Episodes

  • Bonus Episode with Special guest Alex Pinto | DBIR 2026
    May 19 2026

    In this special interview episode, Adrian and Alexandre sit down with Alex Pinto, lead author of the Verizon Data Breach Investigations Report, to walk through the 2026 edition before the broader industry has fully digested it.


    Pinto explains why the 2026 dataset, with 31,850 incidents and 22,624 confirmed breaches contributed by over 100 organizations in 145 countries, is the most statistically rigorous breach corpus in the industry.


    Tenchi Security is a 2026 contributor, providing the survival-analysis dataset behind the report's new look at third-party MFA and cloud privilege exposures. Alex Sieira walks through what the curves actually mean: half of MFA findings get fixed in seven days, but 45% of cloud privilege management findings are still open a year after discovery.


    The conversation digs into the headline shifts: vulnerability exploitation has now overtaken credential abuse as the most common initial access vector. Third-party involvement in breaches has climbed from 30% last year to 48% this year, and the median time to fully remediate CISA KEV findings slipped from 32 to 43 days.


    Probably the most-talked-about new section of the 2026 report: Verizon analyzed an anonymized dataset from Anthropic. The data covers nearly 800 threat actors, maps their prompt activity to MITRE ATT&CK techniques, and cross-references it against MITRE's software database. The DBIR team's immediate question for the data: "are attackers using LLMs for novel techniques, or for things every EDR already catches?"
    The trio close out by debating Sieira's hypothesis that the metric to watch isn't total CVE volume — it's the percentage of vulnerabilities with reliable working exploits, which is the variable AI is most likely to move — and Pinto makes the case that vulnerability management is becoming a crisis-management discipline rather than a dashboard-watching one.
    References:

    • The 2026 Verizon Data Breach Investigations Report (DBIR): https://www.verizon.com/business/resources/reports/dbir/
    • Sieira and Pinto's RSA 2026 talk on how cloud-hyperscaler UX design impacts security outcomes https://path.rsaconference.com/flow/rsac/us26/FullAgenda/page/catalog/session/1755192044047001WRoa
    • The Vercel Breach: https://cyberscoop.com/vercel-security-breach-third-party-attack-context-ai-lumma-stealer/
    • The British Library breach write-up Adrian cited as a candid post-incident report (their "Learning Lessons" document): https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf

    Tenchi Security has an article out with the biggest insights from the report; find it here!


    1 h 8 min
  • Episode #17 | May, 2026
    May 18 2026

    Episode #17 of the Alice in Supply Chains podcast, with co-hosts Alex Sieira (CTO & Co-founder, Tenchi Security) and Adrian Sanabria (Principal Researcher, The Defenders Initiative), is now live!

    This month they dig into what happens when one breach detonates a chain of others, and why "we have a SOC 2 report" is no defense when the vendor underneath you gets popped.

    The featured case is Marquis Software Solutions vs SonicWall, where a 2025 breach of SonicWall's MySonicWall cloud backup service gave attackers everything they needed to break into Marquis, drop ransomware, and exfiltrate data on customers of 74 banks and credit unions. Three layers of lawsuits later (consumers suing the banks, banks pressuring Marquis, Marquis now suing SonicWall), Adrian and Alex use the case to make a point about software liability, the absurdity of "as-is" terms in critical infrastructure, and why bare-minimum vendor diligence and self-attestations will surface during discovery as exhibits against you.
    Story two is the Trivy supply chain compromise, where TeamPCP turned Aqua Security's open-source container scanner into a credential-harvesting beachhead. After an incomplete credential rotation following an earlier incident, the attackers pushed a malicious binary, dropping an infostealer that ran before the legitimate scan and silently swept GitHub tokens, AWS/GCP/Azure credentials, SSH keys, and Kubernetes tokens out of CI/CD runners and developer machines. The blast radius reached Cisco, the European Commission, Checkmarx, Bitwarden's CLI, LiteLLM, Guesty, S&P Global, and seeded the CanisterWorm npm worm.

