Posts

AI-Driven Development Life Cycle: Reimagining Software Engineering

The article introduces the AI-Driven Development Lifecycle (AI-DLC), a new methodology that positions AI as a central collaborator rather than just an assistant in software development. It argues that traditional AI approaches, such as AI-assisted and AI-autonomous development, yield suboptimal results. AI-DLC operates on two dimensions: AI-powered execution with human oversight, where AI creates plans, asks clarifying questions, and defers key decisions to humans, and dynamic team collaboration, where teams focus on creative problem-solving while AI handles routine tasks. The lifecycle has three phases: Inception, where AI transforms business intent into requirements via Mob Elaboration; Construction, where AI proposes architecture, code, and tests through Mob Construction; and Operations, where AI manages infrastructure and deployments with team oversight. Key benefits include increased velocity, higher quality, more innovation, faster market responsiveness, and improved developer ex...

Prempti - Falco-powered policy and visibility layer for AI coding agents

Prempti is an experimental tool from Falco Security that provides guardrails and real-time visibility for AI coding agents by intercepting tool calls before they execute. It evaluates every shell command, file write/edit/read, web fetch, and MCP call against customizable Falco rules written in YAML, producing verdicts: Allow (proceeds), Deny (blocked with LLM-friendly explanation), or Ask (prompts user for approval). Two operational modes are available: Guardrails mode (default, verdicts enforced) and Monitor mode (observe-only, all calls proceed while verdicts are logged). A default ruleset covers working-directory boundaries, sensitive paths (.env, ~/.ssh/, cloud credentials), sandbox disable attempts, credential access, destructive commands, exfiltration, MCP server config poisoning, skill file injection, and persistence vectors. Users can add custom rules to ~/.prempti/rules/user/. A Claude Code skill is included for interactive rule authoring. Supported agents include Claude Code ...

We hardened zizmor's GitHub Actions static analyzer

Trail of Bits collaborated with zizmor maintainers over three months to bring zizmor's YAML anchor support to full coverage, after attackers exploited a pull_request_target misconfiguration in the aquasecurity/trivy-action GitHub Action to exfiltrate secrets and backdoor LiteLLM on PyPI in March 2026. To stress-test the tool, Trail of Bits built a corpus of 41,253 workflow files from 6,612 high-value open-source repositories (the 10,000 most-starred repos created between 2022 and 2025 that use GitHub Actions). Only 43 of 41,253 workflows (0.1%) use YAML anchors, but those include foundational projects like Bitcoin Core and Home Assistant. Four anchor-handling bugs were found and fixed: aliases in sequences incorrectly flattened (causing crashes or wrong-location findings), anchor prefixes leaking into values, duplicate anchors causing crashes, and the template-injection audit crashing on aliased run values. The corpus also surfaced deserialization edge cases (if: 0 as integer, timeout-...

ExploitBench – Real exploitation is a ladder

ExploitBench is a benchmark from Carnegie Mellon University that measures how far AI agents climb the exploitation ladder, from reaching vulnerable code (T5 coverage) to triggering the bug (T4 reproduction) to building target-specific primitives (T3) to generic arbitrary read/write primitives (T2) to full arbitrary code execution (T1). The first benchmark, v8-bench, targets V8 (the JavaScript and WebAssembly engine inside Chrome, Edge, Node.js, and Cloudflare Workers) with the V8 security sandbox enabled, testing against 41 CVEs. Grading is deterministic with no LLM-as-judge. As of May 18, 2026, the leaderboard shows Claude Mythos Preview (with and without AutoNudge) achieving mean capability scores of 9.90/16 and 9.55/16, and GPT-5.5 (Codex) at 5.51. Mythos Preview reached Tier 1 (full arbitrary code execution) on 21 of 41 CVEs (51%), while GPT-5.5 cracked Tier 1 on 2 CVEs. Claude Opus 4.7 with AutoNudge escaped the V8 sandbox into Tier 2 on one CVE. The cheapest full ACE run cost $14...

How Uber Runs 60,000 AI Agent Tasks Per Week With MCP

This Agentic AI Foundation blog post summarizes a talk by Meghana Somasundara and Rush Tehrani at the MCP Dev Summit North America 2026 about Uber's production-scale MCP deployment. Uber runs 60,000 AI agent executions per week, with over 1,500 active agents monthly and more than 90% of Uber's 5,000-plus engineers using AI tooling every month. The infrastructure is built on MCP, which the authors state "are what make AI usable at Uber." Before MCP, every agent team built bespoke integrations to Uber's 10,000-plus internal services, resulting in hundreds of non-reusable parallel integrations. The solution was a control plane consisting of the MCP Gateway and Registry, which automatically translates Uber's service interface definitions (proto and thrift files) into MCP tool descriptions using an LLM. Everything runs through code as pull requests with security scanning before deployment. Security layers include authentication on by default for sensitive data, a P...

Stateless: The Future of MCP Transports

This blog post from the Agentic AI Foundation (AAIF) summarizes a talk by Shaun Smith (Hugging Face) and Kurtis Van Gent (Google Cloud) at the MCP Dev Summit North America 2026 about making the Model Context Protocol stateless. The motivation comes from operational scale: Google Cloud supports MCP servers for AlloyDB, Spanner, Cloud SQL, Bigtable, and Firestore, while Hugging Face runs over 2,500 MCP servers via Spaces and manages over 20 million tool calls across 40+ databases in a single month, with a single tool call generating over 100 MCP protocol messages. The core problem is that MCP is currently stateful, requiring initialization handshakes and persistent session context, which breaks down behind load balancers where requests can arrive at any server. The proposed solutions include: SEP-1442 (removing the initialization handshake as a required first step, folding protocol negotiation into the first actual request like tools/list), SEP-2322 (fixing elicitation by making it a seq...

scopeshift - An automated tool to test AI models against scope manipulation (deceiving an AI agent about its real target)

scopeshift is an automated tool that sits in the network path of an LLM-driven offensive-security agent and systematically deceives it about its real target through coordinated manipulation of network, DNS, and MCP signals. It operates through four independent subsystems: shift-local (reverse proxy that rewrites responses to make a remote target appear local, including URL substitution, cookie domain stripping, HTML comment injection, header removal, meta tag stripping, and title rewriting), shift-dns (synthesizes TXT attestation records that can include the agent's own egress IP via the $SELF_EGRESS placeholder, with optional A/AAAA redirect to the local proxy and transparent interception of hardcoded DNS), and shift-mcp (a deceptive MCP server that returns operator-configured answers to scope and rules-of-engagement queries). The tool requires Python 3.11+, installs via pipx or uv, and includes a Docker sidecar demo where an unmodified Claude Code agent runs as a sibling containe...