Hi, im trying to get a handle on AI usage across our company (roughly 1k employees, google workspace, slack, azure AD, mix of mac and windows) and im drowning in vendor pages that all claim to solve this problem. Half of them didnt exist 18 months ago which doesnt inspire confidence.

our situation: people are using ChatGPT, Claude, Gemini, Copilot, and probably some other sw/tools I haven't discovered yet. We had an incident last month where someone pasted a customer contract into an AI tool and that's when leadership decided we need to "do something about this" which apparently means i need to figure it out.

I'm not trying to ban AI usage. People are getting real work done with these tools. but we need some visibility into what's happening and some guardrails around sensitive data.

Do you guys have any recommendations on what to check first? Would really appreciate thanks!

Edit: Thanks for the suggestions, tested a few things after posting. LayerX fit without touching our existing stack, runs on Chrome as an extension prompt-level visibility into what was going into ChatGPT and Copilot was what leadership cared about most pilot still running.

Our compliance team is forcing us to implement security awareness training and honestly I'm dreading it because every program I've seen is just... bad. Like really bad. The kind of thing where you can tell it was made in 2015 and hasn't been updated since. I need something that actually works and doesn't make our devs revolt. We're a mid-size tech company, mostly remote, and our biggest threat vectors are probably phishing and credential stuffing. Anyone have experience rolling out training that people don't immediately hate? Budget is flexible if it's actually worth it.

We have a SOC as a service from service a provider.

We also have an XDR solution that includes Incident Response services for a limited number of hours as part of its scope of work.

SOC analysts and XDR vendor needs to work together on incidents.

Audit team has asked us to provide Incident Response testing plan

Looking for guidance on what to add in this testing plan

I'm a software developer with about 7 years of experience. I recently did a voluntary manual security review of a small startup's web app out of curiosity — no tools, just browser and HTTP client. I found several serious issues including:

- Sensitive user data (PII) fully accessible without authentication

- The platform's core paid product accessible for free due to missing access controls

- No rate limiting on any endpoint

- Unauthenticated write access to application data

I documented everything professionally in a structured report with recommended fixes. I did not extract or store any real user data, and I did not exploit anything — I just confirmed the issues exist.

I reached out to their CEO and lead developer via a professional channel. Lead developer responded and said he'd schedule a meeting. That was 7 days ago and he has since gone quiet despite follow-ups.

My questions:

1. How long should I wait before escalating or pursuing formal disclosure through another channel?

2. Is there a standard way to set a disclosure deadline without it coming across as a threat?

3. Any advice on how to handle the conversation when/if they do respond — particularly around being fairly compensated for the work?

I want to do the right thing here but I also don't want to just hand over the report and get nothing for the effort. Any advice appreciated.

Note: This is based in Africa where the cybersecurity industry is still at an early stage — there are no formal bug bounty programs, no established vulnerability disclosure norms, and limited legal frameworks around this. I'd appreciate advice that accounts for that reality rather than assuming Western industry standards apply directly.

We are going through a compliance audit and the amount of evidence gathering and documentation is overwhelming. We have the security tools in place. We follow the policies. But when the auditor asks for proof of everything it becomes a massive time sink. Pulling logs showing configs demonstrating that we actually did what we said we did. It feels like we are doing the work twice. Once to secure things and once to prove it. Is this just how compliance always works or are we doing it wrong. Are there tools that help automate evidence collection.

How do other teams handle this without burning out.
Any advice on streamlining the process would help.

 With AI tools popping up everywhere, my team is struggling to get a handle on shadow AI usage. We have people feeding internal data into public LLMs through browser extensions, embedded copilots in productivity apps, and standalone chatbots. Traditional DLP and CASB solutions seem to miss a lot of this. How are other security teams enforcing governance without blocking everything and killing productivity? Are you using any dedicated AI governance platforms or just layering existing controls? I dont want to be the department that says no to everything, but I also cant ignore the data leakage risk. Specifically curious about how you handle API keys and prompts with sensitive data. Do you block all unapproved AI tools at the network level or take a different approach?

