Offense Scales with Compute. Defense Scales with Committees.
Why AI is widening the attacker-defender gap faster than anything we've built to close it — and what that actually means for the next decade of security.
The top five turtles in a stack of 50
As an industry we're focused on the top five turtles in a stack of 50. AI for defense and code review matters — we need to be doing it — but it gets the most attention because it gets the most funding because it's the most visible. Meanwhile
Cryptographically enforced disclosure
Been playing around with the idea of cryptographically enforced disclosure. You disclose something — there's a CVD timeline and a fallback date. At the fallback, it all goes on the blockchain, with a drand-triggered encryption key as the dead-man switch. No one can say "we're just
"Monitoring the Situation" - The Internet of Birbs
Two pale-blue speckled eggs on the sunroom bookshelf turned into three cameras, an Unraid NAS, two AI models, and a journal that writes itself every morning. None of it had to be useful — it just had to be possible. Because joy.
Spicy Takes from my Aikido Security Podcast
Nine takes from my RSAC conversation with Mackenzie Jackson on Aikido's Secure Disclosure podcast — on bug bounty, AI slop, hack-back, vibe coding, and why the internet still working is a minor miracle.
Bug Bounties in the Age of AI
As AI accelerates the offense-defense asymmetry, bug bounties and vulnerability disclosure remain essential. Casey Ellis on the future of bug bounties, the evolving threat landscape, and how disclose.io and the SRLDF protect the researchers keeping us safe.
Vulnerability economics
* Every vulnerability costs something to put there. * Every vulnerability costs something to discover. * Every vulnerability costs something to fix. * The exploitation of every vulnerability has a value associated with it.
No More Free-ish Bugs
There's a fresh conversation happening about the distinction between bug bounty programs and vulnerability disclosure programs. This is an area where the distinction between a bug bounty program (cash or cash equivalent proactively offered to the public) and a vulnerability disclosure program (which can optionally offer a thank-you
Bugcrowd 2013 to 2025 — People and Places
For the Love of the Game: DistrictCon's Year 1 Junkyard
Notes from judging DistrictCon's Junkyard Year 1 — a Pwn2Own-style exploit contest targeting end-of-life devices. Disco balls, DNA sequencers, gym treadmills, and self-propagating game worms. Includes exploit chain diagrams for all eleven talks.
2025 security predictions retrospective
This time of year, everywhere you see, security guys like me are sharing our hot takes for the year ahead. However, reflecting on the past year is equally important. I like to see how my previous predictions held up and how things actually played out.
First Principles: Bad guys are humans, they're creative and driven, and they don't quit.
Here's the bigger question: If we do finally achieve 100% success in automating cyber defense, will the "bad guys" pack their stuff up and go home?
Hacker Summer Camp 2025 — People, Places, and Things
A little photo diary of Hacker Summer Camp 2025.