Industry Analysis
In-depth guides and analysis on industry analysis from the Safeguard engineering team.
294 articles
2025 Bug Bounty Program Reforms: What Changed
From Microsoft's AI bounty expansion to the EU CRA's good-faith researcher protections, bug bounty rules of engagement shifted meaningfully in early 2025.
Space Industry Software Supply Chain: Emerging Reality
COTS software, mega-constellations, and export controls are colliding. The space sector's software supply chain risk is shifting faster than its tooling.
The 2024 End-of-Year Vulnerability Disclosure Report
A look back at vulnerability disclosure in 2024: counts, severity distribution, time-to-patch, and the handful of incidents that shifted practice. Numbers, not narrative.
MITRE ATT&CK Meets SSDF: A Mapping
ATT&CK describes how adversaries operate; SSDF describes how to build software that resists them. Here's how to map adversary techniques to secure-development tasks so your threat model drives real engineering change.
OpenTelemetry for Supply Chain Traces: Instrumenting the Pipeline
How OpenTelemetry turns CI/CD pipelines into a traceable, queryable graph that exposes supply chain risk from source control to production deployment.
Azure Sentinel for Supply Chain Detection
Sentinel has everything it needs to detect supply chain attacks in Azure — but only if the analytics rules are tuned to what those attacks actually look like.
BlackTech Firmware Supply Chain Operations
BlackTech's firmware implants in Cisco routers turned edge devices into long-dwell footholds. A look at the tradecraft and what defenders missed.
OSS Code of Conduct: Security Impact
Codes of conduct are not just social documents. They affect maintainer retention, contributor diversity, and ultimately the security posture of the project.
Open Source Security Funding in 2024: Who Pays for the Code We All Depend On
Despite growing recognition that open source underpins critical infrastructure, security funding remains fragmented and insufficient. A look at the numbers and what needs to change.
GCP Security Command Center Integration
An industry-level look at integrating GCP Security Command Center with the rest of the security stack: which findings are signal, which are noise, and how to route the output so it actually gets actioned.
DevSecOps Automation Maturity in 2024: Where Teams Actually Stand
Industry surveys and real-world data paint a sobering picture of DevSecOps automation maturity. Most organizations are still in the early stages despite years of investment.
Azure Monitor for Supply Chain Observability
Supply chain observability in Azure is not missing telemetry — it is missing the right queries. A walk through the Azure Monitor data sources that actually answer the hard questions.