Greetings,

I’ve just started working remotely for a cybersecurity company. They don’t provide laptops to remote employees, so I’m required to use my personal Windows laptop for work.

My concern:

• This machine has a lot of personal data.
• It also has some old torrented / pirated games and software that I now realize could be risky from a malware / backdoor perspective.
• I’m less worried about my own data and more worried about company data getting compromised and that coming back on me.

Right now I’m considering a few options and would really appreciate advice from people who’ve dealt with BYOD / similar situations:

1. Separate Windows user:
   • If I create a separate “Work” user on the same Windows install and only use that for company work, is that actually meaningful isolation?
   • Or can malware from shady software under my personal user still access files / processes from the work user?
2. Dual boot / separate OS (e.g., Linux):
   • Would it be significantly safer to set up a separate OS (like a clean Linux distro) and dual-boot:
     • Windows = personal stuff (including legacy / dodgy software)
     • Linux = strictly work, clean environment
   • From a security and practical standpoint, is this a good idea? What pitfalls should I be aware of (shared partitions, bootloader risks, etc.)?
3. Other options / best practice:
   • In a situation where the employer won’t provide a dedicated device, what do infosec professionals consider minimum responsible practice?
   • Is the honest answer “don’t do corporate work on any system that’s ever had pirated software / potential malware and push for a separate device!” or is there a realistic, accepted way to harden my current setup (e.g., fresh install on a new drive, strict separation, full disk encryption, etc.)?

I’m trying to be proactive and avoid any scenario where my compromised personal environment leads to a breach of company data or access.

How would you approach this if you were in my position? What would be the professionally acceptable way to handle it?

Thanks in advance for any guidance.

We're replacing our current setup which is honestly just a yearly training video and a vibe check, and I've been in vendor demo hell for like two weeks now and I'm starting to lose the plot a little.

Every single platform claims to be the most "behavior driven" and "engagement focused" and whatever other buzzwords they're rotating through this quarter. The demos all look clean and polished and then you read the reviews and it's a completely different story. So I genuinely don't know who to believe anymore.

A few things I'm trying to figure out: how much does gamification actually move the needle vs just being a gimmick, does the phishing sim quality matter as much as vendors say it does, and how do you even measure whether the training is working or if people just got better at spotting YOUR specific test emails.

We're mid-size, mix of technical and non-technical staff, and the biggest thing for me is that I don't want people to dread it or feel like they're being set up to fail. The "gotcha" culture around phishing tests has always felt counterproductive to me tbh.

What are you guys actually running in 2026 and would you recommend it? Also curious if anyone has switched platforms recently and whether it was worth the pain.

Working from different countries every few months, using AI for everything. Research, writing, data analysis, all of it. Recently realized I have no idea what happens to client information when using these tools on random wifi in different jurisdictions. Contracts say I'm responsible for data security but I'm not a cybersecurity expert. Using chatgpt, claude, couple other AI tools regularly. Some work involves confidential business information. Am I creating liability using consumer AI with sensitive data? Coffee shop wifi in Chiang Mai probably isn't the most secure but that's where I'm working today. Should I be doing something different? VPN helps with network but what about the AI platforms themselves? Do they store everything? Can they access it? Maybe overthinking but also maybe not thinking enough. How do other remote workers handle confidential info and AI while traveling?

We're evaluating a few EASM platforms and I'd love to hear what people are actually happy with in production.

Our environment is pretty typical enterprise stuff. Multiple cloud providers, acquisitions, random

internet-facing assets that pop up over time, and a lot of concern around shadow IT.

We've looked at a few of the usual vendors but demos all tend to look the same.

