Made some notes on how Cursor works under the hood based on their security documentation - it turns out an organization's list of subprocessors offers a loose form of "view source" for their infrastructure! simonwillison.net/2025/May/11/cu…

@simonw I think their most valuable piece is UX and Custom Models(tab / custom apply model) at this point(which enables differentiation compared to 10 other forks). The next piece of differentiation will be background agents, most likely.

@simonw Yep, the subprocessor list is a great way to see how some big startups build their infrastructure. I’ve also learned a lot from seeing how others set up their tech stacks

@simonw The other way to understand their infrastructure is to look at the linkedin of their junior and mid employees. "implemented a Doodad auth system from scratch" 😅

@simonw youtube.com/watch?v=4jDQi9…

@simonw Really interesting to read this and compare it to Windsurf’s architecture. You can see how much effort they have put into being Enterprise ready. Maybe even more than Cursor. windsurf.com/security

@simonw I’d love to read their SOC2 (cannot believe I said that)

@simonw Thanks

@simonw Windsurf were forced to do it much earlier (they were in Dell)

@simonw Great piece Simon!

@simonw Yes, an organizations job listings and GDPR subprocessors reveal quite a lot.

@simonw This. For customers, should be explicit.

@simonw Unable to load your site for some reason.

@simonw peeking under the hood sparks the best hacks!

@simonw How is Copilot handling security?

@simonw it's pretty interesting to see more and more companies list their subprocessors out publicly! in the past, I've had to sign an MNDA, etc (though, usually in the context for also getting audit reports & more)

@simonw What is it about relative paths? Path to what? Why embed it?