Cybersecurity builder. Seen it all. Startups, scale-ups, exits. Currently in the middle of the next one. I post about cyber risk, enterprise sales, AI, crypto

The SolarWinds KEV alert this week and the Cisco SD-WAN zero-day earlier made the same point in the same week. Known. Exploited. Active. By the time a vulnerability hits the CISA catalog it is already being used against real organizations. Your annual pen test didn't test the version of SolarWinds you're running today. Your quarterly scan didn't catch the Cisco zero-day before exploitation started. This is the fundamental problem with point-in-time security testing in a world where the KEV catalog updates weekly and exploit code drops within hours of disclosure. Continuous testing doesn't mean running the same scan more often. It means having ongoing visibility into whether what's running in your environment today is actually secure today. That's a different posture. And right now it's the only one that keeps pace with the threat. @Parabellyx @CISAgov @Tenable #CyberSecurity #PenTesting #ContinuousTesting #InfoSec
CISA has added a high-severity flaw in SolarWinds Serv-U to its Known Exploited Vulnerabilities catalog this week. Active exploitation confirmed. SolarWinds. Again. Every time SolarWinds shows up in a CISA KEV alert it should trigger the same question in every security team running their software: Are we patched? When did we last verify? Not six months ago when the quarterly scan ran. Today. The gap between a vulnerability being added to the KEV catalog and active exploitation is not weeks anymore. It's days. Sometimes hours. @CISAgov @SolarWinds @BleepinComputer #CyberSecurity #InfoSec #PenTesting #CISO
A question I'm seeing more of in the crypto community this week and I think it deserves a straight answer. Is Bitcoin going to $40,000? Honestly — it's possible. Here's the scenario where it happens. The Bank of Japan keeps hiking. Carry trade unwinds accelerate. Global liquidity tightens. The Fed signals higher for longer on rates. The Iran conflict escalates and risk assets get sold hard. In that macro scenario Bitcoin could retest $50K or lower. It's happened before at this stage of a cycle. But here's what's different this time. Bitcoin ETFs are seeing $343 million in weekly inflows even as the price sits around $70K. Institutional buyers are not flinching at macro noise the way retail is. Strategy holds 815,000 BTC on their balance sheet. They are not selling. The structural floor is higher than it was in previous cycles because the buyer base is fundamentally different. Could it go to $40K? Yes. Do I think it gets there and stays? No. The institutional bid changes the math. #Bitcoin #Crypto #DigitalAssets #BTC
The AI spending correction that's happening in enterprise right now isn't a bubble bursting. It's a reality check that was overdue. Companies rushed to buy licenses. Anthropic. OpenAI. Microsoft Copilot. All of it. Before they had clear use cases. Before they had governance. Before they had any idea what success looked like. One client spent half a billion dollars in a single month after failing to put usage limits on employee AI licenses. Half a billion. The correction isn't that AI doesn't work. It's that buying licenses without a deployment strategy doesn't work. The companies that get disciplined about this now — specific use cases, clear ROI targets, actual governance — are going to be the ones that pull ahead when the dust settles. The ones that just cut licenses and call it a strategy are going to be behind when the next wave hits. @Microsoft @AnthropicAI @OpenAI #AI #EnterpriseSales #StartupLife #GTM
Two major US banks, Citizens Financial and Frost Bank, were hit via a shared vendor this week. Same pattern. Different victims. The breach didn't come through the front door. It came through a vendor that had standing access and nobody was actively testing that access path. Canvas. GitHub. Carnival. Medtronic. Now two banks. Here's the question worth asking your security team this week: When did you last test the access paths your vendors use to reach your environment? Not when did you last audit the vendor. When did you last test whether their access into your systems is actually secure today. Most organizations can't answer that question. That's not a compliance gap. That's a visibility gap. And it's exactly where attackers are living right now. @CISAgov @Mandiant @Tenable @Parabellyx #CyberSecurity #PenTesting #ContinuousTesting #InfoSec
Channel partners have a new conversation opener this week. Half of global organizations have faced AI-related security incidents. Shadow AI. Prompt injection. AI-powered attacks. Most of your mid-market clients have AI tools deployed. Very few have AI security governance in place. That gap is the conversation. Not "do you have an AI policy?" but "do you know what AI tools your employees are actually using right now and whether any of them have access to sensitive data?" Most clients will pause on that question. That pause is where the engagement starts. @ConnectWise @Pax8 @CISAgov #CyberSecurity #CISO #AISecurity #InfoSec
Let's talk about something that doesn't get enough attention in North American security circles. Israel's cybersecurity industry closed 2025 with $72.6 billion in total exit value. That's a 1,500% increase over 2024. In a single year. Capital raising also hit an all-time high at $8.27 billion, surpassing the previous record of $7.5 billion set in 2021. Companies like Armis, Cato Networks, Cyera, and Wiz — all Israeli-founded — are now category leaders in global cybersecurity. Google paid $32 billion for Wiz alone. The largest acquisition of an Israeli tech company ever. Here's what actually explains it. Mandatory military service runs nearly every Israeli tech founder through Unit 8200 or equivalent intelligence and cyber programs before they ever start a company. They don't learn security theory. They do real offensive and defensive operations. Then they take that experience and build companies around it. The rest of the world is training people in classrooms. Israel is training them in the field. If you want to understand where cybersecurity innovation is coming from over the next decade, watch Tel Aviv. @CISAgov @SecurityWeek @DarkReading #CyberSecurity #InfoSec #Israel #Startup
