IT, Telecom & Cyber · Australia (Perth)

Reassess Cyber Remediation, Crypto and Endpoint Contracts Now

Published May 21, 2026, 6:07 AM AWSTAPACFull category signal
Ask AI
Qualys data shows vulnerability backlog widening sharply

In 60 seconds

Top move

High and growing backlog of known-exploited vulnerabilities is stretching remediation capacity; procurement should assume sustained demand for patching and managed remediation services rather than one-off projects

Key takeaways

  • High and growing backlog of known-exploited vulnerabilities is stretching remediation capacity; procurement should assume sustained demand for patching and managed remediation services rather than one-off projects.[1]
  • Most Australian organisations currently lack confidence or budget for post-quantum cryptography transition, so include crypto-agility and migration support in sourcing for key infrastructure and telecom suppliers.[2]
  • Attackers are favoring social-engineering plus living-off-the-land techniques (ClickFix and MSHTA abuses), shifting the control surface toward endpoint tooling, browsing protections and verified vendor detection claims.[3]
  • Operationally, steady median remediation speed alongside rising volumes means teams are keeping pace but capacity is limited — expect longer open windows for lower-priority assets unless you secure external capacity or prioritized SLAs.[1]
  • Crypto readiness gaps are concentrated in legacy and edge/IoT systems — procurement should flag long replacement cycles and insist on transition plans, not just vendor assurances.[2]

What changed since last run

  • Added substantive vulnerability-remediation workload data (Qualys KEV analysis) that increases emphasis on sustained remediation capacity compared with prior focus on PAM and unsupported software.
  • Added Certes research showing a large gap in post-quantum crypto readiness and scarce dedicated budgeting, which introduces a new procurement requirement for crypto-agility in supplier evaluations.
  • New operational attack techniques (ClickFix social-engineering campaigns and MSHTA living-off-the-land abuse) surfaced and should change short-term vendor detection and endpoint control requirements.

Key facts

  • Median detection-to-closure remained at nine days
  • Share of instances open at 28 days increased versus prior cycle
  • Proactive remediation rate declined as KEV workload grew
  • Majority of organisations identify legacy systems as the primary quantum risk
  • Edge and IoT environments commonly cited as hard-to-migrate areas
  • Low confidence and limited dedicated budgets for crypto migration

Why it matters

High and growing backlog of known-exploited vulnerabilities is stretching remediation capacity; procurement should assume sustained demand for patching and managed remediation services rather than one-off projects. Most Australian organisations currently lack confidence or budget for post-quantum cryptography transition, so include crypto-agility and migration support in sourcing for key infrastructure and telecom suppliers. Attackers are favoring social-engineering plus living-off-the-land techniques (ClickFix and MSHTA abuses), shifting the control surface toward endpoint tooling, browsing protections and verified vendor detection claims. Operationally, steady median remediation speed alongside rising volumes means teams are keeping pace but capacity is limited — expect longer open windows for lower-priority assets unless you secure external capacity or prioritized SLAs

Cost / money

  • Ongoing remediation volumes translate to predictable Opex demand: expect to buy recurring managed patching or vulnerability remediation retainers rather than one-off projects.[1]
  • Post-quantum transition will push capital and project budgets toward legacy replacement or migration work for critical telecom and identity systems if timelines are to be met.[2]
  • Higher dependence on endpoint detection and telemetry to catch living-off-the-land attacks may increase spend on advanced EDR/EDR-X tooling and associated telemetry egress costs.[4]

Supplier / commercial

  • Vendors that can demonstrate sustained remediation throughput and managed-service capacity will command premium pricing and preferred procurement slots.[1]
  • Include crypto-agility and transition support in supplier commercial requirements; vendors lacking migration tooling or professional services will be at a commercial disadvantage.[2]
  • Require proof points for detection of social-engineering techniques and living-off-the-land methods when qualifying endpoint, mail and web-security suppliers.[3]

Safety / operations

  • Longer open windows for non-priority vulnerabilities increase operational exposure during incidents; runbooks and supplier incident obligations need to reflect sustained remediation backlogs.[1][4]
  • Living-off-the-land and clipboard-based attack flows reduce the effectiveness of older blocking tools; operational controls should emphasize telemetry, user workflows and response automation.[3][4]

What to watch

  • Watch whether proactive remediation rates continue to fall as workload grows — a directional sign that buyer-supplied patch programs need external augmentation.[1]
  • Watch vendor claims of 'post-quantum readiness' for marketing language; many firms report low confidence and no dedicated budgets, so ask for concrete migration artefacts and timelines.[2]

Top stories

Story 1SecurityBrief Australia

Qualys data shows vulnerability backlog widening sharply

Signal strongSource-grounded
Source notes [1]Read source

What happened

Qualys analysed remediation timelines for vulnerabilities tied to the US government's Known Exploited Vulnerabilities list and found the workload has risen sharply while median detection-to-closure stayed steady. The pattern leaves a materially larger open backlog at common milestone checks (for example the 28-day mark), which makes remediation capacity a recurring operational constraint. Watch whether proactive remediation rates continue to fall as volume grows, which would push more work into managed services

