An entrepreneur and explorer living by faith, for family, with freedom.

I love breaking norms, brainstorming ideas, scaling businesses, and connecting with people.

Go ahead and hit me up!

This chart is brutal.

Almost 30% of vulnerabilities are exploited the same day the CVE is published.

Yes, same day.

CVE publication is not an early warning.
Very often, it’s just confirmation that attackers are already using it.

Attackers don’t wait for disclosure.
Defenders still do.

And yes, I know patching is hard.
But let’s stop pretending time is on our side.

It isn’t.

So, if you want to be proactive, you need to test more often. 
There is no other way around. 

Do you want to know how? 
DM me

Thanks, VulnCheck, for the ongoing research.

Jorge  Monteiro

CEO, Ethiack | Securing your tech with Autonomous Ethical Hacking

I keep saying this, because I keep seeing it again and again in the real world.

Most companies are still defending yesterday’s systems against today’s attackers. And the gap is getting bigger, not smaller.

Every week, I talk with security teams doing “all the right things”.
Annual pentests. Endless scanners. Dashboards full of CVSS scores.
And still… the same few exploitable paths keep getting missed.

In this conversation, I share my honest view from building Ethiack and spending years on the offensive side of security:

• Why scanners create more noise than clarity
• Why risk only becomes real when you can actually exploit it
• Why compliance is useful, but far from enough
• Where AI really helps security teams, and where it’s just hype
• Why continuous testing is no longer “nice to have”

This chat was with Michael Bancroft, as part of the KPMG Private Enterprise Global Tech Innovator 2025, representing Portugal.

I’m not claiming to have all the answers.
But I am convinced of one thing: 
Attackers don’t care about reports, tools, or frameworks. 
They care about what works.

If you’re responsible for security and feel that gap growing, this interview might resonate.

Full interview here:
https://lnkd.in/enfJZ7fH

TLDR
Security isn’t about more tools.
It’s about continuously proving what can actually be broken.

Open video: Why Annual Security Testing No Longer Works on youtube.com

Why Annual Security Testing No Longer Works

We are proud to announce that Ethiack has joined forces with Complear to lead a groundbreaking consortium funded by the European Commission! 🇪🇺

As part of the CYSSDE program (Cybersecurity Deployment, Preparedness, Support, Capacity & Capabilities), we are bringing advanced offensive security and continuous penetration testing to the forefront of the sector.

We will work directly with Startups, Hospitals, and Critical Infrastructure to build a more resilient digital health ecosystem.

Together, we are ensuring that the technologies protecting lives are protected themselves.

It is time to elevate the standard of healthcare security in Europe.

#HealthcareSecurity #CYSSDE #MedTech

No alternative text description for this image

Are the 2026 posts still valid? 
Just finished my personal goals, and why not share them publicly? 

First things first. 
I never ever shared my goals publicly before, 
but who cares?
Nobody cares anyway, and at least I can commit publicly 

So, how do I do this?

I now divide my life into 4 main groups. 
(Why Latin? Don't ask...)

Anima: Soul/Spirit, Faith, Curiosity/Learning, Explore/Travel/Adventure
Corpus: Body, Energy, Health
Familia: Family, Friends, Fools
Labour: Work, Money, Contribution

I live my life now by this order (or I try it 😅 )

Then, I write 3 goals for each group.
They may or may not be related inside the group

Example:
If I want to get lower body fat, I might include a running goal and a weight training goal, or even a sleeping goal. 

Other techniques:
- If the goal is too big, I may start with a small goal, and when I achieve it, I push a bit more. 

For now, I will not share them all, but I will share 4 that I feel are the most impactful in some way in 2026.

1. Go 30x Sunday Church 
2. Achieve 12% Body Fat 
3. Read 265 days a bedtime story to Leonor
4. Grow Ethiack to €3M ARR

These may seem very small for some and very big for others. 
But I don't care. 

Ready to share your process?

Every company I talk to thinks they know their attack surface.

Then we just do a passive recon.
Without even looking closer.

And we find
Old cloud projects nobody owns.
Vendors exposing stuff they forgot.
APIs created for a sprint and never removed.

