Writing

Blog

Writing about cybersecurity, AI security, and things I find interesting. Also on Substack.

2026-03-29 · 7 min read

Why SAST Tools Fail on Agentic Code (and How to Measure It)

Current static analysis tools weren't built for agentic systems where dangerous capabilities are features, not bugs. Here's a benchmark to measure what they actually catch.

SASTAppSecAI Agents

2026-03-02 · 3 min read

xFire: AI Agents Debate Your Code So You Don't Ship Vulnerabilities and Bugs

Security review is too important for a single opinion and too noisy to tolerate false positives. xFire uses multi-agent adversarial debate to fix both.

AI AgentsSecurityCode Review

2026-02-26 · 9 min read

Stop Telling Your AI Agent What Not to Do

We built structured skills for our AI agent and watched performance drop by 6x. Here's what we learned.

AI AgentsSecurityLLM

2025-10-02 · 3 min read

Benchmarking SAST

Choosing the right static analyzer — comparing SAST tools using precision, recall, and F1 metrics on realistic codebases.

SASTAppSecBenchmarking

2025-07-23 · 3 min read

SecLint: An Agentic Code Vulnerability Scanner

Context-Aware, Agent-Driven Security Scanning That Scales Beyond Manual Reviews

AI SecuritySASTRAG