Architecture decisions, technique writeups, and product stories from building an agentic security platform. Updated when we ship something worth writing about.
Story·5 June 2026·6 min read
JFrog and Ox Security disclosed IronWorm: a self-propagating npm worm with a Rust infostealer that fires from a preinstall hook and hunts 86 env vars and 20 credential files. Here's exactly what our no-code-on-your-runner architecture buys you when a worm like this is live, and, honestly, where it doesn't help.
Read →
Story·25 May 2026·7 min read
We pointed Pwnkemon at the most-scanned vulnerable web app in the world and let the agent decide what to look for. 13 minutes later: 11 confirmed findings including a critical SQL injection that took the app offline and a JWT key exposure path to admin takeover. Here's what the agent actually did, in order.
Read →
Story·24 May 2026·4 min read
Six hours before launch, our own product caught seventeen CVEs we'd picked up overnight, including a cryptography library advisory published less than twelve hours earlier. Here's what dogfooding actually looks like.
Read →
Architecture·24 May 2026·6 min read
Every other security GitHub Action runs scanner code on your CI runner, the same runner that holds your deploy secrets. We think that's the wrong tradeoff. Here's the architecture we chose instead.
Read →
Technique·23 May 2026·5 min read
A real scan of a small repo: seven 'high' npm-audit findings, all in dev-tool transitive dependencies, none reachable from production code. Why your scanner doesn't tell you that, and what we do instead.
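The reachability triage the post above describes, as an added example (not Pwnkemon's code): it walks a package-lock.json (lockfileVersion 3 layout, `packages` keyed by node_modules path) from the root's production `dependencies` using npm's nested-resolution rule, then labels each audit finding as prod-reachable or dev-only and shows the lockfile's own `dev` flag beside that answer. The lockfile, the package names and the findings are constructed for this example; this is dependency-graph reachability, not call-graph reachability from application code.

```python
"""Triage npm audit findings by production reachability (added example, not Pwnkemon code).

Walks the dependency graph in a package-lock.json (lockfileVersion 3 layout) from the root's
production "dependencies", using npm's nested node_modules resolution, and marks each finding
as prod-reachable or dev-only. The lockfile and findings below are constructed; names are fictional.
"""
import json

# Constructed lockfile with fictional package names.
SAMPLE_LOCK = json.loads(r'''{
  "name": "shop-api",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "shop-api",
      "dependencies": {"webframe": "^4.0.0"},
      "devDependencies": {"lintcore": "^8.0.0"}
    },
    "node_modules/webframe": {"version": "4.1.0",
      "dependencies": {"cookie-util": "^0.6.0", "semver-compat": "^5.0.0"}},
    "node_modules/cookie-util": {"version": "0.6.0"},
    "node_modules/semver-compat": {"version": "5.7.1"},
    "node_modules/lintcore": {"version": "8.2.0", "dev": true,
      "dependencies": {"glob-matcher": "^3.0.0", "semver-compat": "^7.0.0"}},
    "node_modules/glob-matcher": {"version": "3.0.4", "dev": true},
    "node_modules/lintcore/node_modules/semver-compat": {"version": "7.3.0", "dev": true}
  }
}''')

# Constructed findings in the shape a scanner reports them: name, severity, lockfile path.
SAMPLE_FINDINGS = [
    {"name": "glob-matcher", "severity": "high", "path": "node_modules/glob-matcher"},
    {"name": "semver-compat", "severity": "high",
     "path": "node_modules/lintcore/node_modules/semver-compat"},
    {"name": "cookie-util", "severity": "moderate", "path": "node_modules/cookie-util"},
]


def resolve(packages, from_path, dep_name):
    """Resolve dep_name the way Node does: nearest node_modules first, then walk up."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep_name}" if base else f"node_modules/{dep_name}"
        if candidate in packages:
            return candidate
        if not base:
            return None  # not installed anywhere: broken or hand-edited lockfile
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""


def prod_reachable(lock):
    """Set of lockfile paths reachable from the root's production dependencies."""
    packages = lock["packages"]
    reachable = set()
    stack = [("", name) for name in packages[""].get("dependencies", {})]
    while stack:
        from_path, name = stack.pop()
        path = resolve(packages, from_path, name)
        if path is None or path in reachable:
            continue
        reachable.add(path)
        pkg = packages[path]
        # Follow runtime and optional deps; peerDependencies are deliberately not followed here.
        for dep in list(pkg.get("dependencies", {})) + list(pkg.get("optionalDependencies", {})):
            stack.append((path, dep))
    return reachable


def triage(lock, findings):
    """Annotate each finding with graph reachability and the lockfile's own dev flag."""
    reachable = prod_reachable(lock)
    result = []
    for f in findings:
        pkg = lock["packages"].get(f["path"], {})
        result.append({**f,
                       "prod_reachable": f["path"] in reachable,
                       "lockfile_dev_flag": bool(pkg.get("dev", False))})
    return result


if __name__ == "__main__":
    for row in triage(SAMPLE_LOCK, SAMPLE_FINDINGS):
        tag = "PROD" if row["prod_reachable"] else "dev-only"
        print(f"[{tag:8}] {row['severity']:8} {row['name']} ({row['path']})")
```

The nested `semver-compat` 7.3.0 under `lintcore` is the case a flat name lookup gets wrong: the same package name is also installed at top level as a production dependency, so the answer has to be computed per lockfile path, not per package name.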
Read →
Architecture·23 May 2026·5 min read
Most scanners ship you a database query result and call it a report. We think the report IS the product. Here's the anatomy of a Pwnkemon scan output: what's in it, what's deliberately left out, and why.
Read →
Reference·23 May 2026·5 min read
A 'removed' secret in commit history is still a leaked secret. Half the scanners on the market don't even look. The rest tell you the secret exists but not which commit introduced it. Here's what real git-history scanning needs to do.
Read →
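The git-history requirement from the last post above, as an added example (not Pwnkemon's code): it parses a `git log -p --all` dump, matches secret patterns against added and removed diff lines, and reports for each secret the commit that introduced it, the commit that removed it, and whether it is still present. The commit hashes, file contents and log text are constructed; the AWS key id is AWS's documented example value, and the token is a made-up string.

```python
"""Trace leaked secrets through git history (added example, not Pwnkemon code).

Parses `git log -p --all` output (constructed below), finds +/- diff lines that match secret
patterns, and reports the introducing commit, the removing commit (if any) and whether the
secret is still present. A "removed" secret still has an introducing commit in history.
"""
import re
from dataclasses import dataclass

# Constructed commit hashes for the sample log.
NEWER_COMMIT = "9f3c2a1b4e6d8c0f2a4b6d8e0f1a3c5e7b9d1f3a"
OLDER_COMMIT = "4b7d0e5f1a2c3b4d5e6f7a8b9c0d1e2f3a4b5c6d"

# Constructed log: the older commit adds a hard-coded AWS key id (AWS's documented example value),
# the newer commit swaps it for an env lookup and adds a second file with a made-up token.
SAMPLE_LOG = f"""commit {NEWER_COMMIT}
Author: Dev <dev@example.com>

    remove hard-coded AWS key, add API client

diff --git a/config/settings.py b/config/settings.py
index 1111111..2222222 100644
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,3 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
 REGION = "us-east-1"
diff --git a/src/client.js b/src/client.js
new file mode 100644
index 0000000..3333333
--- /dev/null
+++ b/src/client.js
@@ -0,0 +1,2 @@
+const token = "tok_live_0123456789abcdef0123";
+module.exports = {{ token }};

commit {OLDER_COMMIT}
Author: Dev <dev@example.com>

    add settings

diff --git a/config/settings.py b/config/settings.py
new file mode 100644
index 0000000..1111111
--- /dev/null
+++ b/config/settings.py
@@ -0,0 +1,3 @@
+DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+REGION = "us-east-1"
"""

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned_token": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"),
}
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})\b")
PATH_RE = re.compile(r"^(?:\+\+\+ b/|--- a/)(.+)$")  # /dev/null headers do not match


@dataclass(frozen=True)
class Hit:
    commit: str
    path: str
    kind: str
    secret: str
    added: bool  # True if the line was added in this commit, False if removed


def parse_log_hits(log_text):
    """Scan every +/- diff line in a `git log -p` dump for secret patterns."""
    hits, commit, path = [], None, None
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit, path = m.group(1), None
            continue
        m = PATH_RE.match(line)
        if m:
            path = m.group(1)
            continue
        if commit is None or path is None or line.startswith(("+++", "---")):
            continue
        if line[:1] in ("+", "-"):
            for kind, pat in SECRET_PATTERNS.items():
                for sm in pat.finditer(line[1:]):
                    secret = sm.group(1) if sm.groups() else sm.group(0)
                    hits.append(Hit(commit, path, kind, secret, line[0] == "+"))
    return hits


def trace_secrets(log_text):
    """Per secret: introducing commit, removing commit (if any), still_present flag."""
    order = [m.group(1) for m in (COMMIT_RE.match(l) for l in log_text.splitlines()) if m]
    rank = {c: i for i, c in enumerate(reversed(order))}  # git log is newest-first
    report = {}
    for h in sorted(parse_log_hits(log_text), key=lambda h: rank[h.commit]):
        e = report.setdefault(h.secret, {"kind": h.kind, "path": h.path,
                                         "introduced_in": h.commit,
                                         "removed_in": None, "still_present": False})
        # still_present is the add/remove balance along the log; approximate across branches.
        e["still_present"], e["removed_in"] = (True, None) if h.added else (False, h.commit)
    return report


if __name__ == "__main__":
    for secret, e in trace_secrets(SAMPLE_LOG).items():
        state = "STILL PRESENT" if e["still_present"] else f"removed in {e['removed_in'][:12]}, still in history"
        print(f"{e['kind']:18} {e['path']:20} introduced {e['introduced_in'][:12]}  {state}")
```

The point of the report is the introducing commit: that is the one to reference when rotating the credential and when rewriting or purging history, and it is what a scanner that only inspects the working tree never produces.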