惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

量子位
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
F
Fortinet All Blogs
博客园 - 聂微东
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Hugging Face - Blog
Hugging Face - Blog
V
Visual Studio Blog
小众软件
小众软件
有赞技术团队
有赞技术团队
雷峰网
雷峰网
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
AWS News Blog
AWS News Blog
C
Cisco Blogs
美团技术团队
T
Threat Research - Cisco Blogs
C
CERT Recently Published Vulnerability Notes
人人都是产品经理
人人都是产品经理
宝玉的分享
宝玉的分享
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
酷 壳 – CoolShell
酷 壳 – CoolShell
Stack Overflow Blog
Stack Overflow Blog
W
WeLiveSecurity
D
DataBreaches.Net
博客园 - 司徒正美
Blog — PlanetScale
Blog — PlanetScale
IT之家
IT之家
云风的 BLOG
云风的 BLOG
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Simon Willison's Weblog
Simon Willison's Weblog
Google DeepMind News
Google DeepMind News
T
The Blog of Author Tim Ferriss
Know Your Adversary
Know Your Adversary
NISL@THU
NISL@THU
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Cloudflare Blog
Vercel News
Vercel News
月光博客
月光博客
T
Tailwind CSS Blog
H
Help Net Security
aimingoo的专栏
aimingoo的专栏
P
Proofpoint News Feed
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Spread Privacy
Spread Privacy
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Cisco Talos Blog
Cisco Talos Blog
Microsoft Security Blog
Microsoft Security Blog
V
V2EX
WordPress大学
WordPress大学
Cyberwarzone
Cyberwarzone
Recent Announcements
Recent Announcements

Hacker News - Newest: "AI"