    Alex walks through the "how not to get Trivied" playbook: pin GitHub Actions to commit SHAs, kill long-lived CI/CD credentials in favor of OIDC and ephemeral tokens, compartmentalize CI from CD (ideally on different platforms), shrink your dependency graph, and demand evidence of SAST/SCA and IR practice from every third party whose code ends up in your pipeline.
    Resources:

    • https://destroyedbybreach.com
    • https://kaynemcgladrey.com/compliance-paperwork-wont-save-you-from-a-vendor-breach/
    • https://www.acaglobal.com/industry-insights/sonicwall-cloud-backup-breached-firewall-configurations-compromised/
    • https://www.tenchisecurity.com/en/insights-news/secure-practices-trivy-supply-chain-attack
    • https://thenewstack.io/teampcp-trivy-supply-chain-attack/
    49 min
  • Bonus episode with special Guest John Hammond
    Apr 23 2026

    In this special bonus episode, Adrian and Alexandre are joined by John Hammond, one of cybersecurity’s most recognizable YouTube creators and Senior Principal Security Researcher at Huntress - a cybersecurity company dedicated to protecting businesses of all sizes against modern-day cybercrime - for a deep dive into software supply chain attacks using the recent Axios NPM compromise as a case study. It's a timely conversation: supply chain incidents have gone from occasional headlines to a near-constant drumbeat, and the Axios case offers an unusually clear window into how these attacks actually work end-to-end.


    • The discussion tackles the viral "stop updating your software" take head-on, with John arguing the real answer is nuance - keep patching Windows and Chrome, but treat CI/CD dependencies very differently. Adrian lays out his case for splitting vulnerability management into two distinct processes: traditional scan-driven work for compliance, and a separate intelligence-driven "VulnOps" function that operates more like incident response.


    • The group also walks through the remarkable social engineering campaign that compromised the Axios maintainer — a patient, weeks-long con involving a fake Slack workspace, rescheduled Teams meetings, and a click-fix payload disguised as an audio troubleshooting step. One striking data point from John: the malicious package detonated 89 seconds after hitting NPM.


    • The back half turns practical, with a concrete checklist for third-party risk teams and internal dev orgs: pin dependency versions, cache artifacts locally (which saved Tenchi during the Trivy incident, when attackers modified previously released binaries), enforce age-based release gates, separate CI from CD, apply least privilege to pipeline credentials, and maintain an asset inventory that can answer "do we have this package?" in seconds. John closes with homework for listeners: look up the Clean Source Principle.

    46 min
  • Episode #16, April 2026
    Apr 22 2026

    In this April 2026 episode of Alice in Supply Chains, Adrian and Alexandre cover three stories that weren't on anyone's 2026 bingo card — and all of which land on the TPRM analyst's desk.


    • AI in your third parties. Amazon's recent downtime, linked to engineers being mandated to use AI on production systems, raises a question most TPRM programs aren't equipped to answer: do you even know which of your vendors are using AI, which models, and how much agency those models have over customer data? Alexandre walks through AWS's generative and agentic AI scoping matrix — from no-agency to full autonomy — as a useful framework for architectural follow-up conversations. The pair also push back on Anthropic's "Mythos" vulnerability research claims, arguing the economics don't hold up against cheaper models, or against the real bottleneck: remediation, not discovery.

    • The FCC's ban on non-US routers. Adrian and Alexandre argue this is a thinly veiled economic measure dressed up as security policy. If this were really about backdoors, the US would mandate minimum security controls (as it does for medical devices and aviation) rather than country-of-origin rules. Netgear's mysterious exemption, the Salt Typhoon breaches that needed no backdoors, and the collapsed consumer labeling program all get airtime.

    • Is your third party a military target? Two AWS regions in Bahrain and the UAE were damaged during the Iran conflict, with one data center indefinitely down. Separately, a pro-Iran group compromised Stryker's Intune tenant and issued wipe commands across managed devices — including employees' BYOD phones. The takeaway: centralized management tools (Intune, MDM, patch management, AD) are high-value targets that TPRM questionnaires rarely probe deeply enough, and kinetic ceasefires don't extend to cyberspace.

    Links:

    https://www.tenchisecurity.com/en/insights-news/cisa-says-harden-intune-heres-what-that-means-for-your-third-party

    https://aws.amazon.com/pt/ai/security/agentic-ai-scoping-matrix/

    https://aws.amazon.com/pt/ai/security/generative-ai-scoping-matrix/

    https://www.defendersinitiative.com/p/from-this-point-on-it-only-gets-rougher

    https://arstechnica.com/tech-policy/2026/04/fcc-exempts-netgear-from-ban-on-foreign-routers-doesnt-explain-why/

    https://www.scworld.com/podcast-episode/2673-esw-310-shamim-naqvi-grace-burkard

    56 min
  • Episode #15, March 2026
    Apr 6 2026

    Recorded April 1, 2026 — post-RSA 2026 edition
    Hosts Adrian Sanabria (The Defenders Initiative) and Alexandre Sieira (CTO and Cofounder, Tenchi Security) reconvene — both recovering from the notorious con crud — to dig into the biggest stories from a packed month in third-party and supply chain security.
    This month, we have two main stories:

