The times, they are A-changin
In the coming months, this newsletter will reflect the changes in my career: from being an AppSec operator to being a co-founder of an AppSec company.
When I started this newsletter ~3 years ago, the idea was to write about AppSec things that most people didn’t write about. It was a good time to start the newsletter because I was then leading a Security team (and setting up an AppSec program). Every day, I dealt with multiple AppSec problem statements at work and had the opportunity to test my hypotheses about AppSec. This made it simple to write posts with depth. I lived through every problem I wrote about, which, in my opinion, lent authenticity to the posts. That way, even when I wrote seemingly controversial things (like wondering if DAST is dead or if WAF is pointless), I knew the opinions came from living the reality of running an AppSec program every day.
In the last 15 months, things have changed. I still work in AppSec, but as a founder (I co-founded Seezo) and not as a practitioner. Sure, I still care about the security of the software we build, but most of my day is spent on Product, GTM (go-to-market), and leading a fantastic team. This makes it hard to write the typical Boring AppSec post. Not because I don’t have enough topics to write about (there is a long list of drafts sitting on a Google doc somewhere), but it’s hard to be authentic about it when you don’t deal with the problems every day.
That does not mean I don’t have interesting things to write about. Over the last year, I have spoken to dozens (if not 100+) of AppSec teams and learned much more about the industry. I have gained a perspective that 15 years of consulting + being an operator did not provide.
So, starting next week, this newsletter will focus on building in AppSec. This does not mean the newsletter will be used as a sales engine for Seezo. Most topics will revolve around hypotheses about the industry, frameworks to solve thorny AppSec problems with code/software, engineering challenges in building an LLM-powered AppSec product, and more. It’s an exciting time to build in AppSec, and I will write about those exciting things.
This is a marked change from the original premise of the newsletter. So, if you unsubscribe after reading this, I’d understand. While the premise changes, the style will remain the same (there will be bad jokes and hot takes). Given that the content will be more aligned with what I do every day, I hope to post more often this year, too (it should be easy, given I published only two posts last year).
That’s it for today, and thanks for following along so far! You can drop me a message on Twitter (or whatever it is called these days), LinkedIn, or email. If you find this newsletter useful, share it with a friend or colleague or on social media.
P.S.: Apologies for the dramatic title. The blog is definitely “changing,” but not as significantly as the changes that Dylan talks about. Sometimes, a good headline comes to you, and you roll with it, even if it’s not 100% appropriate :-)