AI can't read an investor deck AI as an attorney? Student uses ChatGPT, Gemini to sue UW over alleged racial discrimination Hacking MCP Servers in AI Systems – The Rug Pull: Tool Changes After Approval GitHub - MeepCastana/KubeezCut: Free Web based video editor GitHub - GenAI-Gurus/awesome-eu-ai-act: Curated tools, official sources, OSS, templates, and guides for EU AI Act compliance. Can AI judge journalism? A Thiel-backed startup says yes, even if it risks chilling whistleblowers Coming soon: 10 Things That Matter in AI Right Now DARPA built an AI to fact-check enemy weapons claims What explains heterogeneity in AI adoption? When AI Meets Muscle: Context-Aware Electrical Stimulation Promises a New Way to Guide Human Movements - Department of Computer Science AI Changed How We Build. It Did Not Change What Matters. Linux rules on using AI-generated code - Copilot is OK, but humans must take 'full responsibility for the… Meta spins up AI version of Mark Zuckerberg to engage with employees Code Mode: Let Your AI Write Programs, Not Just Call Tools | TanStack Blog GitHub - Delavalom/graft: Go framework for building AI agents. Type-safe tools, multi-provider (OpenAI, Anthropic, Gemini, Bedrock), zero vendor SDKs. India's TCS tops estimates, says new AI models did not dent services demand Gen Z's fading AI hype Strong feeling: we are in a folded AI reality GitHub - machinarii/total-recall-catalog: A reference catalog of latest knowledge retrieval, memory & RAG systems GitHub - mensfeld/code-on-incus: Give each AI agent its own isolated machine with root, Docker, and systemd. Active defense detects and stops threats automatically.. Quantization, LoRA, and the 8% Problem: Benchmarking Local LLMs for Production AI Iran war: We spoke to the man making Lego-style AI videos that experts say are powerful propaganda Powell, Bessent discussed Anthropic's Mythos AI cyber threat with major U.S. banks GitHub - immartian/bellamem: Persistent belief-graph memory for AI agents. Retrieves decisive context by importance — not recency, not RAG, not /compact. recursive-mode: The Repo-Native Operating System for AI Engineering After the attack on Sam Altman's home, will AI CEO's go on the offensive? The biggest advance in AI since the LLM Opus 4.6 vs GPT 5.4 One Prompt Unity World Generation Test “AI polls” are fake polls Client Challenge Can AI be a 'child of God'? Inside Anthropic's meeting with Christian leaders How to Switch AI Chatbots and Why You Might Want To GitHub - MattMessinger1/agentic_refund_guardrail: Safe refund policy layer for AI agents — Python + TypeScript. Same behavior, shared tests. Adam/papers/emergent_values_whitepaper.md at master · strangeadvancedmarketing/Adam Ask HN: How do you stop playing 20 questions with your AI coding tools How far can automation and AI support psychotherapy? - @theU GitHub - stagas/rtdiff: realtime git diff gui and AI-assisted commits A Mac Studio for Local AI — 6 Months Later A History of the Early Years of AI at the University of Edinburgh Why AI Coding Tools Still Feel Stuck on Localhost MSN AI Datacenters Are Becoming Strategic Targets twitter.com Penn Researchers Use AI to Surface Unreported GLP-1 Side Effects in Reddit Posts Show HN: MoodSense AI (ML and FastAPI and Gradio, Deployed on Hugging Face) Moodsense Ai - a Hugging Face Space by aman179102 AI models are terrible at betting on soccer—especially xAI Grok GitHub - xialeistudio/echoic GitHub - HimashaHerath/github-dev-wrapped: AI-powered weekly GitHub activity reports deployed to GitHub Pages GitHub - alejandrobalderas/claude-code-from-source: Architecture, patterns & internals of Anthropic's AI coding agent — reverse-engineered from source maps AI and Tech brief: Ireland ascendant GitHub - Titovilal/context0: Context0 - Never Surrender Training for a Marathon with an AI Coach: What Worked and What Didn't Cyber Pulse: Agentic Intel - Apps on Google Play I Built an AI PR Reviewer That Catches Bugs by Not Looking for Bugs Gen Z workers are so fearful AI will take their job they’re intentionally sabotaging their company’s AI rollout | Fortune How AI Is Reimagining the Game of Golf–For Both Players and Courses GitHub - nattergabriel/reseed: A CLI tool for managing and distributing agent skills across projects Is SVG the final frontier? My AI workflow evolved from prompts to a near-autonomous workflow MLSharp Help - 3DGS Viewer & Generator I put my cognitive field based AI's runtime on GitHub Is Numble the first AI-proof game? A3: Kubernetes for autonomous AI agent fleets | Emergent Principles Deepali Vyas ("The Elite Recruiter") GitHub - msmarkgu/RelayFreeLLM: A restful API designed to route user prompts to various AI model providers. Unionized ProPublica staff are on strike over AI, layoffs, and wages Unleashing the Advantage of Quantum AI We're heading for an AI-fueled 'dementia crisis,' brain scientist warns The AI-Assisted Breach of Mexico's Government Infrastructure [pdf] GitHub - stef41/lmscan: 🔍 Detect AI-generated text and fingerprint which LLM wrote it. Open-source GPTZero alternative. Zero dependencies, works offline. MSN GitHub - visionscaper/collabmem: Enabling long-term collaboration with Agentic AI - building up episodic and world model memory over time with in-context awareness We gave an AI a 3 year retail lease in SF and asked it to make a profit | Andon Labs AI Code is Hollowing Out Open Source, and Maintainers are Looking the Other Way What leaked "SteamGPT" files could mean for the PC gaming platform's use of AI AI is the boss at this retail store. What could go wrong? GitHub - Wuzu11517/agentic-proxy: Local proxy meant to help reduce With Drones, Geophysics and ArtificiaI Intelligence, Researchers Prepare to Do Battle Against Land Mines A Single Operator, Two AI Platforms, Nine Government Agencies: The Full Technical Report 在 Steam 上购买 FriedrichAI: Offline AI 立省 10% GitHub - inevolin/resume-cli: Hit Claude usage limits? Resume any AI coding session elsewhere. Switch tools at zero friction. GitHub - atripati/ark: AI Runtime Kernel — a context operating system for AI agents. Eliminates tool bloat, loads only what’s needed, and gives LLMs their reasoning space back. How to Build a Secure AI PR Reviewer with Claude, GitHub Actions, and JavaScript This Startup Wants You to Pay Up to Talk With AI Versions of Human Experts Intel Arc Pro B70 Brings 32GB VRAM to Local AI for $949 WordPress 7.0: The Good, the AI, and the Still Missing AI on the couch: Anthropic gives Claude 20 hours of psychiatry IatroBench: Pre-Registered Evidence of Iatrogenic Harm from AI Safety Measures AI Agents Know About Supabase. They Don't Always Use It Right. The history and future of AI at Google, with Sundar Pichai Inside an AI‑enabled device code phishing campaign How Meta Used AI to Map Tribal Knowledge in Large-Scale Data Pipelines AI for Systems: Using LLMs to Optimize Database Query Execution Forecasting the Economic Effects of AI Introducing Tinker: Play with AI, bring your ideas to life AI sheds light on an ancient gaming mystery People really hate AI but not as much as Iran—or Democrats | Fortune What is an AI Product Engineer? Phoebe Gates wants her $185 million AI startup to succeed with 'no ties to my privilege or my last name': 'I have a chip on my shoulder' | Fortune
cyber.md: A Security Posture File for Agent-Native Development
guysenkot · 2026-05-10 · via Hacker News - Newest: "AI"

