Our collection of the most insightful and informative InfoSec blogs from the industry's foremost thought leaders.

There are hundreds of InfoSec blogs in the webosphere. Some are clear leaders in the industry, widely regarded as thought leaders and earning recognition from just about everyone in the security field as being among the best of the best. Some started out strong but fizzled out after a few short months, while others have compiled hundreds – thousands, even – of in-depth perspectives on a variety of security topics (from general cyber security to specific topics like data loss prevention (DLP) over the course of nearly a decade.

We scoured the far corners of the web to dig up some of the best, most insightful and informative InfoSec blogs in existence for our newly-updated list for 2019. Not only the blogs you've seen named time and time again in best-InfoSec-blogger lists, but also some hidden gems you may not have known existed but will be glad you've finally discovered. These blogs provide deep insights from some of the leading information security professionals; in-the-trenches viewpoints from security experts who have spent decades working in the field and consulting with the world's largest enterprises, universities, the U.S. Government, startups, and other entities.

These bloggers tackle major security news, InfoSec hacks, tricks, and discoveries, offer tutorials and solutions for problems they've encountered in their day-to-day work, and sometimes bring a little humor to the fascinatingly complex world of information security. Note: These blogs are categorized, and listed alphabetically within each category - they aren't ranked or rated in any other way.

Categories:

Security Researcher Blogs

Adam Shostack and Friends

@adamshostack

Formerly Emergent Chaos, Adam Shostack and Friends is a blog that's been covering security, privacy, and economics (among other unrelated topics) since 2005. Shostack is also the author of author of Threat Modeling: Designing for Security and co-author of The New School of Information Security.

Three posts we like from Adam Shostack and Friends:

Andrew Hay

@andrewsmhay

Andrew Hay is the Co-Founder & Chief Technology Officer (CTO) for LEO Cyber Security, where he's responsible for driving of the strategic vision for the company, as well as the development and delivery of the company's cyber security, digital forensics, incident response, cloud architecture, and advanced research centers of excellence. Hay has held roles for companies such as 451 Research, DataGravity, and Open DNS, where he served as Senior Security Research Lead & Evangelist. He’s often approached to provide expert commentary on security-industry events in the media, including both mainstream publications such as USA Today and niche publications such as TechTarget and Network World. We also have a podcast episode with Hay discussing the rise of the virtual CISO. You can access Hay’s insights directly at his personal blog, where he covers topics he hand-picks based on personal interest and importance to the field.

Three posts we like from Andrew Hay:

Byron Acohido’s Last Watchdog on Privacy & Security

@byronacohido

A Pulitzer prize-winning journalist, Byron Acohido is the founder and executive editor of The Last Watchdog on Privacy & Security. Cybersecurity first gained Acohido's attention in 2000 when he joined the Money section of USA TODAY to cover Microsoft. Since that time, Acohido has authored several books and covered the cybersecurity space through articles, podcasts, and videos, all of which you can access at The Last Watchdog.

Three posts we like from The Last Watchdog:

Dan Kaminsky’s Blog

@dakami

Dan Kaminsky has advised Fortune 500 companies like Cisco, Avaya, and Microsoft, and he’s been a well-known security researcher for more than a decade. His blog, formerly known as DoxPara Research, features in-depth posts with insights on the most pressing security issues facing the industry, such as Heartbleed. It’s kind of like picking Kaminsky’s brain from the comfort of your desk.

Three posts we like from Dan Kaminsky’s Blog:

Elie Bursztein

@elie

Elie Bursztein leads Google’s anti-abuse research efforts, sharing his insights on topics relevant to the world of InfoSec on his personal blog. Bursztein has some impressive achievements under his belt, such as the re-design of Google’s CAPTCHA to make it easier (an effort much-appreciated by Internet users everywhere), implementing faster cryptography to make Chrome safer, and identifying and reporting more than 100 security vulnerabilities to companies like Apple, Microsoft, Twitter, and Facebook.

Three posts we like from Elie Bursztein:

Graham Cluley

@gcluley

Graham Cluley has more than 70,000 followers on Twitter alone, and it’s no surprise given his impressive coverage of InfoSec news and developments. He’s an independent computer security analyst who’s been working in the field since the 1990's, giving him plenty of background and expertise to offer expert commentary on the latest happenings in information security and related topics. In addition to Cluley’s expertise, you can gain insights from a panel of regular contributors featuring several highly-regarded experts in the field. You’ll find plenty of tips for everyday users, along with deep insights into critical security developments.