    • The ongoing Delve controversy and data leaks
    • Our RSAC Conference 2026 takeaways
    1. Alex’s ESW Appearance securityweekly.com/esw452
    2. The episode we did with AJ Yawn on issues with SOC 2 reports https://www.tenchisecurity.com/en/alice-in-supply-chains/episode-7-hoxz2
    3. Tony Martin-Vegue’s excellent “acting rationally, given the incentives” take on the Delve scandal https://www.linkedin.com/posts/tonymartinvegue_i-know-youre-tired-of-the-delve-discourse-activity-7441294170406891520-UtGg
    4. Adrian’s blog with his RSAC Conference 2026 takeaways https://www.defendersinitiative.com/p/i-watched-all-11-main-stage-keynotes
    5. Alex Sieira’s RSAC talk with Alex Pinto (login required to watch the recording) https://path.rsaconference.com/flow/rsac/us26/FullAgenda/page/catalog/session/1755192044047001WRoa
    6. Adrian Sanabria and Adam Shostack’s talk on Breach Transparency from RSAC https://path.rsaconference.com/flow/rsac/us26/FullAgenda/page/catalog/session/1756101254392001bKZA
    7. Tenchi’s ‘near miss’ report https://www.tenchisecurity.com/en/insights-news/secure-practices-trivy-supply-chain-attack
    57 min
  • Episode #14, February 2026
    Feb 26 2026

    The Alice in Supply Chains Podcast is back for another episode! On it, Adrian Sanabria and Alexandre Sieira share their expert opinions on the most pressing matters in the TPCRM world, as presented in issue #42 of our newsletter of the same name, also launched today!


    Here are our stories for this episode and their associated links:

    1. Cyber Risk at Scale: Safeguarding Portfolio Value in Private Equity
    2. Gartner Predicts: TPCRM Evolves for the AI Era
    3. Canadian Privacy Commissioners Investigate the PowerSchool Breach
    4. https://www.newswire.ca/news-releases/ontario-and-alberta-privacy-commissioners-release-investigation-findings-into-powerschool-breach-affecting-school-boards-and-other-educational-bodies-866592221.html
    5. https://www.ipc.on.ca/en/resources/ontarios-privacy-commissioner-releases-investigation-findings-powerschool-breach-affecting-school
    6. https://oipc.ab.ca/wp-content/uploads/2025/11/FINAL-Investigation-Report-Regarding-PowerSchool-Breach-FOIP2025-IR-02.pdf



    Also, RSAC is just around the corner!

    From March 22 to March 25, 2026, Tenchi Security will host the cybersecurity community attending RSA Conference in San Francisco at Harlan Records, which was exclusively reserved for the Tenchi Lounge - a space to unwind, exchange ideas, and build meaningful connections. Need more details?

    Check here:

    https://www.tenchisecurity.com/en/tenchi-rsa-lounge-2026


    55 min
  • Bonus episode with special guest Tony Martin-Vegue
    Feb 11 2026

    In this special interview episode, hosts Adrian Sanabria and Alexandre Sieira sit down with Tony Martin-Vegue, author of the upcoming book Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification.

    Tony shares his journey from IT and cryptography to becoming a leading voice in cyber risk quantification, including his six years building Netflix's risk quantification program from the ground up.


    Tony Martin-Vegue brings over two decades of experience in IT and information security. With an economics degree that his mentor recognized as ideal for risk management, Tony has built cyber risk quantification programs at several large companies. Most recently, he spent six years at Netflix where he led approximately 3,000 FAIR-based risk assessments. He now runs his own consulting and advisory firm while promoting quantitative approaches to cyber risk.
    Resources Mentioned in the Episode:

