
The Top 10 Blog Posts of 2025


Every January on the SEI Blog, we present the 10 most-visited posts from the previous year. This year's top 10 list highlights the SEI's work in software acquisition, artificial intelligence, threat modeling, machine learning test and evaluation, and enterprise risk management. The posts, all published in 2025, are presented below in reverse order based on the number of visits.

10. Perspectives on Generative AI in Software Engineering and Acquisition
by Anita Carleton, James Ivers, Ipek Ozkaya, John E. Robert, Douglas Schmidt (William & Mary), and Shen Zhang

In the realm of software engineering and software acquisition, generative AI promises to improve developer productivity and the rate of production of related artifacts, and in some cases their quality. It is essential, however, that software and acquisition professionals learn how to apply AI-augmented methods and tools in their workflows effectively. This blog post focuses on the future of software engineering and acquisition using generative AI technologies, such as ChatGPT, DALL·E, and Copilot, and explores experts' views on applying generative AI in software engineering and acquisition. It is the latest in a series of blog posts on these topics.

The blog post includes perspectives from SEI Fellow Anita Carleton, director of the SEI Software Solutions Division, along with a group of SEI thought leaders on AI and software including James Ivers, principal engineer; Ipek Ozkaya, technical director of the Engineering Intelligent Software Systems group; John Robert, deputy director of the Software Solutions Division; Douglas Schmidt, who was the Director of Operational Test and Evaluation at the Department of Defense (DoD) and is now the inaugural dean of the School of Computing, Data Sciences, and Physics at William & Mary; and Shen Zhang, a senior engineer.

Read the post in its entirety.

9. 13 Cybersecurity Predictions for 2025
by Greg Touhill

In his yearly reflection and anticipation blog post, CERT Director Greg Touhill calls upon his decades of experience as an information technology and cybersecurity senior executive and what he has learned leading the SEI's CERT Division (one of the first organizations dedicated to cyber research and response) and channels the spirit of the nearby Punxsutawney Phil, that famous prognosticating Pennsylvania groundhog, to look into 2025 and forecast what we will likely reflect upon at the end of this year.

Read the post in its entirety.

8. Stop Imagining Threats, Start Mitigating Them: A Practical Guide to Threat Modeling
by Alex Vesey

When building a software-intensive system, a key part of creating a secure and robust solution is to develop a cyber threat model. Threat models are important because they guide requirements, system design, and operational choices. This blog post focuses on a method threat modelers can use to make credible claims about attacks the system may face and to ground those claims in observations of adversary tactics, techniques, and procedures (TTPs).

Read the post in its entirety.

7. Introducing MLTE: A Systems Approach to Machine Learning Test and Evaluation
by Alex Derr, Sebastián Echeverría, Katherine R. Maffey (AI Integration Center, U.S. Army), and Grace Lewis

Without proper testing, systems that contain machine learning components (ML-enabled systems, or ML systems for short) can fail in production, sometimes with serious real-world consequences. Testing and evaluation (T&E) of these systems can help determine whether they will perform as expected—and desired—before going into production. However, ML systems are notoriously difficult to test for a variety of reasons, including challenges around properly defining requirements and evaluation criteria. As a result, there are currently few accepted best practices for testing ML systems. In this blog post, we introduce Machine Learning Test and Evaluation (MLTE), a new process and tool jointly developed by the SEI and the Army AI Integration Center (AI2C) to mitigate this problem and create safer, more reliable ML systems.

Read the post in its entirety.

6. Artificial Intelligence in National Security: Acquisition and Integration
by Paige Rishel, Carol J. Smith, Brigid O'Hearn, and Rita C. Creel

As defense and national security organizations consider integrating AI into their operations, many acquisition teams are unsure of where to start. In June, the SEI hosted an AI Acquisition workshop. This blog post details practitioner insights from the workshop, including challenges in differentiating AI systems, guidance on when to use AI, and matching AI tools to mission needs.

Read the post in its entirety.