Three posts we like from Graham Cluley:

Hacking Articles

@rajchandel

Founded and authored by Raj Chandel, Hacking Articles is a comprehensive source of information on cyber security, ethical hacking, penetration testing, and other topics of interest to information security professionals. Chandel’s primary interests lie in system exploitation and vulnerability research, but you’ll find tools, resources, and tutorials on everything from social engineering to footprinting, Google hacking, and more.

Three posts we like from Hacking Articles:

Holistic InfoSec

@holisticinfosec

Russ McRee has spoken at leading security conferences, such as Defcon, BlackHat, RSA, and others, and he leads the Blue Team for Microsoft's Windows and Devices Group (WDG). He also writes toolsmith, a monthly column in ISSA Journal, but shares many of his views and perspectives on his belief in a holistic approach to information security at Holistic InfoSec.

Three posts from Holistic InfoSec:

Jeff Soh on NetSec

@JeffSoh

Jeff Soh began blogging in 2007, and continues to share suggestions for intrusion analysts and other miscellaneous news on information security. Soh also offers book recommendations, product recommendations, and useful tips for information security professionals and everyday users.

Three posts we like from JeffSoh on NetSec:

Krebs on Security

@briankrebs

Brian Krebs is a household name in information security, and his blog is among the most well known and respected in the space. An investigative reporter at heart, Krebs comes from a journalist background and has honed his self-taught expertise through over a decade of dedicated interest in security. He is credited with discovering the Target data breach a few years ago and being the first to report on the Stuxnet worm in 2010.

Three posts we like from Krebs on Security:

Liquidmatrix Security Digest

@liquidmatrix

Liquidmatrix is committed to providing long-form articles and in-depth coverage of information security news and information, rebelling against the trend towards superficial coverage without added value. The brainchild of Dave Lewis, a self-professed “jack of all trades and master of none” who holds a day job at Akamai and has been working in the InfoSec field for two decades, Liquidmatrix has been up and running since 1998, making it one of the oldest, established InfoSec blogs remaining current.

Three posts we like from Liquidmatrix Security Digest:

Marco Ramilli’s Blog

@Marco_Ramilli

A computer scientist researcher with an intensive hacking background, Marco Ramilli has been working with the U.S. Government and several leading universities on new security paradigms, penetration testing methodologies and electronic voting systems' security, and malware. His blog, which he started back in 2007, is a reflection of his many experiences in the security field. Ramilli, a TEDx speaker, CTO at Yoroi, and an expert in ethical hacking, advanced targeted attacks, and malware evasion, has earned multiple honors and awards for his work.

Two posts we like from Marco Ramilli’s Blog:

Matt Flynn’s Information Security, Identity & Access Management Blog

@matthewflynn

Matt Flynn is an information security specialist and industry analyst. His personal blog, which reflects his own opinions, covers identity management and security, software, services, processes, and analyses. He’s been blogging since 2006 and has built an impressive collection of posts and perspectives over the years on topics impacting information security professionals.

Three posts we like from Matt Flynn’s Information Security, Identity & Access Management Blog:

NoticeBored

@NoticeBored

Gary Hinson is the blogger behind NoticeBored, where he covers information security topics that catch his eye. Hinson was born and studied in the U.K., and worked in London, Swindon, Bristol, and Brussels before moving to New Zealand in 2005. Hinson covers topics of interest to both consumers and security professionals, with a casual style that allows him to talk about complex security happenings in a language everyone can understand.

Three posts we like from NoticeBored:

Observations on InfoSec

@DanielMiessler

Daniel Miessler is an information security professional, who uses his blog as a platform for collecting and organizing technical knowledge. With information and posts beginning as early as 1999, Daniel provides a robust site and blog for anyone interested in technology and information security.

Three posts we like from Observations on InfoSec:

Robert Penz Blog

@RobertPenz

The Robert Penz Blog covers information about Linux, open source, and IT security, including tips, tricks, and small scripts. Robert became interested in infosec as a student and wrote his masters' thesis on "Analysis and design of a SIM based authentication solution for WLAN”.

