What I’m Thankful for in DevSecOps This Year: Living Through Interesting Times
2025-11-26 05:37:8 Author: securityboulevard.com

There’s an age-old proverb that goes, “May you live in interesting times.” My friends, if this year has taught us anything, it’s that “interesting” is simply too polite. Turbulent, transformative, epoch‐making — take your pick, because we’ve seen it all. Technology, geopolitics, digital society, regulation, human behavior — they’ve been shifting underneath us like massive tectonic plates. And of course, our DevOps/DevSecOps world is right in the middle of the quake.

If you’re reading this, you’re feeling it too. Whether it’s the breakneck pace of generative AI, the widening attack surface of hybrid work, the supply-chain sabotage, or the new era of adversary tools empowered by autonomous agents, we are at a watershed moment. So, in the spirit of the season and in full “Shimmy” voice, I want to reflect on what I’m thankful for — not just as founder and editor, but as a fellow traveller, community member and eternal optimist. Because for all the drama, the disruption, the chaos — there’s still a lot worth celebrating in DevSecOps.

Five Things I’m Grateful for in DevSecOps This Year

1. AI (R)evolution Hitting Security and DevOps — and We Leapt In

The explosion of generative AI, agentic AI and machine learning isn’t just a DevOps story anymore — it’s a cybersecurity story, and a DevSecOps story. Our community didn’t recoil — we leaned in. We experimented with AI for code review, threat hunting, anomaly detection and even “human-plus-machine” workflows. We treated AI not as a foe, but as a collaborator.

But let me be blunt: The attackers got wise, too. AI-driven phishing, automated malware generation, LLMs being used to plan red-team ops — these are real. And because of that, our DevSecOps teams raised their game. I’m thankful we are evolving at the speed the adversary demands.

2. Security Finally Got a Real Seat at the Table

This is one of the big shifts I’ve been waiting for — and I’m grateful we got here. Secure-by-design, shift-left, supply-chain resilience — they’re not optional anymore, they’re operational. High-profile breaches across sectors — from luxury retail to healthcare to manufacturing — forced us out of complacency.

Tools like SBOMs (software bills of materials), zero-trust architectures and continuous compliance — they’re moving into the baseline. And as someone who’s talked about DevSecOps for years, it’s personally rewarding to see the conversation flip from “should we” to “how do we best.” But make no mistake: We’re far from finished.

3. Hybrid/Remote Work, Culture and Resilience — We’re Not Only Surviving, but We’re Adapting

Remember the mad dash to remote in 2020-21? This year, it matured. Hybrid is now the norm — so is our DevSecOps culture. I’ve seen teams refine asynchronous workflows, inject incident-response practices into remote environments, and lean on observability and security pipelines even when no one is physically co-located. I’m thankful for the resilience this community shows.

And culturally: Inclusive practices, diversity of voices, international cooperation — these things matter in security just as much as in DevOps. Because adversaries don’t respect borders or time zones, and neither should we.

4. Platform Engineering + Developer Experience Meet Security Requirements — And That’s a Good Thing

If you’d told me five years ago that “platform engineer” would become a hot title in security-conscious DevOps, I’d have raised an eyebrow. But here we are. Internal Developer Platforms (IDPs), self-service dev & sec pipelines, secure infrastructure as code — all of that is becoming mainstream. And I’m grateful.

Why? Because when engineers say “I just want to build,” and I hear “I just want to build safely,” we’re winning. When we can reduce friction for developers and bake in the guardrails for security, we get velocity and resilience. That’s the sweet spot.

5. The DevSecOps Community: Stronger, Louder, More Inclusive

This one never changes — but this year it felt truer. From hearty debates about burnout to real talk about supply-chain flaws, identity and inclusion, we showed up for each other. The open-source tools, the community projects, the sharing of “we screwed up and here’s what we learned” stories — they’re wonderful.

I’m thankful for every practitioner who decided to show vulnerability, to speak up, to mentor, to champion someone new. The adversaries may be ruthless — but so are we in our collaboration. That gives me hope.

Three Things We’re Less Thankful For (And Must Fix)

1. The Unrelenting Talent Crunch, Layoffs and Burnout

We’re desperate for DevSecOps talent. Demand is off the charts. Yet supply is lagging. The result? Overwork, incident rates, stretched staff, teams that skip the reviews to just “get it out the door.” That’s not sustainable. The layoffs we’ve seen in “tech” broadly still ripple into our space. I wish I could help every friend seeking the next gig. We’ve got to invest in training, mentorship, compassion and sustainable practices. Because this field runs on human energy — not just tools.

2. Tool Sprawl, Complexity and the Friction Trap

We all love tools. But dear Lord, the tool chains are getting bloated. Monitoring dashboards here, SIEMs there, agent tools everywhere, orchestration platforms, IDPs, cert-management… It’s easy to lose flow. And guess what? Attackers love complexity too — because it gives them hiding spots.

We need a renaissance of simplicity, clarity and focus. Because delivering value + staying secure shouldn’t feel like running a marathon uphill in a windstorm.

3. Security Theater, Compliance Mindlessness and False Comfort

Yes — I’m thankful that the “S” in DevSecOps is getting attention. But too many organizations still treat it as a checkbox exercise. If your board wants “cyber hygiene” and all you do is generate reports and tick boxes, you’re in trouble. Regulation is important but insufficient when it’s just bureaucratic motion. We need proactive resilience, incident readiness, truth-telling metrics, not “we’re compliant, so we’re safe” fiction.

Shimmy’s Take: Grateful Beats Grumpy, Every Single Time

Looking back, it’s abundantly clear: We. Have. A. Lot. More. to be thankful for than to rage about. The future of DevSecOps is brimming with possibilities. AI, when wielded with discipline and human values, will supercharge our teams — not replace them. Our push toward secure, resilient pipelines, supply chains, identity-centric architectures, and inclusive cultures will pay dividends. And that beating heart of community — stronger, more curious, more generous than ever — is our secret reagent.

So, as we head into the holiday season, what am I excited about? New technologies, yes. New threats? Unfortunately yes. New voices, fresh perspectives, bold partnerships. That’s what gives me energy. Because I believe with every fiber of my Blues-Brothers-hat self: The best days of DevSecOps are ahead of us.

To all the security ops, devs, platform engineers, incident responders, mentors, advocates, challengers, skeptics and champions reading this — thank you. From the bottom of my heart. I’m thankful for your continued passion, your shared curiosity, and your willingness to step into the unknown and make it better.

From the dock at Boca Cove to the cloud securely humming somewhere, let’s keep building, breaking, fixing, learning — and above all, working together.

Article source: https://securityboulevard.com/2025/11/what-im-thankful-for-in-devsecops-this-year-living-through-interesting-times/