Career update: I’ve joined @OpenAI to lead Cyber with @michaelaiello. Why I joined, and what we’ll be building: It’s clear that AI is fundamentally changing how software is being written and secured. Coding agents are writing the majority of code for many developers, software is getting shipped more quickly, and vulnerabilities that were latent for 20 years are being discovered at a rapid pace. The time to bug discovery, and exploitation once discovered, are trending down (H/T @EppSecurity and @gadievron). I believe we have an unparalleled opportunity to fundamentally 𝘪𝘮𝘱𝘳𝘰𝘷𝘦 cybersecurity in ways that were previously impossible. (H/T @bubblewire’ BSidesSF keynote on reasons for optimism) Over 6 years at @Semgrep, I had the privilege of working with an amazing team building what has become the most popular open source security code scanning tool in the world, that many companies have built their application security program around. Now, at @OpenAI, I’m thrilled to be a part of a company helping shape how software is written, and how security work gets done. It is a massive opportunity, and responsibility, and I don’t take that lightly. Here are my current thoughts about where things are headed: 𝐑𝐞𝐬𝐢𝐥𝐢𝐞𝐧𝐭 𝐛𝐲 𝐝𝐞𝐬𝐢𝐠𝐧. Defenders are not going to win playing bug whack-a-mole. We need to systematically eliminate classes of vulnerabilities, via generating secure code and streamlining the detect → validate → fix process. 𝐀𝐮𝐠𝐦𝐞𝐧𝐭 𝐚𝐧𝐝 𝐞𝐦𝐩𝐨𝐰𝐞𝐫 𝐩𝐞𝐨𝐩𝐥𝐞. We should build models and tools that give defenders “superpowers,” enabling them to be more ambitious in the scope they tackle, shift from being reactive to proactive, and allow them to automate the drudgery so they can focus on the highest leverage work. 𝐒𝐞𝐜𝐮𝐫𝐞 𝐭𝐡𝐞 𝐜𝐨𝐦𝐦𝐨𝐧𝐬. The world runs on open source software. OpenAI has already spent $Ms finding and patching vulnerabilities in the most popular and widely run software, including browsers, operating systems, and core libraries. More on this soon. We’re also working on helping secure critical infrastructure. 𝐂𝐨𝐦𝐦𝐮𝐧𝐢𝐭𝐲 𝐚𝐧𝐝 𝐩𝐚𝐫𝐭𝐧𝐞𝐫𝐬. Securing the world is a community effort. I’m looking forward to partnering with cybersecurity vendors, researchers, practitioners, governments, and more to do together what we can’t do alone. 𝐓𝐢𝐦𝐞 𝐭𝐨 𝐛𝐮𝐢𝐥𝐝. Tactically, here are some domains I’m excited about: - Finding, validating, and reliably patching software vulnerabilities at scale. - Eliminating classes of vulnerabilities and making software resilient by design. - Giving broad access to the best cyber models to empower defenders, not just to a select few. - Creating and sharing Skills and playbooks that help in many security domains. - Building platforms that enable defenders to easily orchestrate security work. - Making enterprise agents safe and reliable. Time to build 😎 — What would help you most? What should we build? Let me know.

📣🚨 Featured @defcon creator talk! James Campbell, one of our own community members, is presenting a novel tool he developed for security research on maritime industrial control networks. This is one you won't want to miss! HTX (Home Team Science & Technology Agency) #DEFCON #DCSG #DEFCONTalks #DEFCONSpeakers #MHV #MaritimeVillage

Normies think you need AI to accidentally fuck up prod Little do they know IT nerds have been doing this for decades.

ShinyHunters is ransoming ... HALLMARK CARDS Those fucking shitty birthday cards you pick up at the drug store ARE BEING HELD RANSOMWARE WHO RANSOMS BIRTHDAY CARDS (info via @AlvieriD)

You have competition. And they don’t have to play fair. 👀 Today, Senior Principal Security Researcher @_JohnHammond and special guest @JimBrowning11 are dropping serious intel on the dark economy of cybercrime. Last chance to register: okt.to/ntQCFy

I sat down with @_JohnHammond and asked him everything. Check it out, and don’t forget to subscribe 🫶 youtu.be/qe5W3Ky-ElE

Instagram breach or no breach? Either way, they need to brush up on customer disclosure. Sick of companies thinking silence is the best option.

yo... Wtf???????

.@_JohnHammond and I will be there 🥳

I’m dating a smart man who turns off his brain around me

Chats w / @_JohnHammond now live #wehackhealth youtu.be/hVq81j8WLwE?si=6GVF…

Great start to the day with John Hammond’s keynote at BSidesNYC 0x05 #BSidesNYC

So special thanks to @M_haggis for taking it on, and giving the idea for a "ClickFix Wiki" a better home! It has been incorporated into his ClickGrab project. I wouldn't be able to maintain the site or resource, so I really appreciate him picking it up! mhaggis.github.io/ClickGrab/

Hello. The Huntress CTF is back for its third year. October 1st through October 31st with new challenges each and every day, all month long. Free to play, register at any time (even while the game is running!) and play whenever you want at your leisure. ctf.huntress.com

‼️ After posting their goodbye note on BreachForums, Scattered Lapsus$ Hunters provided proof of access to FBI NICS (background check) and Google LERS (Law Enforcement Request System).

I’m so excited for this! @_JohnHammond was one of the OGs in the @BSides_NoVA community (I’ve lost count how many times his team won the CTF) and it’s exciting to have him back this year as our keynote.

We are thrilled to announce that @_JohnHammond will be the keynote speaker at @BSidesNYC on October 18, 2025! We look forward to John sharing his insights.

My husband is the best 🥰

And that's a wrap! Thanks @defcon especially the #IoTVillage. 'Til next time! ❤️

you need... "her" malware?