Welcome to issue #55 of the Resilient Cyber Newsletter.
I hope everyone is enjoying summer, as I know it is going well on my end. As I mentioned, I recently visited Northern Virginia to watch my son compete in the Virginia Little League State Championship this past weekend.
We made it to the quarter finals but lost to a Northern Virginia team. Apparently, my NOVA friends are a little league powerhouse, boasting several teams making it to the finals!
But, enough about me, this week we have a lot of awesome cyber resources to dive into, including a look at how immutable laws of cyber still stand strong 25 years later, AI regulatory contrasts between the U.S. and EU, using LLMs to produce secure code (or not) and the introduction of an Application Attack Matrix among much more.
So, here we go!
Thanks for reading the Resilient Cyber Newsletter! Subscribe for FREE and join 45,000+ readers to receive weekly updates with the latest news across AppSec, Leadership, AI, Supply Chain, and more for Cybersecurity.
Interested in sponsoring an issue of Resilient Cyber?
This includes reaching over 45,000 subscribers, ranging from Developers, Engineers, Architects, CISO’s/Security Leaders and Business Executives
Vulnerabilities are more than just security risks—they’re an expensive, ongoing drain on resources. Chainguard just released an in-depth report, The Cost of CVEs 2025, revealing how vulns are costing organizations of all sizes and industries tens of millions each year. From patch cycles and downtime to compliance overhead and incident response, the report breaks down the true, often overlooked, financial impact of vulnerability management.
Based on data from industry leading security and engineering teams, this report quantifies the organizational toll of chasing CVEs in today's threat landscape. Spoiler: patching everything is neither scalable nor sustainable. It’s time to rethink traditional approaches and consider upstream strategies that eliminate vulnerabilities before they ever make it to production.
This is an excellent report for security leaders to benchmark their current vuln management strategy—and explore how leading teams are shifting left to reduce risk and cut costs.
In a damning piece from Tracey Webb, he calls out the cybersecurity job market, arguing that CISOs and security leaders have outsourced critical hiring functions in Cyber to HR, AI and keyword searches.
The post must have resonated, as it garnered several hundred interactions and nearly 100 shares on LinkedIn. The piece raises points that remind me of a piece I shared earlier this year from Chase Cunningham, who said rampant layoffs weren’t due to AI, but companies just looking to maximize profit and cut expenses (labor).
There’s truth to this piece, but I would also say that struggling folks often miss critical activities such as building a deep network, building a personal brand/reputation, staying relevant in the domain knowledge of emerging technologies, and more.
It’s a two-way street. While hiring is getting more difficult due to ridiculous position descriptions, requirements, automation, and outsourcing to HR, we also need to do everything we can to ensure we’re in a position to be highly in demand and marketable from a labor perspective.
One of the largest cybersecurity conferences is around the corner, in Black Hat. Much like RSA, this event has an angle that looks to highlight the most innovative and disruptive startups, and their recent “Startup Spotlight Competition” finalists were recently announced.
They include:
FireTail.ai
Keep Aware
Prime Security
Twine Security
As seen above, the judging panel also made honorable mention of 5 other firms. Watching the finalists' presentations and seeing who walks away from the event at the top will be exciting!
recently wrote a piece on Microsoft’s Security Response Center’s 10 Immutable Laws of Security, which are now more than two decades old and are framed as fundamental truths related to cybersecurity.
As MSFT pointed out way back, the origin of security issues is much more closely related to the nature of systems, people, and trust than to any specific code or bugs, almost like universal laws of nature.
The laws are inevitably spot on, and what’s ironic is how painfully true they are, but we still counterintuitively violate their principles. See below for some examples:
Law #1 - “If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore”.
They explained how, if a stranger came up and handed you a sandwich, you would eat it. Of course not. Yet, ironically, when it comes to open source, we rampantly consume open source software with little insight into its true provenance and origin or its safety, at a pace that is growing more than ever, as I have discussed in various pieces.
Law #8 - “An out-of-date virus scanner is only marginally better than no virus scanner at all.”
While this one is focused on AV, which is still relevant, I couldn’t help but think of the whole shift-left mantra, and how low fidelity noisy tools we’ve dumped on developers that orient around non-exploited/non-exploitable vulnerability, base CVSS scores, and more feel right at home with this law. They’re purely noise and toil, and next to useless.
