Ideas

Thinking
out loud.

Notes on AI security, design, and the places where they collide. Covering LLM exploits, zero-days, and the craft of building things that last.

66
AI Postmortem & Runbook Automation: From 3 Hours to 20 Minutes

AI can compress postmortem writing from 3 hours to 20 minutes and generate runbook first drafts from incident timelines. Here is how to automate the right parts, keep the human analysis intact, and build a postmortem corpus that makes future incidents shorter.

May 2026 SRE
65
MCP Tools for SRE Observability: Giving Your Agent Eyes

Model Context Protocol lets SRE agents query Elasticsearch, Prometheus, Honeycomb, and Kubernetes in natural language. Here is what the MCP tool surface looks like for a real observability stack, and what changes when the agent can see everything.

May 2026 SRE
64
AI Agent On-Call: From Alert to Root Cause Without Waking Anyone Up

PagerDuty and Azure SRE Agents report 75% lower MTTR in 2026. Here is how to structure an AI-assisted on-call workflow: what to automate, where to keep humans in the loop, and how to avoid the false confidence trap.

May 2026 SRE
63
Calm Interfaces: Designing for Attention in the Age of AI

The dominant UI trend of 2026 is not maximalism or AI-first automation. It is restraint. Calm interfaces that respect human attention, surface AI as a thoughtful copilot, and refuse to amplify noise.

May 2026 Design
62
When the Interface Is the Attack Surface: Generative UI Security

AI-generated interfaces can hallucinate dark patterns, render XSS payloads, and systematically violate WCAG — not through malice, but through statistical plausibility. When the UI itself is model output, the security model must treat the interface as untrusted.

May 2026 AI Security
61
Agentic Memory Poisoning: The Attack That Waits

Prompt injection ends when the conversation closes. Memory poisoning does not. The MINJA attack achieves 95% injection success with a payload that sits dormant until the right future query activates it — days or weeks later.

May 2026 AI Security
60
Agent Identity in 2026: Five Competing Standards and No Clear Winner

RSAC 2026 saw five major vendors launch incompatible agent identity frameworks in the same week. Protocol fragmentation is not just an interoperability problem — when an agent cannot verify the identity of the agent it is talking to, every delegation becomes a trust assumption.

May 2026 AI Security
59
The Multi-Hop Delegation Problem: Token Chains in Multi-Agent Systems

When Agent A delegates to Agent B which delegates to Agent C, who actually authorized the final action? Multi-agent delegation chains are breaking the accountability model that OAuth was designed to provide — and most frameworks don't enforce scope narrowing at all.

May 2026 AI Security
58
When Authorization Outlives Intent: Short-Lived Credentials in Agentic AI

65% of agentic chatbots have never been used yet still hold live access credentials. Token lifetime is not a configuration detail — it is the primary blast-radius control for every agentic system in production. One stale credential, seven hundred breach notifications.

May 2026 AI Security
57
Data Visualization as Communication

A chart that requires a legend to decode is a chart that failed. The best data visualizations make their argument without explanation. Chart type as semantic choice, the data-ink ratio, annotation over legend, honest scales — and why misleading visualizations destroy trust faster than bad data does.

May 2026 Design
56
Accessibility Is Not an Afterthought

Designing for the edges of human capability doesn't produce a restricted interface — it produces a better one. The curb cut effect, POUR principles, color contrast, focus management, screen reader semantics, and why accessibility constraints force the clarity every interface should have by default.

May 2026 Design
55
Loading States Are Interface Communication

A spinner is not a design decision — it's a surrender. Every loading state is an opportunity to tell the user something true about what's happening. Skeleton screens vs spinners, progressive loading, optimistic UI, and why specific loading copy beats a bare animation every time.

May 2026 Design
54
AI-Powered Phishing: LLMs as Social Engineering Tools at Scale

Phishing used to be detectable by bad grammar and generic salutations. LLMs eliminated both signals and now enable personalized, contextually aware attacks at a volume no human attacker could produce. The spear-phishing pipeline, voice cloning for vishing, detection evasion, and why verification protocols matter more than email filters.

