Underrated but absolutely true pattern and use-case. In the early days of @AppSecEngineer, we faced this with one of our Fortune 100 housing finance customers. Corporate mail scanners burned the token and without a confirmation page, people were unable to log in. A few minutes of absolute panic before we realised and rolled out a fix
May 11
if your saas uses magic link signup, check this right now: your link in the email shouldn't call the verify api directly. there should be an interstitial confirm page instead. here's why: corporate email scanners (microsoft safe links, mimecast, etc) pre-fetch every url in incoming mail. they burn your single-use token before the user even clicks. then the user opens the email, sees "token invalid", retries 2 times, gives up. cost us two F500 leads before we caught it. fix: email points to a page with a "sign me in" button → POST from that button hits your verify api.
1
2
523
Cloudflare Workflows is criminally underrated. I needed to add Portuguese subtitles for all @AppSecEngineer videos today. There are 2651 of them. Built a workflow to fetch the English subtitles (existing), run it through a translation model and load the Portuguese subtitles. All done in approx 20 mins
1
4
262
We manage 2000 accounts on AWS with a 3 person team for @AppSecEngineer. Each customer gets their own sandboxed AWS account with SCPs enabled. They are recycled as users are done with each lab
One company manages 6,000 AWS accounts with three people 😅 Not 60. Not 600. Six thousand! 🔥 Each customer gets their own isolated account with the full microservice stack → 40 services, ~120,000 deployed instances, roughly 1 million Lambda functions across the fleet.
4
573
The @AppSecEngineer team is cooking! Our new chatbots make it super easy for learners and enterprise admins to get deep insights into their learning progress, recommendations and org-wide training insights. Watch!
3
259
"Isn't AI your kryptonite?" Is something a lot of people asked me not too long ago, especially about how AI would impact AppSecEngineer. I realized then that this was the wrong take. AI has the power to build amazing learning experiences and we're just getting started. Today we take a step in that direction. Our "Creator Studio" is a force multiplier that allows our customers to build courses and labs, entirely with AI, to create relevant, on-demand content. Not just content as in courses and interactive slides, but full-fledged hands-on labs with our AI Agents. Our Ship Week continues.
2
312
True story - we have at least 2-3 people in every Black Hat training that cannot access labs over https in the browser because of crazy content filtering policies, and that's after informing them at least 5 times that they need to enable certain hosts - we have customers who take a couple months to approve @AppSecEngineer domains and port ranges because they need to get approvals and that takes a bunch of questions and multiple rounds of back and forth - we now have pretty tight requirements in our customer orgs around what models they can use for @secreview_ai , which provider etc, and it needs a ton of approval because it's AI
People who keep saying AI is going to replace developers… have they actually worked inside a large enterprise? A LOT of companies don’t even allow developers to install third party packages. I regularly talk to friends working at Fortune 500 companies. Some of them aren’t even allowed to install NumPy or Matplotlib without going through layers of approval. In some environments, even access to LLM tools is restricted or sandboxed behind heavy compliance controls. This isn’t a “move fast and ship AI agents” world. It’s a world of security reviews. Procurement. Legal approvals. Risk assessments. I remember years ago it took two weeks just to get approval to use jQuery. Two weeks. For jQuery. Now imagine trying to integrate external AI services, autonomous agents, or experimental frameworks into that kind of environment. AI is powerful. It’s transformative. But enterprise reality moves at a very different speed.
2
553
Super excited for "Ship Week". This week, we're going to be showcasing some of the stuff that we've shipped since November 2025 for we45, AppSecEngineer and SecurityReviewAI. We've been hard at work and have built some truly useful (and dare I say, revolutionary) solutions to help our customers and the broader community (including OSS solutions). You will see posts, videos and blogs from us every day this week! Enjoy! Watch this space for more details
2
287
Our products change a lot. We add new capabilities all the time for both AppSecEngineer and SecurityReviewAI. I realized that having somebody write these documents from scratch every single time for every single feature is time-consuming and sometimes error-prone and misses a lot of context. So, we have built out an agent that automatically discovers new functionality from Git PRs as well as the product documentation that we use as developers. We use that to build out updated user manuals. In CI jobs, this has been a game changer as now we can focus on reviewing docs rather than having to build them out
5
363