Agents have changed how I think about secure development [1], and specifically the way security knowledge moves through a repository. Today, developers and agents at Baz are generating more code than ever, and the amount of code being written is outpacing our SOC2-mandated security processes.

The classic security review was designed for a world where humans opened pull requests, humans reviewed them, humans remembered the threat model, humans knew which parts of the codebase were dangerous to touch AND humans eventually exploited. That is no longer the case.

Agents are independently refactoring API routes, modifying deployment logic, adding integrations, and editing database queries. Simultaneously, bad-actor operated agents [14, 15] are leveraging cyber-capable models to conduct reconnaissance and enumeration with unprecedented scale and intelligence.They do it quickly, repeatedly, and often with a very narrow view of the task in front of them.

We think there’s a need for a new primitive: versioned security posture that agents can read, diff, and apply during normal development.

We’re calling this cyber.md

The file itself is intentionally boring. It names the repo or service it applies to. It describes the protected assets. It records the trust boundaries. It captures the invariants that should survive refactors. It explains which tests should be suggested when certain kinds of code change. Commit the advice, not the exploit.

But there is an important constraint: cyber.md should not become a vulnerability report or risk register. The checked-in version should contain safe guidance, invariants, patterns, and tests. Exact exploit chains, private topology, customer-specific incidents, sensitive findings, and bypass instructions should not live in plaintext next to the code. If the review produces sensitive details, those belong behind some kind of private context broker [2, 3, 4, 5].

Why Markdown? What’s a posture file?

Agents know Markdown. The happy path and the edge cases are well known to agents, and repo-aware tools are particularly good at using Markdown files as durable context.

Security posture should work the same way, with more care.

A posture file is not a pentest output. It is not a list of bugs to fix. It is not a secret notebook of attack paths. It is the durable security memory of a repository [6, 7, 8, 9, 10]. It answers questions like: what assets are protected here, where are the trust boundaries, which invariants must code preserve, which modules need extra care, what tests should be suggested when certain areas change, what guidance is safe to show every agent, and what guidance must stay private.

The goal is not to tell an agent how to break the codebase. The goal is to tell the agent how not to accidentally weaken it.

Not just for security review

cyber.md might make you think it’s just for scheduled security scans, but the more interesting use case is normal coding: Inside an agent-native workflow [13], a cyber.md becomes a source for opportunistic hardening. When a developer asks Claude Code to add a feature, change an endpoint, refactor a worker, update a dependency, or adjust logging, a lightweight context layer can inspect the task and changed files, select the relevant posture guidance, and inject a small amount of advice before implementation. That advice should be intentionally small and just enough context to bias the implementation toward the safer path.

Under the hood

The simplest version of the cyber.md loop has three parts.

First, a posture generator reads the repository and creates or updates cyber.md. This can run manually, on a schedule, after major architecture changes, or as part of a security review. It uses a reasoning model to summarize the codebase into assets, boundaries, invariants, risk categories, preferred patterns, and test expectations.

