ADArshan Dabirsiaghiinnahsra.hashnode.dev·Jul 7 · 6 min readA Prompt Is Not a Security FunctionWhat does it mean for a finding to be a “False Positive” to your team? I watch a lot of metrics on the SAST+SCA triage harness we build at Pixee. Among them are jitter (how often the system changes it31P
ADArshan Dabirsiaghiinnahsra.hashnode.dev·Jul 22, 2025 · 4 min readExploit VerificationToday marks an exciting day for all of us here at Pixee, and maybe in appsec? Excuse me some founder panaché. The Problem: Proving Exploitability Is Hard One of the hardest, most detail-oriented, and time consuming things to do with SAST is to try to...02SR
ADArshan Dabirsiaghiinnahsra.hashnode.dev·Jul 10, 2025 · 4 min readSAST is just crazy bad at XSSXSS is one of the more serious things in appsec, and it's pretty prevalent. It’s also one of those things that is super hard to find accurately via static analysis. And, vendors don’t want to miss it — so, typically any data that gets to a response, ...01R
ADArshan Dabirsiaghiinnahsra.hashnode.dev·Mar 31, 2025 · 3 min read"LLMs Can't Reason"The top post on HN right now (well, yesterday) is about speaking more directly in the age of LLM "fluff". I have nothing to say about the piece’s main points. But, a sentence caught my eye that never seems to receive any pushback: While it's true th...00
ADArshan Dabirsiaghiinnahsra.hashnode.dev·Dec 30, 2024 · 3 min readModel providers give good advice for a changeThis is a great piece by Anthropic. Usually the model providers push you towards complex, high maintenance, and ultimately flakey solutions. This resonates. It seems we all now agree that LLMs are primarily good at data extraction, data summarization...00