Buyer takeaway

Treat the KEV backlog as a steady-state demand signal; procurement should buy ongoing remediation capacity or prioritized SLAs, not one-off patch projects

Cost / money

Directionally increases Opex for managed remediation and vendor retainers because internal teams are unlikely to clear the growing volume alone

Supplier / commercial

Vendors offering scale and SLAs for rapid remediation will gain leverage; expect pricing premiums for guaranteed throughput and escalation support

Safety / operations

Operational exposure increases for assets lower in priority lists; incident runbooks must map to supplier remediation timelines and evidence delivery

What to watch

Watch for declining proactive remediation rates and slipping closure windows; that indicates buyers should augment capacity before incidents exploit delays

Key facts

  • Median detection-to-closure remained at nine days
  • Share of instances open at 28 days increased versus prior cycle
  • Proactive remediation rate declined as KEV workload grew

Source excerpts

" The analysis also examined proactive remediation, in which organisations fix vulnerabilities before CISA formally adds them to the KEV list
Researchers describe it as a survival analysis of remediation, measuring exposure over time rather than relying on year-end closure figures. The figures show that KEV vulnerability instances increased 7
Even so, the proactive remediation rate fell to 12
Story 2SecurityBrief Australia

Australian firms lag on post-quantum crypto readiness

Signal strongSource-grounded
Source notes [2]Read source

What happened

Certes research shows many Australian organisations are behind on post-quantum cryptography planning, with legacy systems and edge/IoT cited as top risks. Confidence and dedicated budgeting for migration are low, meaning suppliers that offer migration tooling and professional services will be more valuable operationally. Procurement should validate vendor migration artefacts and build transition commitments into contracts

Buyer takeaway

Make post-quantum readiness a commercial evaluation factor; demand migration plans and evidence instead of accepting roadmap statements

Cost / money

Expect capital and services spend on migrating legacy crypto or buying crypto-agile replacements because transition can be complex and resource-intensive

Supplier / commercial

Vendors with demonstrable crypto-agility, tooling and professional services gain negotiating leverage; consider phased transition pricing and pass-throughs

Safety / operations

Failure to plan accelerates long-term exposure, especially in telecom and critical infrastructure where replacement cycles are long

What to watch

Many vendors and buyers over-index on awareness but underfund execution; don't accept high-level claims without migration artefacts

Key facts

  • Majority of organisations identify legacy systems as the primary quantum risk
  • Edge and IoT environments commonly cited as hard-to-migrate areas
  • Low confidence and limited dedicated budgets for crypto migration

Source excerpts

Certes has published research suggesting many Australian organisations are behind in preparing for post-quantum cryptography, highlighting a wide gap between awareness of quantum threats and confidence in meeting official timelines. The study found that 78% of organisations see legacy systems as their biggest quantum security risk, yet only 11% are confident they can achieve post-quantum readiness within expected deadlines
Its guidance calls for a refined transition plan by the end of 2026, migration of vulnerable systems by the end of 2028, and completion of the shift away from traditional asymmetric cryptography by 2030. For sectors such as critical infrastructure, financial services, telecommunications, healthcare and government, the challenge is compounded by long technology replacement cycles and continued reliance on older systems
Only 2% of respondents said they were fully confident in achieving full crypto agility, while 97% were not fully confident they could meet crypto agility timelines
Story 3SecurityBrief Australia

Australian businesses warned over ClickFix attacks

Signal strongSource-grounded
Source notes [3]Read source

What happened

PhishByte and the Australian Cyber Security Centre flagged ClickFix campaigns that trick users into pasting malicious commands via fake verification prompts on compromised WordPress sites. The technique evades traditional email and attachment controls because it relies on social engineering and clipboard execution, making browser, endpoint and workflow controls more important. Procurement should require suppliers to show concrete detection and response coverage for these social-engineering flows

Buyer takeaway

Prioritise vendors that can demonstrate detection of social-engineering and browser-based command-injection flows with test artefacts

Cost / money

May increase spend on browser isolation, web filtering and advanced endpoint controls because legacy controls often miss these flows

Supplier / commercial

Vendors that can prove practical detection and remediation for ClickFix-like flows will be favoured in shortlist and can command better commercial terms

Safety / operations

Operational detection must tie into runbooks that assume compromise via user action; automation and playbooks matter more than basic alerts

What to watch

This technique targets user trust and small-business tooling gaps; verify vendor claims with empirical telemetry and test cases

Key facts

  • Campaigns use fake verification prompts on legitimate websites to deliver commands
  • Technique bypasses common SME controls by relying on user actions
  • Payloads observed include credential and information stealers

