Security vs Compliance: Why Passing an Audit Isn’t the Same as Being Secure
Many organizations believe they are secure because they are compliant. They pass SOC 2 audits. They maintain ISO certifications. They satisfy HIPAA, PCI, or regulatory requirements. Policies are documented. Controls are implemented. Risk assessments are filed. On paper, everything appears...
When “Low Severity” Becomes High Impact: The Limits of Vulnerability Risk Management
Security teams triage vulnerabilities every day. Findings are categorized. Severity is assigned. Remediation timelines are scheduled. Dashboards reflect progress. The process appears disciplined. Yet some of the most damaging breaches in recent years began with vulnerabilities that were not initially...
CVSS v4 vs CVSS 3.1 – What’s New and Improved
Recently an update to CVSS scoring was released – CVSS V4. But, the real question is why was an update needed? What was wrong with CVSS 3.1? A few things were wrong. Amongst them are: What does v4 now do...
The 5 Things to Do This Quarter to Prepare for 2026 Cyber Threats
Stop trying to predict the next headline. Start removing the easiest paths in. If 2026 is teaching security leaders anything, it’s this: the most damaging cyber incidents aren’t always “loud.” Many are quiet, patient, and designed for leverage—long-term access, disruption...
Top External Network Penetration Testing Findings of 2025
With 2025 in the bag, we wanted to start an annual series highlighting the top findings from the previous year. As trends and technology shifts, as will these findings. We will start with external and dive into internal & web...
AI Changed the Rules: The Threats You Need to Model in 2026
AI is no longer an “innovation project.” In 2026, it’s embedded in how teams hire, support customers, review transactions, manage access, and make decisions at speed. That’s the opportunity and the problem. When you put AI into production, you don’t...
OWASP Top Ten 2025
The OWASP Top Ten is one of the most influential security awareness documents in application security, published by the Open Worldwide Application Security Project (OWASP). It represents a community-driven ranking of the most critical risks facing web applications. The 2025...
External Penetration Testing in 2026: Why Proactive Security Matters More Than Ever
As we move into 2026, an organization’s external-facing assets remain the most targeted—and most tested—entry points for cyber attackers. Websites, web applications, APIs, cloud infrastructure, and public-facing services continue to expand, often faster than security teams can fully account for....
Why LinkedIn Is the New Phishing Hotspot — And What Your Organization Should Do About It
Phishing attacks no longer live inside the inbox. Today, 1 in 3 phishing attempts happen outside of email — especially on platforms like LinkedIn, where attackers know your people are active, visible, and reachable. And while you want your employees...
Why Penetration Testing Is No Longer Optional: Lessons from the SharePoint Breach
In July 2025, Microsoft disclosed a critical vulnerability in SharePoint that allowed attackers to execute arbitrary code and gain access to sensitive systems – no password required. For organizations relying on SharePoint to manage internal documents and workflows, this was...