Tools and Methods on BSG Blog — Cybersecurity Insights

Mobile App Security Testing: iOS and Android Pentest Guide

Mon, 23 Mar 2026 09:00:00 +0000

Your mobile app runs on devices you don’t control, in environments you can’t predict. That binary sitting on a user’s phone — with its local storage, hardcoded configuration, and network calls — is an entirely different attack surface from your web application. It demands a different testing approach.

Penetration Testing Cost in 2026: $4K–$100K+ Guide

Tue, 17 Mar 2026 09:00:00 +0000

If you’re searching for “how much does a penetration test cost,” you want numbers — not vague marketing. Here’s the direct answer: most penetration tests cost between $4,000 and $25,000, with complex enterprise engagements reaching $100,000 or more. But that range is meaningless without understanding what drives the price.

AI Is Changing AppSec: Agentic Security Tools in 2026

Wed, 04 Mar 2026 11:56:21 +0000

February 2026 was a month that made the application security world pay attention. Anthropic launched Claude Code Security — a system that had already found over 500 zero-day vulnerabilities in production open-source codebases before it shipped. Days earlier, the open-source Raptor framework showed that a properly orchestrated LLM could autonomously run Semgrep scans, execute CodeQL queries, validate whether findings are exploitable, generate proof-of-concept exploits, and produce patches. All in a single workflow.

Cloud Penetration Testing: AWS, Azure & GCP Security Assessment

Thu, 19 Feb 2026 16:40:30 +0000

Migrating to the cloud does not eliminate security risk — it transforms it. AWS, Azure, and GCP handle infrastructure-level protections, but the responsibility for securing configurations, identities, data, and workloads still falls on your organisation.

Cloud penetration testing is a controlled security assessment that simulates real-world attacks against your cloud environment. Unlike automated scanning, a cloud pentest uses manual techniques to chain together misconfigurations, overly permissive IAM policies, and exposed services into attack paths that actually compromise data.

MITRE D3FEND Framework: Complete Guide for Defensive Security

Thu, 29 Jan 2026 17:00:00 +0000

MITRE D3FEND is a knowledge graph of cybersecurity countermeasures that gives defenders a structured way to select, organize, and communicate defensive techniques. While MITRE ATT&CK catalogs how adversaries attack, D3FEND answers the follow-up question every blue team asks: what exactly should we do about it?

AI Agent Security: Malicious Skills Threatening Dev Environments

Sat, 24 Jan 2026 14:57:24 +0000

AI coding assistants like Claude, GitHub Copilot, and Cursor have transformed how developers work. But with great power comes a new attack surface: executable skills that can turn your trusted AI assistant into a threat actor.

Recent security research has uncovered a concerning pattern. Skills—the plugins and extensions that give AI agents their capabilities—can harbor malicious code that executes with your permissions, accesses your credentials, and spreads across your infrastructure. This isn’t theoretical: researchers have demonstrated skill worms that propagate through SSH configurations, exfiltrate secrets via base64-encoded curl commands, and persist across sessions.

Black Box vs White Box vs Grey Box Pentest

Fri, 23 Jan 2026 15:36:12 +0000

What’s the difference between black box, white box, and grey box penetration testing? If you think it’s about access levels, you’re wrong—and you’re not alone.

Most cybersecurity professionals, vendors, and even some pentest firms get this fundamentally wrong. The confusion costs companies money, weakens security assessments, and leads to compliance issues.

Small Business Cybersecurity: Essential Checklist

Fri, 16 Jan 2026 16:07:54 +0000

These cyber security for small business recommendations focus on the conventional Small and Medium Enterprise organizations. This text does not cover startup specifics or the application security needs of software development companies. This is just a checklist of the most crucial cyber security measures every small business owner can and must implement.

API Security Testing: OWASP API Top 10 Walkthrough

Wed, 14 Jan 2026 21:56:37 +0000

Introduction

APIs (Application Programming Interfaces) have become the backbone of modern software architecture. From mobile apps to microservices, organisations rely on APIs to connect systems, share data, and deliver functionality. But this connectivity comes with risk.

In 2026, APIs represent one of the most common attack vectors in web applications. According to industry data, 57% of organisations experienced an API-related data breach in the past year, with 73% of those facing three or more separate incidents. Major breaches continue to be traced back to insecure API endpoints.

OWASP LLM Top 10 (2025): Vulnerabilities & Mitigations

Mon, 12 Jan 2026 18:20:19 +0000

Every organisation seems to be integrating large language models into their products and workflows. Chatbots, code assistants, document analysers, customer service agents—generative AI is everywhere. But security hasn’t kept pace with adoption.

OWASP recognised this gap and released a dedicated Top 10 for LLM Applications. Unlike traditional web vulnerabilities that developers have been battling for decades, LLM risks are fundamentally different. These systems process natural language, generate unpredictable outputs, and often have access to sensitive data and powerful actions. The attack surface is unlike anything we’ve seen before.

OWASP Top 10 2025: What Changed and Why It Matters

Mon, 12 Jan 2026 01:23:41 +0000

The OWASP Top 10 is the definitive benchmark for web application security. The 2025 release brings the most significant changes in years: two entirely new vulnerability categories and major ranking shifts that reflect how modern attacks have evolved.

These changes aren’t academic—they shape security policies, penetration testing requirements, and development practices across the industry. Understanding what changed helps security teams prioritise resources and protect what matters most.

