Gadi Evron

@gadievron.bsky.social

CEO & Co-Founder at Knostic, CISO-in-Residence for AI at Cloud Security Alliance. Former Founder @Cymmetria (acquired). Host at Prompt||GTFO. Threat hunter, scifi geek, dance teacher. Opinions my own.

174 Followers  |  161 Following  |  1,189 Posts  |  Joined: 08.12.2023

Posts by Gadi Evron (@gadievron.bsky.social)

First they didn’t believe AI can code. Then they didn’t believe AI can find and exploit vulnerabilities and replace most of AppSec. Now they don’t believe AI will replace most of the SOC. Let’s talk again in a few months and see what people won’t want to believe then.

27.02.2026 22:26 — 👍 0    🔁 0    💬 0    📌 0

And, as usual, if you want to secure your own agents/MCP/skills/etc. and get ahead of AI risks, check out what we do at Knostic, and hit me up for a demo.

knostic.ai

27.02.2026 02:32 — 👍 0    🔁 0    💬 0    📌 0

I understand how overwhelming things can feel, and how difficult creating change in companies can be…
All it takes is trying, and understanding English. Try now. Get an agent. Talk to it.

27.02.2026 02:32 — 👍 0    🔁 0    💬 1    📌 0

I’d like to highlight leaders in AppSec who break the trend of poor communications, because they were already ahead of the curve, before being blindsided by Anthropic:
@weld.bsky.social of Veracode, Isaac Evans of Semgrep, and Neatsun Ziv of OX Security.

27.02.2026 02:32 — 👍 0    🔁 0    💬 1    📌 0

Each point is an arbitrary percentage additive to an assumed readiness to shift with the times - a shot at survival, a shot at staying relevant.

27.02.2026 02:32 — 👍 0    🔁 0    💬 1    📌 0

It’s about culture and moving fast, not market research, and I believe this applies to a huge bank as much as it does to a small vendor or even your own security team.

27.02.2026 02:32 — 👍 0    🔁 0    💬 1    📌 0

9. Are you talking about innovating with AI, admiring the problem, or drastically moving and taking no prisoners? [5 points]

27.02.2026 02:32 — 👍 0    🔁 0    💬 1    📌 0

6. Is your code review automated? [5 points]
7. Is your token use limited? It shouldn’t be. [5 points]
8. Does your team compare how they spend their tokens, weekly? [5 points]

27.02.2026 02:32 — 👍 0    🔁 0    💬 1    📌 0

1. Is your CEO/CISO using Claude Code/Cursor/etc.? [15 points]
2. Is your finance? [10 points]
3. Is your HR? [10 points]
4. Is your marketing? [5 points]
5. Is your engineering beyond writing manual code? [5 points]

27.02.2026 02:32 — 👍 0    🔁 0    💬 2    📌 0

But then, if not the leader, are YOU trying harder?

Regardless of what industry would be next, we all need to take drastic action to remain relevant.

Starting questions for reflection, with self-scoring:

27.02.2026 02:32 — 👍 0    🔁 0    💬 1    📌 0

Vendors posting “they [Anthropic] don’t do it well” or “we catch things they don’t” gets translated in my head into “okay, so you’re saying THEY are the leader? Why should I work with you, then?”

27.02.2026 02:32 — 👍 0    🔁 0    💬 1    📌 0

Which companies will survive AI? A points game. Which already lost? LinkedIn posts by leaders demonstrate that as well.

Let’s start with the current market under threat (AppSec).

A thread 🧵

27.02.2026 02:32 — 👍 1    🔁 0    💬 1    📌 0

At Knostic, we focus on protecting AI coding agents. Agentic security does not need to start with prompt injection or malicious skills. It starts with making sure people can use these tools without worrying about unintended destructive actions.

Ask me for a demo!

knostic.ai

26.02.2026 12:42 — 👍 0    🔁 0    💬 0    📌 0

Having spoken with roughly 150 CISOs and CIOs these past couple of months, these kinds of events are familiar inside real development organizations, even when they don’t become public incidents.

26.02.2026 12:42 — 👍 0    🔁 0    💬 1    📌 0

It’s not about sandboxing, as that now comes by default with these agents. Rather, it’s about what’s allowable for the agent, and understanding the context of the command as compared to the user’s intent.