Law #10: Technology is not a panacea
This one in particular is so damn true as it was 25 years ago. I’ve written many times about People, Process, and Technology - in that order, regarding significance. Yet, the entire cybersecurity industry is oriented around tools, venture capital, and startups; all enterprises drown in tens to hundreds of security tools, most of which are never fully implemented, configured, tuned, optimized, or deliver real value in stopping organizational risks. As I have written, your security tools may be posing more risk than they are stopping!
Ross does a great job covering the 10 Laws and how they are as true as ever, while also weaving in relevant context about how the landscape and technology have changed in the past 2+ decades.
This piece from Axious highlighted the ongoing activity of “Scattered Spider,” a hacking group that has been targeting retailers, grocery chains, insurance providers, and airlines across the U.S. using techniques such as help desk impersonation and SIM Swapping.
One thing that makes the group unique is that it isn’t a mature, organized hacking group but a loose coalition of young men and teenagers who came out of the gaming community and are using ransomware to impact their victims.
Despite their age and loose nature, they have an internal organizational structure, tiered positions of maturity, and run like an actual business. While they have made recent headlines, they first gained fame by hacking MGM Resorts and Caesars Entertainment in 2023 and are largely using the same techniques today with much success. This highlights the bleak nature of most modern corporate cybersecurity.
Industry leader Jen Easterly took to LinkedIn, calling the group “Scumbag Spider” instead, and stating they aren’t ninjas and are using attack techniques that could be mitigated by a Secure-by-Design/Demand approach from industry.
She stated:
“IMHO, this isn't a story about clever hackers or even about human error. The fact that Scumbag Spider continues to succeed using largely unchanged tactics over multiple years is yet another example of systems that were never designed with security as a foundational principle.”
I spend a fair amount of my time focused on the public sector, including DoD, due to my role as the Co-Founder and CEO of a Public Sector-focused digital services firm, Aquia.
That’s why the SVDG NATSEC 100 caught my attention this week. Produced in partnership with JP Morgan, it provides insights into the top 100 venture-backed, dual-use, and defense technology companies focused on national security.
The report cites in 2024 they saw a ~2.3x increase in prior year spend by the DoD on NatSec 100 companies, which isn’t too surprising for those paying attention, as the current administration had a strong backing from silicon valley and venture capital as well as a mandate to try and disrupt the status quo in terms of primes and vendors. The report also points out that this still accounts for <1% of the total DoD budget, emphasizing just how dominant the traditional DoD primes are.
Another interesting anecdote is that they offer their analysis and dataset with and without SpaceX, due to its outsized funding, as well as its outsized Government contracts compared to the rest of the NatSec 100, which again for those following politics, could be an interesting thing to keep an eye on given the tension between President Trump and Elon.
Below is a snapshot of some of their key stats/findings:
Also, the top 15 companies ranked:
The report is worth reading if you’re interested in and passionate about the DoD market from a technology and capital perspective.
As part of the recent “Big Beautiful Bill,” a 10-year moratorium (e.g., a ban) on state-level AI compliance and regulation was proposed, but it was recently struck down and removed from the bill's version that passed.
This is a dynamic topic that has valid arguments in both directions. On one hand, AI is too immature and evolving to be regulated effectively. Efforts to do so could hinder innovation and lead to economic and national security consequences for the U.S. (and others).
On the other hand, it could be argued that we need a comprehensive, cohesive compliance regime to avoid a patchwork quilt of state-level regulations that will be costly and cumbersome for businesses to navigate and impose challenges and impacts on consumers. Citizens of different states/nations could be constrained regarding what innovative AI services, products, models, etc., they can access.
We’re headed for that patchwork quilt, as the 10-year state-level ban was removed from the passed bill. Many states have already ushered in one or more AI regulatory requirements that businesses must now navigate.
This topic, as discussed in major news outlets such as AP and many others, involves many dynamics and angles, from differences between the two parties to big techs pushing for the moratorium, to states looking to assert their rights to regulate. In the absence of a coherent Federal-level AI regulatory regime, states are expected to step in, much like they’ve done with privacy here in the US.
In the wake of the 10-year regulatory moratorium failing, some have penned strong opinions on what will happen next. This includes Adam Thierer, who details some of the policy and even national security and economic implications in this piece.
