Stone and wood arched doorway with glowing digital overlay showing a garden path and plants
Business

The Cheapest Way Into Your Business Isn’t Malware. It’s a Phone Call.

It’s 4:45 on a Friday.
Someone on your finance team gets a call.
The voice is calm, knows the CFO’s name, references a real invoice number, and just needs “one quick correction” on a wire transfer.
Ninety seconds later, the money is gone.

Nobody wrote a single line of malicious code to make that happen.

That’s not a scare story. It’s the new baseline. CrowdStrike found that 79% of detections in 2025 involved no malware at all — no virus, no exploit kit, nothing your antivirus was ever built to catch. The attacker just… logged in. Or called. Or asked nicely.

If you run a small or midsize business, 2026 is the year to stop thinking about cybersecurity as “did we install the right software” and start thinking about it as “can someone talk, click, or log their way into something they shouldn’t.”

Here’s what the data actually says, and what to do about it.

Continue reading
Standard
Five agents collaboratively repairing a complex machine labeled Mega-Device X1 in a futuristic lab filled with tools and monitors.
AI, webdev

5-Agent Framework for Code Audits

I’ve been seeing the same anti-pattern everywhere lately.
Someone opens Cursor, Copilot or Claude and pastes a giant prompt:

Continue reading
Standard
Business

Scaling Engineering: Ownership Over Hiring

Most engineering leaders think scaling is about hiring.

And honestly, that instinct makes sense — more work, more people, problem solved. But in practice, scaling engineering is mostly about scaling ownership. The teams that succeed aren’t necessarily the ones with the most engineers, the most process, or the fanciest org charts. They’re the ones that can keep ownership close to the work as the organization grows.
That sounds simple until you’ve experienced the moment it breaks down at 2 AM.

I’ve had the chance to see engineering organizations at very different scales — from early startup environments to larger companies like Google, Netflix, Meta, and JFrog.
Every company is unique, but the patterns are surprisingly consistent.

The biggest takeaway is this: every growth stage introduces a new coordination tax.
The challenge isn’t eliminating that tax.
The challenge is preventing coordination overhead from growing faster than the company does.

The First 20 Engineers: Optimize for Builders

At around 20 engineers, speed is your biggest advantage, and process is often your biggest enemy.
Everyone sits close to the product. Engineers talk directly to customers.
The person writing the code can usually explain exactly why it exists and what it connects to. It’s a genuinely magical phase — and it’s also temporary, so it’s worth enjoying while it lasts.

At this stage, ownership should be brutally simple: teams own services end-to-end, carry their own on-call rotation, deploy their own code, and fix their own incidents.
No exceptions.
One of the strongest signals of a healthy engineering culture is whether the people building the software also feel the consequences when it breaks. If your team gets paged because their service is down, reliability becomes surprisingly important. Funny how that works.

The Platform Team Trap

One mistake I see repeatedly at this stage is creating a platform team too early.
The logic is completely understandable — someone notices that everybody is independently building CI pipelines, setting up monitoring, and solving the same deployment problems.

The natural reaction is, “we need a platform team.” And you know what?
That instinct isn’t wrong.
It’s just early.

At 20 engineers, the cost of coordination is often higher than the cost of duplication.
A few redundant solutions are cheaper than introducing another organizational boundary and the meetings, hand-offs, and dependency management that come with it. This tradeoff becomes even more relevant in the AI era.

Generating code is now cheap.
Creating clear ownership is still expensive. The bottleneck is no longer writing software — it’s understanding who should maintain it six months from now. That’s a human problem, not a tooling problem.

Around 50 Engineers: The Coordination Tax Arrives

Continue reading
Standard
Futuristic cockpit with holographic compliance and cybersecurity monitoring dashboard
AI, Business

CMMC Certification Cost: How AI-Native Compliance Can Cut Expenses by over 70%

If you’re pursuing CMMC certification, one of the first questions you’ll ask is:

How much does CMMC certification cost?

The answer depends on your current security posture, the size of your organization, and how you approach compliance. For many small and mid-sized businesses, the total cost of achieving and maintaining CMMC Level 2 compliance can range from tens of thousands to hundreds of thousands of dollars.

The surprising part?

The audit itself is rarely the biggest expense.

Continue reading
Standard
AI

Understanding MCP vs Agent Skills: Key Differences Explained

There’s a lot of confusion right now between MCP (Model Context Protocol) and “Agent Skills.” They’re often mentioned in the same breath, but they solve different problems. If you treat them as interchangeable, you’ll either over-engineer simple workflows or underpower serious integrations.

Here’s the clean way to think about it.

