<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Serto Tech Advisory</title>
    <link>https://blog.serto.io/en/</link>
    <description>Recent content on Serto Tech Advisory</description>
    <generator>Hugo</generator>
    <language>en</language>
    <lastBuildDate>Tue, 02 Jun 2026 12:30:00 -0300</lastBuildDate>
    <atom:link href="https://blog.serto.io/en/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>The NVD Is Not Broken — It Is Architecturally Obsolete</title>
      <link>https://blog.serto.io/en/2026/06/02/nvd-arquiteturalmente-obsoleto/</link>
      <pubDate>Tue, 02 Jun 2026 12:30:00 -0300</pubDate>
      <guid>https://blog.serto.io/en/2026/06/02/nvd-arquiteturalmente-obsoleto/</guid>
      <description>&lt;p&gt;On May 26, 2026, the U.S. Department of Commerce Inspector General published a report that confirms what the security community had been flagging for two years: the National Vulnerability Database has stopped being the authoritative source of vulnerability data that underpinned twenty years of vulnerability management practice. The number that matters from the report is not the 27,000-vulnerability backlog. It is the 12%.&lt;/p&gt;&#xA;&lt;p&gt;Twelve percent was the rate of agreement on CVSS severity among independent evaluators inside the OIG itself, testing the same set of vulnerabilities. This is not a marginal discrepancy. This is a measure the entire cybersecurity ecosystem has treated as objective for two decades, and which behaves like a subjective assessment under the U.S. federal government&amp;rsquo;s own internal testing.&lt;/p&gt;</description>
    </item>
    <item>
      <title>AI Democratizes Security, and That&#39;s Why Zero Trust Stops Being Optional</title>
      <link>https://blog.serto.io/en/2026/05/23/ai-democratiza-zero-trust/</link>
      <pubDate>Sat, 23 May 2026 18:26:00 -0300</pubDate>
      <guid>https://blog.serto.io/en/2026/05/23/ai-democratiza-zero-trust/</guid>
      <description>&lt;p&gt;The cybersecurity talent shortage is so chronic it has become a cliché in CISO conversations. (ISC)² estimates a global gap of roughly 4 million professionals, and the number grows every year rather than shrinking. AI does not solve this problem the way most of the market sells it. It does not solve it by hiring more people. It solves it by changing what each person needs to know.&lt;/p&gt;&#xA;&lt;h2 id=&#34;the-constraint-the-industry-carried-for-two-decades&#34;&gt;The Constraint the Industry Carried for Two Decades&lt;/h2&gt;&#xA;&lt;p&gt;For twenty years, the security industry operated under a simple structural constraint: defending infrastructure required hiring people who mastered each specific tool in use. Not the risk the tool mitigated, the tool itself. An organization running Akamai needed staff with Akamai skills. A company using Palo Alto needed Palo Alto specialists. SOC teams were built around the combination of installed vendors, not around the risk architecture they were meant to defend.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
