MVP Threat Modeling for SaaS Startups: A 60-Minute, One-Page Method

Most SaaS startups don’t fail their first security review because the framework was too hard. They fail because nobody owned login abuse until a customer flagged it. They fail because admin role changes were trusted on the client side. They fail because webhooks weren’t signed and a third party became an attacker. These are not exotic problems. They are basic ones, and they almost always trace back to the same root cause: there was no moment in the build process where someone asked, “how could this be misused?” ...

May 5, 2026 · 16 min · GRC Vitrix

SOC 2 and AI Agents: The Logging Gap That Will Show Up in Your Next Audit

For about 20 years, SOC 2 logging worked because it answered one question: who did what, when? User logs in. Developer pushes code. Admin changes a permission. Every meaningful action traced back to a human identity. Every framework — SOC 2, ISO 27001, NIST 800-53 — assumed this. Logging infrastructure was built around it. AI agents are quietly breaking that assumption. If you’re shipping AI features on top of customer data — even just an internal automation that summarizes vendor contracts or routes support tickets — you’re running a system that takes actions, accesses data, and makes decisions. Your SIEM sees the API calls. It does not see what the agent was trying to do, why it picked one file over another, or what it produced as a result. ...

May 5, 2026 · 11 min · GRC Vitrix

This Week in Security - Week 19, May 2026

Weekly security intelligence digest covering the most critical vulnerabilities, threats, and breach news from the past week. ...

May 4, 2026 · 7 min · GRC Vitrix

This Week in Security - Week 18, April 2026

Weekly security intelligence digest covering the most critical vulnerabilities, threats, and breach news from the past week. ...

April 27, 2026 · 8 min · GRC Vitrix

This Week in Security - Week 17, April 2026

Weekly security intelligence digest covering the most critical vulnerabilities, threats, and breach news from the past week. ...

April 20, 2026 · 6 min · GRC Vitrix

This Week in Security - Week 16, April 2026

Weekly security intelligence digest covering the most critical vulnerabilities, threats, and breach news from the past week. ...

April 13, 2026 · 4 min · GRC Vitrix

We Ran an AI Workshop at Burlington Central Library — Here's What Happened

On April 11 we ran a free 90-minute AI workshop at Burlington Central Library — Ron Ness Training Room — for finance professionals in the area. 10 people showed up. Most had never seriously used Claude or Gemini before. By the end they were building their own prompts and applying them to real accounting work. Here’s what we covered and what we learned. Who showed up: accountants, bookkeepers, a couple of small business owners, and a few finance students. Mix of experience levels — some had tried ChatGPT once or twice, others had never opened it. ...

April 13, 2026 · 3 min · Rajen

how to set up claude cowork (and actually use it)

Most people download claude, open it, type a question, and think that’s it. that’s like buying a laptop and only using the calculator app. claude cowork is different. it’s not a chatbot. it’s more like an employee who works in your computer — reads your files, writes real documents, runs tasks while you sleep, and never has to be re-explained who you are. but it only works if you set it up right. so here’s exactly how. ...

April 12, 2026 · 4 min · Rajen

This Week in Security - Week 15, April 2026

Weekly security intelligence digest covering the most critical vulnerabilities, threats, and breach news from the past week. ...

April 6, 2026 · 6 min · Rajen

Why Passkeys Are Becoming a Compliance Requirement, Not Just a Security Upgrade

If you have MFA enabled, you may still have a control gap. Here is why phishing-resistant authentication is becoming an auditor expectation — and how passkeys close that gap. ...

April 2, 2026 · 7 min · Rajen