Something most crypto investors aren't paying enough attention to right now. The Japan carry trade. For years investors borrowed cheap yen at near-zero rates and deployed the capital into higher-yielding assets. Stocks. Crypto. Bitcoin. XRP. The Bank of Japan hiked to 0.75% in December 2025 and economists widely expect at least 1.0% by mid-2026. As funding costs climb, carry trades that worked on autopilot for a decade now require active management. When traders unwind carry trades they sell risk assets to close yen loans. Crypto gets sold. XRP is more sensitive to these flows than Bitcoin or Ethereum. Its smaller market depth and higher speculative positioning make it especially responsive to marginal liquidity shifts. The bullish XRP narrative is real. The regulatory clarity, the Ripple partnerships, the institutional buildout. But macro doesn't care about narratives. If the BoJ keeps hiking, liquidity tightens and XRP feels it first. Watch the Bank of Japan more than the XRP chart right now. @Ripple @CoinDesk #XRP #Crypto #DigitalAssets #Bitcoin
Pipeline velocity is the most underused metric in early-stage B2B sales. Most founders look at pipeline size. That's not the same thing. A pipeline full of deals that haven't moved in 60 days isn't a pipeline. It's a graveyard with optimistic close dates. Pipeline velocity tells you the real number: average deal size multiplied by win rate divided by average sales cycle length. If your velocity is low, one of three things is wrong. Deals are too small. Win rate is too low. Or cycle is too long. Each one has a different fix. But you can't fix what you're not measuring. Run this number today. Then run it again in 30 days. The trend is the signal. @HubSpot @Salesforce #EnterpriseSales #B2BSales #GTM #StartupLife
Microsoft just canceled most of its Claude Code licenses over cost. Uber's COO said AI spending is getting "harder to justify." One company spent half a billion dollars in a single month after forgetting to put usage limits on employee AI licenses. The enterprise AI reckoning is here. Here's what it means for cybersecurity specifically. 🧵
Second: AI-powered attacks are not slowing down because enterprise AI spending is. Some cybercriminal groups can break into networks and begin spreading laterally in under 30 seconds. The offense side of AI in security is not waiting for corporate ROI discussions to resolve. Your attackers are not having a budget review.
The organizations that come out of the AI spending correction in the best shape are the ones that got disciplined about use cases. In security that means: AI for continuous vulnerability discovery. AI for threat detection. AI for pen testing coverage. Not AI for checking the weather. Use it where it actually moves the needle on risk. @Microsoft @AnthropicAI @CrowdStrike @Mandiant #CyberSecurity #AI #AISecurity #InfoSec
Everyone tracks revenue. Not everyone tracks the numbers that actually predict whether revenue is sustainable. Three sales efficiency metrics every startup should be watching — and most aren't: CAC. Customer Acquisition Cost. What does it actually cost you to close one customer when you add up sales, marketing, and time? Most founders know this loosely. Very few track it rigorously. CAC Payback Period. How many months does it take to recover what you spent to acquire that customer? Under 12 months is healthy for most B2B SaaS. Over 18 months and you're funding growth on borrowed time. Pipeline Velocity. How fast are deals moving through your funnel? Average deal size multiplied by win rate divided by sales cycle length. One number that tells you whether your pipeline is actually healthy or just full of wishful thinking. Revenue tells you where you've been. These three tell you where you're going. #StartupLife #B2BSales #GTM #Founder
New research shows half of global organizations have now faced confirmed or suspected AI-related security incidents. Shadow AI. Prompt injection. AI-powered attacks. Half. And here's what makes that number alarming beyond the headline. Most of those organizations didn't know they had an AI security problem until after the incident. Shadow AI means employees are using tools IT doesn't know about. Prompt injection means AI systems are being manipulated to take actions their owners never intended. The AI governance conversation in most companies is still happening in the boardroom. The attacks are already happening in production. The gap between where your AI governance is and where your AI exposure is — that's the new attack surface. @CISAgov @MicrosoftSecure @AnthropicAI #CyberSecurity #AISecurity #InfoSec #CISO
Very great to see @UJAFederation that the community showed up
THIS IS COMMUNITY. Thank you for Walking with Israel. 🇮🇱🇮🇱🇮🇱🇮🇱🇮🇱🇮🇱
Hot take on startup GTM that I keep coming back to. Most early-stage companies don't fail because they built the wrong product. They fail because they tried to sell to everyone. The instinct to cast a wide net makes sense on paper. More prospects means more chances. More verticals means more surface area. In practice it means your message is generic, your sales cycle is long, and you close nothing. The startups that break through almost always did the opposite. They picked one specific buyer with one specific problem and went uncomfortably deep on it. They said no to interesting conversations that didn't fit. They ignored verticals that looked attractive but weren't the core. And they built reference customers that looked exactly like their next ten targets. The ICP is not a marketing exercise. It's a survival decision. Narrow wins. Wide loses. #StartupLife #GTM #B2BSales #Founder
The Carnival breach this week makes the same point every major breach this year has made. You can have a mature internal security program and still get breached through a vendor's access path. Testing your own environment is necessary. It's not sufficient. Continuous penetration testing has to include the full access surface. Not just your applications. Not just your cloud infrastructure. The integrations. The vendor portals. The contractor accounts that have been sitting with standing access since the project ended. Most organizations have no visibility into whether those access paths are secure today. Not last year when the vendor was onboarded. Today. That's the gap continuous testing closes. @Parabellyx @CISAgov @Tenable #CyberSecurity #PenTesting #ContinuousTesting #InfoSec