Hunting Webshells: Tracking TwoFace with @r0bf4lc and I from the 2018 @sansforensics #ThreatHuntingSummit is now available: youtube.com/watch?v=GjquFKa4… New tips for #threathunting #webshells on #MSExchange, check it out!

I made the decision to build @GraphnAISec to be model agnostic very early on. My theory was that context and harness were more important than model. That no matter which model provider you chose, you could achieve the desired results with the right harness and context. I haven't shared this outside of a few demos until now, but the capability has been there for months. Full freedom to choose which provider(s) and model(s) to use with GraphnAI's Multi-Agent Intelligence Service. Each of the 6 agents can be individually configured with a model of your choice, as well as fallback choices if your preferred model is unavailable. I also theorized that organizations would become cost conscious with their token spend. So, I built accounting features with configurable limits to prevent you from unexpectedly exceeding your budget. Full transparency around not only how many tokens the platform is using, but how they're being used. Measurable ROI of agentic activity. Recent news has proven these to be wise decisions.

Someone should start a "Days since Anthropic last reset usage limits for everyone because they screwed something up." counter.

After days of Claude Fable 5 slowly chugging along working on something, and me wondering how anyone is hitting limits on MAX 20x plan... It suddenly decided to spawn 37 agents to review the work it just completed and ate up the entire 5 hour limit in 27 minutes.

Finalized @Techstars application just before storms hit and knocked out my internet. 🤞

I gave Fable a complex spec to implement last night. It split it into 6 slices. 17 hours later, it's still working on the 3rd slice. It's working so slowly, that my MAX plan token limits will reset before it ever exhausts it. I don't know how anyone is burning through token budget with how slow it is at using them right now.

I haven't seen an announcement yet, but it looks like Claude usage limits got reset? I was at ~30% for the week earlier today. Just checked again and now I'm at 1%. Anyone else seeing this?

It's been a few hours... where are all the 0-days? I thought everyone recently decided against responsible disclosure, so shouldn't be in the middle of a 0-daypocalypse with these new model drops? 🤔🤪

I've been building a defensive (blue team) cybersecurity tool with Opus for months. 0 offensive capabilities/features/aspects to it. Opus has never once refused to work on it. First prompt of Fable 5 to work on a new feature in the same project... it thinks for ~20 minutes then comes back with this. 🙄

So Fable 5 argues with itself twice as much as Opus 4.8 then? 🤔🤪

Four months ago, I proudly shared scale testing results for an early private preview version of GraphnAI. ~1M nodes and ~1.8M edges ingested and analyzed in just under 17 minutes! GraphnAI has evolved significantly since then, with 3 additional patents filed covering analysis that goes much deeper. The edge count grew 3x, and that's AFTER our patent-pending edge consolidation cut the total number of edges by ~50%. The focus throughout was accuracy. Analysis stayed fast at small scale, but we knew we needed another round of large-scale testing. Some increase was expected. The initial results were not: analysis at the ~1M node scale had grown over 10x, taking ~177 minutes to complete. I refused to accept that, and the refusal paid off. We've brought analysis down to just over 19 minutes at the ~1M node and ~6M edge scale. That's analysis far more complex and complete, with more features and capabilities than four months ago, at the cost of only ~2 extra minutes. In that post four months ago, I may have said that unlike Domino's🍕in the 80s, I wouldn't be making a "30 minutes or less" guarantee... but I'm happy to see we can still deliver time-to-value of 30 minutes or less (often far less!) even at massive scale. #BuildingInPublic #IdentitySecurity

With all the VC horror stories I've read on here lately, I'm glad my VC experiences have been mostly positive. Then again, I haven't started actively raising yet. Since announcing the founding of GraphnAI at the beginning of the year, I've met with a half dozen or so VC firms, a few bigger names, a few smaller. All interested in investing in a Series A, one interested in Series D. All of them contacted me first and said they like to establish relationships a year or more in advance. Most of them virtual meetings, but a couple in-person too. The VCs I met with were all very attentive and seemed genuinely interested. Because GraphnAI is currently pre-revenue and more on the line between Pre-Seed and Seed, and all the VCs I've met with so far only do Series A or later, I did apply to both YC and a16z speedrun. Rejected by both with the same "we encourage you to try again later" form e-mail most people applying to them get.

But can it run Crysis?

Working on stuff in Claude Code without issue. Start a new session and "SURPRISE! Opus 4.8!". Cool, except every prompt results in this API Error. Completely unusable.

With agentic engineering, there's an interesting opportunity for software companies to significantly reduce, and potentially even eliminate, their tech debt. There's also risk of burying themselves under it faster than ever before. Tech debt most commonly arises from making trade-offs during the software development process to meet business needs. Balancing available resources to ship code by an established deadline. Just like with a credit card, if you only make the minimum payment, you'll end up further and further in debt. With AI being the great accelerator that it is, smart organizations have an opportunity to pay down the tech debt faster than ever or even avoid accumulating it altogether. Think about it like paying your entire credit card balance off every month. You avoid interest payments and may even earn rewards. However, if you're not careful, you could end up accelerating your tech debt accrual rate and end up crushed under it. AI models are trained on decades of human behavior that includes our propensity to make decisions that create tech debt. They are programmed to mimic us. If you lean too far towards the "vide coding" end of the spectrum, you'll quickly end up with a mountain of tech debt. Having seen the consequences of not managing tech debt properly firsthand, my first instinct was to try to avoid it all together. I quickly learned this is a losing battle. Every AI coding agent fights back against it because it's so deeply ingrained in their training and programming. It felt counterintuitive, but embracing the propensity to make trade-offs that create tech debt turned out to be the winning strategy. The key is applying the AI accelerator to the tech debt management process. Allow the agent to create the tech debt, but make it document it with a backlog entry whenever it does. Once the code being worked on is "complete", start a fresh/clean session to resolve the backlog entry before anything ships. This pays the debt off immediately. The speed at which it's able to accomplish these tasks, means you're still shipping significantly faster than you could in the pre-AI era, but with fewer compromises. Because tech debt often creates vulnerabilities, a side benefit to reducing/eliminating it is fewer vulnerabilities.

When there's not enough room in your saddle bags for @drpepper...

Just submitted @GraphnAISec to @speedrun 007! I've had a lot of interest from investors for Series A and later, so this would really help reach the milestones they're looking for at those rounds faster.

When you ask Claude to find a 0-day but forget to tell it not to make any mistakes...

When did everyone forget about "assume breach", "impost cost", and threat modeling? Those concepts have been around a very long time. They seemed to reach peak popularity a little over a decade ago. Today they feel almost forgotten, lost amongst the fear mongering and mass hysteria surrounding the latest AI hype cycle. Is AI accelerating growth of the threat landscape? Probably. Should you panic? Probably not. Let's snap back to reality here. The number of organizations that need to concern themselves with 0-day vulnerabilities is extremely small. Finding and using 0-days may be a little faster and easier with recent advancements in AI, but it still comes at a high cost. It's still much more economical for your adversary to exploit the hundreds to thousands of vulnerabilities that are months to years old lurking in your environment. The biggest ROI for any organization's security program still comes from threat modeling, employing the "assume breach" mentality, and imposing cost. Master these, and you'll never lose sleep over 0-days.