Founder of CybersecTools.com (3,000+ security tools) | Fractional CISO for B2B companies | ex-Mambu, ex-EclecticIQ, ex-JDE
CybersecTools: https://cybersectools.com/?utm_source=infosec.exchange
Newsletter: https://mandos.io/newsletter/
LinkedIn: https://www.linkedin.com/in/nikolozk/

Finding the right security tools just doesn't work the way it should.

Vendors are the ones shaping the conversation.

Gartner decides what you should buy.

You rarely get to see what tools your peers actually use.

So I just launched Stacks on CybersecTools to fix that.

Now, security professionals can:
- Build and share the security stacks they really use
- Highlight top tools in each category based on real usage, not vendor claims.
- Create tier lists of tools based on honest opinions, not paid promotions.

Security professionals should control tool discovery, not vendors.

Stacks make this possible.

Build your stack here: https://cybersectools.com/stacks

🚀 Big milestone! CybersecTools is growing faster than ever:

We're now powering the community with:
- 3,154 tools
- 941 companies
- 1,331 members
- Nearly 500K page views

Thank you to everyone contributing to the cybersecurity community!

AI Companies are allowing everyone to install unverified code, and no one is stopping them.

Figma's MCP tool has just had a serious security issue that allowed hackers to execute code remotely.

New MCPs are released daily, but AI companies fail to verify their safety before they are used by the public.

- Employees install whatever they find online.
- Security teams can't review everything.
- And we get Shadow AI that's everywhere.

One unsafe MCP could let attackers get into your data, or someone else's.

What OpenAI and Anthropic should do:

→ Mandatory code signing and developer verification for all MCPs
→ Built-in sandboxing - MCPs should run in isolated environments with zero host access by default
→ Explicit permission models - users must approve each capability that an MCP requests
→ Version pinning with alerts when the MCP code changes
→ Give enterprise IT centralized MCP registry controls
→ Enterprise admin dashboards to see what MCPs are running across the org
→ Observability and logging for all MCP actions
→ Human-in-the-loop workflows for high-risk operations

This is shadow IT on steroids, and every CISO should be losing sleep over this.

I just shipped 240+ hours of work into the biggest CybersecTools update yet. Here's what actually changed:

🎯 FOR SECURITY TEAMS

→ Find tools in seconds, not hours
18 categories → 106 specializations → 944 specific tasks
Need "API security testing for cloud"? Go straight there. No more browsing broad categories.

→ See before you buy
Screenshots, features, integrations, all upfront
No more booking demos just to see if it looks right

→ Real reviews from real teams
Not testimonials. Actual pros and cons from people using these tools
Find out if "easy setup" actually means 6 months of integration hell

→ Research on the go
Mobile-optimized UI
Someone mentions a tool at a conference? Look it up right there

→ Contact vendors directly
No redirects. No "book a demo" walls
Just ask your question

📈 FOR VENDORS

→ Capture leads instantly
Contact forms on your page
No friction = no lost conversions

→ Show your product, skip the fluff
Upload screenshots and integrations
Let the tool speak for itself

→ Get recommended by AI agents
Our tools show up when people ask ChatGPT, Perplexity, and other LLMs for security tool recommendations
Reach buyers doing AI-powered research

→ No BS submissions
AI agents strip marketing speak anyway
Just tell us what it does

→ Mobile = money
Your tool looks good on phones now
Because that's where buyers are researching

And a bunch of "invisible" optimizations on the back-end.

Less time wasted finding tools. Less friction getting customers.

#cybersecurity #cybersecurityproducts #ciso

Another day, another breach: this time, it's Red Hat.

And yes, their own on-premises GitLab instance.

Shocking? Not really.

Today, it doesn't really matter if you host your systems on-premises or in the cloud.

I use MCPs all the time, especially with Claude Code.

They're game-changers for building and extending LLMs.

But let's be honest: from a cybersecurity perspective, MCPs are a dangerous wild card for enterprises.

Right now, it's almost impossible to verify which MCP servers are legit.

AWS just released Strands Agents – an open source SDK that revolutionizes how we build AI agents with minimal code.

The traditional approach to AI agent development has been painfully complex – requiring intricate orchestration, custom parsers, and months of tuning.

