Cybersecurity Engineering — Defensive Practice for Critical Infrastructure and IT
Cybersecurity engineering applies systems-engineering rigor to protecting computing assets — endpoints, networks, identities, cryptographic material, operational technology (OT), supply-chain artefacts — across confidentiality, integrity, and availability. This note covers the modern defensive stack as of mid-2026: threat landscape, network + endpoint + identity + cloud + cryptography + OT/ICS controls, vulnerability + incident response practice, and the compliance + standards meshwork (NIST CSF 2.0, ISO 27001, CMMC 2.0, PCI DSS 4.0, EU CRA, DORA).
1. Threat landscape (2023–2026)
1.1 Nation-state APTs
- Volt Typhoon (Bronze Silhouette, Vanguard Panda; China) — pre-positioning in US critical infrastructure (water, power, transport, telecom) for disruptive operations. CISA/FBI/NSA/MS-ISAC joint advisory CSA AA24-038A Feb 2024 named Living-Off-The-Land (LOLBins) techniques + KV-botnet routers. Reaffirmed in Apr 2024 follow-up advisory. Multiple US sectors found pre-positioned access dating back 5+ years.
- Salt Typhoon (Ghost Emperor; China) — telecommunications targeting; compromised Verizon + AT&T + Lumen + T-Mobile lawful-intercept + SS7 systems disclosed Oct–Nov 2024 (Wall Street Journal + reporting). Accessed call metadata + SMS + voice content; potential exfiltration of CALEA wiretap systems. US Treasury OFAC sanctioned Integrity Technology Group Jan 2025.
- APT28 (Fancy Bear, Sofacy; GRU 26165 Russia) + APT29 (Cozy Bear, NOBELIUM, Midnight Blizzard; SVR Russia) — SolarWinds 2020 + Microsoft corp email 2024 access. APT29 social-engineered TLS Office 365 spray Nov 2023.
- APT3 (Boyusec) + APT41 (Wicked Panda, Barium; China dual espionage + criminal) — supply-chain.
- Charming Kitten (APT35, Phosphorus; Iran) + MuddyWater (Mango Sandstorm) — credential phish + Israel + Gulf targeting.
- Lazarus Group (Hidden Cobra; DPRK Bureau 121) — cryptocurrency theft USD 1.7 B 2024 (Chainalysis). DPRK-attributed Ronin Bridge USD 625 M Mar 2022, Harmony USD 100 M Jun 2022, WazirX USD 230 M Jul 2024, DMM Bitcoin USD 308 M May 2024.
1.2 Ransomware
- LockBit 3.0 — most prolific 2022–2024 RaaS. Operation Cronos (NCA UK + FBI + Europol + 8 other countries) seized infrastructure Feb 19 2024; identified key operator Dmitry Khoroshev “LockBitSupp” May 2024 + USD 10 M reward. LockBit attempted reconstitution but degraded materially.
- BlackCat / ALPHV — exit-scammed Mar 2024 after USD 22 M Change Healthcare ransom payment then disbanded; affiliates rebranded.
- Royal / BlackSuit — descendant of Conti; 2023+ on healthcare + manufacturing.
- Cl0p / Clop — MOVEit Transfer (Progress Software) zero-day mass exploitation May–Jun 2023; 2700+ org compromise; CL0P listed > 750 victims.
- Hunters International — Hive successor; multi-extortion model.
- RansomHub — emerged Feb 2024; > 200 victims by year-end.
- Akira + Play + Medusa + Qilin (Agenda) + 8base + Inc Ransom — second-tier.
Notable 2024 incidents:
- Change Healthcare (UnitedHealth subsidiary) — BlackCat Feb 2024 attack; payment processing for ~30 % of US healthcare halted weeks; USD 22 M ransom paid (then affiliate threatened second extortion); ~190 M individuals’ PHI exposed; estimated USD 2.5 B+ remediation cost.
- CDK Global — automotive dealer mgmt system attack Jun 2024 (“BlackSuit”); 15,000 dealers offline 2+ weeks; ~USD 1 B industry losses.
- Snowflake customer data breaches — credential-stuffing via infostealer-collected creds (UNC5537); Ticketmaster (560 M records), Santander, AT&T (109 M call records), Advance Auto Parts, others May–Jun 2024; Snowflake itself not compromised, multi-factor not enforced on customer accounts.
- Ascension Health — Black Basta May 2024; clinical operations degraded across 140 hospitals.
- National Public Data (Jericho Pictures) — 2.9 B records breach disclosed Aug 2024.
- Halliburton — RansomHub Aug 2024.
- American Water Works — Oct 2024 (largest US water utility).
- Sea-Doo / BRP — Aug 2024 production halt.
1.3 Supply-chain attacks
- SolarWinds Sunburst Dec 2020 — Russian SVR; ~18,000 customers received trojanised Orion; deep compromise of US Treasury, Commerce, DHS, DOJ, Microsoft, FireEye.
- 3CX VoIP softphone Mar 2023 — North Korea Lazarus; cascading software supply-chain (X_TRADER → 3CX → downstream).
- XZ Utils backdoor (CVE-2024-3094) Mar 29 2024 — discovered by Andres Freund (Microsoft PostgreSQL maintainer); years-long social-engineering campaign by “Jia Tan” persona to gain XZ utils maintainership + insert SSH-bypassing backdoor into liblzma; caught before stable Debian/RHEL distribution. Widely cited as wake-up call for open-source maintainer-burnout risk.
- MOVEit — see §1.2 (Cl0p).
- Codecov Apr 2021 — bash uploader compromise.
- CCleaner Sep 2017 — Piriform → Avast supply chain.
- Kaseya VSA Jul 2021 — REvil exploited authentication bypass; 1500+ MSP-managed orgs hit.
1.4 Zero-day market
- Zerodium (Vienna; legal broker; up to USD 2.5 M for iOS no-click).
- Crowdfense (UAE; competing broker; USD 3–5 M iOS).
- Government brokers — TAO NSA, Equation Group (leaked Shadow Brokers 2016–2017 → EternalBlue → WannaCry + NotPetya).
- Commercial spyware:
  - NSO Group Pegasus (Herzliya Israel; Apple v NSO lawsuit 2021 ongoing; US Commerce Entity List Nov 2021).
  - Cytrox Predator (North Macedonia + Greece; Intellexa consortium; US sanctions Mar 2024 + Jul 2024).
  - Candiru / Saito Tech (Tel Aviv; targeted journalists + dissidents).
  - QuaDream (Tel Aviv; shut down 2023).
  - FinFisher / FinSpy / Gamma Group.
  - Hacking Team / Memento Labs (Milan; leaked 2015).
2. Network security
2.1 Transport-layer cryptography
- TLS 1.3 — IETF RFC 8446 Aug 2018. AEAD-only (AES-GCM, ChaCha20-Poly1305), 0-RTT optional, removed RSA key transport + static DH + SHA-1 + MD5 + RC4 + CBC. TLS 1.2 deprecation timeline: NIST SP 800-52 Rev 2 mandates 1.3 + permits 1.2 transition; PCI DSS 4.0 requires “secure protocols” effective Mar 2025 (interpreted as TLS 1.2 minimum, with operators urged to 1.3).
- HSTS HTTP Strict Transport Security RFC 6797 + preload list (Chromium hstspreload.org).
- Certificate management:
  - Let’s Encrypt (ISRG; Mountain View) — issued > 4 B certificates 2024; > 350 M websites; > 99 % automated via ACME RFC 8555. CA bundle: ISRG Root X1 + X2 ECC.
  - DigiCert / Sectigo / GlobalSign / Entrust commercial.
  - ACME automation — Certbot, Caddy auto-HTTPS, win-acme, lego.
  - Certificate Transparency CT logs — RFC 6962; Chrome/Safari/Firefox required; major logs: Google Argon/Xenon, Cloudflare Nimbus, DigiCert Yeti/Nessie, Let’s Encrypt Oak, Sectigo Sabre/Mammoth.
- Post-quantum + hybrid — see §6.
2.2 Web application + API protection
- WAF Web Application Firewall:
  - Cloudflare WAF + Cloudflare API Gateway — managed rules + ML-driven anomaly + L7 DDoS; OWASP Core Rule Set support.
  - AWS WAF + Shield Advanced + Network Firewall.
  - Fastly Next-Gen WAF (formerly Signal Sciences acq 2020).
  - Akamai App + API Protector (formerly Kona Site Defender).
  - Imperva (Thales acquired Dec 2023 USD 3.6 B).
  - F5 BIG-IP ASM + Advanced WAF + NGINX App Protect.
  - Radware Cloud WAF + AppWall.
- API security specialists — Salt Security, Noname Security (Akamai acquired May 2024 USD 450 M), Traceable AI, 42Crunch, Cequence Security.
2.3 DDoS mitigation
- Cloudflare — anycast scrubbing across 330+ cities; Magic Transit L3 BGP-based for on-prem; mitigated 26 M rps HTTPS DDoS Sep 2022 + 71 M rps HTTP DDoS Aug 2023 + 100 M+ rps HTTP/2 Rapid Reset CVE-2023-44487 Oct 2023.
- AWS Shield Standard (free) + Shield Advanced (paid USD 3000/mo + traffic).
- Akamai Prolexic + Kona Site Defender — long-standing financial-services preference.
- Imperva DDoS Protection (formerly Incapsula).
- Microsoft Azure DDoS Protection Standard.
- Google Cloud Armor.
- Lumen DDoS Hyper + Mitigation, Neustar/Vercara DDoS Protect, NETSCOUT Arbor.
- HTTP/2 Rapid Reset (CVE-2023-44487) was patched across Apache + nginx + Caddy + golang + Java HTTP/2 stacks Oct 2023.
2.4 IDS/IPS + NDR
- Open-source: Snort 3 (Cisco; rule-based signature IDS; founded Sourcefire 1998 Marty Roesch). Suricata (OISF Open Information Security Foundation; multithreaded). Zeek (formerly Bro) — Vern Paxson 1995 LBNL; behavior-oriented + connection logs; deployed at most US national labs + many large enterprises.
- Cisco Secure IPS (formerly FirePOWER) + Secure Network Analytics (Stealthwatch).
- Palo Alto Networks Threat Prevention + Cortex XDR — NGFW signatures + sandbox WildFire.
- Fortinet FortiGuard IPS + FortiNDR.
- Check Point Quantum IPS + ThreatCloud.
- NDR Network Detection + Response — Vectra AI, ExtraHop Reveal(x) 360, Darktrace DETECT + RESPOND, Corelight Open NDR (Zeek-based, Open-source-licensed commercial), Lumen Black Lotus Labs telemetry.
2.5 Zero Trust Network Access (ZTNA)
- CISA Zero Trust Maturity Model v2.0 Apr 2023 — Identity, Devices, Networks, Applications + Workloads, Data pillars; Traditional → Initial → Advanced → Optimal stages.
- NIST SP 800-207 Zero Trust Architecture (Aug 2020) — the foundational doc.
- OMB M-22-09 US federal Zero Trust mandate (Jan 2022; full implementation by FY24).
- Vendor stack:
  - Zscaler ZPA + ZIA + ZDX — pure-play SSE leader; 7000+ customers.
  - Palo Alto Prisma Access (SASE) + Prisma SD-WAN (CloudGenix).
  - Cloudflare Access + Gateway + WARP + Magic WAN = Cloudflare One SSE.
  - Cisco Duo + Secure Access (formerly Cisco Umbrella + Secure Endpoint integrated).
  - Microsoft Entra Private Access + Internet Access (SSE).
  - Okta Workforce Identity + Auth0.
  - Netskope SSE.
  - iboss + Lookout + Versa Networks SASE.
  - Tailscale + Twingate + Cloudflare WARP — developer-friendly ZTNA mesh + WireGuard-based.
3. Endpoint security
3.1 EDR / XDR / MDR
- CrowdStrike Falcon — agent + cloud platform; cohort-leading global; Jul 19 2024 Falcon Sensor 7.11 channel-file update (Channel File 291 IPC template) crashed ~8.5 M Windows devices (CrowdStrike CSA + Microsoft post-mortem); estimated USD 5.4 B+ Fortune 500 losses + USD 10 B total economic impact (Parametrix). CrowdStrike issued root-cause analysis + apologized + remediation tooling (Windows safe-boot script). Q3 FY25 ARR still grew despite churn pressure.
- Microsoft Defender for Endpoint + Defender for Identity + Defender for Cloud + Defender for IoT + Defender XDR unified portal.
- SentinelOne Singularity — agent-side AI; Mountain View Calif.
- Sophos Intercept X + Endpoint + MDR.
- Trellix (FireEye + McAfee Enterprise merger 2022; STG private equity).
- Cybereason + Cisco Secure Endpoint (formerly AMP for Endpoints).
- Cortex XDR + Cortex Xpanse (Palo Alto Networks).
- VMware Carbon Black + Tanium XEM + Symantec Endpoint Security (Broadcom).
3.2 MDR Managed Detection + Response
- Arctic Wolf (Eden Prairie MN; > USD 1.4 B ARR 2024; IPO filed 2025).
- Expel (Herndon VA).
- Critical Start (Plano TX).
- CrowdStrike Falcon Complete + Falcon Complete XDR.
- eSentire + Red Canary + Trustwave SpiderLabs (acquired MC2 Sec 2024) + Rapid7 MDR + Secureworks Taegis (Dell) acquired by Sophos 2025.
- Mandiant Managed Defense (Google Cloud).
3.3 SIEM / SOAR
- Splunk Enterprise + Cloud + ES (Enterprise Security) — Cisco acquired Splunk Mar 2024 USD 28 B.
- Microsoft Sentinel (cloud-native SIEM + SOAR; Log Analytics workspace).
- IBM QRadar SIEM + QRadar SOAR (Resilient) — IBM sold QRadar SaaS to Palo Alto Aug 2024 for migration to Cortex XSIAM.
- Google Chronicle Security Operations + SOAR (Siemplify acq 2022).
- Sumo Logic Cloud SIEM — acquired by Francisco Partners private 2023.
- Exabeam + Securonix + Devo + Gurucul + LogRhythm Axon + Logpoint — challenger SIEMs.
- SOAR-only: Tines (Dublin; cloud-native), Torq Hyperautomation, Palo Alto Cortex XSOAR (Demisto), Swimlane, Rapid7 InsightConnect.
3.4 MTD Mobile Threat Defense
- Lookout (Lookout Mobile Endpoint Security) — divested consumer 2024.
- Zimperium zIPS + MTD.
- Pradeo + Check Point Harmony Mobile + Wandera (Jamf) + MobileIron (now Ivanti).
4. Identity + Access Management
4.1 MFA + Passwordless + Passkeys
- WebAuthn + FIDO2 + CTAP — W3C Rec WebAuthn L2 + L3 in dev; backed by Apple + Google + Microsoft.
- Passkeys — discoverable WebAuthn credentials, synced via Apple iCloud Keychain (iOS 16+, macOS Ventura+ 2022), Google Password Manager (Android + Chrome 2023), Microsoft Authenticator (2024). Passwordless flows now default on >40 % of top 100 consumer sites by mid-2025.
- YubiKey 5 Series + Bio + Security Key Series (Yubico Stockholm; founded Stina + Jakob Ehrensvärd 2007).
- Google Titan Security Key, Microsoft authenticator app + Windows Hello, Solokeys Solo V2, Trustkey + Feitian + NitroKey + OnlyKey.
- TOTP RFC 6238 — Authy (Twilio sunsetting desktop 2024), Microsoft Authenticator, Google Authenticator (cloud sync added 2023), 1Password, Bitwarden.
4.2 Privileged Access Management (PAM)
- CyberArk Privileged Access Manager + Conjur Secrets + Vault — public 2014 IPO; market leader.
- BeyondTrust Password Safe + Privileged Remote Access + Endpoint Privilege Management.
- Delinea (Centrify + Thycotic merger 2021) Secret Server + Privileged Access Service.
- HashiCorp Vault (acquired by IBM Apr 2024 USD 6.4 B; closing 2025) — secrets engines + dynamic credentials + transit encryption + PKI + SSH CA. > 65 % Fortune 100 deployments.
- Saviynt + One Identity + ARCON + WALLIX challengers.
4.3 Identity Governance + Administration (IGA)
- SailPoint IdentityNow + IdentityIQ (Austin TX; Thoma Bravo took private 2022 USD 6.9 B).
- Saviynt Enterprise Identity Cloud (EIC).
- Okta Identity Governance + Lifecycle Management + Workflows.
- OneLogin (acquired by One Identity; Quest 2021).
- Microsoft Entra ID Governance (formerly Azure AD Identity Governance).
- Oracle Identity Governance + IBM Verify Governance + Omada Identity Suite.
4.4 Cloud Infrastructure Entitlement Management (CIEM)
- Wiz (USD 12 B valuation Apr 2024 round + USD 23 B + Google announced acquisition bid in 2024 then revisited — see CSPM §5.1).
- Orca Security, CrowdStrike CIEM (acquired Bionic Apr 2024), Sonrai Security, Microsoft Entra Permissions Management (formerly CloudKnox 2021), Tenable Cloud Security (Ermetic acq 2023 USD 265 M), Saviynt CIEM.
4.5 Secrets Management
- HashiCorp Vault + AWS Secrets Manager + Parameter Store + Azure Key Vault + GCP Secret Manager + GCP Workload Identity Federation.
- 1Password Business + Secrets Automation + Doppler + Infisical (open-source) + CyberArk Conjur.
- GitHub OIDC for Actions + GitLab OIDC tokens + Spiffe/Spire zero-trust workload identity.
5. Cloud security
5.1 CSPM / CNAPP
- Wiz (Tel Aviv + NY; founded 2020 Assaf Rappaport ex-Microsoft Cloud Security GM; USD 350 M ARR + USD 12 B val 2024; Google Cloud agreed Mar 2025 to acquire for USD 32 B).
- Orca Security — agentless side-scanning of cloud volumes.
- Lacework — acquired by Fortinet Aug 2024 USD 150–225 M (down from USD 8.3 B valuation 2021).
- Prisma Cloud (Palo Alto Networks; RedLock + PureSec acquisitions).
- Microsoft Defender for Cloud + AWS Security Hub + Inspector + GuardDuty + Macie + GCP Security Command Center.
- Trend Vision One (Trend Micro).
- CrowdStrike Falcon Cloud Security.
- Aqua Security + Sysdig Secure + Snyk + Check Point CloudGuard + Tenable Cloud Security.
- CNAPP unifies CSPM (posture) + CWPP (workload runtime) + CIEM (entitlements) + IaC scanning + container/K8s security.
5.2 Container + K8s security
- Falco (CNCF) — Sysdig-originated runtime security; eBPF-based.
- Tetragon (Isovalent → Cisco Apr 2024 USD 2 B) — Cilium eBPF runtime + observability.
- Aqua Trivy — most-used FOSS vulnerability scanner (image, IaC, K8s, repo).
- Sysdig Secure + Falco Enterprise.
- Wiz Container Security.
- Twistlock → Prisma Cloud Compute.
- KubeArmor (Accuknox) + ARMO Kubescape + Prisma Cloud Defender + Snyk Container.
5.3 CI/CD + SAST/DAST/SCA
- Snyk Code + Container + IaC + Open Source (Boston + Tel Aviv; > USD 290 M ARR 2024).
- GitHub Advanced Security — CodeQL (Semmle acq 2019); Secret Scanning, Dependabot, code scanning. Native to GitHub Enterprise Cloud.
- GitLab Ultimate — SAST + DAST + Dependency Scanning + Container Scanning + Secret Detection bundled.
- Veracode Static + Software Composition Analysis (SCA) — Veracode acquired Longbow Security 2024 for ASPM.
- Checkmarx One + SCA + IaC Security + SCS Supply Chain.
- Sonatype Nexus Lifecycle + Sonatype Lift (formerly MuseDev) + Sonatype Repository Firewall.
- JFrog Xray + JFrog Curation + JFrog Advanced Security.
- Semgrep + Semgrep Supply Chain + Mend.io (formerly WhiteSource) + Black Duck (Synopsys + Software Integrity Group spun out Mar 2024).
5.4 IaC scanning
- Checkov (Palo Alto Networks Bridgecrew acq 2021; open-source).
- Snyk IaC + Snyk Cloud.
- tfsec / Trivy (Aqua) + Terrascan (Tenable) + Regula (Fugue → Snyk) + Kics (Checkmarx).
- Spectral (Check Point) + GitLab IaC scanning + Prowler (open-source AWS auditor).
5.5 SBOM + software supply-chain
- SBOM formats:
  - CycloneDX — OWASP Foundation; JSON/XML/Protobuf; v1.6 2024.
  - SPDX — Linux Foundation; v3.0 2024; ISO/IEC 5962:2021.
- NTIA “Minimum Elements for an SBOM” Jul 2021 — supplier, component name, version, unique identifier, dependency, author, timestamp.
- EO 14028 May 2021 — US federal SBOM requirement.
- CISA Secure Software Acquisition Guide 2024 + OMB M-22-18 + NIST SP 800-218 SSDF.
- SLSA Supply-chain Levels for Software Artifacts v1.0 — OpenSSF; build-provenance levels.
- Sigstore — cosign (image signing) + rekor (transparency log) + fulcio (CA); originated Google ChainGuard team 2021 → Linux Foundation Sigstore project.
- ChainGuard (Kirkland WA; “secure-by-default” container images; Distroless + Wolfi distro) — USD 3.5 B val Oct 2024.
6. Cryptography
6.1 Post-Quantum Cryptography (PQC)
After 8-year NIST PQC Standardization (2017–2024):
- FIPS 203 — ML-KEM Module-Lattice Key-Encapsulation Mechanism (CRYSTALS-Kyber) — finalised Aug 13 2024. Replaces RSA-OAEP + ECDH for key establishment. Variants ML-KEM-512/768/1024 ≈ AES-128/192/256 classical security.
- FIPS 204 — ML-DSA Module-Lattice Digital Signature Algorithm (CRYSTALS-Dilithium) — finalised Aug 13 2024.
- FIPS 205 — SLH-DSA Stateless Hash-Based Digital Signature Algorithm (SPHINCS+) — finalised Aug 13 2024.
- FIPS 206 — FN-DSA Falcon — draft Q1 2025.
- HQC + BIKE + Classic McEliece — round-4 KEMs under continued evaluation; HQC selected as alternate to ML-KEM Mar 2025.
6.2 PQC migration timelines
- CNSA 2.0 (Commercial National Security Algorithm Suite 2.0) — NSA Sep 2022 + updated Apr 2024. PQC mandate for US National Security Systems (NSS); software signing must transition by 2025, all NSS by 2033.
- CISA + NIST + NSA “Quantum-Readiness” factsheet 2023 + 2024 inventory + crypto-agility guidance.
- NIST SP 1800-38 PQ migration playbook.
- Hybrid TLS — X25519MLKEM768 deployed by Cloudflare + Chrome 124 (Mar 2024) + Firefox 132 (Oct 2024); ~12 % of TLS connections to Cloudflare are PQ-hybrid by year-end 2024.
- OpenSSL 3.5 + AWS-LC + BoringSSL ship ML-KEM 2025. OpenSSH 9.0 added Streamlined NTRU Prime hybrid 2022; ML-KEM hybrid added 9.9 in 2025.
6.3 Hardware Security Modules (HSMs)
- Thales Luna Network HSM + payShield 10K (formerly SafeNet + Gemalto).
- AWS CloudHSM (uses Cavium → Marvell LiquidSecurity 2 chips).
- Azure Dedicated HSM + Managed HSM (Marvell LiquidSecurity backend).
- GCP Cloud HSM (Marvell + Thales Luna).
- Marvell LiquidSecurity 2 + 3 — chip-scale Cu-rooted HSM.
- Entrust nShield Connect + Solo + Edge.
- Utimaco SecurityServer + u.trust General Purpose HSM.
- Fortanix DSM Data Security Manager + Confidential Computing Manager — software-defined + confidential-compute-anchored.
- Atos Trustway + IBM Hyper Protect Crypto Services (Z16 Crypto Express).
6.4 Key Management Services (KMS)
- AWS KMS — symmetric + asymmetric + HMAC; envelope encryption pattern.
- Azure Key Vault + Managed HSM + GCP Cloud KMS + External Key Manager (EKM) + Akeyless + HashiCorp Vault Transit + KMIP secrets engines.
6.5 Confidential computing
- Intel TDX (Trust Domain Extensions) — VM-level isolation; Sapphire Rapids + Emerald Rapids 2023+ Xeon.
- AMD SEV-SNP (Secure Encrypted Virtualization Secure Nested Paging) — Milan + Genoa + Bergamo + Turin EPYC.
- AWS Nitro Enclaves — secured VM partitions inside EC2.
- Azure Confidential Computing — DCsv3/DCadsv5/ECasv5 (SEV-SNP); preview TDX.
- GCP Confidential VMs + Confidential GKE Nodes + Confidential Space.
- Apple Private Cloud Compute (PCC) Jun 2024 WWDC — server-side AI inference w/ verifiable confidential VM stack + transparency-log binary release.
- Confidential Computing Consortium (Linux Foundation 2019) — Microsoft + Intel + Google + Red Hat + IBM + Alibaba + Arm + Oracle + Meta.
7. Critical infrastructure + OT/ICS security
7.1 Standards + frameworks
- ISA/IEC 62443 family — multi-part OT cybersecurity standard. 62443-3-3 system requirements + security levels SL1-SL4. 62443-4-1 secure-product-dev lifecycle. 62443-4-2 component requirements.
- NIST CSF 2.0 — released Feb 26 2024 — added Govern function (6 functions total: Govern, Identify, Protect, Detect, Respond, Recover); applies to all sectors.
- NIST SP 800-82 Rev 3 — Guide to OT Security (Sep 2023).
- Purdue Reference Architecture — ISA-95; Levels 0 (process), 1 (sensors/actuators), 2 (PLC/RTU/SCADA HMI), 3 (manufacturing operations MES), 3.5 (DMZ), 4 (enterprise), 5 (corporate).
- NERC CIP — North American Electric Reliability Corp Critical Infrastructure Protection v6 + v7; mandatory for Bulk Electric System.
- TSA Pipeline Security Directives (post-Colonial Pipeline May 2021); updated 2022 + 2023 + 2024.
- EPA Water Sector Cyber Action Plan 2024 — voluntary sanitary surveys w/ cyber components.
7.2 OT/ICS visibility + detection tools
- Claroty xDome + CTD (Continuous Threat Detection) + SRA (Secure Remote Access) (NY + Tel Aviv; founded 2015).
- Dragos Platform (Hanover MD; founded Robert M. Lee 2016; series F 2021 USD 1.7 B val).
- Nozomi Networks Vantage + Guardian (San Francisco + Switzerland).
- Tenable.ot (acquired Indegy 2019).
- Forescout eyeInspect (formerly SilentDefense) + 4D Platform.
- Cisco Cyber Vision (acquired Sentryo 2019).
- Microsoft Defender for IoT (acquired CyberX 2020).
- Armis Centrix + Otorio + Industrial Defender ASM + Verve Industrial (acq Rockwell 2023).
7.3 Notable ICS malware + incidents
- Stuxnet — Iran Natanz uranium-enrichment centrifuge sabotage 2010; Symantec + Kaspersky + Langner Communications dossier 2010–2011; attributed jointly to US NSA + Israel Unit 8200; demonstrated PLC-level malware.
- Industroyer / CrashOverride — Ukraine Kyiv power-grid attack Dec 2016 (followed Dec 2015 BlackEnergy); Sandworm Russia GRU 74455 attributed; Industroyer2 2022 attempted reuse against Ukrainian substation, mitigated.
- TRITON / TRISIS / HatMan — Saudi Arabian petrochemical facility 2017 targeting Triconex Safety Instrumented System; attributed Russia TsNIIKhM/M-13 + FBI sanctions 2022.
- Colonial Pipeline ransomware May 7 2021 — DarkSide RaaS; 8800 km pipeline shut 6 days; USD 4.4 M ransom paid (later partially recovered by DOJ); US East Coast fuel panic.
- JBS USA + JBS Australia ransomware May 30 2021 — REvil; USD 11 M paid.
- Oldsmar FL water utility incident Feb 5 2021 — operator caught remote attempt to raise NaOH dosing 100× via TeamViewer; attribution unclear.
- Aliquippa Water Authority PA + Florida Water Utility Oct 2024 + American Water Works Oct 2024 — CyberAv3ngers (IRGC Iran linked) Unitronics PLC + ransomware; CISA AA23-335A + AA24-241A advisories.
- Halliburton breach Aug 21 2024 — RansomHub; data exfil + Q3 financial impact disclosed 10-Q.
- Sea-Doo / BRP Aug 2024 production halted.
- Mexico Pemex 2024 + Toyota Japan 2024 + Norsk Hydro 2019 LockerGoga + Maersk NotPetya 2017 USD 300 M+ — legacy major OT-adjacent incidents.
8. Vulnerability management
8.1 Vulnerability identifiers + scoring
- CVE (Common Vulnerabilities + Exposures) — MITRE-administered, sponsored by CISA; ~30,000 CVEs published in 2024 (record high); CNA Council expansion 2023.
- NVD (National Vulnerability Database) — NIST; CVE enrichment via CVSS + CWE + CPE. NVD analysis backlog crisis Feb 2024 — analysis rate collapsed; CISA + Microsoft + other CNAs took up enrichment; recovery ongoing 2025.
- CVSS Common Vulnerability Scoring System:
  - CVSS 3.1 still dominant in NVD as of 2026.
  - CVSS 4.0 released Nov 1 2023 (FIRST.org); finer metrics; vendor adoption uneven 2024–2025.
- EPSS Exploit Prediction Scoring System — FIRST + Cyentia Institute; ML-based likelihood of exploitation in next 30 d. v3 2023; used for risk-based prioritisation.
- CWE Common Weakness Enumeration — MITRE; CWE Top 25 Most Dangerous (2024 list: out-of-bounds write, XSS, SQLi, CSRF, path traversal, etc.).
- KEV CISA Known Exploited Vulnerabilities Catalog — Nov 2021+; > 1300 entries; FCEB binding directive deadlines.
8.2 Scanning tools
- Tenable Nessus Professional + Tenable Vulnerability Management (formerly Tenable.io) — Columbia MD.
- Qualys VMDR + TotalCloud + Patch Management.
- Rapid7 InsightVM + Nexpose — Boston.
- Microsoft Defender Vulnerability Management (formerly Threat + Vulnerability Mgmt).
- CrowdStrike Falcon Exposure Management (Spotlight).
- GreenBone OpenVAS — open source.
- Wiz Vulnerability Management + Orca Vulnerability Management — cloud-native, agentless.
8.3 Patch + endpoint management
- Tanium XEM (Converged Endpoint Mgmt) + Patch + Comply — Emeryville CA.
- IBM BigFix (acquired HCL Software 2019 → spun back to HCL).
- Ivanti Endpoint Manager + Patch Mgmt + Security Controls — endured multiple critical Pulse Secure + Ivanti Connect Secure zero-days 2024 (CVE-2024-21887 + CVE-2024-46805 + CVE-2025-0282).
- Automox + ManageEngine Patch Manager Plus + Kandji + Jamf Pro/Now + Microsoft Intune + Workspace ONE (VMware Omnissa spinoff 2024).
8.4 Pentest, Red Team, Bug Bounty
- Pentest firms — Bishop Fox, Coalfire, NCC Group, Rapid7 Penetration Services, Cobalt (PtaaS), Synack (PtaaS), HackerOne Pentest, Trail of Bits, Mandiant Proactive Services, IOActive, NetSPI.
- Red Team — Mandiant Red Team, RhinoSecurity Labs, Inversecos, TrustedSec, SpecterOps.
- Bug bounty platforms — HackerOne (San Francisco; founded 2012), Bugcrowd (San Francisco), YesWeHack (Paris), Intigriti (Antwerp), Synack (Sunnyvale), Federacy, Open Bug Bounty.
9. Standards + compliance
- NIST SP 800-53 Rev 5 (Sep 2020 + supplements) — control catalog for US federal systems; mapped to ISO 27001.
- NIST SP 800-171 Rev 3 (May 2024) — Controlled Unclassified Information (CUI) for non-federal systems; basis of CMMC.
- NIST CSF 2.0 — see §7.1.
- ISO/IEC 27001:2022 + 27002:2022 — ISMS + 93 controls (down from 114 in 2013); transition deadline Oct 31 2025.
- ISO/IEC 27017 — cloud-specific.
- ISO/IEC 27018 — PII processor.
- ISO/IEC 27701 — privacy management system (PIMS).
- ISO/IEC 27036 — supplier relationships.
- SOC 2 Type II — AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). Audit firms: Schellman, A-LIGN, KirkpatrickPrice, Coalfire, BARR Advisory, EY/PwC/KPMG/Deloitte.
- PCI DSS 4.0 — released Mar 2022; PCI DSS 3.2.1 retired Mar 31 2024; future-dated v4.0 requirements (51 items inc. customised approach + new MFA + script integrity for e-commerce + targeted risk analyses) effective Mar 31 2025.
- HIPAA Security Rule + HHS OCR NPRM Notice of Proposed Rulemaking Dec 27 2024 — major modernisation: mandatory MFA, encryption-at-rest + in-transit, vulnerability scanning + pen-testing minimums; comments closed Mar 7 2025.
- HITRUST CSF v11 — healthcare-oriented; AI-related assurance added 2024.
- FedRAMP — federal cloud authorisation; Low/Moderate/High; FedRAMP Authorization Act 2022 signed Dec 23 2022 (NDAA FY23); FedRAMP 20x modernisation initiative 2024.
- StateRAMP — state-level analog.
- IL5 / IL6 DoD Impact Levels — Defense data on cloud.
- CMMC 2.0 — Cybersecurity Maturity Model Certification. Final rule 32 CFR Part 170 published Oct 15 2024, effective Dec 16 2024; 3 levels (Foundational L1, Advanced L2, Expert L3); DoD contractor phased rollout 2025–2028; built on NIST SP 800-171.
- GDPR (EU; 2018) + CCPA / CPRA (California 2018 + 2020); 14+ US state privacy laws by mid-2025.
- CRA EU Cyber Resilience Act — adopted Oct 10 2024; in force Dec 2024; product cybersecurity essential requirements for digital products with digital elements (PDEs); 36-month compliance window for most products, 12-month for reporting obligations.
- DORA Digital Operational Resilience Act (EU) — applies Jan 17 2025; financial entities + ICT third-party providers; mandatory incident reporting + TLPT Threat-Led Penetration Testing every 3 yrs.
- NIS2 EU Directive — Network + Information Security 2; transposition deadline Oct 17 2024; broader sectoral scope + harmonised reporting + management-board accountability.
- PIPL China (2021) + DSL Data Security Law China + LGPD Brazil (2020) + POPIA South Africa + PIPEDA Canada.
- SEC Cybersecurity Disclosure Rule — final Jul 26 2023; effective Dec 18 2023. Form 8-K Item 1.05 — material cybersecurity incident disclosure within four business days of materiality determination; 10-K Item 106 annual risk management + governance disclosure. First wave of 8-K Item 1.05 filings 2024 (Microsoft + Caesars + Clorox + 23andMe + others).
10. Incident response
10.1 NIST SP 800-61 Rev 3 Incident Response Lifecycle (Apr 2024 draft → final 2025)
- Preparation — playbooks, IR retainers, comms templates, evidence-collection tooling.
- Detection + Analysis — SIEM + EDR + threat intel correlation.
- Containment — isolate + segment + credential rotate; short-term + long-term containment.
- Eradication — remove malware + close vulnerabilities + reset credentials.
- Recovery — restore from clean backups + harden + monitor.
- Lessons Learned / Post-Incident — root cause + control gaps + reporting.
10.2 IR firms (retainer + emergency)
- Mandiant (Google Cloud; acquired Mar 2022 USD 5.4 B; Kevin Mandia founder 2004 ended FireEye CEO).
- CrowdStrike Falcon Complete + Services.
- Kroll Cyber Risk + Cyber Defense (formerly Aon Cyber Solutions; merged Kroll 2018).
- Stroz Friedberg (Aon Cyber Solutions) — digital forensics + IR + insider risk.
- Charles River Associates (CRA) Cyber + Forensics.
- BlackBerry Cylance IR (now BlackBerry Optics).
- Coveware — ransomware negotiation specialist (Westport CT; acquired by Veeam Sep 2024).
- Unit 42 (Palo Alto Networks) + Cybereason IR + IBM X-Force IR.
- Secureworks Taegis VDR + IR (acquired by Sophos Sep 2025).
- Insurance-driven panels — Beazley, Coalition, Chubb, AIG, Hiscox, AXA XL; coordinated breach counsel via firms like Mullen Coughlin, BakerHostetler, Wilson Elser, Constangy, Lewis Brisbois.
10.3 Coordinated Vulnerability Disclosure (CVD)
- ISO/IEC 29147:2018 + 30111:2019 — vendor vulnerability handling.
- CERT/CC (CMU Software Engineering Institute) — original CSIRT (1988); 45-day disclosure default.
- CISA Coordinated Vulnerability Disclosure Process + Vulnerability Disclosure Platform (VDP) for FCEB.
- Vendor PSIRTs — Cisco PSIRT, Microsoft MSRC, Google VRP, Apple Security Bounty, Adobe PSIRT, Oracle CPU schedule.
10.4 Threat intelligence
- Mandiant Advantage Threat Intel + Recorded Future + CrowdStrike Falcon Intelligence + Microsoft Defender TI (RiskIQ) + Flashpoint + Group-IB + Intel 471 + Cisco Talos.
- MITRE ATT&CK — adversarial tactics + techniques + procedures framework; v15 Apr 2024 + v16 Oct 2024; STIX 2.1 native.
- MITRE D3FEND — defensive countermeasures framework.
- STIX 2.1 + TAXII — OASIS open threat-intel exchange standards.
11. AI-specific security concerns (2024–2026)
11.1 Threat surface
- Prompt injection (direct + indirect) — embedded instructions in user input or retrieved content steer LLM. OWASP Top 10 for LLM Applications v1.1 (Apr 2024) ranks LLM01.
- Jailbreaks — adversarial prompts bypass safety; many-shot jailbreak (Anthropic Apr 2024 paper), DAN-style + obfuscation patterns, encoding-based + multi-turn.
- Data poisoning — corrupting training or fine-tune data; backdoor triggers.
- Model exfiltration + theft — API distillation attacks (e.g., DeepSeek-V2/R1 OpenAI accusations Jan 2025); membership inference; model inversion.
- Supply-chain attacks on model weights — Hugging Face malicious model uploads (JFrog Security found 100+ malicious pickle-deserialization payloads 2024); use safetensors not pickle.
- Agentic tool-call hijacking — agent with tools (browsing, code execution, email) coerced into destructive actions via indirect prompt injection. Greshake et al. 2023 Indirect Prompt Injection; SEP NDSS 2024.
- RAG retrieval poisoning — documents injected into the retrieval corpus subvert the downstream LLM.
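The pickle risk named in the model-weights bullet above can be triaged statically, because a pickle stream declares every import it will perform on load. The following Python is an added example, not code from this note or from any vendor it cites; the allowlist, function names and sample streams are assumptions constructed for illustration.

```python
import collections
import pickle
import pickletools

# Assumption: the only import a plain weights file needs; extend per framework.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
UNICODE_PUSH = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

def disallowed_globals(data: bytes) -> list:
    """List the imports a pickle stream would perform, without loading it."""
    findings, recent = [], []   # recent: strings pushed just before this opcode
    for opcode, arg, _pos in pickletools.genops(data):
        op = opcode.name
        if op in ("GLOBAL", "INST"):          # protocols 0-3: arg is "module name"
            module, _, attr = arg.partition(" ")
        elif op == "STACK_GLOBAL":            # protocol 4+: operands on the stack
            if len(recent) < 2:               # operands came from the memo etc.
                module, attr = "<unresolved>", "STACK_GLOBAL"
            else:
                module, attr = recent[-2:]
        elif op in ("EXT1", "EXT2", "EXT4"):  # copyreg extension registry lookup
            module, attr = "<extension>", str(arg)
        else:
            if op in UNICODE_PUSH:
                recent.append(arg)
            elif op != "MEMOIZE":             # anything else may change the stack
                recent = []
            continue
        recent = []
        if (module, attr) not in ALLOWED_GLOBALS:
            findings.append(f"{module}.{attr}")
    return findings

class _CallsOnLoad:
    """Constructed sample: unpickling it would call print(); it is never loaded."""
    def __reduce__(self):
        return (print, ("constructed sample",))

def sample_streams() -> dict:
    weights = collections.OrderedDict(layer0=[0.1, 0.2], layer1=[0.3])
    return {
        "plain": pickle.dumps(weights, protocol=4),
        "callable_p4": pickle.dumps(_CallsOnLoad(), protocol=4),
        "callable_p3": pickle.dumps(_CallsOnLoad(), protocol=3),
    }

if __name__ == "__main__":
    for label, blob in sample_streams().items():
        print(label, disallowed_globals(blob))
```

A non-empty result means the file would import something outside the allowlist when loaded. Operands fetched from the memo are reported as unresolved rather than guessed, so the check fails closed; safetensors avoids the problem entirely because the format carries no executable opcodes.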
11.2 Defenses
- NIST AI RMF 1.0 (Jan 2023) + NIST AI 600-1 Generative AI Profile (Jul 2024).
- EU AI Act — adopted Mar 13 2024; in force Aug 1 2024; staged application 2024–2027; high-risk AI + GPAI obligations.
- ISO/IEC 42001:2023 — AI management system standard.
- NIST SP 800-218A Secure Software Development Practices for Generative AI.
- MITRE ATLAS — Adversarial Threat Landscape for AI Systems; ATT&CK-like matrix.
- OWASP Top 10 for LLM Applications v1.1 + OWASP Machine Learning Top 10.
- AI gateways + guardrails — Cloudflare Firewall for AI, Lakera Guard, Robust Intelligence (Cisco acquired 2024), Protect AI, HiddenLayer, NeMo Guardrails (NVIDIA), Lasso Security.
12. Privacy engineering
- Differential Privacy (DP) — Dwork et al. 2006; (ε, δ)-DP; deployed Apple (iOS keyboard + Safari + Photos), Google (Chrome + RAPPOR + Maps Privacy Sandbox), US Census 2020 redistricting data (TopDown Algorithm), Microsoft Office Telemetry.
- Homomorphic Encryption (FHE) — IBM HElib + Microsoft SEAL + OpenFHE + Zama Concrete + Duality SecurePlus.
- Secure Multi-Party Computation (MPC) — Sharemind + Inpher Sigma + Roseman Labs Crandall + Cybernetica + Partisia Blockchain.
- Privacy Sandbox (Google Chrome) — Topics API + Protected Audience + Attribution Reporting; replaces 3rd-party cookies. Original 2024 deprecation moved to user choice 2025.
- Data Loss Prevention (DLP) — Microsoft Purview, Symantec DLP, Forcepoint DLP, Netskope DLP, Zscaler DLP, Nightfall AI.
- Data Security Posture Management (DSPM) — Cyera (Series D 2024, USD 1.4 B valuation), Sentra, Varonis, BigID, Securiti AI, Concentric AI, Normalyze (acquired by Proofpoint Oct 2024).
13. Application security (AppSec) + Secure SDLC
13.1 Frameworks + standards
- OWASP Top 10 (2021) — Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable + Outdated Components, Identification + Authentication Failures, Software + Data Integrity Failures, Security Logging + Monitoring Failures, SSRF.
- OWASP API Security Top 10 (2023) — BOLA / Broken Object Level Authorization #1; broken authentication, BOPLA, unrestricted resource consumption, broken function-level auth, etc.
- NIST SP 800-218 SSDF Secure Software Development Framework v1.1.
- BSIMM (Building Security In Maturity Model) — Synopsys/Cigital; benchmark across ~130 firms.
- OWASP SAMM Software Assurance Maturity Model.
- OWASP ASVS Application Security Verification Standard v4.0.3.
13.2 Threat modeling
- STRIDE — Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege (Microsoft).
- PASTA — Process for Attack Simulation + Threat Analysis (Tony UcedaVélez).
- MITRE ATT&CK + D3FEND mapping for blue-team gap analysis.
- Tools: Microsoft Threat Modeling Tool, IriusRisk, ThreatModeler, OWASP Threat Dragon, ThreatPlaybook.
13.3 Fuzzing + SAST/DAST/IAST
- AFL++ + libFuzzer + Honggfuzz — coverage-guided fuzzers.
- OSS-Fuzz (Google) — 1100+ open-source projects continuously fuzzed; > 12000 bugs found.
- ClusterFuzz + ClusterFuzzLite.
- DAST — OWASP ZAP, Burp Suite Pro (PortSwigger), Acunetix (Invicti), Rapid7 InsightAppSec, Veracode Dynamic.
- IAST — Contrast Security Assess + Protect, Veracode Runtime Protection.
14. Cyber insurance + GRC
14.1 Cyber insurance market
- ~USD 17 B global premium 2024 (Marsh + Aon estimates).
- Hardening cycle 2020–2023 (MFA + EDR + immutable backups required for binding); softening 2024 with new entrants.
- Major carriers: Beazley, Chubb, AIG, AXA XL, Munich Re, Allianz, Coalition, Resilience, At-Bay, Cowbell, Corvus (Travelers).
14.2 GRC platforms
- OneTrust (Atlanta + London) — privacy + GRC unicorn.
- ServiceNow GRC + IRM, Archer (formerly RSA Archer; spun out Cinven 2023), MetricStream, Diligent (HighBond), AuditBoard (IPO filed 2024).
- Compliance automation — Drata, Vanta, Secureframe, Sprinto, Tugboat Logic (OneTrust 2021), Hyperproof, Strike Graph — automated SOC 2 + ISO 27001 + HIPAA + PCI evidence collection.
15. Workforce + certifications
- (ISC)² CISSP — Certified Information Systems Security Professional; ~170k holders 2024.
- CompTIA Security+ + CySA+ + PenTest+ + CASP+.
- ISACA CISA, CISM, CRISC, CGEIT.
- GIAC (SANS Institute) — GSEC, GCIH, GPEN, GCFA, GREM, GCED, GSE.
- Offensive Security — OSCP, OSEP, OSWE, OSED.
- Cloud-specific — AWS Security Specialty, Azure SC-100/200/300/400, Google Cloud Professional Security Engineer.
- AI security — emerging: OWASP AI/ML certifications, Carnegie Mellon SEI AI Engineering credentials.
- Workforce gap — ISC2 2024 Workforce Study: 5.5 M cybersecurity workers globally, ~4 M shortage.