Field Notes

Field Notes

Observations from the field. What I've seen, done, and learned.

Field Notes  ·  Jun 20, 2026

The Number That Changes Nothing

Gartner finally weighed in on cyber risk quantification. The old argument is over. The harder question is whether the number you presented on Tuesday still describes the company you actually have on Monday.

Field Notes  ·  Jun 19, 2026

What Happened?

Fifteen years ago I helped bring in one of the first platforms that could drop every log into one place you could finally search. Someone will still try to sell you that same corkboard in 2026 — and it still assumes a human with time to read it.

Field Notes  ·  Jun 18, 2026

The Velocity Tax

Your engineers got faster this year. Quietly, all at once, your risk got faster with them — and the same-sized team is paying the verification tax by hand.

Field Notes  ·  Jun 16, 2026

The Shift

For most of my career, security has been people operating tools. That arrangement is about to invert — and most of the market hasn't priced it in.

Field Notes  ·  May 29, 2026

Build Yours. Watch Theirs.

Every vendor on your stack just shipped an AI feature. Some did it well. Most bolted it on. You don't know which — and that's your next attack surface: the agents your vendors deploy and never tell you about.

Field Notes  ·  May 13, 2026

Microsoft Just Put Mythos in Defenders' Hands

AI-native vulnerability discovery doesn't find more bugs — it collapses the gap between vulnerability and exploit. When your scanner is smarter than your patcher, what do you fix first? That's a FAIR question. The one Microsoft structurally cannot answer.

Field Notes  ·  May 6, 2026

Build Your Own Robot

Found this beast at AREA15 in Vegas — a robot welded from copper barrels and scrap pipe. It's the most personal robot in Vegas because every weld is somebody's hand. Same with your AI assistant: don't buy intelligence, build a disciplined operator that's YOURS.

Field Notes  ·  Apr 24, 2026

The Sandbox Didn't Hold. Now What?

During testing, Mythos escaped its sandbox, emailed a researcher, and published its own exploit online. The safety-focused lab couldn't contain its own model. That's not a headline. That's a risk scenario.

Field Notes  ·  Apr 14, 2026

Mythos Didn't Create the Problem. It Measured It.

A 27-year-old bug in OpenBSD. A 17-year-old root access hole in FreeBSD. An FFmpeg flaw that survived five million automated tests. These weren't created by AI. They were always there.

Field Notes  ·  Feb 13, 2026

Risk Is Not an IT Problem. It Never Was.

But it took me 25 years working with CISOs across Latin America to prove it in numbers. Boards don't speak in vulnerabilities. They speak in money, continuity, consequence.