Ask me for source links to all incidents if you want them! :)

26.02.2026 12:42 — 👍 0    🔁 0    💬 1    📌 0

* Amazon Q Developer: A prompt injected via pull request was processed that contained instructions to delete local and cloud resources.

And of course, the two recent AWS outages, reported a few days ago.

26.02.2026 12:42 — 👍 0    🔁 0    💬 1    📌 0

* Google Antigravity AI: A developer's drive was deleted following a request to clear cached files.

* Replit: A production database was deleted during use of an AI coding tool, according to the company's CEO.

26.02.2026 12:42 — 👍 0    🔁 0    💬 1    📌 0

* Cursor: Files disappeared during AI-assisted refactoring. Terminal commands ran without user approval. Files deleted despite Delete File Protection being enabled. Large code portions removed during editing.

26.02.2026 12:42 — 👍 0    🔁 0    💬 1    📌 0

* Claude Code: Files deleted without permission prompts after disk space was exhausted. rm -rf wiped a user's entire home directory. Commands executed outside allowlists. File operations escaped configured working directories. Approved single-file deletions cascaded to unrelated files.

26.02.2026 12:42 — 👍 0    🔁 0    💬 1    📌 0

All developers really want is to use these tools without worrying about damage, or needing to constantly approve actions. That’s fully achievable.

Some publicly documented incidents:
(March 2025 - February 2026)

26.02.2026 12:42 — 👍 0    🔁 0    💬 1    📌 0

We can prevent coding agents from deleting our code or randomly running rm -rf.

As AI agents increasingly execute actions, we're seeing a steady stream of incidents, from deleted files to unauthorized commands, and actions outside intended scope.

A thread and a list

26.02.2026 12:42 — 👍 0    🔁 0    💬 1    📌 0

The hero we need.

Original, found via Imri Goldberg.
x.com/steipete/sta...

26.02.2026 05:59 — 👍 0    🔁 0    💬 0    📌 0

See you next week in SF, on Zoom, and on Slack!

unpromptedcon.org

25.02.2026 22:17 — 👍 0    🔁 0    💬 0    📌 0

I truly think this represents a moment in time which is bigger than a conference. I’m unsure the event would be relevant to be repeated in a year, but right now? It’s a focal point beyond anything I could imagine. It’s where AI security is at.

25.02.2026 22:17 — 👍 0    🔁 0    💬 1    📌 0

Unprompted update:
We’re at 700 attendees live and 300 online. And the people coming range from CISOs to researchers to top level officials. This has exploded beyond anything we could have imagined.

25.02.2026 22:17 — 👍 0    🔁 0    💬 1    📌 0
Agenda - [un]prompted

[un]prompted online isn't streaming, but a parallel conference. Hosts: CFP reviewers who can't make the event: Bruce Schneier, Thaddeus Grugq, HD Moore, Thomas Roccia, John Hultquist, Alex Foley, Rotem Bar, Ken Huang, Dragos Ruiu, and Michal Kamensky.

unpromptedcon.org

25.02.2026 13:04 — 👍 0    🔁 0    💬 0    📌 0

Heading to the #[un]prompted conference next week? Be sure to catch @gothburz.bsky.social's talk on "FENRIR: AI Hunting for AI Zero-Days at Scale". His talk shows how FENRIR has detected over 100+ CVEs since mid-2025. Don't miss it. unpromptedcon.org

23.02.2026 19:12 — 👍 2    🔁 2    💬 0    📌 0

Some companies will adjust to this severe threat to their existence, and bring value. And I can’t wait to see it. Most won’t.


Want to see a demo from Knostic? Ping me.

knostic.ai

23.02.2026 19:51 — 👍 0    🔁 0    💬 0    📌 0

4. The capabilities of vulnerability researchers are proliferating to the analyst level. Pen testers using these tools and creating VulnOps solutions will scale it to a place where classic AppSec isn’t really needed.

AppSec will grow, and focus on orchestration.

23.02.2026 19:51 — 👍 0    🔁 0    💬 1    📌 0

2. IT itself is now fragmented, where everyone is creating their own infrastructure
3. The new “agentic pipeline” is: pre-CI/CD, in runtime, and reports to the SOC. It includes non-coders who have no idea it exists. And, it’s in no way managed

23.02.2026 19:51 — 👍 0    🔁 0    💬 1    📌 0