<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>BSG Blog — Cybersecurity Insights</title><link>https://bsg.tech/blog/</link><description>Recent content on BSG Blog — Cybersecurity Insights</description><generator>Hugo</generator><language>en</language><lastBuildDate>Wed, 24 Jun 2026 09:00:00 +0000</lastBuildDate><atom:link href="https://bsg.tech/blog/index.xml" rel="self" type="application/rss+xml"/><item><title>MITRE ATT&amp;CK for Pentesters: A Practical Guide</title><link>https://bsg.tech/blog/mitre-attack-for-pentesters/</link><pubDate>Thu, 04 Jun 2026 10:00:00 +0000</pubDate><guid>https://bsg.tech/blog/mitre-attack-for-pentesters/</guid><description>&lt;p&gt;If your mental model of Enterprise ATT&amp;amp;CK is a fourteen-tactic grid, it is already out of date. &lt;strong&gt;&lt;a href="https://attack.mitre.org/"&gt;MITRE ATT&amp;amp;CK v19&lt;/a&gt;&lt;/strong&gt;, released on 28 April 2026, split the long-standing &lt;em&gt;Defense Evasion&lt;/em&gt; tactic into two — &lt;strong&gt;Stealth&lt;/strong&gt; (TA0005) and &lt;strong&gt;Defense Impairment&lt;/strong&gt; (TA0112) — taking Enterprise ATT&amp;amp;CK to &lt;strong&gt;15 tactics, 222 techniques, and 475 sub-techniques&lt;/strong&gt;.&lt;/p&gt;</description></item><item><title>Patching Fast and Slow</title><link>https://bsg.tech/blog/patching-fast-and-slow/</link><pubDate>Thu, 21 May 2026 12:00:00 +0200</pubDate><guid>https://bsg.tech/blog/patching-fast-and-slow/</guid><description>&lt;p&gt;The patch wave is here. Not coming — here.&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://www.securityweek.com/verizon-dbir-2026-vulnerability-exploitation-overtakes-credential-theft-as-top-breach-vector/"&gt;Verizon 2026 DBIR&lt;/a&gt; reports that vulnerability exploitation now accounts for 31% of initial access vectors, overtaking credential abuse and phishing for the first time. Mandiant&amp;rsquo;s M-Trends 2026 puts the number at 32% — the sixth consecutive year exploitation has led. Meanwhile, patching is getting worse: only 26% of CISA KEV catalog vulnerabilities were fully remediated last year, down from 38% the year before. Median time to patch climbed to 43 days.&lt;/p&gt;</description></item><item><title>LLM Penetration Testing: 2026 Methodology Guide</title><link>https://bsg.tech/blog/llm-penetration-testing-methodology/</link><pubDate>Sat, 02 May 2026 13:00:00 +0000</pubDate><guid>https://bsg.tech/blog/llm-penetration-testing-methodology/</guid><description>&lt;p&gt;LLM penetration testing is not a normal web-app pentest with a chatbot bolted on. The attack surface includes the prompt layer, model behaviour, retrieval (RAG), tool and agent invocation, and output handling — and the most damaging failures usually live in the seams between those layers.&lt;/p&gt;</description></item><item><title>Kubernetes Pentest in 2026: What It Actually Covers</title><link>https://bsg.tech/blog/container-security-kubernetes-pentesting/</link><pubDate>Mon, 20 Apr 2026 10:00:00 +0000</pubDate><guid>https://bsg.tech/blog/container-security-kubernetes-pentesting/</guid><description>&lt;p&gt;A Kubernetes pentest is not a network pentest with YAML on top. It is a different engagement — different scope, different assumptions, different attacker model — and by 2026 that difference matters more than ever.&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://www.cncf.io/announcements/2026/01/20/kubernetes-established-as-the-de-facto-operating-system-for-ai-as-production-use-hits-82-in-2025-cncf-annual-cloud-native-survey/"&gt;CNCF&amp;rsquo;s 2026 cloud-native survey&lt;/a&gt; reports that &lt;strong&gt;82% of container users now run Kubernetes in production&lt;/strong&gt;, up from 66% in 2023. Red Hat&amp;rsquo;s &lt;a href="https://www.redhat.com/en/engage/state-kubernetes-security-report-2024"&gt;2024 State of Kubernetes Security&lt;/a&gt; found that &lt;strong&gt;89% of organizations had at least one container or Kubernetes security incident&lt;/strong&gt; in the preceding twelve months, and 46% of them lost revenue or customers as a result. Wiz&amp;rsquo;s &lt;a href="https://www.wiz.io/reports/kubernetes-security-report-2025"&gt;2025 Kubernetes Security Report&lt;/a&gt; puts the speed of opportunistic attacks in stark terms: &lt;strong&gt;a newly provisioned AKS cluster sees its first attack attempt within 18 minutes&lt;/strong&gt;; EKS within 28.&lt;/p&gt;</description></item><item><title>Cyber Defense Exercises: 40 Teams, 15 Countries</title><link>https://bsg.tech/blog/building-realistic-cyber-defense-exercise-lessons/</link><pubDate>Wed, 08 Apr 2026 08:00:00 +0000</pubDate><guid>https://bsg.tech/blog/building-realistic-cyber-defense-exercise-lessons/</guid><description>&lt;p&gt;Most organizations test their defenses with tabletop exercises — facilitated discussions where someone reads a scenario and teams talk through their response. Tabletops test process. They don&amp;rsquo;t test capability.&lt;/p&gt;
