
AppSec Santa Weekly

Opinionated changelog analysis and category trends from 290+ AppSec tools — delivered every Tuesday.

216 releases tracked · 6 issues published · 290+ tools watched · 70+ repos

Latest issue
45 releases tracked

#6 — MCP Ships a 200K-Server Protocol RCE, Endor Finds 83% of AI Code Insecure, Nuclei Patches Two CVEs

Anthropic's MCP ships a 10-CVE protocol-level RCE hitting 200K instances. Endor's new benchmark finds 83% of AI-generated code has security bugs. Nuclei, Trivy, Semgrep, Ostorlab all ship. CISA escalates axios. 45 releases tracked.

By the numbers: 216 releases tracked · 6 weekly issues · 290+ tools watched · 70+ repos monitored
Older issues

#2 — RSAC 2026 Opens: AI Agent Security Dominates, Trivy Compromised Twice

Week of March 17-24, 2026: RSAC 2026 opens with AI agent security from Snyk, CrowdStrike, Microsoft, Palo Alto. Trivy GitHub Action compromised twice via tag poisoning. Semgrep Multimodal launches. Google completes $32B Wiz deal. 25 releases across SCA, IaC, SAST, Mobile, ASPM.

25 releases

#1 — OpenAI Acquires Promptfoo, SCA Leads with 9 Releases

First issue: OpenAI acquires Promptfoo, Mondoo raises $17.5M and ships v13, Gatekeeper v3.22 flips a production default, and SCA leads all categories with 9 releases.

29 releases

About This Newsletter

AppSec Santa Weekly is a free weekly newsletter with opinionated changelog analysis and category trends from 290+ application security tools across 10 categories. Each category section starts with a trend observation — where the tools are heading and what patterns are emerging — followed by individual release breakdowns with context on what they mean.

I built this for security engineers, DevSecOps teams, and anyone who picks tools for a living. No funding news, no conference recaps, no fluff — just tools, changelogs, and what they tell us about where AppSec tooling is going. I track 70+ GitHub repos and 89 vendor blogs every week and package it into a 3-minute Tuesday read.

Frequently Asked Questions

What does AppSec Santa Weekly cover?

Each issue covers changelogs and releases across 10 AppSec categories (SAST, SCA, DAST, IAST, RASP, AI Security, API Security, IaC Security, ASPM, Mobile Security) with opinionated analysis on what each release means for the category. I don't just list what shipped — I explain why it matters and how it fits into broader tooling trends.

How is this different from other AppSec newsletters?

Most newsletters aggregate security news, funding rounds, and blog posts. I focus exclusively on tools and their changelogs. Each category section starts with a trend observation, and each release gets context — like how a new Semgrep feature diverges from or aligns with what other SAST tools are doing.

How often is the newsletter published?

Every Tuesday. Each issue takes about 3 minutes to read. I cover the previous week's releases across all 10 categories.

Who writes AppSec Santa Weekly?

I'm Suphi Cankurt — I've spent years in application security and I run AppSec Santa, an independent comparison site covering 290+ security tools. I track changelogs across 70+ GitHub repos and 89 vendor blogs every week.

Is the newsletter free?

Yes, completely free. No premium tier, no paywalled content. I built this because I was already tracking these releases for AppSec Santa — the newsletter is that research packaged with analysis into a weekly format.
