Security
May 4, 2026
The accidental continuous pentest (week 3)

Two weeks ago I posted week 1 of this build log and asked anyone running a small dev team to tell me how they were handling pentest pressure from their enterprise customers. Around 5 people DM'd.

Security
April 28, 2026
Zero findings on a known-vulnerable app (week 2)

This week I ran the agent against Juice Shop, a deliberately vulnerable Angular app the security industry uses as a test bed. It's so well-known it's borderline a meme. Dozens of known issues across every category in the OWASP Top 10. The agents found zero.

Security
April 25, 2026
Building a $500 pentest tool for small dev teams (week 1)

A client I had been doing cloud architecture for came to me a while ago with a challenge I keep seeing: Their biggest customer was pressing them on security. Questionnaires, evidence, a pentest report. At the same time, their WAF was lighting up with attackers actively probing for a way in.