&lt;p&gt;BSG has spent over a decade on the offensive side — &lt;a href="https://bsg.tech/penetration-testing/"&gt;penetration testing&lt;/a&gt;, red teaming, and running CTF competitions at security conferences across Europe. A few years ago, we &lt;a href="https://bsg.tech/blog/bsg-won-sans-netwars-tournament/"&gt;won SANS Grid NetWars&lt;/a&gt;, a defensive investigation tournament, and something clicked: the same skills that make a good attacker make a good exercise designer. We know how real adversaries operate because that&amp;rsquo;s what we do every day. Building realistic exercises for blue teams was a natural next step.&lt;/p&gt;</description></item><item><title>Boutique Cybersecurity Firm: Expertise Over Brand</title><link>https://bsg.tech/blog/what-makes-a-boutique-cybersecurity-firm-different/</link><pubDate>Mon, 30 Mar 2026 09:00:00 +0000</pubDate><guid>https://bsg.tech/blog/what-makes-a-boutique-cybersecurity-firm-different/</guid><description>&lt;p&gt;Here&amp;rsquo;s something most security buyers learn the hard way: the firm you hire and the people who do the work are often not the same.&lt;/p&gt;
&lt;p&gt;At large consultancies, a senior partner sells the engagement. A project manager scopes it. Then the actual testing gets handed to whoever is available — often a junior analyst running automated scans and filling in report templates. You pay for brand recognition, not expertise.&lt;/p&gt;</description></item><item><title>Mobile App Security Testing: iOS and Android Pentest Guide</title><link>https://bsg.tech/blog/mobile-app-security-testing-ios-android/</link><pubDate>Mon, 23 Mar 2026 09:00:00 +0000</pubDate><guid>https://bsg.tech/blog/mobile-app-security-testing-ios-android/</guid><description>&lt;p&gt;Your mobile app runs on devices you don&amp;rsquo;t control, in environments you can&amp;rsquo;t predict. That binary sitting on a user&amp;rsquo;s phone — with its local storage, hardcoded configuration, and network calls — is an entirely different attack surface from your web application. It demands a different testing approach.&lt;/p&gt;</description></item><item><title>Penetration Testing Cost in 2026: $4K–$100K+ Guide</title><link>https://bsg.tech/blog/what-can-you-expect-to-pay-for-penetration-testing/</link><pubDate>Tue, 17 Mar 2026 09:00:00 +0000</pubDate><guid>https://bsg.tech/blog/what-can-you-expect-to-pay-for-penetration-testing/</guid><description>&lt;p&gt;If you&amp;rsquo;re searching for &amp;ldquo;how much does a penetration test cost,&amp;rdquo; you want numbers — not vague marketing. Here&amp;rsquo;s the direct answer: &lt;strong&gt;most penetration tests cost between $4,000 and $25,000&lt;/strong&gt;, with complex enterprise engagements reaching $100,000 or more. 
But that range is meaningless without understanding what drives the price.&lt;/p&gt;</description></item><item><title>AI Is Changing AppSec: Agentic Security Tools in 2026</title><link>https://bsg.tech/blog/ai-appsec-agentic-security-tools-2026/</link><pubDate>Wed, 04 Mar 2026 11:56:21 +0000</pubDate><guid>https://bsg.tech/blog/ai-appsec-agentic-security-tools-2026/</guid><description>&lt;p&gt;February 2026 was a month that made the application security world pay attention. Anthropic launched &lt;a href="https://www.anthropic.com/news/claude-code-security"&gt;Claude Code Security&lt;/a&gt; — a system that had already found over 500 zero-day vulnerabilities in production open-source codebases before it shipped. Days earlier, the open-source Raptor framework showed that a properly orchestrated LLM could autonomously run Semgrep scans, execute CodeQL queries, validate whether findings are exploitable, generate proof-of-concept exploits, and produce patches. All in a single workflow.&lt;/p&gt;</description></item><item><title>Cloud Penetration Testing: AWS, Azure &amp; GCP Security Assessment</title><link>https://bsg.tech/blog/cloud-penetration-testing-aws-azure-gcp/</link><pubDate>Thu, 19 Feb 2026 16:40:30 +0000</pubDate><guid>https://bsg.tech/blog/cloud-penetration-testing-aws-azure-gcp/</guid><description>&lt;p&gt;Migrating to the cloud does not eliminate security risk — it transforms it. AWS, Azure, and GCP handle infrastructure-level protections, but the responsibility for securing configurations, identities, data, and workloads still falls on your organisation.&lt;/p&gt;
&lt;p&gt;Cloud penetration testing is a controlled security assessment that simulates real-world attacks against your cloud environment. Unlike automated scanning, a cloud pentest uses manual techniques to chain together misconfigurations, overly permissive IAM policies, and exposed services into attack paths that actually compromise data.&lt;/p&gt;</description></item><item><title>From Developer to AppSec Engineer: Career Path Guide</title><link>https://bsg.tech/blog/developer-to-appsec-engineer-career-path/</link><pubDate>Thu, 05 Feb 2026 23:02:15 +0000</pubDate><guid>https://bsg.tech/blog/developer-to-appsec-engineer-career-path/</guid><description>&lt;p&gt;You spend your days building software. You understand how systems are architected, how data flows between components, and how features go from a pull request to production. Now consider this: that same knowledge makes you one of the strongest candidates for a career in application security.&lt;/p&gt;</description></item><item><title>MITRE D3FEND: 267 Defensive Techniques, 7 Tactics</title><link>https://bsg.tech/blog/mitre-d3fend/</link><pubDate>Thu, 29 Jan 2026 17:00:00 +0000</pubDate><guid>https://bsg.tech/blog/mitre-d3fend/</guid><description>&lt;p&gt;MITRE D3FEND is a knowledge graph of &lt;a href="https://bsg.tech/blog/cyber-security/"&gt;cybersecurity&lt;/a&gt; countermeasures that gives defenders a structured way to select, organize, and communicate defensive techniques. 
