We’re officially in the frantic days of pre-RSA, with product and feature announcements, fundraising frenzy and more.
I cover that this week leading into RSA, along with the DoD rolling out key programs, a brain drain out of CISA, the mania of MCP continuing to dominate the discussion around agentic AI, even in cyber, and I round up key cybersecurity reports from the Verizon DBIR, Mandiant’s M-Trends, and Datadog’s State of DevSecOps.
So buckle up, here we go!
Thanks for reading the Resilient Cyber Newsletter! Subscribe for FREE and join 45,000+ readers to receive weekly updates with the latest news across AppSec, Leadership, AI, Supply Chain, and more for Cybersecurity.
Interested in sponsoring an issue of Resilient Cyber?
This includes reaching over 45,000 subscribers, ranging from Developers, Engineers, Architects, CISO’s/Security Leaders and Business Executives
What’s driving success for 900+ security leaders? What’s standing in the way?
The new IDC Voice of Security 2025 is in! Watch this webinar to get the full results from the 900+ security leaders surveyed including:
72% of leaders report increased workloads, yet 58% consider their teams to be "properly staffed"
Flawed performance metrics that prioritize speed and volume over efficiency, like number of incidents handled or number of alerts, may be holding teams back
The most common AI use cases for teams are summarization (36%) and threat intelligence analysis (35%)
AppSec leader Endor Labs, where I serve as the Chief Security Advisor, recently made two big announcements. The first is their $93M Series B, boasting 30x ARR and 166% Net Revenue Retention (NRR). The round included participation from DFJ Growth and Salesforce Ventures.
In addition to the funding round, Endor announced two new capabilities:
AI Security Code Review: Discover architectural changes that could affect the security posture of your applications by using Endor Labs’ AI agents to review every Pull Request (PR).
Endor Labs MCP Server: Detect and fix vulnerabilities in AI-generated code - before they leave the IDEA, when you integrate Endor Labs’ scanning with tools like GitHub Copilot and Cursor.
You can find out about the funding round and much more context on the feature announcements here. I am truly excited to be part of such an amazing team helping define AppSec in the Agentic era.
I recently had a discussion with Endor’s CEO Varun too, where we went deep on the intersection of Agentic AI and AppSec, see below:
I’ve been collaborating with Endor Labs for a couple of years now as their Chief Security Advisor and I couldn’t be more excited about the future for this team as they’re incredibly positioned to be the AppSec platform of the agentic-era.
One of the largest U.S. Cybersecurity conferences is around the corner in RSA Conference next week in San Francisco (as if you couldn’t tell from all the product and fundraising announcements on socials etc.)
Part of the event includes the RSA Innovation Sandbox, where some of the most promising companies are highlighted each year. This post from Cole Grolmus of Strategy of Security does a great job breaking down the financing of the companies in this years RSA Innovation Sandbox.
As Cole recapped in his post:
7/10 companies are less than 5 years old
$186M of disclosed financing
Diversified lead investors
7/10 are AI companies - no surprise there, as AI is dominating the startup and VC landscape right now, as I have discussed previously with insights from folks such as Peter Walker of Carta and Mike Privette of Return on Security.
Speaking of financing and funding announcements as we head into RSA, this article from Cybercrime Magazine recapped some of the recent announcements, including:
Reco - $25M
AuthMind - $19.3M Seed
Sentra - $50M Series B
VanishID - $10M
Hopper $7.6M
Cynomi - $37M
Chainguard $356M Series D (largest of the bunch by far)
Miggo - $17M
Endor Labs - $93M Series B
There are several more, so check out the link above for the full list. It is safe to say that RSA helps drive both product and funding announcements!
Many security practitioners never take a step back and examine the startup ecosystem, but they should. This piece from my friend Ross at Venture in Security provides a field guide for security people regarding how startups work.