The Core Difference

MCP is about connecting agents to systems.
Skills are about teaching agents how to do things.

That distinction alone gets you 80% of the way.

Integration Model

MCP is a client-server protocol. You stand up an MCP server, expose tools, and now multiple agents can talk to multiple backends through a consistent interface. It’s a hub.

Skills are much simpler: a folder with a SKILL.md file. The agent loads it when triggered and follows the instructions. No protocol, no network layer, no abstraction.

Implication:

  • MCP scales across teams and services
  • Skills scale across use cases and workflows
Continue reading
Standard
Sport

Train Smarter for Your Ironman with EnduraCoach — The AI Companion That Actually Delivers

A few months ago, I finished a long ride—just over 100 miles, solid climbing, felt strong the entire way. The kind of session that makes you think, I’m on track.

The next week, I pushed again. Then again.

Nothing dramatic—just a bit more volume, a bit more intensity. Exactly what most self-coached athletes do when things feel good.

Two weeks later, I was flat. Not injured. Not sick. Just… off. Power was down, runs felt heavy, motivation dipped. The frustrating kind of fatigue where nothing is clearly wrong—but nothing is clearly right either.

When I looked back, the pattern was obvious:

  • I had increased load too quickly
  • Skipped a proper recovery week
  • Let “feeling good” override structure

What’s worse: all the data was there.
Garmin had it.
The workouts were logged.
The signals existed.

I just didn’t have a system that could connect the dots, enforce discipline, and still adapt intelligently.

That’s the gap.

Most tools today fall into two extremes:

  • Static plans that ignore what you actually did
  • “AI coaching” that sounds smart but you can’t really trust

I wanted something in between:

A system that keeps me honest on the fundamentals—while still helping me think, adapt, and improve.

That’s where EnduraCoach started.

Continue reading
Standard
AI, Business

Why SMBs Struggle with Cybersecurity: The Real Challenges

I recently had a conversation on The Changelog, and it reinforced something I’ve seen over and over again:

SMB cybersecurity isn’t just hard — it’s structurally broken.

Not because people don’t care.
Not because tools don’t exist.
Because the entire model assumes resources that SMBs simply don’t have.

The uncomfortable truth

Security today is designed for enterprises and downsized for everyone else.
That doesn’t work.
Enterprise model:

  • Dedicated security teams
  • Time to triage alerts
  • Budget to stack tools

SMB reality:

  • One DevOps person wearing five hats
  • Compliance pressure (SOC 2, ISO 27001, CMMC…)
  • A pile of tools that don’t talk to each other

So what happens?

They install more tools…generate more alerts…and end up less certain about their security posture.
That’s the paradox.

Continue reading
Standard
Animated coffee cup with a spoon glowing magical shield against dark fiery monsters
AI, Business

SMB Cybersecurity Is Broken — Here’s What We’re Doing About It

SMB cybersecurity is a mess. Yes – It’s 2026 and it’s broken. Big time.

Too many tools.
Too many dashboards.
Too many alerts that nobody has time—or context—to act on.

And the result?
A false sense of security.

You can have RMM, MDM, EDR, SIEM, compliance tools… and still be exposed. Not because the tools are bad—but because the system is unworkable for the people actually running it.

Most small and mid-sized businesses don’t have a SOC.
They don’t have a dedicated security team.
They don’t have time to interpret 300 alerts a day.

What they have is:

  • An overstretched IT person (or MSP or the owner that is busy with 127 other things that are all urgent)
  • A growing attack surface
  • And a stack of tools that don’t talk to each other

That’s the real gap.

A Quick Look

We recently shared a glimpse of what we’re building here:

Continue reading
Standard
Fiery streams of data converting into a green neural network grid
AI, Business

Using LLMs to Find Security Bugs: A Practitioner’s Playbook

TL;DR

LLMs won’t replace AppSec.
They will dramatically compress the search space.

If you use them right:

  • Run multi-model analysis (Opus + GPT + Gemini)
  • Structure prompts around attack surfaces, not “find bugs”
  • Require PoCs or tests for validation
  • Trust only cross-model consensus or reproducible exploits

If you don’t do this, you’ll drown in false positives.


Security research has always been asymmetric.
Attackers need one bug; defenders need zero.
Historically, scale worked against defenders.

LLMs start to rebalance that—not by magically finding zero-days, but by acting as a fast, always-on analyst that can:

  • Read entire subsystems in seconds
  • Connect logic across files
  • Generate realistic attack paths

Used correctly, they don’t replace expertise—they let you spend it where it matters.
Used incorrectly, they produce confident nonsense.
This is a practitioner’s workflow that actually works.

Continue reading
Standard