Blog

Insights, tutorials, and best practices for secure development

HIPAA Security Scanning: Map Technical Safeguards to Automated Vulnerability Detection

HIPAA security scanning maps technical safeguards to SAST, SCA, and DAST tools. Automate ePHI risk analysis and produce audit-ready evidence.

Apr 12, 20263 min read

pci-dssvulnerability-scanningcompliance+1 more

PCI DSS Vulnerability Scanning: Map Requirements to Tools and Pass Your Audit

PCI DSS vulnerability scanning maps key requirements to scanning tools. Learn quarterly ASV scans vs. continuous scanning and what auditors expect.

Apr 12, 20263 min read

supply-chainpypiai-security+1 more

The Mercor Breach: How a Poisoned Security Scanner Cascaded Through AI Infrastructure

A threat group compromised Trivy, used it to steal LiteLLM's PyPI credentials, and published poisoned packages that led to a 4TB data breach at Mercor. Here's how the cascading supply chain attack worked and what it means for AI infrastructure security.

Apr 11, 20267 min read

security-headersweb-securitysecurity-scanning+1 more

Security Headers Check — Are Your HTTP Headers Protecting You?

A security headers check reveals if your HTTP headers defend against clickjacking, XSS, and MIME sniffing. Learn to configure every critical header.

Apr 11, 20264 min read

compliancesoc2security-scanning+1 more

SOC 2 Compliance: Security Requirements for Engineering Teams

SOC 2 compliance requirements map to Trust Services Criteria CC6, CC7, and CC8. Learn what engineering teams must implement, which tools help, and how to produce audit evidence.

Apr 11, 20266 min read

dastci-cdsecurity-testing+3 more

How to Integrate DAST Into Your CI/CD Pipeline

Learn how to integrate DAST into CI/CD pipelines with staging environments, authenticated scans, failure thresholds, and PR-level results.

Apr 10, 20264 min read

ai-securityvulnerability-scanningappsec+1 more

Rafter Is Glasswing for the Rest of Us

Anthropic's $100M Project Glasswing uses an unreleased frontier model to find zero-days in critical infrastructure. Most teams need something different: automated scanning that catches known vulnerabilities on every pull request.

Apr 10, 20265 min read

dastsecuritytools+2 more

DAST Tools Comparison: ZAP vs Burp Suite vs Invicti vs Acunetix vs Nuclei (2026)

Compare top DAST tools — ZAP, Burp Suite, Invicti, Acunetix, and Nuclei — on pricing, scan speed, false positives, and CI/CD integration.

Apr 8, 202613 min read

devsecopsmetricssecurity-kpis+2 more

5 DevSecOps Metrics That Prove Your Security Program Works

Track DevSecOps metrics like MTTR, escape rate, and scan coverage. Learn the five KPIs that turn security into a measurable program.

Apr 8, 20263 min read

devsecopssecurity-toolssdlc+2 more

DevSecOps Tools Comparison: Map Your Toolchain Across Every SDLC Phase

Compare DevSecOps tools across every SDLC phase — plan, code, build, test, deploy, and monitor. Open-source and commercial options included.

Apr 7, 202612 min read

secrets-detectionhardcoded-credentialsdevsecops+1 more

Secrets Detection: How to Find and Fix Hardcoded Credentials in Your Code

Secrets detection tools find hardcoded API keys, passwords, and tokens before production. Learn how regex and entropy scanning work.

Apr 7, 20264 min read

ai-securityai-agentssupply-chain+2 more

The AI Agent Attack Surface Is Real: 5 Incidents That Prove It

Five real AI agent security incidents. Three attack patterns. One conclusion: the agent attack surface isn't theoretical anymore. Here's what the incidents prove and what to do about it.

Apr 6, 20268 min read

Showing 13–24 of 191 posts