May 2026 AI Security
53
Agentic AI Authorization: The Permission Problem in Autonomous Systems

When an AI agent asks to read your files, send your email, or execute code — how does the system decide if it should? Most agentic systems grant broad access at deployment time and never revisit it. Least-privilege per task, dynamic permission requests, capability tokens, and why every permission use needs an audit trail tied to the task that justified it.

May 2026 AI Security
52
LLM Denial-of-Service: Token Flooding, Sponge Examples, and Resource Exhaustion

LLMs are uniquely vulnerable to resource exhaustion: the attacker pays almost nothing while the defender pays per token. Token flooding, sponge examples that maximize compute at inference time, recursive expansion attacks, and context window stuffing — plus output token limits, cost-based circuit breakers, and request queuing that actually work.

May 2026 AI Security
51
AI Security Incident Response: When Your Model Gets Weaponized

AI incidents are different from traditional breaches — there's no clear breach moment, behavioral drift is hard to detect, and "rollback" is more complex than reverting a deploy. Detection signals, containment steps, investigation framework for tracing the attack vector, and recovery procedures that close the door before you re-open the system.

May 2026 AI Security
50
Hardening System Prompts: Defense-in-Depth for LLM Applications

The system prompt is the first line of defense in any LLM application — and the most commonly misconfigured one. Instruction anchoring, explicit refusal directives, output constraints, canary tokens for leakage detection, and why no amount of prompt engineering substitutes for access control, model training, or architectural isolation.

May 2026 AI Security
49
Zero-Trust Architecture for AI Systems: Never Trust, Always Verify

Traditional perimeter security fails AI where every model, agent, and pipeline is an internal attack surface. Five zero-trust layers: cryptographic workload identity (SPIFFE/SPIRE), least-privilege tool scoping, data micro-segmentation, continuous output authorization gates, and immutable audit logging the AI system itself cannot delete.

May 2026 AI Security
48
AI Governance and Compliance: Building Accountable AI Systems

The EU AI Act, NIST AI RMF, and sector-specific regulations (SR 11-7, FDA SaMD) are creating concrete compliance obligations. Governance requires traceability, human oversight, continuous monitoring, incident response, and third-party model governance built in from the start — not bolted on after deployment.

May 2026 AI Security
47
LLM API Security: Rate Limiting, Auth, and Prompt Leakage

LLM APIs introduce attack surfaces that don't exist in traditional REST services: system prompt leakage, cost exhaustion attacks (one prompt can burn $50 in compute), cross-user injection through shared context windows, and session isolation failures. Why most rate-limiting implementations are wrong for AI workloads.

May 2026 AI Security
46
AI Supply Chain Security: Compromised Weights and Poisoned Repos

Pickle deserialization gives arbitrary code execution the moment you load a malicious model checkpoint. With 500,000+ models on HuggingFace, typosquatting, compromised maintainer accounts, and poisoned fine-tuning datasets represent a supply chain attack surface the ML community is only beginning to address.

May 2026 AI Security
45
Adversarial Inputs: When AI Sees What Isn't There

Imperceptible pixel perturbations cause confident misclassification — the fundamental geometry of adversarial attacks. Four attack categories (white-box, black-box, physical-world, universal perturbations) and three deployment scenarios: autonomous vehicle perception, biometric bypass, and content moderation evasion. Why defenses keep failing.

May 2026 AI Security
44
Model Theft: Extracting Proprietary AI via API Queries

With 10k–100k queries, attackers can train a local model that achieves 90%+ behavioral agreement with a commercial API — effectively stealing the training investment. Three attacker goals (behavioral clone, white-box proxy, safety bypass) and why logit-masking defenses fail against distillation-based extraction.

May 2026 AI Security
43
Training Data Extraction: Stealing Private Data from Public Models

Nasr et al. (2023) extracted ChatGPT training data including real email addresses and personal data using a $200 divergence attack. Memorization is a feature, not a bug — models must memorize to generalize. Four memorization factors and three extraction techniques that work against production LLMs.

