Security Autopsy

It Is 8 AM On A Monday. Your Company Is Breached. What Do You Do?

It is 7:58 on a Monday. You walk into the office, coffee in hand. The phone rings. It is your IT director, and his voice is shaking a little. "We have a problem. The servers are encrypted. There is a ransom note. Nobody can log in." In

AI security capabilities and the human side of vulnerability management

Mythos, oh Mythos. The whole web started to panic, leadership started to care about security... "good", but not really because this is fear, not real interest in securing their clients' data and environments. Mythos came out hard, finding vulnerabilities from 20+ years, because they required context of

Fraud

Offensive Fraud Prevention

To follow the previous article "Fraud & Application Security: Ignoring each other is costing your business!", Business logic flaws, not SQL injection, are where the real money disappears! Traditional penetration testing, SAST and scanners catch technical vulnerabilities, while fraud-enabling business logic defects drain $12.5 billion annually from

Product Security

Transforming Cybersecurity - How the next generation of security products should not require any IT knowledge

We don’t lack cybersecurity ideas. We lack companies hiring juniors and products that are secure by default. These two problems are connected, and until we fix both, we’ll keep talking about a skills shortage while making it impossible to build a secure society.

Product Security

Fraud & Application Security: Ignoring each other is costing your business !

Fraud is one of the most overlooked areas in cybersecurity, often caused by insecure design and weak controls. At DoorDash I saw how easily people abuse normal features to make money. Fixing this isn’t just shifting left; it requires real collaboration between security and fraud teams.

Vulnerability Management

Vulnerability Management Program - How to implement SLA and its processes

Defining good SLAs is a tough challenge, but it’s at the heart of any solid vulnerability management program. This article helps internal security teams set clear SLAs, define the right metrics, and adjust their ticketing system to build a successful vulnerability management program.

Millions of Vulnerabilities: One Checklist to Kill The Noise

One important subject to discuss when talking about vulnerability management is the day you open the valve on a code scanning tool that generates an enormous number of security findings. This has been a problem in information security since the early 2000s that is still being worked on, and now,

Product Security

Beyond Patching: Eradicating Vulnerabilities Root Causes

We’ve all seen it — a CVE comes in, we patch it, a sprint later it’s back again… or something just like it. The same class of issues, over and over. Sound familiar? It’s time we stop playing whack-a-mole and admit the truth!

Vulnerability Management

🧭 TTDO: The Security Metric That Actually Measures Accountability

Time-to-Developer Ownership (TTDO) might be the most overlooked and game-changing metric in vulnerability management today. What is it? Why should you care?

Vulnerability Management

🔥 Let’s start talking about vulnerability management.

I've decided to start blogging about vulnerability management because there's something we need to get straight: chasing CVSS, VPR, EPSS scores (or whatever else) won't actually make your company safer. Context will.