Curated links to authoritative security frameworks, guidelines, and tools
These are the resources I actually use and recommend. Official frameworks, government guidelines, and trusted industry standards: no affiliate links, no sponsors, just useful stuff.
The gold standard for organizing security programs. Covers the core functions Identify, Protect, Detect, Respond, and Recover (version 2.0 adds Govern). Works for any organization size.
The definitive source on password policy. If your organization still requires 90-day password changes, show them this document: it recommends screening passwords against breach lists instead of forcing periodic rotation.
18 prioritized security controls. Implementation Groups (IG1 to IG3) help you focus on what matters for your organization's size and risk level.
Detailed hardening guides for operating systems, cloud platforms, network devices, and applications. Specific, actionable, and widely respected.
The authoritative guide to Zero Trust. Essential reading as organizations move beyond perimeter-based security.
Practical guidance from the U.S. Cybersecurity and Infrastructure Security Agency. Great starting point for SMBs.
Vulnerabilities confirmed to be exploited in the wild, each with a remediation due date. If you can only patch some things, patch these first.
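Turning "patch these first" into a list is mostly a matter of joining the catalog against your own asset inventory and sorting by urgency. The following is an added example, not a tool from the catalog's publisher: it assumes the catalog's public JSON layout (a top-level `vulnerabilities` array whose entries carry `cveID`, `vendorProject`, `product`, `dueDate` and `knownRansomwareCampaignUse`) and uses a constructed sample feed with placeholder CVE identifiers and vendor names rather than real entries.

```python
"""Prioritise patching from an exploited-vulnerabilities catalog.

Added example; not code from the catalog's publisher. Field names follow the
public JSON feed (cveID, vendorProject, product, dueDate,
knownRansomwareCampaignUse). The sample data below is constructed: the CVE
identifiers and vendors are placeholders, not real vulnerabilities.
"""
import json
from datetime import date

# Live feed location (assumption: public JSON export of the catalog).
CATALOG_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
               "known_exploited_vulnerabilities.json")

# Constructed sample feed: placeholder identifiers, not real CVEs.
SAMPLE_FEED = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "Gateway",
         "dueDate": "2024-02-01", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "Gateway",
         "dueDate": "2024-01-15", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherCorp", "product": "Mailer",
         "dueDate": "2024-01-10", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0004", "vendorProject": "ExampleCo", "product": "Desktop Agent",
         "dueDate": "2024-03-01", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed inventory: (vendor, product) pairs you actually run, lowercased.
SAMPLE_INVENTORY = {("exampleco", "gateway"), ("exampleco", "desktop agent")}


def _key(vendor: str, product: str) -> tuple[str, str]:
    """Normalise a vendor/product pair for matching (case- and whitespace-insensitive)."""
    return vendor.strip().lower(), product.strip().lower()


def prioritise(feed_json: str, inventory: set[tuple[str, str]], today: date) -> list[dict]:
    """Return catalog entries that match the inventory, most urgent first.

    Ordering: entries with known ransomware use come before the rest, then
    earliest due date. Each result carries an 'overdue' flag relative to today.
    """
    entries = json.loads(feed_json)["vulnerabilities"]
    matched = []
    for e in entries:
        if _key(e["vendorProject"], e["product"]) not in inventory:
            continue
        due = date.fromisoformat(e["dueDate"])
        matched.append({
            "cve": e["cveID"],
            "vendor": e["vendorProject"],
            "product": e["product"],
            "due": due,
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
            "overdue": due < today,
        })
    # False sorts before True, so ransomware-linked entries come first.
    matched.sort(key=lambda m: (not m["ransomware"], m["due"]))
    return matched


def cve_order(feed_json: str, inventory: set[tuple[str, str]], today: date) -> list[str]:
    """Convenience wrapper: just the CVE identifiers in patch order."""
    return [m["cve"] for m in prioritise(feed_json, inventory, today)]


if __name__ == "__main__":
    for m in prioritise(SAMPLE_FEED, SAMPLE_INVENTORY, date(2024, 2, 10)):
        flag = "OVERDUE" if m["overdue"] else "due " + m["due"].isoformat()
        print(f'{m["cve"]:14} {m["vendor"]}/{m["product"]:14} {flag}'
              + ("  [ransomware]" if m["ransomware"] else ""))
```

Vendor and product strings in the real feed are free text, so exact matching as above will miss entries for products your inventory names differently; in practice you maintain a small alias map per vendor, and you pull the live feed with a scheduled job rather than by hand.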
Annual reports with real data on cybercrime trends, losses by attack type, and emerging threats. Eye-opening statistics for awareness training.
European perspective on cybersecurity. Threat landscapes, good practices, and sector-specific guidance.
Annual report on the top cyber threats in the EU. Data-driven analysis of attack trends, threat actors, and emerging risks. Essential for risk assessments.
Guidelines for securing software and hardware supply chains. Increasingly critical after SolarWinds, Log4j, and similar incidents.
Practical cloud security guidance tailored for small and medium enterprises. Risk assessment, provider selection, and security controls.
EU's updated Network and Information Security directive. Broader scope than the original NIS directive and stricter requirements, including management accountability and incident reporting deadlines. Member states had to transpose it into national law by 17 October 2024, so it now applies to many more sectors.
Step-by-step guidance for building incident response capabilities. Detection, analysis, containment, and lessons learned.
Check whether your email address or password has appeared in known data breaches. Also offers an API for screening passwords during registration, so you can reject credentials that are already public.
Everything about passkeys and the passwordless future. Implementation guides, user experience research, and adoption resources.
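The registration check is worth seeing end to end, because the interesting part is that the full password hash never leaves your server. The block below is an added example, not code from the breach-search site or its operator. It assumes the publicly documented range endpoint at `https://api.pwnedpasswords.com/range/<prefix>`, which takes the first five uppercase hex characters of the password's SHA-1 and returns `SUFFIX:COUNT` lines for every hash sharing that prefix; the client matches the remaining 35 characters locally (k-anonymity). The offline sample response is constructed, and its hit count is a placeholder rather than a real figure.

```python
"""Breached-password check by hash-prefix lookup (k-anonymity).

Added example; not the breach-search service's own code. Assumes the range
endpoint RANGE_URL: GET <prefix> returns lines of the form "SUFFIX:COUNT".
Only five hex characters of the SHA-1 leave this host.
"""
import hashlib
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # assumed public endpoint


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): the first 5 and remaining 35 uppercase hex chars."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse a range response into {suffix: count}. Padded responses may
    contain dummy entries with a count of 0; they are kept, and simply never
    count as a hit."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch: Callable[[str], str]) -> int:
    """Number of times the password appears in the breach corpus (0 = not seen).

    `fetch` maps a 5-char prefix to the response body, so the network layer is
    pluggable and the logic can be tested offline.
    """
    prefix, suffix = split_sha1(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def acceptable(password: str, fetch: Callable[[str], str], min_length: int = 8) -> bool:
    """Registration policy: long enough and never seen in a breach.
    The 8-character minimum is this example's assumption, not the site's."""
    return len(password) >= min_length and breach_count(password, fetch) == 0


def http_fetch(prefix: str) -> str:
    """Live fetcher. Add-Padding asks the server to pad the response with
    zero-count entries so response size reveals less about the prefix."""
    import urllib.request
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-registration-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the service: one prefix bucket containing
# the suffix of "password" (SHA-1 5BAA6 1E4C9B93F3F0682250B6CF8331B7EE68FD8)
# with a placeholder count, plus a zero-count padding entry.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
             "0000000000000000000000000000000000A:0\n",
}


def sample_fetch(prefix: str) -> str:
    """Offline fetcher backed by SAMPLE_RANGES; unknown prefixes return nothing."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, sample_fetch)} times, "
              f"acceptable={acceptable(pw, sample_fetch)}")
```

Cache range responses for a few minutes if registration volume is high; with only 1,048,576 possible prefixes the cache hit rate is good and the service sees fewer of your lookups.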
Knowledge base of adversary tactics and techniques. Essential for threat modeling, detection engineering, and red team exercises.
Web and application security resources. The OWASP Top 10 is essential knowledge for anyone building or securing web apps.
Thousands of free whitepapers, research, and practical guides. The paid training is excellent too, but the free resources are gold.
Simple, clear guidance for basic security hygiene. Perfect for sharing with non-technical users and small businesses.
Hands-on cybersecurity training through browser-based labs. Great for learning offensive and defensive security skills.
Brian Krebs does deep investigative journalism on cybercrime. Thorough, well-researched, and often breaks major stories.
Bruce Schneier's blog on security, privacy, and technology policy. Thoughtful analysis from a security legend.
Daily cybersecurity news. Good for staying current on vulnerabilities, breaches, and industry developments.