Second, a posture context layer reads cyber.md during coding tasks. In Claude Code, this can be implemented with hooks, commands, or an MCP-backed broker. In CI, it can be implemented as a GitHub Action or a pull request bot. In a custom agent harness, it can be another context retrieval step [11].

Third, an agent receives only the relevant guidance. The agent does not need the entire posture file every time. It needs the small slice that applies to the current task.

A typical flow is straightforward: the developer asks the agent to change code, the task and touched files are classified, relevant posture guidance is selected, private context is fetched only if needed, a small advice packet is injected, the agent writes normal product code, and the diff is checked against the relevant invariants.

The important part is that cyber.md remains the durable, reviewable source of security guidance. The hooks and brokers are just delivery mechanisms.

Attackers can read markdown

There is an obvious problem with putting security guidance in a repository: attackers can read Markdown too. A repo-visible posture file can leak what the team cares about protecting. Even if it avoids exploit details, it may still reveal trust boundaries, sensitive surfaces, data flow assumptions, and areas that deserve extra scrutiny. Public forks, cloned repositories, archived copies, and old commit history can make those assumptions hard to remove later.

A repo-visible file should include durable security assumptions, safe implementation advice, trust boundaries, protected assets, risk categories, preferred patterns, test expectations, confidence levels, and human review triggers.

It should not include secrets, credentials, exploit chains, exact bypass steps, customer-specific incidents, sensitive production topology, internal attacker paths, or instructions that make exploitation easier.

There is another risk: Markdown files that agents treat as instructions can become an attack surface. A small change to an instruction file can alter how an agent behaves. A malicious dependency, compromised branch, unsafe prompt injection, or poisoned context source [16] can turn helpful guidance into harmful guidance. In other words, don’t import cyber.md from anywhere.

It should be reviewed like code. It should be protected by ownership rules. Changes should be diffed carefully. Sensitive versions should be encrypted or permissioned. The agent should treat guidance as advisory and should still defer to tests, reviewers, policies, and explicit developer intent.

Optional: the split model

We are also experimenting with a split model for sensitive but useful information. In this scenario we keep the “safe posture guide” described previously in Git, alongside the regular code. Sensitive versions that include things like vulnerability scan reports, private architecture notes, and sensitive service context are saved in a permissioned broker and/or as an encrypted file. The broker (in our case a tightly controlled MCP server) should return the minimum useful advice for the task, not the whole private threat model.

What can go wrong?

There are several ways to build this badly.

A file named cyber.md is easy to find. If it contains detailed threat modeling notes [23, 24], it becomes free reconnaissance. Realistically your attacker, once they have access to your code, produces this without you. We believe the mitigation is separation: safe guidance in Git, sensitive detail on a brokered file elsewhere (see above, split mode).

The second failure mode is instruction poisoning. Any file that an agent reads as guidance can be modified, misread, over-weighted, or combined with malicious context. This is especially important for repo-level instruction files. Treat them as part of the trusted development surface: Protect them with code owners, review rules, signing where practical, and conservative runtime handling.

The third failure mode is the broker. A context broker that classifies tasks, retrieves posture guidance, filters sensitive details, and injects advice could become a target.

The fourth failure mode is pull request noise. If you use a non cyber-capable model you will likely get bad advice.

The fifth failure mode is stale guidance. Threat models, like any context, rot. Architecture. A stale cyber.md can make agents preserve rules that no longer match reality. This file needs owners, review cadence, and confidence levels.

For now, cyber-capable models and a posture file is not a replacement for SAST, DAST, SCA, secret scanning, dependency review, human threat modeling, architecture review, incident response, or security ownership [22]. We’re suggesting a context primitive that makes agents more likely to preserve known security properties during coding. It does not prove the code is secure.

What should go in cyber.md?

While we are still refining the best format, we have identified several effective patterns.

A useful cyber.md begins by defining its scope, specifying the relevant repositories, languages, frameworks, and data sensitivity levels [18, 20, 21]. It must explicitly outline protected assets that require careful handling, such as user identities, secrets, admin privileges, and integration credentials. Furthermore, it should identify trust boundaries, providing a mandatory invariant and specific coding guidance for each.

