Perspectives on AI security, trust verification, and defending the new attack surfaces that AI creates.
How CraftedTrust connects registry search, certification, governance, identity, and attestations across the agent trust journey.
Trust & Verification: We scanned 4,274+ MCP servers and analyzed their security posture. Here's what we found: grade distributions, auth gaps, compliance failures, and the state of the ecosystem.
Trust & Verification: x402 micropayments let AI agents pay per-request for trust verification and other premium CraftedTrust workflows using USDC on Base.
Trust & Verification: CraftedTrust anchors certifications as EAS attestations on Base, making them independently verifiable and tying them back to registry and governance workflows.
AI & Policy: CraftedTrust maps trust and certification data to major compliance frameworks, giving enterprises auditable signals for agent governance and review.
AI & Policy: We filed a formal comment with the NIST NCCoE on AI agent identity and authorization. Here's what we said and why it matters for the MCP ecosystem.
Trust & Verification: Touchstone is CraftedTrust's security research authority for MCP servers, spanning scans, advisories, disclosures, and certification support.
AI & Policy: Pentera's 2026 benchmark report reveals most organizations rely on legacy security controls for AI. Here is what needs to change, backed by data from 300 US CISOs.
AI & Policy: AI agents can browse, execute code, and make API calls. Each capability is an attack surface. Mapping the threats from prompt injection to supply chain risk.
Security: A complete tabletop exercise kit with facilitator guide, three ready-to-use scenarios, discussion prompts, and scoring rubric. No external facilitator needed.
Security: How to implement VLANs and firewall rules on equipment you already own. Separate guest WiFi, IoT, servers, and workstations into isolated segments.
Security: OWASP Top 10 with real code examples in Python and JavaScript. Vulnerable code vs. fixed code, plus Semgrep scanning and pre-commit hooks.
Security: Every office has IoT devices nobody thinks about. How to find them with Nmap, segment them onto a VLAN, and set up firmware update schedules.
Security: The 7 most exploited OAuth/OIDC misconfigurations with code examples showing the vulnerability and the fix. Open redirects, PKCE, token storage, and more.
AI & Policy: Live deepfakes are being used in Zoom calls to authorize wire transfers. The technology, the detection artifacts, and a practical verification protocol.
Business: You can't protect data you haven't classified. A 4-tier system, inventory process, and handling rules for every classification level.
Business: 5 metrics that matter, how to translate technical findings to financial risk language, and what to say when the board asks "are we secure?"
Security: Top 10 container security mistakes and how to fix each one. Dockerfile templates, Trivy scanning, and Kubernetes NetworkPolicy examples.
Business: A vendor risk workflow for teams without a GRC department. Scoring vendors, security questionnaires, and contract clauses that protect you.
AI & Policy: AI agents make API calls and access databases, but IAM was built for humans. OAuth2 client credentials, short-lived tokens, and agent permission matrices.
Extensions: Deep technical analysis of fetch overrides, DOM scraping, data staging, and C2 exfiltration. How 6-factor risk scoring catches each pattern.
Security: A plain-English breakdown of the seven checks in a website security scan. Learn what SSL, SPF, DMARC, DKIM, and security headers do and how to fix common gaps.
Privacy: How Chrome extensions access your data, real-world incidents from the 2025-2026 AI chat harvesting wave, and how multi-factor risk scoring catches malicious patterns.
Security: A practical guide to penetration testing for businesses. Learn what to expect, how to scope an engagement, and how to get the most value from your pentest.
AI & Policy: A practical checklist for securing AI deployments in enterprise environments. Covers data protection, model security, access controls, and compliance.
Privacy: 9M+ users had AI chats harvested by malicious extensions in 90 days. How content script interception works, why AI conversations are high-value targets, and what to do about it.
Trust & Verification: MCP connects AI agents to external tools - but who verifies the servers? We built a 12-factor CoSAI-aligned scoring system across 4,274+ servers to bring transparency to the protocol.
Security: You don't need a six-figure consulting engagement to understand your security posture. Here's how to get started with the major frameworks - for free.
Extensions: Most users install extensions without reading permissions. What "read and change all your data on all websites" actually means, and why your AI chats are the most valuable target.
Security: SBOMs are becoming mandatory for government vendors. What they are, SPDX vs CycloneDX, and how to generate and scan one with free tools.
Security: The software supply chain is the most underdefended attack surface in modern computing. Here is how attackers exploit it and what you can do today.
Security: 82% of attacks are now malware-free, relying on stolen credentials and identity abuse. How credentials reach the dark web and how to harden your identity posture.
AI & Policy: The EU AI Act is live, the SEC wants AI disclosures, and your customers want transparency. A practical guide to AI governance without the legalese.
Security: How phishing kits actually work: typosquatting, Let's Encrypt trust, HTML cloning, reverse proxy credential harvesting, and Telegram bot exfiltration.
Security: From the biggest breaches to the most important policy shifts, here is what defined cybersecurity in 2025 and what it means for 2026.
AI & Policy: Employees are pasting proprietary data into AI tools without IT's knowledge. How to discover unauthorized AI usage and build an acceptable use policy.
Security: DNS is the backbone of the internet, and it is almost never secured. Here is why DNS attacks are so effective and what protective DNS can do for you.
Business: What your policy actually covers, what's excluded, the 12 controls insurers require, and how better security can reduce your premium 15-30%.
Business: Security awareness training is universally hated. Here is how to build a security culture that employees actually engage with instead of resent.
Security: STRIDE made accessible. Walk through a real SaaS login flow, compare frameworks, and get a 1-hour workshop format any team can run.
AI & Policy: SQL injection dominated the 2000s. Prompt injection is the equivalent for the AI era. Here is how it works, why it is hard to fix, and what defenders need to know.
Security: A complete operational playbook covering prevention, active incident response, and recovery. Includes the 3-2-1-1 backup rule and a pay/don't pay framework.
Privacy: If you are not paying for the product, you ARE the product. Here is how free tools monetize your data and what to look for before you install.
Security: The 5 main MFA bypass techniques in active use: SIM swapping, AitM proxies, push bombing, SS7 interception, and session theft. Which methods are actually phishing-resistant.
AI & Policy: AI agents are making thousands of API calls per minute. Most APIs were not built for this. Here is what breaks and how to fix it.
Business: A complete IR plan template for organizations with no dedicated security staff. Detection, containment, recovery, customer notification, and when to call law enforcement.
Business: 43% of cyberattacks target small businesses. Most don't have dedicated security staff. Here is why attackers prefer small targets and what you can do.
Security: The most common cloud misconfigurations, CLI commands to find public-facing storage, a 10-item audit checklist, and a 30-minute monthly routine.
Security: Everyone talks about Zero Trust. Few understand it. Here is what it actually means, why it matters for small businesses, and how to start implementing it.
Security: How passkeys work, why they eliminate phishing by design, and step-by-step setup for Google, Apple, and Microsoft accounts.
AI & Policy: Deepfakes, voice cloning, and GPT-generated phishing - AI is supercharging social engineering attacks. Here is what changed and how to adapt.