▲ 6 r/platform_engineering+4 crossposts

AMA with Josh: what slows teams down after they find a risk?

Finding risks is usually not the hard part anymore.

The harder questions are:

- Is this actually important?

- Who owns it?

- What application does it affect?

- Is there evidence for the control?

- What should we fix first?

- What can AI safely help with?

I’m hosting an AMA with Josh from IBM Concert to talk about how teams move from findings to action across application risk, compliance, resilience, and remediation.

We can also get into how Concert helps with things like application context, compliance controls, evidence assessment, vulnerability prioritization, remediation planning, integrations, and AI-assisted workflows.

Drop your questions below.

reddit.com
u/therealabenezer — 8 days ago

AI found 500 vulnerabilities. Which 5 do you fix first?

If AI-driven scanners make vulnerability discovery much faster, discovery stops being the bottleneck. The hard part becomes deciding what is real, what matters, who owns it, and what can be fixed without breaking production.

What signals should decide priority?

- customer-facing service

- active traffic

- exploitability

- revenue impact

- recent deploy

- service owner

- error rate

- compliance exposure

- available rollback/fix path

How are teams avoiding "faster finding, same old backlog"?

reddit.com
u/therealabenezer — 20 days ago

What should this community be best at?

I want r/IBMObservability to be useful for practitioners, not just a place where product names show up.

The topics that seem most useful so far:

- AI-assisted code security

- LLM workload monitoring

- incident response and alert quality

- vulnerability prioritization

- cloud cost and optimization

- practical Instana, Turbonomic, and Concert workflows

If you work in SRE, platform, AppSec, DevOps, or cloud ops, what would make this community worth joining?

reddit.com
u/therealabenezer — 20 days ago

AI-assisted code: what security checks are actually catching real issues?

AI can generate working code fast, but it also seems to create a different kind of review problem: the code looks plausible, tests may pass, and the risky assumption is buried in the implementation.

For teams using Copilot, Cursor, Claude, or similar tools, what has actually caught real security issues before code reached production?

- SAST

- dependency scanning

- human review

- threat modeling

- package hallucination checks

- prompt-injection checks

- runtime monitoring

What has been useful, and what mostly creates noise?

reddit.com
u/therealabenezer — 20 days ago

What do you actually monitor for LLM apps in production?

Latency and error rate are obvious, but LLM workloads add signals that traditional APM does not really explain.

For teams running LLM features in production, what has been useful to track?

- token cost

- prompt/version traces

- retrieval quality

- hallucination or bad-answer reports

- latency by model/provider

- privacy-safe logs

- tool-call failures

- user-visible quality regressions

Which metrics changed how you operate the system, and which turned out to be dashboard decoration?

reddit.com
u/therealabenezer — 20 days ago
▲ 4 r/platform_engineering+5 crossposts

AMA: Mythos-Class AI Changes Security Discovery. What Changes Next?

Hey r/IBMObservability, we're from the IBM Concert platform team. I'm joined by Josh, a PM on the Concert team. The math of IT operations just changed. Mythos-class (Fabel 5) AI can scan environments and surface vulnerabilities at a volume and velocity no human team can triage, let alone remediate. Discovery is no longer the bottleneck. Validation, prioritization, governance, and execution at scale is.

That gap is what Concert exists to close. It pulls findings from any source, AI-driven or traditional, correlates them with business context, ranks by actual impact, and drives remediation through governed, auditable workflows across pipelines and infrastructure. Same closed loop across the platform: Observe, Optimize, Protect, Resilience, and Workflows, where insight in one domain informs action in another.

Ask us anything about:
How Concert Protect operationalizes Mythos-scale discovery without drowning teams
Secure Coder and catching risk the moment code is written, then automating remediation downstream
Where agents act autonomously today vs where humans stay in the loop

reddit.com
u/therealabenezer — 26 days ago
▲ 4 r/platform_engineering+3 crossposts

Mythos and observability: what happens after AI finds the vulnerability?

Hey folks, I work on the IBM Observability team and wanted to get your take on Project Glasswing and Claude Mythos Preview.

Mythos is being used by select partners, including IBM, to find and validate software vulnerabilities much faster than traditional workflows. IBM is also expanding tools like IBM Concert to unify application, infrastructure and network signals into a single operational view.

Curious how people think this should work in practice: if AI can surface more vulnerabilities faster, what should observability platforms show to help teams prioritize by business impact, reduce noise and move from detection to response?

reddit.com
u/therealabenezer — 2 months ago
▲ 2 r/u_therealabenezer+1 crossposts

Quick poll to set the stage. If your team is running a GenAI app at work (not solo side projects), what is it?

  • Customer-facing chatbot or support agent
  • Internal knowledge assistant (RAG over docs)
  • Industry-specific workflow automation
  • Summarization (meetings, docs, incidents)
  • Code generation or dev productivity
  • Agentic workflows

Drop your questions for Jayanth on instrumenting LLM and agent apps, tracing hybrid stacks, OpenTelemetry, sampling and cost, and where APM is heading.

reddit.com
u/therealabenezer — 2 months ago

Hey all, I'm Abenezer, a PM on the IBM Observability team. Wanted to share something from our Research group that I think is relevant to anyone thinking about where AI agents fit in IT operations.

ITBench is an open-source framework that spins up real Kubernetes environments, injects faults (service outages, compliance gaps, cost anomalies), and measures how well AI agents diagnose and fix them. It covers three domains: SRE, CISO, and FinOps.

It was presented at ICML 2025 and most recently at SRECon.

Repo: https://github.com/itbench-hub/ITBench

Curious what this community thinks. What incident types or environments would make a benchmark like this more realistic for what you deal with day to day?

If there's interest, I can bring in the IBM Research scientists behind ITBench for an AMA. Let me know.

u/therealabenezer — 3 months ago

I work on the IBM Observability team, and I will be joined by a PM who works on IBM Instana’s LLM observability feature. We are curious how folks are monitoring generative AI workloads in production. When you deploy large language models, it can be hard to see what is going on. We want to hear about the pain points around measuring the latency of each step, tracking how many tokens are processed and understanding how much cost your model is burning.

For context, Instana’s GenAI observability delivers high‑fidelity telemetry with one‑second metric granularity and end‑to‑end tracing. It collects LLM‑specific metrics such as token usage, latency and request cost, and you can instrument applications using the Traceloop SDK, exporting traces through an agent or directly to Instana depending on your environment. Instana also integrates with vLLM to provide detailed runtime metrics like throughput, latency and resource utilization. If you are also curious about Instana's LLM monitoring capabilities drop your questions below.

reddit.com
u/therealabenezer — 3 months ago

As AI-generated code becomes the norm, developers are shipping faster than ever. How are you checking AI-assisted code for security before it goes live? Are you relying on manual review, scanners, guardrails in the IDE, or something else? Have you found an approach that actually works

reddit.com
u/therealabenezer — 4 months ago