Source excerpts

Malicious JavaScript then copies a PowerShell command to the visitor's clipboard and instructs the user to paste it into the Windows Run dialogue and execute it. Because the victim runs the command, the attack can slip past several defensive layers businesses often rely on, including email security gateways, attachment scanning, drive-by download protections and endpoint monitoring tools
In the current campaigns, compromised WordPress sites belonging to legitimate Australian businesses display fake verification prompts to visitors
Because the victim runs the command, the attack can slip past several defensive layers businesses often rely on, including email security gateways, attachment scanning, drive-by download protections and endpoint monitoring tools
Story 4SecurityBrief Australia

MSHTA abuse helps malware hide in Windows processes

Signal strongSource-grounded
Source notes [4]Read source

What happened

Bitdefender reported rising abuse of MSHTA, a legacy Windows utility still present by default, which attackers use to run scripts via signed OS processes and hide activity. This is part of a broader shift to living-off-the-land approaches that reduce visibility for traditional malware signatures; detection requires telemetry and behavioural analytics. Buyers should require supplier evidence of detection for such techniques and include telemetry-access terms in contracts

Buyer takeaway

Demand behavioural and telemetry-based detection capabilities from endpoint vendors and ensure contractual access to necessary logs

Cost / money

May shift spend from basic AV to more advanced EDR/X and telemetry storage/ingestion costs

Supplier / commercial

Suppliers that document detection artefacts for living-off-the-land techniques will be preferred and can justify premium terms

Safety / operations

Operational playbooks should assume attacker use of legitimate OS tooling; detection-to-remediation SLAs must reflect this complexity

What to watch

Legacy OS utilities enabled by default create persistent blind spots; validate that suppliers test for these specific abuse patterns

Key facts

  • MSHTA used to run malicious scripts through signed Microsoft processes
  • Trend is part of broader living-off-the-land attacker techniques
  • Detections for MSHTA-related activity have risen in recent months

Source excerpts

The report described this as part of a broader shift towards so-called living-off-the-land methods, in which attackers rely on legitimate administrative and scripting tools rather than custom executables that are more likely to trigger alarms. In the campaigns Bitdefender reviewed, social engineering was a common entry point
Many of the attacks Bitdefender observed were designed "to minimise detection"
Bitdefender has published research on the use of Microsoft's MSHTA utility in malware attacks, focusing on a legacy Windows tool that remains enabled by default. Attackers are using MSHTA to run malicious scripts through Microsoft-signed processes, making the activity appear more like normal Windows behaviour

VP Snapshot

Executive Risk & Action View

High and growing backlog of known-exploited vulnerabilities is stretching remediation capacity; procurement should assume sustained demand for patching and managed remediation services rather than one-off projects.

Overall
65
Cost
79
Supply
43
Schedule
20
Compliance
15

Top signals

30-180dcost

Signal 1: Cost / money

Ongoing remediation volumes translate to predictable Opex demand: expect to buy recurring managed patching or vulnerability remediation retainers rather than one-off projects.

Signal 2: Cost / money

Post-quantum transition will push capital and project budgets toward legacy replacement or migration work for critical telecom and identity systems if timelines are to be met.

Signal 3: Cost / money

Higher dependence on endpoint detection and telemetry to catch living-off-the-land attacks may increase spend on advanced EDR/EDR-X tooling and associated telemetry egress costs.

30-180dsupply

Signal 4: Supplier / commercial

Vendors that can demonstrate sustained remediation throughput and managed-service capacity will command premium pricing and preferred procurement slots.

30-180dcommercial

Signal 5: Supplier / commercial

Include crypto-agility and transition support in supplier commercial requirements; vendors lacking migration tooling or professional services will be at a commercial disadvantage.

Signal 6: Supplier / commercial

Require proof points for detection of social-engineering techniques and living-off-the-land methods when qualifying endpoint, mail and web-security suppliers.

Recommended actions

CategoryDue 3d

Tag and prioritise critical assets that map to known-exploited vulnerabilities and update procurement scorecards to treat remediation capacity as a pass/fail requirement.

Annotated critical-asset inventory linked to remediation priority for RFPs and statement-of-work scopes.

ContractsDue 3d

Request detection-efficacy reports from endpoint and web-security suppliers that specifically address living-off-the-land techniques and clipboard/PowerShell paste attacks.

Supplier response pack with test cases, telemetry samples and evidence of detection coverage to inform shortlists.

ContractsDue 21d

Issue an RFP addendum requiring crypto-agility commitments and a migration support plan for legacy/edge systems from shortlisted platform and telecom vendors.

RFP responses that include migration roadmaps, professional services options and contractual remedies for missed transition milestones.

CategoryDue 21d

Tender for managed KEV remediation capacity (outsourced vulnerability closure retainers) for non-core systems to reduce internal queueing.

Contracted remediation retainer(s) with defined scope, SLAs and escalation paths to reduce backlog on lower-priority assets.

LegalDue 60d

Negotiate contract clauses that require supplier telemetry access, agent support and evidence-based detection playbooks for living-off-the-land techniques as part of renewal and...