Three posts we like from Robert Penz Blog:

Roger's Information Security Blog

@InfoSecTweet

Roger McClinton started his blog back in 2004, primarily as a means to collect the links and research he wanted to easily refer to later. But as time went on, he started adding commentary and to his surprise, his blog developed a substantial readership. After a brief hiatus in the second half of 2013, Roger is again offering news and commentary on all things InfoSec, musings about his current employment situation, and the occasional personal anecdote.

Three posts we like from Roger's Information Security Blog:

Schneier on Security

@schneierblog

Bruce Schneier's blog is another one of those must-haves for a list like this. Schneier has been writing about security issues here since 2004, and in his popular monthly newsletter since 1998, focusing on topics like cryptography, privacy, and government. A renowned cryptography expert, Bruce is also a leading author and speaker in the space.

Three posts we like from Schneier on Security:

Security Through Education

@humanhacker

A free learning resource from Social-Engineer, Inc., Security Through Education focuses on the blend of science, psychology and art that is social engineering – and how it’s used by penetration testers and security enthusiasts. It’s all brought to you by a team of leading professional social engineers, psychologists, researchers, scientists and security enthusiasts. In addition to the blog, you’ll find a newsletter, podcast, and much more to ensure that you’re always in the know, entertained, and never out of consumable security media.

Three posts we like from Security Through Education:

TaoSecurity

@taosecurity

TaoSecurity is FireEye Chief Security Strategist Richard Bejtlich's blog. For over a decade, TaoSecurity has been a source of expertise on cybersecurity, hacking, security strategy, threats, and more. Richard is a recognized security author and his blog contains a great amount of educational security resources.

Three posts we like from TaoSecurity:

Tech Wreck InfoSec Blog

The Tech Wreck InfoSec Blog is run by an Information Assurance Engineer, covering a variety of topics pertaining to information security and related news. The blog provides articles of use to both consumers and security professionals.

Three posts we like from Tech Wreck InfoSec Blog:

Tony on Security

@perezbox

Tony Perez has spent the better part of the past 15 years working in a variety of tech industries, but today he focuses primarily on website security and business. He's the co-founder of Sucuri Security and also leads the GoDaddy SBU. Tony is' a prolific speaker on security-related topics. His blog is a chronicle of his thoughts and experiences as he strives to create "a new security standard for your online presence."

Three posts we like from Tony on Security:

Troy Hunt

@troyhunt

Troy Hunt is a Microsoft Regional Director and MVP who creates Pluralsight courses and travels the world to train technology professionals and speak at technology and security events. He's a sought-after speaker and thought leader, making Hunt's blog a particularly worthy read for any infosec pro. Troy is also the creator of Have I Been Pwned, a free online resource to check if you've been compromised in a breach. Troy was also featured in one of our podcasts, Episode 15: Talking Data Breaches and Getting Pwned.

Three posts we like from Troy Hunt:

Uncommon Sense Security

@jack_daniel

Uncommon Sense Security is the blog of Tenable Network Security Strategist and Security BSides co-founder Jack Daniel. While Jack's updates are not as frequent as they once were, his blog still serves as a trove of infosec knowledge on topics such as vulnerabilities, small business infosec, data breaches, the infosec community, and more. A self-described "infosec curmudgeon," Jack's insights, opinions, and humorous writing style are always worth a read.

Three posts we like from Uncommon Sense Security:

Vendor Blogs

AlienVault Blog

@alienvault

A leading provider of unified security management and community-powered threat intelligence solutions, AlienVault maintains an informative blog covering topics of interest to the infosec community, including news, emerging threats, tips and tricks, and more.

Three posts we like from AlienVault Blog:

...And You Will Know Us by the Trail of Bits

@trailofbits

...And You Will Know Us by the Trail of Bits is the official blog of Trail of Bits, an enterprise infosec consulting firm founded by Dan Guido and Alexander Sotirov. The blog offers expert infosec advice based on consulting experience at some of the world's most advanced security programs. The blog provides excellent educational content focused on vulnerabilities, exploits, malware, and more.

Three posts we like from ...And You Will Know us by the Trail of Bits:

BH Consulting IT Security Watch

@bhconsulting

BH Consulting IT Security Watch covers security news and major data breach news that impacts both consumers and enterprises, featuring insights from Brian Honan, Lee Munson, Gordon Smith, and other thought leaders and contributors. The blog is a monthly digital publication highlighting the most interesting news and articles related to the security field. Much of the coverage is relevant worldwide, though some are specific to BH Consulting news and Ireland.

