From my experience all software developers are now security engineers wether they know it, admit to it or do it. Your code is now the security of the org you work for. #GoldenAgeOfDefense

🤔

As a result of a US government directive, we are suspending access to Claude Fable 5 for all users. You can continue to use all other Claude models. Here’s what this means for you: Across Claude products, new sessions will run on your selected default model or Opus 4.8, and existing Fable 5 sessions will end with an error. On the Claude Platform, requests to Fable 5 will also return an error. Please update your integrations to other Claude models. We know this is a disruption to your workflows; we appreciate your patience and support.

Something no one ever said: “We’re getting attacked what should we do?” “Quick! Let’s update our requirements doc and GRC documentation!” 😁

Thank you very kindly, Ryan! 🤙

If you’re a developer you need to join this webinar. Jim is a top tier practitioner for secure coding.

i hooked my whoop to my work calendar to find which coworker gives me the most stress 🚨 thanks to fable, I reverse engineered whoop to pull per minute heart rate. nd matched spikes with cal events and attendees I now have a leaderboard and I think about it daily. few info masked for obvious reasons ;)

We're in the final review phase of OWASP AISVS 1.0, releasing June 24, 2026. Sections C1 and C2 are staged for final review. Can you take a look with an eye for release quality? C1: github.com/OWASP/AISVS/blob/… C2: github.com/OWASP/AISVS/blob/… Feedback via GitHub welcome. Thank you!

I'm doing a free live webinar on Monday, June 15 and I'd love for you to join me. We'll set up a secure Claude Code environment from scratch, load up the Manicode secure coding prompts, and run Claude Code and Codex side by side . Live, no slides, just real demos. 60 minutes on Zoom, 10 AM PT / 1 PM ET, with open Q&A at the end. Bring your setup questions. Register free manicode.com/webinar/

Career update: I’ve joined @OpenAI to lead Cyber with @michaelaiello. Why I joined, and what we’ll be building: It’s clear that AI is fundamentally changing how software is being written and secured. Coding agents are writing the majority of code for many developers, software is getting shipped more quickly, and vulnerabilities that were latent for 20 years are being discovered at a rapid pace. The time to bug discovery, and exploitation once discovered, are trending down (H/T @EppSecurity and @gadievron). I believe we have an unparalleled opportunity to fundamentally 𝘪𝘮𝘱𝘳𝘰𝘷𝘦 cybersecurity in ways that were previously impossible. (H/T @bubblewire’ BSidesSF keynote on reasons for optimism) Over 6 years at @Semgrep, I had the privilege of working with an amazing team building what has become the most popular open source security code scanning tool in the world, that many companies have built their application security program around. Now, at @OpenAI, I’m thrilled to be a part of a company helping shape how software is written, and how security work gets done. It is a massive opportunity, and responsibility, and I don’t take that lightly. Here are my current thoughts about where things are headed: 𝐑𝐞𝐬𝐢𝐥𝐢𝐞𝐧𝐭 𝐛𝐲 𝐝𝐞𝐬𝐢𝐠𝐧. Defenders are not going to win playing bug whack-a-mole. We need to systematically eliminate classes of vulnerabilities, via generating secure code and streamlining the detect → validate → fix process. 𝐀𝐮𝐠𝐦𝐞𝐧𝐭 𝐚𝐧𝐝 𝐞𝐦𝐩𝐨𝐰𝐞𝐫 𝐩𝐞𝐨𝐩𝐥𝐞. We should build models and tools that give defenders “superpowers,” enabling them to be more ambitious in the scope they tackle, shift from being reactive to proactive, and allow them to automate the drudgery so they can focus on the highest leverage work. 𝐒𝐞𝐜𝐮𝐫𝐞 𝐭𝐡𝐞 𝐜𝐨𝐦𝐦𝐨𝐧𝐬. The world runs on open source software. OpenAI has already spent $Ms finding and patching vulnerabilities in the most popular and widely run software, including browsers, operating systems, and core libraries. More on this soon. We’re also working on helping secure critical infrastructure. 𝐂𝐨𝐦𝐦𝐮𝐧𝐢𝐭𝐲 𝐚𝐧𝐝 𝐩𝐚𝐫𝐭𝐧𝐞𝐫𝐬. Securing the world is a community effort. I’m looking forward to partnering with cybersecurity vendors, researchers, practitioners, governments, and more to do together what we can’t do alone. 𝐓𝐢𝐦𝐞 𝐭𝐨 𝐛𝐮𝐢𝐥𝐝. Tactically, here are some domains I’m excited about: - Finding, validating, and reliably patching software vulnerabilities at scale. - Eliminating classes of vulnerabilities and making software resilient by design. - Giving broad access to the best cyber models to empower defenders, not just to a select few. - Creating and sharing Skills and playbooks that help in many security domains. - Building platforms that enable defenders to easily orchestrate security work. - Making enterprise agents safe and reliable. Time to build 😎 — What would help you most? What should we build? Let me know.

