RSA is always a good opportunity to reconnect with industry friends—2025 was no exception. Beneath the marketing avalanche of “AI-enabled everything,” one theme stuck out in conversations with CISOs and defensive leaders: the mounting time and energy spent on cyber audits, reporting, and remediation.

These Enterprise Risk Management (ERM) and Governance, Risk, and Compliance (GRC) efforts are especially demanding in regulated industries. But with mandates like NIS2 and DORA taking effect in Europe—and domestic frameworks like SOX, SOC2, and CMMC still in play—security leaders are spending more time with audit committees than ever before.

Compliance Theater: Starring the Risk Register

In enterprises, defensive resource allocations are often adjudicated by committees and measured by audit progress and the almighty risk register. This means most of the attention (and budget) aligns with avoiding one specific risk: legal or compliance failure (LCF). It’s no surprise that CISOs are often left with a single 15-minute slot each year to brief the board on the other four cyber risk impacts. That’s a missed opportunity.

Boards need to better understand cyber risk beyond compliance. The “state of rizz” (resilience) depends on more than audit checklists. Point-in-time audits work well for demonstrating regulatory due diligence. If something goes wrong, but the virtual paperwork shows that policies were followed and corrections made, enforcement actions can often be minimized or avoided.

That’s not true for the other risk impacts—operational disruption, financial fraud, brand impairment, and competitive disadvantage. Even after clean audits, the residual risk across these domains remains. Boards need to grasp this difference. And CISOs must continue translating technical risk into business language that supports resilience conversations.

Measuring Rizz: Easier Said Than Sustained

Communicating rizz is momentary. Measuring it is constant. Organizations spend heavily to prevent all five impacts, but security investments tied to non-compliance impacts often receive less scrutiny (ROSI). That’s where control validation comes in.

Looking ahead (meaning, likely six months from now), AI agents will monitor and challenge other AI agents in continuous loops of control testing and remediation, especially as adversary TTPs evolve daily.

The Automation Angle: Purple Teams and Silver Bullets

Until then, automation in purple teaming, breach and attack simulation (BAS), and exposure validation is the best way to scale defenses without burning out staff.

A growing number of vendors (like Picus) offer automated testing platforms with user-friendly workflows. These platforms aren’t silver bullets, but they help CISOs tell a better executive story.

Consider Business Email Compromise (BEC). GRC will enforce controls like phishing simulations and financial separation of duties to satisfy LCF (Limit Control Frameworks) requirements. But if the CISO is also emulating attacks and testing the actual tech stack—email gateways, MFA, IAM policies—the story becomes richer. It shows intentional, tested resilience across financial fraud risk, not just paper compliance. It’s far more compelling than: “We have an EDR as prescribed in our compliance framework.”

Real Rizz Moves: How Live Threat Emulation Beats Paper Promises

To make this real, draw from live TTPs observed in the wild. For example, within the past 90 days (as of May 14, 2025), Recorded Future’s AI Insights flagged dozens of events that could be used as fuel for BAS automation.

• GitHub user winsecurity published AMSI-Bypass-HWBP, a lightweight debugger tool in Rust designed to evade Windows Antimalware Scan Interface (AMSI) detection.
• ANY.RUN detailed a new information stealer called Zhong Stealer that targets the cryptocurrency and fintech sectors through social engineering tactics involving chat support systems.
• @siri_urz shared a sample of DieStealer, indicating its capabilities of credential access and spyware functions.
• Reports from Hunt.io indicated an intrusion campaign targeting South Korean organizations using Cobalt Strike Cat modified for exploitative purposes.
• Kalman reported on a privilege escalation technique in GCP using IAM Conditions linked to tagBindings.
• Check Point Research detailed a spearphishing campaign by APT29 utilizing GRAPELOADER malware against European diplomatic entities.
• Insikt Group noted the discovery of CVE-2021-42013 scanning activities with overlaps found from Alibaba Cloud ISPs.
• Quarkslab reported CVE-2025-24200 as an authorization bypass vulnerability in iOS and iPadOS, allowing physical access to disable USB Restricted Mode before Apple patched it.
• Trend Micro highlighted EncryptHub's reliance on MSC EvilTwin loader exploiting CVE-2025-26633 as part of their custom malware arsenal.
• IBM X-Force detailed a fileless lateral movement technique exploiting COM objects in Windows systems.
• @tangent65536 shared Mimikatz binaries signed with legitimate certificates online.
• Cato Networks reported the Ballista IoT botnet targeting TP-Link routers.
• Coral Jasmine presented the LethalVoid RAT using malicious exfiltration methods via Discord webhooks and FTP.
• ThreatFabric identified Crocodilus Android banking trojan targeting financial institutions.
• Microsoft’s Threat Intelligence Center documented Storm-2460 ransomware’s introduction of PipeMagic malware exploiting CVE-2025-29824.
• Morphisec Labs exposed new delivery techniques for ValleyRAT through phishing tactics.

Risk Registers Win Audits. Rizz Wins Crises.

If the board only sees traffic light audit checkmarks, they’re missing the real color of cyber risk. That’s why rizz narratives must move beyond compliance and into control validation and business risk translation—before the next threat does it for you.