Contract templates with telemetry access terms, required detection artefacts and remedies for failure to detect key techniques.

OpsDue 60d

Build a roadmap and budget request for phased post-quantum migration of critical cryptographic dependencies, starting with inventory and vendor capability assessments.

Approved roadmap and prioritized vendor capability list to feed procurement and capital planning.

Risk register

RiskTriggerMitigation
Watch whether proactive remediation rates continue to fall as workload grows — a directional sign that buyer-supplied patch programs need external augmentation.Watch whether proactive remediation rates continue to fall as workload grows — a directional sign that buyer-supplied patch programs need external augmentation.Confirm exposure with category, contracts, and operations before the next supplier commitment.
Watch vendor claims of 'post-quantum readiness' for marketing language; many firms report low confidence and no dedicated budgets, so ask for concrete migration artefacts and timelines.Watch vendor claims of 'post-quantum readiness' for marketing language; many firms report low confidence and no dedicated budgets, so ask for concrete migration artefacts and timelines.Confirm exposure with category, contracts, and operations before the next supplier commitment.

CM Snapshot

Category Manager Decision Detail

Today's priorities

Tag and prioritise critical assets that map to known-exploited vulnerabilities and update procurement scorecards to treat remediation capacity as a pass/fail requirement.

because the KEV backlog is increasing open exposure and remediation teams are capacity-constrained, so procurement needs an accurate, prioritized scope before engaging vendors.

Due 3d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Request detection-efficacy reports from endpoint and web-security suppliers that specifically address living-off-the-land techniques and clipboard/PowerShell paste attacks.

because ClickFix and MSHTA abuse bypass common controls by relying on user actions and signed OS tooling, so supplier detection claims must be backed by test artefacts.

Due 3d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Issue an RFP addendum requiring crypto-agility commitments and a migration support plan for legacy/edge systems from shortlisted platform and telecom vendors.

because Certes research shows many organisations lack readiness and budgets for post-quantum migration, so procurement must secure contractual transition support rather than rel...

Due 21d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Tender for managed KEV remediation capacity (outsourced vulnerability closure retainers) for non-core systems to reduce internal queueing.

because the KEV workload has increased materially and internal teams are maintaining median speed but not reducing open backlogs, so external remediation retainers buy throughpu...

Due 21d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Supplier radar

SecurityBrief Australia

high

Observed supplier signal

Vendors that can demonstrate sustained remediation throughput and managed-service capacity will command premium pricing and preferred procurement slots.

Commercial implication

Vendors that can demonstrate sustained remediation throughput and managed-service capacity will command premium pricing and preferred procurement slots.

Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.

SecurityBrief Australia

high

Observed supplier signal

Include crypto-agility and transition support in supplier commercial requirements; vendors lacking migration tooling or professional services will be at a commercial disadvantage.

Commercial implication

Include crypto-agility and transition support in supplier commercial requirements; vendors lacking migration tooling or professional services will be at a commercial disadvantage.

Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.

SecurityBrief Australia

high

Observed supplier signal

Require proof points for detection of social-engineering techniques and living-off-the-land methods when qualifying endpoint, mail and web-security suppliers.

Commercial implication

Require proof points for detection of social-engineering techniques and living-off-the-land methods when qualifying endpoint, mail and web-security suppliers.

Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.

Negotiation levers

Tag and prioritise critical assets that map to known-exploited vulnerabilities and update procurement scorecards to treat remediation capacity as a pass/fail requirement.

When to use: because the KEV backlog is increasing open exposure and remediation teams are capacity-constrained, so procurement needs an accurate, prioritized scope before engaging vendors.

Expected outcome: Annotated critical-asset inventory linked to remediation priority for RFPs and statement-of-work scopes.

Commercial mechanism to carry into the next supplier conversation

Request detection-efficacy reports from endpoint and web-security suppliers that specifically address living-off-the-land techniques and clipboard/PowerShell paste attacks.

When to use: because ClickFix and MSHTA abuse bypass common controls by relying on user actions and signed OS tooling, so supplier detection claims must be backed by test artefacts.

Expected outcome: Supplier response pack with test cases, telemetry samples and evidence of detection coverage to inform shortlists.

Commercial mechanism to carry into the next supplier conversation

Issue an RFP addendum requiring crypto-agility commitments and a migration support plan for legacy/edge systems from shortlisted platform and telecom vendors.

When to use: because Certes research shows many organisations lack readiness and budgets for post-quantum migration, so procurement must secure contractual transition support rather than rel...

Expected outcome: RFP responses that include migration roadmaps, professional services options and contractual remedies for missed transition milestones.

Commercial mechanism to carry into the next supplier conversation

Tender for managed KEV remediation capacity (outsourced vulnerability closure retainers) for non-core systems to reduce internal queueing.

When to use: because the KEV workload has increased materially and internal teams are maintaining median speed but not reducing open backlogs, so external remediation retainers buy throughpu...

