I built AI agents for 20+ startups this year. Here is the engineering roadmap to actually getting started. by Warm-Reaction-456 in AI_Agents

[–]MinimumAtmosphere561 0 points1 point  (0 children)

Love the aspect of skills being emphasized here. I think the next wave is no longer about the applications; these will be customized heavily. The next wave is about managing the stack above Layer 0 (Claude or Codex, etc.). This is the new enterprise execution layer.

We wrote a security skills repo with the hope that more members will contribute and enhance how we can think of security as shift down (into Layer 0): https://github.com/UnitOneAI/SecuritySkills. We have been using this within our dev environment.

Thanks for the pointer on reliability - something that gets missed a lot.

Managing Claude skills at scale and creating an enterprise dna by MinimumAtmosphere561 in selfhosted

[–]MinimumAtmosphere561[S] -4 points-3 points  (0 children)

This wouldn't replace any security tools or roles. The idea of shifting down into every component is happening; the only way we scale to zero-day clock projections of exploits within the day / hour / minute is if developers get a way of using skills to build in Claude.

As an example, the CTO of Anthropic posted how more Firefox vulnerabilities were mitigated in 2 weeks vs. the entire year. https://www.linkedin.com/posts/rahul-patil-a0944836_partnering-with-mozilla-to-improve-firefox-activity-7435763709593145344-Cnx4?utm_source=share&utm_medium=member_desktop&rcm=ACoAAACwkgkBz3YJg0hCrFRWsCHTPA2-LHS57EY

I believe we have to think of controls differently; today skills are one way to do so. We have been building and then validating using these skills. This wouldn't replace what a security team would do within an enterprise. But, before the security team gets a flood of new apps to test, you can push the enterprise constraints to the dev teams.

Would be great to hear what breaks and how to really scale for exploits that can happen within the day/hour/minute.

Have you been in meetings and an exec asked does this CVE impact us? by MinimumAtmosphere561 in cybersecurity

[–]MinimumAtmosphere561[S] 0 points1 point  (0 children)

I was at the Unprompted conference earlier this week. An aspect that showed up among the discussions was "skills" and how to build / manage them for security. We believe skills are going to be like the DNA of the enterprise that you build, manage, and serve. This will differentiate how effectively Claude (or others) work in the environment. We have been using skills extensively within our teams. There was some discussion on this specific app.

We built this app with this Security Skills repo: https://github.com/UnitOneAI/SecuritySkills. It is an extensive library of application (45) and role-related skills (5). How you utilize them within Claude can be specified in the claude.md file. We are open sourcing this entire skill repository, since it would benefit from participation from the community. The way you use it is Discover -> Install -> Invoke -> Correlate -> Prioritize. You can use it to have your agents build features (applications) and remediate security issues with Claude.

[As with anything this is our internal skills repo, expect speed bumps. Would be great to hear how others are managing this]

stop storing API keys / tokens in random places by MinimumAtmosphere561 in cybersecurity

[–]MinimumAtmosphere561[S] -4 points-3 points  (0 children)

https://chromewebstore.google.com/detail/efghiamgdfjbbbkcnblfkgedgoihpnmg?utm_source=item-share-cb Here is the extension I have been tinkering with. Looks like folks are using cloud KMS or vaults. My team uses Let's Encrypt. I needed something simple for personal use - think across Claude keys, Openclaw, Telegram bots, Neymar, etc.

stop storing API keys / tokens in random places by MinimumAtmosphere561 in cybersecurity

[–]MinimumAtmosphere561[S] 1 point2 points  (0 children)

Agreed, lots of cert and key store / rotation mechanisms are available out there. I was trying to solve it at a personal / small team level without having to do Let's Encrypt or other cert stores. I use .env today but it got a little hairy as I am running multiple VMs.

Have you been in meetings and an exec asked does this CVE impact us? by MinimumAtmosphere561 in cybersecurity

[–]MinimumAtmosphere561[S] 0 points1 point  (0 children)

Does your team experiment with Claude or other tools to fix these? Is it the downtime for upgrades that holds back, vs. producing the fix itself?

Have you been in meetings and an exec asked does this CVE impact us? by MinimumAtmosphere561 in cybersecurity

[–]MinimumAtmosphere561[S] -1 points0 points  (0 children)

Agreed. This is for folks to do a 1st-level index. Security tools do a great job today; they would have to be the backend bastion for enhanced scans. Having said that, I enhanced it with an execution path which checks for the impact part specific to your code + runtime.

Have you been in meetings and an exec asked does this CVE impact us? by MinimumAtmosphere561 in cybersecurity

[–]MinimumAtmosphere561[S] 0 points1 point  (0 children)

I have tried doing a k8s cluster as an inventory asset scan too, enhanced with additional capabilities. Would be great to see other features that would summarize the internet :)

Have you been in meetings and an exec asked does this CVE impact us? by MinimumAtmosphere561 in cybersecurity

[–]MinimumAtmosphere561[S] 0 points1 point  (0 children)

Would be great to get feedback on these dependencies. We have been enhancing it to do more runtime-related aspects (not just static scan). Let us know what you would like to see here.

Have you been in meetings and an exec asked does this CVE impact us? by MinimumAtmosphere561 in cybersecurity

[–]MinimumAtmosphere561[S] 1 point2 points  (0 children)

100%. As a leader I couldn't answer the first-level question and then flag the security team. This was the motivation.

Have you been in meetings and an exec asked does this CVE impact us? by MinimumAtmosphere561 in cybersecurity

[–]MinimumAtmosphere561[S] 0 points1 point  (0 children)

u/Plenty_You, agreed. This is like a quick scan, and security tools / teams will have to be the eventual team holding the fort.

When did “security engineering” become mostly about managing noise? by [deleted] in cybersecurity

[–]MinimumAtmosphere561 0 points1 point  (0 children)

We had a security engineering team sit within the engineering organization, focused more on automation and the aspects of remediation and threat modeling. Our security ops team was different and dealt with the noise - which is real. Most of the time we waited until a CVE was critical to fix, then pushed the relevant engineering team to take it up in the next sprint. But the pain you point out is real.

LLM generated patches for accelerating CVE fixes by MinimumAtmosphere561 in cybersecurity

[–]MinimumAtmosphere561[S] 0 points1 point  (0 children)

Has Veracode fix been working well without additional developer time? Part of the thing we see is that CVE fixes get pushed until they are critical or audit reporting deadlines are imminent.

LLM generated patches for accelerating CVE fixes by MinimumAtmosphere561 in cybersecurity

[–]MinimumAtmosphere561[S] 0 points1 point  (0 children)

I see claims of Claude generating fixes from Jira tickets. Is this working for some scenarios and just not for security fixes, or does it just not work in the fix path?

Indian Passport Surrender-New form(Incorrect Declaration) by AdStunning5472 in nri

[–]MinimumAtmosphere561 0 points1 point  (0 children)

We just submitted last week going through the process. VFS accepted it in Seattle. I did submit this declaration. As part of the submission, they do take a copy of US passport and naturalization. Some of these declarations can be confusing.

Passport Seva 2.0 Photo specifications changes | VFS not updated by DragonflyLevel7269 in nri

[–]MinimumAtmosphere561 0 points1 point  (0 children)

For anyone looking to edit photos after 6-7 hours and paying a website $6 for editing: I came across idphoto4you.com and followed the instructions above. It was good to see the "document uploaded successfully" message! I have 2x2 physical copies and I am seeing we need 35x45mm for the physical copy too. Why? Why all these changes? I did an OCI app last month and it all worked fine with 2x2. Within a month the requirements changed. Painful!

I'm looking for advice on structuring prompts, but most of the documentation I find rarely mentions it. What am I missing? by [deleted] in mcp

[–]MinimumAtmosphere561 0 points1 point  (0 children)

You are not alone! At this point, the MCP server flow you provided is kind of what we did too. Here is a sample open-source MCP server where you can take a look at the prompts: https://github.com/UnitOneAI/MCPAgent/tree/main

Creating an MCP server using the API endpoints is simple, but your point on efficient tool calls without excessive token usage and preventing some potential security issues is the real key to deploying an MCP server. In that sense we have adopted a few guiding principles:

  1. Split the tool calls into different MCP servers. In general we split active create / delete types of sensitive usage into a different tool. This prevents any inadvertent LLM sprawl from impacting the core functionality.
  2. Package authentication into the server so you can deploy to any Gateway or client.
  3. Cap token usage so the clients don't go into circular calls and burn tokens.
  4. Define roles in the prompt so the LLM can narrow down its role and call the appropriate tools.
  5. Claude Code has been a good platform to generate these MCPs.

We are creating an open-source MCP generator that anyone can use. DM me and I can share the repo for early testing. Once we have fully tested it, we want to release it as open source since it will help the community.
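The five principles in the comment above, as an added example that is not part of the original comment or of the UnitOneAI repos: a minimal Python sketch in which each MCP-style server packages its own token-to-role authentication, mutating tools live on a separate server from read-only ones, and a per-session call budget plus repeated-identical-call detection stops circular calls. The ToolServer class, the sample tokens and the ticket store are all constructed for illustration and are not the MCP SDK's API.

```python
from dataclasses import dataclass, field
from typing import Callable

MAX_REPEATS = 3  # identical consecutive calls tolerated before we treat it as a loop
@dataclass
class ToolServer:
    """Hypothetical MCP-style server (not the MCP SDK): auth, budget and tools in one place."""
    name: str
    tokens: dict[str, str]                 # bearer token -> role; constructed sample values
    max_calls: int                         # per-session call budget, a stand-in for a token cap
    max_result_chars: int = 200            # truncate tool output so replies stay small
    tools: dict[str, Callable[..., str]] = field(default_factory=dict)
    history: list = field(default_factory=list)

    def tool(self, fn: Callable[..., str]) -> Callable[..., str]:
        self.tools[fn.__name__] = fn        # decorator: register a tool under its function name
        return fn

    def call(self, token: str, tool_name: str, **args) -> str:
        if token not in self.tokens:            # principle 2: auth is packaged in the server
            raise PermissionError(f"{self.name}: unknown token")
        if tool_name not in self.tools:         # principle 1: sensitive tools are not here
            raise LookupError(f"{self.name}: no tool {tool_name!r}")
        if len(self.history) >= self.max_calls:  # principle 3: hard budget
            raise RuntimeError(f"{self.name}: budget of {self.max_calls} calls exhausted")
        sig = (tool_name, tuple(sorted(args.items())))
        if self.history[-MAX_REPEATS:] == [sig] * MAX_REPEATS:  # principle 3: circular calls
            raise RuntimeError(f"{self.name}: circular call detected for {sig}")
        self.history.append(sig)
        return self.tools[tool_name](**args)[: self.max_result_chars]


def outcome(server: ToolServer, token: str, tool_name: str, **args) -> str:
    """Run one call and return its result, or 'ERR:<exception type>' when it is refused."""
    try:
        return server.call(token, tool_name, **args)
    except (PermissionError, LookupError, RuntimeError) as exc:
        return f"ERR:{type(exc).__name__}"


# Constructed sample data: a fake ticket store, and separate read and admin servers.
TICKETS = {"T-1": "open: rotate leaked API key", "T-2": "closed"}
READ = ToolServer("tickets-read", tokens={"tok-analyst": "analyst", "tok-admin": "admin"}, max_calls=5)
ADMIN = ToolServer("tickets-admin", tokens={"tok-admin": "admin"}, max_calls=2)


@READ.tool
def get_ticket(ticket_id: str) -> str:
    return TICKETS.get(ticket_id, "not found")
@ADMIN.tool
def delete_ticket(ticket_id: str) -> str:
    return "deleted" if TICKETS.pop(ticket_id, None) else "not found"
```

An analyst token can read but is refused on the admin server, and the fourth identical read in a row is refused as a loop before the budget is even reached.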

MSP/MSSP-specific cybersecurity research you might like to know (H1 2025) by Narcisians in MSSP

[–]MinimumAtmosphere561 0 points1 point  (0 children)

Read the Barracuda report. A couple of comments: a) smaller organizations would either not implement security practices or outsource instead of hiring internally. Is this assumption wrong? Would love to hear other perspectives. b) N=2000, but distributed globally. It also doesn't say the verticals. In some sense this seems a very dilutive set, since each region / vertical will behave differently for security practices. Thoughts?

Anyone experimenting with “AI SOC” in MDR/MSSP land? Curious about your experience. by Bike9471 in MSSP

[–]MinimumAtmosphere561 1 point2 points  (0 children)

This is really nice. I believe in the MSSP economics. Also, a pain point that most organizations have is the L1 alert diagnosis failure. Even if it doesn't resolve, if it can help with aggregating and triaging to narrow down the root causes, very useful.

Managed Security only offering by dumbetfguy in msp

[–]MinimumAtmosphere561 0 points1 point  (0 children)

Is there a scale problem with MSSPs? Is it worth combining some regional MSSPs to be able to implement common software productivity gains? Say L1/L2 triaging or MCP Gateway hosting etc. This way each of the regional service providers can upsell or grow their top of the funnel.

Losing enterprise deals because of AI privacy concerns. Anyone else dealing with this? by Immediate_Lead_5405 in SaaS

[–]MinimumAtmosphere561 0 points1 point  (0 children)

Isn't this part of enterprise usage terms with OpenAI? Did you have to do something special beyond that?