Roughly 1,000 people have already left the nation's top cybersecurity agency during the second Trump administration, a former government official tells Axios — cutting the agency's total workforce by nearly a third.

Why it matters: The Cybersecurity and Infrastructure Security Agency is also facing a potential 17% budget cut under the president's proposed budget — raising fears that power grids, water utilities, and election systems could be left without a well-equipped federal partner as cyber threats mount.

The big picture: Trump officials are actively pursuing plans to increase offensive cyber operations against adversarial nations like China — and experts warn those nations are bound to respond in-kind to those strikes.

• But security experts fear that with a smaller cyber defense agency, the country won't have the resources needed to protect the homeland.

Driving the news: The White House suggested cutting CISA's workforce by 1,083 positions — from 3,732 employees to 2,649 roles — during the 2026 fiscal year in its proposed budget, released Friday.

• However, the agency has already reached those numbers, sources tell Axios.

Zoom in: About 600 people at CISA took the Department of Homeland Security's second buyout offer in the last two months, according to a source familiar with the matter. Their last day was Friday.

• Roughly 174 people had taken the first round of deferred-resignation offers as of March 28, according to a second source familiar with the matter.
• The rest of the roughly 1,000 departures likely involved people working on government contracts or teams — like the election integrity unit or diversity-and-inclusion offices — that have reportedly been cut, the former official told Axios.

Between the lines: Sources did not have precise details on which departments have been slashed, but public social media posts and other reporting suggest the losses are widespread — including in several of CISA's most visible and impactful initiatives.

• An internal memo sent to employees last week says that virtually all of CISA's senior officials have now left.
• Lauren Zabierek and Bob Lord, two officials who oversaw the agency's touchstone "Secure by Design" initiative, left last month.
• Matt Hartman, the No. 2 official in CISA's cybersecurity division, departed last week.
• Members of CISA's international partnerships and engagement division also left, according to LinkedIn.
• Lisa Einstein, who was CISA's chief AI officer, resigned in February.
• Boyden Rohner, assistant director of CISA's integrated operations division, took an early retirement offer in April.

What they're saying: "I've personally seen how CISA has lost its very best," Jack Cable, CEO and co-founder of Corridor and a former CISA employee who departed in January, told lawmakers during a field hearing in Silicon Valley last week.

• "In the face of increasing threats, we can't undermine the capacity of America's cyber defense agency and its ability to attract and retain the best technical talent," he added. "This only makes us less secure as a nation."

In a statement to Axios, CISA executive director Bridget Bean said the agency has "the right team in place to fulfill that mission and ensure that we are prepared for a range of cyber threats from our adversaries."

• "CISA is doubling down and fulfilling its statutory mission to secure the nation's critical infrastructure and strengthen our collective cyber defense," Bean said.

The intrigue: The agency has considered scrapping plans for mass layoffs due to the overwhelming response to the buyouts, the former official noted.

• Politico Pro previously reported on this possibility.

What to watch: Sean Plankey, Trump's pick to run CISA, will testify before the Senate Homeland Security Committee on Thursday and is expected to field questions about the workforce cuts.

• CISA has already started to appoint new officials to senior roles: Madhu Gottumukkala, former CIO at South Dakota's Bureau of Information and Technology, is now the agency's deputy director. Kate DiEmidio, who most recently was the vice president of government affairs at Dragos, just came on board as CISA's legislative affairs chief.

The number of cybersecurity job listings in the U.S. grew 12% in the last year, according to new data from CyberSeek.

Why it matters: The data is a win for the industry, which has seen its fair share of layoffs and hiring lulls in the last two years.

The big picture: Cybersecurity appears to be a bright point as hiring in the tech industry slowed over the last year amid AI disruptions and broader macroeconomic anxieties.

• The new CyberSeek data tracks changes in the cybersecurity market between May 2024 and April 2025.

Yes, but: The U.S. has only enough cybersecurity workers to fill 74 out of every 100 open jobs, according to the data.

