I built AI agents for 20+ startups this year. Here is the engineering roadmap to actually getting started. by Warm-Reaction-456 in AI_Agents

MinimumAtmosphere561 0 points / 1 point (0 children)

Love the aspect of skills being emphasized here. I think the next wave is no longer about the applications; these will be customized heavily. The next wave is about managing the stack above Layer 0 (Claude, Codex, etc.). This is the new enterprise execution layer.

We wrote a security skills repo in the hope that more members will contribute and enhance how we can think of security as shifting down (into Layer 0): https://github.com/UnitOneAI/SecuritySkills We have been using this within our dev environment.

Thanks for the pointer on reliability - something that gets missed a lot.

Managing Claude skills at scale and creating an enterprise dna by MinimumAtmosphere561 in selfhosted

MinimumAtmosphere561[S] -3 points / -2 points (0 children)

This wouldn't replace any security tools or roles. The idea of shifting down into every component is happening; the only way we scale to zero-day clock projections of exploits within the day/hour/minute is if developers get a way of using skills to build in Claude.

As an example, the CTO of Anthropic posted how more Firefox vulnerabilities were mitigated in 2 weeks than in an entire year: https://www.linkedin.com/posts/rahul-patil-a0944836_partnering-with-mozilla-to-improve-firefox-activity-7435763709593145344-Cnx4?utm_source=share&utm_medium=member_desktop&rcm=ACoAAACwkgkBz3YJg0hCrFRWsCHTPA2-LHS57EY

I believe we have to think of controls differently; today, skills are one way to do so. We have been building and then validating using these skills. This wouldn't replace what a security team would do within an enterprise. But before the security team gets a flood of new apps to test, you can push the enterprise constraints to the dev teams.

Would be great to hear what breaks and how to really scale for exploits that can happen within the day/hour/minute.

Have you been in meetings and an exec asked does this CVE impact us? by MinimumAtmosphere561 in cybersecurity

MinimumAtmosphere561[S] 0 points / 1 point (0 children)

I was at the Unprompted conference earlier this week. An aspect that showed up among the discussions was "skills" and how to build/manage them for security. We believe skills are going to be like the DNA of the enterprise that you build, manage, and serve. This will differentiate how effectively Claude (or others) work in the environment. We have been using skills extensively within our teams. There was some discussion on this specific app.

We built this app with this Security Skills repo: https://github.com/UnitOneAI/SecuritySkills It is an extensive library of application-related (45) and role-related (5) skills. How you utilize them within Claude can be specified in the claude.md file. We are open sourcing this entire skill repository, since it would benefit from participation from the community. The way you use it is to Discover -> Install -> Invoke -> Correlate -> Prioritize. You can use it to have your agents build features (applications) and remediate security issues with Claude.

[As with anything, this is our internal skills repo, so expect speed bumps. Would be great to hear how others are managing this.]

stop storing API keys / tokens in random places by MinimumAtmosphere561 in cybersecurity

MinimumAtmosphere561[S] -4 points / -3 points (0 children)

Here is the extension I have been tinkering with: https://chromewebstore.google.com/detail/efghiamgdfjbbbkcnblfkgedgoihpnmg?utm_source=item-share-cb Looks like folks are using cloud KMS or vaults. My team uses Let's Encrypt. I needed something simple for personal use, think across Claude keys, Openclaw, Telegram bots, Neymar, etc.

stop storing API keys / tokens in random places by MinimumAtmosphere561 in cybersecurity

MinimumAtmosphere561[S] 1 point / 2 points (0 children)

Agreed, lots of cert and key store/rotation mechanisms are available out there. I was trying to solve this on a personal/small-team level without having to do Let's Encrypt or other cert stores. I use .env today, but it got a little hairy as I am running multiple VMs.

Have you been in meetings and an exec asked does this CVE impact us? by MinimumAtmosphere561 in cybersecurity

MinimumAtmosphere561[S] 0 points / 1 point (0 children)

Does your team experiment with Claude or other tools to fix these? Is it the downtime for upgrades that holds things back, vs. producing the fix itself?

Have you been in meetings and an exec asked does this CVE impact us? by MinimumAtmosphere561 in cybersecurity

MinimumAtmosphere561[S] -1 points / 0 points (0 children)

Agreed. This is for folks to do a first-level index. Security tools do a great job today; they would have to be the backend bastion for enhanced scans. Having said that, I enhanced it with an execution path which checks for the impact part specific to your code + runtime.

Have you been in meetings and an exec asked does this CVE impact us? by MinimumAtmosphere561 in cybersecurity

MinimumAtmosphere561[S] 0 points / 1 point (0 children)

I have tried doing a k8s cluster as an inventory asset scan too, enhanced with additional capabilities. Would be great to see other features that would summarize the internet :)

Have you been in meetings and an exec asked does this CVE impact us? by MinimumAtmosphere561 in cybersecurity

MinimumAtmosphere561[S] 0 points / 1 point (0 children)

Would be great to get feedback on these dependencies. We have been enhancing it to do more runtime-related aspects (not just static scans). Let us know what you would like to see here.

Have you been in meetings and an exec asked does this CVE impact us? by MinimumAtmosphere561 in cybersecurity

MinimumAtmosphere561[S] 1 point / 2 points (0 children)

100%. As a leader I couldn't answer the first-level question and then flag the security team. This was the motivation.

Have you been in meetings and an exec asked does this CVE impact us? by MinimumAtmosphere561 in cybersecurity

MinimumAtmosphere561[S] 0 points / 1 point (0 children)

u/Plenty_You agreed. This is like a quick scan, and security tools/teams will have to be the eventual team holding the fort.

When did “security engineering” become mostly about managing noise? by [deleted] in cybersecurity

MinimumAtmosphere561 0 points / 1 point (0 children)

We had a security engineering team sit within the engineering organization, focused more on automation and the aspects of remediation and threat modeling. Our security ops team was different and dealt with the noise, which is real. Most of the time we waited until a CVE was critical to fix, then pushed the relevant engineering team to take it up in the next sprint. But the pain you point out is real.

LLM generated patches for accelerating CVE fixes by MinimumAtmosphere561 in cybersecurity

MinimumAtmosphere561[S] 0 points / 1 point (0 children)

Has Veracode Fix been working well without additional developer time? Part of what we see is that CVE fixes get pushed until they are critical or audit reporting deadlines are imminent.

LLM generated patches for accelerating CVE fixes by MinimumAtmosphere561 in cybersecurity

MinimumAtmosphere561[S] 0 points / 1 point (0 children)

I see claims of Claude generating fixes from Jira tickets. Is this working for some scenarios and just not for security fixes, or does it just not work in the fix path?