Expected outcome: Contracted remediation retainer(s) with defined scope, SLAs and escalation paths to reduce backlog on lower-priority assets.

Commercial mechanism to carry into the next supplier conversation

Talking points

High and growing backlog of known-exploited vulnerabilities is stretching remediation capacity; procurement should assume sustained demand for patching and managed remediation services rather than one-off projects.
Most Australian organisations currently lack confidence or budget for post-quantum cryptography transition, so include crypto-agility and migration support in sourcing for key infrastructure and telecom suppliers.
Attackers are favoring social-engineering plus living-off-the-land techniques (ClickFix and MSHTA abuses), shifting the control surface toward endpoint tooling, browsing protections and verified vendor detection claims.
Operationally, steady median remediation speed alongside rising volumes means teams are keeping pace but capacity is limited — expect longer open windows for lower-priority assets unless you secure external capacity or prioritized SLAs.

Supplier radar

SupplierSignalImplicationNext stepConfidence
SecurityBrief AustraliaVendors that can demonstrate sustained remediation throughput and managed-service capacity will command premium pricing and preferred procurement slots.Vendors that can demonstrate sustained remediation throughput and managed-service capacity will command premium pricing and preferred procurement slots.Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.high
SecurityBrief AustraliaInclude crypto-agility and transition support in supplier commercial requirements; vendors lacking migration tooling or professional services will be at a commercial disadvantage.Include crypto-agility and transition support in supplier commercial requirements; vendors lacking migration tooling or professional services will be at a commercial disadvantage.Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.high
SecurityBrief AustraliaRequire proof points for detection of social-engineering techniques and living-off-the-land methods when qualifying endpoint, mail and web-security suppliers.Require proof points for detection of social-engineering techniques and living-off-the-land methods when qualifying endpoint, mail and web-security suppliers.Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.high

Negotiation levers

  • Tag and prioritise critical assets that map to known-exploited vulnerabilities and update procurement scorecards to treat remediation capacity as a pass/fail requirement.because the KEV backlog is increasing open exposure and remediation teams are capacity-constrained, so procurement needs an accurate, prioritized scope before engaging vendors.Annotated critical-asset inventory linked to remediation priority for RFPs and statement-of-work scopes.

    high confidence

  • Request detection-efficacy reports from endpoint and web-security suppliers that specifically address living-off-the-land techniques and clipboard/PowerShell paste attacks.because ClickFix and MSHTA abuse bypass common controls by relying on user actions and signed OS tooling, so supplier detection claims must be backed by test artefacts.Supplier response pack with test cases, telemetry samples and evidence of detection coverage to inform shortlists.

    high confidence

  • Issue an RFP addendum requiring crypto-agility commitments and a migration support plan for legacy/edge systems from shortlisted platform and telecom vendors.because Certes research shows many organisations lack readiness and budgets for post-quantum migration, so procurement must secure contractual transition support rather than rel...RFP responses that include migration roadmaps, professional services options and contractual remedies for missed transition milestones.

    high confidence

  • Tender for managed KEV remediation capacity (outsourced vulnerability closure retainers) for non-core systems to reduce internal queueing.because the KEV workload has increased materially and internal teams are maintaining median speed but not reducing open backlogs, so external remediation retainers buy throughpu...Contracted remediation retainer(s) with defined scope, SLAs and escalation paths to reduce backlog on lower-priority assets.

    high confidence

What to do / What to watch

What to do now

  • Tag and prioritise critical assets that map to known-exploited vulnerabilities and update procurement scorecards to treat remediation capacity as a pass/fail requirement.

    Why: because the KEV backlog is increasing open exposure and remediation teams are capacity-constrained, so procurement needs an accurate, prioritized scope before engaging vendors.

    Owner: Category

    Expected outcome: Annotated critical-asset inventory linked to remediation priority for RFPs and statement-of-work scopes.

    [1]
  • Request detection-efficacy reports from endpoint and web-security suppliers that specifically address living-off-the-land techniques and clipboard/PowerShell paste attacks.

    Why: because ClickFix and MSHTA abuse bypass common controls by relying on user actions and signed OS tooling, so supplier detection claims must be backed by test artefacts.

    Owner: Contracts

    Expected outcome: Supplier response pack with test cases, telemetry samples and evidence of detection coverage to inform shortlists.

    [3]

Next few weeks

  • Issue an RFP addendum requiring crypto-agility commitments and a migration support plan for legacy/edge systems from shortlisted platform and telecom vendors.

    Why: because Certes research shows many organisations lack readiness and budgets for post-quantum migration, so procurement must secure contractual transition support rather than rel...

    Owner: Contracts

    Expected outcome: RFP responses that include migration roadmaps, professional services options and contractual remedies for missed transition milestones.

    [2]
  • Tender for managed KEV remediation capacity (outsourced vulnerability closure retainers) for non-core systems to reduce internal queueing.

    Why: because the KEV workload has increased materially and internal teams are maintaining median speed but not reducing open backlogs, so external remediation retainers buy throughpu...

