From developers to academics, software vendors to tech magazines, it seems like everyone has got something to say on cyber security. Run a search for ‘online security blog’, and you will return hundreds of results from all over the world. The following is intended to provide a starting point for where to find the best and most up-to-date news, insight, and analysis on online security from across the web. If you are dipping your toes in for the first time, we hope this list will provide a platform to spark your interest and encourage further exploration. If you are a seasoned industry insider or committed amateur enthusiast, we hope our focus on the best will capture your interest.
About our selections
In putting together this list, we have had to make some editorial decisions about which sites to include and which not to include. This may mean that one of your favorite sources of information about cyber security does not make the list. It does not mean we have anything against any particular sites or any types of site – we just had to narrow down the vast number of choices somehow. The main criteria we used was to focus mainly on ‘personal’ blogs – that is, publications that are run mainly by a single person, usually not for profit, and offer a specialist angle on the world of cyber and data security out of dedication to the cause. We did this mainly because these kinds of blogs do not benefit from the big money marketing support corporate blogs or channels backed by professional publications, and, therefore, can easily slip under the radar. However, this is not a hard and fast rule, as there are some excellent blogs run by large corporate IT security vendors out there, as well as plenty of superb news resources on the InfoSec industry produced by professional publishing houses. For the sake of completeness, we have included what are, in our humble opinion, ‘the best of the best’ from these categories.
The List
So, without further ado, here they are in no particular order, our recommendations for the 20 best cyber security blogs to check out in 2023.
Graham Cluley @gcluley
Not everyone who wants to keep up with the latest InfoSec news and trends is a technical expert, and even those who don’t necessarily always want the analysis they read to be stuffed with technical jargon or dense policy discussion. This blog from UK-based anti-virus specialist Graham Cluley is the perfect antidote if you find digesting many cyber security information channels a test of endurance. Accessible, to the point, and with a sense of humor, Cluley and his contributors offer insight into the latest big news topics and diverse range of their personal security interests. The site also features video and podcasts.
Adam Shostack & Friends @adamshostack
For more than a decade, self-proclaimed author, entrepreneur, technologist, and game designer Adam Shostack blogged under the titles New School Security and Emergent Chaos before making the switch to a new URL this year. The author of the book Threat Modelling: Designing for Security, Shostack is credited with pioneering the ‘new school’ approach of integrating security concepts within DevOps, and is a respected figure for his work in the field. His blog ranges from in-depth technical analyses on security software engineering to his own personal musings on games, space, and Star Wars. A neat feature is that he gives other blogs he likes a write-up, so it is easy to spin out from here to find more good reading. Both the New School Security and Emergent Chaos blogs are archived on the new site.
Daniel Tobok @Cytelligence
Daniel Tobok is an internationally recognized cyber security and digital forensics expert and also an entrepreneur that brought to life many companies in the cyber security sector. With more than 18 years of hands-on experience, Mr. Tobok is actively involved in any cyber intrusions and hacking incidents, acting as an investigator and advisor. As the CEO of the cyber security company Cytelligence, he is currently running the news & blog page, where he actively publishes all news of the sector alongside educational information for all users. If you want to be kept up to date with every move happening in the cyber security field, this news & blog page is your go-to place.
Troy Hunt @Troyhunt
Troy Hunt is a full time IT training course developer with Pluralsight and a Microsoft Regional Director in his native Australia, which doesn’t mean he actually works for Microsoft, but operates as a technical consultant, mainly on security. An enterprise IT specialist with a background at Pfizer, Hunt pours his interest in all things InfoSec into his blog, which he does well to keep up to date with a minimum weekly publishing schedule, given his globe-trotting lifestyle speaking at events and delivering courses. If you want thoughts and opinions on the latest issues in cyber security from someone who still very much has his finger on the pulse of enterprise IT, Troy is your man.
The Last Watchdog @byronacohido
Byron Acohido is another who has made the transition from investigative journalism to a cyber security expert. Born in Hawaii, Acohido won a Pulitzer Prize and a host of other awards in 1997 for an investigation for The Seattle Times how defects in Boeing 737 construction were potentially linked to a series of fatal crashes. He turned his attention to cyber security a few years later and has been a stalwart of journalism in the field ever since. As well as having a great name, his blog delivers everything you would expect from a Pulitzer Prize-winning journalist – serious, in-depth, meticulously researched content. He produces podcasts and videos as well as written articles and also invites guest posts from a range of sources. A must for fans of quality journalism.
