Zack Korman
CTO @ Pistachio. I build AI cybersecurity stuff.
Oct 27 16 tweets 6 min read
Here’s what I have on ChatGPT Atlas’ security so far. I’ll have to do multiple threads as I find more, as I have a newborn that thinks she’s more important than AI security (she is). This thread is just some preliminary findings. Caveat: If you’re reading this because you want to see what attackers can do +examples, that will come in a later thread. I don’t want that to feel half-assed or rushed. This thread is just to share some info on how it works and problems I see right now.
Oct 25 23 tweets 5 min read
This isn’t how you build security at a startup. It’s bad advice and isn’t feasible either. So, I wrote this thread with my advice on product security at a startup, based on what I’ve done at Pistachio at different stages (from one person in tech to twenty). Hopefully it helps. Caveats: First, I’m not saying this is the “one true way”, just that it’s my advice because it’s my experience. Ofc, it depends on the type of product you’re building. Second, this is for technical founders, not non-technical founders trying to vibe code or something dumb.
Oct 19 25 tweets 6 min read
I wrote this thread about phishing simulations. We’ve sent about 3m sims, so we have pretty good data. I want to show what “works”, what people fall for, who falls for sims, etc. Also, why do sims at all. Sorry it’s long and boring, but might be useful for a very niche audience. DATA (1): To explain how our system works so you can understand the data: we figure out info about each user (role, software they use, locations, languages, etc) and use that to target sims. And based on how a person responds, that helps us decide the next sim to send.
Oct 13 23 tweets 4 min read
As promised, a thread about AI in cybersecurity. I want to explain how these systems work and why I think despite the hype and the stupid sales people, there’s also something very real going on in this space. One caveat: I’m the CTO at Pistachio, so I’m obviously pretty biased. We have an AI insider threat detection product. But that also means I’ve worked very hands on with these systems. Still, grain of salt and all that.
Sep 27 29 tweets 5 min read
Here’s a thread about how I approached getting ISO27001 certified at Pistachio, written for people who hate these things as much as I do. As @IceSolst says, ACAB includes auditors. Caveats, as usual: First, I’m a total amateur. I did this once and hopefully never again. Some days I actively try to forget some of what I learned. ISO27001 made me dumber. This is just about what worked for me. Second, my org is 70 people, so YMMV. Anyway, here we go:
Sep 21 21 tweets 4 min read
Microsoft allows you to authorize enterprise apps with permissions in your tenant, and sometimes those permissions are super broad. Here’s a guide for monitoring those apps and (sort of) setting tighter restrictions than permissions allow. Note, this doesn’t actually modify permissions. What it does is allow you to set which endpoints you expect the app to call, and auto-delete the app if it accesses something else. It’s not perfect, but it’s something.