Adam makes three primary arguments:
California and New York will now take the lead in shaping national AI policy
It’s a devastating blow for “Little Tech” AI players, as large tech companies will be able to easily comply with the confusing, costly compliance burdens that will come from the patchwork reality
It represents a major setback for America’s efforts to have a coherent, pro-innovation, pro-investment policy approach in the battle against China for global AI leadership
While some may find Adam’s arguments flawed, he raises some good points. In security and compliance, we often use the phrase “high water mark” to meet the most rigorous compliance requirements upfront. Many tech and AI organizations will inevitably be forced to meet the most stringent U.S. (and global) AI regulatory requirements, such as those from NY and CA, regardless of what the other states say or do, due to the reality that it is too costly and impractical to have countless different products and services for each state.
Adam argued that the irony is that much of the animosity around the moratorium was directed at “Big Tech.” Still, those big firms are the ones who will be able to navigate the costly and confusing patchwork AI regulatory model where they are headed, with smaller firms struggling to manage the cost and complexity of compliance. I have seen this play out in areas such as FedRAMP and the DoD SRG related to Cloud and ATO’s in the public sector, as larger firms can afford the time and cost to meet the compliance requirements, and afford to enter these markets, essentially locking out smaller firms with less resources, even if they have innovative products and services the industry could benefit from.
To his last point about impacting a pro-innovation and pro-investment policy approach to compete with China for AI leadership, one of the best ways to mitigate what is happening would be for the Federal government to take the lead with a coherent, cohesive approach to AI regulation, mitigating the states’ need to step in. That said, of course, some states, such as CA/NY, can and will impose their regulatory requirements, but this would at least provide a uniform Federal pathway for industry and also allow companies to avoid some states if needed while still driving the nation forward from a competitive and innovative perspective.
However, watching how we have failed to do something similar around Privacy will leave those of us watching this AI regulatory battle with a sense of déjà vu.
Not to be left out of the conversation, our friends in the EU saw action on AI regulation recently, too. A coalition of Europe’s largest companies asked for a two-year freeze on the implementation of the EU’s AI Act, citing concerns it could impede the EU’s ability to keep pace with China and the U.S.
It will be very interesting to see how this plays out, given the EU by its own admission in some ways has set out to be a “regulatory superpower” despite many concerns from national and industry leaders alike who state the heavy handed compliance approach of t he EU is impacting the EU’s ability to compete and also its economic prosperity and national security.
The EU government and bureaucracy seem to be committed to this path, regardless of the impact on economics or national security.
"I've seen, indeed, a lot of reporting, a lot of letters, and a lot of things being said on the AI Act. Let me be as clear as possible, there is no stop the clock. There is no grace period. There is no pause," Commission spokesperson Thomas Regnier told a press conference.
I always enjoy sharing the below diagram as a stark reminder of just how different the US and EU ecosystem for growth and high-tech are:
The industry continues to be enamored by AI's potential to transform cybersecurity, including in key areas such as SecOps with the SOC. This piece from Spear Investments explores the topic, looking at technical and market factors driving this focus.
The piece emphasizes what is foundational to Agentic SOC operations, which are the data sources and data infrastructure layer. As seen in the image above, this is no small feat and often involves a complex combination of systems, products, and environments to bring things together. As the authors point out, the modern SOC isn’t a static dashboard, but instead a system built on robust real-time data sources providing actionable insights, and can come from sources such as the network, endpoints, identity, and cloud environments.
The industry leaders, such as Crowdstrike and ZScaler, have a significant advantage when it comes to data, given each protects billions of digital assets and/or processes billions and even trillions of transactions, providing them a massive data set to drive higher fidelity insights and even further train models tied to products. This data “moat” is a point the CEO of Horizon3AI, whom I respect, has often cited as key.
From an investor’s perspective, each of these areas of the cyber market has and continues to see double-digit growth annually, as depicted below:
The piece goes on to break down each of these key cybersecurity end markets, leading vendors, disruptors, and the complexity involved within each category defined above. It then discusses how they all provide insights key to powering the future agentic SOC.
A recent paper found that smaller specialized models, coupled with security-centric prompting and guidance, can develop more secure code. While the results seem promising, I inevitably think about reality versus academia and research.
The truth is that most developers have little security education and training and won't natively use security-centric prompts and requests, as this paper outlines.
This means the attack surface is poised to grow exponentially as Developers use vanilla prompts for code generation with little to no context added for security and hardened code, inherently trusting whatever the models output for the sake of moving fast, as developers are incentivized to do.
