The Next Jump
- 4 mins
My approach to security has always been the same: understand something deeply so you can do the best work on it. Smart contracts, blockchain infrastructure, kernels, open source libraries. The target changed but the method never did. Go deep, find what’s broken, explain it.
I’m changing the target again. This time the shift is bigger than usual. I’ll always do vulnerability research. It’s just how my brain works when I look at software, so it never really stops. But my focus is moving somewhere else. This post is about why.
Something changed
I was at Defcon 2025 with a friend, and we started building with Claude Code. Over a few days we were turning feature ideas and product changes into reality as fast as we could think of them. I’d been using various LLM applications before that for small tasks, nothing serious, but this was different. It just made shit that worked. We’d be building one feature and think of the next one before the first was done.
It was addicting. I remember thinking: this is going to change the world immediately. I upgraded to the $200 plan so I could keep going. I’ve basically been vibe coding every single day since.
I’d never been interested in writing software unless it served my security work. A tool, a PoC, a harness. Now I can just build whatever I want. Every application I’ve ever wished had a specific feature, I can just create the whole thing myself. It’s not replacing the polished products out there with years of engineering behind them, but it’s the exact tool I wanted, doing exactly what I need, built in an afternoon. It’s good, there’s still so much room to grow, and that’s part of what makes it exciting. I went from never wanting to write software to not being able to stop.
The dopamine stopped
I used to get a genuine rush from finding a zero day. That moment when you realize the bounds check is stale, or the input reaches a code path nobody considered. It felt like solving a puzzle that nobody knew existed.
That feeling has been fading. Not because the work got easier. It got different. The tooling changed. The field changed. You can set up an LLM with the right scaffolding and get it to surface bugs that would have taken me days of manual reverse engineering. I still think human vulnerability researchers are critically important. The judgment calls, the context, the intuition for where to look. Machines don’t have that yet. But the raw discovery part, the part I enjoyed the most, doesn’t feel the same when I know there’s a faster path sitting right there.
Finding a zero day used to be proof that I understood something deeply. Now it feels more like a race against tooling that’s getting better every month. I don’t want to race. I want to build.
The gap
My interest has always been in security. That hasn’t changed. I went from smart contract auditing to blockchain infrastructure security to vulnerability research. Each jump was toward something harder and more interesting.
There is a lot of research happening in ML security, but most of it is on the attack side. Demonstrating what’s possible, showing how few samples it takes to compromise a model. The defense work is lagging behind, and what does exist is mostly focused on the application layer. Prompt injection guardrails, operational guardrails, runtime monitoring, API-level protections. Traditional security patterns applied to a new technology.
There are known threats that aren’t being defended against today, and as these models get more capable, new attack surfaces will emerge that we haven’t mapped yet. The current approach isn’t sufficient. I think the security model for machine learning needs to be rethought from the ground up, not just adapted from what we already know.
What’s next
I’m going deeper in the stack. Prompt injection and jailbreaking are currently treated as application-layer threats. I want to work on making machine learning safer at the layers most people never look at.
I’ll be writing about what I learn as I go. If you’ve read my posts about CPU caches and DNS parsers and kernel networking, same idea. Pick something hard, understand it from the ground up, explain it honestly. Different domain, same method.
In vulnerability research, the bug classes are well-understood and the defenses exist. The work is finding new instances. Where I’m going, the attacks are known but the defenses aren’t. There is no established playbook for defending against the things I want to defend against.
If you’re thinking about this space too, or even if you’re not, reach out. I love making new friends.
Feedback is extremely welcome. If any of this interests you, please reach out on X. I love making new friends.