Thursday, January 15, 2026

The Top 10 Blog Posts of 2025


Every January on the SEI Blog, we present the ten most-visited posts from the previous year. This year’s top 10 list highlights the SEI’s work in software acquisition, artificial intelligence, threat modeling, machine learning test and evaluation, and enterprise risk management. The posts, all published in 2025, are presented below in reverse order based on the number of visits.

10. Perspectives on Generative AI in Software Engineering and Acquisition
by Anita Carleton, James Ivers, Ipek Ozkaya, John E. Robert, Douglas Schmidt (William & Mary), and Shen Zhang

In the realm of software engineering and software acquisition, generative AI promises to improve developer productivity and the rate of production of related artifacts, and in some cases their quality. It is essential, however, that software and acquisition professionals learn how to apply AI-augmented methods and tools in their workflows effectively. This blog post focuses on the future of software engineering and acquisition using generative AI technologies, such as ChatGPT, DALL·E, and Copilot, and explores experts’ perspectives on applying generative AI in software engineering and acquisition. It is the latest in a series of blog posts on these topics.

The blog post includes perspectives from SEI Fellow Anita Carleton, director of the SEI Software Solutions Division, along with a group of SEI thought leaders on AI and software including James Ivers, principal engineer; Ipek Ozkaya, technical director of the Engineering Intelligent Software Systems group; John Robert, deputy director of the Software Solutions Division; Douglas Schmidt, who was the Director of Operational Test and Evaluation at the Department of Defense (DoD) and is now the inaugural dean of the School of Computing, Data Sciences, and Physics at William & Mary; and Shen Zhang, a senior engineer.

Read the post in its entirety.

9. 13 Cybersecurity Predictions for 2025
by Greg Touhill

In his yearly reflection and anticipation blog post, CERT Director Greg Touhill calls upon his decades of experience as an information technology and cybersecurity senior executive and what he has learned leading the SEI’s CERT Division (one of the first organizations dedicated to cyber research and response) and channels the spirit of the nearby Punxsutawney Phil, that famous prognosticating Pennsylvania groundhog, to look into 2025 and forecast what we’ll likely reflect upon at the end of this year.

Read the post in its entirety.

8. Stop Imagining Threats, Start Mitigating Them: A Practical Guide to Threat Modeling
by Alex Vesey

When building a software-intensive system, a key part of creating a secure and robust solution is to develop a cyber threat model. Threat models are important because they guide requirements, system design, and operational choices. This blog post focuses on a method threat modelers can use to make credible claims about attacks the system could face and to ground those claims in observations of adversary tactics, techniques, and procedures (TTPs).

Read the post in its entirety.

7. Introducing MLTE: A Systems Approach to Machine Learning Test and Evaluation
by Alex Derr, Sebastián Echeverría, Katherine R. Maffey (AI Integration Center, U.S. Army), and Grace Lewis

Without proper testing, systems that contain machine learning components (ML-enabled systems, or ML systems for short) can fail in production, sometimes with serious real-world consequences. Testing and evaluation (T&E) of these systems can help determine if they will perform as expected—and desired—before going into production. However, ML systems are notoriously difficult to test for a variety of reasons, including challenges around properly defining requirements and evaluation criteria. As a result, there are currently few accepted best practices for testing ML systems. In this blog post, we introduce Machine Learning Test and Evaluation (MLTE), a new process and tool jointly developed by SEI and the Army AI Integration Center (AI2C) to mitigate this problem and create safer, more reliable ML systems.

Read the post in its entirety.

6. Artificial Intelligence in National Security: Acquisition and Integration
by Paige Rishel, Carol J. Smith, Brigid O’Hearn, and Rita C. Creel

As defense and national security organizations consider integrating AI into their operations, many acquisition teams are unsure of where to start. In June, the SEI hosted an AI Acquisition workshop. This blog post details practitioner insights from the workshop, including challenges in differentiating AI systems, guidance on when to use AI, and matching AI tools to mission needs.

Read the post in its entirety.

