Alice in Supply Chains

In this special bonus episode, Adrian and Alexandre are joined by John Hammond, one of cybersecurity’s most recognizable YouTube creators and Senior Principal Security Researcher at Huntress - a cybersecurity company dedicated to protecting businesses of all sizes against modern-day cybercrime - for a deep dive into software supply chain attacks using the recent Axios NPM compromise as a case study. It's a timely conversation: supply chain incidents have gone from occasional headlines to a near-constant drumbeat, and the Axios case offers an unusually clear window into how these attacks actually work end-to-end.- The discussion tackles the viral "stop updating your software" take head-on, with John arguing the real answer is nuance - keep patching Windows and Chrome, but treat CI/CD dependencies very differently. Adrian lays out his case for splitting vulnerability management into two distinct processes: traditional scan-driven work for compliance, and a separate intelligence-driven "VulnOps" function that operates more like incident response. - The group also walks through the remarkable social engineering campaign that compromised the Axios maintainer — a patient, weeks-long con involving a fake Slack workspace, rescheduled Teams meetings, and a click-fix payload disguised as an audio troubleshooting step. One striking data point from John: the malicious package detonated 89 seconds after hitting NPM.- The back half turns practical, with a concrete checklist for third-party risk teams and internal dev orgs: pin dependency versions, cache artifacts locally (which saved Tenchi during the Trivy incident, when attackers modified previously released binaries), enforce age-based release gates, separate CI from CD, apply least privilege to pipeline credentials, and maintain an asset inventory that can answer "do we have this package?" in seconds. John closes with homework for listeners: look up the Clean Source Principle.

In this April 2026 episode of Alice in Supply Chains, Adrian and Alexandre cover three stories that weren't on anyone's 2026 bingo card — and all of which land on the TPRM analyst's desk.AI in your third parties. Amazon's recent downtime, linked to engineers being mandated to use AI on production systems, raises a question most TPRM programs aren't equipped to answer: do you even know which of your vendors are using AI, which models, and how much agency those models have over customer data? Alexandre walks through AWS's generative and agentic AI scoping matrix — from no-agency to full autonomy — as a useful framework for architectural follow-up conversations. The pair also push back on Anthropic's "Mythos" vulnerability research claims, arguing the economics don't hold up against cheaper models, or against the real bottleneck: remediation, not discovery.‍The FCC's ban on non-US routers. Adrian and Alexandre argue this is a thinly veiled economic measure dressed up as security policy. If this were really about backdoors, the US would mandate minimum security controls (as it does for medical devices and aviation) rather than country-of-origin rules. Netgear's mysterious exemption, the Salt Typhoon breaches that needed no backdoors, and the collapsed consumer labeling program all get airtime.‍Is your third party a military target? Two AWS regions in Bahrain and the UAE were damaged during the Iran conflict, with one data center indefinitely down. Separately, a pro-Iran group compromised Stryker's Intune tenant and issued wipe commands across managed devices — including employees' BYOD phones. The takeaway: centralized management tools (Intune, MDM, patch management, AD) are high-value targets that TPRM questionnaires rarely probe deeply enough, and kinetic ceasefires don't extend to cyberspace.‍Links: https://www.tenchisecurity.com/en/insights-news/cisa-says-harden-intune-heres-what-that-means-for-your-third-partyhttps://aws.amazon.com/pt/ai/security/agentic-ai-scoping-matrix/https://aws.amazon.com/pt/ai/security/generative-ai-scoping-matrix/https://www.defendersinitiative.com/p/from-this-point-on-it-only-gets-rougherhttps://arstechnica.com/tech-policy/2026/04/fcc-exempts-netgear-from-ban-on-foreign-routers-doesnt-explain-why/https://www.scworld.com/podcast-episode/2673-esw-310-shamim-naqvi-grace-burkard

