Security guides & playbooks
Practical, vendor-neutral how-tos for practitioners — each one ends in a free tool you can use right away · browse the glossary → · updated June 2026
Where the glossary answers "what is X?", these guides answer "how do I actually do X?" — frameworks, checklists and step-by-step playbooks, grounded in well-established standards (OWASP, NIST, CISA). No fluff, no sign-up to read.
AI security
A practical framework for CISOs and security engineers: the five stages, the top risks, and the controls that map to each — then score your own agents.
9-min read · Read the guide →Retrieval-augmented apps widen the attack surface. A checklist across inputs, retrieval, the model, outputs and tools — with the failure modes to test.
8-min read · Read the guide →Models, weights, datasets and ML libraries are software too. How to handle provenance, unsafe deserialization, and CVEs in your ML dependencies.
8-min read · Read the guide →Vulnerability management
You've got a CycloneDX or SPDX file — now what? How to turn a bill of materials into a fix-first patch queue you can actually work.
7-min read · Read the guide →Which CVE do you fix first? How to combine severity, exploit probability and active exploitation into a defensible, exploited-first order.
8-min read · Read the guide →Unsupported software stops getting security fixes. How to inventory it, see what is about to go EOL, and plan upgrades before the patches stop.
6-min read · Read the guide →An SBOM lists what is inside; a VEX says what actually affects you. The statuses, the justifications, and how to author one from a scan.
6-min read · Read the guide →A no-nonsense playbook: inventory, prioritise, remediate, verify, report — the loop that turns scanning into measurable risk reduction.
9-min read · Read the guide →Compliance
The vulnerability-reporting obligations, the 24h/72h clock, the machine-readable SBOM requirement — and a checklist to be ready before the deadline.
8-min read · Read the guide →What auditors actually want to see for CC7.1 / CC8.1 and Annex A 8.8 — and how to produce that evidence without a spreadsheet marathon.
7-min read · Read the guide →Procurement
Both signal a mature security program, but they are not the same thing. The practical differences, and which one to request when assessing a vendor.
6-min read · Read the guide →A questionnaire is what the vendor says; an SBOM and vulnerability data are independently verifiable. Why you need both to assess a product.
6-min read · Read the guide →A lightweight TPRM program you can actually run: inventory vendors, tier by risk, assess, and monitor — without drowning in spreadsheets.
8-min read · Read the guide →How to run a vendor security assessment end to end — scope, questionnaire, independent verification, scoring and sign-off — before you buy.
7-min read · Read the guide →A SOC 2 report is dense. What to actually check: the type, period, scope, the auditor’s opinion, and — most importantly — the exceptions.
7-min read · Read the guide →Before you sign: the access, data, compliance and operational controls to confirm — plus the software-vulnerability check most checklists miss.
6-min read · Read the guide →Teams adopt tools faster than security can review them. How to surface shadow IT, triage it by risk, and bring it under assessment.
6-min read · Read the guide →Incident response
Product patching guides
Need to patch a specific product? See the step-by-step how-to-patch guides for Windows Server, Exchange, VMware ESXi, FortiGate, Cisco IOS, WordPress, PHP, Ubuntu, Red Hat and SQL Server — each with the latest safe version and live exploitation exposure.
Use the tools the guides point to
- Agentic AI security — AIVSS calculator + Lethal Trifecta screen.
- SBOM scanner — a fix-first patch queue for every component, in your browser.
- Check a version — paste a product + version for an instant verdict.
- Compliance editions — turn your data into framework-ready evidence.