The BSI report for 2025 (as of October 2025) is out.1 There is not much fundamentally new. Here the key points, with some context: The threat level remains high and stable.2 Misconfiguration of systems and software jumped from 28% in the previous period to 44%.3 Web-facing attack surfaces are in a “concerning state”.4 The scope includes all reachable IPs under .de domains. EDR and similar security tools do not provide sufficient protection. They remain ineffective against common attack patterns and can be bypassed with so-called EDR killers, according to Heise.5 Small and medium-sized businesses are increasingly targeted by ransomware groups. The report calls this a “fundamental misjudgment” of risk by those in charge.6 Questionable self-praise This is also typical for the BSI: Self-praise about supposed wins against international cybercrime and improved protection of critical infrastructure. That sounds odd when the same report states:7 Read more

“Ship fast, fail fast”, sometimes shortened to “fail cheap”, is a common mantra in agile environments.1 It addresses real problems with rigid processes, hierarchies, and tech stacks. For years, the industry has promised higher speed through agile methods. That sounds good. Still, when people ask if I work in an agile way, I avoid a straight answer. People confuse speed with maturity. Moving faster does not fix a wrong direction. Speed as replacement for clarity. Read more

For many, AI is the great promise for salvation. More efficiency, more ease, more future. Everyone is talking about it, so it must be true. And so many are jumping on the bandwagon, which, from the external perspective, appears to be a big party.My impression is that the discussion in medium-sized companies tends to focus more on opportunities and less on realities. There is a lack of honest assessment of the situation. And by that I don’t just mean the technology, but above all the non-technical governance. Read more