Påvlø

The most counterintuitive finding in PM-shipped code: engineers are the ones asking for it. A startup CTO posted: "One of our PMs built and shipped a feature. Not spec'd it. Built it, tested it, shipped it to production. In a day." The engineers on his team loved it. The CTO explained why: when PMs build their own ideas, their specifications get sharper. They understand what the agent needs to execute well. Sharper specs produce better agent output. The PM who has shipped a few PRs writes fundamentally different specs than the PM who hasn't. This is the second-order effect nobody predicted. PMs who've shipped code know what's easy and what's hard. They know what a diff looks like. They stop writing 15-page docs that require a 30-minute meeting to decode and start writing 40-line PLANNING.md files with specific metrics, guardrails, and kill criteria. The third-order effect is that engineering trust compounds. The PM who ships clean, focused, well-described PRs earns more trust than the PM who writes perfect specs. Because the eng team can see you understand their world. You're showing them you respect the process. At Anthropic, Claude Code reviews first and catches ~80% of bugs. Then a human engineer does the second pass. For PM PRs, the human review is the safety net. PM gets the intent right. Engineer makes sure nothing breaks. Jiaona Zhang, CPO at Laurel and Stanford lecturer, says her PMs are going beyond prototyping to production. Her designers push code too. Superhuman uses Codex so PMs can contribute lightweight code changes without pulling in an engineer, except for code review. The irony: the PM who never touches code creates more work for engineers through the translation layer. The PM who ships the small stuff lightens their load while simultaneously earning more trust and writing better specs. The incentives all point the same direction.

Anthropic just shipped a security product that does what every engineer has wanted for 20 years: stop sending you 864,603 false alarms a year. The OX Security 2026 benchmark ran the math across 216 million findings at 250 organizations. The average enterprise pulls 865,398 security alerts annually. 795 are real. 91% of SAST findings are false positives. After 15 of their first 20 alerts come back as garbage, engineers stop investigating. A 10-developer team burns 24 hours a week on noise. Real CVEs sit underneath the alarms for months. This is the wound the entire AppSec industry has been bleeding from for two decades, and the valuations show it. Snyk peaked at $8.5B in 2021. BlackRock has it marked at $3.7B. A PE firm offered under $3B this year and got rejected. Synopsys sold its Software Integrity Group for $2.1B last October. Veracode went for $2.5B in 2022. Checkmarx is shopping itself at $2.5B with no taker. Snyk's growth decelerated to 12% last quarter while Palo Alto printed 16% and CrowdStrike printed 21%. Every legacy vendor has been trying to fix this with bolted-on AI for three years. Snyk DeepCode. GitLab Advanced SAST. Datadog Bits AI. IBM watsonx. Each wraps an LLM around the same rules engine that produced the noise. Now read the Anthropic line: "validates each finding to cut false positives, and suggests patches you can review and approve." Anthropic's architecture starts at the model. Everyone else started at the rules engine and tried to bolt context on top. If the validation layer trims 91% noise to something engineers will actually clear, the buyer stops paying for detection. Detection became a commodity years ago. Triage carries the pricing power now. The valuations were already catching up to the constraint. Today accelerated it.

I ACCIDENTALLY OPENED MY CTO'S PERSONAL NOTION WORKSPACE AND NOW I UNDERSTAND WHY HE SHIPS 5X FASTER THAN THE REST OF US. He is 48. I am 26. He manages 3 products and never works past 5 PM. I work 10 hours a day and barely clear my Jira board. In his workspace, one specific document explained everything: Most people panic when the workload scales. They work longer hours, burn out, and eventually drop the ball. High performers do not manage time. They manage boundaries. The document was a list of strict operating rules. Here are 18 systems you can steal.