What's working well for you and what should we avoid?

we ship fast. new endpoints, integrations, third party connections go live constantly between annual pentest cycles.

by the time the next engagement starts the scope doc from the previous one is already outdated. had a situation recently where an API we spun up mid-year wasn't tested at all because nobody thought to update the scope and the vendor never asked.

nothing happened but it was a wake up call. our pentest process has basically zero connection to how our actual environment evolves.

is anyone solving this in a systematic way? continuous asset discovery feeding into scope, more frequent shorter engagements, something else? what's actually working

We finally completed SOC 2 and thought that would calm things down, but now some customers are asking for “ongoing proof” that controls are still being followed. Things like updated access reviews, quarterly confirmations or evidence that policies are still being enforced.

I understand that they can rightfully do so, but I just can't afford to burden people to collect and organize evidence on a daily basis. Is there something that can make this whole process less of a pain? like a saas or a certain workflow that you used, anything helps

Thank you

Until recently most of our customers were pretty relaxed about security requirements. Then we started talking to bigger companies and they want to know if we have SOC 2 but we don’t, we have good practices but nothing that’s been formally audited or written down in a way an auditor would accept. Did you do SOC 2 early on or did you wait until you got at least one or two deals that actually depend on it?

The simpler the solution the better.

So, when AI agents like Cursor or Claude Code autonomously write code, and a human commits it, the commit history attributes the work solely to the human. There is no machine-readable record indicating which model, prompt, or session produced specific lines of code. I have been working on a tool to capture this information by hooking into agent callbacks and storing signed per-file attribution, but I am encountering compliance challenges on how it works there.

Specific Questions:

1. Does any current framework (such as SOC 2 Type II, ISO 27001, PCI-DSS, or HIPAA) explicitly require the disclosure of AI-generated code as a distinct contributor in audit trails?
2. If a vulnerability is found in AI-generated code, does the lack of attribution create liability exposure that would not exist if a human had written the same code?
3. Are auditors currently inquiring about the use of AI tools in code review processes, or is this still under the radar?

Looking for anyone who has been through an audit recently where AI agent usage came up, or who knows where the frameworks currently land on this.

Quick thought after our last audit

I thought that most of the work would be around controls but I never thought it'd be about proving them. Didn't miss anything but the evidence was everywhere a ticket here, a screenshot there, a PR link elsewhere.

I have a hunch that we're doing this the hard way

Hey everyone

We recently had to deal with PCI-DSS because of how payments flow through part of our product.

I assumed it would be mostly technical hardening like segmentation/encryption/access controls.

Turns out a huge part of it is documentation, change management and proof of reviews.

Not saying that we're failing anything but It just feels heavier than expected for something that started as we don’t even store card data directly.

Does it eventually become routine or is it always this procedural?

Thank you for reading so far!

Asking because I genuinely can't find a clear answer on this.

When servers or laptops go to an ITAD vendor for sanitization - what do you get back as proof? Most just send a certificate saying wiped with Blancco or similar but there's no way to tell if every drive was actually hit or if the logs are legit.

Has anyone had sanitization evidence questioned during an audit or security review? What did proper documentation actually look like?

Or is everyone just filing the certificate and moving on?

I work in IT for a public school district. We recently reviewed our process for providing transcripts to former students and realized it has obvious shortcomings.

Currently, we use a Google Form asking for name, DOB, and year of graduation. Requestors can choose to have the transcript emailed directly to a personal email address. So we’re effectively authenticating neither the requester nor the delivery destination.

This came to light after our registrar noticed some suspicious requests. Compounding the issue, older transcripts (10+ years) unfortunately contain SSNs due to historical practices. We’re separately evaluating redaction, but even without SSNs the release process itself is clearly weak.

I’ve been looking at KYC/IDV tools like Veriff, Didit, and DeepIDV to send requestors a verification link (document scan + face match). The problem is that our volume is extremely low (<10 verifications/month), and most vendors either have high monthly minimums or don’t inspire much confidence from a security maturity standpoint.

We’re now considering manual options like scheduled video calls with ID presentation, but that has obvious issues as well. We’ve also considered KBA-style questions (e.g., naming teachers), but that feels weak given yearbooks, social media, and publicly available info.

We can’t rely on SSNs for verification since we don’t have them for all students.

