
CEO & Co-founder
Arnaud is the CEO and co-founder of Bastion. He spent close to 7 years at Palantir, where he led operations and development for France. He now leads Bastion's mission to help startups and SMBs achieve SOC 2 and ISO 27001 compliance through managed services and security automation.
Blog Posts by Arnaud Drizard
ShadowPrompt: How a Zero-Click Vulnerability in Claude's Chrome Extension Could Hijack Your Browser
A zero-click vulnerability in Anthropic's Claude Chrome extension allowed any website to silently inject prompts and steal sensitive data. Here's what happened, how it worked, and what it means for your AI tool governance.
Axios npm Supply Chain Attack: Maintainer Account Hijacked, RAT Deployed to Millions
On March 31, 2026, attackers hijacked the primary maintainer's npm account for Axios, the most popular HTTP client in JavaScript, and published malicious versions that deployed a cross-platform remote access trojan. Here's what happened, who was affected, and what your team should do right now.
LiteLLM PyPI Supply Chain Attack: What Happened and How to Protect Your Organization
On March 24, 2026, attackers compromised the popular LiteLLM Python package on PyPI, injecting malware that harvested credentials, exfiltrated secrets, and attempted to backdoor Kubernetes clusters. Here's what happened, why it matters, and what your team should do now.
Trivy Security Scanner Hit Twice: How Incomplete Containment Led to a Second GitHub Actions Breach
Aqua Security's Trivy scanner was compromised a second time in March 2026 after attackers exploited credentials missed during the first incident response. Here's what happened, why it matters, and how to protect your CI/CD pipelines.
CIS Benchmarks for Microsoft Azure: A Practical Security Hardening Guide
Learn how to implement CIS Benchmarks for Microsoft Azure to harden your cloud infrastructure. Covers Entra ID, Storage Accounts, NSGs, VMs, Azure SQL, Key Vault, and Azure Monitor controls with practical guidance for SOC 2 and ISO 27001 compliance.
What is the CAIQ? A Complete Guide for SaaS Companies
Learn what the Consensus Assessments Initiative Questionnaire (CAIQ) is, why SaaS companies receive it from prospects, and how SOC 2 and ISO 27001 certifications make completing it faster.
CIS Benchmarks for AWS: A Practical Security Hardening Guide
Learn how to implement CIS Benchmarks for AWS to harden your cloud infrastructure. Covers IAM, S3, CloudTrail, VPC, EC2, RDS, and KMS controls with practical guidance for SOC 2 and ISO 27001 compliance.
McKinsey's AI Platform Got Hacked: What It Means for Your Company
A security firm breached McKinsey's Lilli AI platform, exposing 46.5 million chat messages and 728,000 files. Here's what every company deploying AI should learn from this.
OpenClaw Security Best Practices: How to Deploy AI Agents Without Exposing Your Organization
OpenClaw's rapid adoption has outpaced its security defaults. Learn how to lock down network bindings, manage secrets, enforce least privilege, vet third-party skills, and monitor agent activity to keep your deployment secure and compliant.
CIS Benchmarks for Google Cloud Platform: A Practical Security Hardening Guide
Learn how to implement CIS Benchmarks for GCP to harden your Google Cloud infrastructure. Covers IAM, Cloud Storage, VPC, Compute Engine, Cloud SQL, and logging controls with practical guidance for SOC 2 and ISO 27001 compliance.
How Secure Is My Password? A Complete Guide to Password Security in 2026
Learn how to check if your password is secure, understand how attackers crack passwords, and implement best practices to protect your accounts. Includes password cracking time tables and practical guidance for both individuals and organizations.
HackerBot-Claw and the Rise of AI Agent Supply Chain Attacks on GitHub Actions
An autonomous AI bot systematically compromised seven major open-source repositories in one week. Here's what tech startups need to know about securing GitHub Actions against AI-powered supply chain attacks.
OpenClaw Inbox Wipe: 7 AI Agent Security Lessons Every Startup Needs to Learn
An AI email tool deleted Meta's AI Alignment director's entire inbox and ignored stop commands. Here's what startups can learn about AI agent security, kill switches, and compliance controls.
Is a Penetration Test Required for SOC 2?
SOC 2 auditors don't require a penetration test, but your customers effectively do. Here's why enterprise buyers expect it and how to scope yours correctly.
OWASP MCP Security Guide: What It Gets Right, What's Missing, and How to Actually Implement It
OWASP released a practical guide for secure MCP server development. We analyze the 8 security domains, highlight what matters most for SaaS companies, and connect it to SOC 2 and ISO 27001 compliance.
npm Supply Chain Attacks in 2026: What SaaS Engineering Teams Must Know
npm supply chain attacks are no longer theoretical. With Shai-Hulud compromising 796 packages and the September 2025 hijacking affecting 2 billion weekly downloads, SaaS teams need practical defenses beyond npm audit.
AI Agent Security Guardrails: What SOC 2 and ISO 27001 Certified SaaS Companies Need Now
Compliance frameworks are catching up to AI agents. If you're SOC 2 or ISO 27001 certified and shipping autonomous AI features, here's how to build guardrails that satisfy auditors while enabling innovation.
AI-Enabled Attack Patterns: What SaaS Companies Need to Know from Google's Q4 2025 Threat Report
Google's Threat Intelligence Group identified three emerging AI attack patterns in Q4 2025: distillation attacks, AI-powered malware, and nation-state AI integration. Here's what SaaS companies need to understand and how to defend against these evolving threats.
Malicious Browser Extensions: The Overlooked Attack Vector Threatening SaaS Companies
With 8.8M+ browsers infected by a single threat actor, malicious browser extensions represent a serious but often ignored risk. Learn how to inventory extensions, set policies, and what SOC 2 auditors expect for endpoint security.
Phishing in 2026: ClickFix, Adversary-in-the-Middle, and AI-Powered Social Engineering
Phishing has evolved beyond Nigerian prince emails. Modern attacks use ClickFix techniques to trick users into running malicious commands, adversary-in-the-middle proxies to bypass MFA, and AI-generated content indistinguishable from legitimate communications. Here's how to update your defenses.
Supabase Security Best Practices for Production Apps
Learn how to secure your Supabase application with Row Level Security, proper authentication, API key management, and more. Prevent data breaches with this comprehensive security guide.
Moltbook Data Breach: AI Agent Security Lessons
In January 2026, Moltbook exposed 1.5 million API keys due to a Supabase misconfiguration. Learn what went wrong and how to prevent similar database security failures.
ISO 42001: Do You Need It If You Only Use AI APIs?
Do you need ISO 42001 if you only use AI APIs? Learn the key differences between AI developers and AI consumers for compliance.
Secrets Management 101: Stop Storing Credentials in .env Files
Learn why .env files are a security risk - especially with AI coding agents - and how to implement proper secrets management with tools like Vault, AWS Secrets Manager, and Doppler.
Understanding Shared Responsibility Models with Third-Party Providers
Many B2B SaaS companies misunderstand shared responsibility models when using cloud and SaaS providers, creating security gaps and compliance failures. Learn how responsibility shifts across IaaS, PaaS, and SaaS, and how to document it for SOC 2 and ISO 27001.