the #thoughtops blog
security | ai | technology | policy | startups
Free. Occasional. Unsubscribe anytime.
Featured
Thoughts on the #slopdemic
Move over #vulnpocalypse — there's a new term we need to talk about: the #slopdemic. AI didn't invent low-quality vuln reports, but it just turbocharged them, and F/OSS is drowning.…
Offense Scales with Compute. Defense Scales with Committees.
Why AI is widening the attacker-defender gap faster than anything we've built to close it — and what that actually means for the next decade of security.…
The FCC Just Banned Every Foreign-Made Router
The FCC added every foreign-made consumer router to the Covered List — a March 2026 supply-chain action that goes far beyond previous adversary-nation bans.…
Vulnerability economics
The four-line economic frame for every vulnerability: cost to introduce, cost to discover, cost to fix, and the value of exploitation — and why the math matters.…
Next things...
Last Saturday Jan 31 was my last day "inside the tent" at Bugcrowd.…
2026 security predictions
2026 cybersecurity forecast: China's PLA centenary looms, AI turns anyone into a malware developer, and economic pressure pushes more people toward cybercrime. Shift-left finally start working—but only for modern code. The rest of the internet? A triage trash fire.…
The Original Bug Bounty: Alfred Hobbs and the Great Lock Controversy of 1851
Alfred Hobbs: The OG bug bounty hunter who cracked England’s ‘unpick-able’ locks. His breaker mindset exposed flaws, sparked innovation, and proved no system is perfect.…
AI security: Tool, Target, Threat
The Tool/Target/Threat taxonomy for AI security — a shared vocabulary for the three orientations every conversation collapses without, built during EO 14110.…
The Bar Fight Risk Taxonomy
After hearing "vulnerability" and "threat" used interchangeably for a >9,000th time I decided to do something about it, and the Bar Fight Risk Taxonomy was born.…
Information Asymmetry and the 1950s Nuclear Bounty
Props to Matt Ploessel for calling out this one... I'd not heard of a bounty around nuclear weapons until today.…
To err is human — Kerckhoffs' Principle in Software Transparency
Shannon and Kerckhoff were pioneers of disclosure thinking — They understood the concept of “build it like it’s broken”. This was especially true in WWII cryptography, but it’s becoming increasingly clear in its relevance to the 'peacetime' software that we use today.…
Latest
All →Slopdemic, Not Vulnpocalypse (Yet)
I joined Sherrod DeGrippo on the Microsoft Threat Intelligence Podcast this week to talk about how AI is reshaping vulnerability research, disclosure, and patching. It was…
My Clanker Setup
A mate messaged me this week asking whether I'd ever written up my clanker setup — which harness I run, which models, what hardware, and…
AI Didn't Break Vulnerability Disclosure. It Exposed What Was Already Broken.
There's a sentence I keep coming back to from a conversation Josh Bressers and I had recently on Open Source Security: we'd…
The Hitchhiker's Guide to Vulnerability Disclosure in 2026
Post-Mythos vulnerability disclosure: a 2026 field guide for vendors and researchers on AI-era bug bounties, slop triage, and rebuilding ecosystem norms.…
Coordinated, Until It Isn't
Everyone has a take on Moksha's 89-vuln XAPI drop. Almost everyone misses the same thing: it wasn't one decision, it was four: go public, go Day-0, withhold patches from Citrix, lean into the "shittrix" frame. Coordinated disclosure runs on goodwill, and the goodwill runs out sometimes.…
Thoughts on the #slopdemic
Move over #vulnpocalypse — there's a new term we need to talk about: the #slopdemic. AI didn't invent low-quality vuln reports, but it just turbocharged them, and F/OSS is drowning.…
Continued Monitoring of the Situation
Week two of an AI-powered House Finch nest monitor: four model biases, a Wyze cam back from the dead, and a full pipeline rewrite before the eggs hatch.…
"Monitoring the Situation" - The Internet of Birbs
Two pale-blue speckled eggs on the sunroom bookshelf turned into three cameras, an Unraid NAS, two AI models, and a journal that writes itself every morning. None of it had to be useful — it just had to be possible. Because joy.…
Spicy Takes from my Aikido Security Podcast
Nine takes from my RSAC conversation with Mackenzie Jackson on Aikido's Secure Disclosure podcast — on bug bounty, AI slop, hack-back, vibe coding, and why the internet still working is a minor miracle.…
Offense Scales with Compute. Defense Scales with Committees.
Why AI is widening the attacker-defender gap faster than anything we've built to close it — and what that actually means for the next decade of security.…
The Compliance Reckoning
AI makes security verification cheap, putting two decades of checkbox compliance, paper pentests, and audit theater under sudden economic pressure.…
Bug Bounties in the Age of AI
As AI accelerates the offense-defense asymmetry, bug bounties and vulnerability disclosure remain essential. Casey Ellis on the future of bug bounties, the evolving threat landscape, and how disclose.io and the SRLDF protect the researchers keeping us safe.…
Hot Takes
All →You get to choose your hard
Being known for what you're against is easy. Being known for what you're for…
It's con season
It's con season — Black Hat, DEF CON, and the summer security-conference circuit are nearly here.…
Find it and fix it
A fun exercise: run various models against deliberately vulnerable apps, and eval them on their ability to identify…
Prompt-injection bumper stickers
Prompt injection is climbing out of the chat box and into the physical world. Print an adversarial instruction…
Words mean things
If the AI era teaches you anything, let it be the lesson that words mean things.…
The top five turtles in a stack of 50
AI defense and code review get the funding, but hospitals still run XP and Ivanti falls over weekly. The security industry is ignoring 45 of its 50 turtles.…