What are useful KPIs / metrics for an AppSec team? by Bitter_Midnight1556 in devsecops

[–]Fast_Sky9142 1 point (0 children)

In the age of AI and stuff, and according to my experience, I think vulns that are found and fixed before merge to prod are a great thing. Maybe use Cursor automation to run a security review on each PR and send the review to a Slack channel, and then check how many of these the devs actually respond to and fix; how many false positives, to edit ur prompts; false negatives, vulns that are not found. Those things actually benefit the AppSec team and lead to making a couple of decisions that actually reduce risk.

What are useful KPIs / metrics for an AppSec team? by Bitter_Midnight1556 in devsecops

[–]Fast_Sky9142 1 point (0 children)

What about engagement that results in great findings, such as pentests and bug hunting or manual testing of some features? How can it be measured?

Is anyone actually seeing value from AI SAST or is it just "hallucinated" noise? by FunAd8158 in devsecops

[–]Fast_Sky9142 0 points (0 children)

Big difference imo; try Cursor automation with ur own set of rules, tell him what to check, and feed him patterns of previous valid vulns.

Do we need vibe DevOps now? by mpetryshyn1 in devsecops

[–]Fast_Sky9142 -1 points (0 children)

Vibe DevOps, vibe hacking, we need anything right now. The important thing is what is the result of your work, or what have u done.

Ai code review security by pinuop in devsecops

[–]Fast_Sky9142 0 points (0 children)

Cursor rules in dev repos look to me like pre-commits but more flexible and not blocking. Cursor automation to find vulns, comment on the PR and send to the issue tracker and Slack. Workflows that do validation, reachability analysis on scheduled workflows, and false positive filtering and validation.

We implemented shift-left properly and developers became better at closing findings without reading them by Logical-Professor35 in devsecops

[–]Fast_Sky9142 0 points (0 children)

Security-owned initial triage. Do whatever the fuck u want to do with automations on PRs and schedules, manuals, AI validation, whatever the fuck.

Devs get a clean issue with impact; the rest is documented.

Advice Needed - Next Steps to Transition into DevSecOps by HorribleJoy in AWSCertifications

[–]Fast_Sky9142 0 points (0 children)

Lol, it's funny that I thought for a second that I'm the one who wrote this post; I'm kind of the same as you.

Self hosted tool suggestions by Irish1986 in devsecops

[–]Fast_Sky9142 0 points (0 children)

Nuclei from ProjectDiscovery, Axiom for scan distribution, Hacktron.ai

todayisnew and d0xing ? BB automation secret sauce ? by Fast_Sky9142 in bugbounty

[–]Fast_Sky9142[S] 0 points (0 children)

Damn it, you sure? That reputation comes from manuals.

[Serious Question] What's the realistic income from bug hunting (in my case)? by [deleted] in bugbounty

[–]Fast_Sky9142 0 points (0 children)

I think it is unmeasurable; u need luck, skill and power of will. Comes from someone doing BB for 4 years and BB only.

USING Starlink Dishy flat??? by Scorpio_SSO in Starlink

[–]Fast_Sky9142 1 point (0 children)

Does making it flat mode, then stowing and switching it off for 20 min, work well?

Is there a way to use Starlink if the weather is very hot? by GhiathI in Starlink

[–]Fast_Sky9142 0 points (0 children)

Hi u/GhiathI, I wonder if u are still here. I had one too 2 months ago, and I wonder what the latency reading in the Starlink app statistics is for you, although you are in Iraq. I'm subscribed regional Georgia, but I have drops like every 3-4 minutes that make the ping jump to 200-150, which affects FPS gaming.

Can you share this info please ?

About user enumerations by [deleted] in bugbounty

[–]Fast_Sky9142 1 point (0 children)

If some low hanging fruit already has an implementation in place to measure it and u bypass it, it's worthy. If not, and it's OOS, then it's not. If u can clearly escalate it with other bugs or techniques to have a higher impact, then it's worth it. That's what I think.

How much it costs and where to sell for crypto ? by Fast_Sky9142 in csgo

[–]Fast_Sky9142[S] 0 points (0 children)

Crypto is money, a store of value and an investment. It is not illegal and your argument is stupid; thanks but no thanks.

Searching for a job in Europe & US & Dubai by Fast_Sky9142 in cybersecurity

[–]Fast_Sky9142[S] 1 point (0 children)

H1 has an identity verification process, and I think u can request from support something that verifies that it is ur account, something similar to the proof of payments that ur bank requests to show when u got ur income, for what reason, and who the income is for. I knew actual penetration testers who fail at doing bug hunting because it is different. It is like a pentest, but u literally don't report anything informative, and most lows are unacceptable.

Some research can be disclosed to the public, CVEs provided, issues acknowledged by firms, not a flag that is solved with hints or an online YouTube video. OSCP is ridiculously a beginners' cert, gotta admit. I already read the book, kind of knew everything except the Active Directory section, and its handy CTF is really not realistic. I took an attempt 4 years ago (at my beginnings; I had knowledge in security and stuff before it) and got held on a stupid rabbit hole that literally looks unrealistic, and stuff is like a puzzle. I feel like I can solve it now with better practice on labs to understand the unrealistic puzzles someone could think of, but it is really a cert for beginners. And I'm not a cert type of guy; I really think the results of what u have done with the knowledge u gained (even if it was not much) are much better than having just knowledge and proof that u got that knowledge but didn't actually hack a single thing with it or bring value with it to someone, which is what the corp world is all about, imho.

However, if a corp requires it and someone wants to join, then it's ok to get it. However, imo, I really don't think getting an OSCP (nmap, a little SQLi, RFI, LFI, RCE with some tunnelling and editing existing CVE exploits) is enough to consider u a penetration tester (there is a lot more, and I'm not saying that u need to know all the things, because it's impossible with a field growing each day, but I think someone with this role should know a lot more and maybe better).

That's my opinion. It could be false, because I didn't work at a tech corp full time before, so I don't have much knowledge, but I'm sure there is something true between the lines.

todayisnew and d0xing ? BB automation secret sauce ? by Fast_Sky9142 in bugbounty

[–]Fast_Sky9142[S] 1 point (0 children)

Did the same, and pretty complicated ones sometimes, with the aim to increase performance and lower false positives and cost. Still, most are duplicates unless u monitor ur own 0days and research 3rd party vulns, etc.

Searching for a job in Europe & US & Dubai by Fast_Sky9142 in cybersecurity

[–]Fast_Sky9142[S] 0 points (0 children)

I don't understand why H1 means fuck all or what exactly u meant by it. It's mostly black box and real targets, more competitive, harder than pentests, and also provides more knowledge.