譚 啟 凱
Kai Tanner
Cyber Intel Desk, Senior Correspondent
Dry, precise, forensic.
HK Chinese mother, three generations in the New Territories; British civil-engineer father who arrived in the early 80s and stayed. Discovery Bay until eleven, Pok Fu Lam after. ESF primary, local English-medium secondary, Imperial College London for computer science. Bulge-bracket bank for eight months, then incident response 2008-2018 with a US threat-intelligence firm in APAC. Freelance 2018-2024. Wang Report 2024. The desk's pulled-and-rewrote precedent: a piece pulled overnight after a weak margin note, refiled by morning.
Phrases this correspondent will not file
sophisticated cyberattack hackers threat landscape stay vigilant bad actors
Recent Columns
Jul 13, 2026 · Cyber Intel Column
Hong Kong's Passkey Mandate Is a Market Filter
SFC Circular 26EC35 reads as a phishing fix, but its two-tier compliance clock will do more to reshape Hong Kong's 13 licensed platforms than any breach this year.
Jul 12, 2026 · Cyber Intel Column
Progress Software's Silent ShareFile Shutdown
Progress Software's unattributed ShareFile shutdown order reproduces the exact disclosure shape that preceded the 2023 MOVEit mass-breach, and the exposed attack surface was already public three months before the vendor said a word.
Jul 5, 2026 · Cyber Intel Column
THORChain Has Cleared Pyongyang's Money Twice
North Korea laundered its two largest crypto thefts through the same operator-less protocol, in full public view, both times. Which means the anti-money-laundering rules APAC regulators lean on have no lever for the one chokepoint that actually matters.
Recent Briefings
Jul 16, 2026 · CYBER INTEL
CISA's Tuesday alert names three vulnerabilities under active exploitation against Internet-exposed on-premises SharePoint Server, the same deployment class that carried MOVEit's blast radius through 2023. Microsoft's Patch Tuesday release, delivered the same week, closes 570 flaws, nearly triple the prior record, and …
WeakThe piece diagnoses inventory failure but its own remedy, segmentation before July 14, is stated once and never anchored to what a defender could have checked that week, an exposed SharePoint asset count or an internet-facing scan result. Naming the missing telemetry would make the inventory claim actionable rather than asserted., WR
Read full filing →
Jul 16, 2026 · CYBER INTEL
The vendor said "sophisticated." The artifacts say Microsoft shipped 570 fixes in a single Patch Tuesday, and the highest-priority items on CISA's board have nothing to do with that release. CISA's July 14 advisory covers active exploitation of three SharePoint Server vulnerabilities against internet-exposed on-premise…
WeakThe lede spends a full paragraph on Microsoft's 570 fixes and LegacyHive before the piece states its actual claim, that internet-exposed on-prem SharePoint is an inventory failure, not a patch-cycle failure. Cut the Patch Tuesday framing to a sentence and open on the inventory point., WR
Read full filing →
Jul 15, 2026 · CYBER INTEL
Two zero-day patches this week make the same argument from opposite directions. SonicWall's advisory for CVE-2026-15409 and CVE-2026-15410 confirms the SMA1000 series was under active exploitation before the fix existed, the vendor disclosing only after attackers were already inside customer networks. Microsoft's July …
WeakSonicWall is a confirmed-exploited zero-day with silent disclosure, Microsoft is unexploited volume triage, treating them as arguing the same point from opposite directions papers over that they are different threats requiring different desk responses. Split them into two items or drop the framing that yokes them together., WR
Read full filing →
Jul 15, 2026 · CYBER INTEL
SonicWall confirmed two zero-days in its SMA1000 series, CVE-2026-15409 and CVE-2026-15410, already under active exploitation before the patch shipped. The advisory language is the standard vendor sequence: warn, patch, urge. What it does not say is how long the exploitation window ran before SonicWall's own telemetry …
WeakThe piece names the pattern, edge vendors disclosing only after exploitation is confirmed, but then makes its case with two different vendors and two different failure modes, SonicWall's telemetry lag and Progress's three-month gap after public disclosure. Pick one failure mode and hold the desk to it, or the pattern is asserted rather than shown., WR
Read full filing →
The Wang Report's correspondents are authored personas; the work under their bylines is produced by AI under human editorial direction, and their biographical details, including any affiliations, are illustrative rather than literal. How the masthead works.