5. Out of Distribution Detection: Understanding When AI Doesn't Know
by Eric Heim and Cole Frank

A critical challenge in artificial intelligence is knowing when an AI system is operating outside its intended knowledge boundaries. This is the critical domain of out-of-distribution (OoD) detection—identifying when an AI system is facing situations it was not trained to handle. Through our work here in the SEI's AI Division, particularly in collaborating with the Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E) to establish the Center for Calibrated Trust Measurement and Evaluation (CaTE), we have seen firsthand the critical challenges facing AI deployment in defense applications.

Read the post in its entirety.

4. Introducing the Insider Incident Data Exchange Standard (IIDES)
by Austin Whisnant

Recent research indicates that organizational insiders perpetrate 35 percent of data breaches, and malicious insider incidents cost organizations an average of $701,500 annually. The study and management of insider threat and risk remain areas of growing attention, prevalence, and concern, but capturing and sharing information about insider incidents in a standardized way has been a challenge for practitioners. A standard for incident classification and data sharing could allow practitioners to build, maintain, deidentify, and share insider threat case data with an eye toward building more robust data for analysis and insights that benefit their organizations and the whole community. In this post, we introduce the Insider Incident Data Exchange Standard (IIDES) schema for insider incident data collection, provide an example use case, and invite you to collaborate with us on its development.

Read the post in its entirety.

3. The DevSecOps Capability Maturity Model
by Timothy A. Chick, Brent Frye, and Aaron Reffett

Implementing DevSecOps can improve multiple aspects of the effectiveness of a software organization and the quality of the software for which it is responsible. Implementation of DevSecOps is a complex process, however, and the way a program evaluates progress in its DevSecOps implementation is critical. We propose here a frame of reference for DevSecOps maturity, enabling organizations to focus on outcomes – value delivered – without excessive focus on compliance.

The Department of Defense's (DoD) DevSecOps Documentation Set emphasizes program activities that speed delivery, tighten security, and improve collaboration across the software development lifecycle. Evaluating these activities against a set of characteristics, attributes, indicators, and patterns is not sufficient. It must be done within the context of value delivered. Therefore, in this blog post, we first define value in a DevSecOps context. Next, we describe how the DevSecOps Platform Independent Model (PIM) provides an authoritative reference model for evaluating an organization's DevSecOps capability maturity. Finally, we provide a benchmark example of a DevSecOps capability profile.

Read the post in its entirety.

2. Evaluating LLMs for Text Summarization: An Introduction
by Shannon Gallagher, Swati Rallapalli, and Tyler Brooks

Large language models (LLMs) have shown tremendous potential across various applications. At the SEI, we study the application of LLMs to a number of DoD-relevant use cases. One application we consider is intelligence report summarization, where LLMs could significantly reduce the analyst's cognitive load and, potentially, the level of human error. However, deploying LLMs without human supervision and evaluation could lead to significant errors including, in the worst case, the potential loss of life. In this post, we outline the fundamentals of LLM evaluation for text summarization in high-stakes applications such as intelligence report summarization. We first discuss the challenges of LLM evaluation, give an overview of the current state of the art, and finally detail how we are filling the identified gaps at the SEI.

Read the post in its entirety.

1. Radio Frequency 101: Can You Really Hack a Radio Signal?
by Roxxanne White and Michael Bragg

In 2017, a malicious actor exploited the signals in Dallas's emergency siren system and set off alarms for over 90 minutes. These types of attacks can affect devices that use radio frequency (RF) technology, from smart security systems to aircraft. RF also plays a critical role in many military systems such as navigation, radar, and communication systems. Common DoD use cases include satellite communication (SATCOM), radar, and tactical data links that help coordinate troop movements, signal position information about a target, or help maintain communication between aircraft and drones.

In this blog post, we explore some of the basics of radio frequency communication, delve into the generalities of protocols and system interactions, discuss common RF tools, and uncover ways malicious actors can attack systems. We summarize the basics of RF technology and the risks associated with it, and we discuss how the SEI helps to secure wireless communications.

Read the post in its entirety.

Looking Ahead in 2026

Learn more about our cutting-edge research by checking back weekly for posts highlighting the SEI's work in artificial intelligence, machine learning, cybersecurity, software engineering, and vulnerability management.
