this post was submitted on 30 Mar 2026
6 points (100.0% liked)

Cybersecurity


I'm a DevOps programmer, and would like to get into the security part of it. Do you guys know any tools I should know in DevSecOps? I'm a huge fan of FOSS if that helps.

top 2 comments
[–] ken@discuss.tchncs.de 4 points 10 hours ago (last edited 9 hours ago) (1 children)

Hard to give good advice without knowing more about where you're at. Leaving out the human and organizational aspects, which might be at least as important:

It could do you well to "harden" your environment and take a hard look at the software you are already running, what it does, and how it got there. Try to remove rather than add. Reduce your surface-area and exposure. Consider what options you have to isolate and "lock down" what remains.

Cut out or replace any software that calls home. Isolate and sandbox things. Take a critical look at your supply-chain(s): Are you satisfied with your repos/registries/installation methods? How auditable are your services in reality? Can you improve on that? Are there things that should be mirrored and/or built from source? (BTW, reading the source of the stuff you use and rely on and building it is a good exercise in itself whether you end up relying on the output or not)

Get familiar with relevant monitoring and debugging tools for whatever you have. Learn how to verify and validate your assumptions of "what is going on". This probably involves getting comfortable and intimate with traditional data-engineering processes and tooling.

This applies to everything: shared infrastructure "in the cloud", IDE and browser on your local workstation, transitive dependencies of apps you are working on and their toolchains, etc.

Maybe you need/want to set up some mirrors and dedicated CI. Forgejo is one easy way to get started as it comes with a lot of the components you need in one package.

If not used to doing so already, force yourself to think from first principles. Take fewer things for granted. Practice active threat modeling. Think about trust. Audit yourselves.

The "Sec" part is more about processes, focus and mindset. What tools are important can vary widely depending on what you have to work with.
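One concrete instance of the supply-chain questions raised above (are your installation methods auditable, and can a registry hand you something other than what you reviewed) is to pin every dependency by exact version and content hash and to refuse any artifact that does not match. The Python below is an added example, not code from the thread or from any project mentioned in it. The lockfile, package names and artifact bytes are all constructed inline, and the sha256 pin for `example-lib` is derived from those constructed bytes so the whole check runs offline. It parses pip-style requirements with `--hash=` pins, reports requirements that are not fully pinned, and verifies a downloaded artifact against its pins the way a hash-checking install would; treating md5/sha1 pins as findings is a choice made in this example.

```python
"""Audit a pip-style requirements lockfile for pinning and verify artifact hashes.

Added example for the thread above; all inputs are constructed inline.
"""
import hashlib
import hmac
import re

# Constructed bytes standing in for a downloaded wheel, plus a tampered copy.
GOOD_ARTIFACT = b"constructed wheel contents for example-lib 1.4.2\n"
TAMPERED_ARTIFACT = b"constructed wheel contents for example-lib 1.4.2 + extra\n"

# Constructed lockfile. The sha256 pin for example-lib is computed from the
# constructed bytes above so that verification below is end to end.
LOCKFILE = f"""\
# constructed lockfile for the example
example-lib==1.4.2 \\
    --hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}
unpinned-tool>=2.0
pinned-but-unhashed==0.9.1
legacy-pkg==3.1.0 --hash=md5:d41d8cd98f00b204e9800998ecf8427e
"""

STRONG_ALGOS = {"sha256", "sha384", "sha512"}
EXACT_PIN = re.compile(r"^===?[^*]+$")  # ==X.Y.Z or ===X.Y.Z, no wildcard
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*(?:\[[^\]]*\])?)(.*)$")


def parse_requirements(text):
    """Return a list of (name, specifier, {algo: [hex, ...]}) tuples.

    Handles trailing-backslash continuation lines, '#' comments and
    environment markers after ';'. Raises ValueError on lines it cannot parse.
    """
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):          # continuation: glue the next line on
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            logical.append(buf.strip())
        buf = ""
    reqs = []
    for line in logical:
        tokens = line.split()
        req = tokens[0].split(";", 1)[0]   # drop environment marker
        m = NAME_RE.match(req)
        if not m:
            raise ValueError(f"unparseable requirement: {line}")
        name, spec = m.group(1), m.group(2).strip()
        hashes = {}
        for tok in tokens[1:]:
            if tok.startswith("--hash="):
                algo, _, digest = tok[len("--hash="):].partition(":")
                hashes.setdefault(algo.lower(), []).append(digest.lower())
        reqs.append((name, spec, hashes))
    return reqs


def audit(reqs):
    """Return (name, finding) pairs for every requirement that is not fully pinned."""
    findings = []
    for name, spec, hashes in reqs:
        if not EXACT_PIN.match(spec):
            findings.append((name, "not pinned to an exact version (use ==X.Y.Z)"))
        if not hashes:
            findings.append((name, "no --hash pin; the index could serve a different artifact"))
        elif not any(algo in STRONG_ALGOS for algo in hashes):
            findings.append((name, "only weak hash algorithms (md5/sha1) pinned"))
    return findings


def verify_artifact(data, hashes):
    """True if data matches at least one pinned digest from a strong algorithm."""
    for algo, digests in hashes.items():
        if algo not in STRONG_ALGOS:
            continue
        actual = hashlib.new(algo, data).hexdigest()
        if any(hmac.compare_digest(actual, d) for d in digests):
            return True
    return False


def pinned_hashes(reqs, name):
    """Look up the hash pins recorded for one requirement by name."""
    return next(h for n, _, h in reqs if n == name)


if __name__ == "__main__":
    reqs = parse_requirements(LOCKFILE)
    for name, finding in audit(reqs):
        print(f"{name}: {finding}")
    pins = pinned_hashes(reqs, "example-lib")
    print("good artifact verifies:", verify_artifact(GOOD_ARTIFACT, pins))
    print("tampered artifact verifies:", verify_artifact(TAMPERED_ARTIFACT, pins))
```

Run as-is it flags `unpinned-tool` (range specifier, no hash), `pinned-but-unhashed` (version only) and `legacy-pkg` (md5 only), accepts the constructed artifact for `example-lib` and rejects the tampered copy. The same pattern applies to any lockfile format that records content digests; the point is that the pin lives in your repo, under review, rather than in whatever the registry serves today.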

[–] village604@adultswim.fan 1 point 10 hours ago (last edited 9 hours ago)

https://www.isc2.org/certifications/cc

This cert is a good, free starting point covering the basic principles. It's not DevOps-focused, but it's basic enough that it should apply.