Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

CISO Executive Briefing: This Week's Threats, Priorities, Foresight & Execution

Cyber risk remains at an elevated baseline. Ransomware holds at “new normal” highs, state actors exploit supply chains and zero-days, and AI accelerates attacks. Last week’s signals confirm active exploitation of known vulnerabilities and credential/ICS exposure. Winning CISOs reduce attack surface at first principles, assume breach, and enforce continuous validation with measurable business outcomes.

Top 10 Application Security Risks (2026 Edition)

You already know the threats are getting worse. What’s harder to articulate — especially to leadership — is exactly how they’re getting worse, and what’s slipping through the cracks in your current program. The application security risks your teams face in 2026 are not just more numerous than they were five years ago; they’re structurally different.

Top Software Supply Chain Security Best Practices for Enterprises

If an attacker compromised a dependency buried three levels deep in your build pipeline tonight, how long would it take you to find out? Open source libraries, third-party frameworks, transitive dependencies, build tooling, and now AI-generated code that developers may not have reviewed line by line: each of these components flows into your application, whether your team explicitly chose it or not. Each component is a potential entry point.

Why Restricting AI Code Security Tools Is the Wrong Answer - and What AppSec Programs Actually Need

I signed the Free Fable letter at freefable.org. I want to explain why — and why the reasoning behind it matters for AI code security beyond any single AI model. Cybersecurity defenders are not just critics of technology. We are the builders and operators of the systems that keep real organizations running under pressure.

What is Application Threat Detection and How Does it Work?

Security threats don’t announce themselves. They can slip in through vulnerabilities in your code, hide in third-party libraries, and exploit gaps that your team hasn’t had time to patch yet. That’s why application threat detection isn’t just a nice-to-have; it’s the foundation of a modern security program.

Why Claude Mythos Changes AppSec Research, Not Your Scanning Stack

If you’re like our team, the morning after the Claude Mythos announcement brought more questions than answers. Among them: “Serious question. Do customers still need SAST?” It’s a fair question if you stop at the headline. Claude Mythos, Anthropic’s frontier AI model currently gated to vetted partners through Project Glasswing, had autonomously identified thousands of zero-day vulnerabilities across major operating systems and browsers . No rule books, no checklists.

Why AI Changes Everything About Software Risk

Software risk has always existed. What’s changed is the scale, speed, and economics of it. For decades, organizations operated under a relatively stable set of assumptions: humans write code, security teams scan it, vulnerabilities get prioritized and patched. The process was slow, imperfect, and often underfunded — but it was manageable. AI has dismantled those assumptions. And if your security program is still calibrated to the old model, you’re already behind.

What Every CISO Needs to Know About AI-Assisted Development

There’s a conversation happening in boardrooms, security operations centers, and developer standups that I find both thrilling and concerning: the conversation about AI-assisted development. Engineering teams are shipping features in hours that once took months. Products that would have required six-month roadmaps are being prototyped in a weekend.

6 Best Practices for Managing Software Supply Chain Risks

Modern software is not written from scratch. It’s assembled. Developers pull from open-source repositories, import third-party libraries, accelerate development with AI coding assistants, and deploy across multi-stage CI/CD pipelines that span dozens of tools, services, and vendors.

Veracode's 20th Anniversary: Two Decades of Data Powering the Future of Software Security

Twenty years ago, the idea of continuously scanning software for vulnerabilities at scale was ambitious. Today, it’s essential. As Veracode marks its 20th anniversary, we’re not just looking back at what we’ve built; we’re looking forward at what the data tells us about where software security needs to go next. And the data says a lot.