Recently I got a project task from one of my seniors in this appsec field, and this is the one I know that, when I am with it, is going to surely scale me high and place me somewhere I want to build. It's a *MULTI-SERVICE DevSecOps Security Testing Platform*. I would like to call it VulnFusion: A learning platform for secure DevSecOps and microservices. It's a set of intentionally vulnerable services packaged with CI/CD pipelines, container security (SCA, SBOM, signing), and automated testing (SAST, DAST). The platform lets you safely practice finding and fixing vulnerabilities, running security scans, deploying signed containers, and observing end-to-end DevSecOps workflows, all in a controlled environment designed for hands-on experimentation and learning. #AppSec #DevSecOps #CyberSecurity #PenetrationTesting #SecurityTesting @_appsecnetwork @AppSecEngineer @AppSecPodcast @sec_phoenix @AviveAPP
4
15
1,067
On my journey of AppSec Engr... I have passed through what AppSec is, why they are needed and what value they bring to the community. I have gone through STRIDE, PASTA, Attack Trees, SRE (security requirements engineering), SDLC/SSDLC... and now I am moving into learning the OWASP TOP 10 (Web, Mobile and API), OWASP ASVS (sections 1-5) (still using STRIDE though... PASTA is not for the weak :) ) #AppSec #Pentesting #Tech #Software @commando_skiipz @Dghost_Ninja @TemitopeSobulo @_appsecnetwork @AppSecEngineer
4
20
1,833
Built 10 AppSecEngineer Labs on AI Agents over the weekend. Completely wiped but feels great getting so much done
3
346
Your dependencies are someone else’s code. Which means your attack surface is growing silently. This bootcamp helps you tame the chaos and secure your entire software supply chain. ➩ Package scanning ➩ Sigstore signing ➩ SLSA, attestations & more 🏅 Includes 2 Certification Exam Attempts 🎓 Comes with AppSecEngineer Pro Annual Subscription Sign up today — zurl.co/TIleV
2
260
You can’t DevSecOps your way out of bad pipelines. This bootcamp gets deep into automation, policy, SBOMs, and real security in CI/CD. No buzzwords. Just hands-on, down-to-the-wire sessions. ➢ Break & fix pipelines ➢ Policy-as-code, secrets, SBOMs 🏅 Includes 2 Certification Exam Attempts 🎓 Comes with AppSecEngineer Pro Annual Subscription Sign up today — zurl.co/VI149
2
217
Enough with threat modeling that lives in stale confluence pages. You’ll build threat models that guide design, not just sit in a folder. We’ll show you how to break apps before attackers do. ➤ Live threat modeling on real apps ➤ Agile. Repeatable. Actually useful. 🏅 Includes 2 Certification Exam Attempts 🎓 Comes with AppSecEngineer Pro Annual Subscription Sign up today — zurl.co/jTcZQ
2
240
"This is literally magic!" Is something I heard from our customer. They needed to train their security champions on the latest vulnerability in one of their heavily used Java libraries. This library was being used by thousands of developers across their product portfolio. Normally this would take several weeks to design, create and roll out training for their developers. With AppSecEngineer CreatorStudio, it took them 15 mins. They were able to build a well-researched course, with video, voiceovers, diagrams, code snippets, articles AND practical challenges in 15 mins!! We were thrilled to see how our AI was able to help them learn faster, so they can ship safer. Here's my demo explaining how it works
1
2
415
Over the next three weeks, we're going to release 2-4 courses on AppSecEngineer on deep-dive LLM Security concepts like Semantic Input Validation and LlamaFirewall. In addition, we realize that a lot of these concepts are new to everyone and will be releasing entry-level courses on AI Agents, MCP and more. Hope you enjoy it!
1
1
9
248
I recently spoke at an AppSecEngineer webinar on AI Agent security, where I especially focused on MCP and Agent Attack and Defense. Hope you find it useful (link in first comment)
1
1
3
293
In my opinion, these are the best YouTube channels for learning cybersecurity in 2025, by specialty: 🔹 Fundamentals and general: John Hammond NetworkChuck The Cyber Mentor Simply Cyber 🔹 Ethical hacking and Bug Bounty: LiveOverflow HackerSploit IppSec STÖK NahamSec 🔹 Networking and infrastructure: David Bombal CBT Nuggets Professor Messer 🔹 Digital forensics (DFIR): 13Cubed DFIRScience BlackPerl Josh Brunty 🔹 Application security (AppSec): OWASP Foundation Snyk AppSecEngineer DevSlop 🔹 Malware analysis: MalwareTech The PC Security Channel REsearch 🔹 Cloud Security: Day Cyberwox John Savill AWS Security 🔹 Awareness and social engineering: The Hated One Computerphile Social-Engineer.org 🔹 Incident Response: Black Hills InfoSec DFIRScience Threat Hunting Project 🔹 Cryptography and privacy: Computerphile The Hated One Naomi Brockwell 🔹 DevSecOps and software security: DevSlop Snyk GitHub Security Lab Start with the specialty that interests you and build your skills step by step.
66
554
27,435
Did an inventory of videos, labs and content on AppSecEngineer. Turns out we have 2105 videos, 3257 labs, lab documentation and over 250 challenges, not to mention our AI-enabled challenges (unlimited). The sheer scale of content we've created for our users is mind-boggling
1
2
201
When we went with a no-password (login magic link only) approach for AppSecEngineer, we did face a little backlash. This was before we added Social and SSO. In hindsight it was the best decision we made. Dealing with passwords is painful. Because you're not just dealing with potentially poor passwords and a host of other password management issues, but credential stuffing as well. Remember, not storing unnecessary data is a major W from a security and risk perspective
2
1
7
943