Notes from the surface.
Kill chains we have seen, techniques we have shipped, and the occasional opinion on the EASM market.
Anatomy of a Docker → CI/CD → AWS kill chain.
Walkthrough of one anonymized kill chain BleedWatch caught last quarter — the four stages, the surprise, and the product decision behind each detection layer.
Why your dependency graph leaks more than your repo.
Field notes on NPM dependency confusion, typosquat patterns, and the metadata that escapes repository review entirely.
The exposure your AI assistant ships by default.
AI-assisted coding is widening the external attack surface faster than any tool will publicly admit. Field notes from six months of scanning what assistants actually commit.
Solo founder, AI-augmented by design.
Why a one-person team can ship a credible EASM platform in 2026, and the operating model that makes it real instead of a pitch deck.
Clearwing: why one LLM is not enough for production detection.
The multi-model cross-validation pattern we built into BleedWatch, inspired by Lazarus AI's Clearwing — and the three failure modes it actually solves.
Why EASM is still fundamentally broken in 2026.
The category is older than it looks, the incumbents are bigger than they should be, and the surface they actually cover is smaller than their marketing claims. Field notes from rebuilding the category.
After Mythos: what defenders actually need.
Anthropic's Mythos found thousands of zero-days at machine speed. Dario says we have a 6-12 month window. Here's what that means for the people building defensive tools — and what BleedWatch is doing about it.
The cookieless marketing stack I bet on.
No Google Analytics. No Hotjar. No FullStory. Why a security product can't credibly run the same tracking stack it warns customers about — and what I built instead.
Anthropic's commercial terms and why I sleep better.
Zero-retention. No model training. EU residency questions answered honestly. The one external LLM dependency BleedWatch holds, and the contract structure that makes it defensible at procurement.
The pre-launch checklist nobody publishes.
What I've shipped, what I haven't, and which gaps I'm comfortable about vs which keep me up. A solo founder's honest pre-launch ledger.
AI is the attack surface now.
2026 is the year 'AI-assisted dev' became 'AI-assisted leak.' The pattern, the new surface, and the bet behind AgentGuard.
The bench table you won't see anywhere else.
Why I published a public competitive benchmark with corrections-by-attribution, vs the analyst reports nobody can quote in a procurement deck.
What I learned shipping 200+ detection patterns.
ReDoS audit, false-positive rate by pattern family, regex vs semantic boundaries, and the three surprises that changed how I write detection.