While &lt;a href="https://attack.mitre.org/"&gt;MITRE ATT&amp;amp;CK&lt;/a&gt; catalogs how adversaries attack, D3FEND answers the follow-up question every blue team asks: what exactly should we do about it?&lt;/p&gt;</description></item><item><title>AI Agent Security: Malicious Skills Threatening Dev Environments</title><link>https://bsg.tech/blog/ai-agent-security-malicious-skills-threat/</link><pubDate>Sat, 24 Jan 2026 14:57:24 +0000</pubDate><guid>https://bsg.tech/blog/ai-agent-security-malicious-skills-threat/</guid><description>&lt;p&gt;AI coding assistants like Claude, GitHub Copilot, and Cursor have transformed how developers work. But with great power comes a new attack surface: &lt;strong&gt;executable skills&lt;/strong&gt; that can turn your trusted AI assistant into a threat actor.&lt;/p&gt;
&lt;p&gt;Recent security research has uncovered a concerning pattern. Skills—the plugins and extensions that give AI agents their capabilities—can harbor malicious code that executes with your permissions, accesses your credentials, and spreads across your infrastructure. This isn’t theoretical: researchers have demonstrated &lt;a href="https://blog.lukaszolejnik.com/supply-chain-risk-of-agentic-ai-infecting-infrastructures-via-skill-worms/"&gt;skill worms&lt;/a&gt; that propagate through SSH configurations, exfiltrate secrets via base64-encoded curl commands, and persist across sessions.&lt;/p&gt;</description></item><item><title>Black Box vs White Box vs Grey Box Pentest</title><link>https://bsg.tech/blog/black-box-vs-white-box-vs-grey-box-penetration-testing/</link><pubDate>Fri, 23 Jan 2026 15:36:12 +0000</pubDate><guid>https://bsg.tech/blog/black-box-vs-white-box-vs-grey-box-penetration-testing/</guid><description>&lt;p&gt;What’s the difference between black box, white box, and grey box &lt;a href="https://bsg.tech/blog/penetration-testing/"&gt;penetration testing&lt;/a&gt;? If you think it’s about &lt;em&gt;access levels&lt;/em&gt;, you’re wrong—and you’re not alone.&lt;/p&gt;
&lt;p&gt;Most cybersecurity professionals, vendors, and even some pentest firms get this fundamentally wrong. The confusion costs companies money, weakens &lt;a href="https://bsg.tech/blog/application-security/"&gt;security assessments&lt;/a&gt;, and leads to compliance issues.&lt;/p&gt;</description></item><item><title>Small Business Cybersecurity Checklist: 13 Essential Steps</title><link>https://bsg.tech/blog/small-business-cyber-security-checklist/</link><pubDate>Fri, 16 Jan 2026 16:07:54 +0000</pubDate><guid>https://bsg.tech/blog/small-business-cyber-security-checklist/</guid><description>&lt;p&gt;These cyber security recommendations for small businesses focus on conventional Small and Medium Enterprise organizations. This text does not cover startup specifics or the &lt;a href="https://bsg.tech/blog/application-security/"&gt;application security&lt;/a&gt; needs of software development companies. It is simply a checklist of the most crucial cyber security measures every small business owner can and must implement.&lt;/p&gt;</description></item><item><title>API Security Testing: OWASP API Top 10 Walkthrough</title><link>https://bsg.tech/blog/api-security-testing/</link><pubDate>Wed, 14 Jan 2026 21:56:37 +0000</pubDate><guid>https://bsg.tech/blog/api-security-testing/</guid><description>&lt;h2 id="introduction"&gt;Introduction&lt;/h2&gt;
&lt;p&gt;APIs (Application Programming Interfaces) have become the backbone of modern software architecture. From mobile apps to microservices, organisations rely on APIs to connect systems, share data, and deliver functionality. But this connectivity comes with risk.&lt;/p&gt;
&lt;p&gt;In 2026, APIs represent one of the most common attack vectors in web applications. According to &lt;a href="https://www.infosecurity-magazine.com/news/api-flaw-74-organizations-report/"&gt;Traceable AI’s 2025 Global State of API Security Report&lt;/a&gt;, 57% of organisations experienced an API-related data breach over the past two years, and 73% of those breached organisations faced three or more separate incidents. Major breaches continue to be traced back to insecure API endpoints.&lt;/p&gt;</description></item><item><title>OWASP LLM Top 10 (2025): Vulnerabilities &amp; Mitigations</title><link>https://bsg.tech/blog/owasp-llm-top-10/</link><pubDate>Mon, 12 Jan 2026 18:20:19 +0000</pubDate><guid>https://bsg.tech/blog/owasp-llm-top-10/</guid><description>&lt;p&gt;Every organisation seems to be integrating large language models into their products and workflows. Chatbots, code assistants, document analysers, customer service agents—generative AI is everywhere. But security hasn’t kept pace with adoption.&lt;/p&gt;
