Notes.
Threat write-ups, methodology notes, and field reports from the team running Basirah in production.
RSS FeedRemediation SLAs That Actually Hold
Most vulnerability SLAs are a number copied from a framework into a policy nobody enforces. A deadline without a start event, an owner, and a breach process is a wish. Here is how to design remediation SLAs that get met instead of quietly missed.
CVSS, EPSS, KEV: Which Number Should Actually Move Your Queue?
Three scores, three different questions. Most teams sort their backlog by the one that answers the wrong question. Here is what each signal measures, where each one lies to you, and how to stack them into a queue that fixes what attackers actually reach for.
What broke on February 29: a Gulf conflict debrief
The Gulf conflict tested assumptions about data sovereignty, infrastructure redundancy, and team availability that most security programs had never verified. What broke, and what didn't.
Africa Cybersecurity Mandates: How Basirah Maps to South Africa POPIA, Kenya DPA, and Nigeria NDPA
South Africa POPIA, Kenya Data Protection Act, and Nigeria NDPA each require technical security measures with documented evidence. Here is how Basirah maps to each framework.
East Asia Cybersecurity Mandates: How Basirah Maps to Japan FISC Guidelines and South Korea ISMS-P
Japan FISC Security Guidelines and South Korea ISMS-P certification both require vulnerability management with documented remediation processes. Here is how Basirah maps to each framework.
FAIR + Monte Carlo in Cyber Risk: What Works (and What Breaks)
FAIR can translate cyber risk into financial ranges, and Monte Carlo can make uncertainty explicit, but only if you treat inputs and validation honestly. Here is a pragmatic approach, common failure modes, and how Basirah anchors quantification to verified outcomes.
India Cybersecurity Mandates: How Basirah Maps to CERT-In Directions and RBI Cybersecurity Framework
CERT-In 2022 Directions and the RBI Cybersecurity Framework both require vulnerability management with documented remediation. Here is how Basirah maps to each framework.
APAC Cybersecurity Mandates: How Basirah Maps to Frameworks Across Malaysia, Australia, Singapore, Philippines, and New Zealand
APAC regulators from Malaysia to New Zealand are converging on verified remediation with documented evidence. Here is how Basirah maps to each framework.
EU & UK Cybersecurity Mandates: How Basirah Addresses DORA, NIS2, and UK NCSC CAF Requirements
DORA, NIS2, and the UK NCSC CAF now carry real penalties. Here is how Basirah addresses their cyber risk execution, financial impact quantification, and governance evidence requirements.
GCC Cybersecurity Mandates: How Basirah Maps to NCA ECC, SAMA CSF, and UAE IAS
NCA ECC-2:2024, SAMA CSF, and UAE IAS V2.1 all require verified remediation with audit evidence. Here is where Basirah maps to each framework.
Americas Cybersecurity Mandates: How Basirah Maps to US, Canadian, and Brazilian Frameworks
From CISA BOD 22-01 to Canada OSFI B-13 and Brazil BCB Resolution 4893, Americas regulators demand operational proof of remediation. Here is how Basirah addresses their enforcement requirements.
Anatomy of a Multi-Vector Social Engineering Operation: A Debrief on Offline Social Engineering
A first-hand operational debrief from a multi-vector social engineering attack presented at 44Con. What it reveals about the gap between detection and verified resolution.
Sovereign AI and Enterprise Security: Who Controls Your Vulnerability Data?
As AI embeds itself in security tooling, the question of where your data lives and who can access it is no longer academic. Where sovereign AI fits, and how to evaluate the claims.
The Critical Vulnerability Remediation Challenge
Critical vulnerabilities outpace slow remediation programs. The operational indicators security leaders should track.
Building a Closed-Loop Remediation Program: A Practical Guide
Most vulnerability management programs are open-loop: they issue instructions and hope for the best. Here is how to build a closed-loop system that verifies outcomes and continuously improves.
FAIR Risk Quantification: When 'High/Medium/Low' Stops Working
When your security team says 'critical' and engineering says 'high,' nobody wins. FAIR turns that argument into dollars.
The Hidden Cost of Manual Audit Evidence: A Quantitative Analysis
Manual audit evidence collection costs mid-market enterprises an estimated $180,000 or more per year in direct labor alone. Here is the full breakdown and what to do about it.
Audit Season Doesn't Have to Be a Scramble: Building Evidence as You Go
Continuous evidence collection reduces manual audit preparation and improves evidence quality throughout the year.
Why 'Ticket Closed' Doesn't Mean 'Fixed'
Most organizations equate a closed ticket with a remediated vulnerability. The data says otherwise. What independent verification actually looks like, and what happens when it is absent.