• It also took about 21% longer for recruiters to fill these roles than other tech jobs during the year-long period.

Zoom in: Employers listed more than 514,000 cyber-related jobs between May and April — marking an increase of about 57,000 job listings.

• Most cybersecurity job postings focused on oversight and governance, implementation and operation, and design and development roles.
• Only 54% of the roles required either a bachelor's degree or a graduate degree, according to CyberSeek — suggesting that employers are becoming more comfortable with hiring people with nontraditional backgrounds.
• Virginia, California and Texas had the most cybersecurity job postings.

The intrigue: In the last 12 months, 10% of employers recruiting for cyber jobs explicitly listed AI as a required skill.

Cybersecurity companies are calling a truce in the war over what to call nation-state spies — kinda.

Why it matters: Fancy Bear, Forest Blizzard, APT28 and Iron Twilight all describe the same Russian military hacking unit.

• It's nearly impossible for anyone outside the cybersecurity world to understand which hacking groups matter when each one comes with a half-dozen names.

The big picture: Cybersecurity vendors have historically used their own internal naming systems to track nation-state and cybercriminal hacker groups.

• Part of that is marketing: If one company's name becomes the most recognized, a customer might turn to that company first when that group hacks its systems.
• But researchers have long noted that these inconsistencies also reflect deeper disagreements — each vendor draws different lines for who is considered in what group.

Zoom in: Microsoft, CrowdStrike, Palo Alto Networks and Google unveiled a new partnership yesterday to help decode their own naming conventions.

• To kick things off, Microsoft and CrowdStrike published the first version of their joint threat actor mapping project.
• CrowdStrike said in its own blog post that the duo has already "deconflicted more than 80 threat actors through direct, analyst-led collaboration."
• Google, including its Mandiant unit, and Palo Alto Networks will also contribute.

Between the lines: "Disparate naming conventions for the same threat actors create confusion at the exact moment defenders need clarity," Michael Sikorski, chief technology officer for Palo Alto's Unit 42 threat intelligence unit, told Reuters.

Yes, but: The effort acts more like a glossary than a naming overhaul.

• Rather than coming up with a unified system, the map just gives cyber defenders a new, single reference point that helps them translate the various names.

@ D.C.

☎️ An unknown individual appears to have spoofed White House Chief of Staff Susie Wiles' phone number and has been impersonating her in calls and texts to Republicans and business executives. (Wall Street Journal)

👀 Palantir has received more than $113 million in federal government spending since the second Trump administration started as it helps DOGE facilitate information-sharing across federal agencies. (New York Times)

📇 The Trump administration is expected to soon rename the AI Safety Institute to the Center for AI Safety and Leadership. (Axios Pro)

@ Industry

💰 Zscaler has agreed to buy managed detection and response provider Red Canary for an unspecified amount. (Cybersecurity Dive)

📈 Netskope has hired Morgan Stanley to help it prepare for a potential U.S. initial public offering that could raise more than $500 million. (Reuters)

🙈 A day after reporting quarterly earnings, SentinelOne faced hours-long service outages last week that made it impossible for enterprise customers to see the threats on their networks. (Axios)

@ Hackers and hacks

⚠️ Both The North Face and Cartier disclosed that hackers stole customers' information in recent cyberattacks. (BBC)

🛍️ Victoria's Secret temporarily took down its U.S. website last week and told employees to avoid using company technology amid a "security incident" targeting the retailer. (Bloomberg)

🚔 International law enforcement last week seized and took down the web infrastructure of AVCheck, a large-scale service where cybercriminals checked if legitimate antivirus tools had detected their malware. (CyberScoop)

🏔️ I sat down with Dr. Cornel West at the inaugural Web Summit Vancouver last week to talk about a topic off the beaten cybersecurity path: the meaning of "truth" in a tech-driven world.

• 💡 "Before the worms get my body, I want to bear witness to a truth bigger than my career," West told the audience. "I don't want to just be a brand on my life — I want to be tied to a cause."
• 📺 Check out the rest of our conversation here.