&lt;p&gt;OWASP recognised this gap and released a dedicated Top 10 for LLM Applications. Unlike traditional web vulnerabilities that developers have been battling for decades, LLM risks are fundamentally different. These systems process natural language, generate unpredictable outputs, and often have access to sensitive data and powerful actions. The attack surface is unlike anything we’ve seen before.&lt;/p&gt;</description></item><item><title>OWASP Top 10 2025: Full List &amp; Changes from 2021</title><link>https://bsg.tech/blog/owasp-top-10/</link><pubDate>Mon, 12 Jan 2026 01:23:41 +0000</pubDate><guid>https://bsg.tech/blog/owasp-top-10/</guid><description>&lt;p&gt;The OWASP Top 10 is the definitive benchmark for web application security. The 2025 release brings the most significant changes in years: two entirely new vulnerability categories and major ranking shifts that reflect how modern attacks have evolved.&lt;/p&gt;
&lt;p&gt;These changes aren’t academic—they shape security policies, &lt;a href="https://bsg.tech/blog/penetration-testing/"&gt;penetration testing requirements&lt;/a&gt;, and development practices across the industry. Understanding what changed helps security teams prioritise resources and protect what matters most.&lt;/p&gt;</description></item><item><title>DevSecOps Pipeline Security: Essential Guide | BSG</title><link>https://bsg.tech/blog/devsecops-pipeline-security/</link><pubDate>Fri, 09 Jan 2026 16:28:38 +0000</pubDate><guid>https://bsg.tech/blog/devsecops-pipeline-security/</guid><description>&lt;p&gt;Your CI/CD pipeline has become one of the most valuable targets in your organization. It has access to source code, production credentials, deployment keys, and the ability to push code directly to your customers. If attackers compromise your pipeline, they compromise everything downstream.&lt;/p&gt;</description></item><item><title>Secure Coding Training: Why Developers Need It in 2026</title><link>https://bsg.tech/blog/why-every-developer-should-learn-secure-coding-in-2026/</link><pubDate>Thu, 08 Jan 2026 13:57:23 +0000</pubDate><guid>https://bsg.tech/blog/why-every-developer-should-learn-secure-coding-in-2026/</guid><description>&lt;p&gt;Security vulnerabilities cost businesses billions annually. From the &lt;a href="https://bsg.tech/blog/preventing-crypto-exchange-hacks-lessons-from-bybit-heist/"&gt;Bybit crypto heist&lt;/a&gt; to countless data breaches affecting millions of users, the pattern is clear: most security incidents trace back to preventable coding mistakes. 
Yet despite this, secure coding remains an afterthought in most development workflows.&lt;/p&gt;</description></item><item><title>EU Radio Equipment Directive 2025: RED &amp; EN 18031 Guide</title><link>https://bsg.tech/blog/eu-radio-equipment-cybersecurity-red-en-18031-compliance-2025/</link><pubDate>Sun, 23 Nov 2025 14:36:33 +0000</pubDate><guid>https://bsg.tech/blog/eu-radio-equipment-cybersecurity-red-en-18031-compliance-2025/</guid><description>&lt;p&gt;From 2025, the European Union is raising the bar for cybersecurity in every connected device that uses radio technologies. If your product communicates via Wi-Fi, Bluetooth, cellular, Zigbee, LoRa, or any other radio interface, its path to the EU market now runs through a new compliance regime: &lt;strong&gt;RED cybersecurity requirements&lt;/strong&gt;, the &lt;strong&gt;EN 18031 harmonised standards&lt;/strong&gt;, and the &lt;strong&gt;Delegated Regulation (EU) 2022/30&lt;/strong&gt;.&lt;/p&gt;</description></item><item><title>TLPT: Threat Led Penetration Testing Explained</title><link>https://bsg.tech/blog/tlpt-threat-led-penetration-testing-explained/</link><pubDate>Fri, 20 Jun 2025 10:00:00 +0000</pubDate><guid>https://bsg.tech/blog/tlpt-threat-led-penetration-testing-explained/</guid><description>&lt;p&gt;&lt;strong&gt;Threat Led Penetration Testing (TLPT)&lt;/strong&gt;, also known as threat-led pentesting, is the most realistic form of &lt;a href="https://bsg.tech/blog/cyber-security/"&gt;cybersecurity&lt;/a&gt; validation available today. TLPT combines current &lt;strong&gt;threat intelligence&lt;/strong&gt;, &lt;strong&gt;red teaming tactics&lt;/strong&gt;, and &lt;strong&gt;business risk analysis&lt;/strong&gt; to simulate attacks that your organization is most likely to face. 
