All Posts
Compliance as a Side Effect: How a Well-Run VM Programme Satisfies PCI-DSS, ISO 27001, NIS2, DORA, and the UK CSRB
The organisations that fail compliance audits for vulnerability management rarely have bad security intentions. They have compliance-designed programmes, built to satisfy a framework rather than to manage risk. Episode 10 walks through PCI-DSS v4.0.1, ISO 27001 A.8.8, DORA, NIS2, and the UK Cyber Security and Resilience Bill, showing how a Five Pillars programme produces the evidence each framework asks for as a natural by-product of operating well.
Christopher Clarkson
5 days ago · 12 min read
Why Your Vulnerability Backlog Is Lying to You
Your vulnerability backlog is not one number. It is at least nine. Here are the three segmentations that make it a usable security metric.
Christopher Clarkson
Apr 21 · 4 min read
The CI/CD Pipeline Is the Attack Surface
Adding a SAST scanner to your CI/CD pipeline is not the same as securing it. Three documented incidents from the past 13 months — tj-actions, Trivy, and Axios — show how the pipeline execution layer, dependency installation, and runner credentials are all being targeted at scale. Episode 9 builds the threat model your shift-left programme is missing.
Christopher Clarkson
Apr 7 · 12 min read
Vulnerability Management at Scale: When 60,000 CVEs Per Year Breaks Your Triage Model
FIRST is projecting a median of 59,427 CVEs for 2026. At that volume, a process that requires a human to review each inbound finding is not a triage model — it is a queue that will never clear. Episode 8 covers vulnerability management at scale: the composite scoring model that handles automated classification, why KEV is a hard floor and not a scoring input, and where the asset inventory is still the bottleneck.
Christopher Clarkson
Mar 31 · 9 min read
VM at the Speed of Cloud: Cloud Native Vulnerability Management When the Estate Won't Stay Still
Episode 7 of the CAXA Technologies Security Operations Series. If a container lives for 60 seconds and your scanner runs on a schedule, you do not have a cloud VM programme. You have a cloud visibility gap with a reporting cadence attached to it. That framing sounds extreme until you look at the data. Sysdig’s 2025 Cloud-Native Security and Usage Report found that 60% of containers now live for 60 seconds or less. In 2019, half of containers lasted at least five minutes. The t
Christopher Clarkson
Mar 24 · 12 min read
Vulnerability Prioritisation in Practice: CVSS, EPSS, KEV and SSVC
88% of published CVEs carry an exploitation probability below 10%. If your backlog is ordered by CVSS score, most of the effort it consumes is aimed at vulnerabilities attackers are ignoring. This episode delivers a working alternative: EPSS, the CISA KEV catalogue, and SSVC applied to real CVEs.
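The two prioritisation ideas the series summaries above describe, a composite score built from EPSS and CVSS (Episode 8) and KEV as a hard floor rather than a scoring input (Episodes 8 and 5), can be shown in a few lines. The block below is an added illustration, not the series' published model: the weights, the 10% EPSS noise floor, the exposure multiplier, the tier cut-offs and the four findings are all constructed assumptions. What it demonstrates is the failure mode the Episode 5 summary names: a CVSS-only sort puts the one finding that is actually being exploited last.

```python
"""
Composite vulnerability prioritisation with KEV as a hard floor.

Added example. Thresholds, weights and sample findings are illustrative
assumptions, not the CAXA series' published scoring model.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float           # CVSS base score, 0-10
    epss: float           # EPSS exploitation probability, 0-1
    in_kev: bool          # listed in the CISA Known Exploited Vulnerabilities catalogue
    internet_facing: bool # asset exposure from the inventory


# Constructed sample findings; the CVE identifiers are placeholders, not real CVEs.
FINDINGS: List[Finding] = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.020, in_kev=False, internet_facing=False),
    Finding("CVE-0000-0002", cvss=7.5, epss=0.850, in_kev=False, internet_facing=True),
    Finding("CVE-0000-0003", cvss=5.3, epss=0.010, in_kev=True,  internet_facing=True),
    Finding("CVE-0000-0004", cvss=6.1, epss=0.004, in_kev=False, internet_facing=False),
]

# Assumption: below this probability EPSS adds no urgency (most CVEs sit here).
EPSS_NOISE_FLOOR = 0.10


def composite_score(f: Finding) -> float:
    """Ranking score for findings NOT on KEV.

    EPSS carries most of the weight, CVSS acts as a severity tie-breaker, and
    exposure scales the result. Weights (70/30, x1.5) are assumptions.
    """
    epss_term = f.epss if f.epss >= EPSS_NOISE_FLOOR else 0.0
    exposure = 1.5 if f.internet_facing else 1.0
    return (70.0 * epss_term + 30.0 * (f.cvss / 10.0)) * exposure


def tier(f: Finding) -> str:
    """P0..P3. KEV membership is a gate, not a term in the score."""
    if f.in_kev:
        return "P0"  # hard floor: exploited-in-the-wild overrides any score
    s = composite_score(f)
    if s >= 60.0:
        return "P1"
    if s >= 25.0:
        return "P2"
    return "P3"


def prioritise(findings: List[Finding]) -> List[Finding]:
    """KEV items first regardless of score, then composite score descending,
    then CVSS as a final tie-breaker."""
    return sorted(findings, key=lambda f: (not f.in_kev, -composite_score(f), -f.cvss))


def cvss_order(findings: List[Finding]) -> List[Finding]:
    """The naive backlog order the text warns against: CVSS descending only."""
    return sorted(findings, key=lambda f: -f.cvss)


def tier_counts(findings: List[Finding]) -> Dict[str, int]:
    """Backlog broken out by tier, so the number reported is not one number."""
    counts: Dict[str, int] = {"P0": 0, "P1": 0, "P2": 0, "P3": 0}
    for f in findings:
        counts[tier(f)] += 1
    return counts


if __name__ == "__main__":
    print("CVSS-only order:", [f.cve for f in cvss_order(FINDINGS)])
    print("Composite order:", [f.cve for f in prioritise(FINDINGS)])
    print("Tiers:", tier_counts(FINDINGS))
```

With the constructed data, the CVSS-only sort ranks the 9.8 with a 2% exploitation probability first and the KEV-listed 5.3 last; the composite order reverses that, and the EPSS noise floor means the 9.8 earns a P2 on severity alone rather than a P1. Treating KEV as a gate rather than a weighted term is what keeps a low-CVSS, low-EPSS KEV entry from being outscored by a high-CVSS finding nobody is exploiting.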
Christopher Clarkson
Mar 10 · 11 min read
Vulnerability Management Metrics That Matter: Measuring What Moves the Needle
Most organisations track vulnerability management metrics. Far fewer track metrics that change anything. This episode examines what to measure, where each metric delivers the most value, and why programmes that solve for security have no difficulty during audits while those that solve for compliance struggle to demonstrate whether they are reducing risk at all.
Christopher Clarkson
Feb 23 · 15 min read
When Every Component Works and Your Vulnerability Management Programme Doesn't
Vulnerability Management programmes rarely fail because individual components are weak. They fail because the people, processes, and technology were designed independently and have drifted apart under operational pressure. Episode 4 of the CAXA Technologies Security Operations Series examines the operating model that turns pillar capabilities into operational reality, and provides a diagnostic framework for identifying where misalignment is constraining your programme.
Christopher Clarkson
Feb 16 · 28 min read
The Five Pillars of a Vulnerability Management Programme
Buying a better scanner doesn't help if your asset inventory has significant gaps. This episode examines the five pillars every VM programme depends on, maps how they interact as a dependency chain, and explains why the visible symptom is often far from the actual constraint.
Christopher Clarkson
Feb 9 · 10 min read
The Vulnerability Management Lifecycle: Seven Stages from Introduction to Closure
Every vulnerability takes a journey through your organisation. This episode examines the seven stages of that lifecycle and reveals where programmes typically stall. Understanding this journey is the first step to making it shorter.
Christopher Clarkson
Feb 2 · 7 min read
Vulnerability Management Fundamentals: Scope, Structure, and the Prioritisation Problem
Vulnerability management extends beyond patching, but most programmes plateau before becoming truly risk-informed. This opening episode examines why the fundamentals of asset visibility, prioritisation rigour, and remediation ownership determine programme effectiveness far more than tooling investments.
Christopher Clarkson
Jan 26 · 8 min read
Memento Mori: Leadership When the Work Moves Beyond You
Leadership often creates the illusion that time is abundant and relevance secure. Memento Mori challenges that comfort. It reminds us that roles shift, identity must evolve, and the real measure of leadership is whether the work holds when we step aside.
Christopher Clarkson
Nov 24, 2025 · 6 min read
Oikeiosis: Leadership and the Evolution of Responsibility
As leaders rise, the work changes shape. The satisfaction of direct impact gives way to the discipline of trust. Oikeiosis explores how leadership evolves from personal control to stewardship — from doing the work to designing the systems that let others succeed. It is about carrying responsibility without collapse, and finding strength in alignment rather than authority.
Christopher Clarkson
Nov 10, 2025 · 6 min read
Apathēia: Leadership and the Discipline of Response
Apathēia teaches that calm leadership is not detachment but reliability. When leaders manage their own reactions, they create space for others to think clearly and act with confidence. Over time that steadiness becomes a foundation for psychological safety. Teams stop managing the leader’s mood and start focusing on meaningful work.
Christopher Clarkson
Oct 27, 2025 · 5 min read
Sympatheia: Leadership Beyond the Self
Leadership isn’t a solo act. Sympatheia reminds us that every decision moves through people, processes, and systems that depend on one another. When leaders act without that awareness, trust erodes and progress turns costly. True leadership isn’t about control; it’s about keeping the system healthy so others can do their best work.
Christopher Clarkson
Oct 13, 2025 · 6 min read
Leading with Clarity: What Is Ours to Control
Epictetus taught that some things are up to us, and some are not. For leaders, that insight becomes a way to steady teams under pressure. By helping people see what is truly theirs to act on, leaders show trust, protect focus, and give work meaning. The Dichotomy of Control is not about ignoring adversity, but about carrying it with clarity, dignity, and progress.
Christopher Clarkson
Sep 29, 2025 · 5 min read
Seeing Trouble Before It Strikes: Stoic Lessons for Business Leaders
Leadership is more than optimism. The Stoics practised Premeditatio Malorum — imagining setbacks before they came. By applying this discipline through techniques like pre-mortems and scenario planning, leaders can anticipate shocks, act with calm, and build organisations resilient enough to keep moving forward when disruption inevitably arrives.
Christopher Clarkson
Sep 15, 2025 · 5 min read
Beyond the Noise: Leadership Anchored in Purpose
Purpose sets the path. Value proves the journey. Discipline keeps you walking it.
Christopher Clarkson
Sep 1, 2025 · 6 min read