The Axios npm Breach: 7 Supply Chain Lessons Every MSP Can Absorb Right Now

Straight from Blacksmith: Listen to our discussion about the Axios attack on Get NIST-y!

Axios’ late‑March supply chain compromise turned one ubiquitous open‑source package into a delivery system for a cross‑platform RAT — and for managed service providers, it is a dress rehearsal for the next upstream software failure that ripples across every […]

What the Tinder / Match Group Breach Teaches About Real-World Compliance

The Tinder / Match Group incident is a near‑perfect case study for MSPs: a big brand, sensitive data, and an attack that rides through humans, identity, and SaaS sprawl instead of some exotic zero‑day. Used well, it can sharpen your own program and give you a concrete story to tell every SMB you serve. What […]

Designing a Low-Lift, Win-Win Compliance Engagement for MSP Clients

Designing a good compliance engagement is less about adding more tasks and more about changing the shape of the work so clients feel like they are telling a story, not doing homework. Done well, that structure also makes your delivery more consistent and scalable as an MSP. Why compliance feels like homework Most clients experience […]

5-Tier Risk Framework for Mitigating Human Error

Most security incidents still start with a person: a rushed click, a reused password, a file sent to the wrong place. For years, the default answer has been “more awareness training,” but that treats every employee as the same level of risk and ignores the environment they work in. A better approach is to treat […]

OAuth Abuse Is the New Phishing: Why “Log In With X” Keeps Burning You

OAuth abuse has quietly become the phishing technique that slips past your MFA, your “security‑aware” users, and your cloud email filters. Recent campaigns abusing OAuth redirects and malicious apps in Microsoft Entra ID and Google Workspace show that “Log in with X” is now one of the easiest ways into your SaaS estate. Phishing Without […]

MFA Bypass Kits, AI Phishing, and the End of ‘Good Enough’ Authentication

MFA used to be the control that let MSPs and security pros sleep at night. In 2026, industrial‑grade phishing kits and AI email engines have turned “we turned on MFA” into the new “we installed antivirus” — expected, but nowhere near enough. When MFA stops saving you Picture the pattern you’ve seen in too many […]

Compliance Debt Is the New Tech Debt: Surviving 2026’s Layered Cyber Regulations

Compliance debt is the pile‑up of half-implemented controls, untested policies, and missing evidence that builds as new regulations land faster than teams can operationalize them. In 2026, SEC exam priorities, NIS2, and AI-governance rules are turning that debt into a real balance sheet risk for security leaders. What “compliance debt” really is Like tech debt, compliance debt […]

Security Reporting Rules Are Coming for Everyone: How MSPs and vCISOs Prepare Clients for CISA‑Grade Incident Disclosures

The era of “optional” cyber incident reporting is ending, and the operational burden is going to land squarely on managed security providers and vCISOs. CISA is actively refining cyber incident and ransom‑payment reporting rules under CIRCIA, reopening comments, and launching town halls with critical infrastructure sectors to stress‑test what’s realistic. Even if many of your […]

When Ransomware Becomes a Civic Emergency: What Cities Must Learn from St. Paul

When ransomware hits a city, it stops being an IT story and becomes a public safety problem. In 2025, St. Paul, Minnesota gave us a template for what that escalation looks like. When “IT Outage” Turns into a State of Emergency On July 25, 2025, St. Paul began detecting suspicious activity on its internal networks, […]