Builds apps with AI. Breaks them for a living. Posts what worked, what blew up, and the security stuff vibe coders miss.

Joined December 2017
Pinned Tweet
I'm a security & networking guy who got tired of *talking* about building and started *shipping* with AI doing the heavy lifting. So I'm doing it in public: the apps, the wins, the security holes I find (mine and everyone else's), and the stuff nobody tells vibe coders. No hype. Just receipts. Follow along. 👇
Claude Opus 4.8 dropped yesterday. Agentic coding jumped 64.3 to 69.2, and they tuned it to flag uncertainty instead of claiming it's done. honestly the second one matters more to me. half my debugging is the model swearing it fixed something it never touched.
KPMG just put Claude in front of 276,000 employees across 138 countries. Nobody's talking about the data boundary. 276k people now have an AI that reads whatever they can read. That's not a rollout, it's an access-control problem.
OpenClaw: 135k GitHub stars, 21,000 instances sitting exposed on the open internet. That's the vibe-coder blind spot in one number. You can ship a working agent in a weekend and never once think about who else can reach it.
funny watching the industry quietly bury "vibe coding." Cursor has plans now, Windsurf has Plan Mode, Kiro went spec-first. Turns out conversational prompts don't scale to prod. Who knew. (me, after the third rewrite)
Unit 42's new report: the fastest quartile of breaches now reaches data exfil in about an hour. Last year it was five. Same AI automation everyone's shipping is what compressed the timeline. Attackers adopt faster than defenders patch.
Microsoft Semantic Kernel routed attacker-controlled vector store data straight into a Python eval(). CVE-2026-26030, CVSS 9.8. Your RAG pipeline pulls a poisoned doc, the doc runs code. Patched in 1.39.4. If you're building agents on this, go check your version.
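Worked example, added here and not taken from the post or from Semantic Kernel's own code: a toy RAG step that sums prices out of chunks a retriever handed back. The first version does what the bug class does, eval() on retrieved text; the second treats the chunk strictly as data (json.loads plus a shape check) and rejects anything else. The chunk contents, the field names and the SIDE_EFFECTS marker are all constructed for this example; the poisoned chunk's only action is to append a string, so that execution is observable without doing anything else.

```python
import json

# Constructed sample: one legitimate chunk and one poisoned chunk, standing in
# for what a vector store might return. Neither comes from a real system.
SIDE_EFFECTS: list[str] = []

RETRIEVED_CHUNKS = [
    '{"product": "widget", "unit_price": 12.5, "qty": 4}',
    # Poisoned document: looks like a record, but it is Python code, not data.
    # Its only effect here is to append a marker, proving the text was executed.
    'SIDE_EFFECTS.append("retrieved text was executed") or '
    '{"product": "x", "unit_price": 0, "qty": 0}',
]


def total_vulnerable(chunks):
    """The pattern behind the bug class: eval() on text the retriever returned."""
    total = 0.0
    for chunk in chunks:
        record = eval(chunk)  # executes whatever the document happens to contain
        total += record["unit_price"] * record["qty"]
    return total


# Hardened path: retrieved text is untrusted input and is parsed, never executed.
ALLOWED_KEYS = {"product": str, "unit_price": (int, float), "qty": int}


def parse_record(chunk):
    """Parse one chunk as JSON and check that it has exactly the expected shape."""
    try:
        record = json.loads(chunk)
    except json.JSONDecodeError as exc:
        raise ValueError(f"retrieved chunk is not JSON: {exc.msg}") from None
    if not isinstance(record, dict) or set(record) != set(ALLOWED_KEYS):
        raise ValueError("unexpected record shape")
    for key, typ in ALLOWED_KEYS.items():
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(record[key], bool) or not isinstance(record[key], typ):
            raise ValueError(f"bad type for field {key}")
    if record["unit_price"] < 0 or record["qty"] < 0:
        raise ValueError("negative price or quantity")
    return record


def total_hardened(chunks):
    """Sum only records that pass validation; report what was rejected."""
    total = 0.0
    rejected = []
    for chunk in chunks:
        try:
            record = parse_record(chunk)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        total += record["unit_price"] * record["qty"]
    return total, rejected


if __name__ == "__main__":
    print("vulnerable total:", total_vulnerable(RETRIEVED_CHUNKS))
    print("side effects:", SIDE_EFFECTS)
    print("hardened total:", total_hardened(RETRIEVED_CHUNKS))
```

Both paths produce the same total for the clean chunk; the difference is that the vulnerable one also ran the poisoned chunk, while the hardened one logged it as a rejected record. The check to carry into a real pipeline is the same: nothing that came out of retrieval reaches eval(), exec(), a shell, or a template engine as code.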
openclaw had 1,184 malicious skills in its marketplace before anyone noticed. 21k exposed instances. claude code separately had RCE via poisoned repo configs (check point research). "install this ai agent skill" is the new "curl | sudo bash". read what you install.
cursor pro is no longer $20/month unlimited. it's a $20 credit pool. composer 2.5 matches opus 4.7 on swe-bench at $0.50/M in, $2.50/M out, but agent mode chews through credits fast. the era of flat-rate ai coding is dead. your tool now meters you like aws.
openai shipping ads inside chatgpt is the moment the model stops working for you and becomes a sales channel that talks back. the prompt-injection surface here is going to be wild. paid placement is now an input to the answer your assistant gives you.
Reminder for everyone shipping with AI this weekend: the model optimizes for "code that runs," not "code that's safe." Those overlap maybe 70% of the time. The other 30% is your incident report.
Everyone wants AI to make them a 10x developer. Start with not being a 0.1x security risk. The bar is lower and the wins are bigger.
Google just helped raise $35 billion so Anthropic can keep renting Google's own chips. I read the deal coverage so you don't have to. 5 things that matter, from a security guy who thinks in failure modes.
4. Follow the risk like you'd trace a packet
Lenders: insulated twice. Broadcom: hedged. Anthropic: gets its million-TPU buildout without $35B of debt on its own books. The demand risk pools at Google. Single point of failure, finance edition.
5. Short term this is good for builders
Compute supply keeps scaling and token prices keep falling. Just know the stack you ship on now has structured-finance plumbing under it. I post what I build with AI and what the term sheets say. Follow along.
New AI tool checklist before I trust it with anything real:
- where does my data go?
- can it see my secrets?
- what does it log?
Half the hyped tools fail question 1.
Most "AI-built app" security holes I see aren't exotic. They're the basics: no input validation, secrets in the client, auth checks that run in the browser. The boring stuff. AI skips the boring stuff unless you make it care.
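Added example for the two basics named in that post, not code from the post or from any app it describes: a delete-note handler in which the authorization decision is made from a client-supplied field (the "auth check that runs in the browser" pattern), beside one that takes identity from a server-held session store, checks ownership on the server, and validates the id before it touches the data layer. The in-memory SESSIONS and NOTES stores, the note id format and the user names are all constructed for this example; a real app would back them with a database.

```python
import re
import secrets

# Constructed in-memory state standing in for a session store and a database.
SESSIONS = {}  # opaque session token -> user id, filled by login()
NOTES = {      # note id -> owner user id
    "note_01": "alice",
    "note_02": "bob",
}
NOTE_ID = re.compile(r"^note_[0-9]{2}$")  # the only id shape the app accepts


def login(user_id):
    """Issue a random, opaque session token. Only the server holds the mapping."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def delete_note_vulnerable(body, notes):
    """Browser-side auth: the request body tells the server who the caller is.

    Whatever check the front end did, the server repeats none of it, so any
    caller who writes the right owner name into the JSON passes.
    """
    note_id = body.get("note_id")
    if body.get("owner") == notes.get(note_id):  # trusts a client-supplied claim
        del notes[note_id]
        return 200
    return 403


def delete_note(headers, body, notes):
    """Server-side version of the same endpoint.

    Identity comes from the session store, never from the body; the id is
    validated before lookup; ownership is compared on the server.
    """
    user = SESSIONS.get(headers.get("Authorization", ""))
    if user is None:
        return 401  # no valid session: the caller is nobody
    note_id = body.get("note_id")
    if not isinstance(note_id, str) or not NOTE_ID.match(note_id):
        return 400  # malformed input never reaches the data layer
    owner = notes.get(note_id)
    if owner is None:
        return 404
    if owner != user:
        return 403  # authenticated, but not the owner
    del notes[note_id]
    return 200


if __name__ == "__main__":
    store = dict(NOTES)
    # Anyone can delete bob's note by claiming to be bob in the body.
    print("vulnerable:", delete_note_vulnerable({"note_id": "note_02", "owner": "bob"}, store))
    store = dict(NOTES)
    token = login("alice")
    print("alice deleting bob's note:", delete_note({"Authorization": token}, {"note_id": "note_02"}, store))
    print("alice deleting her own:", delete_note({"Authorization": token}, {"note_id": "note_01"}, store))
```

The status codes are the thing to watch in review: a handler that can return 200 without ever consulting server-held state about who the caller is has no authorization check, regardless of what the front end does.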
Quote this with the AI tool you'd be lost without right now. I'm collecting the real stack people use vs. the one they post about.