In the past 2 weeks I didn't ship a single new agent or detection capability. The scanner barely moved. Instead I built almost everything that wraps it: the product's website, intake form, Stripe checkout, domain authorization flows and the AWS infrastructure to host all of it.
Last week I delivered a production scan to a customer. Authed scan against their live SaaS, full sweep across what the agents can do today.
Last week I kept catching myself building the same mistake in different costumes. Each time the work looked like progress. Each time, the honest answer to "is this actually good?" was "no, it just looks good on the target I built it against."
I ran a full scan against a customer last week. Real authed scan, real Django app, real money on the clock. The scan produced 6 validated findings, which is a fine result for a first pass on a new target. Then I broke down where the cost actually went.
If you watch a human pentester start an engagement, the first day usually doesn't involve any attacks. It involves a notebook, or a whiteboard, or a text file, and a lot of clicking around.
Two weeks ago I posted week 1 of this build log and asked anyone running a small dev team to tell me how they were handling pentest pressure from their enterprise customers. Around 5 people DM'd.
This week I ran the agent against Juice Shop, a deliberately-vulnerable Angular app the security industry uses as a test bed. It's so well-known it's borderline a meme. Dozens of known issues across every category in the OWASP Top 10. The agents found zero.
A client I had been doing cloud architecture for came to me a while ago with a challenge I keep seeing: Their biggest customer was pressing them on security. Questionnaires, evidence, a pentest report. At the same time, their WAF was lighting up with attackers actively probing for a way in.
