It's been an interesting year in security, with many predictions coming true. The increasing difficulty of understanding attack surfaces is a major challenge, driven by the proliferation of IoT devices and cloud adoption. DevSecOps began to take hold this year, with security practices being implemented earlier in the development cycle, offering a more holistic view of vulnerabilities and faster vulnerability fixing. CI/CD drives application development teams to deliver code changes more frequently, making security a first-class citizen. Broken business logic is a vulnerable area, and companies with mature security programs are clearing out low-hanging fruit, discovering new issues. The importance of human creativity and intelligence in identifying and addressing security vulnerabilities will only increase as the attack surface grows. Security will remain critical in the boardroom, with reporting on security metrics becoming essential for companies to show their commitment to improving security. Consumer demand is driving this shift, and we can expect to see more emphasis on security as a differentiator and marketing tool.