This article is a continuation of Why LLMs Are Not Planning Machines. In that earlier post, the core claim was simple: large language models can generate plausible action sequences, but they do not plan. They lack a mechanism to reason over uncertainty across time. This follow-up post focuses on what is missing. The missing abstraction is the… Read More »Belief State: Why AI Planning Fails Without It
In the course of my work with LLMs, I’ve been examining a recurring pattern in how large language models are being used inside real systems. In many settings, I observed that LLMs are treated as planners where they are used to generate multi-step workflows, remediation strategies, operational playbooks, and even “autonomous” action sequences. These plans… Read More »Why LLMs Are Not Planning Machines (And What It Means)
A CISO’s reference for evaluating modern web app pentesting programs, what AI actually changes, and how to tell platforms apart from LLM wrappers. Quick Answer Web application penetration testing in 2026 looks structurally different from the annual consulting model most enterprises still run. The shift is driven by three mismatches: applications change daily but get… Read More »Web Application Penetration Testing in 2026: A Practical Guide for CISOs
What our firsthand experience building pentest agents taught us about verifiability, benchmark saturation, and where human researchers still matter most Our firsthand experience with application pentest agents at FireCompass has been unexpected. When we started building them, I assumed AI would become a useful force multiplier for researchers. I did not expect it to start… Read More »Why AI May Disrupt Application Pentesting Earlier Than Most Security Teams Expect