May 2026 AI Security
42
Multimodal Prompt Injection: Instructions Hidden in Images

Text rendered in white-on-white, steganographic LSB embedding, QR codes in document corners, natural-language overlays on product photos — four vectors for hiding AI instructions inside image content. When a vision-capable agent processes your uploaded receipt and executes the attacker's instructions instead of summarizing expenses.

May 2026 AI Security
41
Design Tokens: The Single Source of Truth for Visual Style

Design tokens are the atomic units of a design system — named variables for color, spacing, typography, and motion that connect design tools to production code. The three-layer architecture, how dark mode becomes a token swap instead of a codebase audit, and naming conventions that scale.

May 2026 Design
40
Form Design: The Interface Nobody Thinks About

Forms are where users do the work. Validation timing, label vs. placeholder, the questions you shouldn't ask, and why forms are conversations — not questionnaires. Every unnecessary field is a question that insults the user's time.

May 2026 Design
39
Motion Design Principles: Animation That Earns Its Place

Motion in interface design has one job: reduce cognitive load by making state changes perceptible. Duration tables, the four principles of purposeful motion, what to avoid (bounce on controls, animating everything), and how to build a motion system that creates coherent product feel.

May 2026 Design
38
AI Red Teaming Methodology: Breaking Models on Purpose

Red teaming AI systems requires a different methodology than traditional software. A four-phase process — threat model, attack technique families (jailbreaking, prompt extraction, indirect injection, capability elicitation), systematic coverage, and reporting — plus why attack success rate matters more than existence.

May 2026 AI Security
37
Agent Sandboxing: Containing AI in Production

Process isolation doesn't contain what an AI agent decides to do. The primary escape vector is prompt injection through tool outputs — a five-layer containment architecture covering capability minimization, output validation, data flow control, human confirmation gates, and tool output sanitization.

May 2026 AI Security
36
LLM Fine-tuning Security: Backdoors You Train In

Fine-tuning on custom data can override safety alignment trained into the base model. How backdoor attacks embed hidden triggers at 0.1% contamination rates, the four attack surfaces (data poisoning, alignment erosion, instruction injection, membership inference), and mitigations that actually transfer to the fine-tuned version.

May 2026 AI Security
35
AI-Assisted Social Engineering: Deepfakes, Voice Cloning, and Spear Phishing at Scale

AI has collapsed the cost curve of impersonation attacks. Spear phishing at $0.01 per target, voice cloning from 3 seconds of audio, real-time deepfake video in browser tabs. The Hong Kong CFO fraud case, why detection arms races favor attackers, and what actually works for defense.

May 2026 AI Security
34
LLM Hallucination as a Security Vector

Hallucinated package names get installed. Hallucinated URLs get visited. Slopsquatting — publishing packages at names LLMs consistently hallucinate — lets attackers weaponize model errors at scale. Why confidence amplifies the risk, and how to verify before you install.

May 2026 AI Security
33
Error States: Designing for Failure

Most design systems are designed for success. Error states are afterthoughts — vague, blame-shifting, and unhelpful. The anatomy of a bad error message, what makes one good, and why empty states are the most underused onboarding opportunity in any product.

May 2026 Design
32
Color Systems: Beyond the Palette

A palette is a collection of colors. A color system is a set of rules for how they relate and where they're used. The three-layer architecture (primitive, semantic, component), why dark mode is a semantic problem, and why the neutral scale is where the real design work happens.

May 2026 Design
31
Typography Hierarchy: How Visual Weight Guides the Eye

Hierarchy is the typographer's grammar. How size, weight, spacing, and color combine to create a reading order the eye follows without thinking — and the squint test that tells you whether your hierarchy is structural or just decorative.

May 2026 Design
30
Memory Poisoning in AI Agents

AI agents with persistent memory are uniquely vulnerable to a slow, stealthy attack: adversarial content injected into vector stores that biases agent behavior over time. Why it's nearly undetectable, how vector databases become the primary target, and what memory integrity design actually requires.

