Skip to content
← home

tag

#thinking

88 posts

First principles and philosophy: mental models, worldview, frameworks for understanding

Casey Ellis on VulnCheck Threat Con One — vulnerability disclosure post-Mythos
Thinking

The Hitchhiker's Guide to Vulnerability Disclosure in 2026

Post-Mythos vulnerability disclosure: a 2026 field guide for vendors and researchers on AI-era bug bounties, slop triage, and rebuilding ecosystem norms.

17 May 2026 · 13 min read
Security

Thoughts on the #slopdemic

Move over #vulnpocalypse — there's a new term we need to talk about: the #slopdemic. AI didn't invent low-quality vuln reports, but it just turbocharged them, and F/OSS is drowning.

04 May 2026 · 2 min read
Thinking

The top five turtles in a stack of 50

AI defense and code review get the funding, but hospitals still run XP and Ivanti falls over weekly. The security industry is ignoring 45 of its 50 turtles.

02 May 2026 · 1 min read
Thinking

Cryptographically enforced disclosure

A speculative proposal: cryptographically enforced vulnerability disclosure using a drand-triggered dead-man switch to make CVD fallback dates unbreakable.

01 May 2026 · 1 min read
Hot Takes

Security-focussed test/fix is basically “sparkling QA”

A short reaction to Firefox's claim that AI-found defects are finite: security-focused test-and-fix is basically QA wearing a fancier hat.

25 Apr 2026 · 1 min read
Thinking

We don't have a slop problem.

The real security problem isn't AI slop — it's that vulnerability research and the broader industry can't prioritize what actually matters in the noise.

24 Apr 2026 · 1 min read
Thinking

Build the tooling. Don't be the tooling.

The AI move in vulnerability research isn't prompting from scratch every run — it's using AI to build deterministic scanners, fuzzers, and analysis pipelines.

22 Apr 2026 · 1 min read
Thinking

The Compliance Reckoning

AI makes security verification cheap, putting two decades of checkbox compliance, paper pentests, and audit theater under sudden economic pressure.

28 Mar 2026 · 4 min read
Thinking

2026 security predictions

2026 cybersecurity forecast: China's PLA centenary looms, AI turns anyone into a malware developer, and economic pressure pushes more people toward cybercrime. Shift-left finally start working—but only for modern code. The rest of the internet? A triage trash fire.

26 Dec 2025 · 5 min read
Thinking

2025 security predictions retrospective

This time of year, everywhere you see, security guys like me are sharing our hot takes for the year ahead. However, reflecting on the past year is equally important. I like to see how my previous predictions held up and how things actually played out.

16 Dec 2025 · 6 min read
Thinking

First Principles: Bad guys are humans, they're creative and driven, and they don't quit.

Here's the bigger question: If we do finally achieve 100% success in automating cyber defense, will the "bad guys" pack their stuff up and go home?

26 Nov 2025 · 2 min read
Thinking

Founders Helping Founders: When Known Vulnerabilities are Life or Death

On today’s episode, Jon Sakoda speaks with Casey on the early economics of paying people to hack companies, criminal creativity, and why founders need to fix their known vulnerabilities.

13 Aug 2025 · 2 min read