    Owner: Category

    Expected outcome: Contracted remediation retainer(s) with defined scope, SLAs and escalation paths to reduce backlog on lower-priority assets.

    [1]

Longer view

  • Negotiate contract clauses that require supplier telemetry access, agent support and evidence-based detection playbooks for living-off-the-land techniques as part of renewal and...

    Why: because attacks increasingly abuse trusted OS tools and social engineering, so contractual access to telemetry and specific detection evidence transfers operational risk to supp...

    Owner: Legal

    Expected outcome: Contract templates with telemetry access terms, required detection artefacts and remedies for failure to detect key techniques.

    [4]
  • Build a roadmap and budget request for phased post-quantum migration of critical cryptographic dependencies, starting with inventory and vendor capability assessments.

    Why: because organisations currently report low confidence and sparse budgets for post-quantum work, so procurement must plan funding and supplier support well ahead of migration dates.

    Owner: Ops

    Expected outcome: Approved roadmap and prioritized vendor capability list to feed procurement and capital planning.

    [2]

What to watch

  • Watch whether proactive remediation rates continue to fall as workload grows — a directional sign that buyer-supplied patch programs need external augmentation
  • Watch vendor claims of 'post-quantum readiness' for marketing language; many firms report low confidence and no dedicated budgets, so ask for concrete migration artefacts and timelines
  • Watch whether proactive remediation rates continue to fall as workload grows — a directional sign that buyer-supplied patch programs need external augmentation.: Watch whether proactive remediation rates continue to fall as workload grows — a directional sign that buyer-supplied patch programs need external augmentation
  • Watch vendor claims of 'post-quantum readiness' for marketing language; many firms report low confidence and no dedicated budgets, so ask for concrete migration artefacts and timelines.: Watch vendor claims of 'post-quantum readiness' for marketing language; many firms report low confidence and no dedicated budgets, so ask for concrete migration artefacts and timelines
  • High and growing backlog of known-exploited vulnerabilities is stretching remediation capacity; procurement should assume sustained demand for patching and managed remediation services rather than one-off projects
  • Most Australian organisations currently lack confidence or budget for post-quantum cryptography transition, so include crypto-agility and migration support in sourcing for key infrastructure and telecom suppliers
  • Attackers are favoring social-engineering plus living-off-the-land techniques (ClickFix and MSHTA abuses), shifting the control surface toward endpoint tooling, browsing protections and verified vendor detection claims
  • Operationally, steady median remediation speed alongside rising volumes means teams are keeping pace but capacity is limited — expect longer open windows for lower-priority assets unless you secure external capacity or prioritized SLAs

Market pulse

IndexLatestChangeAs of
Palo Alto (PANW)320 +0.00 (+0.00%)May 20, 2026, 10:09 PM
CrowdStrike (CRWD)285 +0.00 (+0.00%)May 20, 2026, 10:09 PM
Zscaler (ZS)195 +0.00 (+0.00%)May 20, 2026, 10:09 PM
Fortinet (FTNT)72 +0.00 (+0.00%)May 20, 2026, 10:09 PM
  • CrowdStrike: Endpoint detection demand suggests favourable procurement posture toward proven EDR providers; check vendor roadmaps and telemetry capabilities
  • Fortinet: Network and web controls matter more as attackers use browser-based social engineering; leverage NGFW and web-filtering capabilities in sourcing

Sources

Inline citations jump here. Expand a source to read the excerpt, the AI interpretation, and the original link.

[1] Qualys data shows vulnerability backlog widening sharply

securitybrief.com.au · n.d.

Expand

AI reading

Qualys analysed remediation timelines for vulnerabilities tied to the US government's Known Exploited Vulnerabilities list and found the workload has risen sharply while median detection-to-closure stayed steady. The pattern leaves a materially larger open backlog at common milestone checks (for example the 28-day mark), which makes remediation capacity a recurring operational constraint. Watch whether proactive remediation rates continue to fall as volume grows, which would push more work into managed services

Buyer takeaway

Treat the KEV backlog as a steady-state demand signal; procurement should buy ongoing remediation capacity or prioritized SLAs, not one-off patch projects

Cost / money

Directionally increases Opex for managed remediation and vendor retainers because internal teams are unlikely to clear the growing volume alone

Supplier / commercial

Vendors offering scale and SLAs for rapid remediation will gain leverage; expect pricing premiums for guaranteed throughput and escalation support

Safety / operations

Operational exposure increases for assets lower in priority lists; incident runbooks must map to supplier remediation timelines and evidence delivery

What to watch

Watch for declining proactive remediation rates and slipping closure windows; that indicates buyers should augment capacity before incidents exploit delays

Key facts

  • Median detection-to-closure remained at nine days
  • Share of instances open at 28 days increased versus prior cycle
  • Proactive remediation rate declined as KEV workload grew