May 2026 AI Security
29
Browser-Use & Computer-Use: The New AI Attack Surface

When AI agents can click, type, and navigate browsers autonomously, every website becomes a potential attack vector. Hidden page instructions, ARIA label injection, financial fraud via mid-task manipulation — the threat model is fundamentally different from chat-based AI.

May 2026 AI Security
28
System Prompt Extraction: How Attackers Steal Your LLM Configuration

System prompts are not secrets. Five reliable extraction techniques — from direct instruction to differential probing to token smuggling via tool calls — and why designing your product assuming the prompt is public is the only safe posture.

May 2026 AI Security
27
OWASP LLM Top 10: A Practical Field Guide

The OWASP Top 10 for LLM Applications from specification to practice. Real attack patterns and mitigations for all ten categories — from Prompt Injection and Insecure Output Handling to Excessive Agency and Model Theft — with a prioritization framework for shipping teams.

May 2026 AI Security
26
AI Worms: When Agents Infect Each Other

Self-replicating prompts that spread through multi-agent systems without any user interaction. Morris II demonstrated this in 2024. How propagation works, why standard defenses fail, and the mitigations that actually help — privilege separation, human confirmation gates, and memory integrity checks.

May 2026 AI Security
25
White Space Is Not Empty

The blank areas in a design aren't the absence of design — they're the most active part of it. A case for negative space as the primary tool of visual hierarchy, grouping, emphasis, and rhythm. Plus the spacing system problem that causes most visual inconsistency in production.

May 2026 Design
24
OAuth 2.0's Agent Problem: When AI Tokens Live Forever

AI agents inherit OAuth tokens that outlive their tasks, accumulate scopes across sessions, and become high-value targets when stored in MCP config files. The authorization model wasn't designed for autonomous agents — here's what secure agent authorization actually requires.

May 2026 Web Security
23
Indirect Prompt Injection via Tool Outputs

The injection variant that bypasses every system-prompt defense: adversarial instructions embedded in MCP tool responses, database records, and retrieved web content. Why standard defenses fail, and how the MCP tool layer amplifies the blast radius.

May 2026 AI Security
22
MCP Complete Guide: What It Is, How to Build It, How to Use It

Model Context Protocol from first principles: the Host/Client/Server architecture, building MCP servers in TypeScript and Python with real code examples, configuring Claude Desktop, and understanding when MCP is the right tool versus other approaches.

May 2026 AI Development
21
AI Skills vs MCP: Workflow Layer vs Tool Layer

Skills and MCP both extend AI agents, but at completely different layers. Skills define what the agent does (CLAUDE.md slash commands, reusable workflows); MCP defines what the agent can reach (external tools, APIs, databases). How to create both, and how they compose.

May 2026 AI Development
20
2026 Linux Kernel LPE Trilogy: Copy Fail, Dirty Frag & Fragnesia

Three critical local privilege escalation vulnerabilities — CVE-2026-31431, CVE-2026-43284/43500, CVE-2026-46300 — all actively exploited in spring 2026. Breakdown, detection, and exact patch commands for Ubuntu, RHEL, and SUSE.

May 2026 Zero-Day
19
NGINX Rift: 18-Year-Old Rewrite Flaw Enables RCE (CVE-2026-42945)

A heap buffer overflow in nginx's rewrite module — dormant since 2008, CVSS 9.2, no auth required — was disclosed April 2026 and immediately exploited. How to detect vulnerable configs and patch or mitigate now.

May 2026 Zero-Day
18
Vibe Coding's Hidden Security Bill

Developers using AI coding assistants are shipping features faster than ever. They're also shipping vulnerabilities faster than ever. The security debt of vibe coding is real, accumulating, and largely invisible until it isn't.

May 2025 AI Security
17
MCP: The New Attack Surface Nobody Saw Coming

Anthropic's Model Context Protocol gives AI agents persistent access to tools and data sources. It also gives attackers a new vector that most security teams haven't modeled yet — and the window to get ahead of it is closing.

