In the enterprise security news,
- lots of funding, but no acquisitions?
- New companies
- new tools
- including a SecOps chrome plugin
- and a chrome plugin that tells you the price of enterprise software
- prompt engineering tips from google
- being an Innovation Sandbox finalist will cost you
- Security brutalism
- CVE dumpster fires
- and a heartwarming story about a dog, because we need to end on something happy!
All that and more, on this episode of Enterprise Security Weekly.
I'll be running a panelcast with Fastly, titled Security Without Speed Bumps: Using WAF Simulator to Transform DevSecOps Workflows. Join me for this exciting webcast on April 16th. To register for this panelcast, go to securityweekly.com/WAF
Adrian Sanabria
- FUNDING: Courtesy of the Security, Funded newsletter, #189 – Cool Quantum Croissants
Last week's vibe check asked, "what's the strongest early signal a security tool will succeed in your org?"
The clear winner was "quick time-to-value (days, not weeks)"!
In this week's funding:
- Tailscale raised a $160M Series C from Accel
- Anecdotes, a US-based GRC platform, raised a $30M Series B from DTCP
- Aurascape, a US-based AI security posture management platform, raised a $26.2M Series A from Mayfield and Menlo Ventures.
- Outtake, a US-based agentic AI security platform, raised a $16.5M Series A from CRV.
- Finally, NetRise announced a $10M Series A led by dnxVentures to focus on supply chain security.
Also, when was the last time we saw an acquisition? Oh, RIGHT, RSA is coming up. We're gonna get all those announcements at once.
- NEW COMPANIES: AuthZEN Aims to Harmonize Fractured Authorization Controls
- NEW TOOLS: COACH, from Dropzone.ai
A Chrome plugin from Dropzone.ai that looks at the alert in the current tab and gives you some recommendations on how to deal with it.
- NEW TOOLS: Vendr Chrome Extension Makes Enterprise Pricing Visible
- NEW TOOLS: step-security/harden-runner
Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. It monitors network egress, file integrity, and process activity on those runners, detecting threats in real-time.
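As an added example (not from the show notes and not StepSecurity's own documentation), here is a GitHub Actions workflow that wires Harden-Runner in as the first step of a job. The comments contrast the weak setting (`egress-policy: audit`, which only records what the job does) with the hardened one (`egress-policy: block` plus an explicit allowlist, so any outbound connection to a host not listed is blocked and reported). The hostnames in `allowed-endpoints` and the Node build steps are assumptions for illustration; in practice you take the allowlist from an earlier audit run of the same job.

```yaml
name: ci
on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read   # least-privilege GITHUB_TOKEN; widen per job only if a step needs it

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Harden-Runner must be the FIRST step so it sees every later step's
      # network egress, file writes and process activity.
      # Weak setting to start with:   egress-policy: audit
      #   -> logs outbound connections, blocks nothing; use it once to learn
      #      which endpoints the job really needs.
      # Hardened setting (below):     egress-policy: block
      #   -> only the listed host:port pairs are reachable; anything else is
      #      blocked and shows up in the job summary, which is exactly the
      #      signal you want from a compromised dependency or action.
      # Pin the action to a commit SHA rather than @v2 in a real repo.
      - name: Harden runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          disable-sudo: true        # build steps should not need root on the runner
          # Assumed allowlist for a Node build (taken from an audit run).
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443

      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - run: npm ci
      - run: npm test
```

If a legitimate step starts failing after the switch to `block`, the blocked destination appears in the Harden-Runner report for that run; add it to `allowed-endpoints` deliberately rather than falling back to `audit`.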
- LEARN: Google Prompt Engineering v7 2025
Apparently a really great prompt engineering howto from Google
- RSAC: RSA’s Innovation Sandbox: Cybersecurity Startups Must Accept $5 Million Investment
This is old news that we never covered, because I put it in the wrong place and lost it for a few months.
Now that RSAC is coming up, it's worth a chat. Not too different from how Shark Tank does things, apparently.
- ESSAYS: Security Brutalism – Modern Adversary
- REPORTS: From KPMG – Top Geopolitical Risks in 2025
We've often talked about how cybersecurity isn't the business's top priority, but less so about what a business's top priorities actually ARE. This report is a great opportunity to understand exactly what those risks are. The report doesn't attempt to quantify these risks, but it still provides a useful perspective for those of us deep in the cybersecurity bubble 24/7.
- DUMPSTER FIRES: “CISA have, at the last minute, extended the MITRE CVE contract”
What a wild ride this was the other day.
At around 1:23pm Eastern, we see a tweet that CVE is in trouble. Tomorrow.
Then, I start seeing a flood of posts on LinkedIn from everyone, including Jen Easterly.
And then part of the CVE board decides to fork and start a non-profit! This is something they apparently had been planning for at least a year.
I'm up late, trying to think through the damage, the potential scenarios, what advice to give IANS clients...
And then, in the morning, we see that a deal was done, and all is fine.
Too soon. This was the tariffs all over again. All this buildup, then a delay. Buildup, exceptions. Also like the tariffs, I think the damage was already done in those 12-16 hours. No one in this industry is going to be comfortable depending solely on CVE/NVD going forward.
- THREATS: AI-hallucinated code dependencies become new supply chain risk
- ATTACKS: Recently I was targeted by an extremely sophisticated phishing attack…
WILD story and some very interesting and useful analysis of how this attack was put together. A very convincing phish.
- WEIRD: Microsoft: Windows ‘inetpub’ folder created by security fix, don’t delete
"This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users."
- SQUIRREL: Missing toddler who walked 7 miles through Arizona wilderness led to safety by a dog