If you're a new CISO trying to get a real picture of your organisation's security posture, forget red teaming. Start with purple teaming instead. You might have heard of red teaming, but purple teaming is likely what you really need. Purple teaming is when attackers and defenders are in direct contact during a series of pre-planned security tests, working openly and sharing real-time insights to improve defences against real-world attacks. This is in contrast to red teaming, which is when attackers try a range of different attack vectors that (within the scope of the exercise) defenders don’t know about, to see how far they can go. Based on running hundreds of testing engagements, we can say that purple teaming is the best offensive security assessment for most organisations and especially for new CISOs. Even organisations not ready for red teaming can typically benefit from purple teaming. Interested to learn more? Let’s talk: https://lnkd.in/e6bd7jUJ
SECFORCE LTD
Computer and Network Security
London, Greater London 3,989 followers
Security without compromise | Penetration Testing | Red Teaming | Purple Teaming | DORA Consultancy | CBEST | TIBER
About us
SECFORCE are vendor-independent offensive security specialists providing effective business risk intelligence and strategic security consulting. SECFORCE consultants are recognised as experts in technology and security alike, having a comprehensive understanding of business risk in the changing context of their clients. SECFORCE clients are astute organisations who value security as an essential component of their business, expect outstanding levels of service, and understand the difference between the various levels of supplier in the marketplace. Driven by passion for security, SECFORCE is always one step ahead of the latest threats and vulnerabilities. This ensures that clients are protected and afforded the high level of service they require. SECFORCE are CREST certified and have achieved ISO9001:2008 in recognition of their quality management systems and ISO27001:2013 for their information security management.
- Website: http://www.secforce.com
- Industry: Computer and Network Security
- Company size: 11-50 employees
- Headquarters: London, Greater London
- Type: Privately Held
- Founded: 2008
- Specialties: Penetration Testing, Web Application Security Testing, IT Security Consultancy, Host Configuration Security Reviews, Mobile Application Security Testing, Threat Modelling, Source Code Security Review, Exploit Development, Red teaming, infrastructure security testing, CBEST, Cybersecurity Consulting, DORA Compliance, Digital Operational Resilience Act, Security Programme Assessments, and Penetration Testing Maturity
Locations
- Primary: Suite 11, Beaufort Court, Canary Wharf, London, Greater London E14 9XL, GB
- Iris Court, 27 Cannon Road, Santa Venera, Malta SVR 9039, MT
Updates
-
SECFORCE LTD reposted this
#DEFCONTraining DEF CON Training Singapore kicks off and everything is ready. Can’t wait to see everyone there - this is going to be good. Giorgio B. DEF CON DEF CON Training
-
We onboarded a Hollywood celebrity into our client's biometrically authenticated app. To see how, check out our latest blog post: https://lnkd.in/dMXFwzMY
-
DORA's reporting requirements are a little more complex than most organisations might realise. Most financial entities focus on the incident reporting timelines (4 hours, 72 hours, 1 month) in the “ICT-Related Incidents Management, Classification and Reporting” pillar. But there are actually reporting requirements you need to be aware of in the other pillars of DORA, too. Here's what the full picture looks like (make sure to swipe right if you’re a Critical Third-Party Provider). Where are you in your DORA compliance journey?
-
SECFORCE LTD reposted this
Rodrigo Marcos Alvarez (SECFORCE LTD CEO & CREST Chair) and I are attending the National Cyber Security Show in Birmingham next week. Look forward to seeing some of you there! Reach out for a catch up ☕
-
The misconception ends here. A vulnerability scan should not be confused with a pen test. Pen tests can involve vulnerability scanning, but they are a completely different service with very different outcomes. Vulnerability scanning shows you (some of) the software vulnerabilities that weaken your environment. Penetration testing pits an ethical hacker against your systems, demonstrating how a compromise would go down in the real world. You should be running scans at least monthly. And doing pen testing whenever anything significant changes in your environment (e.g., every major infrastructure change, new deployment, or product release), or regularly as part of a mature security posture. If you're thinking about buying an offensive security service soon, read our guide on how to tell the difference: https://lnkd.in/dFNx8Ax5
-
How similar are DORA and NIS2, really? DORA has been on the radar for a while now, but the DORA vs NIS2 question still comes up a lot. So here's the short version: they are not the same. NIS2 is a broad EU directive covering cybersecurity across many sectors. DORA is a regulation built specifically for the financial sector, and it goes further than NIS2 with mandatory annual resilience testing, threat-led penetration testing every three years, and strict ICT third-party risk management requirements. We break down the key differences at a glance here: https://lnkd.in/dyvJCQU4 Want to talk about where your organisation stands? Drop us a message.
-
SECFORCE LTD reposted this
Excited to share that I've officially achieved the CREST Certified Red Team Manager (CCRTM) certification! 🎉 #CREST #CCRTM #RedTeam #Cybersecurity #InfoSec
-
AI can probably trick you… But can YOU trick AI? The National Cybersecurity Alliance is running an #AIFools campaign. Their goal? To help organisations stay on top of AI-powered scams and other risks, such as oversharing sensitive data with AI models. It's a fantastic initiative. But if you're building with AI rather than just using it, you may also want to test the LLMs themselves. That's why we built LLMGoat. LLMGoat is a free, open source, deliberately vulnerable LLM environment built around the OWASP Top 10 for LLM Applications. Can you finish all 10 challenges that simulate real-world vulnerabilities? There’s only one way to find out: https://lnkd.in/dhzqaam9
-
Can you trust a cheap pen testing quote? Two factors determine the cost of a pen test:
- The amount of testing and reporting time allocated (make sure you’re not being sold a vulnerability scan instead of a pen test OR that you’re not being OVERscoped).
- The cost of skilled personnel needed (look for companies with references, case studies, and focused offensive security practices).
To get a cheaper test you have to dial these variables down. Low penetration testing quotes can mean that the scoping of the target was not accurate or that a pen testing vendor is skipping essential staff training and development. However, you can also pay too much for a pen test. Read more here: https://lnkd.in/daTWRi8D