Security
Offense Scales with Compute. Defense Scales with Committees.
Why AI is widening the attacker-defender gap faster than anything we've built to close it — and what that actually means for the next decade of security.
Processing experience into insight - retrospectives, lessons
Security
As AI accelerates the offense-defense asymmetry, bug bounties and vulnerability disclosure remain essential. Casey Ellis on the future of bug bounties, the evolving threat landscape, and how disclose.io and the SRLDF protect the researchers keeping us safe.
Policy
There's a fresh conversation happening about the distinction between bug bounty programs and vulnerability disclosure programs. This is an area where the distinction between a bug bounty program (cash or cash equivalent proactively offered to the public) and a vulnerability disclosure program (which can optionally offer a thank-you
Thinking
2026 cybersecurity forecast: China's PLA centenary looms, AI turns anyone into a malware developer, and economic pressure pushes more people toward cybercrime. Shift-left finally starts working, but only for modern code. The rest of the internet? A triage trash fire.
Thinking
This time of year, everywhere you look, security guys like me are sharing our hot takes for the year ahead. However, reflecting on the past year is equally important. I like to see how my previous predictions held up and how things actually played out.
Thinking
Here's the bigger question: If we do finally achieve 100% success in automating cyber defense, will the "bad guys" pack their stuff up and go home?
Building
The sticking point is the word "free". If you do happen to get stuck there (and a lot of things will push you in that direction), a lot of the magic in the decision math gets missed. Everything has a Give and a Get and, if you're doing it right, nothing is ever given away for free.
Building
A solution disconnected from its problem isn't actually solving anything.
Security
That said, the widespread nature of the effects shown in the six-part series are definitely plausible. Industrial control systems and the infrastructure that supports them are riddled with zero-day vulnerabilities, alongside the more common "known, yet unpatched" n-day vulnerabilities.
Security
Alfred Hobbs: The OG bug bounty hunter who cracked England’s ‘unpick-able’ locks. His breaker mindset exposed flaws, sparked innovation, and proved no system is perfect.
Security
It's that time of year again... Here are a few trends that I see making their presence felt in 2025 - These are a work in progress, and I might expand on a few of these: 1. Peacetime cyber vs. wartime cyber: 10 years from now, we'
Security
What's the deal with Volt Typhoon, Salt Typhoon, and Flax Typhoon - and what do we need to do?