5. Out of Distribution Detection: Knowing When AI Doesn’t Know
by Eric Heim and Cole Frank

A critical challenge in artificial intelligence is knowing when an AI system is operating outside its intended knowledge boundaries. This is the critical domain of out-of-distribution (OoD) detection—identifying when an AI system is facing situations it wasn’t trained to handle. Through our work here in the SEI’s AI Division, particularly in collaborating with the Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E) to establish the Center for Calibrated Trust Measurement and Evaluation (CaTE), we’ve seen firsthand the critical challenges facing AI deployment in defense applications.

Read the post in its entirety.

4. Introducing the Insider Incident Data Exchange Standard (IIDES)
by Austin Whisnant

Recent research indicates that organizational insiders perpetrate 35 percent of data breaches, and malicious insider incidents cost organizations a median of $701,500 annually. The study and management of insider threat and risk remain areas of increasingly growing attention, prevalence, and concern, but capturing and sharing information about insider incidents in a standardized way has been a challenge for practitioners. A standard of incident classification and information sharing could allow practitioners to build, maintain, deidentify, and share insider threat case data with an eye toward building more robust data for analysis and insights that benefit their organizations and the whole community. In this post, we introduce the Insider Incident Data Exchange Standard (IIDES) schema for insider incident data collection, provide an example use case, and invite you to collaborate with us on its development.

Read the post in its entirety.

3. The DevSecOps Capability Maturity Model
by Timothy A. Chick, Brent Frye, and Aaron Reffett

Implementing DevSecOps can improve multiple aspects of the effectiveness of a software organization and the quality of the software for which it is responsible. Implementation of DevSecOps is a complex process, however, and the way a program evaluates progress in its DevSecOps implementation is important. We propose here a frame of reference for DevSecOps maturity, enabling organizations to focus on outcomes – value delivered – without excessive focus on compliance.

The Department of Defense’s (DoD) DevSecOps Documentation Set emphasizes program activities that speed delivery, tighten security, and improve collaboration across the software development lifecycle. Evaluating these activities against a set of characteristics, attributes, indicators, and patterns is not sufficient. It must be done within the context of value delivered. Therefore, in this blog post, we first define value in a DevSecOps context. Next, we describe how the DevSecOps Platform Independent Model (PIM) provides an authoritative reference model for evaluating an organization’s DevSecOps capability maturity. Finally, we provide a benchmark example of a DevSecOps capability profile.

Read the post in its entirety.

2. Evaluating LLMs for Text Summarization: An Introduction
by Shannon Gallagher, Swati Rallapalli, and Tyler Brooks

Large language models (LLMs) have shown tremendous potential across various applications. At the SEI, we study the application of LLMs to a number of DoD-relevant use cases. One application we consider is intelligence report summarization, where LLMs could significantly reduce the analyst cognitive load and, potentially, the extent of human error. However, deploying LLMs without human supervision and evaluation could lead to significant errors including, in the worst case, the potential loss of life. In this post, we outline the fundamentals of LLM evaluation for text summarization in high-stakes applications such as intelligence report summarization. We first discuss the challenges of LLM evaluation, give an overview of the current state of the art, and finally detail how we are filling the identified gaps at the SEI.

Read the post in its entirety.

1. Radio Frequency 101: Can You Really Hack a Radio Signal?
by Roxxanne White and Michael Bragg

In 2017, a malicious actor exploited the signals in Dallas’s emergency siren system and set off alarms for over 90 minutes. These types of attacks can affect devices that use radio frequency (RF) technology, from smart security systems to aircraft. RF also plays a critical role in many military systems such as navigation, radar, and communication systems. Common DoD use cases include satellite communication (SATCOM), radar, and tactical data links that help coordinate troop movements, signal position information about a target, or help maintain communication between aircraft and drones.

In this blog post, we explore some of the fundamentals of radio frequency communication, delve into the generalities of protocols and system interactions, discuss common RF tools, and uncover ways malicious actors can attack systems. We summarize the basics of RF technology and the risks associated with it, and we discuss how the SEI is helping to secure wireless communications.

Read the post in its entirety.

Looking Ahead in 2026

Learn more about our cutting-edge research by checking back weekly for posts highlighting the SEI’s work in artificial intelligence, machine learning, cybersecurity, software engineering, and vulnerability management.
