Denis Makrushin

Most clouds share one access layer across regions. One breach, lateral movement everywhere. We made fully autonomous regions with shadow org that auto-replicates all resources. No difference for UX. Patented. Compromising the area gives attacker nothing. yandex.cloud/ru/blog/multir…

AI agents ship and test code in production. Next frontier: trustworthy across SDL. RepoAudit reduces LLM hallucinations by feeding data-flow paths instead of raw code, reducing false positives and improving agentic code review. Binary analysis is coming: repoaudit-home.github.io

It’s time to move beyond 'shift left'. The next strategic move is 'shift down', embedding security directly into dev platforms. So, let's define the 2026 agenda for security leaders: bring security controls closer to dev platforms.

A small step in the large open-source: CVSS integration in Trivy. At the heart of our #AppSec platform is an open-source SCA project called Trivy. This time, we are not only integrating, but also contributing: in Trivy 0.65.0 release we added the CVSS vector support.

Restored my bot that collects security insights. It scrapes #bugbountytips #bugbountytip #bugbounty #pentest #redteam via Playwright, sends it to DeepSeek-V3 for review, publishes daily 13:37 UTC in “Research Hub” TG. Got hashtags / sources to add? DM me. makrushin.com/research-hub/

Secret detection is easy in single repo and deterministic pattern. It gets tricky at enterprise scale monorepos + non-deterministic strings. We benchmarked engines, mapped their limits and defined use-cases with highest precision/recall/perf: medium.com/p/0cf351e74250 #AppSec

Over 1,000 GitHub repositories at risk: how to detect RepoJacking vulnerabilities. In this paper, we share our methodology, tools and key findings to help the community effectively detect and mitigate repository hijacking. makrushin.com/repojacking-gi… #DevSecOps #BugBounty

Advanced Research Review 2024 Let's review last year's perspective research reports. Use the knowledge to refine your strategies, strengthen defenses, and take your findings forward in 2025. makrushin.com/advanced-resea…

Sprint from idea to Application Security course makrushin.com/application-se…

I've compiled a collection of vulnerabilities and an overview of attack methods against Github users identified in 2024. The material will be helpful for both developers, #devsecops and #appsec engineers in protecting their projects. medium.com/yandex/securit…

Together with the Bauman Moscow State Technical University team, we've upgraded the "Information Security" program, equipping developers with new superpowers. By students, for students—with a “secure-by-design” mindset from day one.

Secure SDL in FinTech: summary of the DevOpsConf roundtable Key theses voiced together with colleagues from the financial industry during the discussion of secure development challenges: linkedin.com/feed/update/ac… #DevSecOps #AppSec #DevOps #SDLC

report_v.2023.4: release candidate Sit next to me. Let's discuss and prepare our annual report. Highlight the ones that made you feel the most, not just list the results. Let's do it in “parameter: value” format. linkedin.com/posts/makrushi…

Web Applications Bug Hunting: Fundamentals A crash course in bug hunting presented at the @TheSAScon, covering key terminology, attack vectors and everything you need to know to start your application security journey. #DevSecOps #BugBountyTips youtu.be/WWCV2MrphU4

ML models have proven effective in automating the onboarding process, saving 30 out of 50 hours of experienced staff time per new hire by generating training content based on job descriptions and internal materials.

On time management for leaders: "it is not time but energy that should be managed" and "in intellectual work, inspiration is much more important than time".

Weekend in Serbia: CTO Day From the closed-door event in Belgrade, which brings together CTOs of IT companies every year, here are my takeaways.

eBPF program debugger On the way from a small script to a full-fledged application developer spends half his time on debugging. The tool is useful for anyone developing security and observability applications based on eBPF. Credits to Alex Kalinin. github.com/ph1048/ebpfdbg