Writing

Insights & Analysis

Cybersecurity, compliance, AI, and the decisions security leaders actually face.

Compliance, Cybersecurity, Opinion

Anthropic's Mythos -- Making the Balance Due on Your Technical Debt

The cyber world is losing it over vague claims that Anthropic's Mythos will expose every exploitable interface on the Internet. It all comes down to addressing technical debt before the enemy exploits it.

Compliance, Cybersecurity

Your SOC 2 Report Might Be a Lie - The Delve Scandal and What It Means for Impacted Customers

A Y Combinator compliance startup called Delve just got caught selling essentially the same SOC 2 report to 494 companies. Not similar, but almost identical. Same paragraphs. Same grammatical errors. Different logos. And the kicker: the reports said every single one of those companies had zero security incidents. All 259 of them. Every observation period. Statistically impossible and apparently nobody noticed, or nobody cared.

Compliance, Cybersecurity, Active Attack

Axios npm Supply Chain Attack

On March 31, 2026, attackers hijacked the npm account of **jasonsaayman**, the primary maintainer of the Axios JavaScript HTTP client library. Using stolen credentials, they published two malicious versions (**1.14.1** and **0.30.4**) containing a hidden dependency that silently installed a cross-platform Remote Access Trojan (RAT) on developer machines and CI/CD systems. The attack was live for approximately three hours before npm removed the packages.
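A check a practitioner would want after reading this: does any lockfile in your repositories pin the two versions named above, including transitive copies nested under other packages? The script below is an added example written for this listing, not code from the Axios project or the original post. Only the two version numbers come from the post; the lockfile it scans is a constructed sample.

```python
"""Scan an npm lockfile for the Axios versions named in the post.

Added example for this listing, not code from the Axios project or the
original article. Only the two version numbers come from the post; the
lockfile below is a constructed sample.
"""
import json

# Malicious publishes named in the post.
AFFECTED = {"axios": {"1.14.1", "0.30.4"}}


def _pkg_name(install_path: str) -> str:
    # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    return install_path.rsplit("node_modules/", 1)[-1]


def affected_entries(lockfile_text: str) -> list[tuple[str, str]]:
    """Return (install_path, version) for every entry pinned to an affected version."""
    lock = json.loads(lockfile_text)
    hits: list[tuple[str, str]] = []
    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
        for path, meta in lock["packages"].items():
            if not path:
                continue
            name = meta.get("name") or _pkg_name(path)
            if meta.get("version") in AFFECTED.get(name, set()):
                hits.append((path, meta["version"]))
    else:
        # lockfileVersion 1: nested "dependencies" trees, one level per hoisting failure.
        def walk(deps: dict, prefix: str) -> None:
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if meta.get("version") in AFFECTED.get(name, set()):
                    hits.append((path, meta["version"]))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return hits


# Constructed sample: the top-level axios is clean, but a transitive copy
# nested under another package is pinned to one of the malicious versions.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.7.0", "some-lib": "^2.0.0"}},
        "node_modules/axios": {"version": "1.7.9"},
        "node_modules/some-lib": {"version": "2.0.0", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/some-lib/node_modules/axios": {"version": "1.14.1"},
    },
})

if __name__ == "__main__":
    for path, version in affected_entries(SAMPLE_LOCK):
        print(f"AFFECTED {path} {version}")
```

Run it against every `package-lock.json` in a monorepo, not just the root one; the nested path in the sample is exactly the case `npm ls axios` at the top level can hide when a dependency pins its own copy.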

Compliance, Cybersecurity, Email Security

Why Your Corporate Emails Are Getting Blocked — And Who's Really to Blame (It's Not The Recipient)

Legitimate corporate emails from well-known companies are getting blocked by Spamhaus ZEN. The culprit in most cases? Google. Here's what's happening, why it's getting worse, and what your organization should do about it.

Cybersecurity, Email Security

Don't Make Your Email Filter Your First Line of Defense – Why organizations keep getting phished when the fix is in the DNS

Having worked in email filtering for more than 15 years, I know that proper DNS configuration can dramatically reduce your phishing exposure. Yet most organizations still rely almost entirely on their email filter.
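As an added illustration of that point (example code written for this listing, not from the original article), the following Python assesses a domain's SPF and DMARC TXT records offline. It assumes the "fix in the DNS" refers to SPF and DMARC; the record strings at the bottom are constructed samples, not data pulled from any real domain.

```python
"""Offline assessment of SPF and DMARC TXT records.

Added example for this article listing, not code from the original post.
It assumes "the fix is in the DNS" refers to SPF and DMARC; the sample
records at the bottom are constructed, not pulled from any real domain.
"""
import re

SEVERITY_RANK = {"ok": 0, "warn": 1, "fail": 2}

# SPF terms that each cost a DNS lookup; RFC 7208 caps a record at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(txt: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one SPF TXT record."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return [("fail", "SPF: no v=spf1 record; forged envelope senders cannot be rejected")]
    findings = []
    lookups = 0
    all_qualifier = None
    for term in txt.split()[1:]:
        qualifier, body = "+", term
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1  # top-level only; nested includes also count but need live DNS
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(("fail", f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)"))
    # The qualifier on 'all' decides what happens to every sender not listed.
    if all_qualifier is None:
        findings.append(("fail", "SPF: no 'all' term; unlisted senders get a neutral result"))
    elif all_qualifier == "+":
        findings.append(("fail", "SPF: '+all' authorises every host on the Internet"))
    elif all_qualifier == "?":
        findings.append(("fail", "SPF: '?all' is neutral and protects nothing"))
    elif all_qualifier == "~":
        findings.append(("warn", "SPF: '~all' softfail; only DMARC enforcement acts on it"))
    else:
        findings.append(("ok", "SPF: '-all' hard-fails unlisted senders"))
    return findings


def assess_dmarc(txt: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one DMARC TXT record."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return [("fail", "DMARC: no record at _dmarc.<domain>; SPF/DKIM failures are never enforced")]
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "reject":
        findings.append(("ok", "DMARC: p=reject blocks unauthenticated mail"))
    elif policy == "quarantine":
        findings.append(("ok", "DMARC: p=quarantine diverts unauthenticated mail to spam"))
    elif policy == "none":
        findings.append(("warn", "DMARC: p=none is monitor-only; spoofed mail is still delivered"))
    else:
        findings.append(("fail", "DMARC: missing or invalid p= tag; record is unusable"))
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(("warn", f"DMARC: pct={pct} leaves {100 - pct}% of failing mail unenforced"))
    if "rua" not in tags:
        findings.append(("warn", "DMARC: no rua= address, so no aggregate reports arrive"))
    subdomain_policy = tags.get("sp", policy).lower()
    if policy == "reject" and subdomain_policy != "reject":
        findings.append(("warn", f"DMARC: sp={subdomain_policy} leaves subdomains spoofable"))
    return findings


def overall(spf_txt: str, dmarc_txt: str) -> str:
    """Worst severity across both records: 'ok', 'warn' or 'fail'."""
    findings = assess_spf(spf_txt) + assess_dmarc(dmarc_txt)
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__)


# Constructed sample records (not real domains).
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(f"{label}: {overall(spf, dmarc)}")
        for sev, msg in assess_spf(spf) + assess_dmarc(dmarc):
            print(f"  [{sev}] {msg}")
```

To check a real domain, paste in the TXT records from `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`. The lookup count only covers the top-level record, so treat it as a lower bound; a record that passes here can still permerror once its includes are expanded.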

AI, Cybersecurity

The Grace Period Is Over: AI Has Ended the Era of "Good Enough" Security Configurations

Hackerbot-claw ran autonomously for a week, scanned 47,000 repos, and compromised at least 6 major targets. No zero-days. No nation-state resources. Just AI and misconfiguration.

Compliance, Cybersecurity

29 Minutes. That's How Long You Have. What's Your MTTD — and Do You Actually Know It?

The 2026 CrowdStrike Global Threat Report finds that the average attacker breakout time has dropped to just 29 minutes. Fastest observed: 27 seconds. Does your detection and response program reflect this reality?

Cybersecurity, AI

Claude Code's Remote Control Is a Developer Dream — and a Security Team's Nightmare

Anthropic's Remote Control feature for Claude Code lets developers manage AI-assisted coding sessions from their phones. It's clever engineering — and a significant enterprise security governance challenge.

Cybersecurity, Opinion

Claude Code Security Announcement Ruffles Investors

Cybersecurity stocks tumbled after Anthropic announced Claude Code Security. The market reaction reveals a fundamental misunderstanding of where this tool fits in the security stack.

Cybersecurity, Scams

Does "Open to Work" Really Mean "Open to Being Scammed?"

Setting my LinkedIn profile to Open to Work immediately attracted scammers targeting job seekers. Here's what I encountered and what to watch for.

Compliance, Cybersecurity

Policies, Procedures, and Standards – Why They Are Needed and Their Impact on Corporate Security

As organizations grow, the absence of formal policies, procedures, and standards creates compounding security and operational risk. Here's why these documents matter — and what happens when organizations skip them.

Cybersecurity

Security Faux Pas – Owning Up When You Make A Mistake

Even the best security programs experience incidents. What separates resilient organizations from vulnerable ones isn't perfection — it's how employees respond when something goes wrong.

Compliance

Understanding the Value of a SOC 2 Report (Service Organization Controls)

SOC 1, SOC 2, SOC 3 — the terminology gets muddy fast. Here's how to understand the differences and why a SOC 2 Type 2 report signals genuine security maturity.

Cybersecurity

Getting a Grip on Your Personal Online Security

Three major data breaches to start 2024 prompted me to audit my own online accounts. Here's the process I used — and why forgotten accounts are a bigger risk than most people realize.

Cybersecurity

What Is Security & How Much is Enough?

Cybersecurity dominates our lives, yet most organizations still struggle to answer the most fundamental question: how much security is actually enough? The answer depends on risk, not compliance.

Cybersecurity

Importance of Separating Corporate and Personal Identities and Devices

The Target breach started with a contractor checking personal email on a corporate device. The DNC hack exploited a personal Gmail account accessed from a work machine. Separating your identities isn't optional — it's foundational.

Cybersecurity

Developing a Security-First Mindset

Security awareness isn't built through annual training. It's built the same way any habit is — through repeated exposure until the right behaviors become automatic.

Compliance, Cybersecurity

Importance of Asset Management in Organizational Security

You cannot protect what you don't know exists. Asset management is the foundation of every security and compliance program — here's why it matters and how to think about it.

Cybersecurity

The Importance of Personal & Corporate Cybersecurity Hygiene

Just as we maintain physical hygiene to stay healthy, cybersecurity hygiene keeps our devices and data secure. Here are the key practices everyone should have in place.

Compliance, Cybersecurity

Proper Password Management

Password reuse is one of the most exploited weaknesses in both personal and corporate security. Here's how passwords work, why reuse is dangerous, and what to do about it.

Opinion

Twitter's Last Days?

The post-Musk acquisition hysteria on Twitter is more theater than substance. Here's a more pragmatic take on what the ownership change actually means.