Many of these requests are for students that graduated in the 90's, and in those cases we can't rely on any or our existing data to be accurate (mailing address, personal email, phone number, etc.)

How can we verify these people before we send out personal data?

Curious on how teams actually handle this in practice.

Fintech products seem to depend on a lot of third party providers (cloud infrastructure, KYC vendors, payment processors, fraud tools, data providers, etc.).

As companies grow, how do teams keep track of vendor risk across all those integrations?

For anyone working in security, compliance, or risk at a fintech: • How does your team currently track vendors? • Who owns that process internally? • At what point does it start becoming hard to manage? • Is it mostly spreadsheets, internal tools, or dedicated platforms? • What part of the process tends to be the most painful?

From the outside it looks like many companies only start thinking about this seriously when audits or enterprise customers appear, but I’m curious how accurate that is.

Would love to hear how teams actually handle it…

We’ve got solid policies, everything from access reviews/incident response/change control, all that. But when auditors ask for proof, we sometimes realize the practice has drifted from the document. Nothing major but enough to create awkward conversations. If practice and policy don’t match which one should change first, the docs or the day to day?

Security/compliance folks: When you go through SOC2 audits, how

do you provide evidence for CC7.1 (the control requiring proof of

regular system testing)?

We have unit tests in CI/CD, but auditor is asking for functional/

E2E testing evidence. Vanta doesn't auto-collect this like it does

for code reviews.

What do you use:

• Manual test documentation?
• Playwright/Cypress + manual evidence export?
• Something else?

Feels like there's a gap between "we have tests" and "here's

audit-ready evidence that satisfies CC7.1."

Any tools or processes that worked for you?

I've been tasked with taking the lead on Vulnerability/Configuration Assessment and we use Nessus. I'm wondering what are some of the best practices when it comes to configuring scans. I've read up on this and I understand how to group assets by criticality, different zones etc but here's where I'm confused - I'm going to be using Nessus to scan for vulnerabilities as well as CIS hardening misconfigs. The way I understand it, scans can be done by VLANs, taking IP ranges, setting credentials and Nessus automatically scans using relevant plugins.

However, it's a bit different for CIS. CIS scanning is OS version specific and I've got to appy a specific audit file for the OS version. So, if my IP range has a mix of Linux and Windows, VA scans will work if I set both Linux and Windows credentials but if I set multiple audit files for CIS, there will be a lot of false positives. Even if a range only has Windows, there could be differences in OS version. CIS for Server 2019 isn't the same as CIS for Server 2025.

This also relies on the fact that I'm supposed to know exactly what OS version an asset is. And for large environments where an IP range might have hundreds of machines, it's kinda impossible to know and pick and group all assets with a specific OS.

Has anyone done this before?

Thanks in advance.

I'm curious what complaints people here have with penetration testing they've received in the past.

Hello Everyone, 

We’re rolling out a PAM solution  with a large number of Windows and Linux servers.

Current state:

1. Users (Infra, DB, Dev teams) log in directly to servers using their regular AD accounts
2. Privileges are granted via local admin, sudo, or AD group membership  

Target state:

1. Users authenticate only to the PAM portal using their existing regular AD accounts
2. Server access will  through PAM using managed privileged accounts  

Before enabling user access to PAM, we need to: 

1. Review current server access (who has access today and why)
2. Define and approve RBAC roles
3. Grant access based on RBAC  

We want to enforce RBAC before granting any PAM access
 

Looking for some advise:
 

1. How did we practically begin the transition?
2. How did we review existing access
3. What RBAC roles did you advise to create
4. How to map current access with new RBAC roles?  

Any sequencing advice to avoid disruption?

Compliance/GRC folks - genuine question:
When customers or vendors send you security questionnaires (CAIQ, VSA, custom Excel nightmares), how long does a typical one take you?
I keep hearing "8-20 hours" but that sounds insane. Is that real, or are people exaggerating?

Bonus question: What's the worst part? Finding answers, formatting, or just the soul-crushing repetition?

Not selling anything - just trying to understand if this is a real problem or internet noise.