Schneier on Security @schneierblog
Anyone labeled a “security guru” by The Economist has every right to claim to be ‘in the know’. But Bruce Schneier’s credentials in cyber security run much deeper than that. The author of 13 books on the subject, Schneier is a Harvard fellow who specializes in cryptography, algorithms, and protocol analysis, and contributes a steady stream of essays to national and international publications in the US. If you want expert insight into malware, security policy, and the general impact of technology on everyday life, this blog is essential reading.
Liquid Matrix @liquidmatrix
One of the longest running cyber security blogs out there, Liquid Matrix really is a labor of love and dedication to the industry. The brainchild of Dave Lewis, an InfoSec specialist at Akamai by day and a prolific commentator and thought leader the rest of the time, Liquid Matrix has built a reputation as one of the most respected personal blogs in the business. Although Lewis admits he struggles to find the time to add content as much as he used to, you will still find regular features, briefings, and podcasts all aimed at adding an extra depth or new angle to whatever topic he addresses but delivered with characteristic wit. A real stalwart of cyber security blogging.
Notice Bored Blog
Notice Bored is the brainchild of Dr. Gary Hinson, an experienced IT security professional and consultant originally from the UK but now based in New Zealand. Notice Bored’s main function is a ‘security awareness service’, which involves researching and preparing training and briefing materials on different InfoSec topics for a wide range of clients. Dr. Hinson brings the same technical knowledge and understanding of enterprise infrastructure which underpins the awareness service to his blog – blended with a wry sense of humor and a willingness to express an opinion. As well as in-depth analyses of the latest cyber security news topics and risk advisories – often including plenty of technical detail – he also blogs on subjects of interest such as the Internet of Things and biometrics.
Security Affairs @securityaffairs
Part of the modern wave of sole proprietor blogs which do a fine job mimicking the style, content, and presentation of much bigger publications, Security Affairs was last year crowned the Best European Personal Security Blog by InfoSecurity Europe. And richly deserved, too. The work of Italian Pierluigi Paganini, who counts working as a strategic analyst for the EU, G7 and Italian governments, plus editing Cyber Defense Magazine, among his day jobs, Security Affairs is as comprehensive an overview of the InfoSec world as one man could be expected to deliver. Combining news and in-depth analysis of everything from major cyber attacks to intelligence gathering, hacking trends to terrorism. Paganini is able to draw on a considerable body of research to underpin his work. With regular daily updates and a professional looking layout, Security Affairs is a blog for those who like their cyber security analysis thick and fast.
Hacker Combat Hacker_Combat
Hacker Combat community is a reliable source for learning about the latest developments in the cybersecurity world. Hear what our security experts have to say and employ those tips in safeguarding your enterprises from various evolving IT security threats. HackerCombat covers everything from IT Security to Hacking related news and also provides expert analysis and forums where anything related to IT security can be discussed. The security community also serves as an ideal platform for promoting start-ups, organizes event management, and helps various people as well as security geeks.
Threat Post @threatpost
Not to be confused with Threat Level, Threat Post is one of a number of blogs run by Russian antivirus and security giant Kaspersky Labs. Focusing on Kaspersky’s particular area of expertise, Threat Post does what its name suggests – it brings you news of the latest major IT security threats, covering ransomware, hacks, phishing scams and known software bugs and vulnerabilities. Featuring a podcast and video webcast as well as written articles, it also throws in plenty of content on mobile and cloud security, government policy from around the world, and cryptography.
Andrew Hay @andrewsmhay
An industry veteran with a CV which has seen him work with the likes of OpenDNS, DataGravity, and CloudPassage, Californian Andrew Hay is a regular media commentator on all things cyber security, appearing in the likes of Forbes, Bloomberg, Wired and USA Today, to name but a few. The blog on his personal website blends topics picked out of personal interest with commentary on the biggest current stories in InfoSec, providing a direct link to the thoughts of a leading voice on cyber security issues in the US.
The Security Ledger@securityledger
The Security Ledger describes itself as “an independent security news website that explores the intersection of cyber security with business, commerce, politics and everyday life.” And that about sums it up nicely. With a reputation for breaking stories first, the Ledger takes a particular interest in the security of the Internet of Things, as well as the usual fare of hacking, malware, application, and device security. It also produces in-depth opinion pieces, reports, and white papers, positioning itself as a key source of thought leadership in the industry.