I suspect that in the future, we will see the everyday use of tools and secure coding prompt libraries to implement guardrails, allowing developers to lean into AI-driven development while also ensuring more secure outputs. Shout out to Varun Badhwar for also bringing this paper to my attention.
Continuing their series about activities that are difficult behind the scenes that organizations grapple with, Chainguard recently released a piece discussing vulnerability scanner integration.
They outline the challenges of dealing with multiple vulnerability databases, which often have duplicative information, conflicting data, and disparate IDs, making vulnerability scanning and management difficult. Chainguard also describes its internal processes and the tools it uses to identify and communicate vulnerabilities to customers. This activity leads to remediating vulnerabilities, communicating changes to customers in advisories, and providing context-rich information from which scanners can pull.
Chainguard summarizes the difficulties, including the reality that there are tens of thousands of vulnerabilities every year, many captured in NVD and other vulnerability databases, many different vulnerability scanning tools, the need for context, and much more.
This blog is a great peek behind the curtain of vulnerability management as a software vendor.
Several of the industry-leading reports, from M-Trends to DBIR, show that application exploits are on the rise as one of the most dominant attack vectors.
However, the AppSec landscape has changed drastically in the last several years, from Cloud, Microservices, Supply Chain, Runtime, App Logic, and AI 🤖. This Application Attack Matrix from Avi Lumelsky, Hadas Marzook, Gal Elbaz, and the Oligo Security crew is timely.
It looks at the four phases of application attacks: Pre-Intrusion, Intrusion, Post-Intrusion, and Impact. It's tied to real-world security incidents and attacks using various attack techniques and their associated organizational impacts.
This is a great resource that security practitioners, leaders, researchers, and others can leverage. It is grounded in real-world data and accompanying mitigation techniques and can lead to a more resilient digital ecosystem!
One of the leading cloud security conferences of the year recently took place, bringing together industry-leading experts with deep experience in various CSPs, multi-cloud, identity, AppSec, and more.
The playlist is live, but it can be difficult to keep up with, with 43 talks covering various topics and domains. Luckily, this repository puts it all together neatly and well organized, allowing you to focus on the most interesting topics. It breaks the 43 talks down into the following categories:
Building robust and effective detection capabilities in leading CSPs such as AWS can be a complex endeavor, even for the most capable teams. This incredible blog detailing how one team identified their AWS detection deficits and matured them while diving deep into AWS log sources and telemetry is helpful for any security practitioner securing workloads in AWS.
The below image helps highlight the AWS services involved, both from a data source, monitoring, and aggregating perspective.
The author lays out an AWS Log Source Security Summary:
They discuss how they built out detections and enriched log sources with additional information such as network context and threat intelligence, where possible, to provide deeper insights.
Their journey captures key lessons as well:
Context is everything, and raw logs must be enriched with context
Automation is key, due to the scale and complexity of environments
False positives kill
Insights are hidden in the cross-service correlation
Use IaC to manage detection rules
Continuously validate detection rules because they degrade over time
NHI’s continue to be a hot topic, and something I have written and spoken a lot about, including with my friends at Astrix Security. That said, I found this discussion with investor Pramod Gosavi and the founder of Clutch Security to be a good one, covering a wide range of topics related to NHI’s, such as:
How NHI’s are an old problem but being newly recognized as critical
Limitations of traditional secrets management tooling
What NHI attack vectors and breach mechanics look like
The impact of Agentic AI on NHI
Clutch’s vision for this space, and where they’re headed
Hi Chris! My name is Pranav, and I’m the founder of HackWard, a self-led Cybersecurity initiative targeted towards increasing digital awareness and accessibility to people on the understanding of everyday vulnerabilities in the field of cybersecurity! I'm new to Substack and would love to connect with you! Feel free to check out my latest blog if you'd like! https://open.substack.com/pub/hackward/p/quishing-the-qr-code-scam-thats-fooling?r=5zco3z&utm_medium=ios
Hi Chris! My name is Pranav, and I’m the founder of HackWard, a self-led Cybersecurity initiative targeted towards increasing digital awareness and accessibility to people on the understanding of everyday vulnerabilities in the field of cybersecurity! I'm new to Substack and would love to connect with you! Feel free to check out my latest blog if you'd like! https://open.substack.com/pub/hackward/p/quishing-the-qr-code-scam-thats-fooling?r=5zco3z&utm_medium=ios