During what is a busy time for cybersecurity reporters, I'm grateful to have had the opportunity to speak with Cynthia Brumfield. Cynthia contributes regularly to CSO Online, among other tech and cybersecurity publications, including her Substack, Metacurity.
Together, we explored everything from how she approaches Black Hat convention coverage to why staying for DEF CON is so important, along with the agenda gaps she’s noticed that were historically filled by public policymakers. Beyond the trade shows, we also discussed product news and her secret sauce for identifying trends that matter to her readers.
I’ll be on the ground in Vegas next week for DEF CON, and plan to interview some other familiar faces in cybersecurity.
I’m curious to learn about how you tackle coverage for larger industry conferences.
Every year I’ve covered what I call the “Hacker Summer Camp” events has been different. I've covered two [Black Hat conferences] in person, on the ground, live. That's been much different than attending them remotely. Of course, you really can't attend DEF CON remotely, so remote coverage is contingent on research that's released in conjunction with both Black Hat and DEF CON. That research gives me a sense of the information being conveyed at DEF CON.
Because I'm a freelancer, my time allocation and pitches are contingent on what the publications want. The year before last, I wrote several big pieces on the ground from both DEF CON and Black Hat around two specific angles, because the publication I was writing for really wanted to get at those particular questions. In other circumstances, I go through the agenda for both events and identify writing opportunities that way. It’s all contingent on editorial interest and what people are willing to pay for.
We’ve heard many reporters say they prefer to be in Las Vegas the second half of the week so they can also attend DEF CON. Is that your preference as well?
There’s a lot of overlap. Many organizations and researchers will give a talk at Black Hat and share the same presentation or talk at DEF CON, but the approach is different. Black Hat tends to be more corporate than DEF CON. I mean, we’re forgetting BSides Las Vegas, which always sounds very cool and usually precedes the other two big events, but has a lot of the same kinds of speakers and content. I haven't been fortunate enough to get to Vegas early enough to attend BSides Las Vegas, but when I have attended [the major shows] in person, I'm there the entire week.
It's a Las Vegas overdose. That's what happened the year before last, when I went in person. Part of it is because I do want to be there for everything, but it depends on the budget and how much intestinal fortitude people have to spend that much time in Vegas, where they think the more interesting topics will be. DEF CON is more interesting in some respects than Black Hat because it’s much less corporate and marketing-focused. But so much of DEF CON is off the record, as is the video and image-based content, where it’s not at Black Hat.
They’re both good. I’m feeling a little bit of FOMO by not going this year. On the other hand, I've been to Vegas three times in the past year, so I'm not terribly sad to not be going.
How do you feel about product news generally?
Well, I’ll be honest and say that 99% of the pieces that I'm pitched are products. They're kind of banal in their approach. Nothing is exciting about them, nothing interesting.
I do tend to look more at embargoed pitches because they may include something interesting that nobody else has covered. Seldom do I take a pitch that’s been pitched to me and then pitch to my editors, but I will use that pitch at some point if it's relevant to a topic I'm interested in that has a good angle for the readership of the various publications.
I hate to burst your bubble, but rarely do I pick up a pitch and say, “I’m going with that one.”
What is it like to work as a freelancer for CSO? Do you have the freedom to cover what you want, or does a dialogue need to happen with your editor in the weeks leading up to publication?
None of the publications I freelance for want product pitches. That's not their media. That's not what they do. I have another publication of my own called Metacurity, where sometimes products make it in because they're hooked to a bigger news story or a bigger angle.
I've had people say to me, “Why don't you include this product announcement of my company in Metacurity?” I tell them that’s not what I do.
It’s just not engaging to you.
Some products are just so dynamite that you can't not include them, and they’re engaging in different ways, but for the most part, no.
What product in the last six to 12 months have you heard about and said, “That’s dynamite?”
Google has an AI agent it calls Big Sleep. The PR team shared that Big Sleep detected a second critical vulnerability that was on the radar of threat actors, but hadn't been exploited yet.
How do you decide what to include in your newsletter?
About six years ago, I sat down and built this system that would go through RSS feeds and pick out stories based on keywords. Then, if multiple publications covered that particular keyword, it would cluster all the publications together.
That’s what, to a large degree, guides my prioritization, both for Metacurity and what I pitch to other publications. Today [July 21], for example, my system flagged SharePoint’s zero-day. So, when I ran the system, it clustered 16 to 17 different articles at the top of the results that I ran through this complex algorithmic system. I use that as a guide very frequently for what is and isn’t relevant.
I also keep an eye on social media to see what people are talking about on Bluesky. A major scoop by top publications will catch my attention, even if my algorithm disagrees.
What do you anticipate will be the top three or four trends that show up in your inbox?
It’s hard to know. AI has been so dominant the last couple of years, and is even more so now. We even have subverticals of AI now, “vibe hacking” and “vibe coding.” There’s also the evolving law and policy surrounding emerging AI products. That’s going to be dominant, too.
When it comes to Hacker Summer Camp, it's hard for me to tell you because a lot of my previous DEF CON and Black Hat pieces have been driven by public policymakers who show up and give keynotes. The last time I checked the agenda, there were a few from the public policy arena, but it was even very light this year at the RSAC Conference. There aren’t the kind of keynote speeches that you've expected from a week at Black Hat. I assume threat intelligence will be divulged during the event, which will probably be focused on China. China still seems to be dominant as it has been over the last couple of years.
You mentioned not seeing a significant number of keynotes from public policymakers this year. We get readouts of reporters being added to the attendee list. It seems smaller than in past years. I wonder if there’s a correlation there.
This year, we have the added dark cloud of the Trump administration pulling people out of line at airports and detaining them before returning them to their home countries. The grounds for this are difficult to determine. I know, and you probably know, who some of these people are who say they're not coming to Black Hat and DEF CON because they don't want to risk it. That's been a disincentive. I suspect that's true for many events.
You’ve covered the Trump administration’s cybersecurity policy closely since his inauguration. Do you find sources to be forthcoming with their opinions, or are they guarded?
It was even difficult under the Biden administration. CISA was very helpful in communication around the CVE (Common Vulnerabilities and Exposures) Program because they are the primary funder. The House Committee on Homeland Security is really good.
How have cybersecurity vendors helped to close the gap?
Vendors and CISOs in particular have been very communicative with me on all kinds of issues. But there's a real hesitancy at the moment to step into the political arena, because no one wants to be publicly supportive or critical of anything that may be transpiring. No one wants to say anything in either direction.
We’ve discussed industry shows, but do you attend vendor conferences?
As a freelancer, I don't have the budget to attend vendor conferences using the publication’s budgets. There are sponsored vendor conferences, which I’ve attended on my own. They have to be really interesting. I want to make connections and learn more about topics that are relevant to me. I’m very choosy.