Tech-Wreck InfoSec Blog @TechWreckOrg
Okay, so everyone is talking and writing about cyber security issues, but what about finding practical assistance to do something about all of the threats that exist out there? Plenty of blogs cover the technical point of view – i.e. the hands-on programming involved in resisting malware and closing security loopholes – but from a non-developers point of view, a simple how-to is a rare find. Tech-Wreck does things differently. It basically compiles lists of the latest malware attacks, identified security flaws, and known fixes, and provides a practical resource for IT engineers to find the latest patches and advisories. It is pretty minimalist in its approach – the blog proudly describes itself as ‘Quick IT Security info minus exuberant posturing or condescending ramblings.’ So not the place to find discussion or analysis, but worth your time if you are looking for a one-stop shop to get security alerts from the big tech firms.
WeLiveSecurity @welivesecurity
Operated by global antivirus software developer ESET, WeLiveSecurity is much more than just another corporate blog. In fact, with a companion magazine, it is up there with the best dedicated InfoSec news resources out there, with regular updates and analysis on breaking stories about cyber security, hacking, cyber crime, and privacy. In addition to the news focus, its expert panel of contributors also contribute original research and whitepapers, plus extremely handy ‘How To’ guides providing easy to follow practical advice on boosting your online security. While the bulk of the site focuses on written articles, there is also a podcast and video channel.
IT Security Guru @IT_SecGuru
A professional news outlet focused on InfoSec more than a blog, IT Security Guru is nonetheless becoming essential reading in the profession. If you want a service which aggregates all the latest news on cyber security all in one place, then IT Security Guru is the place to look. It publishes a handy ‘Top 10 Stories From Around The Web’ section every morning, doing a fantastic job of keeping its finger on the pulse. On top of that, it produces top quality comment and analysis, case studies, webinars and a great section called ‘Scam of the Week’, which takes an in depth look at a recent cyber attack. A high-quality news resource for those who like to keep up with the times.
Dark Reading @darkreading
For those of you who keep up with online security publishing, Dark Reading probably needs no introduction. Like IT Security Guru, it is an InfoSec news channel rather than a blog and is backed by the editorial might of Information Week. However, it has been a cornerstone of reporting and analysis in the industry for years, setting the standard for breaking news stories. The editorial focus is mainly on readers from the enterprise IT world, so there is lots of sound commentary and advice on protection, risk management, and compliance.
Naked Security @NakedSecurity
The motto of global home and enterprise security specialist Sophos is ‘security made simple’. And following that same philosophy, the company calls its blog Naked Security, InfoSec news and commentary stripped of the jargon and complexity and laid out in terms the layman can understand. Covering the latest big news issues and attacks, and with an eye for picking out interesting stories from across the globe, Naked Security makes InfoSec relevant to the general IT user, focusing on the most familiar platforms and IT uses.
Security Weekly @securityweekly
The term ‘vlog’ has fallen out of favor in recent years, but this is exactly what Security Weekly does – it delivers an insightful blog on cyber security in video format. Also known as Paul’s Security Weekly after its creator and host, Paul Asadoorian, the platform is built around a main weekly broadcast which can be accessed in three different formats – as a video, as an audio-only podcast, or if you prefer, you can read the show scripts. The shows can be watched or listened to live or retrospectively on channels such as YouTube, iTunes, Google Play, RSS Video and Audio, and SoundCloud. In addition to the main weekly show, which focuses on discussion of the big issues in InfoSec, the team also produces the Hack Naked News short format security news show and Enterprise Security Weekly, which focuses on issues related specifically to business online security. It’s security blogging for the multimedia generation.
KrebsonSecurity @briankrebs
Unlike many InfoSec bloggers, Brian Krebs does not come from a software development or tech background – he started his professional career as a journalist for the Washington Post. But after running a number of investigations into hacking and the cyber criminal underworld, he started to specialize in reporting on cyber security, which is how he earns a living today. The author of the book Spam Nation, his blog tends to follow the latest high profile security and cyber crime news with in-depth analysis and insight.
Threat Level
Within Wired.com’s far-reaching tech publishing catalog, there sits an excellent self-contained channel focusing on cyber security, cyber crime, and online privacy. Threat Level takes Wired’s high journalistic standards and applies them to the InfoSec world, providing an accessible ‘consumer’ slant on issues such as ransomware, hacking, espionage, and the dark web. Perfect if you are after a good story from the cyber security world.
Zero Day
The InfoSec blog of global online tech magazine ZDNet, Zero Day delivers everything you would expect from such a major name in IT media – well researched, insightful, original news content, with 24/7 coverage and detailed analysis. In a world where cyber security is increasingly making an impact on the mainstream news, platforms like Zero Day are often where you can read the biggest and best stories first, and get the angle from genuine industry insiders. As well as the steady diet of news on hacking, cyber crime, and major security threats, its range also covers policy, civil liberties, privacy and advisory ‘how to’ articles.