Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

A first step toward post-quantum security

At 1Password, our mission is simple: to protect people’s most critical information, their credentials. At the time of writing this post, I personally have 291 items in my vault, so the long-term confidentiality of this data is critical to me and every 1Password user. We are thrilled to announce the first major milestone in our post-quantum cryptography (PQC) journey, the successful deployment of PQC on 1Password’s web application.

What the Cyber Resilience Act guidance means for connected products

The latest European Commission guidance on the Cyber Resilience Act sends a clear message to manufacturers of connected products: cybersecurity must be designed in from the start, maintained throughout the product lifecycle, and supported by demonstrable processes for risk management, vulnerability handling and ongoing support. For organizations building, deploying and managing connected devices, this is a significant shift. The CRA is not simply another compliance exercise.

AI Integration Security: Why the Biggest Risk Is Not the Model

When people talk about AI security risks, the conversation usually starts with the model. Can it be jailbroken? Can someone get around the guardrails? Can an attacker make it say or do something it should not? Those are fair questions, but they are not the most important ones. The bigger risk is not the model on its own: it’s everything the model is connected to.

Introducing Programmable Flow Protection: custom DDoS mitigation logic for Magic Transit customers

We're proud to introduce Programmable Flow Protection: a system designed to let Magic Transit customers implement their own custom DDoS mitigation logic and deploy it across Cloudflare’s global network. This enables precise, stateful mitigation for custom and proprietary protocols built on UDP. It is engineered to provide the highest possible level of customization and flexibility to mitigate DDoS attacks of any scale.

Accelerating Secure Software Delivery in Southeast Asia: Why the "Surge of Binaries" Demands a Unified Strategy

For years, the conversation around digital transformation in Southeast Asia focused on “getting to the cloud.” Today, that conversation has shifted. Our region is no longer just adopting the cloud; we are leapfrogging traditional development cycles by integrating AI and cloud-native architectures at a staggering pace. However, this acceleration has created a byproduct that many organizations are struggling to contain.

Emerging Threat: Axios npm Supply Chain Attack Drops Remote Access Trojan (RAT)

On March 31, 2026, two malicious versions of axios were published to npm, using credentials stolen from a lead axios maintainer. The attacker injected a hidden dependency into both releases that drops a remote access trojan (RAT) on any machine that ran npm install during the exposure window. No CVE identifier has been assigned at the time of writing. The malicious dependency executes automatically at install time via a postinstall hook, without any action by the developer.

Why Security Debt Should Be a Board-Level Priority

Security debt (the accumulation of unresolved vulnerabilities that are over a year old) is no longer just a technical problem. It has become a significant business liability that directly impacts risk, revenue, and reputation. For too long, it has remained a concern siloed within IT departments. That approach is no longer sustainable. It is time to elevate security debt to a board-level key performance indicator (KPI) and tie its reduction to strategic business objectives.

Tackling alert fatigue with AI & automation: How MSSPs scale Tier 1 triage

For managed security service providers (MSSPs), alert fatigue doesn’t just burn out your analysts: it’s a real risk to your business. From the financial costs of missed SLAs and security incidents to the customer trust lost when critical alerts are overlooked, alert fatigue negatively impacts customer outcomes, client retention, and your profitability.

How intelligent workflows help MSSPs deliver customer outcomes at scale

For managed security service providers (MSSPs), customer loyalty is the most critical indicator of business health. Unlike other metrics that you directly control, such as mean time to respond or mean time to detect, it can’t be gamed: customers will either stay with you or they’ll churn. This means that the top priority for any MSSP should be to deliver the specific customer outcomes they were hired to provide, like helping to stop threat actors before they cause damage.

Zero Trust: Execution is now the standard

In January 2026, the National Security Agency released its first Zero Trust Implementation Guidelines (ZIGs). Their aim was to do something prior guidance intentionally avoided: move Zero Trust from architectural alignment to operational execution. That timing matters. Zero Trust has been a framework for years and rightly so. Like a quality standard, it is designed to evolve. The same tools, techniques, and skills shaping modern cyber defense are available to both friend and foe.