Compliance & Regulatory
Regulatory frameworks decoded: what changed, what the auditors check, what the fines are when you get it wrong.
40 posts in this cluster
148 security roles across six months of HN Who's Hiring. What the 2026 CISO market actually looks like.
Pulled six months of Hacker News 'Who is hiring?' threads, filtered to 148 security-adjacent roles. Distribution by month, role types (compliance is 29, threat detection 16, offensive security only 1), location breakdown, contact-information quality, and company-type clustering. Practical takeaways for candidates, hiring managers, and companies about to post for their first security engineer.
Two years of Item 1.05. What Form 8-K cyber filings say, and the seven things they never say.
Read every Item 1.05 8-K filed from December 2023 through April 2026. What the filings actually contain, the seven things they deliberately never say (threat actor, ransom payment, root-cause vector, specific systems, record count, insurance recovery, CISO accountability), the amendment problem, the small-cap gap, and four practical read-outs for vendors, buyers, boards, and pre-IPO companies.
98 HIPAA breaches in six weeks, 9.5M patients. What the HHS wall actually shows.
Pulled the last six weeks of breaches off the HHS OCR wall: 98 incidents, 9.46M affected individuals. Statistical breakdown of breach type, location, state, entity type, and business-associate involvement, with the shape of the top 10 by population affected. What the 2025 Security Rule NPRM is about to change for small practices, and four concrete actions a small or mid-sized covered entity can take this quarter before the rule lands.
SMB EDR Buyer Guide 2026: Microsoft Defender vs SentinelOne vs CrowdStrike vs Huntress vs Sophos
Side-by-side EDR comparison for the 10-500 seat SMB range. Microsoft Defender for Business, SentinelOne Singularity Core, CrowdStrike Falcon Go, Huntress Managed EDR, Sophos Intercept X. Per-seat pricing, detection philosophy, managed-service availability, MITRE ATT&CK results, and real TCO (not just license fee). Decision framework that picks for you by profile. Red flags to avoid in SMB sales pitches.
CIRCIA Incident Reporting: What Critical Infrastructure Owes CISA in 2026
CISA final rule (6 CFR Part 226) defines what counts as a reportable incident, who must report, and the 72-hour (or 24-hour for ransom payments) clock. Covered entity definition across 16 critical infrastructure sectors. Incident Report fields, safe harbor provisions, interaction with SEC 8-K / NERC CIP / TSA / HIPAA, and the runbook for the first 24 hours of an incident where reporting is mandatory.
What ChatGPT, Claude, and Gemini Actually Keep About You
Every AI chatbot retains your conversations. Retention periods, training use, law enforcement access, and breach history vary dramatically. A practical data privacy map of ChatGPT, Claude, Gemini, Copilot, Grok, and Meta AI. Including the NYT v. OpenAI court order requiring indefinite retention.
Your Encryption Has an Expiration Date
Every HTTPS connection, Signal chat, and VPN on the internet relies on crypto that quantum computers will break. NIST finalized the replacements in 2024. A post-quantum cryptography migration guide for application security and compliance teams.
Inside a Ransomware Gang: HR Departments, Salaries, and Bonuses
Ransomware-as-a-Service operations like LockBit, BlackCat, and Cl0p run on affiliate economics. The business model evolution from ransomware attacks to double-extortion, and what it means for incident response and cyber insurance.
EU NIS2 Directive: Why US Companies Need to Care
NIS2 became enforceable across EU member states in October 2024. It's Europe's biggest cybersecurity regulation since GDPR, covering 100,000+ entities across 18 critical sectors. And, to the surprise of many US companies, it affects any non-EU company that provides services to EU customers in covered sectors. Penalties up to €10M or 2% of global revenue. A practical guide to whether NIS2 applies to you and what to do about it.
US State Data Privacy Laws 2026: The Complete Matrix Every Business Needs
If you do business in the US, you are likely subject to multiple state data privacy laws. California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and a growing list of states have active laws with enforcement authority. A practical matrix of what each law requires, the thresholds that trigger applicability, and the unified compliance approach that handles all of them.
Security Awareness Training Buyer Guide 2026: KnowBe4 vs Hoxhunt vs Curricula vs Proofpoint
Most awareness programs are box-checking. Click rates stay at 18% and nobody knows if that's good. This is the honest buyer guide. Ten vendors compared (KnowBe4, Proofpoint, Hoxhunt, Curricula, Ninjio, Infosec IQ, Living Security, Barracuda, Mimecast, specialized phishing). Metrics that matter vs vanity metrics. Realistic click rate curve (2-10%). Program design that works. Executive + VIP programs. Compliance-specific requirements.
Clearview AI's Privacy Settlement: Victims Are Now Shareholders
Clearview AI scraped 30+ billion photos from the public internet to build a facial recognition system sold to law enforcement. A landmark $52 million ACLU settlement followed. A data privacy and facial recognition investigation.
Healthcare Ransomware in 2026: Why 118 Breaches in Two Months Is a Warning
118 healthcare data breaches in the first two months of 2026. 9.6 million patients affected. Healthcare is now the most targeted industry for ransomware. 22% of all attacks globally. A deep dive into the attack patterns, the regulatory pressure, the compliance landscape (including the proposed HIPAA pentest mandate), and what healthcare CISOs should be doing right now.
GRC Platform Buyer Guide 2026: Vanta vs Drata vs Secureframe vs Thoropass vs Sprinto
Every SOC 2 evaluation ends at the same five platforms. Picking between them is a once-every-three-years decision usually made on demo quality or salesperson persistence. This is the honest GRC platform buyer guide. What these platforms do. Where Vanta, Drata, Secureframe, Thoropass, and Sprinto meaningfully differ. Pricing transparency. Integration depth. Auditor ecosystem. When the whole category isn't the right answer.
$438 Million Stolen: The LastPass Breach Three Years Later
The LastPass breaches cost users $438 million in cryptocurrency theft and destroyed enterprise trust in cloud password managers. A deep dive into the breach timeline, architectural failures, and password manager security comparisons.
Why Your Cyber Insurance Won't Pay: The Denial Patterns You Need to Know About
Cyber insurance premiums are up 50-100%. Policy exclusions have quintupled in six years. Payouts are routinely denied for reasons that aren't obvious until your claim is rejected. A detailed walkthrough of how carriers deny claims in 2026, the exclusions biting hardest, and what your organization should be doing to actually get paid when you need to.
MDR Buyer Guide 2026: How to Evaluate Managed Detection and Response Providers
Every MDR vendor claims the same outcomes. Real differentiators are buried under marketing. This is the complete MDR buyer guide. Where MDR sits vs EDR/XDR/MSSP. Provider categories (pure-play, EDR-operated, MSSP, regional MSP). 8 real differentiators to evaluate. Pricing transparency ($25K-$600K+/yr). Red flags. Evaluation process. Post-onboarding common issues. Alternative models.
The $434 Billion Industry That Knows Where You Sleep
The US data broker industry is a $200+ billion economy selling everything from your home address to your health conditions. A data privacy investigation with opsec guidance for consumer cybersecurity.
vCISO Services 2026: The Complete Guide to Hiring Fractional Security Leadership
There's a middle path between no CISO and burning $400K on a full-time hire at 80 employees. Virtual CISO, fractional CISO, CISO-as-a-service. This is the complete vCISO services guide. When to hire one, engagement structures (full vs advisory vs project vs interim), what month one looks like, the 12-month roadmap, how to evaluate candidates, typical deliverables, pricing honesty, when to graduate to in-house.
The SaaS Vendor Security Audit Checklist: What to Ask Before You Buy
Your organization uses 150+ SaaS vendors. Any one of them could be a breach that exposes your customer data. A practical procurement security audit checklist. The questions to ask every new SaaS vendor, the contract clauses that protect you, the ongoing monitoring that catches vendor degradation, and the decision framework for whether a specific vendor is worth the risk.
Texas SB 2610: The Safe Harbor Most Texas Businesses Don't Know They Qualify For
Texas SB 2610 created a cybersecurity safe harbor defense against lawsuits for Texas businesses that implement recognized frameworks like NIST 800-53, HITRUST CSF, ISO 27001, or the Texas Cybersecurity Framework. Most Texas small-and-mid-size businesses have never heard of it. Here's how it works, what qualifies, and the documentation trail you need to actually invoke the defense in court.
The SEC 4-Day Breach Rule: What Public Companies Actually Have to Do
Since December 2023, public companies in the US must disclose material cybersecurity incidents on Form 8-K within four business days. Two years in, companies are still getting the rule wrong. Both over-disclosing non-material incidents and under-disclosing material ones. A practical walkthrough of what the rule requires, what materiality actually means, and the governance framework public companies need in place before an incident happens.
Third-Party Risk Management: The Complete Program Guide for 2026
Your security posture is the posture of the weakest vendor that holds your data. This is the complete TPRM guide. Five-phase vendor lifecycle. Four-level vendor classification. Due diligence depth by risk tier. Contract provisions that matter (breach notification, right to audit, subcontractor restrictions, insurance, data residency, termination). Ongoing monitoring. Incident coordination. The 10 program failures we see.
ISO 27001 vs SOC 2 in 2026: Which Certification Wins Deals, and When You Need Both
Your enterprise prospect just asked for "your SOC 2" or "your ISO 27001" and procurement will not move without it. Here is the 2026 comparison. What each certification actually covers, what it costs, how long it takes, and the dual-certification path most B2B SaaS companies end up on by Series B.
CMMC 2.0: The Cybersecurity Certification Every DoD Contractor Needs
CMMC 2.0 rolled out in phases starting late 2024. By 2028, every DoD contractor handling Controlled Unclassified Information will need formal certification. Level 1 for small vendors, Level 2 for most primes, Level 3 for highest-sensitivity work. Contractors who don't have it lose DoD contract eligibility. A practical walkthrough of the framework, assessment process, and preparation roadmap.
Bug Bounty Program Management: The Complete Guide for 2026
The successful programs share a pattern. Treat researchers as partners. Pay fairly. Fix quickly. Communicate. Failed programs argue scope, downgrade severity, and ignore reports. This is the complete 2026 bug bounty program management guide. Whether to run one, platform selection, scope definition, reward schedules, operational cadence, legal structures, the 10 program mistakes, and the progression from VDP to public bounty.
HIPAA's Proposed Pentest Mandate: What Healthcare Organizations Need to Know
HHS proposed the most substantial HIPAA Security Rule update in two decades in January 2025. Mandatory annual penetration testing, formal vulnerability scanning, network-segmentation requirements, and tightened encryption standards. The rule isn't final yet but healthcare organizations have a 12-24 month window to get ready. Or be out of compliance on day one.
Board Cybersecurity Briefing: The Complete Guide for CISOs and Directors
Most board cybersecurity briefings are compliance theater. CISO meets reporting requirement. Board meets duty to receive reports. Nothing changes. This is the board briefing framework that works. Five-question structure. Metrics that make sense at board level. Annual cadence. Duty of care under Caremark + SEC 4-day rule. How to structure decks, pre-reads, and executive session discussions.
ISO 27001:2022 Complete Implementation Guide for US Companies Going International
European customers expect ISO 27001. SOC 2 alone might not get you through their procurement. This is the complete ISO 27001:2022 guide for US companies going international. What changed from 2013 to 2022. ISO 27001 vs. SOC 2 comparison. Statement of Applicability. 18-month implementation plan. Certification body selection. Cost framework. Pitfalls from real engagements.
Keycloak: Realm Configuration Tells You Everything
Keycloak is enterprise identity and access management. And a high-value target. Publicly exposed realms, enabled self-registration, and console access lead to full SSO compromise. A penetration testing guide to IAM security audits and incident response.
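The realm export is where the settings that post is about actually live. The script below is an added example, not code from the post or from the Keycloak project: it reads a realm export JSON (the file Realm settings → Partial export or `kc.sh export` produces) and flags the exposure settings a pentester looks for first. The field names (`registrationAllowed`, `sslRequired`, `bruteForceProtected`, `verifyEmail`, `accessTokenLifespan`, `redirectUris`, `directAccessGrantsEnabled`) are real RealmRepresentation attributes; the two sample realm documents and the thresholds are constructed for this example.

```python
"""Audit a Keycloak realm export for self-registration, plaintext login,
missing lockout and permissive client settings.

Added example, not the post's or Keycloak's own code. The JSON keys are
real Keycloak RealmRepresentation fields; the sample realms below are
constructed for this example and describe no real deployment.
"""
import json

# Constructed realm export (abridged): the shape that leads to SSO compromise.
EXPOSED_REALM_EXPORT = """
{
  "realm": "customers",
  "enabled": true,
  "sslRequired": "none",
  "registrationAllowed": true,
  "verifyEmail": false,
  "resetPasswordAllowed": true,
  "bruteForceProtected": false,
  "accessTokenLifespan": 86400,
  "clients": [
    {"clientId": "account", "publicClient": true,
     "redirectUris": ["/realms/customers/account/*"]},
    {"clientId": "billing-portal", "publicClient": true,
     "redirectUris": ["*"]},
    {"clientId": "reporting-api", "publicClient": false,
     "directAccessGrantsEnabled": true, "serviceAccountsEnabled": true}
  ]
}
"""

# Constructed realm export with the same clients configured defensively.
HARDENED_REALM_EXPORT = """
{
  "realm": "customers",
  "enabled": true,
  "sslRequired": "all",
  "registrationAllowed": false,
  "verifyEmail": true,
  "resetPasswordAllowed": true,
  "bruteForceProtected": true,
  "accessTokenLifespan": 300,
  "clients": [
    {"clientId": "account", "publicClient": true,
     "redirectUris": ["/realms/customers/account/*"]},
    {"clientId": "billing-portal", "publicClient": true,
     "redirectUris": ["https://billing.example.test/callback/*"]},
    {"clientId": "reporting-api", "publicClient": false,
     "directAccessGrantsEnabled": false, "serviceAccountsEnabled": true}
  ]
}
"""

MAX_ACCESS_TOKEN_LIFESPAN = 3600   # assumption: one hour is the audit threshold


def audit_realm(export_json: str) -> list[str]:
    """Return one finding string per realm or client setting that widens exposure."""
    realm = json.loads(export_json)
    findings: list[str] = []

    if realm.get("registrationAllowed"):
        findings.append("self-registration enabled: anyone can create an account in this realm")
        if not realm.get("verifyEmail"):
            findings.append("self-registration without email verification: throwaway accounts cost nothing")
    # Keycloak's default is "external" (TLS required for non-private addresses).
    if realm.get("sslRequired", "external") == "none":
        findings.append("sslRequired=none: credentials and tokens accepted over plain HTTP")
    if not realm.get("bruteForceProtected", False):
        findings.append("brute-force protection off: no lockout against password guessing")
    if realm.get("accessTokenLifespan", 300) > MAX_ACCESS_TOKEN_LIFESPAN:
        findings.append("accessTokenLifespan above one hour: stolen tokens stay valid too long")

    for client in realm.get("clients", []):
        cid = client.get("clientId", "?")
        # "*" or "scheme://*" lets an attacker pick the redirect target for the auth code.
        if any(u == "*" or "://*" in u for u in client.get("redirectUris", [])):
            findings.append(f"client {cid}: wildcard redirect URI enables authorization-code theft")
        # Direct access grants = resource owner password credentials flow.
        if client.get("directAccessGrantsEnabled"):
            findings.append(f"client {cid}: direct access grants (password flow) enabled")
    return findings


if __name__ == "__main__":
    for name, doc in (("exposed", EXPOSED_REALM_EXPORT), ("hardened", HARDENED_REALM_EXPORT)):
        print(f"[{name}] {len(audit_realm(doc))} finding(s)")
        for f in audit_realm(doc):
            print("  -", f)
```

Point it at `kc.sh export --realm <name>` output and read the findings top to bottom; a realm that trips the first two checks and also has `sslRequired=none` is the "full SSO compromise" path the post describes, because an attacker can register, log in over HTTP, and guess passwords without lockout.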
NIST Cybersecurity Framework 2.0: The Complete Implementation Guide
Every vendor questionnaire asks about NIST CSF alignment. Most companies answer yes without actually aligning. CSF 2.0 shipped February 2024 with a new Govern function. This is the complete implementation guide. Six functions in detail. Implementation Tiers. Profiles. The 12-month plan. Common mistakes. How CSF relates to SOC 2, ISO 27001, SP 800-53, PCI, HIPAA.
Small Business Cybersecurity: The Complete Guide for Under-100 Employee Companies
Every cybersecurity article is written for the CISO of a Fortune 500 company. Meanwhile most US businesses have under 50 employees, one IT person (sometimes the owner's nephew), and no realistic budget for enterprise tooling. This is the complete guide for small businesses. The 10 controls that actually work. Starter program at $2K/year. Growth program at $15K/year. Industry-specific adds. What not to waste money on.
Penetration Testing in Dallas-Fort Worth: The Complete Guide for DFW Businesses
Everything DFW businesses need to know about penetration testing in 2026. Texas SB 2610 safe harbor and how annual pentesting qualifies. Texas Insurance Data Security Law. Texas HB 300. Federal overlays (HIPAA, PCI, CMMC, SEC, NYDFS for NY-licensed Texas firms). Pricing ranges for the DFW market. Vendor selection criteria. Red flags. Compliance-driven engagement patterns. The buying process.
MongoDB: The Database That Ships Without a Lock
MongoDB deployed with --bind_ip 0.0.0.0 and no authentication is still being indexed by Shodan in 2026. The ransomware groups know it. A reminder of why database penetration testing and vulnerability assessments matter for compliance.
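The exposure that blurb describes is two settings away from safe, which makes it a good candidate for an automated check. The script below is an added example, not code from the post or from MongoDB: it reads a `mongod.conf` (or the equivalent command line) and reports when a network-reachable listener has authorization off. The option names (`net.bindIp`, `net.bindIpAll`, `security.authorization`, `net.tls.mode`, `--bind_ip`, `--bind_ip_all`, `--auth`, `--tlsMode`) are real mongod options; the two sample configs are constructed for this example, and the YAML reader is deliberately minimal (indentation-based `key: value` only, which is what `mongod.conf` uses; no lists, anchors or flow syntax).

```python
"""Audit a mongod config for the Shodan-indexable pattern: listening on every
interface with no authentication.

Added example, not the post's or MongoDB's own code. Option names are real
mongod settings; the sample configs are constructed for this example and the
YAML reader handles only the indentation-based key: value subset mongod.conf uses.
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed mongod.conf in the shape the post warns about: bound to 0.0.0.0,
# no security section at all.
EXPOSED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed mongod.conf with a non-loopback listener done properly.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.3.12   # loopback plus one internal interface
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
security:
  authorization: enabled
"""


def parse_mongod_conf(text: str) -> dict:
    """Minimal indentation-based YAML reader (assumption: key: value and sections only)."""
    root: dict = {}
    stack = [(-1, root)]                       # (indent, mapping) pairs
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:          # close sections we have left
            stack.pop()
        parent = stack[-1][1]
        if value == "":                        # "net:" opens a nested section
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value.strip("\"'")
    return root


def _get(conf: dict, path: str, default=None):
    node = conf
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit_mongod(conf: dict) -> list[str]:
    """Return findings for an already-parsed config mapping."""
    findings: list[str] = []
    bind_all = str(_get(conf, "net.bindIpAll", "false")).lower() == "true"
    # mongod's own default since 3.6 is localhost-only.
    bind_ips = [a.strip() for a in str(_get(conf, "net.bindIp", "127.0.0.1")).split(",")]
    wildcard = bind_all or any(a in ("0.0.0.0", "::") for a in bind_ips)
    non_loopback = bind_all or any(a not in LOOPBACK for a in bind_ips)
    auth = str(_get(conf, "security.authorization", "disabled")).lower() == "enabled"
    tls_mode = str(_get(conf, "net.tls.mode", "disabled")).lower()

    if wildcard:
        findings.append("net.bindIp/bindIpAll: listening on every interface")
    if not auth:
        findings.append("security.authorization not 'enabled': any connection gets full access")
    if non_loopback and not auth:
        findings.append("CRITICAL: network-reachable listener with no authentication")
    if non_loopback and tls_mode != "requiretls":
        findings.append(f"net.tls.mode={tls_mode}: plaintext connections accepted off-host")
    return findings


def audit_cmdline(args: list[str]) -> list[str]:
    """Map the flag form from the post (--bind_ip 0.0.0.0, no --auth) onto the same checks."""
    conf: dict = {"net": {}, "security": {}}
    for i, arg in enumerate(args):
        if arg == "--bind_ip" and i + 1 < len(args):
            conf["net"]["bindIp"] = args[i + 1]
        elif arg == "--bind_ip_all":
            conf["net"]["bindIpAll"] = "true"
        elif arg == "--auth":
            conf["security"]["authorization"] = "enabled"
        elif arg == "--tlsMode" and i + 1 < len(args):
            conf["net"]["tls"] = {"mode": args[i + 1]}
    return audit_mongod(conf)


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for f in audit_mongod(parse_mongod_conf(text)) or ["clean"]:
            print("  -", f)
    print("[cmdline]", audit_cmdline(["mongod", "--bind_ip", "0.0.0.0"]))
```

Run it against `/etc/mongod.conf` on each host in scope, or against the `mongod` line from `ps`, and treat any CRITICAL finding as a same-day fix: the combination is exactly what the ransom-note groups scan for, and neither setting needs a restart window to reason about.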
Penetration Testing in Connecticut: The Complete Guide for CT Businesses
Everything Connecticut businesses actually need to know about penetration testing in 2026. CT regulatory landscape (CTDPA, CT Insurance Data Security Law, HIPAA, PCI, NYDFS, CMMC as they apply to CT businesses). What a real pentest is vs a vulnerability scan. Pricing ranges for the CT market. Vendor selection criteria. Red flags to avoid. The full engagement process from scoping to remediation.
NYDFS 23 NYCRR Part 500: The Complete Implementation Guide for 2026
The Second Amendment phased in through November 2025. If your Part 500 program was last rebaselined against the 2017 rule you are operating under regulation that no longer exists. This is the complete 2026 implementation guide. Every section mapped to what it requires in practice. Section-by-section walkthrough of 500.1 through 500.18. The DFS enforcement pattern with actual settlements. Budget ranges. The full DFS examination procedure. The 10 gaps that appear on every readiness engagement.
HIPAA Security Rule 2025 Update: The Complete Covered Entity + Business Associate Guide
HHS dropped a Notice of Proposed Rulemaking in January 2025 that rewrites the HIPAA Security Rule. First substantial update since 2013. The language is specific where it used to be vague. This is the complete guide we wish every covered entity and business associate had. What changed in the 27 distinct updates. The gap analysis framework. The 180-day implementation plan. Budgets. Tool stack. And the OCR audit procedure.
SOC 2 Type II Readiness: The 12-Month Timeline for Startups
SOC 2 Type II is not a certification you buy. It is an attestation of controls that were in place and operating effectively over months. If your enterprise prospect wants the report today and you are starting from scratch, the math does not work. This is the honest 12-month SOC 2 Type II timeline we walk startups through. Week by week. What to do, buy, write, and skip.
PCI DSS 4.0 Compliance: The Complete Guide for 2026
Every page of the PCI DSS 4.0 spec is comprehensive and unreadable. This is the guide we wish existed when we started running PCI engagements. What 4.0 actually requires, what bites merchants hardest in 2026 assessments, the 12-18 month compliance order of operations, realistic budgets, and how to pick a QSA. Written by the people who audit against this framework for a living.
PCI DSS 4.0: The March 2025 Mandate That's Still Biting E-Commerce
PCI DSS 4.0 became mandatory March 31, 2025. A year later, e-commerce merchants are still flunking compliance assessments, QSAs are being stricter, and payment processors are issuing non-compliance notices. A practical walkthrough of what actually changed from 3.2.1, the requirements biting merchants hardest, and how to actually pass a 4.0 assessment.
Apply this research to your environment
Our engagements apply the same research methodology surfaced in these posts to your specific stack. Start with a free security check.
