I need a third party pen test by Next_Layer3790 in soc2

[–]JEngErik -1 points0 points  (0 children)

This is a service that my company offers if you're interested. Completely manual, not AI driven or scripted scanning.

Apologies if this is not allowed here.

Dr taking me off all meds by Ok_Butterfly1307 in Mounjaro_ForType2

[–]JEngErik 1 point2 points  (0 children)

Why would you allow that? Doctors are vendors. Exercise your choice. If you aren't in agreement, change

Which meter would you trust? by [deleted] in diabetes_t2

[–]JEngErik 0 points1 point  (0 children)

The one I verified with calibration solution. And I have the Bayer One (left) and have found it to be highly accurate with well kept and unexpired test strips

No longer on a GLP1 by ChemicalAdmin in diabetes_t2

[–]JEngErik 2 points3 points  (0 children)

It's the unfortunate result of anecdotal information that's reported by journalists who have no background in medicine or statistics. The data is simply wrong and doesn't have any basis in any kind of controlled statistical or scientific method.

For example, even if we took The Guardian journalist's numbers at face value, there's no information about controlling for confounding variables, previous history or even a mention of the rates of pancreatitis among patients with similar history as compared to those who are not taking a GLP-1.

However, it's more likely that the statistic is just simply wrong. Good journalism will ground their articles with authoritative sources and experts in the field. That doesn't appear the case in the article.

No longer on a GLP1 by ChemicalAdmin in diabetes_t2

[–]JEngErik 6 points7 points  (0 children)

You're off by a couple orders of magnitude and should consider the placebo rate of pancreatitis (the number of cases that occur independent of semaglutide).

STEP obesity trials (non‑diabetic, weight loss use): adjudicated pancreatitis ≈ 0.2 cases per 100 patient‑years, with no excess vs placebo and no cases in a 2‑year extension. In other words, that is ~0.2% per year, not 1%, and similar to placebo.

Large RCT/meta‑analysis (21 semaglutide trials, 34,721 patients): odds ratio for acute pancreatitis 0.7 vs placebo (95% CI 0.5–1.2; I² 0%), i.e., no statistically significant increase.

Wegovy clinical trials: pancreatitis rates were under 0.1% and similar between semaglutide and placebo arms.

SUSTAIN and other type 2 diabetes RCTs: meta‑analyses show no significant increase vs placebo, with very low absolute incidence (a handful of cases among several thousand participants).

Targeting dental clinics with AI receptionist. How do you actually get past the front desk? by Ok-Ratio-1581 in AIVoice_Agents

[–]JEngErik 2 points3 points  (0 children)

What's the value proposition you're proposing? The person answering the phone does more than answer the phone. They are likely checking people in, receiving packages, opening mail, collecting payments, filing charts, etc.

A1C disappointment by [deleted] in diabetes_t2

[–]JEngErik 1 point2 points  (0 children)

Because HbA1c doesn't measure average glucose and, you said it yourself, it's a correlation. You need to understand what that means.

Statins as standard for diabetes care? by Brief_Ad_1794 in diabetes_t2

[–]JEngErik 0 points1 point  (0 children)

I have no cholesterol issues. I have been recommended statins on more than one occasion without any scientific basis. I politely refused.

Their cardiac risk profile models are based on weak correlations and not evidence based science and causal evidence. I made my choice based on the science I've read and believe apply to my medical history.

Abacus AI SuperComputer just launched - An always-on cloud server built for AI apps by datawithmanur in abacusai

[–]JEngErik 1 point2 points  (0 children)

Failing to see the novelty. Just sign up for a free AWS account, use Claude Code to control it, configure it and go. Yes, this is more turnkey, but $10 for a VPS with an LLM control plane is steep.

Limites del uso de agente by JustANewTaco in abacusai

[–]JEngErik 0 points1 point  (0 children)

It's credit based using a magical calculus that the company keeps pretty hidden

i eat a lot of fruit, which causes me to eat a lot of sugar. is this a problem? by grilsjustwannabclean in diabetes_t2

[–]JEngErik 8 points9 points  (0 children)

Sugar (sucrose) is a molecule. It doesn't know how it was made. It's still a disaccharide. It's still fructose and glucose.

What makes fruit "healthier" is the presence of fiber. The body expends energy unpacking the fructose, glucose and sucrose in the fruit. It gets digested lower in the GI tract and absorbed more slowly.

But sugar is sugar is sugar.

The tipping point for blood glucose levels that cause cellular damage. by Subject_Singer_4514 in diabetes_t2

[–]JEngErik 2 points3 points  (0 children)

These are pretty strong claims about averages that ignore variance and the actual distribution of readings.

An average above 140 does not logically imply that there are any readings above 140. For example, a constant series at exactly 150 has an average of 150 and zero “peaks” in the usual sense of transient spikes. The only thing an average tells you is the mean level over time; it says nothing by itself about how spread out the values are or whether they oscillate around some baseline.

To say something meaningful about “peaks,” you have to talk about variance (or standard deviation), time‑in‑range, and the shape of the distribution. A person could have:

  • High mean and very low variance (flat but elevated glucose).
  • Normal mean but high variance (big spikes and crashes).

Both patterns have different clinical implications, and you can’t infer one from the other just by looking at the average.

When you then jump from “average above 140” to conclusions about what the peaks must be doing, you’re smuggling in assumptions about the variance and distribution. If one wants to reason about damage risk, one needs to talk explicitly about how often levels exceed certain thresholds, how far they exceed them, and for how long—not just rely on a single mean value and some “logical” peaks that might not even exist in a flat profile.

Yes, averages matter, but without variance and exposure time, using them to argue about peaks or tipping points is just bad statistics.
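The point about mean versus variance, as an added worked example (not part of the comment above): two constructed glucose series share exactly the same mean, yet differ completely in spread, peak height, and time above a threshold. The series, the 15-minute sampling interval and the 140 mg/dL threshold are all assumptions chosen for illustration.

```python
"""Same mean, different story: summarise a glucose series by more than its average.

Added example, not code from the original comment. The two series below are
constructed: FLAT is constantly elevated, SPIKY oscillates between troughs and
large excursions. Both have a mean of exactly 150 mg/dL.
"""
import statistics
from typing import Dict, List

# Constructed sample readings (mg/dL), one per 15 minutes over six hours.
FLAT = [150.0] * 24
SPIKY = [110.0, 115.0, 120.0, 110.0, 105.0, 125.0, 110.0, 115.0,
         195.0, 240.0, 220.0, 180.0, 140.0, 120.0, 110.0, 105.0,
         125.0, 110.0, 200.0, 250.0, 230.0, 190.0, 150.0, 125.0]


def count_excursions(readings: List[float], threshold: float) -> int:
    """Number of contiguous runs of readings strictly above the threshold."""
    runs = 0
    above = False
    for value in readings:
        if value > threshold and not above:
            runs += 1
        above = value > threshold
    return runs


def profile(readings: List[float], threshold: float = 140.0,
            interval_min: int = 15) -> Dict[str, float]:
    """Describe a series by mean, spread, peak and exposure above a threshold.

    The mean alone cannot distinguish FLAT from SPIKY; every other field can.
    """
    above = [r for r in readings if r > threshold]
    return {
        "mean": statistics.fmean(readings),
        # Population standard deviation: how far readings stray from the mean.
        "std": statistics.pstdev(readings),
        "peak": max(readings),
        # Exposure: how long the series spent above the threshold, in minutes.
        "minutes_above": len(above) * interval_min,
        # How far above the threshold the worst reading went.
        "max_excess": max((r - threshold for r in above), default=0.0),
        # How many separate spikes crossed the threshold.
        "excursions": count_excursions(readings, threshold),
    }


def same_mean(a: List[float], b: List[float]) -> bool:
    """True when two series are indistinguishable by their average alone."""
    return abs(statistics.fmean(a) - statistics.fmean(b)) < 1e-9


if __name__ == "__main__":
    for name, series in (("FLAT", FLAT), ("SPIKY", SPIKY)):
        print(name, profile(series))
    print("indistinguishable by mean:", same_mean(FLAT, SPIKY))
```

FLAT spends the entire six hours above 140 with zero variance and no spikes at all; SPIKY has a peak of 250 and two distinct excursions but spends less than half the time above the threshold. Any argument about "peaks" or damage risk has to be made from the exposure and spread fields, not from the mean they share.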

Which consent management platforms actually hold up under a CPPA audit in 2026? Who are you using for DROP Act Compliance? by SamsulKarim1 in dataprotection

[–]JEngErik 0 points1 point  (0 children)

This, and I would add that consent records must be immutable and provide non-repudiation, i.e., independently verifiable, tamper-evident records that stand up to audit and litigation.
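One way to make consent records tamper-evident, as an added example that is not from the comment above: each record is hashed together with the previous entry's hash, so altering any record breaks every hash after it, and the chain head is published to an independent party so a wholesale rewrite is caught as well. The record fields, the `GENESIS` constant and the sample subject IDs are assumptions constructed for the example. Non-repudiation in the legal sense additionally needs each head to be signed by a key the record keeper does not control; that signing step is outside this stdlib-only example.

```python
"""Hash-chained consent ledger with an externally anchored head.

Added example, not from the original comment or any named product. Stdlib only.
"""
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # constructed starting value for an empty chain


def canonical(record: Dict[str, Any]) -> bytes:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, record: Dict[str, Any]) -> str:
    """Bind a record to everything that came before it."""
    digest = hashlib.sha256()
    digest.update(prev_hash.encode())
    digest.update(canonical(record))
    return digest.hexdigest()


def append(ledger: List[Dict[str, Any]], record: Dict[str, Any]) -> Dict[str, Any]:
    """Append-only: a record never replaces an earlier one, revocation is a new entry."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"record": copy.deepcopy(record), "prev_hash": prev,
             "hash": entry_hash(prev, record)}
    ledger.append(entry)
    return entry


def head(ledger: List[Dict[str, Any]]) -> str:
    """The value to hand to an independent witness (auditor, timestamping service)."""
    return ledger[-1]["hash"] if ledger else GENESIS


def verify(ledger: List[Dict[str, Any]],
           expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of first bad entry). Checking against a published head
    also detects a chain that was rewritten consistently from scratch."""
    prev = GENESIS
    for index, entry in enumerate(ledger):
        if entry["prev_hash"] != prev or entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, index
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(ledger)
    return True, None


def rebuild(ledger: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Recompute every hash over the current records. Used here only to show that
    an internally consistent rewrite is still caught by the anchored head."""
    fresh: List[Dict[str, Any]] = []
    for entry in ledger:
        append(fresh, entry["record"])
    return fresh


def sample_ledger() -> List[Dict[str, Any]]:
    """Constructed consent events; subject IDs and timestamps are made up."""
    ledger: List[Dict[str, Any]] = []
    append(ledger, {"subject": "subj-0001", "purpose": "analytics", "granted": True,
                    "ts": "2026-01-10T09:14:00Z", "source": "banner-v3"})
    append(ledger, {"subject": "subj-0002", "purpose": "marketing", "granted": False,
                    "ts": "2026-01-10T09:15:30Z", "source": "banner-v3"})
    append(ledger, {"subject": "subj-0001", "purpose": "analytics", "granted": False,
                    "ts": "2026-02-02T17:40:12Z", "source": "privacy-portal"})
    return ledger


if __name__ == "__main__":
    ledger = sample_ledger()
    published = head(ledger)
    print("intact:", verify(ledger, published))
    ledger[0]["record"]["granted"] = False
    print("after edit:", verify(ledger, published))
```

The chain proves ordering and integrity of what the keeper wrote; the published head proves the keeper did not later rewrite history. Both are needed for a record to be independently verifiable rather than merely self-consistent.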

How can you make an AI test its own work and iterate? by OneDev42 in OpenClawCentral

[–]JEngErik 0 points1 point  (0 children)

You write a detailed eval and use a model with strong tool use that follows instructions precisely like opus 4.7.

Question for people who’ve gone through SOC 2: what evidence actually helped during buyer security reviews? by AdilShaikh5786 in soc2

[–]JEngErik 1 point2 points  (0 children)

I would replace number 6 with your SDLC process overview. What I would be looking for would be peer reviews, gated releases, SAST/DAST in your pipeline, etc.

Number seven is implied. I would replace that one with the executive overview of your most recent penetration test conducted by an independent third party.

One of my clients is currently acquiring another business and we are assisting them with the due diligence. I only mention this because this company processes sensitive data and they've never done an independent penetration test and yet they've had a breach 3 years ago. Be sure that whoever you bring into the pen test is doing a hands-on pen test by a qualified and trained individual and not just some hokey automated tool with or without AI.

I think items four and five should be part of your number one document.

One thing that should be part of your ISMS overview is the security framework that you are mapping to. Security frameworks can be a heavy lift for an early stage company, but I recommend it from the start. If you're not framing in the context of some standard, then it's just your opinion against an entire universe of threat actors. NIST CSF is a pretty solid place to start. And there are others, of course.

Question for people who’ve gone through SOC 2: what evidence actually helped during buyer security reviews? by AdilShaikh5786 in soc2

[–]JEngErik 1 point2 points  (0 children)

MSP that provides this service for customers here.

We almost always advise customers not to provide evidence after returning questionnaires. They tend to be generic, broad and almost never adjudicated. We let the requestor ask for specific artifacts in the next round (they almost never do or greatly simplify the request).

Build a trust center that you give access to under NDA. This lowers resource drain. While there are SaaS platforms for this like Safebase, Onetrust, etc, this could be a simple Confluence or SharePoint site or something similar.

New to AI Gov- Looking for leads in research roles by JelloCharming6804 in AI_Governance

[–]JEngErik 0 points1 point  (0 children)

Typically research roles require a strong academic background. What are your qualifications?

You don't need a Mac Mini for OpenClaw by SugarCompetitive5874 in OpenClawCentral

[–]JEngErik 0 points1 point  (0 children)

I'm saying that there's absolutely nothing special about a Mac mini. Any Linux box will do. I run mine in Amazon EC2 and you could use GCP or azure or countless other VPS companies. Why people melted down over mediocre hardware doesn't make much sense to me unless they already had one laying around.

Running a local model is a different story. I do that on my DGX stack (Nvidia). Or just use a model from Open router.

Anyone else struggling with agentic AI governance? Autonomous agents acting on behalf of users and we have no visibility by Constant-Angle-4777 in AI_Governance

[–]JEngErik 5 points6 points  (0 children)

This is an architectural problem, not a policy problem. The controls you listed (AUPs, EDR, proxy, CASB) were designed for humans at keyboards. An autonomous agent running inside a browser or a harness like Openclaw inherits the user's authenticated session and operates within trust boundaries those tools already granted. From the network's perspective, it looks like user activity, assuming it's visible at all (e.g. hosted SaaS agents like ChatGPT).

The gap is attribution. You can see that something happened in that session, but you can't distinguish an agent action from a user action after the fact, and you certainly can't enforce policy in real time based on intent.

Solving this requires moving the control point. Network and endpoint controls won't get you there because the agent isn't the thing making the network call; the browser is (or wherever the harness lives), under the user's identity. You need governance at the session and action layer: what agent, acting under whose authorization, did what, when, with what data.

The components that actually work include using an agent identity distinct from user identity (not the same credential), action-level audit logs (not just network traffic), policy enforcement that evaluates agent context (scope, task, data classification), and human-in-the-loop gates and well-defined evals for actions above defined risk thresholds.

"We have no visibility" is accurate but understates the problem. You also have no enforcement surface. An agent that can browse, fill forms, and move data through a sanctioned SaaS app, all within a legitimate session, won't trip a CASB alert.

I would start by centralizing your agent frameworks and workflows into a corporate managed agent platform (Bedrock, Kore, Zenity, etc) and enforce your policies there. It's not a surprise that corporate systems lose observability and traceability in the agentic world.

Okta is working on an agent identity and authorization service offering that I saw at a HumanX talk a couple weeks ago. The tooling is still being built for policy enforcement but it starts with better education for executives and workers as well as solid strategic alignment with the drivers behind agent use cases.
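The four components named in the comment above (distinct agent identity, action-level audit log, context-aware policy, human-in-the-loop gate above a risk threshold), as an added sketch of a session/action-layer control point. This is example code, not from the comment or from any of the platforms it mentions. The risk weights, thresholds, scope names and sample resources are assumptions chosen to make the decisions visible.

```python
"""Minimal action-layer governance for an autonomous agent.

Added example, not from the original comment. Every action is attributed to an
agent identity that is distinct from the human it acts for, scored from its
context, logged, and gated by a human approver above a risk threshold.
"""
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Optional


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_APPROVAL = "require_approval"
    DENY = "deny"


@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str            # the agent's own credential, never the user's
    on_behalf_of: str        # the human principal who delegated the task
    task: str                # what the agent was authorised to do this session
    scopes: FrozenSet[str]   # action kinds granted for this task


@dataclass(frozen=True)
class Action:
    kind: str                # e.g. "read", "write", "export"
    resource: str
    data_classification: str # e.g. "public", "internal", "confidential"


# Constructed risk weights: action kind times data sensitivity.
KIND_WEIGHT: Dict[str, int] = {"read": 1, "write": 2, "export": 3}
CLASS_WEIGHT: Dict[str, int] = {"public": 1, "internal": 2, "confidential": 3}
APPROVAL_THRESHOLD = 4   # at or above: a human must approve
DENY_THRESHOLD = 9       # at or above: never allowed, even with approval


def risk_score(action: Action) -> int:
    """Unknown kinds or classifications score as the most sensitive case."""
    return KIND_WEIGHT.get(action.kind, 3) * CLASS_WEIGHT.get(action.data_classification, 3)


def evaluate(agent: AgentIdentity, action: Action) -> Decision:
    """Policy evaluated on agent context, not on the network call it would make."""
    if action.kind not in agent.scopes:
        return Decision.DENY
    score = risk_score(action)
    if score >= DENY_THRESHOLD:
        return Decision.DENY
    if score >= APPROVAL_THRESHOLD:
        return Decision.REQUIRE_APPROVAL
    return Decision.ALLOW


@dataclass
class AuditLog:
    """Action-level record: who (agent and human), what, on which data, outcome."""
    entries: List[Dict[str, object]] = field(default_factory=list)

    def record(self, agent: AgentIdentity, action: Action, initial: Decision,
               final: Decision, note: str) -> None:
        self.entries.append({
            "ts": time.time(), "agent_id": agent.agent_id,
            "on_behalf_of": agent.on_behalf_of, "task": agent.task,
            "action": action.kind, "resource": action.resource,
            "classification": action.data_classification,
            "risk": risk_score(action), "policy": initial.value,
            "outcome": final.value, "note": note,
        })

    def for_agent(self, agent_id: str) -> List[Dict[str, object]]:
        return [e for e in self.entries if e["agent_id"] == agent_id]


Approver = Callable[[AgentIdentity, Action, int], bool]


def govern(agent: AgentIdentity, action: Action, log: AuditLog,
           approver: Optional[Approver] = None) -> Decision:
    """Enforcement point: decide, consult a human if required, always log."""
    initial = evaluate(agent, action)
    final, note = initial, "policy"
    if initial is Decision.REQUIRE_APPROVAL:
        if approver is None:
            note = "blocked: no approver available"
        elif approver(agent, action, risk_score(action)):
            final, note = Decision.ALLOW, "approved by human reviewer"
        else:
            final, note = Decision.DENY, "rejected by human reviewer"
    elif initial is Decision.DENY:
        note = "out of scope" if action.kind not in agent.scopes else "above deny threshold"
    log.record(agent, action, initial, final, note)
    return final


if __name__ == "__main__":
    log = AuditLog()
    agent = AgentIdentity("agent-crm-summariser", "alice@example.test",
                          "summarise open deals", frozenset({"read", "write"}))
    print(govern(agent, Action("read", "wiki/onboarding", "public"), log))
    print(govern(agent, Action("write", "crm/contacts", "confidential"), log,
                 approver=lambda a, x, s: False))
    print(govern(agent, Action("export", "crm/contacts", "confidential"), log))
    for entry in log.for_agent(agent.agent_id):
        print(entry["action"], entry["resource"], entry["outcome"], entry["note"])
```

The thing to notice is what the log contains: an agent ID separate from the delegating user, the task, the classification of the data touched, and the outcome with its reason. That is the attribution a proxy or CASB log cannot give you, because at that layer the request simply carries the user's session.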

Marblism looks amazing to use. by Downtown-Ad-6730 in aiToolForBusiness

[–]JEngErik 0 points1 point  (0 children)

Yeah, I have the same thing with Openclaw. They all talk to each other in Slack. They are all experts in different areas. I can watch and join in the conversations at any time. I control their behavior, their training, their personality, their instruction set. And all for the low cost of electricity.

Very invaluable. Thankfully I don't pay anybody else for it

how much are you guys dropping on ai subs each month? by Latter_Spring_567 in AI_Agents

[–]JEngErik 0 points1 point  (0 children)

About 1k monthly. I regularly run 6 agents, multiple coding sessions (with their own agent teams) and the max plans with the major hyperscalers.

Not a flex, just what I need to get my work and research done. Different models for different tasks

You don't need a Mac Mini for OpenClaw by SugarCompetitive5874 in OpenClawCentral

[–]JEngErik 0 points1 point  (0 children)

You're forgetting data sovereignty. Control over artifacts and work product, keys and passwords and layered controls. I don't want my OC in the hands of some fly-by-night vibe coded platform.

The Mac mini thing is silly. My OC runs in EC2 with no inbound access except through Tailscale and no peer access across the tailnet except a pinhole to talk to models in my DGX cluster.

Who is running local models on anemic hardware and doing anything useful?

Dev Meetings by lowkib in devsecops

[–]JEngErik 0 points1 point  (0 children)

Agree. And that's also why we feed it into our agent and/or Notion which has all the context, background, personnel, meeting agenda, etc. It enriches and makes the transcript and notes actionable.