20 years of pentests: the way in was almost never a clever 0-day. It was the forgotten subdomain, the cert nobody tracked, the staging box that quietly went public. Defenders work from last quarter's asset list. Attackers scan today. That gap is the whole game.

#infosec #appsec #pentest

The wild part of building solo with an AI pair isn't that it writes the code. It's that it frees up the hours for the work that actually needs 20 years of judgment: where the trust boundary goes, what must never leave the box, which edge case is the whole product.

#buildinpublic #infosec #appsec

Hot take after 20 years in compliance: most of it is a copy-paste problem pretending to be a governance problem.

Controls live in Word. Evidence lives in screenshots. The mapping between a control and what actually proves it lives in someone's head — and walks out the door when they leave.

We built ours OSCAL-native: machine-readable controls, diffable in git, queryable by an agent. Compliance as code, not as PDF.

#infosec #compliance #OSCAL #GRC

Gave our GRC platform an MCP server.

An AI agent now queries it directly: which assets sit behind a risk, which controls are overdue, what's open now. No dashboards, no CSV exports.

What mattered to me as a security person: it's strictly tenant-scoped and permission-based. The agent only sees what the user may, and missing rights return an error, not data. AI access to compliance data without a clean permission model is the shortcut I've spent 20 years fighting.

#infosec #compliance #MCP

made a thing: https://web.isidaten.com

compliance-plattform für DACH. ISMS, DSMS, BCM, DMS auf einer objektbasis. OSCAL-nativ. zu dritt gestartet.