Three posts we like from BH Consulting IT Security Watch:

Cisco Talos

@TalosSecurity

Cisco's industry-leading threat intelligence team aims to protect organizations' people, data, and infrastructure from active adversaries. The Talos blog was launched in 2008 and has become a comprehensive resource on the latest security approaches, emerging threats, and sound advice for protecting your organization from the evolving threat landscape.

Three posts we like from Cisco Talos:

Duo Blog

@duosec

Duo provides tools, including two-factor authentication, endpoint security, and single sign-on, to enable your users to securely and reliably access your applications. The Duo Blog is regularly updated with insights on the latest threats, security tips, tricks, and techniques, and other news of interest in the modern information security space.

Three posts we like from Duo Blog:

F-Secure Blog

@FSecure

The F-Secure Weblog by F-Secure's Security Research and Technology fellows. The blog is research-heavy, with lots of educational content covering the latest findings from F-Secure Labs. Focal points include vulnerability discoveries, software patches, mobile security, and more.

Three posts we like from the F-Secure Weblog:

FireEye Blog

@FireEye

FireEye takes a three-pronged approach to security, encompassing innovative technologies, expertise, and threat intelligence capabilities, addressing the complete security operations lifecycle from end to end. Likewise, the FireEye blog encompasses three key focal areas: threat research, products and services, and perspectives from executives, covering the latest advanced threats, cyber attacks, threat research, and threat intelligence, as well as news and trends in cyber security with a focus on how those threats impact business.

Three posts we like from FireEye Blog:

Flashpoint

@FlashpointIntel

Flashpoint's experts share their unique discoveries, observations, and opinions on trending topics in business risk intelligence, the deep web, and the dark web. The blog dives into specific industries and even publishes podcast episodes.

Three posts we like from Flashpoint:

flyingpenguin

@daviottenheimer

Davi Ottenheimer, David Willson, Matthew Wallace, and Bryan Zimmer comprise the team behind security consultancy flyingpenguin. Ottenheimer has more than two decades of experience managing global security operations and assessments, including 10 years of experience leading incident response and digital forensics, and he is the chief blogger behind the flyingpenguin blog, offering in-depth analysis of information security news, events, and developments. Davi was in Episode 11 of the Digital Guardian podcast, during which he discussed the role of artificial intelligence and machine learning in the security space.

Three posts we like from flyingpenguin:

Google Project Zero

@Google

Google Project Zero is a team of security analysts tasked with sniffing out zero day vulnerabilities. Project Zero was first announced on July 15, 2014, and the blog has been operating since late 2014. It's a treasure trove of in-depth research and analysis from the Project Zero team, which consists of some of the most forward-thinking minds in the information security space.

Three posts we like from Google Project Zero:

Sophos Naked Security

@NakedSecurity

Sophos' Naked Security blog is great for security news. The blog features content from a wide range of security experts with a focus on malware, consumer privacy, social media security, and more.

Three posts we like from Naked Security:

Patrick Wardle's Objective-See (Apple/OSX/macOS malware) blog

@objective_see

Objective-See was created to provide simple, effective OS X security tools to address the growing need for security solutions as Macs became more prevalent. This blog is managed by Patrick Wardle, Founder and Chief Research Officer at Digita Security. Wardle has presented at more than 25 security conferences including Black Hat, DefCon, RSA, and other leading security events.

Three posts we like from Patrick Wardle's Objective-See blog:

Recorded Future

@RecordedFuture

Recorded Future aims to organize and analyze threat data in a new, innovative way to support better, faster, and more comprehensive security. The company's goal is to provide organizations with real-time, contextualized threat intelligence, enabling them to address threats proactively at the speed and scale demanded in modern times. The Recorded Future blog focuses on news and analysis of the latest concerns in the infosec landscape.

Three posts we like from Recorded Future:

Tripwire - The State of Security

@TripwireInc

Tripwire provides compliance and IT operations solutions for enterprises, industrial organizations, service providers, and government agencies. Tripwire's The State of Security blog offers news, trends, and insights on the latest happenings in the evolving cybersecurity space.

