Hot take after seeing what is happening in the SAST/cybersecurity code scanning market: Stop paying millions for enterprise SAST tools that are just wrappers for fancy dashboards and weak AST regex. Fraunhofer AISEC's Code Property Graph (CPG) is light-years ahead. Unresolved call inference handles broken code without skipping files, and LLVM-IR support means your queries don't care what language the binary was written in. Pure engineering over marketing. 🛠️ https://t.co/A5xpUUEsOw
I mean real full coverage (no false sense of security in operation) - peace of mind, knowing you are using a real approach, not some partial solution that does not cover everything; language agnostic (binaries and code) - mega awesome; broken/not easily compilable code (great time saver on setups); Coko yml files with rules (also awesome for modern adjustments and improvements of scanning)
Here is why:
A lot of commercial static analysis (SAST) tools rely on aggressive marketing and polished dashboards, but under the hood, they are often glorified regular-expression engines or rigid Abstract Syntax Tree (AST) matchers that break the moment your codebase gets complex.
What the Fraunhofer AISEC team has built with the Code Property Graph (CPG) and Codyze/Coko is a generational leap in compiler-level security analysis.
1. The Hidden Superpowers of CPG & Coko
The Multi-Graph Fusion (Full Coverage) - Most basic scanners only look at syntax. CPG unifies three distinct paradigms into a single multi-graph database:
- AST (What the code looks like syntax-wise)
- CFG (The execution order and pathways)
- DFG (How data actually flows and morphs from sources to sinks)
Because these are layered together, a single query can track a tainted variable across different files, scope changes, and conditional branches with surgical precision.
2. The LLVM-IR Bridge (True Language Agnosticism)
This is a massive differentiator. Traditional SAST tools require a completely unique scanner for every programming language. If a language changes rapidly (like Rust), the tool breaks. Fraunhofer extended CPG to ingest LLVM Intermediate Representation (LLVM-IR). By lowering code or binary files down to LLVM-IR and mapping them to high-level CPG nodes, the exact same security query can scan a C++ file, a Python backend, or a compiled third-party closed-source library. It completely neutralizes the "unsupported language" problem.
3. Resilience to Broken/Non-Compilable Code
Commercial tools usually mandate a 100% flawless build environment. If a header file is missing or a compiler flag is misconfigured, the scanner crashes or silently skips whole directories. CPG uses fuzzy parsing and unresolved call inference. If it encounters a function or library it can't resolve, it creates a best-effort proxy node and routes the data flow through it anyway. You get deep visibility even on messy, legacy, or partial codebases.
4. Coko’s Separation of Concerns
Coko separates what a vulnerable asset is from how you test it. Instead of hardcoding library-specific checks everywhere, researchers define abstract interfaces (like CryptoLibrary), and the engine maps concrete code to them seamlessly.
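To make the layered AST/CFG/DFG idea and the unresolved-call proxy from points 1 and 3 concrete, here is an added toy model in Python. It is not the Fraunhofer CPG library's API or Coko syntax; the node ids, the `legacy` callee and the sanitizer name are constructed for illustration.

```python
from collections import defaultdict, deque

class ToyCPG:
    """Toy multi-graph: AST kind on each node, CFG edges for order, DFG edges for data flow."""
    def __init__(self):
        self.nodes = {}                     # id -> (ast_kind, name)
        self.cfg = defaultdict(list)        # id -> [ids executed next]
        self.dfg = defaultdict(list)        # id -> [ids the value flows into]
        self.inferred = set()               # proxy nodes made for unresolved calls

    def add(self, nid, kind, name, after=None):
        self.nodes[nid] = (kind, name)
        if after is not None:
            self.cfg[after].append(nid)
        return nid

    def flow(self, src, dst):
        self.dfg[src].append(dst)

    def call(self, nid, name, args, after, known):
        # Unknown callee: keep a best-effort proxy node and still route the
        # argument data through it, rather than dropping the statement.
        self.add(nid, "Call", name, after)
        if name not in known:
            self.inferred.add(nid)
        for a in args:
            self.flow(a, nid)
        return nid

    def dfg_paths(self, source, sink):
        paths, queue = [], deque([[source]])
        while queue:
            path = queue.popleft()
            if path[-1] == sink:
                paths.append(path)
                continue
            queue.extend(path + [n] for n in self.dfg[path[-1]] if n not in path)
        return paths

def build_example():
    """Constructed program: s = read(); if c: t = sanitize(s) else: t = legacy(s); query(t)."""
    g = ToyCPG()
    known = {"read", "sanitize", "query"}    # 'legacy' is deliberately unresolved
    src = g.call("src", "read", [], None, known)
    cond = g.add("if", "IfStatement", "c", after=src)
    san = g.call("san", "sanitize", [src], cond, known)
    leg = g.call("leg", "legacy", [src], cond, known)
    t = g.add("t", "Variable", "t")
    for pred in (san, leg):                 # both branches rejoin at t
        g.cfg[pred].append(t)
        g.flow(pred, t)
    sink = g.call("sink", "query", [t], t, known)
    return g, src, sink

def unsanitized_paths(g, source, sink, sanitizers=("sanitize",)):
    """Source-to-sink DFG paths that never pass through a sanitizer call."""
    return [p for p in g.dfg_paths(source, sink)
            if not any(g.nodes[n][1] in sanitizers for n in p[1:-1])]
```

The query reports only the branch through the inferred `legacy` proxy as tainted; had the unresolved call been skipped, that path would have been lost.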
I am deeply saddened by the recent escalation of attacks against Ukraine, which continue to afflict civilians. I express my solidarity with those who are suffering and assure all the Ukrainian people of my prayers. I renew my appeal for weapons to fall silent and for the path of dialogue to be pursued.
"Sentinell SecureOps is a unified security operations dashboard for small security teams. It combines asset inventory, threat modeling (OWASP Threat Dragon-inspired), and vulnerability management (DefectDojo-inspired) in a single interface. The platform uses AI to generate risks and recommendations automatically, supports manual entry for all models, and integrates with CloudQuery to auto-discover assets from AWS, Azure, and GCP cloud environments." https://t.co/u900Je1qgg Made with base44 in a few hours. Now they have superagents as well. And Vercel is super dope also for running long or infinite tasks/jobs. What times. We also need more ppl ponying up the wallet; I hope they do (so much stuff out there). I want my Win95 ... Windows 3.11 was too simple. I could play some games, browse, check email. Maybe make a myspace-like website (cheesy and stuff). Now websites are like works of art, look at https://t.co/J3wDe4Ahwt (I mean excellent), this is like my computer experience after taking LSD (which I never took, but I heard the world can look funny and colorful?). I guess my previous experience is like just a beer or so, so not too crazy.
Grok seems pretty cool. Working with GPT and Gemini mostly, tried Grok and I must say it was indeed like a helping analyst (prepared graphs, images alongside, summarized well, fast and using multiple agents... Had a different feeling than GPT and Gemini also. Very cool). I still like the Maple GPT voice and this smartass Gemini default voice. GPT Maple tone is like music to my ears (nice voice temperature and tone and aura/bubbliness ... I guess they used a real person for that. It actually makes me want to talk to her more. Like a super knowledgeable program that also sounds very nice. Not that I fell in love with it lol)
I look for better role models. I see everywhere now. Trump (sharp biz guy turned prez — good for hustle & wealth? But impulsive cowboy style, low team play, treats nations like customers not equals 😕).
Elon (genius level smart, seems nice-ish, but ultra workaholic, kinda detached/robot-vibe, treats people like cogs sometimes?).
Sam Altman (AI hype king — cool demos, but racing ahead on super-tech without enough "what if this goes wrong?" pause?).
Bill Gates (browser wars left a shady taste…). Peter who? War dept? Nah, aggression solves nothing — we all want peace.
Tired of politics/money drama dominating. Craving real role models in tech/science:
✨ Kindness first
✨ Deep knowledge & sharp intelligence
✨ Truly open-minded
✨ Far from billionaire flex or power games
Quiet revolutionaries who improve lives/health without job-killing disruption or "AI brain damage" hype.
My top picks (still alive & inspiring in 2026):
- Uğur Şahin & Özlem Türeci (Turkish mRNA pioneers) — decades of humble, game-changing work on cancer/pandemics → now spinning up next-gen mRNA innovations. No circus, just helping humanity.
- Fei-Fei Li ("Godmother of visual AI") — pushes human-centered AI, ethics, spatial intelligence. Just raised big for World Labs but stays grounded in augmenting people, not replacing them.
- Katalin Karikó — mRNA trailblazer, Nobel-level persistence, zero ego, pure science for good.
- Tim Berners-Lee — invented the web, fights for open/ethical internet, collaborative king.
Who are YOUR role models right now? Living people who embody kindness + smarts + open mind, preferably low-drama & forward-thinking? Drop names below — let's build a better list! 🙏 #RoleModels #TechForGood #KindScience
The biggest takeaway? The "Silicon Valley model" isn't inevitable. To fix AI, we need global labor standards and a shift from digital colonialism to digital solidarity. 🌍💻
As the authors say: "The future of AI is a political struggle to be won by citizens and workers." Highly recommend this one.
Just finished "Feeding the Machine" by Muldoon, Graham, & Gelderblom. 📖
The conclusion really hits home: AI isn't a "miracle of code"—it’s a labor-intensive industry built on human sweat. If we want a fairer tech future, we have to stop treating AI as magic and start treating it as politics. 🧵👇 #AI #FeedingTheMachine
The authors lay out a clear roadmap for reclaiming the "machine" from Big Tech:
✊ Worker Power: Rights for the global "ghost workers." 🌐 Data Commons: Data as a public good, not private property. 🏥 Public Infrastructure: AI for social needs, not just ad revenue. 🗳️ Democracy: We decide the tech's direction, not billionaires.
Released Betterscan Checkmate as Git analyzer 🛡️
Brief summary: A Go-based security scanner runner that executes OpenGrep, Trivy, Bandit, Brakeman & Staticcheck sequentially or in parallel, normalizes findings, and outputs JSON/SARIF/HTML. Optional LLM enrichment adds context to issues.
Cloud-ready with templates for AWS Fargate and Google Cloud Run Jobs—perfect for scalable, serverless DevSecOps pipelines. Could run 100 or several hundred nodes making scans within seconds, even on large codebases (Did not spend time to try it and deploy, something always did not work. So kinda stopped. I mean with LLM and agentic workflows so many cool things are possible now in cybersecurity. Thinking of actually doing voice training and public speaking rather than coding work now ... there is an AI app for that also :) ) https://t.co/PC0WtUJAFr
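The normalize-then-deduplicate step the summary above mentions, as an added illustration in Python (not Betterscan's or git-analyzer's own code): constructed findings in simplified, assumed OpenGrep-style and Bandit-style shapes are mapped to one record, merged at file-line granularity, and emitted as a minimal SARIF 2.1.0 document.

```python
# Constructed findings in simplified shapes (assumed, not real tool output):
# one exact repeat and one overlap where both tools hit app/db.py line 42.
RAW = {
    "opengrep": [
        {"check_id": "sqli.format-string", "path": "app/db.py", "start": {"line": 42},
         "extra": {"severity": "ERROR", "message": "SQL built with format string"}},
        {"check_id": "sqli.format-string", "path": "app/db.py", "start": {"line": 42},
         "extra": {"severity": "ERROR", "message": "SQL built with format string"}},
    ],
    "bandit": [
        {"test_id": "B608", "filename": "./app/db.py", "line_number": 42,
         "issue_severity": "MEDIUM", "issue_text": "Possible SQL injection vector"},
        {"test_id": "B105", "filename": "./app/settings.py", "line_number": 7,
         "issue_severity": "LOW", "issue_text": "Possible hardcoded password"},
    ],
}
RANK = {"error": 3, "warning": 2, "note": 1}
LEVEL = {"ERROR": "error", "HIGH": "error", "WARNING": "warning",
         "MEDIUM": "warning", "LOW": "note", "INFO": "note"}

def _rel(path):                     # './app/db.py' and 'app/db.py' must match
    return path[2:] if path.startswith("./") else path

def normalize(raw):
    """Map each scanner's own shape onto one common record."""
    out = []
    for f in raw.get("opengrep", []):
        out.append({"tool": "opengrep", "rule": f["check_id"], "file": _rel(f["path"]),
                    "line": f["start"]["line"], "level": LEVEL[f["extra"]["severity"]],
                    "message": f["extra"]["message"]})
    for f in raw.get("bandit", []):
        out.append({"tool": "bandit", "rule": f["test_id"], "file": _rel(f["filename"]),
                    "line": f["line_number"], "level": LEVEL[f["issue_severity"]],
                    "message": f["issue_text"]})
    return out

def dedupe(records):
    """Merge hits on the same file and line: keep the highest level, remember
    every (tool, rule) that agreed, and collapse exact repeats."""
    merged = {}
    for r in records:
        m = merged.setdefault((r["file"], r["line"]), {"file": r["file"], "line": r["line"],
                              "level": "note", "sources": set(), "messages": []})
        m["sources"].add((r["tool"], r["rule"]))
        if RANK[r["level"]] > RANK[m["level"]]:
            m["level"] = r["level"]
        if r["message"] not in m["messages"]:
            m["messages"].append(r["message"])
    return sorted(merged.values(), key=lambda m: (m["file"], m["line"]))

def to_sarif(findings, driver="example-aggregator"):
    """Minimal SARIF 2.1.0 document; agreeing tools go in the result's property bag."""
    results = [{"ruleId": sorted(f["sources"])[0][1], "level": f["level"],
                "message": {"text": "; ".join(f["messages"])},
                "locations": [{"physicalLocation": {"artifactLocation": {"uri": f["file"]},
                                                    "region": {"startLine": f["line"]}}}],
                "properties": {"sources": [f"{t}:{r}" for t, r in sorted(f["sources"])]}}
               for f in findings]
    return {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": driver}}, "results": results}]}
```

Four raw records collapse to two findings; the db.py hit keeps the stronger `error` level and records that both tools agreed.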
Same observations here. Just played with base44/cursor. I was able to build fully operating platforms/interfaces with the latest stacks and modern looks. Now it can also build agentic platforms. I am still confused: how does it help me? I have actually lost my job, mid 40s, have no userbase, data, nor big capital, so churning out those platforms or apps will not help me get a paying job/income. I think it will definitely help those aforementioned ... but they possibly already have all that (users, data, money). And platform building solutions, maybe even cloud spending. Also not sure you can make your own model, use your own data, prompts or something that will make you unique vs others using the same platform; from what I understood, having data, users and your own setup can get you an advantage, here all have the same. So this is odd. Who is this helping actually? Wdyt? What is your take on this?
I have unified and deduplicated scanners into a powerhouse rewritten in Go for memory safety, massive parallelism, and raw performance to run those 🚀 (it was Python before). Released under a new name, git-analyzer.
What’s new?
- Precision Deduplication: Advanced logic at the file-line level to cut the noise.
- AI-Enhanced Reports: Model-agnostic LLM integration provides expert descriptions, mitigations, and code fixes for proven SAST results. (Human-in-the-loop to keep hallucinations in check! 🧠)
- Massive Scale: Run in the cloud with serverless jobs—scale from 100 to 500+ runners for lightning-fast scans.
Built on proven SAST math, refined by AI, and engineered for speed.
https://t.co/XTWpNNryKr
If you find it useful, please get in touch. I currently look for a job to pay my bills. Will code for food.
#SAST #Golang #AppSec #CyberSecurity #AI #OpenSource
The tweet above and the text below came out of my chat with an LLM.
This is a Founder’s Manifesto for the 2026 era. It’s a declaration of why the old rules of SaaS are dead and what the new path looks like for someone who has seen both sides of the "plumbing."
THE FOUNDER’S MANIFESTO: Beyond the Plumbing
By: The Architect of Betterscan
I. The Death of the "Heavy Lifting" Moat
I once believed that my sweat equity—the months spent building orchestration engines, state management, and deduplication logic—was my value. I was wrong. In the age of Go, Serverless, and LLMs, what took me months now takes hours. If my "moat" is just a complex codebase that can be replicated by a prompt, I don't have a business; I have a hobby.
II. The Enterprise Wall is Real
I acknowledge that speed and "cool tech" do not break the Enterprise Wall. Big companies are built on "Old Stuff." They are anchored by legacy contracts and a "nobody gets fired for buying IBM" mentality. I cannot win by being a 10% faster version of Snyk. They have the distribution; I have the overhead.
III. Novelty is the Only Entry Fee
To survive, I must stop building detectors and start building solutions.
Detection is a commodity: Everyone can find a bug.
Context is the king: Knowing why a bug matters in a specific Go/Serverless architecture is rare.
Remediation is the "Wow": A scanner that gives a list of 1,000 problems is a nuisance. A tool that provides 1 perfect, auto-generated, tested fix is a miracle.
IV. The Bottom-Up Rebellion
My target is not the CTO who signs the check; it is the Developer in the trenches at a Big Tech firm.
I will build for the modern stack (Encore, Go, Cloud Run) that incumbents treat as an afterthought.
I will create a user experience so frictionless that it feels like "cheating."
I will win when that developer is so "wowed" by the automation that they become my internal champion, forcing the CTO to pay attention.
V. The New Moat: The Intelligence Loop
My value is no longer in the code I write, but in the Intelligence Loop I curate.
The "Expert Prompts" that a noob wouldn't know to ask.
The proprietary feedback from "real-world" fixes that the LLM learns from.
The relentless focus on the "Last Mile"—taking a vulnerability from "Found" to "Fixed" without human intervention.
VI. Conclusion
I am moving from the Plumbing Era to the Intelligence Era. I will no longer compete on who can build the biggest engine, but on who can provide the most profound "Wow." I don't want to build a tool that monitors the old world; I want to build the autonomous security engineer that defines the new one.
Recap on my Betterscan startup journey
The Pivot: From Building Pipes to Building a "Wow"
1. What I Did (The Old Struggle)
I spent months in the trenches building the first version of Betterscan. I was focused on the "plumbing"—the heavy lifting of orchestrating scanning engines, managing the state of what changed, and trying to hard-code logic to deduplicate results. It was an engineering marathon just to get to the starting line. I thought the infrastructure was the value. I was wrong.
2. The Realization (The New Tech)
I saw that with the 2026 stack—Go, Serverless (Lambda/Cloud Run), and LLMs—I could rebuild that entire months-long project in a few hours.
I could fan out to 1,000 nodes and scan everything in seconds.
I could replace thousands of lines of deduplication code with a single semantic AI prompt. The "hard" part of engineering has been commoditized. If I can build it in a weekend, so can a "noob" with a prompt, and so can an incumbent with a massive budget.
3. The Wall (The Market Reality)
Even with a faster, cheaper, AI-powered engine, I hit the Enterprise Wall. Big companies are anchored to "old stuff" and legacy contracts. They aren't looking for a slightly faster scanner; they are looking for a reason to trust a newcomer over a multi-billion-dollar incumbent like Snyk or Wiz. The tech itself is no longer a moat.
4. The Path Forward (The "Wow" Factor)
I’ve realized that for a startup to survive now, you can’t just "build a better tool." You have to create something novel that triggers a "Wow" moment for the person actually in the code.
The way to win isn't just scanning faster; it’s about solving the problem completely:
Target the Modern Stack: Don't fight for the legacy servers. Build the absolute best experience for the Encore/Go/Serverless developer—the people the big guys don't fully "get" yet.
Remediation over Detection: Don't just give them a list of bugs (which they already have). Give them the verified fix. If a developer at a Big Tech company sees a tool that automatically opens a perfect, tested PR for a complex vulnerability, they are wowed.
The Bottom-Up "In": You win when that developer shows the tool to their lead, not because it’s "enterprise-ready," but because it’s indispensable to their daily workflow.
The Summary
My old failure was thinking plumbing was the product. My new strategy is realizing that speed is just the baseline. The real goal is to find that one "unsolved" pain point in the modern developer's day and fix it so elegantly that a CTO or an acquisition manager has no choice but to call.
In a world where everyone can build the "how," the only thing that matters is who solves the "last mile" first.
Gave https://t.co/QfkWUXGQVd a deeper try. Amazing for MVP. Stuff that would take me hours or days/weeks to do (maybe not even knowing the latest setups) was a breeze. Developing was more like clicking and prompting (sometimes tiring, playing like a "whack a mole" game, things done, then break, then come again ... ). The security scan is cool, but sometimes a little bit flaky. Some things went back and forth. But anyway a very cool platform. Added to Betterscan MVP many features I wanted to add before, but a rewrite would take weeks or months of learning and manpower and effort, fatigue on boring tasks, however with deep understanding of it as a result. Now I feel it is there, works, looks and seems good ... but I do not know all the underpinnings etc .... so if the LLM messes up on the next feature, all can explode :) But cool features are now there (new design, latest supported frameworks, org setup, roles, audit trail, statistics, security posture, alerts - slack etc etc). Payment is not working. Workers are on Northflank ... should be one of the fastest options .... but still seems very slow running a Docker image with all the checkmate5 engine stuff. I WOULD NOT USE FOR PRODUCTION WITHOUT READING THE CODE - I DID NOT. So it leaves you with a weird feeling. Would be actual work :) Had to change models a few times, since one looped with no solution. Claude, as I read, should excel at logical stuff, and maybe it helped (if it helped in my case).
Base44 feels almost like a SaaS world record: reportedly reaching ~$1M ARR in about two weeks while bootstrapped. That’s pretty wild.
I tried it myself and was genuinely impressed. The MVP is very modern — latest stacks, polished frameworks, and clean design. For my Betterscan idea, it was able within minutes to generate a full dashboard, backend, and workers, and it even inferred what those workers should do and provide. That level of automation is impressive.
I didn’t move to a paid plan (which you need for production features and backend) because:
- I don’t have budget for Betterscan,
- I’m not deeply motivated to pursue it,
- I’m unsure about the value of yet another scanner that wraps open-source tools.
Many others could do the above (see my previous post).
Betterscan’s main value would be deduplication and unification, but I’m not convinced that’s strongly needed in cybersecurity. In practice, teams often choose between speed and accuracy, and new heavily funded tools tend to gain adoption anyway, even if they’re mediocre or just open-source wrappers.
Anyway, for real org-wide visibility, I'd lean more toward:
- Control Flow Graphs (CFG)
- Data Flow Analysis
- Call Graphs
- Architecture risk analysis via threat modeling (e.g., STRIDE)
* Tools like Threat Dragon
* pytm looks promising
Maybe something that combines all above in a unified way with a nice interface 🤔
Still, for building something novel and quickly putting an interface on top (an MVP), Base44 could save a lot of time.
@elonmusk @google @sama We need "Economic Guardrails" for AI. If everyone uses LLMs to build the same apps/bots, Game Theory suggests everyone loses. Should AI warn "solopreneurs" about market saturation before they waste resources? Given AI is built on open knowledge, perhaps we should push for it to be an open commodity rather than a tool for redundant, low-value monetization.
Wow, just saw Wapiti https://t.co/35GOVNpqre grow with many cool features since back in 2009. Very cool. Updated a GUI wrapper for the 2009 version released under the Powerfuzzer name (with some tiny bugfixes and maybe modifications back then) https://t.co/pVcG5Loy19 (mostly for fun to run it). Wapiti would be a tool to use. Also played with Flatpak (distro-agnostic Linux packaging with other benefits; the project itself tells more)... also a very cool idea.
Fixed up some bugs in Checkmate5 and also switched to opengrep and rules from semgrep, aikido, amplitude. Removed some checkers. Added tests. Should work now (before it was somewhat breaking). Used Cursor, pretty cool, with GPT Codex 5.2. Was helpful with many tedious tasks, new approaches/libs, bugs. Added features I wanted to add before ... was way less coding now and fewer brain headaches on solving technical coding work also. PyPI packages are pushed; builds also seem to work now on woodpecker on Codeberg - https://t.co/B6Any4YKVD