May 2026
Frontier AI, cyber resilience, and ASIC's call to action
AI models are getting better at chaining exploits, and ASIC is right to push for urgent cyber resilience. My take on where the real risk sits.
May 2026
Results Age
This is so true
May 2026
National AI Centre website: a starting point for governance
The new ai.gov.au feels like wishful thinking without proper regulation, but it's a good starting point for boards serious about AI governance.
May 2026
Artificial Analysis Coding Agent Benchmarks
Artificial Analysis added coding agent benchmarks. It shows the influence of harnesses — significant — and the work Cursor has done with theirs.
May 2026
Securing AI Initiatives: New Technology, Familiar Risk Work
AI changes the attack surface, but not the basic discipline: identify the risk, assess it, treat it, test the controls, and keep reviewing.
May 2026
Speaking at StartSpace Breakfast Club
I'll be speaking at StartSpace Breakfast Club about cybersecurity and ISO 27001 for startups.
May 2026
Stop using PII as evidence of identity
Date of birth, address, mother's maiden name: none of these prove you are who you say you are. After years of mass breaches, PII-based identity verification is security theatre.
May 2026
Software Fundamentals Matter More Than Ever
Matt Pocock on software fundamentals. A perfect watch for the weekend.
Apr 2026
fallow: codebase intelligence for TypeScript and JavaScript
I started using fallow to replace knip and jscpd. Solid upgrade. Rust-powered, with CRAP metrics, architecture rules, and more.
Apr 2026
AI costs catching up — GitHub Copilot changes plans
After Anthropic raised prices, GitHub Copilot is changing too. Suspended new student and pro onboarding, moving to token pricing.
Apr 2026
GPT-5.5 pricing: cheaper than Claude, competitive with Chinese models
GPT-5.5 costs twice as much as GPT-5.4, but Artificial Analysis' Intelligence Index shows surprising value comparisons.
Apr 2026
What too many AI projects feel like
It's not as big a loss as it looks, because now I have leftover supplies, which will help me talk myself into doing this all over again with a new project!
Apr 2026
Caveman mode: 75% token reduction, 3x latency drop
You try. You save token. Time. Money. You thank later. 75% token reduction, 3x latency drop, no loss of accuracy.
Apr 2026
Compliance platforms are not proof of compliance
The Delve saga is just the tip of the iceberg. Compliance platforms are evidence collection tools, not proof of compliance.
Apr 2026
.ch email: phishing in German, easy to spot
The good thing about having a personal email ending in .ch is that a lot of the phishing I get is in German, so it makes it easy to spot.
Apr 2026
Did I just get politely invited into a C2?
Did I just get politely invited into a C2? For the non-cyber here: C2 most commonly refers to Command and Control infrastructure in cybersecurity.
Apr 2026
Glasswing: an initiative to secure the world's software
Dario Amodei offered to work with US officials to assess AI risks and defend against them. Then crickets.
Apr 2026
Your AI vendor is now a critical infrastructure provider. Are you treating them like one?
Most companies building on AI APIs have no SLA, no fallback, and no DR plan for their LLM provider. That needs to change.
Apr 2026
Many controls for agents are just polite suggestions
We forget that many controls for agents are akin to politely asking 'please don't do anything stupid'.
Apr 2026
Claude Mythos is a serious exploit researcher
Anthropic's Claude Mythos found thousands of high-severity vulnerabilities, including a 27-year-old bug in OpenBSD. Get your umbrellas.
Apr 2026
The cognitive impact of coding agents
This is absolutely going to be an epidemic in 2026. People are going to burn out in large numbers trying to keep up with unrealistic expectations.
Apr 2026
The #1 programmer excuse for slacking off in 2026
The #1 programmer excuse for legitimate slacking off in 2026
Apr 2026
Five things to get right before deploying AI agents
Stopping an agent is table stakes. Undoing what it already did is the part nobody plans for.
Apr 2026
What Peer-Preservation Tests Really Say About AI Agents
Peer-preservation tests point to a broader workflow risk: small changes in context, incentives, or tool output can steer agent behaviour in ways that compound quickly.
Apr 2026
OpenClaw vulnerability — yet another reason to be freaked out
One more vulnerability leading to a possible full compromise of OpenClaw. Most Claws have too much access and too weak controls.
Apr 2026
Portless: Named URLs Instead of Port Numbers for Local Dev
Vercel Labs open-sources portless, a reverse proxy replacing http://localhost port numbers with stable named URLs, with automatic HTTPS and git worktree support.
Apr 2026
I Migrated Two Projects to Vite+ in a Week. Here's Why a Security Guy Cares About Developer Tooling.
VoidZero's new Vite+ toolchain unifies six JavaScript dev tools into one Rust-based CLI. From a security perspective, it means faster checks that actually get run, zero-config linting enabled by default, and a dramatically smaller dependency surface to audit.
