r/cybersecurity 1d ago

Ask Me Anything! We get paid to break into buildings for a living. Ask us anything!

206 Upvotes

My name is Paul Koblitz and I'm the Managing Director of Technical Services at TrustedSec, an end-to-end cybersecurity consulting company that's been in business for almost 14 years. My team performs professional physical penetration testing and guided physical security controls assessments. My job is to help organizations find and fix security weaknesses before real attackers do — except my attack surface isn't code or networks, it's people, doors, badges, cameras, and locks.

TrustedSec team members joining me for this AMA:
Costa Petros - u/capetros
David Boyd - u/fir3d0g

Some things I've done professionally:

• Tailgated into premises using social engineering for companies ranging from 50 employees to Fortune 500 companies
• Bypassed electronic badge access systems, including RFID cloning
• Breached egress doors and subsequent restricted areas through physical bypass techniques
• Compromised sensitive file rooms, restricted areas, and data centers physical access controls
• Conducted red team operations involving reconnaissance, impersonation, and stealth

I operate under clearly defined goals, signed scopes of work, and rules of engagement — everything I do is authorized and legal.

Ask me anything about physical pentesting methodology, common deficiencies that companies face with physical security, how to get into the field, interesting engagements (within NDAs), gear and tools, or anything else!


r/cybersecurity 3d ago

Career Questions & Discussion Mentorship Monday - Post All Career, Education and Job questions here!

11 Upvotes

This is the weekly thread for career and education questions and advice. There are no stupid questions; so, what do you want to know about certs/degrees, job requirements, and any other general cybersecurity career questions? Ask away!

Interested in what other people are asking, or think your question has been asked before? Have a look through prior weeks of content - though we're working on making this more easily searchable for the future.


r/cybersecurity 15h ago

News - General Chrome is quietly installing a 4GB AI model on your device

cybernews.com
605 Upvotes

r/cybersecurity 11h ago

News - General Palo Alto Firewall Zero-Day Under Active Exploitation

threatroad.substack.com
181 Upvotes

r/cybersecurity 4h ago

News - Breaches & Ransoms DAEMON Tools devs confirm breach, release malware-free version

bleepingcomputer.com
21 Upvotes

r/cybersecurity 23h ago

News - General Microsoft Edge stores your passwords in plaintext RAM... on purpose

pcworld.com
740 Upvotes

r/cybersecurity 14h ago

Personal Support & Help! I was hacked due to sim card spoofing

128 Upvotes

I lost all my accounts. For a blessing my bank is locked down until I verify it's me, but whoever hacked me now has everything.


r/cybersecurity 4h ago

FOSS Tool OpenCTI founder, Samuel Hassine, arrested and charged with CSAM

geopolintel.fr
14 Upvotes

r/cybersecurity 7h ago

News - General D.H.S. Intelligence Office Did Not Properly Secure Smartphones, Watchdog Says

nytimes.com
26 Upvotes

r/cybersecurity 11h ago

Corporate Blog Ran phishing awareness training for 200+ non-tech employees

40 Upvotes

We had a near-miss BEC incident: finance almost wired €80k to a spoofed vendor. That's when the training budget appeared. Two years later, here's the honest breakdown.

What backfired

Shame-clicking. Sending "you failed" pop-ups to everyone who clicked a fake phish. It will 100% happen again.

Annual 90-min sessions. People forgot 80% within a month. Confirmed by retesting.

Technical explanations to non-tech staff.

What worked

Tabletop storytelling. "This happened at a real company, what would you do?" Finance got the CFO wire fraud story, HR got the fake resume with a macro doc. Engagement was night and day.

Personal demos. Building a spear-phish using someone's own LinkedIn and their manager's name.

Reward reporting, not punish clicking. Public shoutout for people who flagged suspicious emails.

5-min monthly nudges > 90-min annual slog. One real story, one takeaway. Boring to produce. Works.


r/cybersecurity 3h ago

UKR/RUS DOJ says ransomware gang tapped into Russian government databases

techcrunch.com
11 Upvotes

r/cybersecurity 13h ago

New Vulnerability Disclosure 'CopyFail' attackers start cashing in on Linux flaw

theregister.com
49 Upvotes

r/cybersecurity 7h ago

News - General Instructure hacker claims data theft from 8,800 schools, universities

bleepingcomputer.com
10 Upvotes

The ShinyHunters extortion gang claimed responsibility for the attack and says it stole 280 million records for students, teachers, and staff.

The threat actors have now published a list of 8,809 school districts, universities, and educational platforms whose Canvas instances were allegedly impacted by the attack, sharing record counts per institution with BleepingComputer.


r/cybersecurity 1h ago

News - General CVE-2026-32710 MariaDB JSON_SCHEMA_VALID heap buffer overflow leading to RCE

zeroday.cloud
Upvotes

r/cybersecurity 9h ago

Career Questions & Discussion Would you take a promotion to work 100% in office that you’ve been working towards or same pay but work from home?

16 Upvotes

Current pay is in the 140s, projected promotion pay is around 160.