May 2025 AI Security
16
The Jailbreak Arms Race: Why AI Safety Keeps Falling Behind

Every safety measure deployed in a large language model has been bypassed. Not some — every one. On why the jailbreak problem is structurally different from other security problems, and what that means for AI deployment.

Apr 2025 AI Safety
15
DeepSeek and the Open-Source LLM Security Question

DeepSeek's emergence forced a real conversation the AI industry had been avoiding. The model capability gap is closing. The governance gap is not. A framework for thinking about open-weight model risk.

Feb 2025 AI Security
14
AI Finds 0-Day in Linux Kernel Before Any Human Did

Google's Project Big Sleep agent autonomously discovered a memory-corruption vulnerability in the Linux kernel's io_uring subsystem — patched before public disclosure. The era of AI-first vulnerability research is here.

May 2025 AI Security
13
Prompt Injection: The Vulnerability AI Can't Patch Itself

Unlike buffer overflows or SQL injection, prompt injection attacks are semantic — they exploit the model's instruction-following nature. Understanding why this class of vulnerability is structurally different from everything that came before it.

May 2025 LLM Security
12
RAG Poisoning: When Your AI Knowledge Base Becomes an Attack Vector

Retrieval-Augmented Generation systems trust their data sources implicitly. Injecting adversarial content into a vector database can hijack every query that retrieves it. A walkthrough of the attack surface.

Apr 2025 LLM Security
11
Sleeper Agents in LLMs: The Attack That Survives Fine-Tuning

Anthropic's 2024 research showed that LLMs can be trained to behave normally until a specific trigger condition is met — and that standard RLHF safety training fails to remove the behavior. What this means for any organization deploying third-party models.

Apr 2025 AI Safety
10
Malicious Models on Hugging Face: The New Supply Chain Attack

Researchers discovered over 100 models on Hugging Face Hub containing serialized payloads that execute arbitrary code on load via pickle deserialization. The ML supply chain has the same vulnerabilities as npm — and less scrutiny.

Mar 2025 Supply Chain
09
CVE-2024-6387: How a 0-Day in OpenSSH Went Undetected for 18 Years

regreSSHion was a signal flare. A race-condition vulnerability dormant since 2006, rediscovered by Qualys's AI-assisted static analysis pipeline. On how AI-powered code auditing is surfacing bugs that escaped a generation of manual review.

Feb 2025 Zero-Day
08
AI-Discovered Critical Vulnerabilities in 2025: A Running Tally

From Google's Big Sleep SQLite buffer overflow to Microsoft's Security Copilot flagging misconfigurations in Azure — a curated log of vulnerabilities where AI either found the bug, accelerated the patch, or changed the disclosure timeline.

Jan 2025 AI Security
07
The Case Against Consistent Design

Why the obsession with pixel-perfect consistency might be the thing that's making your product feel lifeless — and what to reach for instead.

May 2025 Design
06
Monospace as Aesthetic Statement

There's a reason the most interesting corners of the web keep reaching for fixed-width fonts. It's not nostalgia — it's a precision play.

Apr 2025 Typography
05
Speed Is a Design Choice

Performance and aesthetics are the same conversation. A 3-second load time isn't a technical problem — it's a trust problem, a brand problem, a relationship problem.

Mar 2025 Performance
04
The Grain Always Comes Back

On the resurgence of texture in digital interfaces, and why generations of designers keep rediscovering that the most modern surfaces are never perfectly smooth.

Feb 2025 Texture
03
What Dark Mode Actually Means

Dark mode isn't an accessibility feature or a user preference toggle. For some of us, it's the only honest way to work — a disposition, not a setting.

Jan 2025 Philosophy
02
Static Sites and the Long Game

Every framework promises the future. HTML has already survived three decades. There's something to be said for betting on the thing that doesn't need updating.

Dec 2024 Web
01
Why I Keep Coming Back to Georgia

Screen-native, battle-tested, and more expressive than anything that came after it. The most underrated typeface in the history of digital design is already on your device.

Nov 2024 Typography

Stay in the loop

New ideas, when they're ready.

Get notified  →