DryRun Security
@dryrunsec
Followers 122 · Following 20 · Media 23 · Statuses 45
The industry’s first AI-native, agentic code security intelligence platform that's helping teams cut noise, find risks, and secure future-ready software.
Austin, TX
Joined September 2022
“Zero rule violations” isn’t the win you think it is. When static checks become the target, teams optimize around the meter, not the risk. In this post, DryRun Security CEO & Co-founder @wickett unpacks how rules decay in living systems, why developer experience
Looks like Christmas came early 👀 We're this👇 excited about our new whitepaper on building secure AI applications! Check it out at https://t.co/JP48mNiInO
Building with AI ≠ securing a web app with an LLM tacked on. This breakdown covers the seven failure patterns we keep seeing in production: treating models as trusted compute, burying policy in prompts, over-authorizing agents, ignoring RAG as an attack surface, and more. If
AI is moving fast. Faster than most security programs. Earlier this week, GeminiJack, a zero-click AI vulnerability, exposed serious gaps in how LLMs are being integrated into enterprise systems. No user action. No obvious warning. Real risk. This is the pattern we keep seeing.
techfinitive.com
Davey Winder explains what GeminiJack is, how it symbolises a new breed of attacks via AI and what organisations can do to protect themselves
LLM apps are moving fast, and the risks are moving faster. That’s why we’ve developed a guide for securing AI Applications. In “Building Secure AI Applications,” we break down how the OWASP LLM Top 10 shows up in real systems and map each risk to controls teams can actually
Mark Burgess once pointed out that determinism in large systems is mostly an illusion. He was right. We pretend our tools can capture risk with fixed rules, but modern software isn’t static enough for that. In our most recent post, @wickett discusses how AI is pushing us into
The teams that win in modern AppSec are not the ones who find the most reachable paths, but the ones who can prove what is actually exploitable. In head-to-head evaluations (including AI-native SAST) DryRun Security keeps winning because we verify intent and behavior before a
We’re at @ainativedev Con New York! DryRun Security is a sponsor, and @cktricky & Andrea Swaney will be on-site. Come say hi at our booth! 🎁 We’re giving away copies of “Vibe Coding: Building Production-Grade Software with GenAI, Chat, Agents, and Beyond,” and you can register
Would you trust a pitcher calling their own pitches (especially if you’re on the opposing team)? Definitely not. You’d want an unbiased call. Frontier LLM assistants are phenomenal at writing code but they shouldn’t be your security authority. In this post, we break down why
It worked…sometimes. The “it” being our early “Behavioral Questions” prototype (YAML + a slice of code context) that was the first answer to the question: What if you could ask a security question IN PLAIN ENGLISH “Does this change modify authentication logic?” AND get an
Huge thanks to the @LASCONATX volunteer team (incredible hosts) and to everyone who stopped by our booth for great #appsecurity conversations. If you missed it live, catch @wickett's talk "Out of Control: Promise Theory and the Future of Code Security Agents" slides here:
promise-theory-34zpp7h.gamma.site
Scaling Code Security Through Promises, Not Control James Wickett || X: @wickett || LinkedIn: /in/wickett
Stop writing policies like it’s 2015. We use natural language and an agentic approach to understand code context in every PR so your AppSec is fast, accurate, scalable. Read more about each step of our journey at https://t.co/fWxzHRaSBW
Thrilled to team up with @secdim to connect DryRun Security contextual risk insights with hands-on secure coding labs. This helps engineering teams turn findings into learning and fixes faster. Thanks, Pedram, for this innovative use case for the DryRun MCP!
This is how you use SAST findings to upskill developers in security, right in your Claude IDE. Brought to you by @dryrunsec + @secdim #sast #training #securecoding
From alert to assurance in minutes. CTO and Co-founder @cktricky walks through how DryRun Security Code Insights MCP helps teams investigate NPM supply chain threats without manual toil, saving hours of effort. Teams use Code Insights MCP to move faster during incidents and
Get superhuman visibility into your security posture, architecture, and more! Announcing DryRun Security Code Insights MCP. Now you can ask your code what changed and why: 👉 “Hey DryRun, are there any new admin endpoints this week?” 👉 “Which PRs touched auth or payments?”
CodeRabbit RCE wasn’t prompt injection—it was tool execution + isolation drift + secrets exposure. We’ve stumbled too (IDOR in closed beta), which is why our sandboxed approach avoids this class of risk. 🔗Read more: https://t.co/LwC0X7yJEJ
📣📣📣 The Boring AppSec Podcast Ep. 22 is out with @cktricky (Co-Founder and CTO @dryrunsec)! I really enjoyed this conversation with @JubbaOnJeans and Ken as all of us have been building in the AI space for some time now and have stumbled upon similar blockers and