🚀 New Grad Software Engineers — This is your chance! Secureframe is hiring a New Grad Software Engineer, Growth in New York City, NY 🇺🇸 💰 Salary: $100K–$140K/year 📍 Location: NYC 🎓 New Graduates Welcome Build impactful products, work with cutting-edge technologies, and accelerate your engineering career at a fast-growing tech company. Apply now 👇 studentscircles.com/securefr… Tag a friend looking for their first software engineering role! 🔥 #SoftwareEngineer #NewGradJobs #NYCTech #TechJobs #Hiring
Under DFARS 252.204-7021, defense contractors must hold a current CMMC certification as a condition of contract award. Phase 2 enforcement begins November 10, 2026. Starting that date, self-attestation is no longer sufficient for Level 2 contracts. A C3PAO — an accredited third-party assessor — must independently verify your cybersecurity posture, including supply chain risk management under NIST SP 800-171. NIST SP 800-161r1 requires verifiable attestation of software composition at procurement and delivery. An SBOM you generated yourself does not satisfy independent verifiability. There is no cryptographic mechanism in the SBOM standard that allows an assessor to verify it matches the software it describes. A CBOM receipt does. Every component SHA-384 hashed. Binary Merkle tree. RS256/JWS signed by an independent third party. Verifiable offline against a published public key. Zero data retention. If the manifest changes after issuance, the signature fails. DFARS 252.204-7021 is law. November 10, 2026 is the date. Free trial — no account required. cbomcompliance.com @santoretech @SeraBrynn @secureframe #CMMC #DFARS #NIST800171 #SBOM #supplychainsecurity #C3PAO

Auditors are about to reject every SBOM in the defense supply chain. Here's why — and what replaces it.

An SBOM is a document you wrote about yourself. You listed your own dependencies. You generated the timestamp. You said it was clean. A C3PAO auditor cannot verify any of it independently. It's a claim, not evidence.

What an auditor actually needs:
— Proof of composition at a specific point in time
— An independent third party produced it, not you
— The contents are cryptographically tamper-evident
— Anyone can verify it without contacting you

That's a CBOM receipt. Here's exactly what it is: You upload your manifest. Every component gets SHA-384 hashed. Those hashes go into a binary Merkle tree. The root — a single cryptographic fingerprint of your entire software composition — gets RS256 signed and issued as a JWS receipt, timestamped and independently verifiable against a published public key. Your manifest is immediately discarded. Zero retention.

The protocol itself is anchored to Bitcoin — not your individual receipt, but the specification that governs every receipt ever issued.

The receipt verifies offline. Forever. No network call. No account. No dependency on us existing in 5 years.

If a single dependency changes, the Merkle root changes, the signature breaks, and the tampering is detectable.

Come back in 30 days and paste the same receipt — it re-evaluates your original components against current CVE databases and tells you exactly what changed. Same receipt. Current threat intelligence.

No other tool does this because no other tool issues receipts. They issue reports. Reports expire. Receipts don't.

CMMC Level 2 enforcement: November 10, 2026. 300,000 defense contractors. Free trial, no account needed.

#compliance #cmmc @santoretech @SeraBrynn @secureframe cbomcompliance.com

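The two CBOM receipt posts above describe the same flow: hash each component with SHA-384, fold the hashes into a binary Merkle tree, sign the root as an RS256 JWS, and let anyone holding the published public key verify it offline. The following is an added example written for this page, not code from cbomcompliance.com or any tool named here; it uses only the Go standard library. The JWS payload field names, the rule for an unpaired Merkle node (carried up unchanged), and the sample package identifiers are assumptions of this example, since the posts do not specify them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Receipt is the signed JWS payload; the field names are assumed for this example.
type Receipt struct {
	Root     string `json:"merkle_root"`
	IssuedAt string `json:"iat"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// MerkleRoot SHA-384-hashes every component and folds the hashes pairwise (SHA-384 of
// left||right) until one node remains. An unpaired node is carried up unchanged (assumed rule).
func MerkleRoot(manifest []string) []byte {
	if len(manifest) == 0 {
		return nil
	}
	var level [][]byte
	for _, c := range manifest {
		h := sha512.Sum384([]byte(c))
		level = append(level, h[:])
	}
	for len(level) > 1 {
		var next [][]byte
		for i := 0; i < len(level); i += 2 {
			if i+1 == len(level) {
				next = append(next, level[i])
				continue
			}
			h := sha512.Sum384(append(append([]byte{}, level[i]...), level[i+1]...))
			next = append(next, h[:])
		}
		level = next
	}
	return level[0]
}

// IssueReceipt signs the root as a compact JWS. RS256 is RSASSA-PKCS1-v1_5 over SHA-256 of
// "base64url(header).base64url(payload)". The manifest itself is not retained anywhere.
func IssueReceipt(manifest []string, issuedAt string, key *rsa.PrivateKey) (string, error) {
	payload, _ := json.Marshal(Receipt{Root: b64(MerkleRoot(manifest)), IssuedAt: issuedAt}) // cannot fail
	signingInput := b64([]byte(`{"alg":"RS256"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyReceipt is the offline check: pin the algorithm, verify the signature with the published
// public key, then recompute the root from the manifest in hand. (false, nil) = well-formed but not matching.
func VerifyReceipt(jws string, manifest []string, pub *rsa.PublicKey) (bool, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("malformed JWS: %d segments", len(parts))
	}
	dec := base64.RawURLEncoding.DecodeString
	header, err1 := dec(parts[0])
	payload, err2 := dec(parts[1])
	sig, err3 := dec(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return false, fmt.Errorf("malformed JWS: bad base64url segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(header, &hdr); err != nil || hdr.Alg != "RS256" {
		return false, fmt.Errorf("rejected alg %q: only RS256 is accepted", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return false, nil // receipt altered after issuance, or wrong key
	}
	var r Receipt
	if err := json.Unmarshal(payload, &r); err != nil {
		return false, err
	}
	return r.Root == b64(MerkleRoot(manifest)), nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	manifest := []string{"pkg:npm/example-lib@1.2.3", "pkg:pypi/example-tool@4.5.6"} // constructed sample
	receipt, _ := IssueReceipt(manifest, "2026-01-01T00:00:00Z", key)
	ok, _ := VerifyReceipt(receipt, manifest, &key.PublicKey)
	manifest[0] = "pkg:npm/example-lib@1.2.4" // one dependency changed after issuance
	changed, _ := VerifyReceipt(receipt, manifest, &key.PublicKey)
	fmt.Println("original verifies:", ok, "| changed manifest verifies:", changed) // true false
}
```

Two checks do the work on the verifier's side. The signature check shows the receipt was issued under the published key and has not been altered since; the root recomputation shows it describes the manifest the assessor actually has, not some other one. The verifier also refuses any header whose alg is not RS256, so a receipt cannot be re-labelled as unsigned or as a different algorithm and still pass.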
Sarah Armstrong-Smith retweeted
For the third year, we're celebrating 50 CISOs and leaders from the public and private sector who are shaping the cybersecurity landscape, starting with: @argvee @SarahASmith75 @Aarti_Borkar @k3r3n3 @LauraLGalante @shehackspurple @ajohnsocyber Read: secureframe.com/blog/cyberse…
Secureframe retweeted
Replying to @milosz_szewsky
An important point: except in the cases where you are required to install some third-party things "from the company" on your personal laptop. All the secureframe stuff and the like: ask for a separate laptop. And of course you shouldn't turn down the office setup either.
Today we're shipping the first open-core network auditor with a built-in, auditor-grade SOC 2 pre-audit reporter. NSAuditor AI EE 0.3.1 and CE 0.1.29 are live on npm.

📌 The market gap we're closing:
SOC 2 readiness today is split into two camps that don't talk to each other. GRC platforms (Vanta, Drata, Secureframe) automate the workflow of evidence collection and auditor handoff — but they have no native vulnerability scanning. They depend on you to import findings from somewhere else. Legacy scanners (Tenable, Qualys, Rapid7) produce voluminous CVE reports — but they don't map findings to TSC controls, don't sign evidence, and don't speak GRC-platform APIs.

NSAuditor AI EE 0.3.x is the bridge: deep network and cloud scanning, auditor-mapped findings, signed evidence artifacts, native push to GRC platforms — in a single, scriptable CLI workflow.

🔐 What ships in 0.3.x — the full SOC 2 hardening track:
✅ 7 fully covered AICPA Trust Services Criteria 2017 controls: CC6.1 · CC6.2 · CC6.6 · CC6.7 · CC6.8 · CC7.1 · C1.1 (5 partial · 34 explicitly out-of-scope, surfaced in every report)
✅ Cover-page Scope Attestation on every artifact — framework version, scan window, scope IDs, scanner version, TSA policy lineage.
✅ SHA-256 chain-of-custody — each artifact paired with a .sha256 sidecar; a chain-of-custody envelope binds the bundle.
✅ RFC 3161 trusted timestamping — TSA signing of every evidence artifact, with cert chain validation, policy-OID negotiation, and X.660 first-arc constraint enforcement. Real FreeTSA fixtures shipped; openssl ts -verify integration tested.
✅ Ed25519 cryptographic suppression signing — canonical JSON with RFC 5198 NFC normalization, payload-version-2 framing, 64KiB DoS cap, NFC-key collision detection, explicit unsupported-type rejection.
✅ Identity verification engine — suppression approvers verified against a corp identity registry with O(1) lookup and 10k-member perf headroom.
✅ WORM evidence storage — S3 Object Lock COMPLIANCE-mode push with SHA-256 manifest and SEC 17a-4 / FINRA 4511 retention semantics.
✅ Native Vanta GRC connector — TestResult outcome mapping, retry/backoff, idempotent scan IDs, 1MiB response cap, 180s duration cap, foreign-token format detection across 18 known non-GRC token prefixes (GitHub, Slack, AWS, Stripe, GCP, npm). Drata and Secureframe on roadmap.

📊 SOC 2 Type II ready:
— Recurring-scan attestation with cadence gap detection and scope-drift detection (CC8.1 evidence)
— SLA & MTTR engine with per-severity targets, finding-lifecycle tracking, transient-closure exclusion, semver-aware version-tolerance modes
— Per-approver renewal cadence rolling-quarter trend metric with governance bands

🎯 Tabletop simulation for CC4.1 and CC7.3 monitoring evidence: A configurable probe-event manifest correlates scanner-emitted control probes against SIEM detection events. Coverage thresholds presetable (75/90% for Type II, 85/95% for high-assurance); strict UTC timestamp enforcement closes a CC7.1/CC7.2 evidence-correlation gap.

📚 Resources:
→ Product home: nsauditor.com/ai/
→ SOC 2 coverage matrix: nsauditor.com/ai/docs/soc2/

#SOC2 #AICPA #Cybersecurity #GRC #Vanta #VulnerabilityManagement #OpenSource #CloudSecurity #Infosec #DevSecOps #ComplianceAutomation #RFC3161 #Ed25519 #NSAuditor
Last week at CS5 West, the Secureframe team joined DoD officials and DIB leaders shaping CMMC's future. We connected with defense contractors, discussed Secureframe Defense, and heard from @coalfire, @RedspinInc, @exostar, @RSMUSLLP & more. Continuing the conversation May 11-13 → hubs.li/Q04cTx2k0
As @basepowerco began to scale rapidly and expand beyond Texas, they needed SOC 2 to unlock partnerships. And they needed to do it fast, with a small IT team and a growing stack of RFPs to answer. 🔋⚡ See how Secureframe made it possible: secureframe.com/customers/ba…
During my time @Opendoor, @chintanparikh94 was easily one of my favorite engineers to collaborate with. Smart, opinionated, deeply cares about the customers. When he said he’s leaving Secureframe to start a newCo with @chrissesi, I immediately asked where do I wire - even before they joined YC. It was a short but really fun journey to work with them - and @Opendoor is getting (again) a truly phenomenal team!
We've acquired Audrion - among the most impressive teams in YC's Fall 2025 batch. An AI pilled technical team attacking a very hard problem. Their team will lead our mortgage product. Welcome @chrissesi, @chintanparikh94, @vineets1600 and @apostolos_delis to Opendoor.
CMMC is reshaping cybersecurity for hundreds of thousands of defense contractors. In May, the lead architect who built it takes the stage at the Secureframe National Cybersecurity Summit. Katie Arrington, former CISO and CIO of the U.S. Department of Defense, drove CMMC's creation to ensure the DIB protects itself and the nation in cyberspace. Phase 1 is live, Phase 2 is coming. Readiness can't wait. Join us May 13 for her keynote on defending what matters. Register: hubs.li/Q049WsmL0
defense(.)ai & defence(.)ai moved from Porkbun to Spaceship. Now they redirect to Secureframe. Sale, or just another hidden .ai signal? 🔥
@getdelve is no longer a @ycombinator company. That's not a small thing. Y Combinator has backed 4,000 startups since 2005. They've stood by founders through bad press, pivots, and public embarrassments. They almost never cut ties. So when they scrub a company from their directory entirely, it means something crossed a line they don't usually draw. As cleanly as I can summarize it: Delve is a compliance automation startup helping companies get SOC 2 and ISO 27001 certifications. An anonymous Substack account called DeepDelver, claiming to be a former customer, alleged that Delve was rubber-stamping compliance reports, bypassing critical requirements, and passing off certifications without actually doing the work. Then it escalated. Internal Slack messages. Video recordings. A separate accusation that Delve used an open-source tool without attribution. Malware found in a project belonging to one of their customers. A security researcher reportedly accessed sensitive Delve data. Insight Partners quietly deleted posts about their investment (though the main post was later restored). Y Combinator pulled Delve from the portfolio entirely. The COO confirmed it on X: "YC and Delve have parted ways." The founders pushed back. They hired cybersecurity forensic experts. Called it a coordinated cyberattack, not a whistleblower. Said the evidence was fabricated. CEO Karun Kaushik did admit: "We grew too fast and fell short of our own standard." That line is doing a lot of work. Truth about compliance automation as a category: the product IS trust. You are selling other businesses the assurance that they meet legal and security standards. If there's any gap between what your tool actually verifies and what it certifies, you're not just a startup with quality issues. You're a liability for every customer on your books. Vanta, Drata, Secureframe, all of them operate in this same tension. Automate the process vs. actually verify the outcome. 
For most, it's just an ongoing product challenge. For Delve, it appears to have become an existential one. Whether the allegations are fully true, partially true, or coordinated smear, the result is the same: Y Combinator publicly ended the relationship. That almost never happens. The reputation hit is permanent. The YC stamp was always their biggest asset. Now it's gone.
Replying to @secureframe
Excited for this segment at the summit!
The frameworks most security leaders rely on predate the threats they're facing now. Gen. Paul Nakasone, former NSA Director and U.S. Cyber Command chief, joins Secureframe CEO Shrav Mehta on May 12 to talk nation-state threats, AI risk, and what compliance frameworks miss. Register: secureframe.com/summit