
Cybersecurity Shenanigans #011: CVE uncertainty, cybersec training, and a huge thank you 💙

This month's cybersecurity scoop.

👋 Hey friend,

It’s time for Cybersecurity Shenanigans again — and sheesh, are there shenanigans to cover this month. 😅

From the cybersec community being lit on fire (even more than usual) to some exciting updates with Just Hacking Training, there’s a lot of ground to cover this month. Let’s get right to it!

— JH

Thank you for 2M 🙂

I reached a pretty significant milestone on YouTube this week: 2 million subscribers. (WHAT?!)

I feel undeserving but very blessed. Thank you for letting me be a part of the industry and community... especially if my content has helped you in your own path.

Honored to have a seat at the table, but more honored to be sitting together with all of you. 💙

News & Commentary

MITRE funding almost expired, setting the cybersec community ablaze

The big news of the week is that MITRE’s funding for the Common Vulnerabilities and Exposures (CVE) program was set to expire yesterday, April 16. The news broke earlier this week with the release of a memo to CVE board members.

With just hours to spare, CISA ultimately extended funding for MITRE for the next 11 months — but I feel like this is a good time to revisit just why the CVE program is such a critical asset for security researchers and the cybersecurity community as a whole.

What are CVEs?

Every publicly disclosed vulnerability in a specific product is given a sort of “ID number”, a CVE identifier such as CVE-2025-XXXXX, that keeps security researchers on the same page when discussing it. It lets us as an industry tactically address and respond to what a problem really is, while making sure we are all addressing the same problem thanks to that unique identifier. So in practice a CVE ID is synonymous with its vulnerability: one ID, one flaw.

How do CVEs tie into vulnerability management?

CVEs form the groundwork for vulnerability management. In a typical vulnerability management program, you’ll conduct a vulnerability scan, assess those vulnerabilities, prioritize them, and then remediate them. CVEs are the vulnerabilities at play, and those CVEs help security pros identify, define, and prioritize their remediation efforts.

Okay, let’s say we don’t have CVEs anymore. Can’t we just remediate vulnerabilities as they arise?

In a perfect world where every security researcher and cybersec pro has endless time, sure. But in reality, no, not really.

Simply stated, in the vast majority of environments it is infeasible to address every single vulnerability. You have to pick and choose your battles, and that is where prioritization comes into play. CVEs help us prioritize vulnerabilities because each ID collects and files away what is known about that one vulnerability. If security analyst Bob researches CVE-2025-XXXXX and discovers it can give threat actors remote access, for example, Bob can ring the alarm about this specific CVE to alert the security community, and everyone knows exactly which bug he means.

But here’s where it gets tricky. What serves as an “all-hands-on-deck, red-alert” vulnerability for one company may not be the case for another. For instance, if Company B operates in an air-gapped environment with no internet connectivity, that “all-hands-on-deck, red-alert” remote vulnerability may actually be a nothingburger for Company B. CVEs help security researchers identify and weigh those risks for their industry and even their specific company, and in turn those risks can be handled appropriately, depending on the organization and its unique environment.

Another analogy: CVEs are like caring for different wounds in the ER. While a scrape warrants a simple bandage, a third-degree burn requires immediate, specialized care. CVEs help us identify which vulnerabilities are scrapes and which ones are third-degree burns, so we can act accordingly.

What might the aftermath look like if funding isn’t renewed?

Luckily, we don’t have to consider the worst until at least 11 months from now, but it’s worth talking about what could happen if funding does dry up.

Frankly, this would be uncharted territory, and it’s difficult to say exactly what the aftermath will look like if funding isn’t renewed. We can only make educated guesses at this point.

I try to steer clear of being an alarmist, but my biggest fear is seeing this centralized security database fall apart, leaving security researchers scrambling to pick up the pieces. MITRE plays a vital part in the CVE process — designating or cutting CVE identifiers — and the national database and resources we all rely on might just fall apart.

The cybersecurity industry has drastically matured over the last couple of decades. We’ve found that by working together, we get more done. Cybersecurity isn’t as daunting. But if cybersecurity is best played as a team sport, then it’s only as good as its community. And without a centralized place for the community to gather and share intel, we’re likely to be more siloed and scrambled. That makes for a much more dangerous world for all of us!

Where should I go to learn more?

Here are a few resources/bits of coverage to learn more:

Sponsor

Take the fear out of phishing response with automation

Did you know that 57% of organizations experience phishing attempts on a weekly or daily basis? For modern security teams, phishing remains one of the most persistent and resource-intensive challenges their organizations face. What can be done about it?

On April 22, join Tines and Material Security for Take the fear out of phishing response: Lessons from Material Security. You’ll learn:

  • The evolution and current state of phishing attacks

  • The role of automation and AI in phishing response

  • Tips for building a phishing-resistant culture in your organization

Email being clipped?

Here’s some actually helpful advice: You can view the email in your browser: https://johnhammond.beehiiv.com/p/cybersecurity-shenanigans-011.

(And as always, thanks for nothing, Clippy. 💙)

Latest Content

YouTube Videos

// Let’s look at some desktops of the exact moment when people got pwned. 👀

// Apparently, today’s malware can be a real bop. 🎶

// Let’s dive into a critical vulnerability discovered in the Next.js framework. 🤓

Just Hacking Training 🤓
April Announcements

You Passed Security+… Great! Tick that HR box.

But can you pass a technical interview?

The Constructing Defense Path (2025 Edition), with its massive hands-on lab and 100+ videos, is one of the flagship ways to start a career in cybersecurity. At only $400 until April 30, it’s a fraction of the cost of other cyber ranges yet more in-depth. Get ready to perform attacks and see what happens from a defensive perspective. Learn. Attack. Defend. Repeat!

Recently Released Bundles:

  • The “Mishaal” Bundle – All of Mishaal Khan’s Training for only $150!

  • Mastering Active Directory Security (MADS) Volumes 1 – 3 = 20% Off

  • Windows Malware Dev (WMD) 1 – 3 = 20% Off

15% off EVERYTHING!

Use code TaxDay15 for 15% off everything on JHT
Yes… includes already discounted courses & bundles!

Expires Midnight ET on April 30

Additional Releases:

With new content released twice a month throughout 2025, bi-monthly livestreams with our experts and even some “Name Your Price” options, JHT provides "Focused Technical Training for All Levels" to advance your career regardless of experience level or budget.

Come hang out with us hackers in Discord and engage with me, our All-Star instructors, students, and the rest of our community.

Social

Got feedback?

We’re 11 issues into this newsletter, and I’d love to check in with you: Is this thing helpful? Mildly entertaining? Awkward?

I can’t promise to make it less awkward, but I would love your ideas on how to make it more entertaining and helpful as a resource.

Please reply to this email and let me know what you’re loving — and what you’d like to see in this thing.

Thank you!