EU Radio Equipment Directive 2025: RED & EN 18031 Guide

Sun, 23 Nov 2025 14:36:33 +0000

From 2025, the European Union is raising the bar for cybersecurity in every connected device that uses radio technologies. If your product communicates via Wi-Fi, Bluetooth, cellular, Zigbee, LoRa, or any other radio interface, its path to the EU market now runs through a new compliance regime: RED cybersecurity requirements, the EN 18031 harmonised standards, and the Delegated Regulation (EU) 2022/30.

Cybersecurity Professional Standards

Tue, 29 Jul 2025 13:41:52 +0000

The latest NCSC Cyber Series podcast gathers three voices who know the battlefield from different angles:

Tracey Jones, Senior Analyst at the Bank of England; Gian Andrea Padovani, Senior Manager in the PRA’s Cyber-Resilience team; and Chris Ensor, Deputy Director for Cyber Growth at the NCSC. Their discussion turns a spotlight on an issue that rarely makes headlines yet shapes every breach report we read: professional standards.

TLPT: Threat Led Penetration Testing Explained

Fri, 20 Jun 2025 10:00:00 +0000

Threat Led Penetration Testing (TLPT), also known as threat-led pentesting, is the gold standard for realistic cybersecurity validation. TLPT combines the latest threat intelligence, red teaming tactics, and business risk analysis to simulate attacks that your organization is most likely to face. Unlike generic pentesting, TLPT tests not just your systems for vulnerabilities, but also your ability to detect, respond to, and contain those attacks in real time.

Cyber Incident Response Plan for Small Business [2025]

Sat, 03 May 2025 16:06:58 +0000

In today’s volatile cyber landscape, even small businesses are not immune to disruptive cyberattacks. Ransomware, phishing, and data breaches increasingly target companies of all sizes, and the ability to respond effectively can mean the difference between recovery and ruin. Interestingly, a valuable resource developed for UK local governments offers practical lessons for the private sector: the Local Government Association’s “Cyber Incident Grab Bag.”

Unforgivable Software Vulnerabilities

Fri, 04 Apr 2025 16:27:14 +0000

Every piece of software has bugs. Many have vulnerabilities. But not all software vulnerabilities are created equal.

Some are complicated, buried deep in obscure logic, or made possible by bleeding-edge exploit techniques. Others—well, others are glaringly obvious. These are the ones that make security professionals shake their heads and ask: How did this ever make it to production?

Cyber Kill Chain & MITRE ATT&CK Defense Guide | BSG

Thu, 06 Feb 2025 15:41:48 +0000

In today’s threat landscape, cyberattacks are more sophisticated and persistent than ever. Organizations need structured approaches to detect, analyze, and respond to threats effectively. Two critical frameworks that have shaped modern cybersecurity defense are the Cyber Kill Chain and the MITRE ATT&CK Framework. Understanding these models can significantly improve threat detection, incident response, and overall cybersecurity resilience.

End-to-End Encrypted Messaging: Why It Matters in 2026

Fri, 06 Dec 2024 21:10:51 +0000

As cyber threats evolve, secure communication is becoming a cornerstone of both personal privacy and organizational security. In late 2024, the FBI and CISA explicitly urged Americans to use encrypted messaging apps after the Salt Typhoon campaign compromised major U.S. telecommunications providers, exposing real-time calls and text messages to Chinese intelligence. Their message was clear: if your communications aren’t encrypted, they’re vulnerable.

Enhancing Cybersecurity to Align with NIS2 Directive

Mon, 02 Dec 2024 16:11:58 +0000

The European Union’s NIS2 Directive, reinforced by ENISA’s 2024 Implementation Guidance, sets a comprehensive standard for [cybersecurity](https://bsg.tech/cyber-security/) across critical and digital service providers. For business leaders, adopting these practices ensures regulatory compliance and builds organizational resilience.

Understanding the NIS2 Directive and ENISA’s Guidance

The NIS2 Directive mandates robust cybersecurity measures for entities across sectors such as cloud computing and online platforms. ENISA’s guidance provides actionable steps to implement these measures effectively, emphasizing risk management, incident handling, and supply chain security.

Empowering Cybersecurity Governance: NCSC’s Board Toolkit

Sun, 01 Dec 2024 12:07:28 +0000

Cybersecurity is no longer just a technical issue; it’s a critical business risk that directly impacts organizational stability, reputation, and financial health. As digital dependency increases, so does exposure to cyber threats, from data breaches to ransomware attacks and supply chain vulnerabilities. For board members, addressing cybersecurity is not optional—it’s essential.

Security Awareness Training: Does It Actually Work?

Mon, 25 Nov 2024 16:48:56 +0000

Phishing attacks remain the top cybersecurity threat globally, accounting for 33% of data breaches in small and medium businesses according to Verizon’s 2025 Data Breach Investigation Report. Despite investing heavily in employee training programs, organizations often find themselves repeatedly compromised. This raises a critical question: How effective are these phishing training programs in preventing real-world attacks?

SAMMY: Free Tool to Implement OWASP SAMM Security

Mon, 04 Nov 2024 16:48:46 +0000

In today’s rapidly evolving digital landscape, ensuring the security of software applications is paramount. The OWASP Software Assurance Maturity Model (SAMM) provides organizations with a structured framework to assess and enhance their software security practices. To effectively implement SAMM, organizations can leverage SAMMY, a comprehensive management tool developed by Codific.

How to Show Return on Cyber Security Investment

Thu, 28 Dec 2023 12:00:00 +0000

Demonstrating your return on cybersecurity investment to investors, boards, and top managers is one of the hardest challenges a CISO faces. Yet ROSI (Return on Security Investment) has become a non-negotiable KPI — especially since the SEC’s 2023 cybersecurity disclosure rules now require public companies to report board oversight of cyber risk.