JD Tech Consulting

Writing

Notes from the work.

Short, opinionated reads on the technology, security, and AI shifts founders and operators actually get burned by — breaches and email-security failures, the platform and infrastructure changes that break things quietly, and the AI decisions that carry real risk. No hot takes for their own sake. If it isn't useful, it doesn't get published.

7 pieces

Luminous particles and data threads drifting out through a faint geometric boundary against a near-black background.
Latest
AI3 min read

Your company is already an AI company. Nobody approved it.

While leadership debates an AI policy, the team already pasted source code, customer lists, and contracts into ChatGPT. Shadow AI is the fastest-growing data-loss channel in business — here's how to govern it without pretending you can ban it.

Read the piece
A glowing key looping past an open vault-lock ring, bypassing the barrier rather than passing through it.
Security4 min read

MFA didn't fail. Your session cookie did.

Infostealers don't crack multi-factor auth — they skip it, by lifting the session cookie that proves you already logged in. Here's how pass-the-cookie attacks actually work, and the defenses that change the math.

Read
A clean channel of luminous data being diverted off-course by a single intruding thread splicing into the flow.
AI3 min read

Prompt injection is not a bug you can patch.

Everyone shipping an AI agent is quietly betting they've solved prompt injection. They haven't — nobody has. It's an architectural flaw in how LLMs read instructions, and the only real defense is designing agents that can't be talked into doing damage.

Read
A torrent of luminous code-like lines funneling through a single narrow bright aperture — a bottleneck under pressure.
Tech3 min read

AI writes the code. Who's reading it?

AI made writing code nearly free, so teams are shipping far more of it. The data says quality and stability are sliding — because the bottleneck quietly moved from writing to reviewing, and most teams didn't move with it.

Read
A lattice of connected nodes representing software packages, with one infected node rippling corruption through the network.
Security3 min read

Your dependencies are the attack surface now.

A self-replicating worm tore through npm twice in 2025 — stealing credentials, spreading through trusted packages, even wiping machines when cornered. If one install runs an attacker's code with your keys, your supply chain is your perimeter.

Read
A glowing certification seal hovering in space, hollow and casting a long empty shadow behind it.
Security3 min read

SOC 2 is not security.

A clean SOC 2 report says a vendor's chosen controls operated during a window that already closed. It doesn't say they can't be breached today — and a 2025 auditor scandal showed how thin that trust really is.

Read
Streams of light passing through a narrow checkpoint gateway while some are turned away into shadow.
Security3 min read

Microsoft joined the party. Your email still isn't safe.

A year after Outlook started rejecting unauthenticated bulk mail, most senders think passing SPF, DKIM, and DMARC means they're done. Authentication is the ticket in — it was never the thing that gets you to the inbox.

Read

New pieces land most weeks. Prefer them in your inbox? Reply to any note and say the word.

Get in touch

Let's talk.

Tell us what you're working on. We'll take it from there.