Beyond code: Building security for modern organisations
Security has fundamentally changed.
Our latest research shows that operational failures, compromised credentials, governance weaknesses, and social engineering now cause more financial damage than smart contract vulnerabilities.
This month’s releases reflect that reality, from launching an open-source threat modelling framework built for modern organisations to becoming an official SEAL Certification provider and publishing one of the largest empirical studies ever conducted on Web3 security.
Product updates
Introducing TRACE: Threat modelling for modern organisations
Modern organisations no longer operate behind a single security perimeter.
Critical infrastructure now spans cloud platforms, third-party providers, contractors, automation, remote teams, and distributed decision-making. Traditional threat modelling frameworks weren’t designed for this environment.
That’s why we released TRACE, Oak Security’s open-source threat modelling methodology for distributed, cloud-first organisations.
TRACE helps organisations model:
Technical systems
Human decision-making
Organisational structure
Trust relationships
External dependencies
The release includes:
Complete TRACE methodology
Long-form research paper
TRACE is released under the Creative Commons Attribution 4.0 (CC BY 4.0) licence and is free to use, modify, and build upon.
The OpSec Academy
Threat modelling is only one part of operational security.
We’ve also expanded the Oak OpSec Academy, a growing library of free operational security guides covering:
Device hardening
Wallet and key management
Infrastructure security
Authentication
Secure communications
Incident response
Physical security
Every guide is free to access and designed to provide practical improvements your team can implement immediately.
Oak Security is now a SEAL certification provider
Operational security has become one of the largest sources of loss across Web3.
We’re pleased to announce that Oak Security can now perform SEAL Certifications.
Unlike traditional smart contract audits, SEAL Certifications evaluate whether protocols can:
Defend against operational threats
Detect incidents quickly
Respond effectively when attacks occur
As operational failures increasingly dominate ecosystem losses, security assessments need to evaluate far more than code.
Interested in obtaining a SEAL Certification? Contact us at info@oaksecurity.io or via the contact form
Research spotlight
The state of Web3 security (2022 - Q1 2026)
Together with rekt.news, we’ve published one of the largest empirical studies ever conducted on Web3 security.
The dataset includes:
23,818 published audit findings
22 auditing firms
218 exploit incidents
$7.76B in documented losses
Key findings
Human attacks now dominate losses
More than 52% of all documented losses originated from:
Phishing
Private key compromise
Social engineering
Supply-chain attacks
More audits ≠ fewer losses
Audit activity tripled between 2022 and 2024, yet ecosystem-wide losses remained largely unchanged.
Losses remain concentrated
The eight largest incidents account for more than half of all recorded losses.
Risk has shifted
Operational failures, governance attacks, and private key compromise now create greater economic impact than traditional smart contract exploits.
Ethereum and BNB Chain dominate losses
Together they account for approximately 94% of recorded incident losses.
Industry watch
AI security is moving from theory to reality
June marked one of the most significant months yet for AI cybersecurity.
Highlights included:
New U.S. government initiatives focused on frontier AI security
Growing international cooperation around advanced AI safety
Rapid improvements in autonomous vulnerability discovery
Increasing concern over prompt injection, agent hijacking, and AI supply-chain attacks
The trend is becoming clear:
AI is simultaneously strengthening defenders while dramatically increasing attackers’ capabilities.
Organisations can no longer treat AI as an experimental productivity tool; it has become part of both the attack surface and the security toolkit.
OpSec tip of the month
Audit your AI tools and agents
AI assistants, coding agents, local models, and chatbots increasingly have access to files, repositories, APIs, and sensitive conversations.
Treat them like privileged insiders.
This month:
✓ Inventory every AI tool your team uses
✓ Remove unnecessary permissions
✓ Restrict access to only required repositories or folders
✓ Prefer isolated environments for sensitive work
✓ Schedule a recurring 30-day permission review
Least privilege applies to AI too.
CypherTalk highlights
AI-Assisted Security with Prof. Arthur Gervais
This episode explores:
How AI is transforming vulnerability discovery
AI-assisted smart contract security
Real-time blockchain exploit detection
The balance between offensive and defensive AI
Why human expertise remains essential in an AI-driven security landscape
Emerging threats from AI-powered social engineering and autonomous agents
Peter Kacherginsky returns to share the latest in Web3 security
This episode explores:
Why operational attacks are replacing smart contract exploits
Threat intelligence for defenders
AI’s growing impact on cybersecurity
Architectural security and threat modelling
Predictions for the next generation of attacks
SEAL certifications with Isaac Patka
This episode explores:
Why operational security needs its own certification
Incident response and SEAL 911
Human risk and social engineering
Multisig security
AI and the changing attack landscape
Building resilient protocols beyond smart contract audits
Regulators’ corner
Why the CLARITY Act matters
Jan recently spoke with Jacob Robinson, host of the Law of Code podcast, about:
The CLARITY Act
Permissionless innovation
Decentralisation and regulation
The future of crypto compliance
If you’re interested in how regulation is evolving alongside Web3 security, it’s well worth a listen.
Stay connected
Looking to strengthen your protocol’s security?
Whether you’re interested in security audits, operational security, SEAL Certification, threat modelling, or protocol design, our team is here to help.
Get a quote for your project, schedule a call with our team, follow us on X, and sign up for our newsletter for simplified and curated Web3 security insights.

