Saturday, April 18, 2026


The Builder's Manifesto

Cybersecurity in a world where code is worth nothing

Another agent today.

It's all over Reddit, in every Telegram channel. "I built it over the weekend." "It found a 0-day." "It writes better code than me." Screenshots, demos, euphoria, panic.

Back in the late 80s, when we were pushing ASCII characters across endless green terminals in assembly and FOCAL, nobody thought this would turn into a trillion-dollar industry. We just wanted the machine to obey us, not the other way around.

Now it obeys itself. And we're not the ones making the rules anymore. The rules are making us.

Let's unpack this.


Baseline diagnosis

Code stopped being valuable. It became raw material. Like cowrie shells: once the currency of three continents, now just sand on a beach. Only with code, the whole cycle took a decade or so instead of millennia.

Everyone's doing it now. Some loudly and theatrically, filming themselves for YouTube. Some still embarrassed to say "vibe coding" out loud. Some quietly, on side projects. If you're not doing it — you're not in the industry anymore. One person with agents, a month of work, and a few hundred bucks now ships what used to take a team of 25 and two years. This isn't a forecast. This is the production reality we already live in.

One unpleasant conclusion follows. A vendor's value is no longer in "we know how to build a product." Everyone knows how to build a product. Value now lives elsewhere: data, trust, distribution, chokepoints, the speed of packaging other people's ideas, the ability to turn a zoo of capabilities into one working product.

One in the field is a warrior again. Every human with a brain and a pair of hands is now CEO, R&D, QA, and marketing rolled into one. Any industry that hasn't noticed this is already a corpse. It just doesn't smell yet.

The casualty list, briefly

Pentest becomes a button, with rare expert surges on business logic and physics.

Bug bounty becomes either an auto-triage conveyor belt or a premium lounge for the rare business-logic finds. No middle ground. The 1-day tier, the vacuum cleaners rescanning the internet for last week's published CVEs, gets swept away by bots.

SOC analyst, signature writer — the last generation of the profession. Not automated. Extinct.

Corporate IT/security stops being the department that buys expensive toys to say "NO" with. It becomes the platform on which employees assemble solutions to their own problems. Shadow IT gets legalized as production.

Middle management, whose job is routing status between layers, is no longer needed. HR hasn't filed the paperwork yet. HR itself is next in line.

Pay-by-volume as a business model — done. From SIEM to DLP, from CASB to PAM. Charging per gigabyte in a world where agents drop 80% of the noise in-line is suicide on a payment plan.

Who survives

Three archetypes survive. Everything else shrinks to zero or consolidates into one of the three.

Expensive infrastructure. Hyperscale clouds, backbone-level DDoS scrubbing, telco infrastructure, certified hardware. And yes, lawful intercept — laugh now, cry later. The logic is simple: agents make software cheap, but they don't make data centers, peering, multi-terabit scrubbing capacity, or regulator relationships cheap. The higher the capex barrier and the denser the regulatory wrapping, the safer the niche. Big players live; they just consolidate harder. Small players get acquired or die.

The chokepoint. The node through which traffic, identity, policies, and decision execution flow. In a world of cheap code, any given logic gets copied in a week. What lives longer is whoever sits in the node — the point where decisions are not just made but enforced. If you're not in the node, you're a feature in somebody else's node. You just haven't figured it out yet.

"Brains in a box" for B2B/B2G. A trusted platform where agents already come wrapped in identity, compliance, audit, insurance, and certification. Enterprise and government will not buy agents à la carte. They will not accept "bring your own API key to a random cloud" — not from the regulator, not from the board, not from the insurer. They will buy a box they can sue. The window for capturing this niche is open another 2–3 years. After that, the market closes around a handful of winners per country. Russia, China, India, Brazil, the Middle East — every major market gets its 10–15 regional champions. This is an existential opening for anyone capable of taking it now.

The middle dies. The classic product vendor, 200–2000 people, three-year roadmap, pushing boxes through distributors — extinct first. Not nimble like the solo operator, not capital-heavy like infrastructure. No regulatory moat, no proprietary data. Just a product that now assembles itself in a quarter.

That's an obituary on installment.

Steam for security

In a world where a pentest runs overnight and a compliance checker is a two-evening job, a new scarcity emerges. The cost of adoption.

The agent writes the code. Assembles the analyzer. Trains the detector. Getting it into an enterprise environment is still three months minimum. Procurement. Integration. SLA and contracts. Regulatory sign-off. Operator training. Adaptation to the specific stack. And that's if you're lucky and the customer isn't running an accredited enclave.

That delta — from working product to working-in-production product — is the last real moat. Not the code. Compatibility with somebody's organization.

This is where the new shape of the chokepoint lives. Not "yet another platform." A Steam for security — an environment where rolling out a new module is two clicks, not a quarterly project. Identity is inherited from the platform. SLA inherited. Data flow inherited. Accreditation inherited. The operator doesn't learn a new interface. Procurement happens once, for the platform; after that, it's pay-per-use.

Whoever builds that layer first inside a regulated environment isn't capturing a single product market. They're capturing the right to be the entry point for everyone else. That's the chokepoint in its mature form: externally, a storefront for the customer; internally, a runtime for builders shipping "skills," "brains," "solvers." All plugged into a shared bus, shared policies, shared audit.

The vendor of the future isn't a feature factory. It's the editorial desk of a platform, solving the one problem no agent will ship over a weekend: the problem of being accepted.

Night of the living dead

Three archetypes survive. Three others are zombies. Economically dead, clinically still breathing, financially still paying dividends. AV/EDR, NGFW, SIEM — the three cash cows of the security budget. They survive as infrastructure. They die as products. The distinction matters.

The classic signature-based AV has been technically dead for a decade, but lives on because the regulator demands it, the insurer demands it, the internal policy demands it. Remove the regulator and 30% of the market evaporates in a year. EDR without an AI agent behind it (the autonomous responder, not the endpoint sensor) is an alert landfill. EDR with one is a platform that auto-closes 80% of incidents on its own.

While AV/EDR vendors are busy one-upping each other on who disassembles binaries better on the endpoint, those same endpoints are now hosting entities that will do absolutely anything — you just have to ask. That's a huge problem. It's an equally huge opportunity.

NGFW survives as infrastructure — physics hasn't been repealed, packets still need to move at line rate. But the industry around it — the policy-management overlays, the Wireshark-consultant cottage industry that spent years selling "management of complexity no human can hold in their head anymore" — is dead. An agent does in an hour what used to ship as a year-long project. The agent writes rules on the fly, the human approves the diff. When they can be bothered.

SIEM is the sickest cow in the barn. Technically: a log landfill with regex correlation dressed up as "expert expertise." Economically: one of the fattest segments in the security budget. Everyone who operates it hates it with sincere passion. The pay-by-volume model is fundamentally at war with agents: the vendor earns by making you ship more, the agent earns by shipping exactly what you need. These models are incompatible. Either SIEM reinvents itself as outcome-based — "I pay per incident caught" — or it becomes the mainframe of 2005: still alive, still needed by banks and governments, but inertia, not future.

The unifying logic of zombies. All three cows stand on regulatory inertia, organizational inertia, and budgetary inertia. Each of those pillars is thinning in real time. Sooner than anyone expects, regulators will greenlight continuous autonomous compliance, and the accumulated certification value evaporates within a couple of years. Vendors who believe "the certificate will save us" are tactically right and strategically dead.

But being a zombie is not a verdict, it's a starting position. The cows have everything the newcomers lack: customers, distribution, certifications, purchasing habits, and plenty of grass to graze on. All they're missing is brains. Brains can be bought in a quarter through a marketplace model, provided the cow is still alive enough to self-diagnose. Whoever repackages their legacy as a "box with plug-in brains" first captures a platform the newcomers couldn't build in ten years. Whoever bolts on an "AI assistant" cosmetically ends up in the textbook five years from now: "How to lose a market while holding all the cards."

The choice is simple: reinvent yourself in 2–3 years, or become the next BlackBerry. BlackBerry, by the way, was profitable right up to the end. And then it wasn't.

Identity: growing, but losing track of who it protects

Identity is the only "old" segment that clearly survives and grows. It's the chokepoint in its purest form: everything passes through identity, everything is attributed to identity, everything is governed by identity. The market will double and keep growing over the next years without any heroics on the vendors' part.

But inside that growing market, a quiet catastrophe is unfolding, and nobody's saying it out loud yet.

Your $20K-a-month CAPTCHA is trivially bypassed by any bot with a fistful of free proxies. Bot detection is a lost arms race. Device fingerprinting gets bypassed. Behavioral biometrics will be broken by agents in the next cycle — not because the defense is bad, but because agents have learned to imitate humans better than the average human is at proving they're one. This is shrinkflation of usefulness on autopilot.

But this is a symptom, not the disease. The disease is deeper. Identity is historically built on one assumption: a human stands behind every action. Good human, bad human, authorized or not — still a human. The whole threat model, the whole compliance framework, the whole audit trail — it's all about a human actor. Now, behind half the actions stands not a human but an agent — acting on behalf of a human, on behalf of another agent, on behalf of a service, or on its own.

Service accounts are too static, too privileged, no delegation semantics. A user's OAuth token can't tell you whether the action was the user's or an agent's acting as them. API keys don't support agent-to-agent-to-agent delegation chains. None of the existing primitives covers "agent X acts on behalf of human Y within scope Z for TTL T minutes, with sub-delegation allowed and a full audit trail for every hop." Did someone say blockchain?
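What the missing primitive would have to look like, as an added illustration (not code from the original post, and not any vendor's product): a delegation chain where every hop is signed by the principal that holds the previous hop, the on-behalf-of human never changes, scope can only narrow, a child cannot outlive its parent, sub-delegation is an explicit flag, and verification emits one audit line per hop. The principal names, the HMAC keys in `KEYS` and the `TRUST_ANCHOR` role are assumptions made up for this example; a real deployment would sign with asymmetric keys so the verifier holds no secrets.

```python
import hashlib
import hmac
import json

# Hypothetical signing keys, one per principal allowed to mint a hop
# (constructed for this example, not a real key store).
KEYS = {
    "idp": b"idp-secret",
    "agent-planner": b"planner-secret",
    "agent-worker": b"worker-secret",
}
TRUST_ANCHOR = "idp"  # only the identity provider may mint the root hop


def _canonical(payload):
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(issuer, payload):
    return hmac.new(KEYS[issuer], _canonical(payload), hashlib.sha256).hexdigest()


def issue(issuer, subject, on_behalf_of, scope, ttl, can_delegate, now, parent=None):
    """Mint one hop: `issuer` lets `subject` act for `on_behalf_of` within `scope`
    for `ttl` seconds. `parent` is the hop being narrowed, if any."""
    payload = {
        "iss": issuer,
        "sub": subject,
        "obo": on_behalf_of,
        "scope": sorted(scope),
        "iat": now,
        "exp": now + ttl,
        "can_delegate": can_delegate,
        "parent": parent["payload"]["id"] if parent else None,
    }
    # The hop id is a hash of its own content, so audit lines can cite it.
    payload["id"] = hashlib.sha256(_canonical(payload)).hexdigest()[:16]
    return {"payload": payload, "sig": _sign(issuer, payload)}


def _hop_error(token, parent, now):
    """Return None if the hop is valid against its parent, else the reason."""
    p = token["payload"]
    if p["iss"] not in KEYS:
        return "unknown issuer"
    if not hmac.compare_digest(_sign(p["iss"], p), token["sig"]):
        return "bad signature"
    if now >= p["exp"]:
        return "expired"
    if parent is None:
        return None if p["iss"] == TRUST_ANCHOR else "root hop not minted by trust anchor"
    if p["parent"] != parent["id"]:
        return "hop does not reference its parent"
    if p["iss"] != parent["sub"]:
        return "issuer does not hold the parent hop"
    if not parent["can_delegate"]:
        return "parent forbids sub-delegation"
    if p["obo"] != parent["obo"]:
        return "on-behalf-of principal changed mid-chain"
    if not set(p["scope"]) <= set(parent["scope"]):
        return "scope escalation"
    if p["exp"] > parent["exp"]:
        return "child outlives parent"
    return None


def verify_chain(chain, now):
    """Walk root -> leaf. Returns (ok, effective_scope, audit), where audit
    holds one line per hop so a reviewer sees who granted what to whom."""
    if not chain:
        return False, set(), ["REJECT: empty chain"]
    audit, parent = [], None
    for token in chain:
        p = token["payload"]
        hop = f"{p['iss']} -> {p['sub']} obo {p['obo']} scope={p['scope']} id={p['id']}"
        reason = _hop_error(token, parent, now)
        if reason:
            audit.append(f"{hop} REJECT: {reason}")
            return False, set(), audit
        audit.append(f"{hop} OK")
        parent = p
    return True, set(parent["scope"]), audit


if __name__ == "__main__":
    # Constructed scenario: alice's planner agent hands a read-only slice to a worker.
    now = 1_700_000_000
    root = issue("idp", "agent-planner", "alice",
                 {"tickets:read", "tickets:write", "payments:read"}, 600, True, now)
    worker = issue("agent-planner", "agent-worker", "alice",
                   {"tickets:read"}, 300, False, now, parent=root)
    for line in verify_chain([root, worker], now + 10)[2]:
        print(line)
```

The verifier rejects at the first bad hop and keeps the partial trail, which is exactly what an auditor asks for: not "was the call allowed" but "which hop granted it, and who is accountable for that grant".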

This gap is a category in itself, and it doesn't exist yet — Agent Identity & Access Management. It sits between IAM and PAM. There is no clear leader. In most regional markets, nobody is even moving. The window is open a year, maybe eighteen months, then it closes around two or three winners like every identity category before it. Whoever ships a certified Agent IAM for regulated environments first, with an audit model the regulators will accept, takes a position nobody dislodges for a decade.

What do regulators think (and do they think)

Current regulations — every single one — are written under the paradigm "one actor = one human." That's not a limitation. It's the baseline assumption, wired into the terminology itself.

PCI DSS requires a unique ID for every user with access to cardholder data. Its account model is built around people; system and application accounts are handled as an exception case, and an agent acting under delegated authority is not a concept the standard has. On that question: silence.

NIST SP 800-63 — an excellent standard, fully built on "subscriber = human being." The whole assurance model is about proving this human is that human. For agents, it's conceptually inapplicable.

Sector regulators in regulated markets, central banks, financial supervisors, critical-infrastructure authorities, all work with terms like "user" and "subject of access" where the subject is presumed human. Agents don't fit. Mandates like PCI DSS and NYDFS 23 NYCRR 500 require MFA for privileged and remote access, a control that loses operational meaning when you have 500 agents executing payment transactions.

EU AI Act, CISA, Asian regulators — same thing, local seasoning. Everyone knows there's a problem. Nobody has operational requirements.

No major regulator is ready for a world where half of all identities are non-human. This creates two parallel processes, and both are dangerous.

First — regulatory theater of the absurd. Organizations retrofit 2010 requirements onto 2026 reality. Agents get registered as service accounts, delegation chains aren't logged, the auditor doesn't know what to ask, the CISO doesn't know what to answer. Everyone pretends. This continues until the first loud incident. Then — panic-mode regulation, written in a week, poorly compatible with reality.

Second — the battle for the standard. The vendor who walks into the regulator's office first, carrying a ready model, a vocabulary, an audit procedure — writes the regulation around their own vision and their own product. The window for this move is now. Regulators who prefer concrete methodologies over abstract principles — and there are many — will adopt whatever the first serious entrant hands them. Whoever delivers the playbook becomes the standard.

Imagine that, a couple of years from now, regulators start accepting a report from a certified autonomous scanner as a valid annual security assessment. This isn't science fiction. It's the direct consequence of regulators loving concrete methodologies. Whoever brings the first methodology wins the category. Whoever waits for the "official position" loses.

Three years from now, any security audit that doesn't ask "show me the inventory of your agent identities, their permissions, and the audit logs" is not an audit. It's a ritual. A couple of years after that, the absence of an Agent IAM in critical infrastructure becomes a regulatory finding — the way missing MFA is today.

The new physics of M&A

Classic corp-dev rests on one assumption: the target has no alternatives, so it'll wait. It'll wait while the analyst rereads the pitch deck. While the lawyers argue over warranties for three months. While Big Four spends 400 billable hours establishing that revenue is, in fact, revenue, and was, in fact, earned. While the investment committee reconvenes next quarter because somebody's on vacation. While you haggle over a three-year earn-out, conditional on retaining the key people whom you will then squeeze out through "culture fit" by month three.

That assumption no longer holds.

The target now has alternatives. A three-person team ships a real product in 90 days. After 90 days, they either have live demand or they don't. If they do, somebody else already bought them while you were aligning scope of work with the auditor. If they don't, you paid six months of corp-dev labor for an asset the market has already buried.

You're not the price setter anymore. You're the late bidder at a fair that closes in an hour.

Due diligence as a ritual is dying. Not because it isn't needed, but because it can't take six months. If your team can't make the "buy / partner / integrate / kill" call within three weeks, you will buy things nobody needs anymore. At whatever price the seller names, because he has a second and third buyer moving at the same speed — and they also didn't make it in time.

DCF valuation on a five-year horizon for a startup assembled in a quarter is theater. Nobody knows whether this capability will still be relevant a year from now, never mind five. You're paying a premium for the illusion that your analyst understands the future better than the market does. He doesn't. The market understands faster, because the market is a thousand parallel experiments, and your analyst is one Excel.

A three-year earn-out is an insult to a founder who built more in six months than your product team did in a year. He won't sit three years in your corporate cage. He'll leave in month nine, build the next thing, and sell it to your competitor. A 24-month non-compete is even funnier. While your lawyers celebrate having protected the IP, the founder has forked the idea, changed five words, rewritten it in a different language, and shipped it under a different brand a month after closing.

If your corp-dev takes more than 30 days from first contact to term sheet — you're not in the game. You're an expensive ass in love with slides. While you're contracting Big Four for $500K to produce a valuation you'll ignore anyway, the target either goes to the moon via a different buyer, or proves itself a dud — and you find out from Twitter, not from the due diligence report.

If your integration takes more than 90 days — you bought a shadow, not an asset.

If you're buying to deny the competitor a buy — you're buying fear, not value. A blocking acquisition works for three months. Then the clone ships, and your $50 million becomes a museum piece.

Cybersecurity as a streaming service

M&A without M&A, and R&D without R&D

The way out of this paradox: port bug bounty logic onto M&A. Or, if you prefer: port the streaming service logic.

In the new world, a vendor runs into a throughput problem. 500 pitches a quarter, a three-person corp-dev team, engineers who can't integrate even what was already bought. The classic conveyor breaks under volume. But this problem is already solved on the offensive side: there are a hundred times more researchers than any security team can hire, and the bounty model lets you get results without hiring.

Port the logic. External teams, solo operators with agents, small startups, open-source forkers — they're the researchers. They bring a ready module or a prototype. The platform is the bounty program.

Tier 0 — submission. Minimum package: manifest, tests, sandbox demo, license. Automated security and compliance scan — ironically, by agents. Decision "in or out" in 72 hours, not six months.

Tier 1 — sandboxed marketplace. The module is available to customers in preview. Pay-per-use. Zero upfront. The entire economy runs on retention and actual usage. Prove yourself through users, not slides.

Tier 2 — curated. Based on retention and outcome metrics, the module enters a ranked tier. Extended contract, marketing support, embedding into the main flow.

Tier 3 — acquisition. A module that has proven itself over 6–12 months becomes an M&A candidate. But this is no longer a slide-based deal. Due diligence was done by the market. The price is set by data, not by a pitch-deck narrative.

Tier -1 — sunset. Anything that didn't earn its audience gets auto-archived. Not "we made a strategic decision." "The market didn't confirm."

Yes, you'll be drowned by the wave. That's a feature, not a bug. You need fast triage, a conveyor for sinking the losers and surfacing the useful. It's not easier than classic M&A. It's different. Where the classic is slow, expensive, and exclusive, this one is fast, cheap, and distributed. Due diligence gets distributed onto the customers. Failure is visible in three months, not three years. Honest accounting is baked into the model, not stapled onto it in quarterly reports.

A few things worth saying honestly, though.

Trust problem — the sandbox lets a lot of people in, and for security products specifically, this is dangerous. Solved through hard isolation, replaying against known-good and de-identified data, cryptographic attribution, reputation graphs.

Data leakage — the module provider sees customer telemetry. Without the right contracts, it's a catastrophe.

Metrics gaming — the moment metrics exist, metric-farmers appear. You need adversarial design from day one.

Legal and IP — template contracts, or you're in legal hell. That templating of contracts and processes is the real investment the platform makes.

What this all means

The pyramid flips: instead of 20 juniors and 2 seniors, you get 2 seniors and 20 agents. Where the juniors go is a separate industry question nobody has an answer to yet. The people who decided to "go into tech" in 2024 walked straight into a profession. Be careful what you wish for.

What to do right now

Stop building three-year roadmaps. Move to 60–90 days on the hypothesis, six months to prove demand, then either scale it or kill it.

Stop selling features. Sell usefulness, detections, findings, the chokepoint, the trusted box. If you're not in the node and you're not a certified container — you're a feature in somebody else's product.

Build an internal marketplace with bounty-style M&A. Not next year. Next quarter. Because in a year, your niche will already be taken.

Hire platform curators and builders, not code writers. The vendor of the future is the platform owner — whoever delivers demonstrated usefulness — not a conveyor of features.

Invest in data, ground truth, telemetry, labeled incidents. That's the only thing an agent can't synthesize over a weekend. For now.

Get ready for regionalization. In B2B/B2G, the market fragments along national boundaries. Whoever ships the regional trusted box first holds a position that's untouchable for a decade. Whoever's late never gets in.

Stop buying and selling fear. Blocking deals now work for three months and cost tens of millions.

And now to you, everyone else in IT

We went through this on the security example not because security is more interesting, but because security gets hit in the face first: shorter pain cycles, angrier customers, sharper regulators, and on the other side of the fence not an accountant but a well-prepared attacker. Whatever lands in security in 2026 lands in the rest of IT soon after. Very soon.

If you read all of the above and thought "lucky us, we're not in security" — I can't even laugh at that.

In observability, DevTools, DataOps, CRM, ERP, document management, BI, HR-tech — same story, 12–18 months delay. Your three-year plan is already a corpse. Your six-month corp-dev process is already a corpse. Your "unique codebase" is already sand. Your segment between the solo operators and the hyperscalers is already dying, you just don't see it in the quarterly report yet.

Small teams ship a CRM in a quarter. Five people ship an ERP for a narrow vertical — or a single customer — in six months. They don't "compete" with you. They take one customer a month out of the segments you considered too small to look at. Two years from now, you'll discover your market has halved, and the culprit will not be "economic headwinds."

This isn't the end of the industry

It's the industry returning to its roots.

Back in '95, when we dialed past BBSes and they called us criminals, when we ran SATAN against Nimda, Code Red, Slammer — we weren't doing it because somebody approved a budget, or because there was a plan, or because marketing ran a market analysis.

We did it because we could.

Because we were curious.

Because we saw a problem — and we had the hands and the brains.

That was our world then. The world of the electron and the switch, the beauty of the baud. Then the industry grew up. It accumulated processes, quarterly plans, investment committees, six-month due diligence, architectural boards, ISO certifications on the processes for writing documentation about the processes for writing documentation. All of it earns its keep while it helps you build. Right up to the moment it starts getting in the way.

That moment is now.

A single person with an idea and a few hundred bucks has more capability than your 200-engineer R&D department. Not because they're smarter. Because they don't spend 80% of their time on approvals, reviews, and "aligning with stakeholders." They have no stakeholders. They have a problem, a tool, and an evening. They hold their own stake.

The rules of the new industry are the old rules you forgot.

Build what solves a real problem. Not what lands in a Magic Quadrant, or some Tragic Quadrant. Not what passes the investment committee. What the customer actually needs.

Cultivate, don't cage.

Buy speed.

Kill what doesn't work. Kill fast. But be ready for it to come back.

Return the last word to those who build, not those who balance an Excel sheet for the next board meeting.

This is our world now — the world of the agent and the prompt. We explore, and they call us disruptive. We build, and they call us reckless. We ship in a weekend what their committees couldn't ship in a year, and they call it unserious.

Our crime is that of curiosity. Again.

You may stop this individual founder, that specific startup, this particular weekend hack. You can't stop all of us.

I'm a builder. And this is my manifesto.
