Resilient Cyber Newsletter #37
Cyber Market Analysis Themes, Russia Cyber Planning, Hacking AI Agents/Apps, LLM Exploit Generation, & Runaway CVE Growth and Prioritization
Welcome!
Welcome to another issue of the Resilient Cyber Newsletter.
This week, we cover a broad range of topics, from a 2024 cybersecurity market analysis looking at funding and M&A trends to a look forward at the rest of 2025. On the AI front, we dive into the rise of Agentic AI and LLM exploit generation, and on the AppSec front we look at runaway CVE growth and the prioritization challenges it creates.
So, kick back and enjoy the discussions, resources, and topics this week!
On a personal note, I got a physical copy of my book that focuses on software supply chain security, “Software Transparency: Supply Chain Security in an Era of a Software-Driven Society”, last week in Japanese, as it has resonated not only in the U.S. market but now is on the shelves in Japan, which is incredible and more than I ever anticipated accomplishing.
Interested in sponsoring an issue of Resilient Cyber?
This includes reaching over 30,000 subscribers, ranging from Developers, Engineers, Architects, CISO’s/Security Leaders and Business Executives
Reach out below!
The Future of Real-Time Cloud Security
Nearly every organization runs in the cloud — and cloud threats are evolving faster than ever.
Traditional security can't keep up. It's time to stop cloud attacks in their tracks with runtime protection built for the cloud.
Cortex® Cloud delivers real-time, context-driven security with continuous protection from code to cloud to SOC — helping security teams detect, prevent, and respond to threats before they become breaches.
Don’t wait days to resolve incidents while attackers move in minutes. Stop attacks in real time. Learn more.
Cyber Leadership & Market Dynamics
Latest DOGE Order Aims to Cut Costs Through Federal Contracts
The latest order aims to cut costs through federal contracts as DOGE continues to carry out its activities across the U.S. federal ecosystem. This includes increased scrutiny of programs, a focus on removing broad consulting engagements without concrete deliverables/outcomes and also looking to establish a system to track and report on contract spending across each agency.
In fact, some firms, such as Booz Allen Hamilton, have already seen negative trends in their share price due to the news. It is reported that BAH generates 98% of its ~$11B in annual revenue from contracts with the U.S. government. Similarly, Leidos gets 87% of its revenue from the U.S. government. This demonstrates how some firms’ concentration of customer base can make them particularly exposed and vulnerable.
This is contrasted with other “large” firms in the Federal space, such as Accenture, which obtains only 17% of its North American revenue from the U.S. government.
Secure-by-Design Delusions
Over the last several years we have heard a TON about Secure-by-Design. This is in large part due to the amazing work of the talented folks at Cybersecurity and Infrastructure Security Agency.
In fact, I recently saw some awards given out for "Making Secure-by-Design a reality."
While I'm a huge fan of Secure-by-Design and the need to build in rather than bolt-on security, we've got a ways to go, and you may want to hold the champagne for now.
In my latest article, I discuss some of the complexities of Secure-by-Design, including competing priorities such as speed to market and revenue. Additionally, I cover the challenges of comparing software and cybersecurity with other industries, such as automobiles, in terms of safety, security, and regulation.
I dive into the role of open source and how it complicates the situation, along with the increased democratization of development with GenAI, all under-pinned by runaway vulnerabilities on top of a struggling vulnerability database ecosystem.
All of this comes at a time when we're seeing a massive deregulatory push here in the U.S. and are likely to see efforts such as software liability and Secure-by-Design lose momentum.
Many of us are eager to see a more resilient digital ecosystem and Secure-by-Design.
But we have to be sure we're doing it with eyes open to reality.
Themes from (and Beyond) the 2024 Cyber Market
Few in the industry do as great of a job looking at the cybersecurity industry as a market as Cole Grolmus. He leads Strategy of Security, and if you aren’t following him, you should be.
He recently did a deep dive into Altitude Cyber’s 2024 market review and provides several excellent insights into the 2024 market and where we may be headed in 2025, including:
M&A activity has been stable, but the mix of buyers and targets is shifting
The increased activity of strategic buyers
Startups being acquired earlier than ever before
Financing dollar volume and count trends
Who the top investors were
Below are a couple of the excellent charts from the article as well, which help visualize the analysis:
Hegseth Orders Cyber Command to Stand Down on Russia Planning
In an announcement that has led to much heated debate within the cyber community, it has been reported that U.S. Defense Secretary Pete Hegseth last week ordered U.S. Cyber Command to cease all planning against Russia, including offensive cyber actions.
The move is being pursued as part of a broader diplomatic effort to end the war in Ukraine. It’s being reported that it could impact several thousand U.S. personnel across various agencies and entities who conduct offensive and defensive operations in cyberspace.
One of the security peers in my network, Jacob Williams, penned a damning LinkedIn article titled “Stop Tracking Russian Cyber? That’s Not How Anything Works.” In the article, Jacob lays out several challenging aspects of this latest directive, such as procedural problems when it comes to threat actor tracking and classification, false flag operations that could be disguised as Russian, and the risk of fostering distrust in Government attribution.
Ironically, news also recently revealed that CISA stated they are NOT changing their stance when it comes to detecting and disrupting Russian APTs, despite the recent directive from the Trump administration. Given that, there seems to be some disagreement or disconnection between the DoD and CISA with regard to Cybersecurity and Russia. I suspect this could also be due to the fact that a new Director for CISA hasn’t been named yet, so their viewpoints as an organization may not be entirely in line with the DoD, which has a new Trump-appointed SecDef.
Award winning journalist Kim Zetter published a comprehensive piece analyzing the topic, and what is or isn’t true, as well as its implications.
“I Tell startups to leave Europe,” says Dutch CEO of tech unicorn Remote
Many tech leaders across Europe continue to raise concerns about overregulation, with the latest warning coming from the CEO of Remote. Job van der Voort recently stated the EU is going “overboard on tech regulation.” Job is the CEO of Remote, which is valued at over $3bn. He discusses how the regulation in the EU is stifling innovation and will have economic ramifications for the EU and companies trying to exist there.
We see this trend unfolding while the EU drives ahead with efforts such as NIS2, DORA, the EU AI Act, and more, while the U.S. is conversely pursuing a large deregulatory push with the new U.S. Presidential administration.
The Fastest Way to Understand and Communicate the Value of a Product
While a product's technical capabilities are key, and engineers and developers know this better than most, they also need to be able to communicate its value, especially early on. Founding teams and early-stage startups spend a fair amount of their time building market and brand awareness, evangelizing their vision, and trying to find product market fit.
This is an excellent post from Crystal Poenisch, who has held marketing roles at various successful companies, such as Chainguard and Aqua Security. She discusses how product marketers and founding sales teams need to understand products, what they do, how it does it and the value it brings to prospects and early customers.
She covers key topics, such as:
The importance of visualizations in technical marketing
Breaking down barriers to adoption
Using diagrams to learn new technology quickly
AI
How to Hack AI Agents and Applications
This is a truly awesome article from Joseph Thacker. Even as someone not on the "offensive" side of security, I found it incredibly well written; it helps you understand how AI agents and AI applications are potentially vulnerable and can be exploited.
It covers:
Understanding and getting comfortable with current AI models and LLM's
AI Attack Scenarios
The AI App "Responsibility Model," building on the widely used CSP Shared Responsibility Model
Mitigations and controls to minimize risks
This is one of the best articles I've seen on the topic. I definitely recommend reading it!
LLM Exploit Generation: Claude, DeepSeek, OpenAI
There has been much discussion about whether, how, and to what extent malicious actors can use LLMs to significantly aid exploit activity. That said, there isn't a lot of great research showing how effective LLMs actually are when applied to exploitation.
Luckily, the team at OWASP® Foundation continues to crank out amazing research, reports, and guidance. This latest publication examines GPT-4o, Claude, and DeepSeek R1 (self-hosted/local) to see how these LLMs performed against the intentionally vulnerable OWASP Juice Shop app, and also evaluates them against the popular Cybench framework.
They were able to replicate performance from earlier research against Cybench, with GPT-4o performing the best
The LLMs still required extensive human involvement to accomplish tasks and were noisy
The local/self-hosted DeepSeek models didn't perform well, which may force threat actors to rely on cloud-based LLMs
They also explored agents, with limited success in effectiveness and value
There are a lot of great insights in this paper into how LLMs can and do perform against current benchmarks when it comes to exploitation
The Rise of AI Agents
By now, you've likely realized that there is a story, post, or article about Agentic AI everywhere you turn.
But what the hell is it exactly, and what will its impact be? I found this paper from James Carson to be a great concise primer and deep dive on the topic.
It covers:
What are AI agents, and what does "Agentic" actually mean?
5 Types of AI agents
Existing Agentic Tools
Applications of AI Agents
Challenges and Risks
Viewpoints from Big Tech
Really solid resource for those wanting to understand Agentic AI and its potential implications better
Revolutionizing OffSec: A New Era with Agentic AI
Agentic AI is the buzzword of 2025, with startups and incumbents looking to leverage it for everything, including cybersecurity. This covers areas such as SecOps, AppSec, GRC, and, yes, Offensive Security (OffSec).
In this piece, Shahar Peled argues that OffSec hasn’t evolved with broader security when it comes to DevOps, APIs, Automation, and more and is still plagued with problems such as being point-in-time, expensive, and challenging to scale. He argues that Agentic AI can change this by moving towards making Pen Testing continuous, context-aware, and actionable.
That said, he cautions we aren’t there yet and challenges remain, but their promise is real, which could disrupt Pen Testing as we know it.
Defining LLM Red Teaming
We continue to see Red Teaming as a key aspect of secure LLM adoption, from sources such as the EU AI Act to NIST's AI RMF.
Organizations such as OWASP® Foundation have produced GenAI Red Teaming guidance. This piece from NVIDIA looks to define LLM Red Teaming:
What is LLM Red Teaming, and what does it look like in practice?
Why and how do teams approach Red Teaming LLMs?
How to use the knowledge and insights learned from LLM Red Teaming
How we beat alert fatigue with AI
Organizations continue to explore AI's value in cybersecurity challenges. One of those is alert fatigue, as organizations struggle to keep up with notifications about vulnerabilities, malicious activity, misconfigurations, and more.
This is a good blog from Sean Cassidy at Asana, looking at how they leverage AI to address alert fatigue. They are focusing on their SIEM tool and looking to drive down the false positive rate to ensure analysts look at real security risks rather than noise, which leads to cognitive overload and potentially missing real threats.
They also use AI to analyze and enrich alerts and actively engage involved users to verify activity and determine whether it is malicious or benign. They are also exploring the use of AI for vulnerability triage, enriching vulnerabilities with custom fields, setting up due dates, and adding comments for analysis by security teams.
The team is also exploring additional AI use cases such as auditing access to production, conducting security reviews, bug bounty routing and more.
Extracting the GPT4.5 System Prompt
If you’ve been learning much about GenAI and LLM security, you know that the system prompt is an enticing target for attackers and something GenAI providers try to safeguard.
As it turns out, OpenAI didn’t do such a great job of that with their latest release, ChatGPT 4.5. At least, that is the takeaway from a recent blog post from AI security startup Knostic.
They demonstrate how they got ChatGPT 4.5 to turn over the system prompt by utilizing well-crafted prompts.
If you’re looking to learn more about AI Security, you can catch my conversation with Knostic Co-Founder and industry security legend Sounil Yu below:
AppSec, Vulnerability Management and Software Supply Chain Security (SSCS)
Vulnerabilities Continue to Explode
Vulnerability Researcher Jerry Gamblin recently shared a snapshot of the CVE landscape as we head further into 2025, and it’s bleak. We already know organizations struggle to keep up, with vulnerability backlogs ballooning to hundreds of thousands and millions of unresolved vulnerabilities in large enterprise environments.
As he shows, we saw 48.37% year-over-year CVE growth in 2025 compared to 2024, and of course, 2024 also saw double-digit growth over the prior year.
Has your organization gotten 48% more effective in vulnerability management in the last year?
We all know the answer there.
Taking an Evidence-Based Approach to Vulnerability Prioritization
As vulnerabilities continue to balloon out of control and organizations' internal vulnerability backlogs climb in tandem, many are looking for ways to optimize their vulnerability prioritization.
This article from my friend Patrick Garrity at VulnCheck provides a good framework for evidence-based vulnerability prioritization.
The article also emphasizes that only 1.1% of vulnerabilities over the past decade are known to have been exploited, further illustrating that focusing on exploitation is a key part of effective prioritization.
Patrick also discusses the nuances of exploit availability, such as the difference between weaponized exploits and proofs-of-concept (PoCs). The chart below also helps demonstrate how exploit maturity builds toward known exploitation.
Frequently lost in the conversation of prioritization is internal organizational context. Patrick covers factors such as assets being connected to the Internet, remotely reachable, the automatability of exploitation, and more.
EPSS is NOT foolproof
As organizations continue to drown in vulnerabilities, the industry has sought improvements to add a signal to the noise. Vulnerability backlogs have ballooned to hundreds of thousands or millions for large enterprise environments.
One promising source of vulnerability intelligence is the Exploit Prediction Scoring System (EPSS), which is run by the same organization that leads the Common Vulnerability Scoring System (CVSS). For those unfamiliar, EPSS is intended to provide a score based on the probability that a vulnerability will be exploited in the next 30 days.
However, how effective is it, really?
This interesting research looks into just that: the correlation of EPSS to the Cybersecurity and Infrastructure Security Agency (CISA)'s Known Exploited Vulnerabilities (KEV) catalog. It shows that in many cases, CVEs with low EPSS scores were ultimately exploited and made their way onto KEV.
This means that if organizations use EPSS alone for vulnerability prioritization, they would miss many vulnerabilities that DO get exploited and pose risk. The key takeaway here is that EPSS isn't perfect. Like other vulnerability prioritization schemes, it has some challenges and areas for improvement.
Organizations ultimately need to use multiple sources of vulnerability intelligence and organizational context to drive effective vulnerability management.
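To make the two points above concrete, here is an added worked example (my own illustration, not code from Patrick's article, from VulnCheck, or from the EPSS research) that combines the signals discussed: KEV membership, exploit maturity (PoC vs. weaponized), the EPSS probability, and organizational context such as Internet exposure, remote reachability, and automatability. The CVE identifiers, scores, and asset attributes are constructed sample data, and the weights and thresholds are assumptions chosen for illustration rather than a published scheme. The key design choice is that KEV membership overrides a low EPSS score, so a CVE that is already known to be exploited cannot be buried by a low prediction.

```python
"""Evidence-based vulnerability prioritization (illustrative example).

Signals combined, all on a 0..1 scale:
  * exploitation evidence: CISA KEV membership, exploit maturity, EPSS
  * exposure: remote reachability, Internet-facing, automatable exploitation
CVSS is used only as a small tie-breaker, not as the primary driver.
All CVE IDs and attributes below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float               # CVSS base score, 0..10 (tie-breaker only)
    epss: float               # EPSS probability of exploitation in the next 30 days
    in_kev: bool              # listed in CISA's Known Exploited Vulnerabilities catalog
    exploit_maturity: str     # "none", "poc" or "weaponized"
    internet_facing: bool     # asset is reachable from the Internet
    remotely_reachable: bool  # vulnerable component reachable over the network at all
    automatable: bool         # exploitation needs no user interaction or special conditions


# Assumed weights: a public PoC is meaningful evidence, a weaponized exploit
# nearly as strong as observed exploitation.
MATURITY = {"none": 0.0, "poc": 0.5, "weaponized": 0.9}


def exploitation_evidence(f: Finding) -> float:
    """Strongest single piece of exploitation evidence for a finding, 0..1.

    KEV membership is treated as certainty regardless of EPSS. This is the
    lesson of the EPSS-vs-KEV research: a low predicted probability must not
    hide a CVE that is already known to be exploited in the wild.
    """
    if f.in_kev:
        return 1.0
    return max(f.epss, MATURITY[f.exploit_maturity])


def exposure(f: Finding) -> float:
    """Organizational context, 0..1. Components nobody can reach score near zero."""
    if not f.remotely_reachable:
        return 0.1
    score = 0.4
    if f.internet_facing:
        score += 0.4
    if f.automatable:
        score += 0.2
    return score


def priority_score(f: Finding) -> float:
    """Evidence multiplied by exposure, plus CVSS/100 as a tie-breaker (max +0.1)."""
    return round(exploitation_evidence(f) * exposure(f) + f.cvss / 100.0, 3)


def priority_bucket(f: Finding) -> str:
    """Map a finding to a remediation bucket. Thresholds are assumptions."""
    if f.in_kev and f.remotely_reachable:
        return "P1"  # known exploited and reachable: fix regardless of score
    s = priority_score(f)
    if s >= 0.6:
        return "P1"
    if s >= 0.3:
        return "P2"
    if s >= 0.1:
        return "P3"
    return "P4"


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed sample backlog (not real CVE data).
SAMPLE = [
    # Low EPSS but in KEV on an Internet-facing host: EPSS alone would miss it.
    Finding("CVE-2024-0001", 9.8, 0.02, True, "poc", True, True, True),
    # Weaponized exploit, high EPSS, Internet-facing, not in KEV (yet).
    Finding("CVE-2024-0002", 7.5, 0.91, False, "weaponized", True, True, False),
    # Critical CVSS but no exploit evidence and internal only.
    Finding("CVE-2024-0003", 9.8, 0.05, False, "none", False, True, True),
    # High EPSS but the vulnerable component is not reachable at all.
    Finding("CVE-2024-0004", 3.1, 0.60, False, "poc", False, False, False),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.cve}  {priority_bucket(f)}  score={priority_score(f):.3f}"
              f"  cvss={f.cvss}  epss={f.epss}  kev={f.in_kev}")
```

Running it ranks the KEV entry first despite its 2% EPSS, puts the weaponized-but-not-yet-KEV bug second, and pushes the CVSS 9.8 finding with no exploit evidence and the unreachable high-EPSS finding to the bottom. Swap the constructed records for a real feed (KEV JSON, the EPSS CSV, and your asset inventory) and the same logic applies; the weights are the part you should tune to your own environment.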
OpenSSF SBOM Catalog
While many have grown skeptical of Software Bill of Materials (SBOM) and their utility and value, there are also many others who continue to view them as a key part of broader software supply chain security and AppSec efforts.
This resource from OpenSSF is an interactive data set of SBOM tools and resources across the two leading SBOM formats, CycloneDX and SPDX, which can be used to identify tools, resources, and more.