@devarmorHQ profile picture
DevArmor @devarmorHQ

We automate threat modeling. AI-native. Dev-first. AppSec that keeps up with your shipping speed.

Joined August 2025
  • Tweets 66
  • Following 114
  • Followers 14
18 Photos and videos
Black Hat week is mostly booths and pitches. We're doing the opposite. Aug 5: we're co-hosting The #CISO Roast with @ConductorOneInc and @tines_hq. Invite-only, 130 CISOs, open bar, live roast. With luma.com/bh-ciso-roast?utm_s… #BlackHat2026 #CISOroast
1
"We do threat modeling." Translation: a PDF nobody's opened since the workshop. Our founder @kavousian unpacks the fix in Toreon's Threat Modeling Insider: a finding that can't fail a build is one the next pentest gets to find for you. toreon.com/threat-modeling-i…
5
We are here at @fwdcloudsec in #Bellevue. Right next to @AnthropicAI, table #14!
1
34
DevArmor retweeted
Marco Bravo@marcobravoram
May 27
Check out my latest article: 5 Practices for Threat Modeling at DevSecOps Speed linkedin.com/pulse/5-practic… via @LinkedIn

5 Practices for Threat Modeling at DevSecOps Speed

Threat modeling in most organizations is a one-time artifact, not a practice. And one-time artifacts go stale the moment the next sprint changes the design.

linkedin.com
1
1
1
30
We are concluding penetration tests on @SpursOfficial trophy cabinet firewall. Good news: threat modeling suggests the assets inside have been air-gapped from the rest of the #EPL since 1961,so data loss risk remains completely negligible
adédayò • ajíbóyè@D1Olu
May 23
We are concluding penetration tests on @Arsenal trophy cabinet firewall. Good news: threat modeling suggests the assets inside have been air-gapped from the rest of the #EPL since 2004, so data loss risk remains completely negligible
1
1
60
TrustedSec showed that LLMs can reverse engineer commercial EDR products in days, not weeks. Detection logic, scoring thresholds, allowlists, all inspectable. The assumption that your defensive tooling stays opaque to attackers? No longer valid. signal.devarmor.com/p/the-ap…
2
34
Five unrelated security research drops this week. Same root cause: architectures built on assumptions about who's on the other end of the connection. AI changed the actor. The assumptions didn't update. signal.devarmor.com/p/the-ap…
1
15
the NSA just published a post-hoc threat model for a protocol that shipped without one. that's the whole problem in one PDF. the security design work should've happened before MCP went into production, not after. its why we exist.
NSA Cyber
@NSACyber
May 21
NSA is releasing security design considerations for AI-driven automation leveraging MCP which, while simplifying the integration of diverse capabilities into powerful agent workflows, requires caution. Learn more: nsa.gov/Portals/75/documents…
1
2
45
Your IAM says "human or service account" Your EDR says "they can't see my detection logic" Your browser says "the agent will respect same-origin." None of them checked recently. Read the latest issue of our newsletter: signal.devarmor.com/p/the-ap…
1
11
Attending @fwdcloudsec? We're hosting a happy hour on Monday evening, June 1st co-hosted with @ConductorOneInc . Small group. Good crowd. No pitch. Spots are limited → luma.com/gut2hf86 #fwdcloudsec #AppSec #CloudSecurity #infosec
32
5 API calls from a free account. That's all it took to access another user's source code, credentials, and AI chat history for the platform w/ 8 million users. We spent 2 years asking whether AI-generated code is secure. The @Lovable incidents suggest we asked the wrong question
1
35
Three incidents in four months. A 48-day exposure window. A bug bounty report closed without escalation. Same week, Vercel and Bitwarden's CLI had failures too. The pattern is consistent: the infrastructure AI code runs on is less mature than the code it produces.
1
41
And most security programs aren't set up to audit that layer at all. If your team builds production apps on a vibe coding platform, does your vendor risk assessment treat it like a cloud provider? Because it should. read more: linkedin.com/pulse/when-plat…

When the platform you build on is the vulnerability

The platforms people trust to build on are themselves getting breached. That changes things.

linkedin.com
1
11
Your SAST scans came back clean. The platform hosting the code had a BOLA flaw for 48 days. Nobody scanned that. Read the latest issue of the AppSec Signal: signal.devarmor.com/p/the-ap…
1
5
from @kavousian's Linkedin page: @JamesBerthoty dropped a new category report worth reading: "AI Code Security". It captures what we've been building toward. The core thesis is that traditional AppSec tooling was built for humans writing code.
1
1
14
more replies
No one vendor does all of it yet, but the pieces are coming together fast. We're building right in the middle of this at DevArmor. Reach out if you want to chat about what AppSec looks like in an agentic world.
1
10
Read the full post from here: pulse.latio.tech/p/ai-code-s…

AI Code Security: Enterprise Governance for AI Generated Code

How AI is changing the code security process

pulse.latio.tech
10
The vulnerability management community just spent four days @FIRSTdotOrg 's VulnCon26 talking about prevention. That's new! @MITRE invested a full workshop in CWE root cause mapping. Not "what broke," but "why it broke."
1
4
The CVE program announced a "quality era" focused on structured, machine-readable records & multiple sessions argued that prioritization fails without organizational and architectural context. If you trace a root cause back far enough, you almost always land on a design decision.
1
4
The people building CVE quality frameworks and the people building threat models are starting to ask the same question: how do we stop creating the conditions that produce vulnerabilities in the first place? Read our latest post:devarmor.com/blog/from-findi…
4
Load more