

Dania Durnas
Blog posts by Dania Durnas
Aikido x Drydock | A way for maintainers to catch malware before it ships
Aikido partners with Drydock to bring pre-publish package review to npm and PyPI. See exactly what's inside a release before it ships, so malware is caught before the first download.
npm v12 delivers one of the biggest security improvements in years
npm v12 makes install scripts opt-in by default, closing the install-time execution path behind a year of npm supply chain worms from Nx to Red Hat.
What is AI SAST?
AI SAST is emerging as a new SAST category, but the meaning is unclear. We clarify the difference between AI-native SAST and AI-assisted SAST, as well as how AI SAST sits in the stack between traditional SAST and AI pentesting.
Move over, Mythos. Here comes... pretty much any other model with a good harness
Mythos has real edges in exploit chain construction. But for most AppSec work, the harness around the model matters more than which model you pick.
The complete GitHub Actions security checklist
GitHub Actions misconfigurations have been behind some of the biggest supply chain attacks of 2025 and 2026. Here's what went wrong and how to prevent them from happening to your org.
Why browser extensions are a major security risk and what you can do about it
Browser extensions have lots of security risks, more than we care to admit. We discuss the full extent of the threat and what both individuals and organizations can do about it.
A practical CTO security checklist to be Mythos-ready
A practical checklist for SaaS CTOs navigating a world with Mythos and agentic AI threats. Built around the defender's advantage: you have context attackers have to work to get. Covers the controls, practices, and operational habits that determine whether your team finds and fixes issues before someone else does.
It's time to treat browser extensions like supply chain attack vectors
The Vercel breach followed a pattern the security industry knows well, where third-party code is implicitly trusted, then compromised upstream. We have a framework for that. We just haven't applied it to browser extensions yet. (Spoiler: We do this for software dependencies)
How Security Teams Fight Back Against AI-Powered Hackers
AI has lowered the bar for hackers dramatically. Here's what that means for defenders and how continuous AI pentesting changes the equation.
How does AI pentesting work with compliance?
AI pentesting is being accepted for SOC 2, ISO 27001, and HIPAA (with more likely to come). Here's what auditors actually look for, and where the real limitations are.