
Setting MTTR Goals: How SLAs Improve Vulnerability Management
SLAs for vulnerability management often get a bad rap. They can sometimes be unrealistic or unenforceable. They can also create a lot of manual work if your vulnerability management tool cannot track them for you. However, SLAs are important since they help measure performance, enforce accountability, and ultimately, ensure that critical and high-priority vulnerabilities are addressed as fast as possible. Many compliance frameworks, such as PCI DSS, are now also requiring them.

Why You Need Unified Policy as Code for Terraform Workflows
Terraform, HashiCorp's Infrastructure as Code (IaC) tool, has become the de facto standard for provisioning and managing cloud infrastructure. From startups to Fortune 10 enterprises, it powers the provisioning of cloud resources at scale. But with this power comes risk: a single misconfiguration in Terraform can expose sensitive data, inflate cloud costs, or create compliance gaps, and that one mistake is replicated across hundreds of assets. That's why Policy as Code is essential when using Terraform. By expressing rules as code, organizations can build guardrails directly into their IaC workflows. This ensures that security, compliance, and operational best practices are enforced automatically, without relying on manual reviews or tribal knowledge. However, many existing Policy as Code tools for Terraform come with significant limitations.

Styra OPA Alternative for Infrastructure Security and Compliance Policies
In case you haven't heard yet, the creators of Open Policy Agent (along with many team members from Styra) are leaving to join Apple. Styra's Enterprise OPA customers have received news that their subscriptions will be ending. The news sent a shockwave through the OPA and Rego communities. It's uncertain what this means for the future of OPA; will the code still be maintained, will it remain available as open source in the long run, will the license be changed? In this blog we'll share our perspective and take a look at alternatives for Policy as Code use cases.

Microsoft 365 CIS Benchmark 5.0: What You Need to Know
On April 30th, 2025, the Center for Internet Security (CIS) released version 5.0 of its popular Microsoft 365 Foundations Benchmark, introducing a host of new best practices and refinements to help organizations secure their cloud-based collaboration and productivity environments. For security researchers and practitioners, understanding these updates is crucial for maintaining a robust security posture against evolving threats. This article delves into the key aspects of the CIS Microsoft 365 Foundations benchmark, what's new in 5.0, and what you need to do to remain compliant.

Why Vulnerability Automation Is the Smart Way to Tackle NIS2
The NIS2 Directive brings stricter cybersecurity requirements for organizations across the EU. However, because EU companies must ensure that their suppliers are NIS2 compliant as well, any company doing business in the EU is ultimately also required to comply with NIS2. This means that many organizations globally need to implement enhanced risk management, more rigorous incident reporting, and a greater focus on overall cybersecurity resilience.

Security and Compliance: Addressing Poor Tooling
Security and compliance play integral roles in maintaining a healthy IT environment. While security safeguards an organization from breaches and threats, compliance ensures adherence to specific regulatory requirements. However, many organizations face a significant disconnect between these two functions, largely due to what we term 'poor security tooling'. In this blog post, we will unpack the impact of this issue and illustrate how Mondoo can help bridge this gap.

Simplifying Compliance: Introducing the Mondoo Compliance Hub
Compliance isn't just about passing audits; it forms the core of your relationships with customers, stakeholders, and collaborators. As a CISO, GRC professional, or a Security Engineer, you're all too familiar with the challenges: complex regulations, resource constraints, and a perpetually changing threat landscape.

Streamlining Compliance: Best Practices for GRC Pros
In today's global economy, governance, risk, and compliance (GRC) is more critical than ever. Regulations change constantly, and keeping up can feel like an insurmountable task. Businesses that fail to meet these regulatory requirements face penalties, damaged reputations, and potential operational disruptions. But it's not just about avoiding negative consequences.

A DevOps Approach to AWS Security: Policy as Code
As DevOps practitioners ourselves, we know securing your AWS environments is complicated. Have you thought about approaching security the same way DevOps teams build and manage their AWS infrastructure? If not, then you should.