Source excerpts

" The analysis also examined proactive remediation, in which organisations fix vulnerabilities before CISA formally adds them to the KEV list
Researchers describe it as a survival analysis of remediation, measuring exposure over time rather than relying on year-end closure figures. The figures show that KEV vulnerability instances increased 7
Even so, the proactive remediation rate fell to 12

Used in this brief

  • Next 72 hours — Tag and prioritise critical assets that map to known-exploited vulnerabilities and update procurement scorecards to treat remediation capacity as a pass/fail requirement.. Rationale: because the KEV backlog is increasing open exposure and remediation teams are capacity-constrained, so procurement needs an accurate, prioritized scope before engaging vendors.. Owner: Category. KPI: Annotated critical-asset inventory linked to remediation priority for RFPs and statement-of-work scopes
  • Next 2-4 weeks — Tender for managed KEV remediation capacity (outsourced vulnerability closure retainers) for non-core systems to reduce internal queueing.. Rationale: because the KEV workload has increased materially and internal teams are maintaining median speed but not reducing open backlogs, so external remediation retainers buy throughpu.... Owner: Category. KPI: Contracted remediation retainer(s) with defined scope, SLAs and escalation paths to reduce backlog on lower-priority assets
  • Watch whether proactive remediation rates continue to fall as workload grows — a directional sign that buyer-supplied patch programs need external augmentation
Open original source

[2] Australian firms lag on post-quantum crypto readiness

securitybrief.com.au · n.d.

Expand

AI reading

Certes research shows many Australian organisations are behind on post-quantum cryptography planning, with legacy systems and edge/IoT cited as top risks. Confidence and dedicated budgeting for migration are low, meaning suppliers that offer migration tooling and professional services will be more valuable operationally. Procurement should validate vendor migration artefacts and build transition commitments into contracts

Buyer takeaway

Make post-quantum readiness a commercial evaluation factor; demand migration plans and evidence instead of accepting roadmap statements

Cost / money

Expect capital and services spend on migrating legacy crypto or buying crypto-agile replacements because transition can be complex and resource-intensive

Supplier / commercial

Vendors with demonstrable crypto-agility, tooling and professional services gain negotiating leverage; consider phased transition pricing and pass-throughs

Safety / operations

Failure to plan accelerates long-term exposure, especially in telecom and critical infrastructure where replacement cycles are long

What to watch

Many vendors and buyers over-index on awareness but underfund execution; don't accept high-level claims without migration artefacts

Key facts

  • Majority of organisations identify legacy systems as the primary quantum risk
  • Edge and IoT environments commonly cited as hard-to-migrate areas
  • Low confidence and limited dedicated budgets for crypto migration

Source excerpts

Certes has published research suggesting many Australian organisations are behind in preparing for post-quantum cryptography, highlighting a wide gap between awareness of quantum threats and confidence in meeting official timelines. The study found that 78% of organisations see legacy systems as their biggest quantum security risk, yet only 11% are confident they can achieve post-quantum readiness within expected deadlines
Its guidance calls for a refined transition plan by the end of 2026, migration of vulnerable systems by the end of 2028, and completion of the shift away from traditional asymmetric cryptography by 2030. For sectors such as critical infrastructure, financial services, telecommunications, healthcare and government, the challenge is compounded by long technology replacement cycles and continued reliance on older systems
Only 2% of respondents said they were fully confident in achieving full crypto agility, while 97% were not fully confident they could meet crypto agility timelines

Used in this brief

  • Cost / money: Post-quantum transition will push capital and project budgets toward legacy replacement or migration work for critical telecom and identity systems if timelines are to be met
  • What to watch: Watch vendor claims of 'post-quantum readiness' for marketing language; many firms report low confidence and no dedicated budgets, so ask for concrete migration artefacts and timelines
  • Next 2-4 weeks — Issue an RFP addendum requiring crypto-agility commitments and a migration support plan for legacy/edge systems from shortlisted platform and telecom vendors.. Rationale: because Certes research shows many organisations lack readiness and budgets for post-quantum migration, so procurement must secure contractual transition support rather than rel.... Owner: Contracts. KPI: RFP responses that include migration roadmaps, professional services options and contractual remedies for missed transition milestones
Open original source

[3] Australian businesses warned over ClickFix attacks

securitybrief.com.au · n.d.

