Security Insights

Security best practices, threat analysis, and practical guidance for protecting your organization's data and infrastructure.

March 11, 2026

[Security]

CIS Benchmarks for AWS: A Practical Security Hardening Guide

Learn how to implement CIS Benchmarks for AWS to harden your cloud infrastructure. Covers IAM, S3, CloudTrail, VPC, EC2, RDS, and KMS controls with practical guidance for SOC 2 and ISO 27001 compliance.

McKinsey's AI Platform Got Hacked: What It Means for Your Company

A security firm breached McKinsey's Lilli AI platform, exposing 46.5 million chat messages and 728,000 files. Here's what every company deploying AI should learn from this.

[Security] MAR 11

CIS Benchmarks for Google Cloud Platform: A Practical Security Hardening Guide

Learn how to implement CIS Benchmarks for GCP to harden your Google Cloud infrastructure. Covers IAM, Cloud Storage, VPC, Compute Engine, Cloud SQL, and logging controls with practical guidance for SOC 2 and ISO 27001 compliance.

[Security] MAR 4

How Secure Is My Password? A Complete Guide to Password Security in 2026

Learn how to check if your password is secure, understand how attackers crack passwords, and implement best practices to protect your accounts. Includes password cracking time tables and practical guidance for both individuals and organizations.

[Security] MAR 4

We Built a Customer-Facing MCP Server. Here's What the Spec Didn't Prepare Us For.

Building a customer-facing MCP server? Here's what the spec misses: OAuth IdP gaps, client divergence, multi-tenant auth, and supply chain risk.

[Security] MAR 3

HackerBot-Claw and the Rise of AI Agent Supply Chain Attacks on GitHub Actions

An autonomous AI bot systematically compromised seven major open-source repositories in one week. Here's what tech startups need to know about securing GitHub Actions against AI-powered supply chain attacks.

[Security] MAR 2

OpenClaw Inbox Wipe: 7 AI Agent Security Lessons Every Startup Needs to Learn

An AI email tool deleted Meta's AI Alignment director's entire inbox and ignored stop commands. Here's what startups can learn about AI agent security, kill switches, and compliance controls.

[Security] FEB 26

OpenClaw Infostealer Attack: What the First AI Agent Identity Theft Means for Your Security

Infostealer malware stole OpenClaw AI agent configs, gateway tokens, and behavioral guidelines. With 135,000+ exposed instances and 1,184 malicious skills, here's what security teams need to know.

[Security] FEB 24

OWASP MCP Security Guide: What It Gets Right, What's Missing, and How to Actually Implement It

OWASP released a practical guide for secure MCP server development. We analyze the 8 security domains, highlight what matters most for SaaS companies, and connect it to SOC 2 and ISO 27001 compliance.

[Security] FEB 20

npm Supply Chain Attacks in 2026: What SaaS Engineering Teams Must Know

npm supply chain attacks are no longer theoretical. With Shai-Hulud compromising 796 packages and the September 2025 hijacking affecting 2 billion weekly downloads, SaaS teams need practical defenses beyond npm audit.

[Security] FEB 14

AI-Enabled Attack Patterns: What SaaS Companies Need to Know from Google's Q4 2025 Threat Report

Google's Threat Intelligence Group identified three emerging AI attack patterns in Q4 2025: distillation attacks, AI-powered malware, and nation-state AI integration. Here's what SaaS companies need to understand and how to defend against these evolving threats.

[Security] FEB 13

Malicious Browser Extensions: The Overlooked Attack Vector Threatening SaaS Companies

With 8.8M+ browsers infected by a single threat actor, malicious browser extensions represent a serious but often ignored risk. Learn how to inventory extensions, set policies, and what SOC 2 auditors expect for endpoint security.

[Security] FEB 13

Phishing in 2026: ClickFix, Adversary-in-the-Middle, and AI-Powered Social Engineering

Phishing has evolved beyond Nigerian prince emails. Modern attacks use ClickFix techniques to trick users into running malicious commands, adversary-in-the-middle proxies to bypass MFA, and AI-generated content indistinguishable from legitimate communications. Here's how to update your defenses.

[Security] FEB 13

The New Bottleneck: Why Security Verification Can't Keep Up with AI-Accelerated Development

Development AI was the accelerant, but it didn't create the fire. Security verification is now the constraint holding teams back.

[Security] FEB 11

Supabase Security Best Practices for Production Apps

Learn how to secure your Supabase application with Row Level Security, proper authentication, API key management, and more. Prevent data breaches with this comprehensive security guide.

[Security] FEB 6

Moltbook Data Breach: AI Agent Security Lessons

In January 2026, Moltbook exposed 1.5 million API keys due to a Supabase misconfiguration. Learn what went wrong and how to prevent similar database security failures.

[Security] FEB 3

The Top AWS Security Misconfigurations we Find in Customer Environments

Unencrypted databases, exposed endpoints, IAM misuse: discover the AWS misconfigurations we fix most often during SOC 2 and ISO 27001 audits.

[Security] FEB 1

2026 Supply Chain Security Report: Lessons from a Year of Devastating Attacks

Software supply chain attacks doubled in 2025, with global losses reaching $60 billion. Analyze major attacks like Shai-Hulud, learn SOC 2 and ISO 27001 compliance requirements, and implement practical defenses.

[Security] JAN 30

Secrets Management 101: Stop Storing Credentials in .env Files

Learn why .env files are a security risk - especially with AI coding agents - and how to implement proper secrets management with tools like Vault, AWS Secrets Manager, and Doppler.

[Security] JAN 27

MDM for Startups: Why We Built a Security-First Solution

We built an MDM that gives startups real device security (encryption, remote wipe, inventory) without enterprise bloat, reducing risk, simplifying compliance, and avoiding yet another vendor.

[Security] JAN 23

Nx Supply Chain Attack Exposes Thousands of Developer Credentials on GitHub - What you should do to keep your organization secure

In August 2025, attackers compromised popular Nx npm packages, embedding malware that stole developer credentials and published them openly on GitHub. Millions risk exposure, from API keys to cloud access tokens. Organizations must urgently rotate credentials, update dependencies, audit logs, and adopt stricter supply chain security practices.

[Security] SEP '25

MCP Security Risk: Hardcoded Credentials in AI Tool Configurations

48% of MCP servers recommend insecure credential storage. Learn secure alternatives using input variables and vault-based injection.

[Security] JAN '25

Other platforms check the box

We secure the box

Get in touch and learn why hundreds of companies trust Bastion to manage their security and fast-track their compliance.