Writing

My weekly take on AI security — the one signal worth holding onto from each Context Window edition.

Latest · Edition #14

"Look, an instruction!" That's the bug.

Every week this newsletter covers a new place an attacker hid an instruction, and a new AI assistant that found it and ran it. Last September, ForcedLeak showed Salesforce Agentforce reading hidden instructions out of a Web-to-Lead form and exfilling CRM data through an expired allowlisted domain.

May 11, 2026

Archive

May 4, 2026 · #13

When Trust Is the Exploit

The angle that stuck with me this week isn't about any single vulnerability.

April 27, 2026 · #12

Three Layers, Three Attack Surfaces, One Agent

Most security teams are securing one layer.

April 20, 2026 · #11

Every Consultancy Is a Honey Pot Now

The Big Three consulting firms don't just advise on AI.

April 13, 2026 · #10

Anthropic’s Oppenheimer Moment

They did something more permanent: they told the world it exists, it works, and it finds zero-days in every major OS and browser, some of them sitting undetected for 27 years.

April 6, 2026 · #9

Instructions Are Not Guardrails

North Korea convinced an npm maintainer to trust an AI-generated persona by writing technically convincing messages for two weeks.

March 30, 2026 · #8

Zero Day to Zero Second, When Security Tools Become the Weapon

The TeamPCP campaign broke three security reflexes we've relied on for decades.

March 23, 2026 · #7

AI Didn’t Create New Vulnerabilities, It Made Old Ones Affordable

Infrastructure was never fully hardened, and for years, it didn't need to be.

March 16, 2026 · #6

Built-in AI Security Is a Sensor, Not a Solution

OpenAI buying Promptfoo is genuinely good news for the industry.

March 8, 2026 · #5

Zero Trust for Agent Memory

A decade ago, the industry made a fundamental shift: stop trusting internal network traffic.

March 1, 2026 · #4

Not All Agents Are Built Equal, Why Posture Management Must Evolve for Non-Deterministic Risk

Pro-code agents behave like traditional apps: deterministic, scoped, predictable.