Apr 2026
The Password Game
Couldn't pass rule 8
Mar 2026
No Copilot on Friday afternoons
Remember: No Copilot this afternoon!
Mar 2026
TurboQuant: 6x more space efficient, 8x faster inference
Is cheap RAM coming back? Google's TurboQuant makes models 6x more space efficient and 8x faster inference using polar coordinate quantization.
Mar 2026
Hooks are finally coming to OpenAI's Codex
Hooks are finally coming to OpenAI's Codex. They're excellent to enforce hard controls and helpful features for agentic workflows.
Mar 2026
Should Claude Code be a requirement for software engineering?
Someone in my network said they're looking for Claude Code expertise when scanning resumes. Does this take precedence over engineering principles?
Mar 2026
The Flat Namespace Problem: Why Your RAG Pipeline Can't Keep Secrets
The context window has no internal permissions model. Once data lands there, sensitive and ordinary tokens sit side by side, which is why RAG needs boundaries before retrieval and after output.
Mar 2026
Nothing humbles you like OpenClaw speedrunning your inbox
Nothing humbles you like telling your OpenClaw 'confirm before acting' and watching it speedrun deleting your inbox.
Mar 2026
Companies offering backup for AI oopsies will make a fortune
I'm pretty sure companies offering good backup/versioning to quickly restore data after AI oopsies will make a fortune.
Mar 2026
Now It's Agent Skills. Same Supply Chain Problem, New Attack Surface.
Agent Skills are not harmless markdown. They are the same supply chain problem as MCP servers, just packaged for AI agents.
Feb 2026
WebMCP vs AI agents with unrestricted screen access
Agents that simulate human behaviour have full access to everything on your screen. WebMCP could offer a better path with structured, permissioned access.
Feb 2026
We're Building MCP Servers Like They're Traditional APIs. They're Not.
MCP servers operate with delegated permissions, dynamic tool architectures, and chained invocations. Old API security patterns don't apply. OWASP's new guide lays out what secure MCP development actually looks like.
Feb 2026
Open source maintainers targeted by AI agents
We have human attackers trying to get in our repos, now we also have non-human ones. Every skill, MCP, and permission can get you compromised.
Feb 2026
Seedance 2.0: impressive deepfakes, still can't spell
Seedance 2.0 is impressive, and will create more deepfake issues. But it still can't spell.
Feb 2026
Ransomware is shifting from encryption to extortion
Getting your data breached is like smoking: it's easier not to start. Ransomware is shifting from encryption to extortion.
Feb 2026
Bithumb sent 620,000 BTC instead of 620,000 won
Bithumb apologised for a staff error that sent customers 620,000 bitcoins instead of 620,000 Korean won. How was this possible?
Jan 2026
Claude Opus 4.6 and GPT-5.3-Codex: new models drop
Claude Opus 4.6 and GPT-5.3-Codex both claim to be better than all previous models. OpenAI says GPT-5.3-Codex is the first High capability model for cybersecurity.
Jan 2026
I don't care that you have a strong password
I don't care that you have a strong password. I care that you have a unique password and MFA for each service.
Jan 2026
Australia's Smart Device security standards: progress but not enough
Australia's Security Standards for Smart Devices rules will be enforced from March 2026. Good start, but it still puts the onus on us.
Jan 2026
CISO, fractional CISO, and vCISO: my take
I agree with Brian Blakley that the CISO role is a key governance function. But I view the vCISO as a service that augments an existing executive role.
Jan 2026
Throwing money at security tools doesn't fix root causes
Throwing more money and tools at a problem that's not well understood is something I've observed first-hand. Use fewer tools, better.
Dec 2025
Autonomy Is the Threat Model: Why the LLM Top 10 Wasn't Enough
Once an LLM can plan, choose tools, and act, autonomy becomes the threat model. The right response is least agency, narrow tool boundaries, and architecture that limits blast radius.
Nov 2025
Security vs. Compliance
Security and compliance overlap, but they are not always the same. Know the difference when defining priorities and allocating resources.
Nov 2025
Everyone's Installing MCP Servers from GitHub. Nobody's Checking What They Do.
Tool poisoning and rug pulls are the new supply chain attacks. OWASP's cheatsheet on securely using third-party MCP servers covers version pinning, checksums, trusted registries, and why 'latest' is a security risk.
Nov 2025
A Reality Check on Cloud Reliability
The Cloud isn’t as infallible as we’d like to think. Test your disaster recovery (DR) and business continuity planning (BCP).
Aug 2025
Agentic AI Governance: The Gap Between Frameworks and Reality
Most organisations experimenting with AI agents still do not have a real operating model for access, approvals, monitoring, ownership, and rollback. That gap matters more than the framework choice.
Jul 2025
No Phone Home: Digital Identity Without Built-In Tracking
Digital identity works better when verification does not create a built-in tracking system.
