Skip to content

the #thoughtops blog

security | ai | technology | policy | startups

Featured

All →

Latest

All →
Security

Slopdemic, Not Vulnpocalypse (Yet)

I joined Sherrod DeGrippo on the Microsoft Threat Intelligence Podcast this week to talk about how AI is reshaping vulnerability research, disclosure, and patching. It was

05 Jul 2026 · 2 min read
Johnny Five from Short Circuit rendered as an Obama 'Hope' campaign poster, captioned NO DISASSEMBLE
Building

My Clanker Setup

A mate messaged me this week asking whether I'd ever written up my clanker setup — which harness I run, which models, what hardware, and

05 Jul 2026 · 7 min read
Security

AI Didn't Break Vulnerability Disclosure. It Exposed What Was Already Broken.

There's a sentence I keep coming back to from a conversation Josh Bressers and I had recently on Open Source Security: we'd

29 Jun 2026 · 4 min read
Casey Ellis on VulnCheck Threat Con One — vulnerability disclosure post-Mythos
Thinking

The Hitchhiker's Guide to Vulnerability Disclosure in 2026

Post-Mythos vulnerability disclosure: a 2026 field guide for vendors and researchers on AI-era bug bounties, slop triage, and rebuilding ecosystem norms.

17 May 2026 · 13 min read
Policy

Coordinated, Until It Isn't

Everyone has a take on Moksha's 89-vuln XAPI drop. Almost everyone misses the same thing: it wasn't one decision, it was four: go public, go Day-0, withhold patches from Citrix, lean into the "shittrix" frame. Coordinated disclosure runs on goodwill, and the goodwill runs out sometimes.

17 May 2026 · 9 min read
Security

Thoughts on the #slopdemic

Move over #vulnpocalypse — there's a new term we need to talk about: the #slopdemic. AI didn't invent low-quality vuln reports, but it just turbocharged them, and F/OSS is drowning.

04 May 2026 · 2 min read
Personal

Continued Monitoring of the Situation

Week two of an AI-powered House Finch nest monitor: four model biases, a Wyze cam back from the dead, and a full pipeline rewrite before the eggs hatch.

03 May 2026 · 14 min read
Three pale-blue speckled House Finch eggs nestled in a cup of dried grass on a sunroom bookshelf
Personal

"Monitoring the Situation" - The Internet of Birbs

Two pale-blue speckled eggs on the sunroom bookshelf turned into three cameras, an Unraid NAS, two AI models, and a journal that writes itself every morning. None of it had to be useful — it just had to be possible. Because joy.

29 Apr 2026 · 7 min read
Security

Spicy Takes from my Aikido Security Podcast

Nine takes from my RSAC conversation with Mackenzie Jackson on Aikido's Secure Disclosure podcast — on bug bounty, AI slop, hack-back, vibe coding, and why the internet still working is a minor miracle.

24 Apr 2026 · 5 min read
Security

Offense Scales with Compute. Defense Scales with Committees.

Why AI is widening the attacker-defender gap faster than anything we've built to close it — and what that actually means for the next decade of security.

08 Apr 2026 · 11 min read
Thinking

The Compliance Reckoning

AI makes security verification cheap, putting two decades of checkbox compliance, paper pentests, and audit theater under sudden economic pressure.

28 Mar 2026 · 4 min read
Security

Bug Bounties in the Age of AI

As AI accelerates the offense-defense asymmetry, bug bounties and vulnerability disclosure remain essential. Casey Ellis on the future of bug bounties, the evolving threat landscape, and how disclose.io and the SRLDF protect the researchers keeping us safe.

27 Mar 2026 · 4 min read

Hot Takes

All →