Security guides & playbooks
Practical, vendor-neutral how-tos for practitioners — each one ends in a free tool you can use right away · browse the glossary → · updated June 2026
Where the glossary answers "what is X?", these guides answer "how do I actually do X?" — frameworks, checklists and step-by-step playbooks, grounded in well-established standards (OWASP, NIST, CISA). No fluff, no sign-up to read.
AI security
- A practical framework for CISOs and security engineers: the five stages, the top risks, and the controls that map to each — then score your own agents. (9-min read)
- Retrieval-augmented apps widen the attack surface. A checklist across inputs, retrieval, the model, outputs and tools — with the failure modes to test. (8-min read)
- Models, weights, datasets and ML libraries are software too. How to handle provenance, unsafe deserialization, and CVEs in your ML dependencies. (8-min read)
Vulnerability management
- You've got a CycloneDX or SPDX file — now what? How to turn a bill of materials into a fix-first patch queue you can actually work. (7-min read)
- Which CVE do you fix first? How to combine severity, exploit probability and active exploitation into a defensible, exploited-first order. (8-min read)
- Unsupported software stops getting security fixes. How to inventory it, see what is about to go EOL, and plan upgrades before the patches stop. (6-min read)
- An SBOM lists what is inside; a VEX says what actually affects you. The statuses, the justifications, and how to author one from a scan. (6-min read)
- A no-nonsense playbook: inventory, prioritise, remediate, verify, report — the loop that turns scanning into measurable risk reduction. (9-min read)
Compliance
- The vulnerability-reporting obligations, the 24h/72h clock, the machine-readable SBOM requirement — and a checklist to be ready before the deadline. (8-min read)
- What auditors actually want to see for CC7.1 / CC8.1 and Annex A 8.8 — and how to produce that evidence without a spreadsheet marathon. (7-min read)
Incident response
Product patching guides
Need to patch a specific product? See the step-by-step how-to-patch guides for Windows Server, Exchange, VMware ESXi, FortiGate, Cisco IOS, WordPress, PHP, Ubuntu, Red Hat and SQL Server — each with the latest safe version and live exploitation exposure.
Use the tools the guides point to
- Agentic AI security — AIVSS calculator + Lethal Trifecta screen.
- SBOM scanner — a fix-first patch queue for every component, in your browser.
- Check a version — paste a product + version for an instant verdict.
- Compliance editions — turn your data into framework-ready evidence.