Anyone else feeling like static AppSec workflows are starting to hit limits?
Hot take: agentic workflows are basically SAST/DAST, just with a reasoning loop on top.
We’ve been experimenting with systems that don’t just run static or dynamic checks once and stop there, but continuously loop: checking code, exploring runtime behavior, revisiting assumptions, pivoting when something interesting shows up…
And honestly, once the system starts understanding context instead of just matching signatures, things get interesting fast.
Especially around:
- logic flaws
- weird edge cases
- multi-step exploitation paths
- “this technically works but absolutely should not” type bugs
That said, current models still hallucinate, lose context, and do pretty dumb things pretty often, so this definitely doesn’t feel like “AI replaces AppSec engineers” territory at all.
But it does feel like security testing workflows are starting to shift in a meaningful way.
Curious if other people are seeing the same thing or if this still feels like AI hype from your side.
We’ll be digging into this more in a live session soon if anyone wants to join, challenge the takes, or just nerd out about where AppSec tooling is heading.