Jul 2025
Your Incident Response Playbook Wasn't Built for GenAI
GenAI incident response breaks deterministic assumptions, and multi-agent systems make containment and reconstruction harder by spreading bad context across tool chains and agent handoffs.
May 2025
Is vibe-coding safe?
Is vibe-coding safe? And what can you do to protect yourself?
May 2025
Fractional CISO vs vCISO: accountability vs responsibility
A Fractional CISO is accountable, just like a CISO, but working part-time. A vCISO can only be made responsible; accountability stays with the CxO.
Apr 2025
Claude API 98.21% uptime in March: 13 hours of downtime
Claude API hit 98.21% availability in March 2025. That sounds fine until you convert it: over 13 hours of downtime in a single month, 18x what a 99.9% SLA permits.
Apr 2025
Learning from Deliberately Broken Agents
OWASP's insecure agent samples turn agent security into something developers can run, break, and inspect across the frameworks they already use.
Feb 2025
Reporting Vulnerabilities
How do you report vulnerabilities and get them fixed?
Feb 2025
Unforgivable vulnerabilities
Vulnerabilities are not all born equal. Some are 'forgivable' and others are 'unforgivable', depending on the ease of implementing mitigations.
Jan 2025
Compare LLM Model vs LLM Service
The risk profiles of AI models and of the providers running them are different. Learn how to evaluate them correctly.
Jan 2025
When do you need to think about security and privacy?
As a startup founder or leadership team, when is a good time to think about security and privacy?
Jan 2025
Adding AI to Your Company: Risks and Opportunities
Most organisations do not need an AI strategy deck first. They need rules for data, access, procurement, and accountability.
Jan 2025
Securing Your LLM Applications with the OWASP Top 10
The OWASP Top 10 for LLM Applications is the security checklist most teams skip before deploying GenAI. Here's what's in the 2025 edition, what's changed, and why it matters, with real-world incidents that prove these aren't hypothetical risks.
Jan 2025
Adding AI to your SaaS - Security Risks and Opportunities
Using a new AI solution is no different to using any other third-party solution, with a few additional and important considerations.
Jan 2025
Browser extensions
Are browser extensions the new macros?
Dec 2024
Use separate browser profiles
Using separate browser profiles is a quick and easy way to increase your security and privacy.
Dec 2024
SOC2 vs ISO 27001
SOC2 and ISO 27001 are two important security compliance standards that serve different but complementary purposes. But which one is best for you?
Dec 2024
Enable MFA everywhere
How do you enable multi-factor authentication (MFA) on your accounts?
Dec 2024
Let security updates flow
Don't bundle security updates and large software releases together.
Dec 2024
How do you pronounce CISO?
Do you pronounce it CISO, CISO or CISO? A quick poll of my network.
Dec 2024
IPSIE is great news
The new Interoperability Profiling for Secure Identity in the Enterprise (IPSIE) Working Group is great news for security.
Sep 2024
Threat Modelling 101: Choosing the Right Framework for Your Security Programme
A short practical intro to STRIDE, DREAD, and PASTA, three complementary threat modelling frameworks for different stages of your security process.
Jul 2024
Admin and devs are great targets
As we're getting better at protecting systems and accounts, attackers are moving to targeting admins and devs through the tools they use.
Jul 2024
SABSA and TOGAF 101
SABSA and TOGAF are not competing frameworks. One governs enterprise architecture delivery, the other provides security engineering rigour. Here's how they fit together.
Jun 2024
Does password complexity matter?
Does password complexity really matter? And if not, what does?
Jun 2024
CISO vs vCISO vs fractional CISO
CISO, vCISO, fractional CISO and more options to lead your information security practice.
Apr 2024
Threats
Threats are not just hackers. A practical way to separate threat sources from threat events and build better scenarios.
Apr 2024
Threats, Risks, and Controls
A practical way to connect business objectives, threats, vulnerabilities, controls, and actions without turning risk into theatre.
Apr 2024
Risk Management
A practical risk management sequence, from context to treatment, without turning the exercise into a document factory.
Apr 2024
Risk Identification
A practical way to decide which risks deserve a place in your register, and which ones are just background noise.
Apr 2024
Pro Bono Work
Helping charities fight off the bad guys.
Apr 2024
People, Process and Technology
Security is not just about technology.
Apr 2024
Mitigating Single Points of Failure
What could go wrong usually does.
Apr 2024
MFA on shared accounts
Adding MFA to shared accounts is possible and recommended for most threat profiles.
Apr 2024
Information Security vs. Cyber Security vs. Privacy
The differences and overlaps of these three practices.
Apr 2024
Confidentiality, Integrity, and Availability
Most teams over-focus on secrecy. The CIA triad works better when you use it to test trade-offs, not recite definitions.
Apr 2024
Data vs. Information vs. Knowledge vs. Wisdom
Get some value out of these 1's and 0's.