Cybersecurity Roundup: Partnerships, Funding, and Emerging Threats – March 3, 2026 Featured: Cybersecurity and Infrastructure Security Agency, SloppyLemming, Tidal Cyber, OneZero Solutions, and Group-IB with Universidad Nebrija.

A daily briefing that summarizes the week’s most consequential cybersecurity developments and translates them into practical guidance for CISOs, board members, procurement teams, regulators, and security practitioners. This edition examines a high-profile resignation at the U.S. federal cyber agency, a state-aligned threat actor resurfacing in South Asia, vendor validation for AI-driven defensive prioritization, a people-first approach to healthcare security, and an industry-academia partnership to strengthen cyber education. I close with a tactical playbook and priorities that will materially reduce your organization’s near-term exposure.

Executive summary

  • Leadership churn at Cybersecurity and Infrastructure Security Agency continues: acting associate director Shelly Hartsook announced her resignation, removing a central steward of federal capacity-building programs such as Continuous Diagnostics and Mitigation (CDM). This departure deepens questions about continuity, staffing, and federal readiness.

  • SloppyLemming is actively targeting Pakistan and Bangladesh with a dual-chain malware campaign, combining stealthy backdoors and data exfiltration workflows that exploit public-facing infrastructure and misconfigured collaboration tools — a reminder that nation-aligned campaigns adapt fast and exploit simple operational gaps.

  • Market validation for AI-driven defensive prioritization: Tidal Cyber was included in a SageTap H2-2025 cybersecurity report, reflecting growing demand for procedure-level, AI-guided prioritization (what to fix first across thousands of alerts and procedures). This demonstrates that buyers want decisioning, not just telemetry.

  • Healthcare security needs a human focus: OneZero Solutions is positioning operational clarity and people-centric risk workflows as the core of reducing cyber risk in hospitals and clinics — a pragmatic corrective to tooling-only approaches. (Source: South Florida Hospital News; redirect noted.)

  • Industry-academia capacity building: Group-IB and Universidad Nebrija formalized an MOU to integrate threat intelligence into curriculum and practical labs — a critical pipeline step for trained analysts and defenders.

Taken together, these items map to a clear operating agenda for security leaders: shore up governance and continuity against leadership volatility; harden simple operational hygiene to blunt nimble adversaries; embrace AI for decisioning but demand human-centered processes; and invest in a local talent pipeline through industry-academia partnerships.


Introduction — the macro frame: people, process, and prioritization

If you read only the headlines, cybersecurity looks like an ever-accelerating arms race: models, exploits, and vendors sprinting in parallel. The more important signal beneath the noise is methodological: the gap between detection capability and operational prioritization continues to widen. Organizations are overwhelmed with telemetry and under-invested in the people and processes that convert detection to containment.

This week’s stories illustrate that dynamic in five ways:

  1. Leadership matters. When government capacity officers leave — especially those who link programs (CDM, incident response) across agencies — organizational memory and operational maturity erode. That affects national-level coordination and private sector confidence. (CISA resignation.)

  2. Adversaries adapt fast and opportunistically. The SloppyLemming campaign shows how actors reuse toolsets and hide in plain sight (dual malware chains, collaboration tool abuse) — meaning defenders must harden basics first.

  3. Buyers want decisions, not just data. Inclusion of vendors like Tidal Cyber in analyst reports validates that customers want AI-driven procedure-level defensive prioritization. Telemetry without prioritization is table stakes.

  4. Healthcare requires human-centered operational models. Hospitals are fragile systems where downtime risks lives; security cannot be pure tech—process, training, and human operations are critical.

  5. Talent pipelines matter. Industry-academic partnerships are the pragmatic path to scale practitioner skills and align curricula with threat realities.

This article will unpack each story, provide an operational playbook, and end with board-level KPIs and procurement guidance. If you’re a CISO, CIO, or board member, use the tactical checklist at the end as your immediate roadmap.


I. Leadership shock at Cybersecurity and Infrastructure Security Agency — the departure that amplifies risk

What happened

On March 2, 2026, Federal News Network reported that Shelly Hartsook, who led capacity-building efforts in the agency’s cybersecurity division, resigned; her last day was reported as March 6. Her portfolio included programs like Continuous Diagnostics and Mitigation (CDM) and other externally facing services that deliver security capabilities to federal agencies. The report also noted a trend of departures within the agency and organizational turmoil after leadership changes.

Source: Federal News Network.

Why this matters beyond personnel headlines

  • Continuity of mission-critical programs. Programs like CDM, which provide enterprise asset inventory, vulnerability triage, and patch telemetry to dozens of federal agencies, rely on stable leadership to coordinate procurement, sustain funding, and engage vendors. Leadership turnover delays decisions, interrupts vendor contracts, and reduces the cadence of operational improvements.

  • Confidence and recruiting. Publicly signalled instability discourages private sector talent from joining or partnering with the agency. One resignation may cascade into more departures if the organization lacks a clear operating plan.

  • Interruption of collaborative ecosystems. CISA is often the convenor for sectoral exercises, information sharing (e.g., ISAC engagements), and incident response coordination. The loss of a capacity-building leader chills these cross-sector efforts temporarily.

The operational impact firms should expect

  • Short delays in federal procurement and guidance publications. Expect slower response times for vendor onboarding requests and guidance updates related to CDM or zero trust deployments.

  • Contract uncertainty for sub-vendors. If CISA pauses a program to reassess leadership direction, contractors may see delayed invoices, renegotiations, or increased requirements. Prepare for cadence changes.

  • Increased private-sector responsibility. In the absence of immediate federal guidance, private entities cannot wait—they must proceed with patching, segmentation, and tabletop exercises independently.

Practical guidance for CISOs & procurement leads

  1. Don’t assume immediate policy changes — assume operational drift. Use this window to harden internal programs: inventory critical assets, confirm EDR/patching SLAs, and revalidate escalation pathways with your own vendors.

  2. Proactively engage and document. If you rely on federal programs, request written confirmation of program continuity and timelines. Vendors should obtain written helpdesk SLAs and backup contacts.

  3. Prioritize bilateral resilience. Partner with industry ISACs and sectoral groups to ensure continuity of threat info and exercises while federal coordination stabilizes.

Opinion — leadership vacuums have real risk premiums

This is not just “bureaucratic drama.” People who hold the institutional memory of cross-agency programs are the glue of national cyber readiness. Agencies need succession plans that preserve program momentum; for private sector buyers, the prudent course is to assume the program you expect to rely on will be late and to move to internal resilience in parallel.

Source: Federal News Network.


II. SloppyLemming resurfaces — dual-chain malware hits Pakistan and Bangladesh

The threat in brief

Security reporting indicates a coordinated campaign by the threat actor labeled SloppyLemming, targeting government and infrastructure entities in Pakistan and Bangladesh using a dual-malware chain: (a) a stealthy backdoor for persistent access and reconnaissance, and (b) a separate exfiltration/command module that leverages collaboration platforms and misconfigured services to siphon data while blending into normal traffic. The campaign demonstrates operational sophistication and opportunistic use of publicly exposed services.

Source: The Hacker News.

Technical anatomy — what defenders should know

  • Dual-chain architecture: Adversaries increasingly separate reconnaissance/persistence from exfiltration to limit detection: a lightweight implant collects credentials and maps the environment, while a second module retrieves data in batches and uses benign channels (cloud docs, spreadsheets, webhooks) to exfiltrate. This reduces network anomalies and increases stealth.

  • Living-off-the-land (LotL) techniques: Use of legitimate system tools and platform APIs allows the attacker to bypass signature-based detection. Attackers abuse automation features to schedule operations and to trigger exfiltration only during legitimate business hours.

  • Credential reuse & supply-chain pivoting: Initial access often comes through credential stuffing or vendor compromise, enabling pivot into government systems. Once inside, attackers target data custodians (e.g., document storage, email, LDAP).

Likely objectives & indicators of compromise (IOCs)

  • Objectives: Access and collection of policy documents, diplomatic communications, or operational data for intelligence purposes; potential disruption in later phases.

  • Behavioral IOCs: Unusual API calls to cloud collaboration services, unexpected OAuth token generation, new service accounts creating frequent revisions in shared documents, and small but frequent file exports timed to non-peak hours.

  • Post-exfil staging: Attackers may use encrypted blobs embedded in benign documents or obfuscated comments to store payloads — making static file scanning less effective.

Rapid response checklist for targeted sectors

  1. Audit service account activity and rotate tokens. Immediately list all service accounts with elevated scopes and rotate keys. Enforce short TTL tokens where possible.

  2. Instrument collaboration tooling telemetry. Configure SIEM/XDR to flag unusual document exports, bulk downloads, and new external sharing endpoints. Capture revision histories for forensic preservation.

  3. Hunt for lateral movement. Track admin logon patterns, new scheduled tasks, and unauthorized use of remote management tools. Use identity telemetry to trace pivot points.

  4. Engage ISAC/CSIRT peers. Share sanitized IOCs with sector ISACs and national CSIRTs for coordinated blocking and remediation.
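The behavioral IOCs listed above and checklist item 2 (collaboration tooling telemetry) translate into three simple detections, shown here as an added example written for this roundup and not taken from the reporting on the campaign. The audit-event schema, the service-account inventory, the business-hours window and every threshold are assumptions, and the events themselves are constructed; adapt all of them to what your collaboration platform actually exports.

```python
"""Behavioural detections for the collaboration-tool exfiltration pattern:
small, frequent off-hours exports; a new service account generating bursts
of document revisions; sharing to external domains not on an allow-list.
Schema, thresholds and inventory below are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit events (not real telemetry).
# (timestamp UTC, actor, actor_type, action, target, bytes_or_domain)
SAMPLE_EVENTS = [
    ("2026-03-02T02:05:00Z", "svc-sync-01", "service", "export", "q1-budget.xlsx", 412_000),
    ("2026-03-02T02:21:00Z", "svc-sync-01", "service", "export", "ministry-memo.docx", 388_000),
    ("2026-03-02T02:44:00Z", "svc-sync-01", "service", "export", "contacts.csv", 95_000),
    ("2026-03-02T03:02:00Z", "svc-sync-01", "service", "export", "travel-plan.docx", 510_000),
    ("2026-03-02T03:19:00Z", "svc-sync-01", "service", "export", "org-chart.pdf", 730_000),
    ("2026-03-02T03:40:00Z", "svc-sync-01", "service", "export", "policy-brief.docx", 640_000),
    ("2026-03-02T10:00:00Z", "alice", "user", "export", "q1-budget.xlsx", 52_000_000),
    ("2026-03-02T10:30:00Z", "alice", "user", "export", "archive.zip", 81_000_000),
    ("2026-03-02T11:15:00Z", "bob", "user", "share_external", "draft.docx", "corp.example"),
    ("2026-03-02T11:20:00Z", "bob", "user", "share_external", "draft.docx", "files.partner-drop.example"),
] + [  # twelve revisions of one document inside a single off-hours hour
    ("2026-03-02T04:%02d:00Z" % m, "svc-sync-01", "service", "revision", "policy-brief.docx", 0)
    for m in range(0, 60, 5)
]

# Assumed service-account inventory: account -> creation time.
SERVICE_ACCOUNT_CREATED = {"svc-sync-01": "2026-02-28T09:00:00Z",
                           "svc-backup": "2024-01-10T00:00:00Z"}
KNOWN_EXTERNAL_DOMAINS = {"corp.example"}

BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 UTC (assumption)
SMALL_EXPORT_BYTES = 2 * 1024 * 1024   # "small" export: under 2 MiB
EXPORT_WINDOW = timedelta(hours=2)
EXPORT_THRESHOLD = 5                   # >= 5 small off-hours exports in a window
REVISION_THRESHOLD = 10                # revisions of one document in one day
NEW_ACCOUNT_DAYS = 14                  # "new" service account age


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_off_hours(ts):
    return ts.hour not in BUSINESS_HOURS


def detect_offhours_small_exports(events):
    """Flag actors with >= EXPORT_THRESHOLD small exports inside any
    EXPORT_WINDOW outside business hours (the batched-export pattern)."""
    per_actor = defaultdict(list)
    for ts, actor, _t, action, _target, size in events:
        t = parse_ts(ts)
        if action == "export" and size < SMALL_EXPORT_BYTES and is_off_hours(t):
            per_actor[actor].append(t)
    findings = []
    for actor, times in per_actor.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):      # sliding window over sorted times
            while times[end] - times[start] > EXPORT_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= EXPORT_THRESHOLD:
            findings.append(("offhours_small_exports", actor, best))
    return findings


def detect_new_service_account_revisions(events, created):
    """Flag service accounts that are new (or absent from the inventory)
    and produce >= REVISION_THRESHOLD revisions of one document in a day."""
    counts = defaultdict(int)
    for ts, actor, atype, action, target, _ in events:
        if atype == "service" and action == "revision":
            counts[(actor, target, parse_ts(ts).date())] += 1
    findings = []
    for (actor, target, day), n in counts.items():
        day_start = datetime.combine(day, datetime.min.time(), timezone.utc)
        created_at = created.get(actor)
        is_new = created_at is None or \
            day_start - parse_ts(created_at) <= timedelta(days=NEW_ACCOUNT_DAYS)
        if n >= REVISION_THRESHOLD and is_new:
            findings.append(("new_service_account_revisions", actor, n))
    return findings


def detect_new_external_shares(events, known_domains):
    """Flag external sharing to any domain not on the allow-list."""
    return [("new_external_share", actor, domain)
            for _ts, actor, _t, action, _target, domain in events
            if action == "share_external" and domain not in known_domains]


def run(events=SAMPLE_EVENTS):
    return (detect_offhours_small_exports(events)
            + detect_new_service_account_revisions(events, SERVICE_ACCOUNT_CREATED)
            + detect_new_external_shares(events, KNOWN_EXTERNAL_DOMAINS))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

On the constructed events the user alice's large business-hours exports are not flagged, while the service account's six small night-time exports, its twelve revisions of one document, and bob's share to an unlisted domain each produce one finding.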

Strategic implications

  • Operational hygiene is a force-multiplier. For many organizations, basic hygiene (least privilege, token rotation, granular API scopes, and collaboration monitoring) would detect or prevent this campaign. The attack underlines that advanced nation-aligned actors still succeed by exploiting overlooked defaults.

  • Supply chain defense matters. Governments and large enterprises must enforce stronger third-party controls and continuous attestation for vendor access.

Opinion — the attack is a reminder, not a surprise

Adversaries adapt quickly but often along predictable lines: abuse of convenience. The right posture is not glamour — it’s disciplined hygiene, identity friction reduction, and continuous hunting. If you’re a defender in a government or critical infrastructure organization, assume you are targeted and test accordingly.

Source: The Hacker News.


III. Tidal Cyber’s inclusion in SageTap report — the market confirms demand for AI-driven defensive prioritization

The announcement

A recent PR highlighted that Tidal Cyber was included in the SageTap H2-2025 cybersecurity report, which identifies market leaders and validates rising demand for procedure-level, AI-driven defensive prioritization — i.e., tools that recommend which procedures or alerts security teams should fix first to maximize risk reduction. This reflects buyers shifting from raw telemetry to prioritized decisioning.

Source: PR Newswire (Tidal Cyber press release).

Why procedure-level prioritization matters

  • Signal overload is the core problem. Security ops teams drown in alerts; the key ROI is not detecting more, but resolving the right things quickly. Procedure-level products aim to answer: Which vulnerabilities or misconfigurations, if fixed, will reduce my breach surface fastest?

  • AI for decisioning, not just classification. These solutions use modeling and simulation to estimate risk reduction per remediation action, helping allocate scarce analyst time. Buyers view that capability as operationally valuable.

  • Procurement shift: Procurement teams increasingly ask for demonstrable ROI (reduction in time-to-contain and reduction in potential breach impact), not vendor feature lists.

Evaluation criteria for buyers

When assessing products like Tidal Cyber or similar solutions:

  1. Methodology transparency: Can the vendor explain how the AI estimates impact? Are assumptions about attacker behavior explicit?

  2. Data inputs & fidelity: Does the tool ingest asset inventory, network topology, identity sources, detection telemetry, and threat intelligence? Prioritization is only as good as the data.

  3. Actionability & automation: Are remediation tasks actionable and automatable (e.g., playbooks, patch orchestrations, firewall rule changes)? Does the solution integrate with ticketing and orchestration?

  4. Evaluation & red teaming: Require vendor to show red-team validation that following the prescribed priorities materially reduces compromise success rates.

Tactical roadmap for security operations

  • Pilot with a single high-value domain. Run a 90-day pilot focusing on, say, externally exposed assets: measure time-to-remediate and modeled reduction in attack surface.

  • Integrate with SOAR and CMDB. Ensure prioritization outputs become automated tasks or tickets with clear owner assignment.

  • Require runbooks & rollback plans. Prioritization should come with operational playbooks—what to do, how to test, and how to roll back if the change breaks services.

Market and policy note

Analyst validation signals investment momentum. Expect consolidation as larger platform vendors embed such decisioning or acquire specialists. For policymakers, these tools could be useful in resource-constrained settings (municipalities, smaller agencies) to maximize limited cyber teams’ effectiveness.

Source: PR Newswire (Tidal Cyber/SageTap notice).


IV. Healthcare security with a human focus — OneZero Solutions’ operational clarity

The story

A report highlighted how OneZero Solutions emphasizes human processes, clear operational communications, and practical security playbooks to reduce risk in healthcare environments. The firm’s approach centers on aligning clinical workflows with security controls to avoid downtime and patient harm. (Source: South Florida Hospital News; page redirect noted.)

Source: South Florida Hospital News (OneZero Solutions feature).

Why healthcare needs a human-centered security model

  • The stakes are literal lives. Unlike many industries, cyber incidents in hospitals can directly cause patient harm. Thus, balance between security friction and clinical access must be carefully managed.

  • Complex operational environment. Healthcare IT systems mix legacy devices, medical devices (OT), EHR systems, vendor consoles, and third-party cloud services—each with unique operational demands and patching constraints.

  • Workforce constraints. Clinical staff cannot be burdened with security tasks; security controls must be minimally disruptive and provide clear escalation mechanisms.

Key practices OneZero advocates (and that actually work)

  1. Clinical-security co-design: Security architects should shadow clinical workflows to understand critical path tasks and design controls that do not impede immediate care.

  2. Surgical playbooks: Create role-specific checklists (e.g., ED nurse, radiology tech, IT on call) that describe required actions during an incident, tailored to preserve patient care.

  3. Operational clarity & drills: Conduct realistic drills with clinical participation; measure time to restore critical workflows and adjust playbooks accordingly.

  4. Prioritize lethality-reducing fixes: Triage fixes by patient-safety impact (e.g., ensure infusion pumps remain segmented and verified before other less-critical tasks).

Quick checklist for hospital CISOs

  • Map critical workflows and identify the minimum tech required to continue life-sustaining operations.

  • Create rapidly accessible runbooks for frontline staff with non-technical language.

  • Build vendor contingency plans for medical device vendors that cannot be patched quickly.

  • Invest in tabletop frequency (quarterly) and measure closure of playbook gaps.

Opinion — healthcare security is a human problem first

Tooling is necessary but insufficient. The most effective programs make security predictable and low-cognitive for clinicians. Workflows and playbooks win more operational security battles than dashboards alone.

Source: South Florida Hospital News (OneZero Solutions).


V. Group-IB and Universidad Nebrija — industry + academia to scale cyber talent

The partnership

Group-IB announced a memorandum with Universidad Nebrija to integrate threat intelligence into cyber curricula, offer practical labs, and create internships that prepare students for real threat-analysis roles. This is part of a broader trend of private companies embedding operational expertise into academic training programs.

Source: Group-IB press release.

Why this model matters

  • Bridging the skills gap. Universities often graduate students with theory but little exposure to real telemetry and live toolchains. Industry partnerships provide that bridge.

  • Rapid upskilling for employers. Employers benefit from a pipeline of interns and grads who already know SIEM, threat hunting, and intelligence tradecraft.

  • Mutual benefit & ethical training. Industry can shape curricula to include ethical constraints and legal frameworks required for responsible use of offensive/defensive capabilities.

Implementation design — what good partnerships include

  1. Sanitized telemetry feeds and labs. Industry partners supply realistic but anonymized datasets for students to analyze.

  2. Capstone projects on real problems. Students produce operational artifacts (IOC catalogs, playbooks, red-team reports) as graded deliverables.

  3. Internship ladders & apprenticeship pathways. Graduates progress through a tiered ladder of roles (tier-1 analyst → tier-2 hunter → threat intel).

  4. Faculty exchange & training. Practitioners teach modules, ensuring curriculum remains current with live threats.

Practical steps for universities & companies

  • Companies: Commit to at least a 2-year curriculum partnership rather than one-off workshops. Ensure legal vetting for data sharing.

  • Universities: Build modular courses that can be updated quarterly as threats evolve; measure employment outcomes.

  • Policy actors: Fund and recognize accredited industry-academic cyber programs as part of national workforce strategies.

Opinion — scaling talent is a long game that must start now

Industry-academic partnerships are the pragmatic path to increase the defender pool with realistic skills. Treat these programs as strategic investments in national resilience, not philanthropic gestures.

Source: Group-IB press release.


Cross-cutting analysis — five themes connecting this week’s news

  1. Continuity risk is a real security control. Leadership departures at agencies are not administrative trivia — they increase operational risk across sectors that depend on federal coordination.

  2. Adversaries exploit convenience and misconfiguration. SloppyLemming’s campaign is a reminder: most successful intrusions still rely on credentials, exposed services, or misconfigured collaboration tooling.

  3. Decisioning > detection. Analyst validation of vendors like Tidal Cyber shows the market wants AI to tell defenders what to do — not just what’s wrong.

  4. People and process matter more in constrained domains. Healthcare’s constraints make operational clarity a higher ROI than flashy tooling.

  5. Talent pipelines are strategic. Group-IB and Universidad Nebrija’s partnership addresses the intractable shortage of trained cyber defenders by making education operationally relevant.


Actionable playbook — immediate to strategic steps (practical, prioritized)

Immediate (this week)

  • Inventory dependency on federal programs. If your business relies on CISA programs (CDM, incident response playbooks), document the program owner, next contact, and contingency plan. (High priority for vendors selling into federal space.)

  • Rotate service account credentials & scan collaboration automations. Audit Google Apps Scripts, Microsoft Power Automate flows, webhooks, and service accounts for suspicious routines. (High priority for public sector and infrastructure orgs.)

  • Run a 48-hour “what-ifs” tabletop centered on losing a critical government coordination partner — test bilateral continuity and private sector partnerships. (Recommended for large vendors and sector ISACs.)

Near term (30–90 days)

  • Pilot an AI prioritization tool (e.g., Tidal Cyber style) for a single high-value domain and measure real remediation time savings and residual risk reduction. Integrate outputs into SOAR workflows.

  • Healthcare focus: Co-design at least one clinical playbook with frontline staff and run a measured drill; measure time to restore critical flows and iterate the playbook.

  • Onboard academic partners: If you run a security program, establish at least one university partnership to receive interns and provide lab datasets. Formalize data sharing agreements and lab curricula.

Strategic (6–12 months)

  • Invest in identity resilience: Adopt short-lived service tokens, conditional access, and continuous authentication for critical systems; mandate rotation and attestation for all vendor tokens.

  • Procurement standards for decisioning tools: Require vendors to expose methodology, data inputs, and red-team validation reports when buying AI prioritization tools. Demand SLAs that tie outputs to measurable reductions in MTTD/MTTR.

  • Workforce pipeline funding: Sponsor multi-year university partnerships that include capstone, lab, and internship programs. Track placement and measure reduction in mean time to staff serious incidents.


Risk register — 10 things to watch for (practical)

  1. Program pauses at federal level — budget or leadership changes that pause program rollouts and slow vendor payments. (Mitigate with bilateral continuity planning.)

  2. Token/service account exposure leading to stealthy exfiltration. (Mitigate with rotation and monitoring.)

  3. Overreliance on opaque AI prioritization without independent validation. (Mitigate with proof-of-value pilots and red team tests.)

  4. Clinician workflow disruption from poorly designed security controls. (Mitigate with co-design and rapid rollback playbooks.)

  5. Academic pipeline mismatch — curricula not aligned with operational needs. (Mitigate by contracting for practical labs and internships.)

  6. Supply chain single points of failure for security tooling or cloud providers. (Mitigate with redundancy planning.)

  7. Incident reporting lags due to unclear federal guidance during agency transitions. (Mitigate: maintain private reporting channels with vendors and ISACs.)

  8. False positive-driven burnout if prioritization tools are not tuned. (Mitigate with human-in-the-loop and threshold tuning.)

  9. Legal/regulatory uncertainty for healthcare incident scopes. (Mitigate with legal pre-clearance and rapid notification templates.)

  10. Talent drain if industry fails to invest in steady pipelines. (Mitigate via long-term education partnerships.)


Board-level KPIs & audit checklist (what the board should demand)

  • % of critical models/tools with documented validation (e.g., AI prioritization tools with red-team evidence): target ≥ 90% for high-impact tooling.

  • Mean Time to Detect (MTTD) for high-value assets: target < 1 hour.

  • Mean Time to Contain (MTTC) (post-detection): set tiered targets (e.g., < 4 hours for internet-facing services).

  • % of service accounts rotated in the last 30 days: target ≥ 95% for critical tokens.

  • Workforce pipeline metrics: number of active interns/apprentices from academic partnerships, and % of hires meeting job-ready criteria.


Procurement redlines for decisioning tools (sample contract language)

  • Methodology disclosure clause: Vendor must provide a written methodology for risk scoring and prioritization, including assumptions and known limitations.

  • Red-team validation evidence: Vendor must supply independent red-team reports at contract signing and annually.

  • Audit & exportable artifacts: Vendor must be able to export decisions and data inputs for a specified retention window for legal and regulatory review.

  • Incident collaboration SLA: Vendor must commit to joint IR and communication playbooks and response timelines for critical incidents.


Measuring success — simple metrics for operational leaders

  • Remediation velocity: median time from prioritized recommendation to verified remediation.

  • Reduction in attack surface exposure: modeled using decisioning tool outputs (pre/post pilot).

  • Clinical uptime during drills: % of critical clinical flows maintained during tabletop exercises.

  • Analyst productivity: number of true positives resolved per analyst per week after prioritization tool adoption.

  • Hiring throughput: % of job openings filled from academic partnerships within 6 months.


Conclusion — act on governance, hygiene, and human processes

This week’s round-up gives a simple, urgent set of instructions:

  1. Governance: Assume continuity risks in federal programs; get written confirmations and internal contingency plans.

  2. Hygiene: Fix the basics now — service token rotation, least privilege, and collaboration monitoring. Those steps blunt campaigns like SloppyLemming.

  3. Prioritization: Move from telemetry to decisioning — pilot validated AI prioritization tools and demand transparent methodology.

  4. People-first: In healthcare and other high-stakes domains, design controls for clinicians and continuity.

  5. Talent: Build long-term pipelines via industry-academic partnerships to ensure the next generation of defenders is field-ready.

If your security program can do only three things in the next 90 days: (a) rotate and inventory service tokens across critical systems; (b) pilot a prioritized remediation tool for a core risk domain and validate with red-team evidence; (c) run at least one cross-functional tabletop that includes procurement, legal, operations, and executive leadership — you will materially reduce your near-term exposure.


Sources

  • Federal News Network (CISA resignation report).
  • The Hacker News (SloppyLemming campaign).
  • PR Newswire (Tidal Cyber / SageTap notice).
  • South Florida Hospital News (OneZero Solutions feature).
  • Group-IB press release (Universidad Nebrija MOU).

Peter Tolan is a Junior Content Editor for the HIPTHER network, where he has quickly established himself as a versatile voice in the global iGaming and technology sectors. Operating across the network's specialized platforms, Peter leverages a deep understanding of the European and American gaming landscapes to deliver high-impact, B2B intelligence. He is a key contributor to the "Evolution" side of the industry, specializing in the analysis of online gaming trends, the fast-paced world of esports, and the integration of deep-tech innovations. With a sharp eye for emerging technologies, Peter ensures that the HIPTHER community remains at the forefront of the global digital revolution.