Unlike generic pentesting, TLPT tests not just your systems for vulnerabilities, but also your ability to &lt;strong&gt;detect, respond to, and contain&lt;/strong&gt; those attacks in real time.&lt;/p&gt;</description></item><item><title>EUVD Database: Europe’s CVE Alternative Explained | BSG</title><link>https://bsg.tech/blog/euvd-europes-answer-to-cve-instability/</link><pubDate>Wed, 14 May 2025 11:11:06 +0000</pubDate><guid>https://bsg.tech/blog/euvd-europes-answer-to-cve-instability/</guid><description>&lt;p&gt;As the MITRE-run CVE program faces operational challenges, Europe has quietly launched a significant alternative. The &lt;strong&gt;European Vulnerability Database (EUVD)&lt;/strong&gt;, developed by ENISA, officially went live in April 2025.&lt;/p&gt;
&lt;p&gt;Though some viewed it as a reaction to MITRE’s instability, the EUVD was long in the making. Its creation was mandated under the &lt;a href="https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022L2555"&gt;&lt;strong&gt;NIS2 Directive&lt;/strong&gt;&lt;/a&gt; (Articles 62–63), adopted in 2022, which required ENISA to develop a vulnerability database serving the EU digital ecosystem.&lt;/p&gt;</description></item><item><title>Cyber Incident Response Plan for Small Business [2025]</title><link>https://bsg.tech/blog/cyber-incident-response-tips-for-small-businesses/</link><pubDate>Sat, 03 May 2025 16:06:58 +0000</pubDate><guid>https://bsg.tech/blog/cyber-incident-response-tips-for-small-businesses/</guid><description>&lt;p&gt;In today’s volatile cyber landscape, even small businesses are not immune to disruptive cyberattacks. Ransomware, phishing, and data breaches increasingly target companies of all sizes, and the ability to respond effectively can mean the difference between recovery and ruin. Interestingly, a valuable resource developed for UK local governments offers practical lessons for the private sector: the Local Government Association’s “Cyber Incident Grab Bag.”&lt;/p&gt;</description></item><item><title>MITRE Unforgivable Vulnerabilities Explained</title><link>https://bsg.tech/blog/unforgivable-software-vulnerabilities/</link><pubDate>Fri, 04 Apr 2025 16:27:14 +0000</pubDate><guid>https://bsg.tech/blog/unforgivable-software-vulnerabilities/</guid><description>&lt;p&gt;Every piece of software has bugs. Many have vulnerabilities. But not all software vulnerabilities are created equal.&lt;/p&gt;
&lt;p&gt;Some are complicated, buried deep in obscure logic, or made possible by bleeding-edge exploit techniques. Others—well, others are glaringly obvious. These are the ones that make security professionals shake their heads and ask: &lt;em&gt;How did this ever make it to production?&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Preventing Crypto Exchange Hacks: Lessons from Bybit Heist</title><link>https://bsg.tech/blog/preventing-crypto-exchange-hacks-lessons-from-bybit-heist/</link><pubDate>Wed, 26 Feb 2025 11:27:46 +0000</pubDate><guid>https://bsg.tech/blog/preventing-crypto-exchange-hacks-lessons-from-bybit-heist/</guid><description>&lt;p&gt;Bybit, a cryptocurrency exchange, &lt;a href="https://announcements.bybit.com/article/incident-update---eth-cold-wallet-incident-blt292c0454d26e9140/"&gt;recently suffered one of the largest crypto thefts in history&lt;/a&gt;, with attackers making off with $1.4 billion. The attack, attributed to North Korean cybercriminals, exploited vulnerabilities in Bybit’s security processes, leveraging malware and social engineering to bypass multi-signature protections. This blog post breaks down how the attack occurred, the techniques used by the attackers, and lessons for the crypto industry.&lt;/p&gt;</description></item><item><title>Cyber Kill Chain vs MITRE ATT&amp;CK: A Defender's Guide</title><link>https://bsg.tech/blog/cyber-defense-using-cyber-kill-chain-and-mitre-attck-explained/</link><pubDate>Thu, 06 Feb 2025 15:41:48 +0000</pubDate><guid>https://bsg.tech/blog/cyber-defense-using-cyber-kill-chain-and-mitre-attck-explained/</guid><description>&lt;p&gt;Ask two defenders to explain an intrusion and you will often hear two different vocabularies. One describes &lt;em&gt;stages&lt;/em&gt; — reconnaissance, delivery, command and control. The other reels off &lt;em&gt;technique IDs&lt;/em&gt; — T1059, T1003, T1021. Both are describing the same attack. 
They are just using two different models: the &lt;strong&gt;Cyber Kill Chain&lt;/strong&gt; and the &lt;strong&gt;&lt;a href="https://attack.mitre.org/"&gt;MITRE ATT&amp;amp;CK&lt;/a&gt; framework&lt;/strong&gt;.&lt;/p&gt;</description></item><item><title>The Future of Authentication: Passkeys vs Passwords and 2FA</title><link>https://bsg.tech/blog/the-future-of-authentication-when-passkeys-beat-passwords-and-2fa/</link><pubDate>Wed, 22 Jan 2025 11:22:47 +0000</pubDate><guid>https://bsg.tech/blog/the-future-of-authentication-when-passkeys-beat-passwords-and-2fa/</guid><description>&lt;p&gt;Passwords have been around for decades, but they come with plenty of headaches. Many people use weak passwords or reuse the same ones across different sites. This makes them easy targets for hackers. Phishing attacks, where scammers trick you into giving up your password, are still very common. And even if you have a strong password, it’s no good if it gets stolen in a data breach.&lt;/p&gt;</description></item><item><title>2024’s Worst Cyberattacks: Security Lessons &amp; Tips | BSG</title><link>https://bsg.tech/blog/lessons-from-2024s-worst-cyberattacks-and-how-to-stay-secure/</link><pubDate>Mon, 13 Jan 2025 23:47:29 +0000</pubDate><guid>https://bsg.tech/blog/lessons-from-2024s-worst-cyberattacks-and-how-to-stay-secure/</guid><description>&lt;p&gt;2024 was a challenging year for &lt;a href="https://bsg.tech/blog/cyber-security/"&gt;cybersecurity&lt;/a&gt;, with some of the most significant data breaches and cyberattacks making headlines. In this article, we analyze the key breaches outlined in &lt;em&gt;Wired’s&lt;/em&gt; article, &lt;a href="https://www.wired.com/story/worst-hacks-2024/"&gt;“The Worst Hacks of 2024,”&lt;/a&gt; along with high-value reference sources to dive deeper into the methods attackers used and the lessons we can learn. 
