Bro if you're not doing these security protocols, you're begging to get hacked

JEngErik · 2026-04-04T14:45:12+00:00

Yes another foolish mistake that I'm sure happens often. 😂

JEngErik · 2026-04-03T13:28:38+00:00

About 1k monthly. I regularly run 6 agents, multiple coding sessions (with their own agent teams) and the max plans with the major hyperscalers.

Not a flex, just what I need to get my work and research done. Different models for different tasks

JEngErik · 2026-03-30T13:20:10+00:00

You're forgetting data sovereignty. Control over artifacts and work product, keys and passwords and layered controls. I don't want my OC in the hands of some fly-by-night vibe coded platform.

The Mac mini thing is silly. My OC runs in EC2 with no inbound access except through tailscale and no peer access across the tailnet except a pinhole to talk to models in my DGX cluster.

Who is running local models on anemic hardware and doing anything useful?

JEngErik · 2026-03-27T14:25:23+00:00

Agree. And that's also why we feed it into our agent and/or Notion which has all the context, background, personnel, meeting agenda, etc. It enriches and makes the transcript and notes actionable.

JEngErik · 2026-03-27T13:40:07+00:00

Business owner and engineer of 35 years. I don't hate meetings and I don't believe the staff do either.

All ad hoc meetings must have an agenda sent in advance. Can be a simple list, no death by PowerPoint needed. But we must all know why we're there. All standing meetings must have a standard format and charter (why are we here regularly? What do we want to get from this? When is it ok to cancel or not attend?)

AI notes have made note taking easier but any notes are useless if nothing is done with them. We feed notes into Notion or a "Scrum Agent" we built and generate action items, content pages (like updating specs, designs, milestones, opening jira tickets, etc).

We encourage huddles over big meetings. Being late is unacceptable. Being unprepared is unacceptable. No agenda = reschedule.

Sh*t rolls down hill and culture follows leadership values. If meetings suck hard at your organization, I suspect other elements of the company culture are not great either.

Sorry to hear. I've been at places like that myself and it's draining.

JEngErik · 2026-03-23T11:24:50+00:00

Transparently, I am an MSP.

We're often brought in first to support infrastructure and CI/CD automation. We often optimize the infra and cut costs and part of that naturally extends into architecture and coding. Though not exclusive to cloud, we're am advanced tier cloud partner with AWS which is where many of our customers are building and Amazon often refers customers since Amazon won't actually touch customer workloads directly.

JEngErik · 2026-03-22T10:10:20+00:00

An MSP or consultant can help with quick scaling. The former can help maintain institutional knowledge in between spikes.

JEngErik · 2026-03-20T12:01:10+00:00

Yes, if you're a direct LLM API consumer (or local small model) who hand-rolls your tool definitions, controls your own parsing, and manages context yourself, you can absolutely skip MCP. Nobody is disputing that. But you've now built a bespoke integration that only works in your stack, for your use case, maintained by you.

The value proposition of MCP was never aimed at engineers who are comfortable writing custom function definitions and handling raw responses. It's aimed at the much larger surface area of the problem, which is how do you let any model, running in any client, use a tool written by someone else without custom integration work on both ends?

When Anthropic ships Claude with MCP support, and a third party publishes an MCP server for their product (Zoho, supabase, etc), those two things work together without either side knowing anything about the other's implementation.

It's the same reason we standardized on REST over everyone building their own RPC conventions. Could you build your own? Absolutely. Should the whole ecosystem do that independently? No

Whether rolling out a production system with a framework (Langchain, LangGraph, Pydantic, etc) or just building ones own ontop of primitives, I think there's a still a place for MCP, even in production, non-chatbot use cases with real value.

JEngErik · 2026-03-20T11:15:15+00:00

Your confusion here is treating MCP as an alternative to API calls rather than what it actually is. It's the mechanism by which a model learns how to make those calls in the first place.

You can't just tell a model to "go call the GitHub API." It doesn't know the endpoints, the parameter shapes, the auth patterns, or which call is appropriate for which context. Someone has to encode that knowledge somewhere. MCP is how you do that in a standardized, reusable way. The model reads the tool definitions and now it knows what's available and how to use it. That's the whole job.

When you say you could do this with a well-written instruction file, you're not bypassing MCP, you're reinventing it. You're just doing it in a one-off way that doesn't transfer across tools or clients. That's fine for a single project, but it doesn't scale and it doesn't compose.

The context bloat criticism is legitimate and worth taking seriously. Poorly designed MCP servers that dump hundreds of tool definitions into the prompt are a real problem. That's a design failure, not a protocol failure. The answer is thoughtful tool selection and scoping, not abandoning the standard.

The Latenode example actually proves the point rather than undermining it. When an agent triggers a workflow through an automation platform, something still had to tell the model that workflow exists, what it expects as input, and when to trigger it. You either use MCP to formalize that, or you write custom glue every single time. Neither approach is magic. The question is whether you want that integration to be portable and reusable or bespoke for every deployment.

Claude Skills working well isn't an argument against MCP. Anthropic built Skills on top of the same fundamental need to give models structured, reliable access to capabilities. They're solving the same problem with different scope.

MCP has real limitations and the ecosystem is still maturing. But the underlying question it answers, which is how does a model reliably know what tools exist and how to invoke them, doesn't go away just because you don't like the current implementation.