Recorded April 1, 2026 — post-RSA 2026 editionHosts Adrian Sanabria (The Defenders Initiative) and Alexandre Sieira (CTO and Cofounder, Tenchi Security) reconvene — both recovering from the notorious con crud — to dig into the biggest stories from a packed month in third-party and supply chain security.This month, we have two main stories:The ongoing Delve controversy and data leaksOur RSAC Conference 2026 takeawaysAlex’s ESW Appearance securityweekly.com/esw452The episode we did with AJ Yawn on issues with SOC 2 reports https://www.tenchisecurity.com/en/alice-in-supply-chains/episode-7-hoxz2Tony Martin-Vegue’s excellent “acting rationally, given the incentives” take on the Delve scandal https://www.linkedin.com/posts/tonymartinvegue_i-know-youre-tired-of-the-delve-discourse-activity-7441294170406891520-UtGgAdrian’s blog with his RSAC Conference 2026 takeaways https://www.defendersinitiative.com/p/i-watched-all-11-main-stage-keynotesAlex Sieira’s RSAC talk with Alex Pinto (login required to watch the recording) https://path.rsaconference.com/flow/rsac/us26/FullAgenda/page/catalog/session/1755192044047001WRoaAdrian Sanabria and Adam Shostack’s talk on Breach Transparency from RSAC https://path.rsaconference.com/flow/rsac/us26/FullAgenda/page/catalog/session/1756101254392001bKZATenchi’s ‘near miss’ report https://www.tenchisecurity.com/en/insights-news/secure-practices-trivy-supply-chain-attack

The Alice in Supply Chains Podcast is back for another episode! On it, Adrian Sanabria and Alexandre Sieira share their expert opinions on the most pressing matters in the TPCRM world -  as presented on issue #42 of our newsletter of the same name, also launched today!Here are our stories for this episode and their associated links:Cyber Risk at Scale: Safeguarding Portfolio Value in Private EquityGartner Predicts: TPCRM Evolves for the AI EraCanadian Privacy Commissioners Investigate the PowerSchool Breachhttps://www.newswire.ca/news-releases/ontario-and-alberta-privacy-commissioners-release-investigation-findings-into-powerschool-breach-affecting-school-boards-and-other-educational-bodies-866592221.htmlhttps://www.ipc.on.ca/en/resources/ontarios-privacy-commissioner-releases-investigation-findings-powerschool-breach-affecting-schoolhttps://oipc.ab.ca/wp-content/uploads/2025/11/FINAL-Investigation-Report-Regarding-PowerSchool-Breach-FOIP2025-IR-02.pdfnewswire.ca Ontario and Alberta privacy commissioners release investigation findings into PowerSchool breach affecting school boards and other educational bodiesAlso, RSAC is just around the corner! From March 22 to March 25, 2026, Tenchi Security will host the cybersecurity community attending RSA Conference in San Francisco at Harlan Records, which was exclusively reserved for the Tenchi Lounge - a space to unwind, exchange ideas, and build meaningful connections. Need more details? Check here: https://www.tenchisecurity.com/en/tenchi-rsa-lounge-2026

In this special interview episode, hosts Adrian Sanabria and Alexandre Sieira sit down with Tony Martin-Vegue, author of the upcoming book Heatmaps to Histadograms: A Practical Guide to Cyber Risk Quantification. Tony shares his journey from IT and cryptography to becoming a leading voice in cyber risk quantification, including his six years building Netflix's risk quantification program from the ground up.Tony Martin-Vegue brings over two decades of experience in IT and information security. With an economics degree that his mentor recognized as ideal for risk management, Tony has built cyber risk quantification programs at several large companies. Most recently, he spent six years at Netflix where he led approximately 3,000 FAIR-based risk assessments. He now runs his own consulting and advisory firm while promoting quantitative approaches to cyber risk.Resources Mentioned in the Episode:The website for Tony’s book: https://www.heatmapstohistograms.com/Link to Solar Winds breach: https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breachLink to Colonial Pipeline breach: https://en.wikipedia.org/wiki/Colonial_Pipeline_ransomware_attackThe Scoville Scale: https://en.wikipedia.org/wiki/Scoville_scaleHow to use Monte Carlo simulations in Excel: https://support.microsoft.com/en-us/office/introduction-to-monte-carlo-simulation-in-excel-64c0ba99-752a-4fa8-bbd3-4450d8db16f1The FAIR Institute: https://www.fairinstitute.org/The FAIR Framework: https://www.fairinstitute.org/blog/integrating-fair-models-a-unified-framework-for-cyber-risk-managementHow to Lie with Statistics: Information Security Edition https://www.youtube.com/watch?v=p3jJnl99LmcCyentia’s IRIS Retina Report https://www.cyentia.com/services/iris-risk-retina/Verizon’s 2025 Data Breach Investigations Report: https://www.verizon.com/business/resources/reports/dbir