    • The website for Tony’s book: https://www.heatmapstohistograms.com/
    • Link to SolarWinds breach: https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach
    • Link to Colonial Pipeline breach: https://en.wikipedia.org/wiki/Colonial_Pipeline_ransomware_attack
    • The Scoville Scale: https://en.wikipedia.org/wiki/Scoville_scale
    • How to use Monte Carlo simulations in Excel: https://support.microsoft.com/en-us/office/introduction-to-monte-carlo-simulation-in-excel-64c0ba99-752a-4fa8-bbd3-4450d8db16f1
    • The FAIR Institute: https://www.fairinstitute.org/
    • The FAIR Framework: https://www.fairinstitute.org/blog/integrating-fair-models-a-unified-framework-for-cyber-risk-management
    • How to Lie with Statistics: Information Security Edition https://www.youtube.com/watch?v=p3jJnl99Lmc
    • Cyentia’s IRIS Retina Report https://www.cyentia.com/services/iris-risk-retina/
    • Verizon’s 2025 Data Breach Investigations Report: https://www.verizon.com/business/resources/reports/dbir
    47 min
  • Episode #13 | January 2026
    Jan 30 2026
    Alice in Supply Chains is a monthly podcast based on the Alice in Supply Chains newsletter that provides interesting discussions and insights on all things related to third-party cyber risk management (TPCRM). It's hosted by two leading voices in the industry, Tenchi Security's Co-founder and CTO Alexandre Sieira & The Defender's Initiative Principal Researcher, Adrian Sanabria, and it promises expert opinions and takeaways to help audiences navigate the complex cybersecurity landscape.

    1. 2026 Outlook

    • AI hits "put up or shut up" time—needs to prove enterprise value beyond demos
    • Geopolitical fragmentation accelerating, impacting supply chain dependencies
    • China signaling supply chain independence (banning US/Israeli security vendors, declining Nvidia H200s)

    2. Announcements

    • Upcoming episode with Tony Martin-Vegue on cyber risk quantification
    • RSA Conference: Tenchi hosting events at Harlan Records, Sun–Wed, during RSA week

    3. Stories covered

    Story 1: ENISA NIS2 Survey
    Survey of 1,080 professionals across 27 EU countries on cybersecurity investments.

    • Top investment driver: Regulatory compliance (70%), far ahead of proactive risk management (42%)
    • Hardest to implement: Vulnerability management (#1), TPRM (#2)
    • Supplier inventory: Under 10% of companies maintain one—current TPRM approaches don't scale
    • Top 2026 concerns: Ransomware and supply chain attacks (~47%)

    Story 1 Resources
    • https://www.enisa.europa.eu/publications/nis-investments-2025

    Story 2: SOC 2 Fraud Allegations
    Social media discussions allege compliance platforms and auditors are rubber-stamping SOC 2 reports.

    • Claims of nearly identical reports across different companies
    • No AICPA enforcement—peer review doesn't verify actual control testing
    • Post-breach cases (e.g., PowerSchool) reveal SOC 2s claiming controls that weren't implemented
    • Takeaway: Don't over-trust SOC 2s for critical third parties; consider independent verification

    Story 2 Resources
    • https://www.linkedin.com/posts/troyjfine_details-have-emerged-regarding-a-widespread-activity-7415043499676483584-nI5Z
    • https://www.linkedin.com/posts/sieira_details-have-emerged-regarding-a-widespread-activity-7415394996184424449-CSzO
    • https://infosec.exchange/@AlexandreSieira/115865691003110478

    Story 3: Japan & Korea Cybersecurity Regulations
    Both countries responding to major 2025 breaches (Asahi, SK Telecom, KT, Coupang) with new rules.

    • Mandatory breach reporting with government actively assisting incident response
    • Korea: GDPR-style fines up to 3% of annual sales for repeat breaches
    • Japan: Expanding cyber intelligence capabilities, reflecting reduced reliance on US protection
    • TPRM angle: Public breach disclosure would enable better third-party "background checks" than self-reported questionnaires

    Story 3 Resources
    • https://www.centerforcybersecuritypolicy.org/insights-and-research/japans-new-active-cyber-defense-law-a-strategic-evolution-in-national-cybersecurity
    • https://www.japantimes.co.jp/news/2025/12/23/japan/crime-legal/new-cybersecurity-strategy-police-sdf/
    • https://www.koreatimes.co.kr/southkorea/20251212/science-minister-vows-punitive-fines-against-companies-with-repeated-security-breaches

    Other Resources Mentioned
    • The Alice in Supply Chains Newsletter https://www.linkedin.com/newsletters/alice-in-supply-chains-6976104448523677696/
    • Episode 440 of the Enterprise Security Weekly podcast: why cybersecurity predictions are so bad https://youtu.be/qyn7F2NPCMs?si=P0bhGQtwwHXrnIhW
    • Prior episode with AJ Yawn discussing how the SOC 2 sausage gets made https://www.tenchisecurity.com/en/alice-in-supply-chains/episode-7-hoxz2
    • "The Security Products We Deserve" talk https://www.youtube.com/watch?v=GHuQC1qLnJ4

    Stay safe and stay vigilant!
    58 min