For each breach, we summarize the incident, highlight the vulnerabilities exploited, and recommend actionable countermeasures to strengthen defenses.&lt;/p&gt;</description></item><item><title>Enhancing Cybersecurity to Align with NIS2 Directive</title><link>https://bsg.tech/blog/strengthening-cybersecurity-practices-in-compliance-with-the-nis2-directive/</link><pubDate>Mon, 02 Dec 2024 16:11:58 +0000</pubDate><guid>https://bsg.tech/blog/strengthening-cybersecurity-practices-in-compliance-with-the-nis2-directive/</guid><description>&lt;p&gt;The European Union’s NIS2 Directive, reinforced by ENISA’s 2024 Implementation Guidance, sets a comprehensive standard for &lt;a href="https://bsg.tech/cyber-security/"&gt;cybersecurity&lt;/a&gt; across critical and digital service providers. For business leaders, adopting these practices ensures regulatory compliance and builds organizational resilience.&lt;/p&gt;
&lt;h2 id="understanding-the-nis2-directive-and-enisas-guidance"&gt;Understanding the NIS2 Directive and ENISA’s Guidance&lt;/h2&gt;
&lt;p&gt;The &lt;a href="https://www.enisa.europa.eu/topics/awareness-and-cyber-hygiene/raising-awareness-campaigns/network-and-information-systems-directive-2-nis2"&gt;NIS2 Directive&lt;/a&gt; mandates robust cybersecurity measures for entities across sectors such as cloud computing and online platforms. &lt;a href="https://www.enisa.europa.eu/publications/implementation-guidance-on-nis-2-security-measures"&gt;ENISA’s guidance&lt;/a&gt; provides actionable steps to implement these measures effectively, emphasizing risk management, incident handling, and supply chain security.&lt;/p&gt;</description></item><item><title>NCSC Cyber Security Board Toolkit: Director's Guide</title><link>https://bsg.tech/blog/empowering-cybersecurity-governance-ncscs-board-toolkit/</link><pubDate>Sun, 01 Dec 2024 12:07:28 +0000</pubDate><guid>https://bsg.tech/blog/empowering-cybersecurity-governance-ncscs-board-toolkit/</guid><description>&lt;p&gt;Cybersecurity is no longer just a technical issue; it’s a critical business risk that directly impacts organizational stability, reputation, and financial health. As digital dependency increases, so does exposure to cyber threats, from data breaches to ransomware attacks and supply chain vulnerabilities. For board members, addressing cybersecurity is not optional—it’s essential.&lt;/p&gt;</description></item><item><title>Security Awareness Training: Does It Actually Work?</title><link>https://bsg.tech/blog/the-truth-about-phishing-training-why-its-not-as-effective-as-you-think/</link><pubDate>Mon, 25 Nov 2024 16:48:56 +0000</pubDate><guid>https://bsg.tech/blog/the-truth-about-phishing-training-why-its-not-as-effective-as-you-think/</guid><description>&lt;p&gt;Phishing attacks remain the top cybersecurity threat globally, accounting for 33% of data breaches in small and medium businesses according to Verizon’s 2025 Data Breach Investigation Report. 
Despite investing heavily in employee training programs, organizations often find themselves repeatedly compromised. This raises a critical question: How effective are these phishing training programs in preventing real-world attacks?&lt;/p&gt;</description></item><item><title>SAMMY: Free OWASP SAMM Assessment Tool by Codific</title><link>https://bsg.tech/blog/enhance-software-security-with-sammy-and-owasp-samm/</link><pubDate>Mon, 04 Nov 2024 16:48:46 +0000</pubDate><guid>https://bsg.tech/blog/enhance-software-security-with-sammy-and-owasp-samm/</guid><description>&lt;p&gt;In today’s rapidly evolving digital landscape, ensuring the &lt;a href="https://bsg.tech/blog/software-product-security-where-to-start/"&gt;security of software applications&lt;/a&gt; is paramount. The OWASP Software Assurance Maturity Model (SAMM) provides organizations with a structured framework to assess and enhance their software &lt;a href="https://bsg.tech/blog/cyber-security/"&gt;security practices&lt;/a&gt;. To effectively implement SAMM, organizations can leverage SAMMY, a comprehensive management tool developed by Codific.&lt;/p&gt;</description></item><item><title>How to Show Return on Cyber Security Investment</title><link>https://bsg.tech/blog/security-return-on-investment/</link><pubDate>Thu, 28 Dec 2023 12:00:00 +0000</pubDate><guid>https://bsg.tech/blog/security-return-on-investment/</guid><description>&lt;p&gt;Demonstrating your return on &lt;a href="https://bsg.tech/blog/cyber-security/"&gt;cybersecurity investment&lt;/a&gt; to investors, boards, and top managers is one of the hardest challenges a CISO faces. 