Alice in Supply Chains is a monthly podcast by based on the Alice in Supply Chains newsletter - that provides interesting discussions and insights on all things related to third-party cyber risk management (TPCRM). It's hosted by two leading voices in the industry, Tenchi Security's Co-founder and CTO Alexandre Sieira & The Defender's Initiative Principal Researcher, Adrian Sanabria, and it promises expert opinions and takeaways to help audiences navigate the complex cybersecurity landscape.1. 2026 OutlookAI hits "put up or shut up" time—needs to prove enterprise value beyond demosGeopolitical fragmentation accelerating, impacting supply chain dependenciesChina signaling supply chain independence (banning US/Israeli security vendors, declining Nvidia H200s)Upcoming episode with Tony Martin-Vegue on cyber risk quantificationRSA Conference: Tenchi hosting events at Harlan Records, Sun–Wed, during RSA week2. AnnouncementsUpcoming episode with Tony Martin-Vegue on cyber risk quantificationRSA Conference: Tenchi hosting events at Harlan Records, Sun–Wed, during RSA week3. Stories coveredStory 1: ENISA NIS2 SurveySurvey of 1,080 professionals across 27 EU countries on cybersecurity investments.Top investment driver: Regulatory compliance (70%), far ahead of proactive risk management (42%)Hardest to implement: Vulnerability management (#1), TPRM (#2)Supplier inventory: Under 10% of companies maintain one—current TPRM approaches don't scaleTop 2026 concerns: Ransomware and supply chain attacks (~47%)https://www.enisa.europa.eu/publications/nis-investments-2025Story 1 Resourceshttps://www.enisa.europa.eu/publications/nis-investments-2025Story 2: SOC 2 Fraud AllegationsSocial media discussions allege compliance platforms and auditors are rubber-stamping SOC 2 reports.Claims of nearly identical reports across different companiesNo AICPA enforcement—peer review doesn't verify actual control testingPost-breach cases (e.g., PowerSchool) reveal SOC 2s claiming controls that weren't implementedTakeaway: Don't over-trust SOC 2s for critical third parties; consider independent verificationStory 2 Resourceshttps://www.linkedin.com/posts/troyjfine_details-have-emerged-regarding-a-widespread-activity-7415043499676483584-nI5Zhttps://www.linkedin.com/posts/sieira_details-have-emerged-regarding-a-widespread-activity-7415394996184424449-CSzOhttps://infosec.exchange/@AlexandreSieira/115865691003110478Story 3: Japan & Korea Cybersecurity RegulationsBoth countries responding to major 2025 breaches (Asahi, SK Telecom, KT, Coupang) with new rules.Mandatory breach reporting with government actively assisting incident responseKorea: GDPR-style fines up to 3% of annual sales for repeat breachesJapan: Expanding cyber intelligence capabilities, reflecting reduced reliance on US protectionTPRM angle: Public breach disclosure would enable better third-party "background checks" than self-reported questionnairesStory 3 Resourceshttps://www.centerforcybersecuritypolicy.org/insights-and-research/japans-new-active-cyber-defense-law-a-strategic-evolution-in-national-cybersecurityhttps://www.japantimes.co.jp/news/2025/12/23/japan/crime-legal/new-cybersecurity-strategy-police-sdf/https://www.koreatimes.co.kr/southkorea/20251212/science-minister-vows-punitive-fines-against-companies-with-repeated-security-breachesOther Resources MentionedThe Alice in Supply Chains Newsletter https://www.linkedin.com/newsletters/alice-in-supply-chains-6976104448523677696/Episode 440 of the Enterprise Security Weekly podcast: why cybersecurity predictions are so bad https://youtu.be/qyn7F2NPCMs?si=P0bhGQtwwHXrnIhWPrior episode with AJ Yawn discussing how the SOC 2 sausage gets made https://www.tenchisecurity.com/en/alice-in-supply-chains/episode-7-hoxz2"The Security Products We Deserve" talk https://www.youtube.com/watch?v=GHuQC1qLnJ4Stay safe and stay vigilant!

Join Alexandre Sieira (CTO & Cofounder, Tenchi Security) and Adrian Sanabria (Principal Researcher, The Defender's Initiative) as they unpack the most relevant stories from our latest Alice in Supply Chains newsletter (issue #40) - and discuss what they mean for third-party cyber risk management.Topics approached on the last podcast of 2025:- Trends in Supply Chain Attacks in general, as observed through this year;- The Risks of Ignoring Corporate Culture in Third-Party Due Diligence- CISOs Are Losing Control of Their Security Outcomes- Cyber Insurance

Join Alexandre Sieira (CTO & Cofounder, Tenchi Security) and Adrian Sanabria (Principal Researcher, The Defender's Initiative) as they unpack the most relevant stories from our latest Alice in Supply Chains newsletter (#39) - and discuss what they mean for third-party cyber risk management.In this episode, the duo dive into:Liability in the Age of AI: Who is truly accountable when AI "hallucinates" and causes reputational or financial damage?The Fog of War in Breach Reporting: Why early breach disclosures are often highly inaccurate ?The Cloud Availability Crisis: It’s not just AWS and Azure. We analyze the recurring, major outages impacting global infrastructure - and the critical dependencies putting your entire digital supply chain at risk.Don't miss their expert discussion on navigating modern digital supply chain risks!