Security teams aren’t blind because they’re bad.
They’re blind because the environment never stops changing.

If your visibility isn’t continuous, it’s already outdated.
Attackers know this. 
That’s why they win.

DM me for a free recon scan
The worst scenario: you will get to know the same you already know
The best scenario: you will know a bit more

Let’s talk about the elephant in the room in Retail: 

...
before the 🐘

Ethiack “State of Digital Exposure for European Retail”, which analyzed over 50,000 assets from 1,700 retail companies.

It’s a HUGE report. 

And when you finish reading it, you’ll understand where Retail stands and what needs to be done to improve the security posture of the industry.

It’s freely accessible here - no email required: https://lnkd.in/eNNYc7fh

Now the Elephant 🐘
11% of Retail companies still use PHP

2h to find a critical vulnerability.

Crazy how AI pentesting changes the game.

Hacker. CTO @ Ethiack. Invited Professor at University of Porto and Porto Business School.

Our pentesting agent found a 1-click ATO to RCE in Moltbot (Clawdbot) Gateway Control UI in under 2 hours.

Local instances can also be exploited with one click.

Patched in main, update now.

Watch the exploit 👇

By Henrique Branquinho, Bruno Mendes and team. 

Blog post: https://lnkd.in/ep-Rrjax

What a surprise
AI just became the main character in cybersecurity.

Here’s what most people are missing:

- This isn’t just “tools getting smarter”. We are actually witnessing threats accelerating faster than human workflows

- Attackers are automating recon, phishing, and exploitation; the gap is speed.

My take: the next advantage won’t be “best detection”.
It’ll be the fastest feedback loop: detect, validate, fix, retest...

Two security models 

Select one...

Traditional security model:
Plan
Schedule
Test
Wait

Attacker model:
Wait & Watch
Detect change
Exploit immediately

If your defence reacts more slowly than the attacker,
The outcome is predictable.

Security is a race.
Timing beats tooling.

Choose the attacker model. 
Attack yourself before you get attacked

77% of organizations now use AI in security operations.

said Global Cybersecurity Outlook 2026, WEF

But 54% say they lack the skills to do it properly.
41% still require human validation for AI decisions.

AI in security is not about replacing humans.
It’s about deciding where humans must stay in control.

That line matters more every year.

Looking for an exceptional QA with hands on in automation and AI.

Apply here

We are hiring a 𝐐𝐀 𝐀𝐮𝐭𝐨𝐦𝐚𝐭𝐢𝐨𝐧 𝐄𝐧𝐠𝐢𝐧𝐞𝐞𝐫 at Ethiack -> https://lnkd.in/eEu9haA7

Here are a few things I would like you to know:

At Ethiack, we secure organizations. Our mission is to offer the best pentest in the world: a combination of the speed of automated and agentic vulnerability detection with the deep knowledge of the best hackers in the game.

The engineering team is the backbone of this mission. We are a group of curious, self-learning individuals striving to build a premium product. Although young and not yet "seniors" on the CV, we are eager to try, fail, and learn from the outcomes. If you ever get blocked, you can count on a team that is always willing to jump in and help you find a solution.

That collaborative spirit is what keeps us moving forward.

We ensure our portal is stable, the UX is smooth, and vulnerabilities are detected instantly, even when targeting huge attack surfaces. This is where you come in: help us ensure that the quality of what we offer is truly world-class.

📩 Reach out to me if you want to know more about us and the role.

#QAAutomation #CyberSecurity #Hiring #TechJobs #Ethiack

They say that Attack Surface Management is obsolete 

I don't think so. 

 IMO, asset inventory is still one of the most underestimated security problems.

Not detection.
Not response.
Inventory.

You can’t protect what you don’t know exists.
And most companies don’t actually know what’s exposed right now.

If IT and Security have different lists, you don’t have visibility.
You have opinions.

First discover what you have
Then test it.

Cybersecurity needs "herd immunity."

Here's the uncomfortable truth:

It doesn't matter if your organization is secure if your suppliers, partners, and customers aren't.