We strongly believe the cyber.md should be a defensive AppSec guidance layer [17], not an attack playbook. Its purpose is to help a cyber-capable model review code safely by describing security intent, expected controls, ownership and trust boundaries without exploit recipes or sensitive operational details.

An exposure layer could define where any public surface interacts with users and agents. It should guide the model to check whether inputs are authenticated, validated, scoped, rate-limited, and handled according to the intended trust level. It should not enumerate attacker tactics or provide step-by-step abuse paths.

The reachability layer exists to help the model understand whether a risky code path is relevant to the reviewed Change. It should describe service relationships, ownership, and expected control handoffs at a high level so the model can avoid false positives and identify missing protections. It should avoid disclosing unnecessary topology, secrets, or operational internals.

The privilege layer exists to clarify what authorization model should apply. It should describe expected identity boundaries, tenant scoping, role checks, and policy enforcement responsibilities so the model can verify that sensitive operations are protected before execution.

The data-flow layer exists to protect sensitive data. It should describe data classes, allowed movement, required validation, storage expectations, logging rules, and encryption requirements. The goal is to help the model verify safe handling, not to reveal where valuable data can be targeted.

The control layer exists to encode defensive standards. It should capture required controls such as authn/authz, input validation, output encoding, secrets handling, dependency hygiene [19], audit logging, isolation, and secure defaults. Controls should be tied to owners and source evidence so findings are actionable.

The evidence layer exists to keep the model grounded. Claims should point to code, config, policy, tests, or scan results, but only at the level needed for remediation. The output should answer: what defensive expectation applies, whether the Change preserves it, what evidence supports the conclusion, and what remediation is needed.

We hate scan reports

Security teams often struggle because review happens after the shape of the code is already set. This means they scan a given state with zero impact on what’s already working in production and is generally where great code scan reports go to die. cyber.md is an opporutnity to move posture guidance earlier. Not to a separate planning meeting. Not to a quarterly review. To the exact moment the agent is about to write code.

The improvement is not dramatic on any single pull request. That’s the point. The codebase gets harder to break because small improvements keep showing up where the code is already changing. But compounding only works if the advice is good. Bad advice compounds too.

That is why the loop needs feedback [12]. Did the suggestion result in a useful test? Did the reviewer accept it? Did it prevent a real class of issue? Did it create churn? Did the same warning appear five times without changing the code? These questions matter more than whether the agent sounded security-aware.

What’s coming?

The first version of the loop is intentionally simple: a Markdown file, a posture generator, and task-specific injection into coding sessions.

There are a few possible next steps. We’re exploring them but we’re open to feedback if you think there’s a better way:

  • Posture diffs should become first-class. When cyber.md changes, developers and agents should be able to see whether the repository added a new trust boundary, improved an invariant, downgraded confidence, or introduced a new watch area.
  • Agent hooks should get better at selecting only the relevant posture context. Large files are useful for humans, but agents need concise packets.
  • Private posture brokers should become easier to run. Teams should be able to keep sanitized guidance in Git while storing sensitive findings in encrypted or permissioned backends.
  • Test generation should become more reliable. The most valuable output is often not advice, but a small regression test that locks in the invariant.
  • Posture maturity should become measurable. Over time, teams should be able to see whether more high-risk flows have invariants, whether more changes include security tests, whether repeated advice is turning into durable code patterns, and whether developer trust in the suggestions is improving or declining.

What will it cost?

Nothin. A cyber.md file is just Markdown. You can write the first version manually. You can ask a reasoning model to draft it from the repository. You can review it like any other documentation change. The runtime cost depends on how often you regenerate posture and how much context you inject. The practical version does not need to run a full codebase scan on every pull request. Generate or refresh the posture file occasionally, then use cheap task-level selection during everyday coding.

There is also an attention cost. Developers have a limited appetite for AI-generated review comments. If the loop creates noisy, generic, or low-confidence suggestions, it will train people to ignore it. That is worse than not having it at all.

Where do I start?

Create cyber.md at the repo root or in the service directory. Add scope, protected assets, trust boundaries, security invariants, area-specific guidance, preferred patterns, and required tests by change type.

For Claude Code, start with a hook that reads the current prompt and touched files, selects a small relevant slice, and injects a compact advice packet. For pull requests, start with a CI job that comments with two or three posture suggestions only when the diff touches a relevant area.

