Things I actually use and read.
A running list of tools, databases, and blogs I find myself returning to. No sponsored picks — just resources I've found genuinely useful working in offensive security and infrastructure hardening. Updated when something earns a spot.
My morning routine starts with NVD and CISA KEV. First week on the job, my lead told me: "patch KEV entries before anything else — those are already being exploited in the wild." He was right. I've seen it happen twice since.
NVD is the canonical source for CVE data. Every entry carries CVSS scores, CPE names for the affected software, references, and patch links. Enrichment of new CVEs has lagged lately because of the NVD backlog (a fresh CVE can sit for weeks without a score or CPE), but it is still the standard reference. Pair it with the free NVD API for automation, and when NVD has not caught up yet, check the CVE record at cve.org or the vendor advisory, which often carries a CNA-supplied score.
CISA's Known Exploited Vulnerabilities (KEV) catalog. If a CVE is on this list, it has been exploited in the wild, full stop. Under BOD 22-01, federal civilian agencies must remediate each entry by its due date, which makes the list a strong prioritization signal for private orgs as well. Subscribe to the RSS or pull the JSON feed, and treat it as your patch priority queue. One caveat: KEV is a floor, not a ceiling. Plenty of exploited bugs never make the list, so absence from KEV is not evidence of safety.
Exploit-DB, Offensive Security's public archive of exploits, shellcode, and papers. Useful for seeing what an attacker would actually run against a given CVE, and for confirming that a "theoretical" vulnerability has a working PoC. Read any exploit before you run it: the code is community-submitted, version-specific, and not guaranteed to work, and a PoC pulled off the internet should be reviewed before it touches a system you care about. Exploit-DB also hosts the Google Hacking Database (GHDB), a catalogue of search queries that surface exposed files, config dumps, and login pages; defenders often overlook it as a way to check their own footprint.
Shodan's CVEDB: fast CVE lookups via a JSON API, free for non-commercial use, and no Shodan account needed. One call returns CVSS, the EPSS score (the estimated probability of exploitation activity in the next 30 days), whether the CVE is in KEV, and ransomware campaign associations, which is exactly the set of fields a triage script wants.
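The "patch priority queue" idea from the NVD, KEV and CVEDB entries above, as a runnable script. This is an added example, not code from this page, from Shodan, or from CISA. It assumes two real data sources: CVEDB's per-CVE JSON (GET https://cvedb.shodan.io/cve/&lt;CVE-ID&gt;, with cvss, cvss_v3, epss, kev and ransomware_campaign fields) and CISA's KEV JSON feed (a top-level "vulnerabilities" list whose entries carry "cveID"). The sample records at the bottom are constructed, with fictitious CVE IDs, so the ranking runs offline; fetch_cvedb() and fetch_kev() are the live calls. The tier thresholds are this example's own choice, not a standard.

```python
"""Patch-priority triage: rank CVEs by KEV membership, ransomware use, EPSS, CVSS.

Added example (not page/Shodan/CISA code). Assumes the CVEDB response shape and
the CISA KEV feed shape described in the lead-in; sample data is constructed.
"""
import json
import urllib.request

CVEDB_URL = "https://cvedb.shodan.io/cve/{}"
KEV_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
           "known_exploited_vulnerabilities.json")


def fetch_cvedb(cve_id: str, timeout: float = 10.0) -> dict:
    """Live CVEDB lookup for one CVE (network required)."""
    with urllib.request.urlopen(CVEDB_URL.format(cve_id), timeout=timeout) as r:
        return json.load(r)


def fetch_kev(timeout: float = 30.0) -> dict:
    """Live download of the full KEV catalog (network required)."""
    with urllib.request.urlopen(KEV_URL, timeout=timeout) as r:
        return json.load(r)


def kev_ids(feed: dict) -> set:
    """Collapse a KEV feed document to the set of listed CVE IDs."""
    return {v["cveID"] for v in feed.get("vulnerabilities", [])}


def mark_kev(records: list, kev: set) -> list:
    """Force kev=True on any record whose ID is in the KEV feed, in case the
    CVEDB copy lags the catalog (the feed is the authority)."""
    for rec in records:
        if rec.get("cve_id") in kev:
            rec["kev"] = True
    return records


def priority(rec: dict) -> tuple:
    """Sort key (highest first when reversed): exploited-in-the-wild beats
    everything, then known ransomware use, then EPSS, then raw CVSS."""
    kev = bool(rec.get("kev"))
    ransomware = str(rec.get("ransomware_campaign") or "").lower() == "known"
    epss = float(rec.get("epss") or 0.0)
    cvss = float(rec.get("cvss_v3") or rec.get("cvss") or 0.0)
    return (kev, ransomware, epss, cvss)


def tier(rec: dict) -> str:
    """Bucket a record into a patch SLA tier (thresholds are this example's
    own choice, not a standard)."""
    kev, _, epss, cvss = priority(rec)
    if kev:
        return "P0-kev"
    if epss >= 0.5:
        return "P1-high-epss"
    if cvss >= 9.0:
        return "P2-critical-cvss"
    return "P3-backlog"


def rank(records: list) -> list:
    """Return records ordered most-urgent first."""
    return sorted(records, key=priority, reverse=True)


# Constructed sample data: fictitious IDs, shaped like CVEDB responses.
SAMPLE_RECORDS = [
    {"cve_id": "CVE-2099-0001", "cvss_v3": 7.5, "epss": 0.02, "kev": True,
     "ransomware_campaign": "Unknown"},
    {"cve_id": "CVE-2099-0002", "cvss_v3": 9.8, "epss": 0.01, "kev": False,
     "ransomware_campaign": "Unknown"},
    {"cve_id": "CVE-2099-0003", "cvss_v3": 6.5, "epss": 0.91, "kev": False,
     "ransomware_campaign": "Unknown"},
    {"cve_id": "CVE-2099-0004", "cvss_v3": 9.1, "epss": 0.70, "kev": False,
     "ransomware_campaign": "Known"},
]
# Constructed KEV feed: lists 0004, which the CVEDB copy above does not yet flag.
SAMPLE_KEV_FEED = {"vulnerabilities": [{"cveID": "CVE-2099-0004"}]}


if __name__ == "__main__":
    recs = mark_kev(SAMPLE_RECORDS, kev_ids(SAMPLE_KEV_FEED))
    for rec in rank(recs):
        print(f"{tier(rec):18} {rec['cve_id']}  epss={rec['epss']:.2f}  "
              f"cvss={rec['cvss_v3']}")
```

Note the ordering: a KEV entry with a CVSS of 7.5 outranks a 9.8 that nobody is exploiting, which is the whole point of the "KEV first" rule. The KEV feed is merged in separately because CVEDB's kev flag is a copy and the CISA feed is the source of truth.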
I used to follow too many feeds and ended up reading nothing. Now I keep it to three: Krebs for investigations, The Hacker News for daily headlines, and Schneier for the longer perspective. That's usually enough signal before coffee.
Brian Krebs (Krebs on Security), a former Washington Post reporter, does the deep investigative work most outlets skip. His pieces on cybercriminal forums, breach anatomy, and fraud rings are unmatched. Slow burn but high signal; subscribe by email.
The Hacker News: high-volume daily headlines. Good for staying on top of breaking vulnerabilities, breach disclosures, and malware campaigns. Not always deep, but fast. I skim the headlines and drill into anything that touches infrastructure I manage.
Bruce Schneier has been writing about security, policy, and trust for 30+ years. Less about breaking news, more about the "why it matters" layer. His Crypto-Gram newsletter (monthly, not weekly; it collects the month's blog posts) is worth the subscription. Good for developing a security mindset beyond patch cycles.
SANS Internet Storm Center (ISC): technical depth from SANS instructors and the ISC handlers. The daily Stormcast podcast is about five minutes of "what's happening on the internet today." The handler diaries cover DFIR walkthroughs, honeypot observations, cloud security, and more. Essential for defenders.
Personal blog and newsletter from a 20+ year security practitioner. Mixes security with AI, philosophy, and career thinking. His newsletter reaches 35k+ people weekly. Good if you want the field's bigger picture beyond daily vulnerabilities.
Independent security analyst with 30+ years in the industry. Covers breaches, malware, and scams in accessible, well-written posts. Less technical than some but great for staying informed without deep-diving every topic. Good podcast too.
Shodan changed how I think about internet-facing infrastructure. Running my own org's name in Shodan during a security audit found two forgotten test servers with open Elasticsearch instances. Neither was in our asset inventory. Always run Shodan on yourself before someone else does.
Shodan: the search engine for internet-connected devices. Invaluable for asset discovery, exposure audits, and understanding your attack surface from the outside. Start with the org: and net: filters against your own organisation name and address ranges; anything that comes back and is not in your inventory is a finding. The free tier is useful; paid unlocks full results and API access. Every security professional should know how to use it.
GreyNoise contextualizes the mass scanners and opportunistic exploit attempts that hit every public IP. It lets you separate a targeted attack from background internet noise in your logs: an IP tagged as a known scanner hitting everyone is rarely worth an analyst's time. The free community tier gives single-IP lookups, useful in SOC triage for clearing benign-noise alerts. Caveat: "noise" means untargeted, not harmless. A mass-exploitation campaign is still a campaign, and an IP that GreyNoise has never seen at all is the more interesting signal.
MITRE ATT&CK: the industry-standard knowledge base of adversary tactics, techniques, and procedures (TTPs), built from observed intrusions. Invaluable for threat modelling, detection engineering, and red/blue team exercises; map your detections to technique IDs and the gaps become obvious. Learn the framework, it's the shared language between red and blue teams. Caveat: colouring a technique green on a heat map is not the same as detecting every procedure that implements it.
VirusTotal: aggregate malware scanning across 70+ AV engines plus behavioural sandboxing. Essential for quick file and URL triage. Remember that uploaded files are shared with the AV vendors and with paying VirusTotal customers, who can download samples, so never submit sensitive documents or proprietary binaries. Look a file up by hash first: a SHA-256 lookup reveals nothing about the file's contents, and if VT already knows the hash you get the verdict without uploading anything.
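The hash-first check described above, as an added example; it is not code from this page or from VirusTotal. It uses the public v3 endpoint GET /api/v3/files/{sha256} with an x-apikey header, where a 404 means VT has never seen the hash, and it assumes the v3 response layout (data.attributes.last_analysis_stats with malicious, suspicious, undetected and harmless counts). The sample stats blocks are constructed, the verdict thresholds are this example's own choice, and a live lookup only runs if VT_API_KEY is set and a path is given.

```python
"""Hash-first VirusTotal triage: look a file up by SHA-256 instead of uploading it.

Added example (not page/VirusTotal code). Assumes the VT v3 file endpoint and
response layout described in the lead-in; sample stats are constructed.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/{}"


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256; the digest is all VT needs for a lookup."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def lookup_hash(digest: str, api_key: str, timeout: float = 15.0):
    """Return the VT v3 file object, or None if the hash is unknown to VT.
    Nothing but the hash leaves the machine."""
    req = urllib.request.Request(VT_FILES_URL.format(digest),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return json.load(r)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


def verdict(stats: dict) -> str:
    """Turn last_analysis_stats into a triage verdict. Thresholds are this
    example's choice; zero detections is absence of evidence, not proof."""
    malicious = int(stats.get("malicious", 0))
    suspicious = int(stats.get("suspicious", 0))
    if malicious >= 5:
        return "malicious"
    if malicious + suspicious >= 1:
        return "suspicious"
    return "no-detections"


def triage(path: str, api_key: str) -> dict:
    """Hash the file, query by hash, never upload. Whether a VT-unknown file
    is safe to submit is a separate decision for the caller."""
    digest = sha256_of(path)
    obj = lookup_hash(digest, api_key)
    if obj is None:
        return {"sha256": digest, "known_to_vt": False, "verdict": "unknown"}
    stats = obj["data"]["attributes"].get("last_analysis_stats", {})
    return {"sha256": digest, "known_to_vt": True, "verdict": verdict(stats),
            "stats": stats}


# Constructed stats blocks in the v3 last_analysis_stats shape.
SAMPLE_STATS_MALWARE = {"malicious": 48, "suspicious": 2, "undetected": 20, "harmless": 0}
SAMPLE_STATS_GREY = {"malicious": 1, "suspicious": 0, "undetected": 69, "harmless": 0}
SAMPLE_STATS_CLEAN = {"malicious": 0, "suspicious": 0, "undetected": 70, "harmless": 0}

if __name__ == "__main__":
    if len(sys.argv) > 1 and os.environ.get("VT_API_KEY"):
        print(triage(sys.argv[1], os.environ["VT_API_KEY"]))
    else:
        for name, s in [("malware", SAMPLE_STATS_MALWARE), ("grey", SAMPLE_STATS_GREY),
                        ("clean", SAMPLE_STATS_CLEAN)]:
            print(name, verdict(s))
```

The "grey" case (one engine out of seventy) is deliberately reported as suspicious rather than clean: a single hit is usually a false positive, but on an internal build it is worth a second look, and the script should push that decision to a human rather than hide it.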