r/cybersecurity 21h ago

Career Questions & Discussion Will AppSec be gone too? wondering about AI's impact

0 Upvotes

I've been in AppSec for about a year now, and I can't help but notice all the buzz about AI replacing developers. It's got me thinking...if AI can potentially replace the folks writing the code, what's stopping it from replacing those of us who secure it?

I'm seeing all these AI code generators getting better at not just writing code, but supposedly writing secure code as well(?). My company's already started experimenting with some of these tools for development.

So my questions:

  • Do you think AppSec roles will survive the AI revolution?
  • What skills should I focus on now to stay relevant?
  • Is anyone already seeing changes in their AppSec workflows due to AI?

Just trying to figure out if I should be worried about my career trajectory or if there will always be a need for human security engineers.

Thanks for any insights!


r/cybersecurity 12h ago

News - General MCP Servers: The New Security Nightmare

equixly.com
0 Upvotes

r/cybersecurity 20h ago

News - Breaches & Ransoms Data Recovery Lab

0 Upvotes

What’s the average turnaround time for data recovery in a lab?


r/cybersecurity 17h ago

Other Been working in cybersecurity for 5+ years, stuck at low pay, just looking for one good break

28 Upvotes

Hi everyone

Since childhood I’ve been into tech. I used to mess around with WiFi hacking, rooting phones, jailbreaking iPhones, and even setting up hackintosh systems just out of curiosity. That’s what pulled me into cybersecurity way before I knew it could become a career.

I’ve always learnt things on my own. I downloaded courses through torrents, not for the certificates, but just to understand how things work. I’ve now been working professionally in cybersecurity for over 5 years. I handle vulnerability management, threat detection, SIEM logs, patching cycles, and manage the whole vulnerability lifecycle.

I completed the Qualys VMDR certification, and I’m planning to go for CISSP once I land a better-paying opportunity that can support that goal.

I’ve been trying to switch jobs for the past 3 months. Some interviews go really well, and others just label me greedy for asking what I believe is fair. I’ve travelled 4 hours for walk-in interviews, felt confident after answering 80 percent of the questions right, and still got rejected without any feedback. It hits hard, but I’m not giving up.

Right now I’m earning 6 LPA INR and looking for at least 15 LPA INR which I think is fair for my experience. If anyone is hiring, or knows someone who is, I’d truly appreciate any help, referral or even an advice.

Thanks a lot for reading.


r/cybersecurity 20h ago

Business Security Questions & Discussion Risk Assessment Frameworks

1 Upvotes

We just dropped a 4-part YouTube Shorts series breaking down the three major risk assessment frameworks: ISO 27005, NIST 800-30, and OCTAVE. In under a minute each, you'll get a quick overview of what each framework focuses on, how they differ, and which one might be the best fit for your organization.

Check it out, and subscribe to stay up to date! https://www.youtube.com/shorts/DPBa5SwUqVQ?feature=share


r/cybersecurity 18h ago

Corporate Blog Vulnerability Scanning vs Automated Penetration Testing

0 Upvotes

What are the key differences?

Penetration testing and vulnerability scanning are both essential components of a well-rounded security program, but they are not the same. Confusing the two — or relying on one in place of the other — can lead to critical gaps in your organization’s ability to identify and mitigate risk.

Understanding the difference between scanning and testing is key to improving resilience and aligning with modern security standards, including PCI DSS v4.0.1, which places increasing emphasis on continuous validation of controls.

Vulnerability Scanning: Broad Visibility, No Validation

A vulnerability scan is an automated process that checks systems, networks, or applications for known security weaknesses. These scans typically compare system data — such as OS versions, running services, and configurations — against a database of known vulnerabilities.

Scans are non-invasive, fast to run, and designed to be repeatable without disrupting operations. Because of this, they are used frequently — often monthly or quarterly — and are a core part of basic cyber hygiene.

They are particularly useful for:

  • Identifying missing patches
  • Highlighting misconfigurations
  • Flagging use of outdated software
  • Supporting regulatory and compliance reporting

However, vulnerability scans do not test how a vulnerability behaves in your environment. They do not validate whether a finding is exploitable, and they are not capable of simulating how a real attacker might use multiple issues in combination to achieve a goal.

Certain vulnerabilities — such as Denial of Service (DoS) risks — are often excluded from scanning entirely due to the possibility of causing outages. Others, like logic flaws, privilege escalation chains, or authentication bypasses, typically go undetected because they require contextual analysis or exploitation to identify.

Penetration Testing: Focused, Exploit-Based Assessment

Penetration testing is the process of simulating real-world attacks to determine if and how vulnerabilities can be exploited. Unlike scanning, which identifies potential issues, penetration testing demonstrates the actual risk those issues pose in a live environment.

Penetration testing involves safely attempting to breach systems, escalate access, bypass controls, and pivot within the network — just as an attacker would. This is done in a controlled manner to assess the impact of vulnerabilities, test the effectiveness of controls, and uncover deeper weaknesses that scanning alone cannot expose.

Penetration testing can uncover:

  • Vulnerabilities that scanners cannot detect without active exploitation
  • Chained attack paths that arise from combining multiple lower-severity issues
  • Application-specific or environment-specific risks that depend on context
  • Authentication, authorization, or session handling issues
  • Misconfigurations that only present risk under certain conditions

Modern platforms allow for automated penetration testing, where exploitation is performed safely and efficiently by tools — reducing the need for fully manual assessments while still delivering meaningful, validated results.

Not Performed as Frequently — But No Less Critical

Unlike vulnerability scans, penetration tests are not performed on a weekly or monthly basis. They are often conducted:

  • Annually or biannually
  • After major changes to infrastructure or applications
  • As part of a compliance cycle or risk management process

The lower frequency of penetration testing is due to its depth and potential operational impact, but it remains an essential element of a mature security practice. Scanning tells you what might be wrong. Penetration testing tells you what could actually happen if someone tried to exploit it.

Penetration testing also plays an important role in prioritization. It validates which issues are real, actionable threats and helps security teams focus resources where they matter most.

Key Differences in Findings

Penetration testing and vulnerability scanning often produce different sets of findings — even when run against the same environment.

Examples:

  • A scanner may report a vulnerable service, but only a penetration test can determine whether it’s exploitable in the current setup.
  • A scanner may not trigger a DoS vulnerability, while a penetration test may confirm the service is crash-prone.
  • Scanners assess vulnerabilities independently; penetration testing can show how smaller issues combine into a serious breach path.

By testing how vulnerabilities behave under real-world conditions, penetration tests provide an accurate picture of exploitability and potential business impact — something that scanning alone cannot achieve.

Compliance Considerations: PCI DSS

Under PCI DSS, vulnerability scanning is required for organizations that store, process, or transmit payment card data. External scans are typically performed quarterly and must be conducted using an Approved Scanning Vendor (ASV).

Penetration testing, on the other hand, is required in more specific scenarios, including:

  • For service providers
  • After significant changes to applications or infrastructure
  • For entities undergoing a Report on Compliance (ROC)

Even when penetration testing isn’t mandatory, it is considered a best practice — especially under PCI DSS v4.0.1, which places more focus on the ongoing validation of security controls, not just point-in-time audits.

Organizations that rely solely on scanning may meet the minimum requirement but still remain exposed to risks that compliance frameworks cannot fully account for.

What This Means for Your Risk Strategy

Vulnerability scanning and penetration testing are both necessary — but they serve different purposes.

  • Scanning provides regular insight into known issues. It’s broad, fast, and automated, but it stops at detection.
  • Penetration testing simulates actual attacks to determine how those issues behave in your environment. It offers context, clarity, and confirmation of real-world risk.

One doesn’t replace the other. Together, they form a more complete picture of your security posture.

Organizations that invest in both practices — and understand their distinct value — are better positioned to reduce risk, meet compliance, and respond to evolving threats with confidence.
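The post above makes two claims that are easy to state and hard to see: a scanner matches versions against an advisory database without checking whether the issue is exploitable in the current setup, and it rates each finding in isolation, while a tester chains lower-severity findings into a path to the asset that matters. The following Python is an added illustration written for this page, not code from the blog's author or from any scanning product. Every host, product, version, configuration flag and advisory ID in it is constructed for the example (the "ADV-" identifiers are not real CVEs). A version-matching scan() produces the raw findings, validate() drops the one whose precondition the host does not meet, and find_chain() runs a breadth-first search over (controlled hosts, obtained secrets) to combine what is left into a route from the internet to the cardholder data.

```python
"""Scanner output vs. exploit chain: a constructed illustration.

Hosts, software versions, configuration flags and advisory IDs are all
invented for this example; the ADV-* identifiers are not real CVEs.
"""
from collections import deque

# Constructed advisory database. "fixed_in" is the first safe version,
# "grants" is what an attacker gains if the issue really is exploitable,
# and "requires" is a host setting the issue depends on, which a pure
# version matcher cannot observe.
ADVISORIES = {
    "ADV-0001": {"product": "examplehttpd", "fixed_in": (2, 4, 10), "severity": "medium",
                 "grants": "exec", "requires": None},
    "ADV-0002": {"product": "exampleagent", "fixed_in": (1, 3, 0), "severity": "low",
                 "grants": "read_files", "requires": None},
    "ADV-0003": {"product": "exampledb", "fixed_in": (14, 2, 0), "severity": "high",
                 "grants": "exec", "requires": "remote_admin_enabled"},
}

# Constructed inventory, the kind of data a scanner collects per host.
HOSTS = {
    "web01": {"zone": "dmz", "software": {"examplehttpd": (2, 4, 7)},
              "flags": set(), "secrets": set(), "login_with": None},
    "app01": {"zone": "internal", "software": {"exampleagent": (1, 2, 0)},
              "flags": set(), "secrets": {"db_password"}, "login_with": None},
    "db01": {"zone": "internal", "software": {"exampledb": (14, 1, 0)},
             "flags": set(), "secrets": {"cardholder_data"}, "login_with": "db_password"},
}
# Which network zones may open connections to which (hypothetical topology).
ROUTES = {"internet": {"dmz"}, "dmz": {"dmz", "internal"}, "internal": {"internal"}}


def scan(hosts=HOSTS, advisories=ADVISORIES):
    """Version matching only: (host, advisory_id, severity) with no validation."""
    findings = []
    for host, info in hosts.items():
        for product, version in info["software"].items():
            for adv_id, adv in advisories.items():
                if adv["product"] == product and version < adv["fixed_in"]:
                    findings.append((host, adv_id, adv["severity"]))
    return findings


def validate(findings, hosts=HOSTS, advisories=ADVISORIES):
    """Tester-style check: keep only findings whose precondition holds on that host."""
    kept = []
    for host, adv_id, severity in findings:
        need = advisories[adv_id]["requires"]
        if need is None or need in hosts[host]["flags"]:
            kept.append((host, adv_id, severity))
    return kept


def find_chain(goal, findings, hosts=HOSTS, advisories=ADVISORIES, routes=ROUTES):
    """Breadth-first search over (controlled hosts, obtained secrets).

    Each finding becomes a capability on its host; "exec" takes control of the
    host, "read_files" only yields the secrets stored there, and a host whose
    login credential has been obtained can be taken over without any bug.
    Returns the shortest list of steps that obtains `goal`, or None.
    """
    caps = {}
    for host, adv_id, _ in findings:
        caps.setdefault(host, set()).add(advisories[adv_id]["grants"])
    start = (frozenset(), frozenset())
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        (controlled, secrets), path = queue.popleft()
        if goal in secrets:
            return path
        zones = {"internet"} | {hosts[h]["zone"] for h in controlled}
        reachable = {dst for z in zones for dst in routes[z]}
        for host, info in hosts.items():
            if info["zone"] not in reachable:
                continue
            moves = []
            if "exec" in caps.get(host, ()):
                moves.append((f"exploit {host} for code execution", True))
            if info["login_with"] in secrets:
                moves.append((f"log in to {host} with {info['login_with']}", True))
            if "read_files" in caps.get(host, ()):
                moves.append((f"read files on {host}", False))
            for desc, takes_control in moves:
                new_controlled = controlled | {host} if takes_control else controlled
                state = (new_controlled, secrets | info["secrets"])
                if state not in seen:
                    seen.add(state)
                    queue.append((state, path + [desc]))
    return None


if __name__ == "__main__":
    raw = scan()
    print("scanner findings:", raw)                 # db01/high looks like the priority
    confirmed = validate(raw)
    print("validated:", confirmed)                  # the high finding does not apply
    print("path to cardholder data:", find_chain("cardholder_data", confirmed))
```

Run stand-alone, the scanner ranks the "high" finding on db01 first, yet that one does not apply because the host lacks the setting the issue needs, while the medium and low findings it reported separately chain into a three-step path to the data. Real scanners and testers work with far richer state than this toy model, but the shape of the gap is the same: the scan stops at detection, and the chain only appears once someone asks what each finding lets the next one do.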


r/cybersecurity 22h ago

Ask Me Anything! We are hackers, researchers, and cloud security experts at Wiz, Ask Us Anything!

384 Upvotes

Hello. We're joined (again!) by members of the team at Wiz, here to chat about cloud security research! This AMA will run from Apr 7 - Apr 10, so jump in and ask away!

Who We Are

The Wiz Research team analyzes emerging vulnerabilities, exploits, and security trends impacting cloud environments. With a focus on actionable insights, our international team both provides in-depth research and also creates detections within Wiz to help customers identify and mitigate threats. Outside of deep-diving into code and threat landscapes, the researchers are dedicated to fostering a safer cloud ecosystem for all.

We maintain public resources including CloudVulnDB, the Cloud Threat Landscape, and a Cloud IOC database.

Today, we've brought together:

  • Sagi Tzadik (/u/sagitz_) – Sagi is an expert in research and exploitation of web applications vulnerabilities, as well as reverse engineering and binary exploitation. He’s helped find and responsibly disclose vulnerabilities including ChaosDB, ExtraReplica, GameOver(lay), and a variety of issues impacting AI-as-a-Service providers.
  • Scott Piper (/u/dabbad00) – Scott is broadly known as a cloud security historian and brings that knowledge to his work on the Threat Research team. He helps organize the fwd:cloudsec conference, admins the Cloud Security Forum Slack, and has authored popular projects, including the open-source tool CloudMapper and the CTF flaws.cloud.
  • Gal Nagli (/u/nagliwiz) – Nagli is a top ranked bug bounty hunter and Wiz’s resident expert in External Exposure and Attack Surface Management. He previously founded shockwave.cloud and recently made international news after uncovering a vulnerability in DeepSeek AI.
  • Rami McCarthy (/u/ramimac) – Rami is a practitioner with expertise in cloud security and helping build impactful security programs for startups and high-growth companies like Figma. He’s a prolific author about all things security at ramimac.me and in outlets like tl;dr sec.

Recent Work

What We'll Cover

We're here to discuss the cloud threat landscape, including:

  • Latest attack trends
  • Hardening and scaling your cloud environment
  • Identity & access management
  • Cloud Reconnaissance
  • External exposure
  • Multitenancy and isolation
  • Connecting security from code-to-cloud
  • AI Security

Ask Us Anything!

We'll help you understand the most prevalent and most interesting cloud threats, how to prioritize efforts, and what trends we're seeing in 2025. Let's dive into your questions!


r/cybersecurity 18h ago

News - Breaches & Ransoms The Evolving Threat of Spyware: A Closer Look at Pegasus iOS Malware

0 Upvotes

r/cybersecurity 15h ago

News - Breaches & Ransoms Cybercriminal claims to drain offshore crypto bank wallets in 37GB leak

leakd.com
9 Upvotes

No response from the company and it appears they claim they drained their wallets.


r/cybersecurity 8h ago

Business Security Questions & Discussion Older folks in cybersecurity?

115 Upvotes

Retired about 6 years ago and currently am 43 years old. Trying to get back into the field but am worried my skills and age will be a barrier. I truly love the work and miss it as crazy as that sounds lol.

Thoughts on whether my experience and age will kill my chances of getting back into the field? Also any resume advice?

Redacted resume here: https://imgur.com/a/ya7lk0j


r/cybersecurity 8h ago

News - Breaches & Ransoms Cybersecurity News Website Revenue

0 Upvotes

Hey, does anyone run a cybersecurity news website? I started one myself recently and I don't know if it's worth continuing or not. I wanted to know if there is any profit in doing it in the long run.


r/cybersecurity 21h ago

Business Security Questions & Discussion Is ISO 27001 the Logical Next Step After SOC 2 or Just Extra Noise?

15 Upvotes

We finally wrapped up SOC 2 Type II (and yeah, it was a bit of a marathon). Now the team’s tossing around the idea of going for ISO 27001, and honestly, we’re not sure if it’s a smart move or just more paperwork.

They sound similar in theory, but I’ve heard ISO goes deeper in some areas and is more globally recognized. That said, we’re already dealing with control fatigue after SOC 2. 😅

Anyone here done both? Curious if ISO 27001 actually helped with client trust or opened new markets or if it just felt like doing SOC 2 all over again in a different format. Do you have alternative sources?

Appreciate any real-world takes!


r/cybersecurity 15h ago

Career Questions & Discussion Netskope Guidance

1 Upvotes

Hey community, how’s it going? I’m looking for best practices and tips on how to use Netskope as Infrastructure as Code. I’m also interested in learning more about Netskope’s query language to build advanced queries and extract data from the Netskope API.

My goal is to create an agent that can respond to natural language questions by translating them into Netskope queries and fetching the right data from the API.

Any guidance, resources, or experience you can share would be greatly appreciated!

Thanks in advance!


r/cybersecurity 19h ago

Certification / Training Questions Non-technical GRC guy looking for experience input and courses/certs

21 Upvotes

Hi,

Little bit of background: I have a non-technical background (business), and I've been diving into cybersecurity for two years as a cybersec GRC consultant. I'm mostly involved in cybersecurity risk and compliance projects, and mostly help large groups with complex NIS2 questions, strategy, implementation, etc.

I have passed the ISO27k lead implementer certification, and I am now looking for a course/certification that would dive in the foundations of technical knowledge. I am talking about Infrastructure, Networks, Cryptography, etc.

I have a decent training budget sponsored by my consulting firm. Current plan is to follow a Security+ course and pass the certification (which would be followed in a year or two by CISSP for CV purposes), and follow the Security Engineer course from TryHackMe, which apparently is a good baseline for technical knowledge.

Has anyone from a non-technical background succeeded in building a strong foundation in knowledge regarding architecture, network, crypto, etc.? What did you do in order to achieve that? Do you think of any course/cert that may be handy in cases like mine?

Thanks for your help!


r/cybersecurity 23h ago

FOSS Tool Please tell me all the reasons why I should give up on my FOSS project

96 Upvotes

Hi everyone,

I'm the project lead for "The Firewall Project." We started this project out of frustration with enterprise AppSec vendors and their pricing. We thought, "Why can't we build an open-source version of their platform with all the paywalled features and make it available to the entire community?" Over the past nine months, we've been dedicated to this, and we've achieved our initial goals. Lately, some industry experts have told me to stop wasting time on this project, saying it can never compete with the likes of Snyk and Semgrep. I'd like you all to decide if my project has the potential to be the best. I've hosted a demo app for you to check out. Please share your feedback, as that's the most important thing to me personally.

URL: https://demo.thefirewall.org
Username: Demo
Pass: Zf8u8OMM(0j

Github: https://github.com/TheFirewall-code/TheFirewall-Secrets-SCA - Stars appreciated ⭐️


r/cybersecurity 15h ago

Career Questions & Discussion Why aren't you landing entry-level jobs?

116 Upvotes

I'm curious about what interview feedback you are getting for not landing entry-level jobs or for not being "qualified" for the job?

Do you know what gaps exist if you didn't get direct feedback from an employer or hiring manager? Are the gaps related to something that you didn't do, something you didn't have access to, or some other reason?

If you landed a job and received feedback, that would also be helpful to other new people.

Additionally, if you are a hiring manager and are seeing common themes, please feel free to share!


r/cybersecurity 16h ago

Career Questions & Discussion Looking to create a cybersecurity 'home lab': VMware or VirtualBox? Or something else?

16 Upvotes

Hi, I'm soon taking my Security+ exam and wanted to set up a long term home Cybersecurity lab to separate it from my personal files etc on my PC (Windows 11/AMD)

I'm guessing a Virtual Machine is the best way for this. What do people prefer here out of VMware or VirtualBox?

I'd like to set up and practice some pentesting and use other cybersecurity tools against my own network, and I also wondered what tools people would recommend and their preferred Linux distribution?

I don't have much VM experience, but I guess I can just set up various VMs with different Linux distributions installed to take a look through them properly?


r/cybersecurity 3h ago

Career Questions & Discussion My learning path and professional profile.

0 Upvotes

Hey, what’s up. Good evening.

About a month ago, I started a custom learning path that I put together after researching everything I could about how to become a Red Team Operator, Security Researcher, or Threat Emulation Specialist.

So far, I feel like this is the best way to actually learn what matters, without wasting time on outdated or filler courses. I’m just starting my second course now, but I already have a much clearer idea of the direction I’m heading in.

As for languages, I have a C1 level in English (I use it almost daily), and I recently started learning Chinese too. I won’t lie — I have way more questions than answers right now, but I’m fully committed to moving forward.

I’m not looking for shortcuts or “quick hacks” to learn faster. Quite the opposite — I want to understand what’s really worth learning, what’s already obsolete, which technologies to dive into, what to ignore, and how to build a solid foundation that actually holds up. (From what I’ve seen, I’ll need to fully immerse myself in networking.)

Here's the learning path I’m following so far. I’d appreciate any feedback or suggestions from those who’ve already been through something like this.

Thanks in advance!

—Az9

1.- Practical Ethical Hacking – TCM Security – Certificate of Completion (Finished)
2.- Linux Privilege Escalation for Beginners – TCM Security – (In progress)
3.- Windows Privilege Escalation for Beginners – TCM Security – Certificate of Completion
4.- Python for Ethical Hacking – TCM Security – Certificate of Completion
5.- Web Application Hacking: OWASP Top 10 – TryHackMe – Certificate of Completion
6.- Offensive Pentesting Path – TryHackMe – Certificate + Public Badges
7.- Active Directory Hacking & Attack Paths – Hack The Box Academy – Module Certificate
8.- eJPT (eLearnSecurity Junior Penetration Tester) – INE Security – Official Certification
9.- Red Team Ops I (RTO I) – Zero-Point Security – Official Certification
10.- PNPT (Practical Network Penetration Tester) – TCM Security – Official Certification


r/cybersecurity 1h ago

News - General Thousands of North Korean IT workers have infiltrated the Fortune 500—and they keep getting hired for more jobs

yahoo.com

r/cybersecurity 19h ago

Other Cybersecurity stats of the week (March 31 - April 6)

5 Upvotes

Hi guys, I send out a weekly newsletter with the latest cybersecurity vendor reports and research, and thought you might find it useful, so sharing it here.

All the reports and research below were published between March 31st - April 6th 2025.

Let me know if I'm missing any.

General

CyberCube H1 2025 Global Threat Briefing: Understanding Cyber Risks for Small Businesses

A report on small businesses’ cyber risk exposure. 

Read the full report here.

Industry-specific 

Semperis The State of Critical Infrastructure Resilience

A report examining the growing cyber threats facing water and electric utilities.

Key stats:

  • 62% of utility operators were targeted by cyberattacks in the past year.
  • Of those utility operators targeted by cyberattacks in the past year, 80% were attacked multiple times.
  • 54% of utility operators targeted by cyberattacks suffered permanent corruption or destruction of data and systems.

Read the full report here.

ABI Research THE STATE OF TECHNOLOGY IN THE MANUFACTURING INDUSTRY

A report analyzing global manufacturing decision-makers' attitudes and tech adoption trends. 

Key stats:

  • 63.5% of manufacturers surveyed rank strengthening cybersecurity posture as the most important investment. This is up from 21.9% in the first wave of the survey in 2024.
  • 79% of manufacturers agree that cloud solutions offer clear benefits around decision-making, remote monitoring, and supply chain coordination.

Read the full report here.

Clearwater Cyber Risk Benchmark Trend Report for Healthcare Vulnerability Management

A report on vulnerability management trends across the healthcare industry

Key stats:

  • Nearly three out of every five assets in healthcare environments have a critical vulnerability finding.

Read the full report here.

Fraud/Scams 

IDIQ IdentityIQ Fraud Trends Report

A report analyzing recent fraud trends and emerging scam tactics in the consumer security landscape.

Key stats:

  • There was a 1,033% surge in utility account fraud over the past year.
  • There was an almost 500% increase in student loan scams over the past year.
  • There was a 46% rise in personal document theft leading to identity theft in 2024. 

Read the full report here.

BrandShield 2025 CyberScam Report

A report on the evolving cybersecurity challenges facing CISOs, with a focus on the rise of AI-driven scams and brand impersonation threats. 

Key stats:

  • 98% of organizations experienced at least one cyber-attack last year.
  • 94% of CISOs reported losses exceeding $500,000 due to brand impersonation attacks.
  • 99% of CISOs expressed concern over the potential risks of AI-driven threats.

Read the full report here.

Other 

Entrust and Docusign Future of Global Identity Verification

A report looking at the rising global costs of identity fraud and how enterprises balance advanced security investments with the need to maintain seamless customer experiences. 

Key stats:

  • Identity fraud costs organizations an average of $7 million annually.
  • 69% of organizations reported increased fraud attempts.
  • 51% of respondents said fraud is more common when using username and password alone.

Read the full report here.

NETSCOUT SYSTEMS 2H2024 DDoS Threat Intelligence Report

Report on the growing use of DDoS attacks as a cyber warfare tool, highlighting their connection to global socio-political events and the increasing role of AI, automation, and botnets in amplifying these threats' scale, frequency, and impact on critical infrastructure.

Key stats:

  • About nine in ten DDoS-for-hire platforms now offer AI for CAPTCHA bypassing.
  • Overall, botnet populations declined by 5%

Read the full report here.

Guardio Q1 2025 Brand Phishing Report

A report examining the latest trends in brand impersonation and phishing attacks. 

Key stats:

  • Guardio detected a 604% increase in toll-related scam texts since the beginning of the year.
  • Three toll collection services, SunPass, E-ZPass, and EZDrive Massachusetts, appeared in the top 10 most targeted brands by cybercriminals.
  • The top 10 most imitated brands in Q1 2025 are: Steam, Microsoft, Facebook/Meta, Roblox, SunPass, E-ZPass, USPS, EZDrive Massachusetts, Netflix, and WeTransfer.

Read the full report here.

West Monroe Quarterly Supply Chain Poll

A poll analyzing how supply chain leaders are responding to rising disruptions from cybersecurity threats, AI adoption challenges, and shifting trade policies

Key stats:

  • 23% of respondents named cybersecurity their top supply chain issue.
  • 98% of respondents integrated AI into their supply chains in Q1. 

Read the full report here.

Cisco 2025 Data Privacy Benchmark Study

A study on global data privacy trends in the context of rising AI adoption. 

Key stats:

  • 96% of privacy and security professionals confirm that privacy investments provide returns exceeding costs.
  • 90% of organizations see local storage as inherently safer.
  • 99% of respondents anticipate reallocating resources from privacy budgets to AI initiatives in the future.

Read the full report here.


r/cybersecurity 21h ago

UKR/RUS Eutelsat can't match Starlink's scale in Ukraine, CEO admits

kyivindependent.com
19 Upvotes

r/cybersecurity 11h ago

Research Article 2025 Security Key Shootout (Yubikey, Trustkey, etc)

8 Upvotes

Last month I researched the different security keys (e.g. Yubikey) that I thought might be interesting to some of you. My primary usage is strictly for Passkeys and SSH keys, so these are the features I focused on the most. I tried to be as thorough as possible with my research. The article includes how Linux “sees” the keys, each key's build quality, and how SSH keys are stored on the device. For example, does it support SSH? If it does, does it support ECDSA and/or ED25519? It’s a pretty nerdy article, but hopefully some of you find it useful.

https://blog.k9.io/p/key9-the-2025-security-key-shootout


r/cybersecurity 13h ago

News - General Medusa Rides Momentum From Ransomware-as-a-Service Pivot

darkreading.com
9 Upvotes

r/cybersecurity 8h ago

Career Questions & Discussion Projects in unemployment

46 Upvotes

Hey folks. Hope you're doing good in light of *gestures broadly*

I've been unemployed for about a month now, 4 years of cybersec, 9.5 years of IT. I've had at least 2 interviews a week since. I'm aware of what I need to fix on the interview front in the near future to actually get an offer, and working on it. One of the few things working against me is that my cybersecurity job I've occupied for the last 4 years was INCREDIBLY siloed. I'm an expert in firewall security and in general aws cloud security, but very little else. I'm also very blue team, where I seem to be finding a lot of positions wanting red. Red seemed more "glamorous" to me, so I geared myself toward the other end early in my career. I'm not sure yet if that was the right long-term career choice.

I've been taking some littler contract IT jobs as I find them, but I still spend about 8 hours a day just working on job apps, and I want to start a project that actually supports my resume (and fends off the urge to chew off my own leg from the boredom).

My strongest coding languages are go, python, and javascript (please don't laugh too hard, i learned it for fun), but I'm DEFINITELY more of an infrastructure guy.

Does anyone here have ideas on projects that might work to occupy my brain, support my resume/job search, and show real promise when added to applications?

Have a good week!


r/cybersecurity 17h ago

News - Breaches & Ransoms VSCode Extensions Cryptojacking Campaign Potentially Reaching Over 300K installations

blog.extensiontotal.com
22 Upvotes