Forum Discussion
How and where do you evaluate Windows Server vNext?
quote: "I never considered security issues in Windows Server vNext since this is preview and not for production. As it's preview code, there could be security issues that don't get discovered and published as CVE even though the base might be quite similar to Windows 11 preview"
This is a double-edged sword; you can argue that using test builds of any software or OS can make you safer than others, given that you know what you're doing, because mainstream exploits from APTs are developed for versions that most users are on: this is also amplified by security fixes usually being sent to test version users, to be softly tested or just due to it being in master of its codebase early, ahead of the vulnerability disclosure and patch. Or when security improvements are long lead, by putting a wrench in the foundation of some components, for example to secure against entire classes of attacks.
Of course, some individuals and corporations can also be specifically targeted, for which their environment and versions of whatever is to be attacked are mapped out, but it's not like the attacker has access to Windows OS source code to easily spot newly added shortcomings anyways; more likely than the test build being of any help to their attack is that they are in a knowledge debt towards the things changed in said build, having to do more effort or having to make changes to un-break their method of attack as it wasn't seen in the mainstream targeted crowds yet.
As with any deployment of Windows Server, main or preview, it's crucial to harden the system for its specific role and scenarios, so that automated bots and exploit scanners/pentest before hack attempt will reach the lowest amount of services possible, as each one may have recently incorporated a design flaw leading to vulnerabilities. The danger from known insecure protocols and that Windows is never secure out of the box is higher than any flaky code added here. All around, as long as the sysop knows what they are doing, they should be safe, and for the reasons I mentioned may even be safer than without insider.
Final thing I'd like to mention is that as long as a new build arrives on the Thursday or Friday after the Microsoft monthly Patch Tuesday (second Tuesday of any month), it should incorporate all CVE vulnerability patches, security fixes that MS released to main versions of either Windows Server or Windows 11, because insider preview builds are known to be based off of the master branch, as Microsoft words it "The latest code from our engineers". So, as long as builds are on time, insider preview users, whether it be server or Win11, should be able to keep themselves safe in regards to known and patched vulnerabilities, as long as the user also understands that at this timing of Patch Tuesday it's more critical to decide on updating their OS than on other weekly build dates.