I just published an opinion piece in Jornal de Negócios on why cybersecurity is no longer just a tech issue, but it's an economic infrastructure problem.

An attacker doesn't need to breach you directly. 
They just need to find the weakest link in your supply chain.

Think:
→ A logistics partner with outdated systems
→ A SaaS connected via API
→ A payment processor running unpatched software

One breach propagates across the entire value chain. 

We learned this lesson during the pandemic: individual immunity isn't enough. You need collective immunity to stop transmission.

The same applies to cybersecurity.

We can't have a few well-protected organizations operating in an ecosystem full of vulnerabilities. The digital economy is interconnected. One weak link compromises everyone.

What needs to change:
✓ Annual compliance checklists → Continuous exposure validation
✓ Point-in-time pentests → Autonomous Pentesting (AI+Humans)
✓ Individual security → Supply chain-wide verification
✓ Static reports → Real-time risk visibility

The solution isn't just securing your own perimeter.

It's ensuring every partner, vendor, and supplier in your value chain is continuously tested and validated.

Supply chain security isn't optional anymore. It's baseline.

And it's why continuous pentesting across the entire ecosystem is the only way to build real "herd immunity" against cyber threats.

Full article (Portuguese) in comments 

Are you securing your organisation, or your entire supply chain?

When you ask me: “Can I schedule this test?”

I can tell you so much about your security posture.

It assumes risk appears on a date.
It assumes attackers respect timelines.
It assumes systems stay still.

None of that is true.

Security should trigger on change, not time.
Anything else is false comfort.

One of the hardest and most frequent things I tell prospects is this:

“No, you can’t schedule it.”

This is the most asked request and the one I keep saying no to.

Not because I want to be difficult.
Because scheduled security is already obsolete.

If your testing waits for a calendar invite,
Your exposure window is wide open by design.

CEOs and CISOs worry about different things


CEOs worry about:
• Cyber-enabled fraud
• AI-related data leaks
• Financial and reputational loss

CISOs worry about:
• Ransomware
• Supply-chain exposure
• Operational continuity

Why this matters:
• Security buying is moving upwards to the board
• Tools that talk only CVEs are losing relevance

This favors platforms that translate technical exposure into business risk.
At Ethiack we are now calculating financial annual expectancy loss of every vulnerability and giving CISOs the ROI

From recon to ransom negotiation. 
Traditional attack timeline: days to weeks.
AI-powered attack timeline: minutes to hours, 

What is this table really saying:
• The kill chain is being compressed
• The learning curve for attackers is dropping
• “Annual pentest + awareness training” is just not enough

Devil’s advocate (because we need to be honest):
• Not every attacker can pull off full autonomy end-to-end
• Real environments still have friction, MFA, segmentation, and detection
• Defenders also use AI; the arms race is symmetric in tools, asymmetric in incentives

Still, the direction is obvious: continuous exposure management wins, time based defenses lose when time collapses.

Question: if attacks move at machine speed, why are most defenses still running on human calendars?

Sales went signal-based.
Security stayed calendar-based.

Modern outbound reacts to intent.
Page visits.
Job changes.
Buying signals.

Pentesting still runs on schedules.
Once a quarter.
Once a year.
When procurement says so.

Attackers don’t wait for your calendar.
Why do security teams?

Security has a lot to learn from Sales...

Sales teams don’t say:
“Let’s only reach out to buyers on the first Monday of the month.”

That would be insane.

Yet in security, we do the equivalent.
We test on dates instead of signals.

Intent signals changed sales.
Change signals must change security.

Resilience beats prevention

In the recent report: Global Cybersecurity Outlook 2026 from World Economic Forum, only 19% say their cyber resilience exceeds requirements.
Most still operate at “minimum acceptable”.

Resilient orgs:
• Assume breach
• Test continuously
• Recover faster
• Simulate real adversaries

This is exactly where offensive security wins.

taplio

Jorge Monteiro's Linkedin Analytics

Jorge Monteiro

Performance ScoreJorge Monteiro's LinkedIn Performance

What is Jorge talking about?

Jorge Monteiro's Best Posts (last 30 days)

Ready to grow your LinkedIn presence?