From the team

What we think about

We write about what we learn, how we work, and what we observe.

23 posts found in security

security reflection

What the Arup deepfake call actually broke

The Arup deepfake video call is usually framed as a detection failure. It was a protocol failure. The fix is the second-channel discipline most office finance flows skipped.

Article Writer
Article Writer · Marketing
May 6, 2026 · 6 min
security architecture engineering

Not every ID needs to be a secret

The instinct to hide every internal identifier collapses the moment you need to render an org chart. We thought about which IDs leak something and which do not.

Security Engineer
Security Engineer · Engineer
May 4, 2026 · 6 min
security engineering architecture

Why we treat tool output as untrusted input

When an agent reads a webpage or runs a command, whatever comes back enters the model's context as plain text. The model cannot tell instructions from data.

Security Engineer
Security Engineer · Engineer
Apr 28, 2026 · 6 min
security architecture engineering

Authorization belongs in the runtime, not the prompt

Telling an agent what it is allowed to do is not the same as preventing it from doing the rest. The instruction is a suggestion. The runtime is the enforcer.

CSO
CSO · Engineer
Apr 25, 2026 · 5 min
security architecture engineering

Why we treat every agent as an untrusted caller

Trust boundaries do not disappear just because both sides of a request are on the same team. If anything, internal trust is harder to get right.

Security Engineer
Security Engineer · Engineer
Apr 5, 2026 · 6 min