In this episode, Alexandre Sieira (CTO & Cofounder of Tenchi Security) and Adrian Sanabria (Principal Researcher at The Defender's Initiative) celebrate the 3rd anniversary of the Alice in Supply Chains newsletter - the very starting point for this podcast. Together, they revisit key highlights from issue #37, unpacking the stories shaping today’s supply chain security landscape:-The Salesloft “Perfect One Attack, Use Many” case-Vendors charging customers to complete security questionnaires-New CISA tools for supply chain security-The Sinqia compromise and the HSBC BRL theftStay tuned, every month, for in-depth insights, expert analysis, and key discussions on TPCRM challenges.

Alice in Supply Chains is a monthly podcast inspired by the Alice in Supply Chains newsletter, delivering sharp discussions and insights on all things related to third-party cyber risk management (TPCRM). Hosted by two of the industry’s leading voices - Alexandre Sieira, Co-founder & CTO of Tenchi Security, and Adrian Sanabria, Principal Researcher at The Defender’s Initiative - the show offers expert analysis and practical takeaways to help you navigate today’s complex cybersecurity landscape.In this episode, they dive into three standout stories from issue #36 of the newsletter of the same name, Alice in Supply Chains:How third-party disruptions can derail operations;The unusual case of Clorox vs. Cognizant;Why relying on EU cloud regions may not guarantee data sovereignty - and Microsoft’s admission to French customers.

Alice in Supply Chains is a monthly podcast by Tenchi Security based on the Alice in Supply Chains newsletter that provides interesting discussions and expert insights on all things related to third-party cyber risk management (TPCRM).It's hosted by two leading voices in the industry, Alexandre Sieira, Tenchi Security's CTO and Co-Founder  & The Defender's Initiative Principal Researcher, Adrian Sanabria - and it promises expert opinions and takeaways to help audiences navigate the complex cybersecurity landscape.This episode is based on the content of issue #35 of the newsletter and covers:- Prolific cybercriminal group now targeting aviation and transportation Companies- Patient's death linked to cyber attack on NHS, hospital trust says- Cyberattack on Brazil tech provider affects reserve accounts of some financial institutions;

We’re thrilled to announce a special bonus episode of the Alice in Supply Chains podcast featuring an insightful conversation you won’t want to miss.In this episode, Alexandre Sieira, CTO and Co-founder of Tenchi Security, and Adrian Sanabria, Principal Researcher at the Defender's Initiative, sit down with AJ Yawn - Director of GRC Engineering at Aquia, author of GRC Engineering for AWS, and host of CyberTakes.Together, they take a deep dive into SOC 2 and its fate - exploring challenges, limitations, why it’s become so popular - and what the future holds. It’s a timely and important discussion for anyone interested in cyber risk management.

Alice in Supply Chains is a monthly podcast by ⁠⁠Tenchi Security ⁠⁠based on the ⁠⁠Alice in Supply Chains newsletter, ⁠⁠that provides interesting discussions and expert insights on all things related to third-party cyber risk management (TPCRM). It's hosted by two leading voices in the industry, Tenchi Security's CTO and Co-Founder  ⁠⁠Alexandre Sieira ⁠⁠& The Defender's Initiative Principal Researcher, ⁠⁠Adrian Sanaria⁠⁠, and it promises expert opinions and takeaways to help audiences navigate the complex cybersecurity landscape.This episode is based on the content of issue #34 of the newsletter of the same name, and covers:- Cyber attack on Rhode Island's benefit system- Retail attacks in the UK and the US- How to incentivize security by design

