Hot Takes
Short-form takes — quick reactions and sharp one-liners.
The top five turtles in a stack of 50
AI defense and code review get the funding, but hospitals still run XP and Ivanti falls over weekly. The security industry is ignoring 45 of its 50 turtles.
Cryptographically enforced disclosure
A speculative proposal: cryptographically enforced vulnerability disclosure using a drand-triggered dead-man switch to make CVD fallback dates unbreakable.
Peacetime cyber versus wartime cyber
Cyber defense doctrine was built during 15 years of peacetime; the transition to wartime and austerity demands a rewrite of what we accept as polite.
Tactically, Mythos is Anthropic marketing their asses off
Mythos as a tactical Anthropic marketing play against OpenAI — and why open-weight models already made the world-ending case before any of it landed.
AI isn't the problem — asymmetry is
AI isn't the security problem — it widens the asymmetry between vulnerability discovery and remediation, putting attack capability in many more hands.
Mythos feels a lot like Snowden
Mythos is to vulnerability awareness what Snowden was to surveillance: the moment the zeitgeist finally caught up to what insiders already knew.
Security-focussed test/fix is basically “sparkling QA”
A short reaction to Firefox's claim that AI-found defects are finite: security-focused test-and-fix is basically QA wearing a fancier hat.
We don't have a slop problem.
The real security problem isn't AI slop — it's that vulnerability research and the broader industry can't prioritize what actually matters in the noise.
Build the tooling. Don't be the tooling.
The AI move in vulnerability research isn't prompting from scratch every run — it's using AI to build deterministic scanners, fuzzers, and analysis pipelines.
The character of the kingdom
“The character of the kingdom ultimately inherits the character of the king.” - Dr Edwin Louis Cole.
What's your 20/20?
“You can achieve less than you think in a year and more than you think in a decade.”