Strands Agents changes everything by embracing modern LLMs' native reasoning capabilities.

What makes Strands powerful:
‣ Drop the complex agent frameworks – define agents with just a model, tools, and prompt
‣ Build with any model supporting reasoning (Bedrock, Anthropic, Meta, Ollama)
‣ Choose from 20+ pre-built tools or easily create custom ones
‣ Scale from prototype to production with flexible deployment options

The model-driven approach is a game-changer – AWS teams reduced agent development time from months to days while improving user experience. Multiple AWS services already use Strands in production.

With contributors like Anthropic, Meta, PwC, and Tavily joining the open community, Strands is positioned to become a standard for agent development.

Security teams should pay attention – this could radically simplify building specialized security agents for threat detection, IR automation, and compliance monitoring.

https://aws.amazon.com/blogs/opensource/introducing-strands-agents-an-open-source-ai-agents-sdk/

Want to make more informed security decisions? → Join 1000+ cybersecurity leaders leveraging data-driven insights with my weekly 10-minute read. View my newsletter at the top of this post.

A master chef doesn't just order takeout when facing a unique culinary challenge. So why are security teams relying exclusively on off-the-shelf vendor solutions for our most critical problems?

Since the introduction of Cloud, we've transformed from builders to buyers, from creators to consumers.

The typical security department today has analysts, compliance specialists, and vendor management - but where are the builders?

The good news? Everything is changing.

AI is democratizing development capabilities in ways that were unimaginable just a few years ago.

The economics of build vs. buy have fundamentally shifted.

Can your team solve a security challenge without waiting for a vendor to build it? If not, you might be surrendering your most powerful advantage.

Check out my latest article on why building capabilities are making a comeback in cybersecurity and what it means for your team's effectiveness: https://mandos.io/blog/why-building-is-back-in-cybersecurity-and-what-it-means-for-your-career/

#cybersecurity #engineering #ai

While 89% of organizations discuss security at board level, exposure management ranks LAST in investment priorities.

The data tells a sobering story:
‣ 55% of organizations still operate with crippling IT/security data silos
‣ 62% say these silos slow security response times
‣ 51% of companies with risk frameworks admit they don't follow them closely
‣ It would take organizations SIX YEARS to break down their existing silos

Security teams remain trapped between technical and business realities.

Most concerning: 40% of security professionals say IT teams don't understand organizational risk tolerance.

We've reached the limits of traditional vulnerability management. In a world where attack surfaces constantly expand, we need exposure management.

And the most mature security organizations are 1.6x more likely to invest in exposure management. They understand what others miss: effective security requires breaking down both technical and organizational silos.

Don't let your security strategy fall behind → Join 1000+ cybersecurity leaders future-proofing their programs with my weekly 10-minute read: mandos.io/newsletter

10 books that transformed my cybersecurity leadership journey and life in ways no certification ever could.

I'm constantly asked about the books I cherish the most - here's my decade-tested list:

‣ Extreme Ownership - Taught me accountability starts with me, not my team, transforming how I handle security incidents.

‣ How to Be Free: An Ancient Guide to the Stoic Life - Equipped me to maintain composure during breaches when everyone else panics.

‣ How to Measure Anything in Cybersecurity Risk - Revolutionized how I quantify threats and communicate ROI to executives.

‣ Against the Gods: The Remarkable Story of Risk - Provided historical context that helps me frame cybersecurity as risk management, not fear-mongering.

‣ Word Power Made Easy - Enhanced my ability to articulate complex security concepts to non-technical stakeholders.

‣ Never Split the Difference - Negotiation techniques that secured budget increases when traditional justifications failed.

‣ The Culture Map - Essential wisdom for security leaders managing global teams with different communication styles.

‣ Meditations - Ancient wisdom that grounds me during constant industry disruption.

‣ The Lean Product Playbook - Methodology I applied to build agile security programs that adapt to evolving threats.

‣ The Culture Code - Blueprint for creating security teams where psychological safety enables transparent incident reporting.

Technical knowledge matters, but leadership wisdom transforms security careers.

Want to cultivate a strategic security mindset? → Join 1000+ cybersecurity leaders developing executive-level thinking with my weekly 10-minute read: mandos.io/newsletter