Lore & Order Vol. 5: What Execs Really Want (Hint: PDFs)


Welcome to This Month’s Dispatch from Ally Security

Inside: Apple patches its seventh exploited zero-day this year, Caleb Sima explains why crown jewels beat “secure everything,” and Google Cloud shows what bioproduction tabletops can teach us about shared fate. Plus, Ally’s first interactive exercise template is live, and by popular demand — report export to PDF is here.

Table Talk: Introducing Our First Exercise Template

We've got some big news to share... Ally has built our first exercise template for customers to use!

For this first template, we focused on one of the biggest hurdles facing facilitators — engagement.

This template is built in a whiteboard app, which gives us a ton of interactivity throughout the exercise. Things like dot voting for decision making, polling on declaring an incident, and spinner wheels that can introduce chaos to spice up the exercise. No more falling asleep at the table (whether it be virtual or full of pizza).

I recently had an interesting discussion about using the whiteboard app. The pushback was that execs at large companies will never use it. Well, that’s probably true and this method isn’t for them. You’ll need different tools for different audiences and we’ll build more options over time. But for facilitators with a tech-savvy audience looking to up their game, this is a great tool (especially for virtual exercises!).

If you’d like to see a demo and learn how you can use it for your next exercise, please reach out!

Your allies in IR,

Rob & Scout

Asa's Field Intel: Inspiration for Your Next TTX

1. Apple Drops CVE-2025-43300: What You Need to Know

Apple just patched CVE-2025-43300, a critical ImageIO vulnerability already under active exploitation. The flaw could allow attackers to corrupt memory through a malicious image — making this one you can’t ignore. If your team hasn’t updated iOS, iPadOS, or macOS yet, now’s the time. See Patch Details

2. Inside Google’s Biosecurity Summit TTX

Google Cloud’s Office of the CISO explored tabletop exercises at the Bio-ISAC Biosecurity Summit, role-playing a cyberattack on biomanufacturing. The session showed how diverse groups respond to evolving threats, highlighting shared fate, constructive conflict, and avoiding cognitive dead ends. These lessons help leaders refine real-world security responses before the next crisis hits. Lessons from the Summit

3. A CISO's Guide to Protecting Your Crown Jewels

Caleb Sima outlines how CISOs can move past “secure everything” with a focused crown jewels strategy. The approach directs scarce resources toward assets attackers want most — making defenses practical, measurable, and far more effective. If your team hasn’t defined its crown jewels yet, now’s the time! Read More on LinkedIn

4. ByteWise: Stress in Cybersecurity

The latest ByteWise episode takes a pause from technical talk and gets real about stress in IT and InfoSec. Brian, Daniela, and Glen share how pressure shows up for them, why disconnecting is tough in a 24/7 world, and what short- and long-term strategies actually help. From quick fixes to deeper ways of recharging, it’s an honest look at the human side of security work. Listen to the Episodes

Ally's Build Chronicle

Built by our killer principal engineer, Megh!

If you’re thinking “how do I export this report”…you’d be right.

Export was not something we thought too much about going into beta testing but it came up on almost every call — testers wanted to export the report to PDF. There are some good reasons for this: executives won’t sign in to portals, there’s a need to store evidence for controls, and personalization of what exercise feedback is presented, to name a few.

So, we built it.

The first release of report export is now available in your production accounts. You can select which report modules you want included and then export or print. Easy as pie.

We’ll add additional reporting module options for export over time.

Cheers,

Rob & Scout

End of Turn

If your execs still expect PDFs hand-delivered like it’s Y2K, we’ve got you covered. Apple’s patch tally, Caleb’s crown jewels playbook, and Google’s shared-fate tabletops all point to the same theme — focus where it counts and make it stick.

About Ally Security

Ally is here to support facilitators, which in turn creates a virtuous cycle where exercises take less time, provide more value, are run more frequently, and can make every organization better prepared.

Book a demo!

Have a great IR story? Tell Asa!

The unexpected wins. The client curveballs. The chaos you couldn’t have scripted if you tried. Dear Asa is your space to share the stories that don’t make it into the official post-incident report. Script, submit, and enjoy a chance to be featured or quoted in an upcoming post.

Share my story