Insights on identity, security, and the exposures no one asked for.
a16z's "Avoiding Death on the Yellow Brick Road" argues AI app companies survive by building off the smooth horizontal road the frontier labs own, in the messy vertical workflows raw capability can't reach. Read it for security and the labs become CrowdStrike, Microsoft, Wiz, and Cortex. The piece lays out three tests and four moats. This is the diligence-grade version of the scorecard: where Setu is genuinely off the road, where it is sitting on the road and pretending otherwise, and the one moat that isn't built yet.
RBI's Cyber Security Framework names HoneyPots in Annex 2 alongside SIEM and threat feeds. The unsolved half of the directive is placement: in a 40,000-host bank, where do you actually put the lures? That is a three-dimensional fit problem — environment × threat vectors × deception palette (decoys, breadcrumbs, tripwires, tokens) — and the substrate that produces a placement plan is an event graph composed with attack surface management, not either one alone.
Two articles in the past 72 hours sharpened the post-Mythos picture: the boardroom is offering a four-to-eight-week budget window, and the operator commentariat is rejecting any new tool as the answer. Both are right. The defender stack that survives both readings is the one whose measurement layer is signed, externally verifiable, and tied to fundamentals — identity governance, segmentation, response cycle time — rather than to a new tool category.
Medtronic on April 16. Holland America's Mariner Society loyalty program on April 18. The disclosures are vague enough to drive a truck through, but the structural read is consistent across both: a single foothold's blast radius was already set the moment the credential was issued, and event-tier detection had nothing to say about it. Walking the public facts through Setu's surfaces — hygiene scanner, entity graph, velocity scorer, on-prem companion, dispatches feed — and naming the gaps.
Every step inside Vercel was a valid API call by a valid principal. The origin sat two vendors upstream and two months back in time. This is a post-hoc reconstruction of which Setu surfaces would have fired, in what order — and why the Salesloft / Drift breach nine months earlier is the same shape, one scale larger.
AWS GuardDuty, CrowdStrike Falcon, and Microsoft Defender have the data positions to ship a pretrained security model that arrives at your tenant pre-baked. None has. The answer is the design constraint nobody on stage will name: security graphs do not transfer. What does compound is per-tenant analyst feedback — if you ship something useful on day one to generate it.
A typical mid-market SOC maintains 800–2,000 detection rules. The maintenance cost is enormous, the coverage is incomplete, and the rules largely do not compose. This is the architecture detection engineering has had for twenty years, and it is the architecture we are arguing should be replaced over the next decade.
A modern SIEM ingests 100 GB to 50 TB per day, but the view is a flat stream of events. A campaign — by which we mean a coordinated set of attacker actions over hours or days, carried out across multiple identities, hosts, and systems — is by definition a structure across many events. The SIEM's primary view does not show campaigns. The graph does.
A vocabulary has been forming in identity security around the word "intent." The word does useful work in talks; it does less work in production. Intent is unobservable, behavioral baselines decay, and the intent score doesn't tell the analyst what to do. Blast radius does.
There were 28,902 CVEs published in 2023. The premise that the job is to patch them faster is incomplete enough to be misleading. The breaches that actually happened in the last two years happened because, once one foothold existed, the path from foothold to crown jewels was short, undefended, and invisible to the SOC.
There's a version of the moats conversation security vendors love to have, and a different version that survives a serious diligence review. This post is the second one. We name the four powers we sometimes get credited for that aren't real moats, and the two we are actively building.
There's a popular line in vendor decks that modern attacks demand learned graph neural networks. It's a real trend. But the heat kernel is a smoothing operator, not a probability of compromise — and the day-one product still has to ship before the GNN data exists.
Enterprises are deploying AI agents faster than they can secure them. The result: 63% have already experienced AI-related security incidents. The missing piece isn't another firewall — it's an identity-aware control plane that treats every agent, every credential, and every access path as a first-class security object.
Role-stacking, context-loading, and iterative refinement make LLMs useful for security work. But the need for these techniques reveals that our tools still can't connect the dots between identities, permissions, and Expected Compromise Impact without a human in the loop.
Monad wants to be the perfect pipe between your security tools and your SIEM. Vega wants to eliminate the pipe entirely by querying data where it lives. Both miss the real problem: neither pipe-fitting nor federated SQL gives you the identity-aware, graph-correlated context that actually reduces exposure.
Lawrence Pingree's JIT-TRUST framework argues that static policies and time-boxed access can't govern autonomous AI agents. We agree. Here's how Setu already implements the core principles—and where the industry needs to go next.
The explosion of AI adoption has created a new class of security challenge. The typical response—adding another visibility layer—addresses symptoms while ignoring the root cause. AI exposure isn't fundamentally about AI. It's about identity.
As AI adoption accelerates, organizations face a new category of security challenges: shadow AI, prompt injection attacks, data exfiltration through LLMs, and ungoverned AI agents. A unified approach to AI security requires visibility, control, and continuous protection across the entire AI lifecycle.
Secure Enterprise Browsers control the endpoint. Identity Risk Graph controls the access paths. Together, they create a unified security architecture that reduces ECI at both the browser and identity layer—closing gaps that neither can address alone.
Traditional security tools scan periodically, fragment context across silos, and flood teams with alerts lacking exploitability insight. A new architecture is required—one that maintains continuous, stateful awareness of your cloud environment.