Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

CVSS Is a Little Bit of Risk: Rethinking CVSS in Vulnerability Prioritization

The best part about my job is that I sometimes get to make some controversial statements. Well, as controversial as things can be in a niche area of cybersecurity like “what is a reasonable measure of vulnerability risk?” Along with my colleague Sander Vinberg we got to explore this question earlier this year at the second Annual VulnCon conference in Raleigh. Even though it’s only been held twice, it is quickly becoming one of my favorite conferences.

Security Alert: CVE-2025-64446 Fortinet FortiWeb Actively Exploited

A critical zero-day, CVE-2025-64446, path-traversal vulnerability in Fortinet FortiWeb, the company’s Web Application Firewall (WAF), is being actively exploited in the wild to create unauthorized administrator accounts on exposed systems. This flaw allows unauthenticated attackers to gain complete administrator access to affected devices.

Why IoT in Your Supply Chain Still Poses a Serious Cyber Risk

In today’s digital economy, every organization—whether a law firm, retailer, or financial services provider—is now part of someone’s critical infrastructure. A dangerous misconception persists: that Internet of Things (IoT) devices and Industrial Control Systems (ICS) are only concerns for industrial or manufacturing sectors. In reality, these technologies are quietly embedded in everyday operations across nearly every industry.

Understanding the MITRE ATT&CK Framework: A Modern Lens on Adversary Behavior

The MITRE ATT&CK framework is one of the most widely adopted and respected resources in the field of cyber threat intelligence. Serving as a common language for security professionals across industries and departments, it provides a consistent and structured way to describe adversary behavior.

3 Truths About the Financial Sector's Digital Supply Chain Uncovered by Bitsight TRACE

When it comes to managing cyber risk, the financial sector is squarely at the top of the food chain. It’s simple economics (and the plot of many movies): financial institutions have the money, and cybercriminals are always looking for ways to take it. As a result, institutions have invested heavily in strengthening their internal systems and cybersecurity controls. Those investments have paid off.

Critical Care, Critical Risk: Inside the Cyber Threats Targeting Healthcare

The healthcare sector remains one of the most targeted industries for cyber attacks due to its critical role in national infrastructure and its extensive repositories of sensitive data containing personally identifiable information (PII). It’s widely assumed that threat actors target healthcare and related organizations because they are perceived as more likely to pay a ransom to restore critical systems and protect patient safety in the event of an attack.

Cybersecurity Burnout's Secret Trigger: Lack of Visibility

The work of a cybersecurity professional never ends, and it’s never easy. Whether they’re responding to incidents in the SOC or briefing the board on supply chain vulnerabilities, security leaders and practitioners live under constant pressure. And while the reality of burnout may not be new, it’s still a growing threat. One that endangers not only the well-being of security professionals but also the resilience of the organizations they protect.

Introducing Bitsight Command Center: The Next Step in Cyber Risk Intelligence

Today’s security teams face disconnected tools and scattered data, which makes managing cyber risk increasingly complex. With the rapid rise in ransomware, new CVEs, and a constant stream of emerging threats, it has become difficult to monitor not only an organization’s own security posture but also the security of its third- and fourth-party vendors.

Delivering Real-Time Feedback with Bitsight Groma: Dynamic Remediation Now Fully Live

In December 2024, we announced Dynamic Remediation, an initiative that accelerates the feedback of customers' remediation efforts. The goal was simple but ambitious: reduce the time between a remediation and seeing that improvement reflected in Bitsight Security Ratings. This initiative was built in response to direct customer input. You asked for faster validation of your remediation, more transparency, and credit when vulnerable assets were remediated or taken offline.