Expand

AI reading

PhishByte and the Australian Cyber Security Centre flagged ClickFix campaigns that trick users into pasting malicious commands via fake verification prompts on compromised WordPress sites. The technique evades traditional email and attachment controls because it relies on social engineering and clipboard execution, making browser, endpoint and workflow controls more important. Procurement should require suppliers to show concrete detection and response coverage for these social-engineering flows

Buyer takeaway

Prioritise vendors that can demonstrate detection of social-engineering and browser-based command-injection flows with test artefacts

Cost / money

May increase spend on browser isolation, web filtering and advanced endpoint controls because legacy controls often miss these flows

Supplier / commercial

Vendors that can prove practical detection and remediation for ClickFix-like flows will be favoured in shortlist and can command better commercial terms

Safety / operations

Operational detection must tie into runbooks that assume compromise via user action; automation and playbooks matter more than basic alerts

What to watch

This technique targets user trust and small-business tooling gaps; verify vendor claims with empirical telemetry and test cases

Key facts

  • Campaigns use fake verification prompts on legitimate websites to deliver commands
  • Technique bypasses common SME controls by relying on user actions
  • Payloads observed include credential and information stealers

Source excerpts

Malicious JavaScript then copies a PowerShell command to the visitor's clipboard and instructs the user to paste it into the Windows Run dialogue and execute it. Because the victim runs the command, the attack can slip past several defensive layers businesses often rely on, including email security gateways, attachment scanning, drive-by download protections and endpoint monitoring tools
In the current campaigns, compromised WordPress sites belonging to legitimate Australian businesses display fake verification prompts to visitors
Because the victim runs the command, the attack can slip past several defensive layers businesses often rely on, including email security gateways, attachment scanning, drive-by download protections and endpoint monitoring tools

Used in this brief

  • Next 72 hours — Request detection-efficacy reports from endpoint and web-security suppliers that specifically address living-off-the-land techniques and clipboard/PowerShell paste attacks.. Rationale: because ClickFix and MSHTA abuse bypass common controls by relying on user actions and signed OS tooling, so supplier detection claims must be backed by test artefacts.. Owner: Contracts. KPI: Supplier response pack with test cases, telemetry samples and evidence of detection coverage to inform shortlists
  • PhishByte and the Australian Cyber Security Centre flagged ClickFix campaigns that trick users into pasting malicious commands via fake verification prompts on compromised WordPress sites. The technique evades traditional email and attachment controls because it relies on social engineering and clipboard execution, making browser, endpoint and workflow controls more important. Procurement should require suppliers to show concrete detection and response coverage for these social-engineering flows
  • Buyer bottom line: social-engineering attack flows reduce the value of standard email and attachment controls — demand browser and endpoint detection evidence from security suppliers
Open original source

[4] MSHTA abuse helps malware hide in Windows processes

securitybrief.com.au · n.d.

Expand

AI reading

Bitdefender reported rising abuse of MSHTA, a legacy Windows utility still present by default, which attackers use to run scripts via signed OS processes and hide activity. This is part of a broader shift to living-off-the-land approaches that reduce visibility for traditional malware signatures; detection requires telemetry and behavioural analytics. Buyers should require supplier evidence of detection for such techniques and include telemetry-access terms in contracts

Buyer takeaway

Demand behavioural and telemetry-based detection capabilities from endpoint vendors and ensure contractual access to necessary logs

Cost / money

May shift spend from basic AV to more advanced EDR/X and telemetry storage/ingestion costs

Supplier / commercial

Suppliers that document detection artefacts for living-off-the-land techniques will be preferred and can justify premium terms

Safety / operations

Operational playbooks should assume attacker use of legitimate OS tooling; detection-to-remediation SLAs must reflect this complexity

What to watch

Legacy OS utilities enabled by default create persistent blind spots; validate that suppliers test for these specific abuse patterns

Key facts

  • MSHTA used to run malicious scripts through signed Microsoft processes
  • Trend is part of broader living-off-the-land attacker techniques
  • Detections for MSHTA-related activity have risen in recent months

Source excerpts

The report described this as part of a broader shift towards so-called living-off-the-land methods, in which attackers rely on legitimate administrative and scripting tools rather than custom executables that are more likely to trigger alarms. In the campaigns Bitdefender reviewed, social engineering was a common entry point
Many of the attacks Bitdefender observed were designed "to minimise detection"
Bitdefender has published research on the use of Microsoft's MSHTA utility in malware attacks, focusing on a legacy Windows tool that remains enabled by default. Attackers are using MSHTA to run malicious scripts through Microsoft-signed processes, making the activity appear more like normal Windows behaviour

Used in this brief

  • Supplier / commercial: Require proof points for detection of social-engineering techniques and living-off-the-land methods when qualifying endpoint, mail and web-security suppliers
  • Next quarter — Negotiate contract clauses that require supplier telemetry access, agent support and evidence-based detection playbooks for living-off-the-land techniques as part of renewal and.... Rationale: because attacks increasingly abuse trusted OS tools and social engineering, so contractual access to telemetry and specific detection evidence transfers operational risk to supp.... Owner: Legal. KPI: Contract templates with telemetry access terms, required detection artefacts and remedies for failure to detect key techniques
  • New operational attack techniques (ClickFix social-engineering campaigns and MSHTA living-off-the-land abuse) surfaced and should change short-term vendor detection and endpoint control requirements
Open original source

[5] CrowdStrike

finance.yahoo.com · n.d.

Expand
Open original source

[6] Fortinet

finance.yahoo.com · n.d.

Expand
Open original source
More from IT, Telecom & CyberBack to Executive View