's new in Intruder 💡

💬 In-platform commenting - comment directly on issues and occurrences in Intruder to capture context, track remediation activity and collaborate without switching tools

Exclude apex domains in domain discovery - exclude an entire apex domain and all its subdomains in one click, for faster and cleaner domain management

🔑 JavaScript bundle secrets detection - we've introduced a new check for secrets stored in JS bundles in single-page web applications

Intruder IRL 👋

We're very excited to be sponsoring tomorrow's e-Crime & Cybersecurity Congress, Frankfurt, where Intruder's Head of Security Dan Andrew will be delivering his seminar "Your Perimeter is on the Front Lines: Attack Surface Reduction as a Primary Defence". Fantastisch!

We will be attending and hosting a ton of great events this year, so watch this space...