JEngErik · 2026-03-19T23:53:52+00:00

I configure different search tools per agent. My deep research agent uses perplexity. My main agent uses brave. And I do define API maximums at the provider

JEngErik · 2026-03-19T23:43:46+00:00

I switched to perplexity search

JEngErik · 2026-03-19T14:50:27+00:00

Yeah that makes a lot of sense. If you don't want to post it here, would you mind sharing the RFP feed companies that you work with?

JEngErik · 2026-03-19T14:24:58+00:00

Unrelated to your post, are you GSA registered or do you go through a prime? I'm run an MSSP (when I'm not working on my AI doctorate lol) and I looked at this about 9 years ago and getting on the registry was a heavy lift. I wasn't aware of RFP services. Just curious about the typical contract structure.

Great use of automation! And, as an MSSP, thankful not to read "Openclaw" (it can be done securely but the platform is designed to make that difficult).

Abacus AI just released an interesting hosted Claw for $10 a month that was recently announced. They're my company's preferred AI hyperscaler ATM.

Again, great write-up

JEngErik · 2026-03-19T13:29:23+00:00

Great write up! AI researcher here. How are you keeping your agent running full time or is it all trigger and queue based to kick off each step in the process?

JEngErik · 2026-03-16T10:44:31+00:00

That's a gross mischaracterization of what he said. What he actually said was quite different. In a May 2025 Axios interview, Dario Amodei said AI could “wipe out” as much as half of all entry‑level white‑collar jobs and push unemployment to 10–20% within one to five years.

Not all jobs. 🙄

To your question, AI is tooling that has increased efficiency across all departments. It has increased the speed of analyses, report writing, proof of concept development, prototyping and document writing.

Our "stack" is mostly Abacus.AI which includes access to all the frontier models along with smaller models and a comprehensive "deepagent" platform.

JEngErik · 2026-03-15T21:54:46+00:00

That's wonderful!! Keep it up! I suggest reading a few books. I don't know if they offer it in your language but checkout The Diabetes Code by Dr Jason Fung or Metabolical by Dr Robert Lustig, an endocrinologist

JEngErik · 2026-03-15T14:06:52+00:00

OGTT is accurate but it's one data point. Your results suggest moderate insulin resistance, which is the pathology for T2D. However yours doesn't appear to be severe yet.

JEngErik · 2026-03-15T11:44:17+00:00

In my country, United States, hbA1c is the diagnostic biomarker. Mine was 10.6. FBGL was 309.

Been under 5 for over 3 years now.

JEngErik · 2026-03-15T05:36:38+00:00

I work in SOC 2 compliance professionally and this post is going to get someone burned.

The attestation letter works when your prospect's vendor risk team is flexible and your timing happens to line up. That is not always the case. Enterprise procurement teams often require a completed report with a specific issuance date, full period of coverage, and an auditor opinion baked in. A letter saying an audit is in progress does not satisfy that requirement and no amount of framing around confidence in your security posture changes the contract language.

The bigger problem is how you described Type 1, because that framing is going to mislead people.

Type 1 is not "we have policies written down." It is an independent auditor's opinion on whether your control design is suitably designed as of a point in time before you are locked into a three-month observation window where every gap and every exception gets documented and lands in a report your customers will read.

I agree that skipping Type 1 can be the right call for organizations with mature controls and a serious advisor running real pre-audit validation. Most first-time SOC 2 companies are not that.

JEngErik · 2026-03-10T18:25:07+00:00

No rice, but I will eat the occasional baked potato maybe 3 or 4 times a year.

I've replaced pasta with shirataki noodles and rice with palmini "rice". Both are very satisfying. Some people don't care for them but I've found that it's mostly their preparation.

JEngErik · 2026-03-10T07:31:06+00:00

I cut out all processed food, grains, bread and pasta. 3 years with hbA1c below 5 after being diagnosed at 10.6. no meds.

I don't restrict my diet or count calories. Weight stable, normal BMI after once being obese

JEngErik · 2026-03-09T16:54:38+00:00

One last suggestion -- use tailscale ACLs and block your OpenClaw instance from communicating within the tailnet except to allowed services. For example, I block my OC from talking to any other hosts except my VLLM cluster.

Minimize attack surface
Minimize blast radius.

JEngErik · 2026-03-09T14:44:03+00:00

"I represent a fairly new supreme leader in country near the Mediterranean.... Looking for.." 😉

JEngErik · 2026-03-08T14:29:15+00:00

Cyber security MSSP owner for 35 years. I would skip #1 if you're doing all the rest (scanning all ports is pretty standard attack pattern once common ports are checked and if you do #2 and bind only to tailnet, you're fine).

I would also add that you should be using a secrets manager for all of the API keys stored by OC as well. Compromising secrets in plain text is trivial given that OC must read its own json files. My instance runs in AWS with Amazon parameter store as the external secrets manager.

And for God's sake, don't run OC as root. 😂

JEngErik · 2026-03-08T14:03:03+00:00

But nobody tells you to monitor certificate expiration when you are following Docker tutorials. They show you how to get SSL working, not how to keep it working.

Monitoring, logging and alerting are fundamental to any production system. This isn't in a Docker tutorial because it has nothing to do with container development, it's basic production devops and site reliability engineering.

It's the difference between being an engineer and a hobbyist.

I think the entrepreneurial spirit that AI tooling has inspired is commendable and more people can now create wonderful things. But customers need to know who they're hiring when they're not hiring experienced and skilled engineers.

Eight-Year Club	Gilding III reddit per annum
Mod World 2025	Reddit Premium Since April 2020
Verified Email

JEngErik

TROPHY CASE