Skip to main content

Guardrails vs Guidelines

· 6 min read

In the rush to integrate generative AI into the software development lifecycle, engineering teams frequently confuse two distinct operational concepts: guardrails and guidelines. To put it simply, a guideline advises: it's soft natural-language context, like an AGENTS.md or Skills file, that the model may or may not act on. A guardrail gates: it's a firm, automated constraint that forces an explicit, binary pass/fail and blocks on failure. Relying on soft guidelines for critical validation is why automated code reviews are risky. They're non-deterministic and quietly ignored.

The Ceiling for DIY Security Reviews

· 5 min read

Every security team is now running the same debate: build your own AI security review, or buy one. You drop a coding agent into CI, it finds real issues, rerun the same PR and you get different findings, different severities, no memory of last triage, no audit trail for AppSec. Get a better model and you get sharper findings but it won't close the gap. The real question isn't whether an LLM can find issues. It's whether you back yourself to build a great harness. That takes eval infrastructure, state, and the kind of engineering Cloudflare, Rogo, and Anthropic are writing blog posts about. Most teams don't have it. That is the ceiling.

Guest Post: How Dam Secure Finds What We Miss

· 11 min read
Daniel Grzelak
Chief Innovation Officer at Plerion

hackaws.cloud is an autonomous AWS penetration testing platform. Customers connect their AWS accounts, configure a foothold identity, and our agent performs real lateral movement and privilege escalation, building a live attack graph as it works.

That means we store AWS account IDs, IAM role ARNs, assumed-role credentials, and full attack path graphs. If tenant isolation fails, one customer could see another customer's AWS infrastructure map, or perform confused deputy attacks to assume roles in other customers' accounts. In an extreme scenario, chained with another bug, an attacker could even access stored credentials. The stakes are about as high as they get for a multi-tenant SaaS.

Tenant isolation isn't new territory for us. At Plerion, where I'm Chief Innovation Officer, we face the same class of problem: our cloud security platform ingests customer cloud configurations, vulnerability data, and identity graphs across thousands of accounts. The compliance requirements alone (SOC 2, ISO 27001) demand rigorous tenant boundaries. hackaws.cloud gave us a greenfield opportunity to apply those lessons from day one rather than retrofitting them.

Announcing our $4M Seed Round

· 3 min read

SYDNEY, AUSTRALIA & SAN FRANCISCO, USA: AI security startup Dam Secure has raised $4 million in a seed funding round led by Washington, D.C.-based cyber and AI investor, Paladin Capital Group, to solve for the security risks created by AI-generated code entering production at scale.