Kshitiz

214 posts

@kshitizh

Building @ypal_security | Founding Engineer / Product & Security @Security_Pal

KTM-MPLS-SF-NYC · Joined May 2013
199 Following · 461 Followers
Kshitiz
Kshitiz@kshitizh·
@eve_silb the death of duo arc is wild because most marketing teams would've killed the idea in the deck review. takes real conviction to ship something that weird. nice breakdown.
1
0
2
24
Kshitiz
Kshitiz@kshitizh·
great launch, but the “we ARE your stack” pitch only covers identity + device + HR controls, call it 1/3 of SOC 2. CC3 risk assessment, CC7 system ops, CC8 change mgmt, CC9 BCP — all live in your product, not your HRIS. and even the controls Rippling automates still need a human to defend the design to an auditor. this is exactly why we’re building @ypal_security . evidence collection is the easy part.
Matt MacInnis@stanine

Today, we launched @Rippling Automated Compliance, starting with SOC 2. We have a unique advantage here: we aren't telling you how to fix your stack, because we ARE your stack. device management, identity and access management, HR, performance management...

0
1
11
763
Kshitiz reposted
Pukar C. Hamal 🏔🗽 🌁
the wonderful students at the Nepali Student Association at @Stanford are hosting a great event this Wednesday do join if you can!
3
5
28
1.4K
Kshitiz
Kshitiz@kshitizh·
Here's what I'm noticing as we build @ypal_security : Every compliance platform launched "agents" this quarter. Vanta, Drata, Sprinto: the category is converging on "autonomous compliance." But the controls that actually need to pass an audit aren't evenly distributed in difficulty. The easy 70%: CC6, CC8, A1 — really do feel automatable. Click through, evidence is clean, verdict is clear. The hard 30%: CC1.2 board oversight, CC3.3 fraud risk, CC4.1 monitoring of your own controls require judgment no agent has yet. And those are exactly the ones auditors probe at audit time. So we did the asymmetric thing. We use AI heavily underneath. MCPs pull evidence from your stack live. Drift detection runs daily. Cross-system reconciliation joins HR rosters against access lists. The bookkeeping is mostly done. Then a calibrated human vCISO, same one for the entire engagement, does the judgment work auditors actually probe. When your auditor pushes back on a control, the person who picks up the phone wrote the reasoning, not some AI slop. That's the shape compliance work wants.
0
0
9
176
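An added example of the "cross-system reconciliation joins HR rosters against access lists" check described in the post above. It is not Ypal's code: the roster, the access export and their field names are constructed assumptions, and it flags the three kinds of drift an access review (SOC 2 CC6) is meant to surface.

```python
from dataclasses import dataclass
from datetime import date

# Constructed HRIS export (hypothetical): email -> (status, termination_date).
HR_ROSTER = {
    "Alice@example.com": ("active", None),
    "bob@example.com": ("terminated", date(2024, 3, 1)),
    "carol@example.com": ("active", None),
}

# Constructed access export from one application (hypothetical IdP group dump).
ACCESS_LIST = [
    {"email": "alice@example.com", "app": "github", "role": "admin"},
    {"email": "bob@example.com", "app": "github", "role": "member"},
    {"email": "mallory@example.com", "app": "github", "role": "member"},
]


@dataclass(frozen=True)
class Finding:
    kind: str    # terminated_with_access | unknown_identity | missing_access
    email: str
    detail: str


def reconcile(roster, access, required_app=None, as_of=date(2024, 6, 1)):
    """Join the access list against the roster and return the drift findings.

    required_app: if set, active staff with no entry for that app are flagged
    too, so the review catches under-provisioning as well as over-provisioning.
    Terminated roster entries are assumed to carry a termination date.
    """
    roster = {e.lower(): rec for e, rec in roster.items()}   # normalise join key
    findings, seen = [], set()
    for entry in access:
        email, app = entry["email"].lower(), entry["app"]
        seen.add((email, app))
        rec = roster.get(email)
        if rec is None:   # nobody in HR owns this account: orphan or external
            findings.append(Finding("unknown_identity", email, f"{app} {entry['role']}"))
        elif rec[0] == "terminated":
            days = (as_of - rec[1]).days
            findings.append(Finding("terminated_with_access", email,
                                    f"{app} still granted {days} days after termination"))
    if required_app:
        for email, (status, _) in roster.items():
            if status == "active" and (email, required_app) not in seen:
                findings.append(Finding("missing_access", email, required_app))
    return sorted(findings, key=lambda f: (f.kind, f.email))


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, ACCESS_LIST, required_app="github"):
        print(f"{f.kind:24} {f.email:22} {f.detail}")
```

Run daily against fresh exports, each finding is an evidence item with a clear owner; the lower-casing of the join key matters because HRIS and application exports rarely agree on case.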
Kshitiz
Kshitiz@kshitizh·
got cooked by @garrytan's GStack today. told me i'm top 10%, then said the other 90% is vibes, batch pressure, and weekly dinners with billion-dollar founders. sorry Garry, gonna have to pass, building @ypal_security is the batch pressure rn gstack is super cool btw
2
0
8
247
Kshitiz
Kshitiz@kshitizh·
Your SOC 2 report says you do vendor risk management. It doesn't list the 40+ AI tools your engineers OAuth'd into Google Workspace this quarter. Third-party risk stopped being about your big SaaS vendors. It's every "Continue with Google" button on the internet.
0
0
7
168
Kshitiz
Kshitiz@kshitizh·
Vercel's breach didn't start at Vercel. It started at Context AI, a third-party AI tool one of their employees had OAuth'd into Google Workspace. Context AI got popped. Attackers pivoted through the OAuth app into the employee's Workspace, then into Vercel. OAuth is the new lateral movement.
1
1
12
418
Kshitiz reposted
Pukar C. Hamal 🏔🗽 🌁
I will be speaking at @Harvard and @MIT this weekend about why Nepal is the perfect destination for advanced compute clusters given: 1️⃣ The geographic proximity to rising inference demand from 3.5 Billion people in APAC, IndoPacific and MENA and $35 Trillion+ in regional GDP! 2️⃣ Plentiful low-cost and efficient hydropower for energy and cooling! 3️⃣ Access to a rapidly up-skilling and diligent labor pool! There has never been a bigger, better win-win-win scenario in history!! Win for Nepal🇳🇵 Win for the United States 🇺🇸 Win for the World 🌏 The United States AI stack will lead to the biggest peace 🕊️ dividend in history! #siliconPeaks #USA #Nepal #PaxSilica #AI #Compute #Peace #Energy #Hydro #techNepal #security #gdp #developmentEconomics #NVIDIA #chips cc @SwarnimWagle
Pukar C. Hamal 🏔🗽 🌁@pchamal

Nepal should be part of Pax Silica. I am hopeful our GREAT US Ambassador to India, The Honorable Sergio Gor @USAmbIndia is able to invite Nepal onto the efforts here. It will bring lasting peace and stability to the region and it will ensure billions of people in the IndoPacific and APAC region have access to the best models and AI infrastructure. Long the USA 🇺🇸 🚀🇳🇵Nepal Partnership! cc The Honorable @jacobhelberg @UnderSecE who has done incredible work on this front 🙏. state.gov/pax-silica

4
8
52
4.8K
Kshitiz
Kshitiz@kshitizh·
@PordonChris @PordonChris you nailed it, especially the USING part. Everyone assumes compliance only hits builders. But the AI Act puts obligations on deployers too. Your sales team running AI on prospect data? That's in scope.
0
0
2
52
Kshitiz
Kshitiz@kshitizh·
@RealNickLink Yep. And the gap between "knew it was coming" and "suddenly in every enterprise RFP" is going to be shorter than people think.
0
0
0
19
Nick Link
Nick Link@RealNickLink·
@kshitizh That's actually crazy. Well, we all knew it was coming eventually!
1
0
1
25
Kshitiz
Kshitiz@kshitizh·
ISO 42001 is becoming the SOC 2 of AI. Most AI-first founders have never heard of it. They will by Q4.
2
0
16
595
Kshitiz
Kshitiz@kshitizh·
@eve_silb If you sell B2B, prospects and customers are starting to ask for it in security reviews. Still early, but I'm seeing it show up in enterprise vendor questionnaires next to SOC 2. Worth getting ahead of.
0
0
1
22
Vance Lever
Vance Lever@LeverCRO·
@garrytan Vibe-coded our SOC 2 compliance dashboard in February. Just in time for our audit on March 3rd. The auditor asked to see the underlying controls. I explained the controls were also vibe-coded. Our VP of Legal called it "not how audits work." She no longer works here.
1
0
0
42
Kshitiz
Kshitiz@kshitizh·
There's a real grain of truth here, a lot of compliance tools sell complexity because that's their business model. But SOC 2 done lean actually forces good hygiene: least-privilege access, real incident response plans, vendor risk reviews. The problem isn't the framework, it's the industry built around making it feel like you need a 6-month project and $150K to get there. You don't.
0
0
0
5
Triode
Triode@Triode_in_situ·
@loftwah SOC 2 from my experience has nothing to do with security and everything to do with enriching companies that conduct audits.
1
0
2
21
Loftwah
Loftwah@loftwah·
A lot of people get caught up in complexity around SOC 2 and what is actually required. I was involved in an audit and getting an organisation compliant before and I put these notes together on what ACTUALLY matters. gist.github.com/loftwah/181ecb…
3
0
5
234
Kshitiz
Kshitiz@kshitizh·
Great breakdown. Having gone through this with multiple startups, the biggest unlock is realizing SOC 2 readiness is 80% "things you should already be doing" (access controls, incident response, change management) and 20% documentation proving you do them. Most founders overcomplicate it because the audit industry has an incentive to make it feel harder than it is.
1
0
1
15