Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Post-incident review: Source map exposure on non-production subdomain

Update (February 24, 2026): @vmfunc has published part two of their series about Persona. You can read it here. We will update this post with part three when it is released. On February 16, 2026, security researchers @vmfunc, @MDLcsgo, and @DziurwaF published a blog post identifying exposed frontend source maps on a non-production subdomain under withpersona-gov.com.

Cloud Security for Financial Services: Building a Compliant AWS Environment

Financial services organizations moving to AWS often discover that retrofitting security and compliance controls costs three to five times more than building them in from the start. Compliance gaps discovered during audits can delay critical initiatives, trigger regulatory scrutiny, and expose organizations to unnecessary risk.

The Rise of the AI Security Engineer: A New Discipline for an AI-Native World

We are witnessing the birth of a new profession in the blend of security engineering and security operations, a discipline that didn't exist five years ago because the systems it protects didn't exist five years ago. As artificial intelligence moves from experimental to essential and agentic systems begin to perceive, reason, act, and learn autonomously, we need defenders who can operate at the same velocity. I'm talking about the AI Security Engineer.

The Vendor Tiering Series: Why Tier Your Vendors

The thing about blanket approaches is that they rarely work or scale. The same holds true for third-party cyber risk management. Treating every provider, stakeholder, or partner with the same intensity is neither productive nor cost-effective. While defaulting to treating every vendor at the same risk level is common, it is not a resilient security strategy.

2026 State of Software Security: Risky Debt is Rising, But Your Strategy Starts Here

You can’t fix what you ignore. For years, organizations have raced to deploy software faster, often leaving a trail of unresolved vulnerabilities in their wake. We call this trail security debt, or flaws that are left unresolved over a year since being discovered, and it isn’t just a technical metric. It’s a compounding business risk that is growing harder to manage every year. Today, we are releasing the 2026 State of Software Security (SoSS) report.

Why CISOs should prioritize continuous control monitoring in 2026

In a recent roundup of strategic initiatives for CISOs, I argued that continuous assurance is the 2026 operating model. Across all ten initiatives, the pattern was clear. Security is no longer being evaluated by effort, it’s being evaluated by outcomes. Boards, customers, and regulators are no longer asking what tools you deployed or how busy your security team is. They are asking a simpler, harder question: Can you prove that your controls are working right now?

Why Most Companies Don't Catch Internal Threats Until It's Too Late

Every year, businesses lose billions to threats that don't come from hackers on the other side of the world. They come from inside the building. Whether it's financial misconduct, data theft, or simple policy violations that snowball into costly incidents, internal threats are consistently one of the hardest risks to detect and manage.

The Surprising Automotive Roots of Modern Combine Harvester Technology

Where do combine harvesters get their brains from? It feels like combine technology has always been developed in-house by the various manufacturers we see today. But the truth is...many of the critical systems that run your combine harvester actually come from the automotive industry. GPS guidance systems, hydraulic components, electronic sensors...the list goes on. Plus the artificial intelligence that drives the insane automation you see in some of the newer models. Automotive technology paved the way for today's high-tech ag machinery.

The Art of Deception: How Threat Actors Master Typosquatting Campaigns to Bypass Detection

Typosquatting is a deceptive technique in which threat actors register misspelled or look-alike domains of legitimate organizations to trick users into visiting fraudulent sites. It remains one of the most effective and underestimated attack vectors in the modern cyber threat landscape. What appears to be a misspelled domain often conceals sophisticated campaigns designed to phish company employees or customers, harvest credentials, deliver malware, and damage organizational reputation.