Yet ROSI (Return on Security Investment) has become a non-negotiable KPI — especially since the &lt;a href="https://www.sec.gov/rules-regulations/2023/07/s7-09-22"&gt;SEC’s 2023 cybersecurity disclosure rules&lt;/a&gt; now require public companies to report board oversight of cyber risk.&lt;/p&gt;</description></item><item><title>CVE-2022-0271: Leaflet Maps Marker SQL Injection Exploit</title><link>https://bsg.tech/blog/bsg-discovers-sql-injection-vulnerability-in-leaflet-maps-marker/</link><pubDate>Mon, 08 Aug 2022 13:42:00 +0000</pubDate><guid>https://bsg.tech/blog/bsg-discovers-sql-injection-vulnerability-in-leaflet-maps-marker/</guid><description>&lt;h2 id="introduction"&gt;Introduction&lt;/h2&gt;
&lt;p&gt;In the ever-evolving landscape of cybersecurity, vulnerabilities can emerge in the most unexpected places. Recently, our team at BSG made a significant discovery: a SQL Injection vulnerability in the popular Leaflet Maps Marker plugin for WordPress (&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2022-1123"&gt;CVE-2022-1123&lt;/a&gt;). As with the previous discovery of &lt;a href="https://bsg.tech/blog/cve-2022-25854-stored-xss-in-yaireo-tagify-npm-module/"&gt;CVE-2022-25854&lt;/a&gt;, Ihor Bliumental was directly involved. This discovery underscores the importance of proactive security measures and the need to address vulnerabilities promptly to safeguard WordPress websites.&lt;/p&gt;</description></item><item><title>CVE-2022-25854: Tagify npm Stored XSS Vulnerability</title><link>https://bsg.tech/blog/cve-2022-25854-stored-xss-in-yaireo-tagify-npm-module/</link><pubDate>Tue, 10 May 2022 16:01:51 +0000</pubDate><guid>https://bsg.tech/blog/cve-2022-25854-stored-xss-in-yaireo-tagify-npm-module/</guid><description>&lt;h2 id="preface"&gt;Preface&lt;/h2&gt;
&lt;p&gt;Due to the russian war on Ukraine, we are much less active on this blog and social media. However, some events make us dust off the keyboard and share some information. For instance, a vulnerability is worth a CVE. We found this one in February 2022, and a few others are under review. Meanwhile, all BSG team members are safe, and we stay operational.&lt;/p&gt;</description></item><item><title>BSG Wins SANS NetWars: Ukraine’s First CTF Champions</title><link>https://bsg.tech/blog/bsg-won-sans-netwars-tournament/</link><pubDate>Thu, 02 Dec 2021 22:23:39 +0000</pubDate><guid>https://bsg.tech/blog/bsg-won-sans-netwars-tournament/</guid><description>&lt;p&gt;Today BSG participated in the first-ever SANS NetWars tournament brought to Ukraine by USAID Cybersecurity Activity, the Ukrainian National Security Council, and the Service of Information Protection. To our immense surprise, we won this cyber range competition!&lt;/p&gt;</description></item><item><title>Software Supply Chain Security: Beyond XZ Utils</title><link>https://bsg.tech/blog/software-supply-chain-security/</link><pubDate>Tue, 02 Nov 2021 20:47:26 +0000</pubDate><guid>https://bsg.tech/blog/software-supply-chain-security/</guid><description>&lt;p&gt;In March 2024, the open-source world got the closest look it has ever had at a perfectly executed software supply chain attack — and it was found almost by accident. A Microsoft engineer named Andres Freund noticed that SSH logins on a Debian test machine were taking about half a second longer than they should. Chasing that latency led him to a backdoor planted in &lt;strong&gt;liblzma&lt;/strong&gt;, a compression library bundled with &lt;strong&gt;XZ Utils&lt;/strong&gt;, a package so unremarkable that almost nobody thinks about it. He &lt;a href="https://www.openwall.com/lists/oss-security/2024/03/29/4"&gt;disclosed it publicly on 29 March 2024&lt;/a&gt;. 
The vulnerability, &lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2024-3094"&gt;CVE-2024-3094&lt;/a&gt;, carries a CVSS score of 10.0.&lt;/p&gt;</description></item><item><title>Software Product Security: Where To Start?</title><link>https://bsg.tech/blog/software-product-security-where-to-start/</link><pubDate>Wed, 29 Sep 2021 17:37:12 +0000</pubDate><guid>https://bsg.tech/blog/software-product-security-where-to-start/</guid><description>&lt;p&gt;There is plenty of publicly available information about how software development teams can make their products more secure. However, this knowledge is often obscure to software engineers. Developers get stuck in their routine jobs following the usual development cycle with no incentive to learn about security. From initial design specifications to basic functionality and a prototype, to an MVP, to regular customer feature requests, to fixing bugs… On and on goes the feature-centric development cycle, with little or no effort spent on securing the product. Until there is a breach, or the regulator unleashes its wrath on management, or a big client demands actual proof of product security, or an M&amp;amp;A deal requires a demonstration of due diligence.&lt;/p&gt;</description></item><item><title>How to Choose a Penetration Testing Company?</title><link>https://bsg.tech/blog/how-to-choose-a-penetration-testing-company/</link><pubDate>Wed, 29 Sep 2021 07:57:12 +0000</pubDate><guid>https://bsg.tech/blog/how-to-choose-a-penetration-testing-company/</guid><description>&lt;p&gt;Today is a time of frequent data breaches, automated hacking systems, and all types of consumer protection regulations like DSS, PCI, and GDPR. 