References

  1. Debois, Patrick. “Context Is the New Code.” AI Engineer Europe, 2024. AI Engineer Europe.
  2. Lowin, Jeremiah. “Your MCP Server is Bad (and You Should Feel Bad).” AI Engineer, 2026. AI Engineer.
  3. OX Security. “Anthropic’s Model Context Protocol Has Critical Security Flaw Exposed.” Tom’s Hardware, 2026. Tom’s Hardware.
  4. Cyata. “Anthropic’s Official Git MCP Server Had Some Worrying Security Flaws.” TechRadar, 2026. TechRadar.
  5. Koi Security. “A Malicious MCP Server Is Silently Stealing User Emails.” ITPro, 2025. ITPro.
  6. Packer, Charles, Sarah Wooders, Vivian Fang, and Ion Stoica. MemGPT: Towards LLMs as Operating Systems. Berkeley, CA: University of California, Berkeley, 2023. arXiv:2310.08560.
  7. MemGPT Project. “MemGPT.” Accessed May 10, 2026. MemGPT Project.
  8. Monigatti, Leonie. “MemGPT: Towards LLMs as Operating Systems.” 2025. Leonie Monigatti.
  9. Rasmussen, Preston, et al. Zep: A Temporal Knowledge Graph Architecture for Agent Memory. 2025. arXiv:2501.13956.
  10. Pawar, Tejas, et al. IMDMR: An Intelligent Multi-Dimensional Memory Retrieval System for Enhanced Conversational AI. 2025. arXiv:2511.05495.
  11. Lewis, Patrick, Ethan Perez, Aleksandara Piktus, Fabio Petroni, Vladimir Karpukhin, Naman Goyal, Heinrich Küttler, et al. “Retrieval-Augmented Generation for Knowledge-Intensive NLP Tasks.” Advances in Neural Information Processing Systems 33 (2020). arXiv:2005.11401.
  12. Shinn, Noah, Federico Cassano, Ashwin Gopinath, Karthik Narasimhan, and Shunyu Yao. “Reflexion: Language Agents with Verbal Reinforcement Learning.” 2023. arXiv:2303.11366.
  13. Schick, Timo, Jane Dwivedi-Yu, Roberto Dessì, Roberta Raileanu, Maria Lomeli, Luka Zettlemoyer, Nicola Cancedda, and Thomas Scialom. “Toolformer: Language Models Can Teach Themselves to Use Tools.” 2023. arXiv:2302.04761.
  14. Park, Joon Sung, Joseph O’Brien, Carrie Cai, Meredith Ringel Morris, Percy Liang, and Michael Bernstein. “Generative Agents: Interactive Simulacra of Human Behavior.” Proceedings of the 36th Annual ACM Symposium on User Interface Software and Technology, 2023. arXiv:2304.03442.
  15. Wang, Lei, et al. “Voyager: An Open-Ended Embodied Agent with Large Language Models.” 2023. arXiv:2305.16291.
  16. Anthropic. “Constitutional AI: Harmlessness from AI Feedback.” 2022. arXiv:2212.08073.
  17. OWASP Foundation. OWASP Application Security Verification Standard 4.0.3. 2021. OWASP.
  18. National Institute of Standards and Technology. Secure Software Development Framework (SSDF) Version 1.1. Gaithersburg, MD: NIST, 2022. NIST SP 800-218.
  19. Google. Supply-chain Levels for Software Artifacts (SLSA). Accessed May 10, 2026. SLSA.
  20. CISA. Secure by Design. Accessed May 10, 2026. CISA.
  21. Google. Building Secure and Reliable Systems. Sebastopol, CA: O’Reilly Media, 2020. Google SRE.
  22. Dowd, Mark, John McDonald, and Justin Schuh. The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Boston: Addison-Wesley, 2006.
  23. Threat Modeling Manifesto Working Group. Threat Modeling Manifesto. Accessed May 10, 2026. Threat Modeling Manifesto.
  24. Microsoft. “The STRIDE Threat Model.” Accessed May 10, 2026. Microsoft Learn.