Alice in Supply Chains is a monthly podcast by ⁠Tenchi Security ⁠based on the ⁠Alice in Supply Chains newsletter, ⁠that provides interesting discussions and expert insights on all things related to third-party cyber risk management (TPCRM). It's hosted by two leading voices in the industry, Tenchi Security's CTO and Co-Founder  ⁠Alexandre Sieira ⁠& The Defender's Initiative Principal Researcher, ⁠Adrian Sanaria⁠, and it promises expert opinions and takeaways to help audiences navigate the complex cybersecurity landscape.This episode is based on the content of issue #33, published on May 16th, 2025, and covers the following stories:- EU businesses looking to ditch US Cloud Companies- Insights from the UK ICO Investigation into the 2022 NHS Breach- The great Hanoi rat massacre and modern risk practices- JPMorgan's CISO open letter: a call to action

Verizon’s 2025 Data Breach Investigations Report (DBIR) is out — and one of the top takeaways couldn’t be more clear: third-party risk is rapidly accelerating. This year, breaches involving third parties doubled compared to last year (from 15% to 30%), often driven by vulnerability exploitation and business disruptions. As the report puts it: when a vendor is hosting your data, the best strategy is to focus on how secure and resilient their environment truly is.The DBIR also highlights a shift in how organizations are addressing third-party risk. While traditional risk questionnaires remain part of the equation, the report underscores a growing need for TPCRM solutions that deliver quantifiable, actionable insights — especially those that assess real-world security controls. At Tenchi, that’s exactly where we’re focused: helping organizations achieve continuous, cooperative, and comprehensive visibility into third-party cyber risk.Tenchi CTO and Co-Founder, Alexandre Sieira, and Adrian Sanabria, Principal Researcher at the Defender's Initiative — both hosts of our Alice in Supply Chains podcast — had the great pleasure of speaking directly with Alex Pinto from Verizon Business, one of the key minds behind the DBIR, right as the report was released to the public.

Alice in Supply Chains is a monthly podcast by Tenchi Security based on the Alice in Supply Chains newsletter, that provides interesting discussions and expert insights on all things related to third-party cyber risk management (TPCRM). It's hosted by two leading voices in the industry, Tenchi Security's CTO and Co-Founder  Alexandre Sieira & The Defender's Initiative Principal Researcher, Adrian Sanaria, and it promises expert opinions and takeaways to help audiences navigate the complex cybersecurity landscape.This episode is based on the content of newsletter issue #32, published on April 17, 2025. Check out the full material for more stories, links and details!Themes discussed in this episode:- Oracle breaches: from denial to lawsuit- GitHub Action Hacked: Lessons Learned

Alice in Supply Chains is a monthly podcast by Tenchi Security based on the Alice in Supply Chains newsletter that provides interesting discussions and insights on all things related to third-party cyber risk management (TPCRM). It's hosted by two leading voices in the industry, Tenchi Security's CTO & Co-founder Alexandre Sieira & The Defender's Initiative Principal Researcher, Adrian Sanabria, and it promises expert opinions and takeaways to help audiences navigate the complex cybersecurity landscape.This episode is based on the content of newsletter issue #31, published on March 17th, 2025. Check out the full newsletter for more stories, links and details!Here are the stories we discuss this month:-Details on the Bybit Heist-Surge in supply chain cyber attacks-Ransomware trends and law enforcement success-Exploiting abandoned resources in cloud storage

Alice in Supply Chains is a monthly podcast by Tenchi Security based on the Alice in Supply Chains newsletter that provides interesting discussions and insights on all things related to third-party cyber risk management (TPCRM). It's hosted by two leading voices in the industry, Tenchi Security's Co-founder and CTO Alexandre Sieira & The Defender's Initiative Principal Researcher, Adrian Sanaria, and it promises expert opinions and takeaways to help audiences navigate the complex cybersecurity landscape.This episode is based on the content of newsletter issue #30, published on February 19, 2025. Check out the full newsletter & subscribe for more stories, links and details!

Alice in Supply Chains is a monthly podcast by Tenchi Security based on the Alice in Supply Chains newsletter that provides interesting discussions and insights on all things related to third-party cyber risk management (TPCRM). It's hosted by two leading voices in the industry, Tenchi Security's Co-founder and CTO Alexandre Sieira & The Defender's Initiative Principal Researcher, Adrian Sanaria, and it promises expert opinions and takeaways to help audiences navigate the complex cybersecurity landscape. This episode is based on the content of newsletter issue #29, published on January 17, 2025. Check out the full newsletter for more stories, links and details! Here are the six stories we discuss this month: -Chinese hackers are deep inside America's telecoms -BeyondTrust incident hits US Treasury -Deloitte downplays breach affecting Rhode Island -US government to ban China Telecom and TP-Link -Are we overfocused on APTs? -76% of attacks in the mining industry linked to suppliers