Posts by Dwayne McDaniel
Sometimes you bear witness to something you doubt people would believe you saw in person.
Congrats to two of my favorite people in AppSec, Tanya Janca and Jason Haddix, for being immortalized as Funko at the same #SnowFROC
Final talk of the day at #SnowFROC 2026
Scaling AppSec through humans & agents
from Mudita Khurana, Staff Security Engineer at Airbnb
#SnowFROC 2026
Passkeys in the Wild
from
Geoff Robinson, Principal Consultant, Cybersecurity Assessment at ivision
They really leaned into the Snow part of #SnowFROC this year at The Cable Center in Denver...
#SnowFROC 2026
npm's dark side: Preventing the next Shai-Hulud
from
Jenn Gile, OpenSourceMalware.com
#SnowFROC 2026
Inside the Modern Threat Landscape: Attacker Wins, Defender Moves, and Your Priorities
from
Chris Lindsey, Ox Security
Last week I was in #Halifax, one of my favorite cities, at #ATLSECCON 2026, one of my favorite conferences.
Here are my notes about what I learned
blog.gitguardian.com/atlseccon-20...
#SnowFROC 2026 has kicked off with the Keynote:
Threat Modeling Developer Behavior: The Psychology of Bad Code
from
Tanya Janca, SheHacksPurple.ca
While I am honored and beyond excited to get to be part of #SnowFROC this week, I am actually more looking forward to seeing some of my favorite people I have met in recent memory
Check out this lineup!!!
snowfroc.com/schedule
"Developers are not security engineers; we cannot expect tens of thousands of implementers to independently discover and mitigate a flaw that is baked into the official SDKs they trust."
I read a lot of reports; this tone feels different here, and I am here for it.
www.ox.security/blog/the-mot...
There are some very good and positive changes coming to native GH actions security.
I had some thoughts on what to do in the meantime, as they make these changes.
blog.gitguardian.com/future-of-gi...
I am downright proud to be a part of the team at GitGuardian.
We keep innovating and working to make life easier for anyone trying to get a handle on secrets sprawl.
youtu.be/iyKHvK3g9g8
I had the very special honor of speaking at #BSidesMKE this year. I wrote up a few notes about this awesome community event.
blog.gitguardian.com/bsides-mke-2...
All too soon, we are already at the #ATLSECCON 2026 closing keynote:
"Humans Are Awesome At Decision Making"
from
Andy Ellis, Legendary CISO, Duha
When the Plan Doesn’t Exist: Agile Business Continuity and Disaster Recovery
Tarek Habib, Partner, KPMG
#ATLSECCON 2026
Vibe Coding vs Vibe Crime – How bad actors and defenders are leveraging AI differently
from
Shannon Murphy, Global Security and Risk Strategist, Trend Micro
#ATLSECCON 2026
When AI Broke Your Security Model: What Still Works, What’s Dead, and What to Fix First
from
Pascal Fortin, CEO, Cybereco
#ATLSECCON 2026
Day 2 of #ATLSECCON 2026 kicks off with
"The 5 W's and the How of Compliance"
From
Linda Mitton, GRC Practice Lead, Parabellyx Cybersecurity
Defence Through Deception
Jon Moore, C3SA Cyber Security Audit Team
#ATLSECCON 2026
Your AI Agents Are Lying To You
from
Jason Keirstead, Founding CTO, LangGuard[.]AI
#ATLSECCON 2026
Beyond the Silos: Operationalizing Exposure Management in a Fragmented Landscape
from
Tara Jaques, Technical Director, Tenable
#ATLSECCON 2026
A HUGE
THANK YOU
To everyone who came out to my new talk at #ATLSECCON 2026
"From Pets To Cattle To Agents: Evolving Identity And Security For Workloads"
Here are the slides
tinyurl.com/pets-atlseccon
Completely packed room for Amy Yee at #ATLSECCON 2026
"The Five People You Meet in Cybersecurity: Lessons in Trust, Failure, and Leadership"
Very good reminder we are all human!
The Evolution of Security Through the Endpoint
From Chris Gaba, RVP, Global Sales
Prisma Browser, Palo Alto Networks
#ATLSECCON 2026
#ATLSECCON 2026 Opening Keynote
"Dangerous Data"
From the always amazing Wendy Nather
Senior Research Initiatives Director at 1Password
#ATLSECCON 2026 has officially kicked off.
Biggest year ever, over 1750 people here in Halifax for 2 full days of learning and community.
I read a lot of reports, and sometimes I see a common thread running through multiple ones.
For example, these three:
www.crowdstrike.com/en-us/global...
www.cncf.io/wp-content/u...
www.gitguardian.com/state-of-sec...
TL;DR:
More credentials == more ways attackers get in.
"Treat every CI runner as a potential breach point
TeamPCP’s credential stealer ran inside CI/CD pipelines, dumping process memory and sweeping 50+ filesystem paths for secrets."
Stay safe out there.
www.docker.com/blog/defendi...
#BSidesMKE
Flynding Your Place
Sean Juroviesky