He covers key concepts such as:
Ten aspects of startups and the tech ecosystem that security practitioners should understand
Aspects of go-to-market (GTM) and sales strategies
How procurement functions and how critical it is
Startups competing with large enterprise players
And much more. I am increasingly realizing how beneficial it is for security practitioners to understand the ecosystem we operate in and the factors that drive its behavior. Ross is among the best at laying those concepts out.
In our world of social media, highlight reels, funding rounds, and acquisitions, we don’t often get a first-hand direct account of the opposite, of “failing”, or shutting down a startup, for whatever reason.
However, Yoad Fekete of Myrror provides just that in Part I of a series of articles, where he discusses shutting down the hit startup Myrror and why. He cites reasons such as an overcrowded market, saturated prospects, pivots, and seeming product market fit (PMF), alongside other issues such as hiring missteps and a war (just an aspect of life, for those from Israel, which represents an outside portion of the cyber startup ecosystem!).
While this first article doesn’t go deep into the details yet, and the subsequent series will, it is a breath of fresh air to hear from those who learned hard painful lessons of failure, because that is where a lot of the real lessons are found, rather than much of the highlights and glamor we typically see on the Internet.
Much of the broader discussion around markets continues to focus on tariffs, which President Trump has announced and implemented. This piece from Wired looks at the tariffs' impact on startups.
This piece particularly gives perspective from those in the venture capital world, ironically a community where President Trump saw large support heading into the election, about the' role of tariffs on the investment and startup community.
Several of the perspectives shared indicate investors may extend their investment cycles to mitigate risks and, in some cases, even change their investment portfolios. Startups also stated that uncertainty is causing them challenges.
It remains to be seen how this plays out and potentially manifests within the cyber startup and investment community.
Sequoia continues to promote AI and agentic AI and its role in reshaping not just technology but society. In this latest piece, Konstantine Buhler lays out what he calls the “always-on " economy and the role of AI in hybrid agent/human systems.
This includes industries such as finance, healthcare, physical, cybersecurity, and much more. These AI-powered systems will potentially be free of historical constraints around availability, support, responsiveness, and more, which are tied to humans’ finite ability for attention and action. AI doesn’t suffer from these same constraints and will lead to a much different society and industries than we see today.
"Fast Track" Authority to Operate (ATO). Rob Vietmeyer recently shared that the DoD will establish a Fast Track ATO process for software.
The goal is for software vendors to demonstrate that their products are trustworthy. This comes alongside software acquisition, FAR reform and modernization, and efforts to streamline procurement and integrate innovative technologies into the DoD and Federal space.
It will be interesting to see how this fits into existing ATO paradigms, 800-171, CMMC, FedRAMP, and other existing compliance requirements for those selling software to the Federal government.
Also, they should explain how they "demonstrate" security, how "secure" is defined, and what the process looks like from both a technical and process perspective regarding third-party assessment and/or self-attestations.
We continue to hear about cybersecurity increasingly being a board priority, with more and more CISOs and cyber leaders looking to get exposure to the board, and even on the board in some unique cases. This article from Rosalyn Page looks at some key aspects of what boards may and may not want to hear from security leaders.
Rosalyn makes key recommendations, such as the need to find an ally on a board, understanding the board's bios and makeup, and the key focus areas they are concerned with.
As the craze around MCP continues, the security community continues looking to learn about MCP, its potential gaps, shortcomings, and risks. This repo for a “Damn Vulnerable Model Context Protocol (DVMCP) is a “educational project designed to demonstrate security vulnerabilities in MCP implementations”.
It includes a series of challenges demonstrating different types of MCP vulnerabilities and attack vectors.
While AI has a ton of excitement, it also adds real pressure to security teams. This piece from CSO Online explains how teams are now trying to grapple with AI governance and security amongst the ever-expanding list of security responsibilities, and doing it without any additional training or expertise.
It is also amplifying existing challenges around code velocity, application security, and more, as developers and engineers are moving quicker than ever with the help of AI tooling.
The interest and excitement around MCP continues, becoming a unified “language” for connecting AI models with various data sources, tools, and external applications.
