Blog

TL;DR Schellman’s core value of "quality above all" means understanding your business and comprehending why you need any given compliance service. In the case of penetration tests, it's not just about counting how many vulnerabilities we find. Good pen testing gives you risk ratings that fit your actual setup, shows we understand your specific business and technology, keeps communication clear throughout the project, and provides advice you can actually use. We focus on being your security partner and helping you understand real business risk instead of just checking compliance boxes.

The S&P study on Generative AI asserts that, “The percentage of companies abandoning the majority of their AI initiatives before they reach production has surged from 17% to 42% year over year, with organizations on average reporting that 46% of projects are scrapped between proof of concept and broad adoption.”

The EU Cyber Resilience Act (CRA) sets a new regulatory benchmark for product cybersecurity, impacting manufacturers, importers, and distributors worldwide. In this article, we’ll explain the Act’s scope, key requirements, and timeline to help your organization understand what’s changing and how to prepare with a readiness assessment.

Organizations are under increasing pressure to secure and govern their AI systems responsibly. Fortunately, industry frameworks are stepping in to help, including the Cloud Security Alliance (CSA) Artificial Intelligence Controls Matrix (AICM), which maps to the ISO 42001 standard for AI management systems. Together, these frameworks provide a powerful roadmap for aligning AI governance with established security and compliance practices.

As a penetration tester, few things are more frustrating than firing up Burp Suite, configuring your proxy, and then watching Java applications completely ignore your interception attempts. While web browsers play nice with proxy certificates, Java applications seem determined to make your life difficult.

TAMPA, Fla. – August 27, 2025 – Schellman, a leading provider of attestation and compliance services and a top 50 CPA firm, is proud to announce that Marci Womack, Managing Director in Schellman's Federal Practice overseeing the emerging Cybersecurity Maturity Model Certification (CMMC) assessment program, has been appointed to Cyber AB’s inaugural CMMC Third-Party Assessment Organizations (C3PAOs) Advisory Council.

If you’re considering a SOC 2 audit, be it due to a customer request or to strengthen your security posture, you may already understand that this examination will include an evaluation of your product or service on a more operational and security-oriented level. You may even already grasp that during a SOC 2, your scope will be evaluated against a set of trust services criteria (TSC) that provide the backbone of the assessment. But what are the trust services categories, the criteria that make up each category, and which ones will you actually need for your SOC 2 audit? At Schellman, we have over two decades of experience in SOC 2 examinations, and we want to help you navigate what can be a complex process. Read on to discover what inclusion of each category will mean for your SOC 2 examination. From there, we’ll give you some guidelines for your internal conversations when making your choice. Afterwards, you’ll be that much closer to pinning down what you need from your upcoming SOC 2 report.

After nearly a decade of leading penetration testing engagements and growing our team from one tester to 43 professionals, we've learned that the questions you ask during vendor selection can determine whether you'll receive genuine security value and a successful engagement, or just frustrating checkbox exercises.