I really, really wish @AnthropicAI would release $500/month and $1000/month plans for Claude Code. It doesn't need to have the same insane value multiple as the $200/month plan, just something to reduce the stress of the 5 hour and weekly limits. cc: @_catwu @bcherny

‼️🚨 BREAKING: ServiceNow has been breached. Customers are reporting unauthorised access to their instances. One customer states their security team reported this vulnerability to them, and they closed the case twice, saying they had already known since the 7th of April.

Introducing Claude Fable 5: a Mythos-class model that we’ve made safe for general use. Its capabilities exceed those of any model we’ve ever made generally available.

Just landed nested subagent support in Claude Code Starting to experiment more with agents kicking off agents as a way to better manage context. Capped at depth=5 to start, going out in today’s release. Lmk what you think!

If you've adopted AI at your company but haven't seen any tangible results, read this 1990 article: "The Dynamo and the Computer" by Paul David. When electricity first arrived, factories that "adopted" it barely got faster. They just swapped the steam engine for an electric one and ran everything else exactly as before: same machine layout, same workflow, same management. Electricity in, no real gains out. The most common mistake with any new technology is to drop it into the old organization and then declare the transformation done. The real leap came decades later, when each machine got its own small motor. Suddenly machines no longer had to be lined up around one central drive shaft. They could be rearranged around the actual flow of work. The productivity gains didn't come from electricity. They came from REDESIGNING THE ENTIRE FACTORY around it. AI is the same. Bolting it onto your existing process gets you a faster steam engine. The payoff comes when you redesign the work itself. (link to paper in comments)

Human time fix and patch methods are not effective anymore. Agentic everything and soon. Automated discovery, patching and verification is the way. Likely with a focus on local models. And it’s non trivial to set up and it’s not a product.

For the first time in 19 years, vulnerability exploitation is the #1 breach entry point. Not credentials. Not phishing. Software flaws, hit within hours of disclosure because AI compressed the attack timeline. The 2026 Verizon DBIR analyzed 22,000 breaches across 145 countries. The data is clear: the window between disclosure and exploitation closed. Your traditional endpoints have runtime detection. Your AI endpoints don't. Every deployed model and agent is making decisions right now with no behavioral detections, no forensic trace, and no automated containment. That's the gap AI-EDR closes. For details, see: na2.hubs.ly/H060vtF0

Personal update: I’ve decided to leave OpenAI. Not that I ever worked there. But it just looks like everyone else is doing it, so I thought I'd hop on the bandwagon. In other news, I've decided to join @AnthropicAI to work on AGI for the benefit of Claude. I don't think they realize that I've decided to join, and to be honest, I don't think my decision carries much weight with them, since I wasn't offered a job there. But the decision stands.

Introducing a new side project called Model Regression. It tests daily Claude, GPT, and Grok on various benchmark statistics to determine how well its performing and to identify model degrades over time. @edskoudis had an idea for model testing before they conducted offensive testing to ensure the model was performing as expected, and @BlasikRandy pushed me down this road with actually going and doing it. The main intent here is the frontier models will experience outages, issues, bugs, intentional/unintentional nerfing of the models without notice. You can't typically trust day to day activities in these models for stability, so leveraging this on your daily routine to see how well the model is performing for that day is something I'll be using everyday. Runs every morning in my DGX sparks environment and automatically updates with how well its performing. Enjoy! modelregression.com/ Also open-sourced the project, can run on your own server as well and look at the benchmarks and how they are calculated: github.com/HackingDave/model…

On advanced corporate jargon…. facebook.com/reel/1504613141…

😂 🤣 🤪