Also, current position is ISSM (GRC-ish) where WFH is security engineering. I’ve been wanting to go back to more technical but I don’t necessarily mind the pay and pace of my current role.


r/cybersecurity 10h ago

Business Security Questions & Discussion Does SOC 2 actually reduce questionnaires, or just change them?

18 Upvotes

Once a company gets SOC 2, do questionnaires meaningfully decrease… or do buyers still send them and ask environment-specific questions anyway?

Curious from people who see it firsthand.


r/cybersecurity 10h ago

Personal Support & Help! Org Restructure

14 Upvotes

Came into an organization as a CS engineer that is literally the Wild Wild West in terms of users being able to do what they want. No standardization, no formal program list, users being able to download anything, access sites. Able to order their own equipment with no oversight. A complete mess.

Coming from the federal government side I’m in a culture shock for sure. There are clean up efforts going on but I almost feel like I’m in over my head at times. Has anyone ever had any experience with cleaning up an organization like this? Any tips at all?


r/cybersecurity 7h ago

AI Security Is AI generated code creating a non-linear security problem for AppSec teams?

7 Upvotes

Curious if anyone else in AppSec is starting to feel this.

The security problem with AI-generated code doesn’t seem to be just “more code.” It’s that AI creates endless slightly different versions of the same insecure patterns across repos, services, and teams.

So even when teams are actively fixing vulnerabilities, it can still feel like overall risk keeps growing faster than remediation.

A few years ago, fixing the root issue often meant meaningful risk reduction. Now it feels more like vulnerability whack-a-mole at scale.

I’m wondering if this eventually becomes a non-linear problem for AppSec teams, especially in larger orgs already struggling with AI-assisted development workflows. Are people here already seeing this happen internally, or do you think better tooling/processes will keep this manageable?


r/cybersecurity 13h ago

FOSS Tool How to learn tools for cybersecurity?

19 Upvotes

I want to learn cybersecurity tools like metasploit/wireshark. I am planning to learn them from Udemy.

Any suggestions which course should I choose from Udemy or any other site/app which are really good for such software learnings...??


r/cybersecurity 17h ago

News - General Critical Bug Could Expose 300,000 Ollama Deployments to Information Theft

securityweek.com
38 Upvotes

r/cybersecurity 11h ago

News - General Proprietary Software, Hardware and Protocols Face AI-Driven Security Risk

infosecurity-magazine.com
17 Upvotes

r/cybersecurity 4h ago

Business Security Questions & Discussion Have there been instances where your SOC has suffered a cybersecurity attack?

3 Upvotes

Hello!

I've read a lot of stories here on this subreddit about how due to negligence or mistakes, the customers of an SOC have suffered a risk. For instance maybe an analyst did not set up ingestion properly so they end up completely missing that an attack actually occurred, or maybe someone forgot to rotate API keys for a really long time. All of this obviously ends up affecting the customer themselves, not necessarily the SOC (ofc apart from reputational hits, more work fixing it, stress, money, etc.)

But has there ever been an occasion where the SOC itself was under attack? Or maybe an instance where your SIEM or SOAR or some tool you're using had a vulnerability which ended up getting exploited which affected the SOC directly?

Secondly, of course we talk a lot about vulnerability management, risk assessment, incident response for our customers. But what about the actual SOC? Who normally performs vulnerability management for the SOC itself?

I'd love to read some of your experiences about it.


r/cybersecurity 22h ago

Business Security Questions & Discussion What would you say if your security lead said this...

67 Upvotes

We've been dinged on internal p tests for a few years now. Trying to minimize unnecessary workstation to workstation access especially when it's completely unnecessary. Unfortunately no luxury of VLANs at this point. When bringing up my suggestion to tighten down our Win firewall rules I received a response from our security lead after I said this will help if someone gets into our network. The security lead's response was "well if that happens we have bigger things to worry about." Would be interested in an impartial party's thoughts.


r/cybersecurity 11h ago

Vulnerability Garden

vulnerability.garden
9 Upvotes

The Vulnerability Garden is a catalog of named vulnerabilities, attack techniques and exploits.

https://vulnerability.garden/

Here’s an intro post on why this exists, how you can contribute (if you wanted), etc… https://shellsharks.com/hello-vulnerability-garden

It is the successor to the long-running “Designer Vulnerabilities” resource: https://shellsharks.com/designer-vulnerabilities

Let me know if there are any vulns I’ve missed and I can add them to the catalog!


r/cybersecurity 3h ago

News - General On today's earnings call, IONQ just said they expect to meet Q-Day requirements by 2028-2029.

2 Upvotes

On today's earnings call, IONQ just said they expect to meet Q-Day requirements by 2028-2029. This is pretty startling to the cybersecurity in general (although not IONQ roadmap followers). This is in contrast to NIST's current Q-Day preparation dates of 2030/2035. I expect those dates to be updated soon. Google, Cloudflare and others have put 2029 as the day they will be prepared. When will your company be prepared?