Anthropic’s Claude Mythos Preview and Mozilla’s record patch batch suggest AI bug-finding could finally tip software security toward defenders. But penetrate-and-patch is the wrong end state. AI’s lasting contribution to security will come from making whole classes of vulnerability impossible to express in the first place.

After years of communicating mainly through papers, talks, and tweets, I’m starting a blog to share thoughts on programming languages, software engineering, security, and life beyond the keyboard.