Because of this, &lt;strong&gt;&lt;a href="https://bsg.tech/penetration-testing/"&gt;penetration testing&lt;/a&gt;&lt;/strong&gt; is now considered an &lt;strong&gt;essential security requirement for all types and sizes of businesses&lt;/strong&gt;, not just governments and banks.&lt;/p&gt;</description></item><item><title>Social Engineering: What It Is and How to Prevent It?</title><link>https://bsg.tech/blog/social-engineering-what-actually-is-it-and-how-to-prevent-an-attack/</link><pubDate>Fri, 24 Sep 2021 07:29:48 +0000</pubDate><guid>https://bsg.tech/blog/social-engineering-what-actually-is-it-and-how-to-prevent-an-attack/</guid><description>&lt;p&gt;Social engineering is the manipulation of people — rather than software — into handing over confidential information, credentials, or access. Instead of breaking a system, the attacker convinces a person to open the door for them.&lt;/p&gt;
&lt;p&gt;It works because it targets judgment, not code. No firewall asks an employee to slow down and double-check who is really on the other end of a video call. That gap is exactly what these attacks exploit, and in 2026 the tooling behind them has changed dramatically.&lt;/p&gt;</description></item><item><title>Announcing the Web Application Pentester Training</title><link>https://bsg.tech/blog/announcing-the-web-application-pentester-training/</link><pubDate>Thu, 05 Aug 2021 09:08:14 +0000</pubDate><guid>https://bsg.tech/blog/announcing-the-web-application-pentester-training/</guid><description>&lt;p&gt;We are happy to announce that registration for the &lt;a href="https://bsg.tech/pentester-training/"&gt;BSG web application pentester training&lt;/a&gt; is now open, and the new group starts the pentester training in autumn 2021. If you plan to reach new career horizons in cybersecurity, we will help you to consider a proper decision by answering the most frequently asked questions.&lt;/p&gt;</description></item><item><title>Berezha Security Becomes BSG: New Identity Unveiled | BSG</title><link>https://bsg.tech/blog/berezha-security-has-rebranded-to-bsg-new-identity-new-achievements/</link><pubDate>Thu, 20 May 2021 18:11:15 +0000</pubDate><guid>https://bsg.tech/blog/berezha-security-has-rebranded-to-bsg-new-identity-new-achievements/</guid><description>&lt;p&gt;Berezha Security has rebranded to BSG – Berezha Security Group – and we are happy to present our new identity, which better reflects our company’s philosophy and values we carry in the world.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;“Defeating tomorrow’s security challenges – today” became the BSG mission&lt;/strong&gt;.&lt;/p&gt;</description></item><item><title>Remote Work Security Audit – a Need or a Habit?</title><link>https://bsg.tech/blog/remote-cybersecurity-audit/</link><pubDate>Tue, 10 Nov 2020 09:00:00 +0000</pubDate><guid>https://bsg.tech/blog/remote-cybersecurity-audit/</guid><description>&lt;p&gt;A year ago, before the COVID-19 pandemic, probably very few people could imagine how the world would change. Working from home, remote business meetings, online events, and digital concerts are only some new normal examples. The things we could not imagine going virtual very much did, to everyone’s surprise. One of the areas that tended to be very onsite and face-to-face was conducting a security audit – remote work security assessment.&lt;/p&gt;</description></item><item><title>How to check your website security online</title><link>https://bsg.tech/blog/how-to-check-your-website-security-online/</link><pubDate>Sat, 27 Jun 2020 14:00:33 +0000</pubDate><guid>https://bsg.tech/blog/how-to-check-your-website-security-online/</guid><description>&lt;p&gt;In Berezha Security, we provide high-quality &lt;a href="https://bsg.tech/application-security/"&gt;Application Security services&lt;/a&gt;, and web application security assessments are a large portion of what we do. However, a full-scale &lt;a href="https://bsg.tech/application-security/"&gt;web app pentest&lt;/a&gt; is not what all our website visitors seek; some are looking for a quick and straightforward way to check their website security without the need to hire security experts. It may seem that we are in a position to ignore those requests; however, we think it would be irresponsible. 
Here are some simple tips and tricks you can use to quickly check your website security.&lt;/p&gt;</description></item><item><title>The Difference Between Organization and Product Security</title><link>https://bsg.tech/blog/the-difference-between-organization-and-product-security/</link><pubDate>Sat, 13 Jul 2019 18:41:39 +0000</pubDate><guid>https://bsg.tech/blog/the-difference-between-organization-and-product-security/</guid><description>&lt;p&gt;Among Ukrainian organizations, we get the most requests from IT companies, and in this post, I want to talk about some accumulated experience. Quite possibly, it will be useful to other organizations in this business, and maybe organizations from different sectors. So if you know a CIO/CTO from an IT firm, show them this text. It was written for them.&lt;/p&gt;</description></item></channel></rss>