Half essay, half marginalia. Mostly about AI agents, security systems, the boring details that make products actually work, and what I've learned by writing it down. New entries land here when they're ready.
showing 22 published notes
If an AI security agent becomes part of the SOC workflow, it needs reliability engineering like any other production system.
Threat intelligence pipelines fail when they treat intelligence as a feed problem. The hard part is turning sources into evidence, context, and decisions.
Agentic SOC systems need memory, but not the soft kind. They need a structured graph of entities, evidence, relationships, and decisions.
Agentic incident response is not autonomous panic. It is structured delegation inside a response system that preserves evidence and keeps humans in control.
Modern intrusions often look like normal users doing abnormal things. That makes identity the center of the AI-native SOC.
An AI SOC agent should not graduate to production because it gave three impressive demos. It should graduate because it survived evaluation.
AI can help write detections, but detection engineering is still an evidence discipline, not a prompt trick.
Agentic AI in the SOC becomes dangerous when tools are treated like plugins instead of production security interfaces.
The best AI cybersecurity talk right now is not about replacing analysts. It is about rebuilding the SOC around evidence, workflow, trust, and controlled agentic systems, from someone who can build and lead the work.
Traditional security platforms were built around dashboards and queues. AI-native SecOps platforms need evidence, workflow memory, typed actions, guardrails, and analyst control.
Dark web exposure work is not just searching shady indexes. It is entity resolution, evidence handling, identity risk, source confidence, privacy discipline, and response orchestration.
Modern AI systems are increasingly becoming workflow systems rather than standalone model integrations. The workflow engine becomes the backbone of operational AI.
Security investigations are not search problems. They are evidence problems. Deep research systems need retrieval, correlation, memory, provenance, and a refusal to invent confidence.
AI systems are often evaluated only on model quality. In production, infrastructure reliability matters just as much as intelligence.
Standalone AI interfaces are not enough for real operations. Enterprise AI becomes valuable when it integrates deeply into the systems where work actually happens.
Most "AI product" work is really tool design, approval-flow design, and observability. The model just sits in the middle, doing the easy part. A short essay on what actually makes these systems good.
What you give up, what you get back, where the math actually works out, and the strange small joy of a query plan that ends in s3.GetObject.
A useful word is losing its meaning - not because of anyone in particular, but because everyone is using it for everything. A small attempt to put it back together, with verbs.
After six months of watching analysts work, I'm convinced that what SOC teams need is less AI and more reorganization. The good AI helps with that, too - but only if you start there.
The protocol is small. The interesting design decisions are not. A field report from building, breaking, and re-building a tool server - and what I'd actually do differently next time.
Vesting, cliff, refresh, RSU vs ISO, strike price, dilution - a short, opinionated field guide to the part of an offer most engineers (including me, once) try not to read.
On the gap between a thing that works in the room and a thing that works in a customer's hands on a Tuesday morning. The first half of a long-running argument I keep having with myself.