Three posts we like from Tripwire - The State of Security:

The Veracode Blog

@veracode

Application security firm Veracode's blog has grown into one of the leading sources for appsec news and insights. With regular contributions from security experts such as Laura Paine, Suzanne Ciccone, John Zorabedian, and others, the blog offers informed commentary on the latest security issues. Favorite topics include application security testing, software vulnerabilities, hacking, mobile security, and more.

Three posts we like from the Veracode Blog:

Security News Blogs

Cyber Sins

@rnarang

Cyber Sins is the blog of Rishi Narang, a consultant, writer, and researcher who focuses on cyber security and threat intelligence. The blog offers information about cyber attacks, web security, and more subjects in information security.

Three posts we like from Cyber Sins:

Infosec Island

@InfosecIsland

InfoSec Island aims to provide a place for IT and network professionals to go to find help and information quickly and easily, by combining an online community, infosec portal, and a social network. Infosec Island’s blog features several contributors and includes information about the Cloud, malware, cyberattacks, and more topics related to information security.

Three posts we like from Infosec Island:

IT Security

@kevtownsend

Kevin Townsend’s IT Security blog aims to present and discuss information security in a “new and challenging manner.” A panel of leading information security experts contribute regularly, offering an expert perspective on many of the pressing news stories and incidents impacting the field of information security today. Contributors include Dr. Brian Bandey, David Harley, Bev Robb, and other thought leaders, as well as, of course, Townsend himself.

Three posts we like from IT Security:

IT Security Guru

@IT_SecGuru

All the breaking IT security news you need to stay abreast of the latest happenings in the industry are found at IT Security Guru – first thing in the morning. With the goal of compiling all the most pressing industry news in one spot, IT Security Guru makes it easy for you to keep your finger on the pulse of the InfoSec world without spending hours searching the Internet or scrolling through dozens of blogs and news sites.

Three posts we like from IT Security Guru:

SANS Security Awareness Training Blog

@SecureTheHuman

SANS Security Awareness provides training classes, training materials, and other resources necessary for educating not only Security Awareness specialists, but also the end users within organizations. The SANS Security Awareness Training Blog touches on current news, events, and insights and opinions on effective security awareness planning and training.

Three posts we like from SANS Security Awareness Training Blog:

Security Affairs

Security Affairs is the blog of Pierluigi Paganini, a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation. He's also the Director of the Master in Cyber Security at Link Campus University, a Security Evangelist, Security Analyst, and Freelance Writer. Also serving as Editor-in-Chief of Cyber Defense Magazine, Paganini brings a wealth of expertise to this regularly updated blog that covers everything from cyber warfare to deep web, IoT, laws and regulations, malware, security, and more.

Three posts we like from Security Affairs:

The Security Ledger

@securityledger

The Security Ledger is run by Paul Roberts, former ThreatPost editor and analyst at 451 Research and Kaspersky Lab. The independent blog focuses on cybersecurity, bringing insight to subjects such as the internet of things, malware, government policy, and consumer security.

Three posts we like from The Security Ledger:

Security Weekly

@securityweekly

Paul Asadoorian’s Security Weekly features a weekly live video broadcast, along with written posts, covering the latest InfoSec news, hacker techniques, tutorials, InfoSec research, and more. With a mix of technical content and entertainment, Security Weekly’s objective is to “use new technologies to reach a wider audience across the globe to teach people how to grow, learn, and be security ninjas.”

Three episodes we like from Security Weekly:

ThreatPost

@threatpost

You'd be hard pressed to find a "Best of InfoSec" blog list that doesn't include ThreatPost. Billed as "an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide ," ThreatPost is run by a team of recognized infosec experts with a focus on topics such as privacy, web security, vulnerabilities, and more.

Three posts we like from ThreatPost:

Wired's Threat Level

@WIRED

Wired is an established digital publication focused on technology and gear, but it's not as widely recognized for its impressive coverage of the InfoSec realm, though it should be. Wired talks privacy, crime, and security online, delving into clever hacks and workarounds and reporting on the latest security news impacting consumers and professionals in the field.

Three posts we like from Wired's Threat Level:

Zero Day

@ZDNet

ZDNet's Zero Day is your source for the latest news and insights in software and hardware security research, threats, vulnerabilities, cyberattacks, and other happenings of interest to the modern information security professional.

Three posts we like from Zero Day: