Writing
Notes from the work.
Short, opinionated reads on the technology, security, and AI shifts founders and operators actually get burned by — breaches and email-security failures, the platform and infrastructure changes that break things quietly, and the AI decisions that carry real risk. No hot takes for their own sake. If it isn't useful, it doesn't get published.
7 pieces

Your company is already an AI company. Nobody approved it.
While leadership debates an AI policy, the team already pasted source code, customer lists, and contracts into ChatGPT. Shadow AI is the fastest-growing data-loss channel in business — here's how to govern it without pretending you can ban it.
Read the piece
MFA didn't fail. Your session cookie did.
Infostealers don't crack multi-factor auth — they skip it, by lifting the session cookie that proves you already logged in. Here's how pass-the-cookie attacks actually work, and the defenses that change the math.
Read
Prompt injection is not a bug you can patch.
Everyone shipping an AI agent is quietly betting they've solved prompt injection. They haven't — nobody has. It's an architectural flaw in how LLMs read instructions, and the only real defense is designing agents that can't be talked into doing damage.
Read
AI writes the code. Who's reading it?
AI made writing code nearly free, so teams are shipping far more of it. The data says quality and stability are sliding — because the bottleneck quietly moved from writing to reviewing, and most teams didn't move with it.
Read
Your dependencies are the attack surface now.
A self-replicating worm tore through npm twice in 2025 — stealing credentials, spreading through trusted packages, even wiping machines when cornered. If one install runs an attacker's code with your keys, your supply chain is your perimeter.
Read
SOC 2 is not security.
A clean SOC 2 report says a vendor's chosen controls operated during a window that already closed. It doesn't say they can't be breached today — and a 2025 auditor scandal showed how thin that trust really is.
Read
Microsoft joined the party. Your email still isn't safe.
A year after Outlook started rejecting unauthenticated bulk mail, most senders think passing SPF, DKIM, and DMARC means they're done. Authentication is the ticket in — it was never the thing that gets you to the inbox.
ReadNew pieces land most weeks. Prefer them in your inbox? Reply to any note and say the word.
Get in touch
Let's talk.
Tell us what you're working on. We'll take it from there.