

Dania Durnas
Blog posts by Dania Durnas
Move over, Mythos. Here comes... pretty much any other model with a good harness
Mythos has real edges in exploit chain construction. But for most AppSec work, the harness around the model matters more than which model you pick.
The complete GitHub Actions security checklist
GitHub Actions misconfigurations have been behind some of the biggest supply chain attacks of 2025 and 2026. Here's what went wrong and how to prevent them from happening to your org.
Why browser extensions are a major security risk and what you can do about it
Browser extensions have lots of security risks, more than we care to admit. We discuss the full extent of the threat and what both individuals and organizations can do about it.
A practical CTO security checklist to be Mythos-ready
A practical checklist for SaaS CTOs navigating a world with Mythos and agentic AI threats. Built around the defender's advantage: you have context attackers have to work to get. Covers the controls, practices, and operational habits that determine whether your team finds and fixes issues before someone else does.
It's time to treat browser extensions like supply chain attack vectors
The Vercel breach followed a pattern the security industry knows well, where third-party code is implicitly trusted, then compromised upstream. We have a framework for that. We just haven't applied it to browser extensions yet. (Spoiler: We do this for software dependencies)
How Security Teams Fight Back Against AI-Powered Hackers
AI has lowered the bar for hackers dramatically. Here's what that means for defenders and how continuous AI pentesting changes the equation.
How does AI pentesting work with compliance?
AI pentesting is being accepted for SOC 2, ISO 27001, and HIPAA (with more likely to come). Here's what auditors actually look for, and where the real limitations are.
Why Determinism Is Still a Necessity in Security
AI scanning finds what rules miss. Deterministic scanning finds it every time. Here's why the best security pipelines don't choose between them.
WAF vs. RASP vs. ADR
WAF, RASP, and ADR protect your app in completely different ways. Here's what each layer actually does, where it falls short, and which ones you need.
What is Slopsquatting? The AI Package Hallucination Attack Already Happening
AI models hallucinate npm package names. Attackers register them first. Here's what slopsquatting is, how it's spreading through agent skills, and how to protect yourself.

