Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Every year, the Verizon Data Breach Investigations Report sets the tone for how the industry understands the threat landscape. And every year, the most important question isn’t what’s changed — it’s whether organizations are keeping up. Based on the 2026 Verizon DBIR, the honest answer is: not fast enough.

The way software gets built has fundamentally shifted. AI coding agents are no longer just autocomplete on steroids; they’re resolving packages, configuring environments, selecting tools, and in some cases running the entire development lifecycle, with or without a human in the loop.

Every defense contractor preparing for CMMC has the same expensive surprise: the third-party engineering firm with VPN access into one file server just doubled the size of their assessment. CMMC, the Cybersecurity Maturity Model Certification that DoD will require on covered solicitations starting November 10, 2026, is scored against the systems that touch Controlled Unclassified Information, or CUI.

In the world of application security, vulnerabilities are always a moving target. As modern applications keep becoming increasingly API-driven, cloud-native, and dependent on third-party services, the attack surface has expanded dramatically. For years, the OWASP Top 10 has served as the North Star for security professionals, providing a consensus-based ranking of the most critical web application security risks.

On May 14, GitGuardian found a public GitHub repository called "Private-CISA" — 844 MB of plain-text passwords, AWS tokens, and Entra ID SAML certificates belonging to CISA, exposed since November 2025. Some credentials were still valid. CISA pulled it offline within 26 hours.

Security leaders know the threat is real. Getting finance to agree is a different problem. Brand protection ROI is calculable, but most teams never build the model, so the budget request dies in review. The core formula is straightforward: add avoided fraud losses, account takeover (ATO) remediation savings, churn prevention value, and analyst time recovered, then subtract software cost and edivide by that cost.

How do you navigate VMware Cloud Foundation (VCF) 9 terminology changes? The quick answer is that VCF 9 rebrands legacy products to unify the platform.

See how Torq harnesses AI in your SOC to detect, prioritize, and respond to threats faster. Request a Demo AI in security operations is moving fast. Agent capabilities are compounding, and the conversation has shifted from whether AI belongs in the SOC to how much it can take on alongside human analysts. But every serious conversation with a CISO eventually lands on the same question: can I trust it? Trust isn’t a model problem. It’s a grounding problem.

The ripple effects of a cyberattack rarely stay contained. Modern organizations rely on vast ecosystems of vendors, suppliers, SaaS providers, and partners. As those connections deepen, so does the potential blast radius of a third-party compromise. What begins as an exposed system or stolen credential inside a vendor environment can quickly cascade across the supply chain. Attackers understand this. Increasingly, they target trusted third parties as an indirect path into larger organizations.

The ink was barely dry on our coverage of the AntV Shai Hulud supply chain attack when a new compromise surfaced in the Python ecosystem. The target this time is durabletask, an open source Python package associated with Microsoft, used for building durable, fault-tolerant workflow orchestration on top of the Durable Task Framework. The latest safe version of durabletask is 1.4.0, and three known versions have been yanked from the PyPI registry.