We detected a new, somewhat sophisticated campaign abusing a spoofed @MicrosoftTeams installer. The malware is hosted on a legitimate-looking website, which seems to be part of a redirect chain. Each new download produces a unique file hash - so that is not a reliable indicator. The executable is signed so MDE did not prevent it. It was detected when it tried to connect to their C2. The initial domains / certs are newly registered in the last 2-3 days.
Our investigation is ongoing, we will provide more in an article.
So far, I am sharing some IOCs to help you try to prevent the threat:
- teams-install[.]icu (hosting malware)
- signer: KUTTANADAN CREATIONS INC.
- nickbush24[.]com (exfil / C2 server)
- Filename: MSTeamsSetup.exe (the hash changes, but here is what we saw: https://t.co/iTc1iFQIDk)
Tagging @cyb3rops @_JohnHammond @MsftSecIntel for visibility
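Added example (not part of the original post): a hunt that keys on signer, file name and domain instead of the file hash, since the post notes the hash changes with every download. The event field names and the sample events are constructed, and the "Teams installer name with a non-Microsoft signer" rule generalizes the single signer IOC on the assumption that a genuine installer is signed by Microsoft.

```python
import re

# IOCs from the post, refanged for matching.
IOC_DOMAINS = {"teams-install.icu", "nickbush24.com"}
IOC_SIGNER = "KUTTANADAN CREATIONS INC."
LURE_NAME = re.compile(r"^msteamssetup\.exe$", re.IGNORECASE)
# Assumption: a genuine Teams installer has a validated Microsoft signer.
EXPECTED_SIGNER_PREFIX = "microsoft"

def refang(domain):
    """Turn a defanged domain (teams-install[.]icu) back into a plain one."""
    return domain.replace("[.]", ".").strip().rstrip(".").lower()

def domain_hit(domain):
    """Match an IOC domain or any of its subdomains, not mere substrings."""
    d = refang(domain)
    return any(d == ioc or d.endswith("." + ioc) for ioc in IOC_DOMAINS)

def triage(event):
    """Return the reasons an event is suspicious; the hash is never consulted."""
    reasons = []
    signer = (event.get("signer") or "").strip()
    name = event.get("file_name") or ""
    if signer.upper() == IOC_SIGNER:
        reasons.append("ioc_signer")
    # Lure file name without the expected signer (also catches unsigned copies).
    if LURE_NAME.match(name) and not signer.lower().startswith(EXPECTED_SIGNER_PREFIX):
        reasons.append("teams_name_non_microsoft_signer")
    if event.get("domain") and domain_hit(event["domain"]):
        reasons.append("ioc_domain")
    return reasons

# Constructed sample events (hypothetical field names, placeholder hashes).
EVENTS = [
    {"file_name": "MSTeamsSetup.exe", "sha256": "placeholder-hash-1",
     "signer": "KUTTANADAN CREATIONS INC.", "domain": "teams-install.icu"},
    {"file_name": "MSTeamsSetup.exe", "sha256": "placeholder-hash-2",
     "signer": "EXAMPLE HOLDINGS LLC", "domain": None},
    {"file_name": "MSTeamsSetup.exe", "sha256": "placeholder-hash-3",
     "signer": "Microsoft Corporation", "domain": "download.example"},
    {"file_name": "updater.exe", "sha256": "placeholder-hash-4",
     "signer": None, "domain": "api.nickbush24[.]com"},
]

def hunt(events):
    """Map event index -> reasons, for events with at least one reason."""
    return {i: r for i, e in enumerate(events) if (r := triage(e))}

if __name__ == "__main__":
    for idx, reasons in hunt(EVENTS).items():
        print(idx, EVENTS[idx]["file_name"], reasons)
```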
I think AI coding hype follows roughly four stages:
1. Amazement
You try it and can’t believe how much code it generates from a few prompts.
2. Expansion
You start more and more projects because shipping suddenly feels cheap and fast.
This is also the phase where people start convincing everyone around them:
- coworkers
- management
- friends in other companies
because nobody wants to “fall behind” in 6–12 months.
That creates a massive snowball/FOMO effect.
3. The grind phase
You realize the generated code has architectural issues, sloppy mistakes, weird abstractions, duplicated logic, broken edge cases, etc.
So you start:
- re-prompting
- switching models
- increasing reasoning effort
- reviewing fixes
- generating fixes for previous fixes
And suddenly you spend your days reviewing AI-generated pull requests instead of building software.
4. Realization
You realize AI coding increases output much faster than it increases certainty.
The code still needs:
- review
- testing
- ownership
- architectural understanding
- long-term maintenance
Usually by expensive senior engineers.
And the interesting thing is:
this whole cycle can take many months or even more than a year because people become socially and professionally invested in the narrative themselves.
Once teams, managers, and entire companies have been convinced that this is the future, it becomes psychologically and politically very hard to later say:
“Actually, the ROI is much lower than we expected.”
One thing I noticed while benchmarking LLMs on security event data:
The models often overfit on narrative plausibility and environmental assumptions.
If an artifact looks like a test, lab artifact or pentest remnant, the model may start inventing an "authorized testing" story around it and dismiss the event as a false positive - even when the technical indicator itself is clearly suspicious or intentionally malicious.
Examples:
- "EDRTest"
- "PentestPersistence"
- "EICAR_Check"
- "InternalSecurityTool"
A human analyst can fall for this too, but with LLM-based SOC workflows this becomes interesting at scale.
An attacker could intentionally name persistence keys, services or binaries in a way that nudges the model toward a benign interpretation.
What surprised me most:
The model often correctly understands the technical artifact first ... and then talks itself out of escalating it.
This is only one of many weird benchmark-design problems I ran into while testing LLMs on DFIR / detection-engineering data 🙂
@HackingDave @Binary_Defense What are the connectors you support? I assume some EDR / XDR / SIEM integrations are necessary to receive telemetry based on which to trigger alarms with NB.
How do you position this product - it seems like a mix of SOAR and XDRs?
@HackingLZ No privacy concerns when applying for it? I paused my application process once I saw it requires biometric data. Maybe we will evaluate the enterprise path instead. However, I handed it over to our legal team for review.
I don't understand this - my experience is different. Are you referring to the coding part? I don't use that much. But for CTI work, Claude is far superior to any other model currently. The OSINT techniques and report creations are truly way ahead of GPT or Grok (I don't use Gemini). It seems that Claude understands concepts of Cyber or at least CTI. I was following your posts about degradation, and just yesterday did another CTI Analysis and report creations with the exact same prompts between the two, and Claude nailed it with the concepts and structure and the approach - I even used Sonnet for it.
Luckily, the techniques used to achieve AOBs remain the same, because they are limited by the OS capabilities.
Detecting malicious behaviour was important, but now it will become crucial.
But it is not easy: you truly need to understand underlying systems and architectures, combined with adversary TTP knowledge, to craft such detections that produce high signal and low noise alerts.
Hot take: AI-driven adversaries operating inside your network in 2026 would be EASIER to catch than humans.
LLMs hallucinate, can't distinguish honeypots from production assets, and lack adversarial intuition.
Deploy deception. This is the one phase where the tech works in your favor.
Wrote about it here: https://t.co/wv5oLNFtKr
Ivanti EPMM: two pre-auth RCEs (CVE-2026-1281 / CVE-2026-1340) actively exploited. 1,400+ instances still exposed.
This isn't just server RCE: EPMM is your MDM control plane. Compromise here is a force multiplier.
Patch, assess, hunt. In that order.
https://t.co/iBBGBPQNuz
@auralix4 The one thing that does bother me with Claude is that I run out of context fast and I have to wait. I am on the Plus plan though, not on Max, but might consider upgrading if I do decide to cancel my ChatGPT sub (I still think that one is useful for more 'social' interactions).
I don't understand these people saying that Codex is better than Claude Code. I literally started building a complete new project with both of them, using the same copy/paste prompts. And not only did Claude build a truly working application, but just the experience of building it - how it guides you with what it is doing, and asking you questions - is a whole next level compared to Codex.
I have to assume you guys are trolling, or just building some small-scale apps or scripts.
Once I finished the project (completely vibe-coded with Claude, since Codex couldn't produce working versions and had many UI bugs), I duplicated the files and asked Codex to review the codebase and propose improvements. It did propose some tweaks and 'optimizations', but what it built broke the entire app, which won't launch.
I guess this is just another perspective - and I hope someone actually does a YT video side-by-side comparison, using the exact same prompts to build a medium-scale app (let's say 10k LOCs) from scratch, so that we can all see a more objective perspective.
I use Claude Code in VS Code.
@sama Any improvements planned for the Codex App, such as making it more like an IDE? Feels weird that you can't actually see any code in the app. What about support to open the project in VS Code? Currently I only see Cursor as an option.
The #Notepad++ supply chain attack had 3 infection chains over 6 months - each with entirely different IOCs.
Most defenders only scanned for Chain #3.
I dug into the #WinGUp source code and built a threat hunt playbook for what the IOC lists miss.
https://t.co/qjN4Gm1Rsr
@joshm @diabrowser @browsercompany All nice and great, but we still need SPACES on Dia. So cumbersome every day to switch between profiles... was so seamless with Arc Spaces.
Mobile app. Some stuff we need extensions for to be built into Dia (adblocks, true-privacy pwd manager, Dia email, instead of reading other providers' content, ..).
Basically, make Dia a one-stop shop for everything and not rely on third-party software to extend those features which are typically used in a browser (mail, pwd, adblocks, notion, …)
The attempted attack was sophisticated and it happened over the weekend at 3 AM local time. The threat actor moved fast from initial compromise, internal recon, and payload installation, combined with lateral movements (some within minutes, but in total 3 hours from first payload up to exfil attempt).
Unfortunately, stolen credentials made the attacker's process faster, as they were still valid in this specific scenario.
We are investigating an attack we most likely attribute to Storm-1811 (by @MsftSecIntel) as the TTPs seem to be their modus operandi.
It started with vishing - a phone call to a victim, posing as an IT Admin and convincing the victim to install an RMM tool (QuickAssist).
The 1st stage payload was downloaded from https[:]//vtnsafety[.]com/verify.php?update
SHA256: 74cc76a60c310ccaeceb7ad9387703e7135a90baf8d8e29c08c1d6be16be4d13
At the time of our investigation, it was not detected on any CTI platforms as a malicious site or malware.
Persistence was attempted via Startup Folder entries and RegKeys.
The following actions were mostly connected to running JS / PS commands / scripts, as the 2nd stage payload downloaded the node.js package for running the JS scripts.
Exfil attempt was also made, but we managed to contain the incident before that.