Each January on the SEI Weblog, we current the ten most-visited posts from the earlier yr. This yr’s prime 10 listing highlights the SEI’s work in software program acquisition, synthetic intelligence, menace modeling, machine studying check and analysis, and enterprise threat administration. The posts, all revealed in 2025, are offered under in reverse order based mostly on the variety of visits.
10. Views on Generative AI in Software program Engineering and Acquisition
by Anita Carleton, James Ivers, Ipek Ozkaya, John E. Robert, Douglas Schmidt (William & Mary), and Shen Zhang
Within the realm of software program engineering and software program acquisition, generative AI guarantees to enhance developer productiveness and fee of manufacturing of associated artifacts, and in some circumstances their high quality. It’s important, nonetheless, that software program and acquisition professionals discover ways to apply AI-augmented strategies and instruments of their workflows successfully. This weblog put up focuses on the way forward for software program engineering and acquisition utilizing generative AI applied sciences, equivalent to ChatGPT, DALL·E, and Copilot, and explores consultants’ views of making use of generative AI in software program engineering and acquisition. It’s the newest in a sequence of weblog posts on these matters.
The weblog put up contains views from SEI Fellow Anita Carleton, director of the SEI Software program Options Division, together with a gaggle of SEI thought leaders on AI and software program together with James Ivers, principal engineer; Ipek Ozkaya, technical director of the Engineering Clever Software program Techniques group; John Robert, deputy director of the Software program Options Division; Douglas Schmidt, who was the Director of Operational Check and Analysis on the Division of Protection (DoD) and is now the inaugural dean of the Faculty of Computing, Knowledge Sciences, and Physics at William & Mary; and Shen Zhang, a senior engineer.
Learn the put up in its entirety.
9. 13 Cybersecurity Predictions for 2025
by Greg Touhill
In his yearly reflection and anticipation weblog put up, CERT Director Greg Touhill calls upon his many years of expertise as an info know-how and cybersecurity senior govt and what he has realized main the SEI’s CERT Division (one of many first organizations devoted to cyber analysis and response) and channels the spirit of the close by Punxsutawney Phil, that well-known prognosticating Pennsylvania groundhog, to look into 2025 and forecast what we are going to probably replicate upon on the finish of this yr.
Learn the put up in its entirety.
8. Cease Imagining Threats, Begin Mitigating Them: A Sensible Information to Risk Modeling
by Alex Vesey
When constructing a software-intensive system, a key half in making a safe and sturdy resolution is to develop a cyber menace mannequin. Risk fashions are necessary as a result of they information necessities, system design, and operational selections. This weblog put up focuses on a technique menace modelers can use to make credible claims about assaults the system might face and to floor these claims in observations of adversary techniques, methods, and procedures (TTPs).
Learn the put up in its entirety.
7. Introducing MLTE: A Techniques Strategy to Machine Studying Check and Analysis
by Alex Derr, Sebastián Echeverría, Katherine R. Maffey (AI Integration Middle, U.S. Military), and Grace Lewis
With out correct testing, techniques that include machine studying parts (ML-enabled techniques, or ML techniques for brief) can fail in manufacturing, typically with critical real-world penalties. Testing and analysis (T&E) of those techniques can assist decide if they’ll carry out as anticipated—and desired—earlier than going into manufacturing. Nevertheless, ML techniques are notoriously troublesome to check for quite a lot of causes, together with challenges round correctly defining necessities and analysis standards. Consequently, there are at the moment few accepted finest practices for testing ML techniques. On this weblog put up, we introduce Machine Studying Check and Analysis (MLTE), a brand new course of and power collectively developed by SEI and the Military AI Integration Middle (AI2C) to mitigate this downside and create safer, extra dependable ML techniques.
Learn the put up in its entirety.
6. Synthetic Intelligence in Nationwide Safety: Acquisition and Integration
by Paige Rishel, Carol J. Smith, Brigid O’Hearn, and Rita C. Creel
As protection and nationwide safety organizations contemplate integrating AI into their operations, many acquisition groups are uncertain of the place to start out. In June, the SEI hosted an AI Acquisition workshop. This weblog put up particulars practitioner insights from the workshop, together with challenges in differentiating AI techniques, steering on when to make use of AI, and matching AI instruments to mission wants.
Learn the put up in its entirety.
