Writes "Starting Up Security" @ scrty.io, tweets horror stories @badthingsdaily

Joined March 2009
Ryan McGeehan retweeted
I strongly believe there are entire companies right now under heavy AI psychosis and it's impossible to have rational conversations about it with them. I can't name any specific people because they include personal friends I deeply respect, but I worry about how this plays out. I lived through the great MTBF vs MTTR (mean-time-between-failure vs. mean-time-to-recovery) reckoning of infrastructure during the transition to cloud and cloud automation. All those arguments are rearing their ugly heads again but now it's... the whole software development industry (maybe the whole world, really). It's frightening, because the psychosis folks operate under an almost absolute "MTTR is all you need" mentality: "it's fine to ship bugs because the agents will fix them so quickly and at a scale humans can't do!" We learned in infrastructure that MTTR is great but you can't yeet resilient systems entirely. The main issue is I don't even know how to bring this up to people I know personally, because bringing this topic up leads to immediate dismissals like "no no, it has full test coverage" or "bug reports are going down" or something, which just don't paint the whole picture. We already learned this lesson once in infrastructure: you can automate yourself into a very resilient catastrophe machine. Systems can appear healthy by local metrics while globally becoming incomprehensible. Bug reports can go down while latent risk explodes. Test coverage can rise while semantic understanding falls. Changes happen so fast that nobody notices the underlying architecture decaying. I worry.
8 Oct 2025
I wish all security pros practiced a scenario-first mindset. Explanations based on risk scenarios before jumping to best practices, gaps, controls, compliance etc. I wrote an essay to coach on this: "Writing a risk scenario" medium.com/starting-up-secur…
17 Jul 2025
I wrote about that moment every security team faces when someone asks if they can work from China for a while, and then everyone freaks out. magoo.medium.com/the-working…
18 Nov 2024
Ramping up on bluesky 🦋: bsky.app/profile/mag00.bsky.…

2 Oct 2024
My "Starting Up Security" writing correlates to my caffeine intake which has dropped off over the last few years. Today I got tricked into an actual coffee, so drafts are open. Taking any requests, just DM ☕️
Ryan McGeehan retweeted
“Detection is a problem I describe as deceptively tractable.” @Magoo on 🔍 Prioritizing Detection Engineering
Proposed implementation order:
1. Get logging in order, focusing on query-ability and minimum viable logs.
2. Spend time on hardening before formalizing detection.
3. Introduce high-quality detections and alerts, starting with a reference alert and focusing on invariants.
4. Address management challenges before scaling detection efforts.
5. Fully embrace an engineering approach to detection, with the ability to throttle or accelerate work as needed.
medium.com/starting-up-secur…
17 Sep 2024
Malware (!!??!!) may have been the factor in an attack that blew up hundreds of Hezbollah Operatives' pagers in an attack.
17 Sep 2024
I will be really surprised if these were not sabotaged before delivery somehow.
14 Aug 2024
Should CVE-2024-38063 be more widely discussed? It's a zero-click IPv6 RCE (????). Am I just not reading this right? Normally there's a lot of panic about ITW exploitation, exposed hosts, and wormability for a vuln like this. I gotta be missing something. msrc.microsoft.com/update-gu…

Ryan McGeehan retweeted
1/ Thrilled to announce we’ve raised $150mm Series C at a $2.45bn post valuation led by @sequoia alongside our existing investors @ycombinator, @CrowdStrike, @craft_ventures, @Atlassian, @Workday, and @HubSpot and new friends @GoldmanSachs and @jpmorgan. The terms on this round are exactly as we aim Vanta experiences to be: straightforward and clean.
30 May 2024
A good read on work imbalances in security orgs, a topic I have touched on often over the years. Adding some things to the discussion from my experiences working with teams. A short 🧵 /1 x.com/ramimacisabird/status/…

Asymmetric workloads are the double-edged ⚔️ of force multipliers. Security can add asymmetric costs on our orgs, just as our orgs can incur outsized costs on us. I talk about this problem, with examples and tips for mitigating, over with @clintgibler tldrsec.com/p/dont-security-…
30 May 2024
In this essay, I suggest a model for security work that tries to wrap around and reduce toil from ops, incidents, and surprises from the business. This is just another way of looking at the overall work created by a security org, becoming efficient. medium.com/starting-up-secur…
30 May 2024
Offensive work, detection engineering, and compliance are especially common sources of painful imbalances. Easy to argue to include others too. My written commentary has mostly been on negative imbalances, but they can be framed positively too.