This piece from Astrix does a great job of helping us understand MCP and how it will fit into the ecosystem moving forward, facilitating agentic workflows and architectures.
at the Pragmatic Engineer, one of the leading outlets on Substack. It is full of incredible details of MCP, along with excellent visualizations of how it works and the role it will play in the evolving AI-driven development ecosystem.
The widely cited Verizon Data Breach Investigations Report (DBIR) just dropped this week, and I will be diving into it in much more detail in a standalone piece and article soon. Still, some early highlights are interesting, as always.
From the AppSec perspective, vulnerability exploitation is on the rise, and in a big way. Since last year, it has grown by 34% as an initial step for data breaches and now accounts for 20% of all breaches. This comes after DBIR called 2024 the “Vulnerability Era.”
This demonstrates the continued importance of AppSec and vulnerability management, especially given that the report highlights most of this occurs at the Web App layer.
Some other quick metrics from the report, before I have time to dig in further, include:
Humans are still involved in 60% of data breaches
The median amount being paid to Ransomware groups is $115k
44% of cyber breaches involving ransomware, up from 37% last year
It takes a median of 32 days to resolve vulnerabilities in perimeter devices
In addition to product and funding announcements, it is also apparently the time of year for industry-leading security reports. On top of the Verizon DBIR being out, Google’s Mandiant dropped its M-Trends report, which always has some great insights.
It covers key topics such as:
Campaigns and Global Events
Targeted Attacks
Ransomware
Cloud Compromises
Threat Techniques
This report provides some excellent insights into threat actors, specific campaigns, vulnerabilities, and more.
Additionally, much like DBIR, it clearly shows that vulnerability exploitation is the leading initial attack vector. This is the fifth year in a row that Mandiant’s report has shown this to be the case.
Based on these leading reports and broader industry trends, it is easy to argue that AppSec is as vital as ever, and something organizations continue to struggle with.
Attackers know this and are taking advantage of it.
Another annual report I often look forward to is Datadog’s State of DevSecOps Report. To provide these insights, they examined tens of thousands of applications across containers, the cloud, and more.
They lay out some key facts they found:
Exploitable vulnerabilities are prevalent in web applications, particularly those that use Java
No surprise here, and explains why we’re seeing so much exploitation in other reports such as DBIR and M-Trends
Not only is Java the most vulnerable, it is also the ecosystem where it takes the longest to patch - not a good combination!
Attackers continue to target the software supply chain
Datadog identified thousands of malicious PyPI and npm libraries in the wild, some via package/typosquatting and others with malicious takeovers of dependencies and projects
Use of long-lived credentials in CI/CD pipelines is still too high, but is slowly decreasing
Only a fraction of critical vulnerabilities are truly worth prioritizing
There are many other great insights and visualizations in their report, including dependency upgrades, container bloat contributing to attack surface, and much more. I strongly recommend checking it out!
AppSec company Ghost Security published an interesting report titled “Exorcising the SAST Demons: How Ghost is Replacing Rule-Based Scanning with AI-powered Triage and Detection”.
The report included scanning 3,000 real-world open source repos in various programming languages and identifying over 2,000 security findings. 91% of these were false positives and noise, and manual triage would have required 350 hours of labor to address only 180 true positives.
This further highlights the noise and toil legacy AppSec tooling burdens development teams and why developers overwhelmingly dread interacting with security teams. This emphasizes the need for modern AI-native platforms and capabilities to bolster the fidelity of findings and help organizations focus on true risks.
They shed some light on their use of LLMs tailored for AppSec, as seen below:
The frenzy around MCP continues, as cloud-security leader Wiz announced “Wiz MCP Server,” which allows users to intuitively ask Wiz about critical risks in their cloud, locate vulnerable code, generate fixes with AI, and push remediations, all within the Cursor UI/IDE.
Despite all the MCP excitement, Wiz also pointed out security concerns with MCP and recommended folks check out this MCP Security Briefing, which I shared last week.
This continues the trend of industry leaders rapidly adopting and implementing MCP into their product offerings to enable agentic workflows and use cases.