5. Out of Distribution Detection: Realizing When AI Doesn’t Know
by Eric Heim and Cole Frank
A crucial problem in synthetic intelligence is realizing when an AI system is working outdoors its supposed information boundaries. That is the crucial area of out-of-distribution (OoD) detection—figuring out when an AI system is dealing with conditions it wasn’t skilled to deal with. By way of our work right here within the SEI’s AI Division, significantly in collaborating with the Workplace of the Underneath Secretary of Protection for Analysis and Engineering (OUSD R&E) to ascertain the Middle for Calibrated Belief Measurement and Analysis (CaTE), we’ve seen firsthand the crucial challenges dealing with AI deployment in protection purposes.
Learn the put up in its entirety.
4. Introducing the Insider Incident Knowledge Alternate Commonplace (IIDES)
by Austin Whisnant
Latest analysis signifies that organizational insiders perpetrate 35 % of knowledge breaches, and malicious insider incidents price organizations a median of $701,500 yearly. The examine and administration of insider menace and threat stay areas of more and more rising consideration, prevalence, and concern, however capturing and sharing details about insider incidents in a standardized approach has been a problem for practitioners. A typical of incident classification and data sharing might enable practitioners to construct, preserve, deidentify, and share insider menace case information with an eye fixed towards constructing extra sturdy information for evaluation and insights that profit their organizations and the entire neighborhood. On this put up, we introduce the Insider Incident Knowledge Alternate Commonplace (IIDES) schema for insider incident information assortment, present an instance use case, and invite you to collaborate with us on its improvement.
Learn the put up in its entirety.
3. The DevSecOps Functionality Maturity Mannequin
by Timothy A. Chick, Brent Frye, and Aaron Reffett
Implementing DevSecOps can enhance a number of elements of the effectiveness of a software program group and the standard of the software program for which it’s accountable. Implementation of DevSecOps is a posh course of, nonetheless, and the best way a program evaluates progress in its DevSecOps implementation is necessary. We suggest right here a body of reference for DevSecOps maturity, enabling organizations to give attention to outcomes – worth delivered – with out extreme give attention to compliance.
The Division of Protection’s (DoD) DevSecOps Documentation Set emphasizes program actions that velocity supply, tighten safety, and enhance collaboration throughout the software program improvement lifecycle. Evaluating these actions towards a set of traits, attributes, indicators, and patterns will not be enough. It have to be accomplished throughout the context of worth delivered. Subsequently, on this weblog put up, we first outline worth in a DevSecOps context. Subsequent, we describe how the DevSecOps Platform Impartial Mannequin (PIM) supplies an authoritative reference mannequin for evaluating a corporation’s DevSecOps functionality maturity. Lastly, we offer a benchmark instance of a DevSecOps functionality profile.
Learn the put up in its entirety.
2. Evaluating LLMs for Textual content Summarization: An Introduction
by Shannon Gallagher, Swati Rallapalli, and Tyler Brooks
Giant language fashions (LLMs) have proven large potential throughout numerous purposes. On the SEI, we examine the software of LLMs to quite a lot of DoD-relevant use circumstances. One software we contemplate is intelligence report summarization, the place LLMs might considerably scale back the analyst cognitive load and, probably, the extent of human error. Nevertheless, deploying LLMs with out human supervision and analysis might result in important errors together with, within the worst case, the potential lack of life. On this put up, we define the basics of LLM analysis for textual content summarization in high-stakes purposes equivalent to intelligence report summarization. We first talk about the challenges of LLM analysis, give an outline of the present state-of-the-art, and eventually element how we’re filling the recognized gaps on the SEI.
Learn the put up in its entirety.
- Radio Frequency 101: Can You Actually Hack a Radio Sign?
by Roxxanne White and Michael Bragg
In 2017, a malicious actor exploited the indicators in Dallas’s emergency siren system and set off alarms for over 90 minutes. A majority of these assaults can have an effect on units that use radio frequency (RF) know-how, from sensible safety techniques to plane. RF additionally performs a crucial function in lots of army techniques equivalent to navigation, radar, and communication techniques. Widespread DoD use circumstances embody satellite tv for pc communication (SATCOM), radar, and tactical information hyperlinks that assist coordinate troop actions, sign place details about a goal, or assist preserve communication between plane and drones.
On this weblog put up, we discover a number of the fundamentals of radio frequency communication, delve into the generalities of protocols and system interactions, talk about widespread RF instruments, and uncover methods malicious actors can assault techniques. We summarize the fundamentals of RF know-how and the dangers related to it, and we talk about how the SEI helps to safe wi-fi communications.
Learn the put up in its entirety.
Trying Forward in 2026
Be taught extra about our cutting-edge analysis by checking again weekly for posts highlighting the SEI’s work in synthetic intelligence, machine studying, cybersecurity, software program engineering, and vulnerability administration.