I manage information security at Experian (formerly Tapad).
Write articles/book reviews on security, privacy, risk management.
Member of @CyberSecCanon
Vulnerability management always ran on a buffer: The months between when a vulnerability was found & when someone could figure out how to weaponize it. It worked: triage by severity, schedule fix & validate. Then #AI changed everything. HT @TheHackersNews. https://cybersec.picussecurity.com/s/ai-broke-vulnerability-management-that-s-why-cisos-are-moving-budget-to-bas-28007
AI Broke Vulnerability Management. That's Why CISOs Are Moving Budget to BAS.

AI cut exploit timelines to 24 hours in 2026 while patching takes 43 days, widening exposure and driving BAS adoption.

The Hacker News

Over the past few years, I’ve argued that Facebook doesn’t take security or fraud seriously. This is as I wrote last year on Facebook: it doesn’t care about security, and in 2023, Facebook doesn’t care about fraud.

Meta Platforms is one of the world’s largest technology companies. With a market capitalization exceeding $1.5 trillion, annual revenue topping $200 billion, nearly 80,000 employees, and more than 3 billion daily users across its family of apps, Meta has resources that most organizations can only dream of.

Yet despite those resources, fraud remains deeply embedded in its ecosystem.

https://medium.com/@brothke/i-reported-a-facebook-scam-meta-reported-back-looks-fine-to-us-bdb1f8fa42eb

I Reported a Facebook Scam. Meta Reported Back: ‘Looks Fine to Us’

When fraud is the bottom line

Medium
To be an AI-powered SOC or not to be, that is the #AI #SOC question. There are now >100 vendors advertising AI-powered SOC capabilities. Agentic SOC, autonomous analyst, AI triage, etc. Where does #infosec hype end & real solutions begin? HT @scanner_dev. https://api.cyfluencer.com/s/choosing-not-to-be-an-ai-soc-and-going-headless-instead-27939
Choosing not to be an AI SOC... and going Headless instead

97 vendors now claim to run your SOC with AI. Most are wrapping a slow query on top of a thin API.

🏭 𝗦𝗲𝗰𝘂𝗿𝗶𝗻𝗴 𝘁𝗵𝗲 𝗽𝗵𝘆𝘀𝗶𝗰𝗮𝗹 𝘄𝗼𝗿𝗹𝗱 🏭

This week's book review topic is #OperationsTechnology (OT), with a no-nonsense title, 𝙎𝙚𝙘𝙪𝙧𝙚 𝙊𝙥𝙚𝙧𝙖𝙩𝙞𝙤𝙣𝙨 𝙏𝙚𝙘𝙝𝙣𝙤𝙡𝙤𝙜𝙮, authored by Andrew Ginter.

✍ Dr. Georgianna Shea provides her qualified assessment: https://cybercanon.org/secure-operations-technology/

🛒 Bookshop affiliate link: https://tinyurl.com/3f8rvcx4

#CyberCanonReview #CybersecurityBooks #OTSecurity

You’ve been tasked with reporting your organizational security risk posture to the Board. What do you do? First, use #FAIR from @FAIRInstitute. Then, use the tactics detailed in “A #CISO Guide to Reporting Risk to The Board”. Great advice from @XMCyber_.
https://api.cyfluencer.com/s/ciso-guide-to-reporting-risk-to-the-board-27724
CISO guide to reporting risk to the board

My @OneRSAC book of the month review: Privacy’s Defender: My Thirty-Year Fight Against Digital Surveillance, by Cindy Cohn of @EFF, pub. by @MITPress. She writes of #EFF cases w/ @NSAGov #NSA, @Snowden & many other #privacy issues to protect individuals. https://www.rsaconference.com/library/blog/bens-book-of-the-month-privacys-defender

𝗔 𝗥𝗲𝗮𝗹 𝗙𝗔𝗜𝗞 𝗥𝗲𝘃𝗶𝗲𝘄!

Dave Heaney takes on Perry Carpenter's 𝙁𝘼𝙄𝙆: 𝘼 𝙋𝙧𝙖𝙘𝙩𝙞𝙘𝙖𝙡 𝙂𝙪𝙞𝙙𝙚 𝙩𝙤 𝙇𝙞𝙫𝙞𝙣𝙜 𝙞𝙣 𝙖 𝙒𝙤𝙧𝙡𝙙 𝙤𝙛 𝘿𝙚𝙚𝙥𝙛𝙖𝙠𝙚𝙨, 𝘿𝙞𝙨𝙞𝙣𝙛𝙤𝙧𝙢𝙖𝙩𝙞𝙤𝙣, 𝙖𝙣𝙙 𝘼𝙄-𝙂𝙚𝙣𝙚𝙧𝙖𝙩𝙚𝙙 𝘿𝙚𝙘𝙚𝙥𝙩𝙞𝙤𝙣𝙨.

https://tinyurl.com/yc827cf4

Perry is a HoF author of Transformational Security Awareness, and knows his stuff.

#CyberCanonReview #CybersecurityBooks

Excellent @XMCyber_ piece on why CVE count is a meaningless metric. #CVE counts & #CVSS scores remain the default language of vulnerability management. But neither tells you whether you’re actually reducing exposure, such that CVE counts fail as a risk metric.
https://api.cyfluencer.com/s/your-cve-count-is-a-meaningless-metric-27649
Your CVE Count Is a Meaningless Metric

The CVE count and CVSS scores remain the default language of vulnerability management. Yet neither one tells you whether you're actually reducing exposure. That disconnect is more widespread than most teams realize. In this blog, I'll explain why the CVE count fails as a risk metric, why the behavior persists, and what a more meaningful measure looks like.

XM Cyber
BlackFog Q1 2026 Ransomware Report: Only 1 in 9 #ransomware attacks made public as data exfiltration hits 96%. Ransomware activity in Q126 continued to demonstrate both the scale and diversity of modern attacks. In terms of disclosed attacks for this period. https://api.cyfluencer.com/s/blackfog-q1-2026-ransomware-report-only-1-in-9-ransomware-attacks-made-public-as-data-exfiltration-hits-96-27624
BlackFog Q1 2026 Ransomware Report: Only 1 in 9 Ransomware Attacks Made Public as Data Exfiltration Hits 96%

BlackFog Q1 2026 Ransomware Report reveals only 1 in 9 attacks are disclosed as data exfiltration hits 96% worldwide.

BlackFog
Automated penetration testing is all the rage. Informative @PicusSecurity on the differences between it & traditional vulnerability scanners. More importantly, it details what automated pen testing can’t do, including finding AI & LLM guardrail weaknesses.
https://cybersec.picussecurity.com/s/what-does-automated-penetration-testing-actually-find-27597
What Does Automated Penetration Testing Actually Find?

Automated penetration testing finds confirmed exploits, attack paths, and AD weaknesses, not theoretical CVE lists. Learn what it surfaces, what it misses, and how to act on results.