Cybersecurity knowledge, the working reference
Reference entries for the regulations, methodologies and threat patterns we get asked about most — NIS2, DORA, the EU AI Act, the Cyber Resilience Act, continuous threat exposure management (CTEM), SBOM, prompt injection, post-quantum cryptography. Two kinds: definitions answer "what is X", playbooks answer "what do I do when X happens". All ungated, all updated regularly, all source-cited.
Definitions
- What is TLPT (Threat-Led Penetration Testing)? (6 min read)
TLPT is a regulator-mandated form of penetration testing in which the attack scenarios are explicitly driven by threat intelligence about adversaries currently targeting the tested entity, executed by an independent red team under a documented methodology with a verifiable evidence chain.
- What is an EU AI Act high-risk system? (7 min read)
A high-risk AI system under Regulation (EU) 2024/1689 is one whose deployment falls into the use-cases listed in Annex III (incl. critical infrastructure security, biometrics, education, employment, law enforcement, justice) and which is therefore subject to the technical-documentation, risk-management, human-oversight and post-market-monitoring obligations of Title III, Chapter 2 (Articles 9-19).
- Decreto Legislativo 138/2024 — the Italian NIS2 transposition (7 min read)
Decreto Legislativo 138 of 4 September 2024 is the Italian transposition of NIS2 (Directive (EU) 2022/2555). It identifies essential and important entities, defines technical and organisational measures, attaches personal liability to top management, and operationalises ACN as the competent national authority and CSIRT Italia as the national CSIRT.
- What is CTEM (Continuous Threat Exposure Management)? (7 min read)
CTEM is a five-stage, continuously running program — scoping, discovery, prioritization, validation, mobilization — that keeps an organisation's exposure surface measured, ranked by exploitability, and provably reduced over time. It is the framework Gartner codified to replace point-in-time pentesting and standalone vulnerability scanning as the basis of cyber-risk management.
- What is the EU Cyber Resilience Act (CRA)? (8 min read)
The EU Cyber Resilience Act — Regulation (EU) 2024/2847 — sets horizontal cybersecurity requirements for any "product with digital elements" placed on the EU market. It mandates secure-by-design and secure-by-default engineering, a vulnerability-handling process, SBOM provision, and incident/vulnerability reporting to ENISA. Full application begins 11 December 2027; reporting obligations under Art. 14 already apply from 11 September 2026.
- What is an SBOM (Software Bill of Materials)? (6 min read)
An SBOM is a machine-readable inventory of every software component — direct dependencies, transitive dependencies, embedded libraries, build-time tools — that ships inside a software product, with version, supplier and cryptographic identifier per item. The two dominant formats are CycloneDX (OWASP) and SPDX (Linux Foundation, ISO/IEC 5962).
- What is prompt injection (OWASP LLM01)? (7 min read)
Prompt injection is an attack class where adversary-controlled text — supplied either directly to the model or indirectly via a document, web page, email, image, audio file or tool output the model consumes — overrides the system prompt and induces the model to perform actions or disclose information the system designer did not intend. It is ranked LLM01 — the highest-risk item — in the OWASP Top 10 for LLM Applications.
- What is Post-Quantum Cryptography (PQC)? (8 min read)
Post-Quantum Cryptography (PQC) is the family of cryptographic algorithms designed to remain secure against an adversary equipped with a large-scale quantum computer. As of August 2024, NIST has standardised three primary PQC algorithms — ML-KEM (FIPS 203, key encapsulation), ML-DSA (FIPS 204, digital signatures), and SLH-DSA (FIPS 205, hash-based signatures) — and explicitly recommends that organisations begin migration now.
Playbooks
- NIS2 Title 13 incident timeline — the practical playbook (8 min read)
A step-by-step operational reference for the NIS2 Title 13 incident reporting cadence: what to do in the first hour, by hour 24, by hour 72, and by month 1. Decision gates, evidence checklists, common failure modes.
- Signed-malware supply-chain response — the CISO playbook (9 min read)
Operational playbook for the first 72 hours after a package you trusted — and that carried a valid signature — is reported compromised. Decision gates, credential rotation order, evidence list, regulator notification triggers.
Frequently asked
What is the difference between NIS2 and DORA?
NIS2 (Directive 2022/2555) is the horizontal EU cybersecurity regime covering essential and important entities across most regulated sectors. DORA (Regulation 2022/2554) is the financial-sector-specific regime with stricter obligations on ICT operational resilience, TLPT (Threat-Led Penetration Testing) and ICT-third-party risk. Financial entities are subject to both in parallel.
Does the EU Cyber Resilience Act (CRA) apply to my product?
The CRA applies to any "product with digital elements" — hardware or software — that connects directly or indirectly to a device or network and is placed on the EU market. Full application begins 11 December 2027; reporting obligations under Article 14 already apply from 11 September 2026. Open-source non-commercial contributors are out of scope; anyone monetising open source is in.
What is CTEM and how does it differ from a pentest?
Continuous Threat Exposure Management (CTEM) is a five-stage cyclic program (scoping, discovery, prioritization, validation, mobilization) that keeps an organisation's exposure surface continuously measured and provably reduced. A pentest produces a point-in-time report; CTEM produces a continuously updated exposure ledger with cryptographic evidence per remediated item.
When does prompt injection (OWASP LLM01) become a regulatory issue?
For LLM-powered systems that fall under EU AI Act Annex III (high-risk), prompt-injection resistance is part of the Article 15 cybersecurity conformity property. For LLM tools used inside NIS2 essential and important entities, the same control sits under "appropriate and proportionate technical and organisational measures". A vendor that cannot demonstrate layered defences against prompt injection is already at a procurement disadvantage.
Should I start a post-quantum cryptography (PQC) migration now?
Yes for any data with a confidentiality lifetime extending past the cryptographically relevant quantum computer (CRQC) horizon (typically 5-15 years). The "harvest now, decrypt later" threat model means encrypted traffic exfiltrated today can be decrypted retroactively once a CRQC exists. Hybrid TLS (X25519MLKEM768) and cryptographic inventory are the practical first steps for 2026.