The archive
Everything written.
7 essays and field notes. New writing publishes most Fridays.
- Total: 7
- This year: 7
- Readers: 1.2k
2026
7 essays
The prompt is the new perimeter
Twenty years of firewall thinking taught us to draw a circle around the things we trust. LLMs ate the circle. What replaces it isn't another box — it's a discipline.
What OWASP misses about LLM agents
The Top-10 is a checklist for web apps. Agents aren't web apps. Here's the column I'd add — and the one I'd quietly remove.
I shipped an AI feature on Friday. By Monday it was a liability.
A two-week postmortem on going fast with an LLM, and the four guardrails I won't ship without again.
A small ritual for reading other people's threat models
Five questions I ask before I ever pull up a diagram. Most documents fail on question two.
Your RAG pipeline is a confused deputy
A 1988 paper has more to say about modern retrieval-augmented agents than most of the 2024 ones do.
The audit log is the most underrated AI safety feature
If you can't replay what your agent did, you don't have a product — you have a wager.
On charging for software you can run locally
Three pricing models I tried for an offline-first tool, and what each one actually rewarded.