I spend a lot of time on the phone with people deciding which certifications to pursue. They tell me about their career goals, I tell them which credentials fit. Pretty simple most weeks. But every once in a while the cybersecurity news drops something so ridiculous that it basically makes my pitch for me. April 2026 was one of those months.
A cybersecurity company in Mexico called BePrime got breached because their admin accounts didn’t have multifactor authentication turned on. A cybersecurity company. No MFA. On privileged accounts. I had to read the story three times because I kept thinking I was missing something. I wasn’t. They also sued the journalists who reported it, which is a choice. Meanwhile, Microsoft dropped its second largest Patch Tuesday ever, Vercel got popped through a supply chain attack that started at an AI company, and Anthropic announced an AI model so good at finding vulnerabilities that they refused to release it publicly. All in one month.
Every major breach in April 2026 traces back to a fundamentals failure. MFA not enforced. Third party risk not managed. Supply chains not verified. These aren’t exotic problems. They’re the ones certifications were built to solve.
The BePrime Breach: You Can’t Make This Up
BePrime sells managed security services to massive companies. Iberdrola, one of the biggest energy companies in Europe. ArcelorMittal, the world’s largest steel producer. Alsea, which runs Starbucks and Domino’s across Latin America. These organizations paid BePrime to protect their infrastructure. Instead, BePrime became the vector that exposed them.
On April 20, a threat actor dumped 12.6 GB of BePrime’s internal data on a cybercrime forum. The haul included plaintext credentials (yes, plaintext), client penetration testing reports, Cisco Meraki API keys, and access to live surveillance camera feeds inside client offices. The attacker used those Meraki keys to take control of 1,858 network devices: switches, routers, access points. Over 2,600 endpoints were exposed.
The entry point? Admin accounts without MFA. That’s it. No zero day, no novel technique, no sophisticated social engineering campaign. Just unprotected privileged accounts at a company that literally exists to prevent this exact thing from happening to other organizations.
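Here is what checking for that basic control looks like in practice. This is an added example, not anything from the BePrime story or from any vendor's tooling: a small audit that reads a user export from an identity provider and flags privileged accounts with MFA turned off (and, as a bonus, privileged accounts nobody has logged into in months). The CSV columns, the role names in PRIVILEGED_ROLES, and the 90 day dormancy threshold are all assumptions you would adapt to your own directory export.

```python
import csv
import io
from dataclasses import dataclass

# Assumption: these role names mark an account as privileged in your IdP export.
PRIVILEGED_ROLES = {"admin", "org-admin", "network-admin", "superuser"}
DORMANT_DAYS = 90  # assumption: privileged logins older than this are worth a look

# Constructed sample export. Column names are an assumption about a generic
# identity-provider user export, not any real vendor's format.
SAMPLE_EXPORT = """username,roles,mfa_enabled,last_login_days
alice,org-admin;billing,true,2
bob,network-admin,false,1
carol,viewer,false,40
dave,admin,false,200
erin,support;admin,true,5
frank,superuser,true,120
"""


@dataclass
class Finding:
    username: str
    roles: list
    issues: list


def parse_export(text):
    """Turn the CSV export into plain dicts with typed fields."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        users.append({
            "username": row["username"].strip(),
            "roles": [r.strip() for r in row["roles"].split(";") if r.strip()],
            "mfa_enabled": row["mfa_enabled"].strip().lower() == "true",
            "last_login_days": int(row["last_login_days"]),
        })
    return users


def is_privileged(roles):
    """An account is privileged if any of its roles is in the privileged set."""
    return bool(PRIVILEGED_ROLES & set(roles))


def audit(text):
    """Return one Finding per privileged account that fails a basic control."""
    findings = []
    for user in parse_export(text):
        if not is_privileged(user["roles"]):
            continue  # non-privileged accounts are out of scope for this check
        issues = []
        if not user["mfa_enabled"]:
            issues.append("privileged account without MFA")
        if user["last_login_days"] > DORMANT_DAYS:
            issues.append("dormant privileged account")
        if issues:
            findings.append(Finding(user["username"], user["roles"], issues))
    return findings


def mfa_coverage(text):
    """Fraction of privileged accounts that have MFA enabled (1.0 if none exist)."""
    privileged = [u for u in parse_export(text) if is_privileged(u["roles"])]
    if not privileged:
        return 1.0
    return sum(1 for u in privileged if u["mfa_enabled"]) / len(privileged)


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{f.username:8} {';'.join(f.roles):20} {', '.join(f.issues)}")
    print(f"privileged MFA coverage: {mfa_coverage(SAMPLE_EXPORT):.0%}")
```

The point of the coverage number is that it is a single metric a vendor can be asked to produce on demand. If a managed security provider cannot tell you what percentage of its own admin accounts enforce MFA, that answer is itself the finding.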
The worst part might be the pentest reports. Those documents map out every known vulnerability in BePrime’s client environments. According to DataBreaches.net, they’re now on a public cybercrime forum. If you’re an attacker targeting Iberdrola or ArcelorMittal, someone just handed you a treasure map. And the live camera feeds? Employees at these companies were being watched through their own office surveillance systems because their security provider forgot a basic control that’s covered in Chapter 3 of every Security+ study guide.
When I’m talking to someone about ISACA certifications and they ask why governance and risk management matter, I usually have to build a hypothetical scenario. Now I can just send them the BePrime article. This is what happens when nobody in the room is asking whether the vendor that manages your security controls has actually implemented the basics themselves. That’s a CRISC conversation. It’s also a conversation that apparently wasn’t happening at any of BePrime’s clients before this went sideways.
The Rest of April Wasn’t Much Better
BePrime got the most attention because of the irony factor, but it wasn’t the only major incident. Vercel, the cloud platform that half the web development world relies on, confirmed a breach on April 19. The attack path on that one is worth understanding because it shows how messy supply chain risk has gotten.
An employee at Vercel had a Google Workspace account. That account was compromised through a breach at Context.ai, an AI tool the employee used. The attacker took those stolen credentials, pivoted into Vercel’s internal systems, and accessed environment variables, employee records, internal dashboards, and API keys. Then someone claiming to be part of ShinyHunters (the actual ShinyHunters group denied involvement) posted stolen data on a breach forum and reportedly demanded $2 million.
Think about the chain there. An AI tool gets breached. That breach compromises an employee credential at a different company. That credential gives access to developer infrastructure used by millions of people. Each link in that chain is a risk management failure that should have been caught. Was Context.ai evaluated as a third party risk? Was the employee’s access properly segmented? Were environment variables that contained sensitive data encrypted at rest? Vercel’s CEO admitted some environment variables weren’t marked as sensitive and therefore weren’t encrypted. That’s exactly the kind of control gap that CISA (the ISACA certification, not the government agency) is designed to catch during an audit.
Microsoft’s 167 patch dump alone would have made April a demanding month for any IT security team. Prioritizing that many vulnerabilities, especially with active zero day exploitation and public proof of concept code circulating, requires people who actually understand risk assessment. Not people who can recite definitions. People who can look at a list of 167 CVEs and tell you which five to patch today and which can wait until next week. That’s a skill, and it’s one that separates teams that stay ahead from teams that are constantly reacting.
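To make that triage skill concrete, here is an added example (mine, not Microsoft's guidance or any scanner's output) of the kind of scoring a team can run over a Patch Tuesday list. It uses the four April CVEs discussed later in this post with the attributes the coverage gave them (active exploitation, public proof of concept, CVSS 9.8, remote reachability). The CVSS values for the three CVEs whose scores the post does not state, the exposed host counts, the two CVE-2026-EXAMPLE entries, and the weights in triage_score are all constructed placeholders, not published data.

```python
from dataclasses import dataclass


@dataclass
class Vuln:
    cve: str
    component: str
    cvss: float
    exploited_in_wild: bool = False  # vendor or CISA says it is being exploited
    public_poc: bool = False         # working exploit code is circulating
    remote: bool = False             # reachable over the network, no local foothold needed
    exposed_hosts: int = 0           # constructed: hosts in our estate running the component


# Constructed sample list. Exploitation / PoC / remote flags for the first four
# follow the April 2026 coverage; CVSS values marked "placeholder" are not published scores.
PATCH_LIST = [
    Vuln("CVE-2026-32201", "SharePoint Server", 8.8,   # 8.8 is a placeholder
         exploited_in_wild=True, remote=True, exposed_hosts=12),
    Vuln("CVE-2026-33825", "Windows Defender (BlueHammer LPE)", 7.8,  # placeholder
         public_poc=True, remote=False, exposed_hosts=3800),
    Vuln("CVE-2026-33824", "Windows IKE Service Extensions", 9.8,
         remote=True, exposed_hosts=300),
    Vuln("CVE-2026-33827", "Windows TCP/IP (IPv6 + IPsec)", 9.8,  # placeholder
         remote=True, exposed_hosts=4000),
    Vuln("CVE-2026-EXAMPLE-1", "Office rendering component", 7.5,
         remote=False, exposed_hosts=4000),
    Vuln("CVE-2026-EXAMPLE-2", "Legacy management console", 5.3,
         remote=False, exposed_hosts=50),
]


def triage_score(v):
    """Higher means patch sooner. Weights are an assumption; tune them to your estate."""
    score = v.cvss
    if v.exploited_in_wild:
        score += 10  # confirmed exploitation outranks any theoretical severity
    if v.public_poc:
        score += 5   # exploit code in the wild shortens the window dramatically
    if v.remote:
        score += 3   # network-reachable bugs are worm and mass-scan candidates
    score += min(v.exposed_hosts, 5000) / 2500  # up to +2 for broad exposure
    return score


def tier(v):
    """Map a vulnerability to a patch window; rules are an assumption."""
    if v.exploited_in_wild or (v.public_poc and v.remote):
        return "patch today"
    if v.public_poc or (v.remote and v.cvss >= 9.0):
        return "this week"
    return "next cycle"


def prioritize(vulns):
    """Return the list sorted so the first entries are the ones to patch first."""
    return sorted(vulns, key=triage_score, reverse=True)


if __name__ == "__main__":
    for v in prioritize(PATCH_LIST):
        print(f"{triage_score(v):5.2f}  {tier(v):11}  {v.cve:22} {v.component}")
```

The useful output is not the exact numbers but the ordering and the tiers: the actively exploited SharePoint bug lands on top regardless of its base score, the Defender privilege escalation gets pulled forward by its public proof of concept even though it is local-only, and the two 9.8 remote bugs sit in the same week-long window. That is the judgment call the paragraph above describes, written down so it can be argued about and repeated.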
Matching the Failures to the Certifications
I talk to people about certifications every day. The question is always the same: which one should I get? My answer changes depending on what you’re trying to do, but April’s news cycle basically wrote a certification roadmap in real time. Each of these failures maps directly to a credential that addresses it.
The BePrime failure is a CRISC problem. ISACA’s Certified in Risk and Information Systems Control (CRISC) is specifically about identifying and managing IT risk at an enterprise level. Vendor risk management is core to that. If anyone at Iberdrola, ArcelorMittal, or Alsea had run a proper third party risk assessment on BePrime, one of the first questions would have been about privileged access controls. Are admin accounts protected by MFA? Are credentials stored securely? Is there a tested incident response plan? CRISC teaches you to ask those questions before you sign the contract, not after the breach shows up on a cybercrime forum.
The Vercel breach is a CISA problem. ISACA’s Certified Information Systems Auditor (CISA) covers exactly the kind of IT audit work that would have flagged Vercel’s control gaps. Environment variables containing sensitive data weren’t encrypted at rest. Employee access from third party tools wasn’t properly segmented. The audit trail that should have caught the initial compromise apparently didn’t work fast enough. A CISA certified auditor reviewing Vercel’s environment before this happened would have been looking at exactly these controls.
The Microsoft Patch Tuesday triage is a CISM problem. Someone has to look at 167 vulnerabilities, understand the organization’s risk posture, and make fast decisions about what gets patched now versus what gets scheduled for next cycle. That’s security program management. ISACA’s Certified Information Security Manager (CISM) covers security program development and management, incident management, and risk assessment at the management level. The person making that call for your organization needs to understand both the technical severity and the business impact. That’s what CISM is built for.
The AI threat acceleration is an AAIR problem. The Anthropic Mythos announcement, GPT-5.5 shipping with a “High” cybersecurity risk classification, and the LMDeploy SSRF exploitation 13 hours after disclosure all point to the same thing: AI is making the threat environment move faster than most organizations can respond. ISACA’s Certified in AI and IT Risk (AAIR), which opened for registration on April 15, 2026, is specifically designed for professionals who need to evaluate whether AI implementations create more risk than they reduce. That’s the conversation every organization should be having right now, and almost nobody has people qualified to lead it.
Straight talk on stacking: If you’re reading this list thinking “I need all four of those,” slow down. Nobody gets four certifications at once. Start with the one that maps to your current role or the role you want next. If you’re in risk management or GRC, CRISC is probably your move. If you’re in audit, CISA. If you’re managing a security program, CISM. If you’re focused on emerging AI risk, AAIR gives you first mover advantage since the cert is brand new and the holder pool is tiny. Pick one, pass it, get the career benefit, and then decide on the next one. That’s how this works in practice.
The Supply Chain Problem Isn’t Going Away
Three of April’s biggest stories involved supply chain failures. BePrime’s clients got burned because their security vendor was the weak link. Vercel got burned because an employee’s third party AI tool was the weak link. Bitwarden CLI users got burned because a CI/CD pipeline dependency was the weak link. In every case, the organization that got hurt didn’t make the mistake directly. Someone they trusted did.
This is why third party risk management isn’t some obscure GRC topic that only auditors care about. It’s the thing that determines whether your company ends up on a breach notification list because somebody you paid to protect you couldn’t protect themselves. I see organizations spend six figures on their own security controls and then hand admin access to a vendor they never audited. It happens constantly, and every time, the explanation after the breach is some version of “we assumed they had it under control.”
The Vercel story adds another layer. The breach started at Context.ai, an AI tool that an employee was using. How many AI tools are your employees using right now that your security team hasn’t evaluated? Probably more than you think. A recent study found that 90% of employees use AI at work but only 16% feel adequately trained on how to use it safely. That gap is a supply chain risk that most organizations haven’t even started to measure, let alone manage.
Frequently Asked Questions
What was the BePrime data breach in April 2026?
BePrime, a managed cybersecurity services provider in Mexico, was breached in April 2026 after attackers exploited administrator accounts that lacked multifactor authentication. The breach exposed 12.6 GB of data including plaintext credentials, client penetration testing reports, Cisco Meraki API keys controlling 1,858 network devices, and live surveillance camera feeds from Fortune 500 client offices. Affected clients included Iberdrola, ArcelorMittal, Whirlpool, and Alsea. BePrime subsequently threatened legal action against the journalists who reported the incident.
Which ISACA certifications address vendor and third party risk?
CRISC (Certified in Risk and Information Systems Control) is ISACA’s primary certification for enterprise IT risk management, including third party and vendor risk assessment. CISA (Certified Information Systems Auditor) covers the audit and control evaluation side, including assessing whether vendors have appropriate security controls in place. For organizations dealing with AI related vendor risk, ISACA’s new AAIR (Certified in AI and IT Risk) certification, which opened for registration in April 2026, specifically addresses how to evaluate risk introduced by AI tools and implementations.
What happened in the Vercel breach?
Vercel, the cloud development platform behind Next.js, disclosed a breach on April 19, 2026 that originated through a supply chain compromise. A Vercel employee’s Google Workspace account was compromised through a prior breach at AI platform Context.ai. The attacker used those credentials to access Vercel’s internal systems, including environment variables (some of which weren’t encrypted at rest), employee records, internal dashboards, and API keys. A threat actor posted stolen data on a breach forum and reportedly demanded $2 million in ransom.
How many vulnerabilities did Microsoft fix in April 2026?
Microsoft’s April 2026 Patch Tuesday addressed 167 vulnerabilities across Windows, Office, SharePoint, and related products. Notable patches included a SharePoint Server zero day (CVE-2026-32201) already under active exploitation, the “BlueHammer” Windows Defender privilege escalation (CVE-2026-33825) with public proof of concept code, a CVSS 9.8 remote code execution in Windows IKE Service Extensions (CVE-2026-33824), and a critical TCP/IP RCE (CVE-2026-33827) exploitable through IPv6 packets when IPsec is enabled.
What is ISACA’s AAIR certification?
AAIR stands for Certified in AI and IT Risk. It’s a new ISACA certification that opened for registration on April 15, 2026, with first exams expected in Q2 2026. AAIR is designed for IT professionals who need to evaluate whether AI implementations create more risk than they reduce. It covers AI governance, AI related risk assessment, and the integration of AI risk into enterprise risk management frameworks. AAIR is part of ISACA’s broader AI certification stack alongside AAISM (AI Security Management) and AAIA (AI Assurance).