Frank Wang

4K posts

@ffwang2

security @hellosurgeai. formerly headway, dbt labs, dell tech capital, mit, stanford.

San Francisco, CA Joined June 2008
1.4K Following 1.7K Followers
Frank Wang@ffwang2·
so are there going to be more security eng listings now? to be honest, it's hard to hire a good fit these days.
Frank Wang@ffwang2·
@abh1sek yeah it's unclear how an oauth compromise led to IAM access, especially you are using an idp + short lived credentials for infra
abhisek@abh1sek·
Vercel got pwned. Everyone is rotating secrets and writing about what happened. No one seems to be asking the question that how a single employee breach led to production compromise? What happened to IAM, reducing blast radius and boring old security primitives.
Frank Wang@ffwang2·
@GergelyOrosz this is actually quite common. a lot of the large company breaches, like okta, have been detected by their other customers first. it's a matter of how much a company invests into security.
Gergely Orosz@GergelyOrosz·
Few things are more embarrassing for any company than to only learn from your customer that you have been breached. It's what happened with Context ai. Vercel acted as their security team. This could well be a business-ending event, as it shows the startup cannot be trusted.
kanav@kanavtwt·
people in cybersecurity must be having the time of their lives
Frank Wang@ffwang2·
@andrewchen this isn't a hot take at all. it's a well known fact that AI exposes those who create unnecessary work to justify their existence.
andrew chen@andrewchen·
hot take :) The biggest and most productive people in the AI era are the folks who are already good at their jobs. AI as a multiplier, not an equalizer/democratizer
Frank Wang@ffwang2·
@remondimi @speechu the issue is that most security people aren't providing reasonable solutions to this problem short of complaining about it and wanting people to slow down.
Mike Remondi@remondimi·
AI has made this a really big problem. Companies are trying to ship as quickly as ever on one side, leaving less room for quality assurance. On the other side, AI has enabled bad actors to automate increasingly sophisticated attack vectors for both social engineering and more technical attacks. Stay safe out there!
Sundeep Peechu@speechu·
The Vercel hack now makes it four weeks straight of high profile breaches. Hoping for a small blast radius for those affected. I don’t think the pendulum swings back, we need to start building for assumed compromise.
Frank Wang@ffwang2·
@amritwt all the vibe coders learning about security today also.
amrit@amritwt·
Imagine the pressure on Vercel right now
GREG ISENBERG@gregisenberg·
This is why cybersecurity is the best startup category to build in right now
Every major platform is getting breached in 2026. vercel, snowflake, the list keeps growing.
AI made it 100x easier to build. it also made it 100x easier to attack.
If you're building a cybersecurity startup right now, your timing is perfect
The attack surface is expanding every single day and the buyers have never been more plentiful
Be safe out there
Vercel@vercel

We’ve identified a security incident that involved unauthorized access to certain internal Vercel systems, impacting a limited subset of customers. Please see our security bulletin: vercel.com/kb/bulletin/ve…

Frank Wang@ffwang2·
Traditional AppSec is being swallowed by frontier models. 🤖 Part 1 of my new series is live: Defining "AI-Enabled Product Security" and why the decentralization of security talent is the best thing to happen to the industry in a decade. Deep dive: open.substack.com/pub/franklyspe…
Frank Wang@ffwang2·
Gartner categories don’t make sense in an AI-native world where every environment is heterogeneous. 📉 I’m starting a new series of practitioner-led research to define the categories that actually matter. First up: AI-Enabled Product Security. open.substack.com/pub/franklyspe…
Frank Wang retweeted
Surge AI@HelloSurgeAI·
When we built GSM8K with OpenAI five years ago, it represented the absolute frontier of what was possible. Today, the industry has moved so fast that it’s essentially just the first stepping stone. But the moonshot problems - resolving the Riemann Hypothesis, curing cancer, proving (or disproving!) P vs. NP - remain unsolved. We need a new yardstick for the era of reasoning AI agents.
Today, we're introducing Riemann-bench: a new moonshot math benchmark to push the frontier of discovery even further: surgehq.ai/leaderboards/r…
Riemann-bench is a verifiable benchmark of extreme-tier mathematical problems. Even with the best tools available, frontier models score below 10%.
How we built it:
- Leading mathematicians - we collaborated with Ivy League professors, graduate students, and PhD IMO Medalists to gather problems from their own research - tasks that often took the authors weeks to solve independently.
- 100% private - to ensure a fully unbiased evaluation for frontier labs, the dataset is kept strictly private and uncontaminated.
- Unconstrained agents - unlike benchmarks that force models into rigid loops or strict token limits, Riemann-bench evaluates true, unconstrained AI research agents. We want to see how they actually think.
- Double-blind verification - every problem undergoes a strict protocol where two independent domain experts have to solve it from scratch.
We asked our contributors why they spend so much time training AI. Their answer was deeply human: They believe collaborative AI is the only way they'll see their life's work - the deepest conjectures in their fields - resolved in their lifetime.
We hope solving Riemann-bench will bring us one step closer to solving the Riemann hypothesis, ushering in a new era of Fields Medal-winning discoveries, and helping humanity understand the nature of the universe.
Check out the full Riemann-bench leaderboard here: surgehq.ai/leaderboards/r… (Note: We've faced significant API errors running the GPT-5.4 family of models, but hope to resolve those soon.)
Frank Wang@ffwang2·
Is the security community actually ready for the agentic shift? 🤖 Heading into RSA/BSides with 5 thoughts on why the "AI SOC" is the wrong problem to solve and how frontier labs are redefining who the real security buyer is in 2026. Deep dive: franklyspeaking.substack.com/p/5-thoughts-g…
Frank Wang@ffwang2·
legacy cyber giants are at a crossroads: become a footnote or become the infrastructure of the agentic era. 🤖 by embracing mcp servers and semantic integrity, incumbents can move from "taxing seats" to "powering actions." open.substack.com/pub/franklyspe…
Frank Wang@ffwang2·
Claude Code Security is a warning shot for the entire industry. 🎯 Is AppSec dead? Is your SaaS moat melting? I took a deep dive into why foundational labs are eating the application layer and why the "Build vs. Buy" calculus has flipped forever. open.substack.com/pub/franklyspe…
Frank Wang@ffwang2·
The AI SOC is a faster horse; Deception is the engine. 🏎️💨 Why "Zero Incidents" is a counterproductive metric and how AI is reviving Deception to create an autonomous "Mean Time to Deterrence" loop. open.substack.com/pub/franklyspe…
Frank Wang@ffwang2·
Google is the secret dark horse of cybersecurity. Between vertical integration, Gemini, and the Wiz acquisition, they’re building the "Anti-Microsoft" stack for a world that scales with code, not headcount. open.substack.com/pub/franklyspe…
Frank Wang retweeted
echen@echen·
"Prognosticative pastry." "A hound circling a tree, nose to bark." These aren’t parodies - they’re actual quotes from SOTA models in response to creative writing prompts, and they’re winning leaderboards that are rewarding slop.
We’re introducing *Hemingway-bench*, a new AI writing leaderboard, to fix this: surgehq.ai/leaderboard surgehq.ai/blog/hemingway…
We designed Hemingway-bench to push frontier model writing toward genuine nuance and impact. Instead of autograders and two-second vibe checks - both of which love fancy literary devices and dense formatting, over actual quality - we used expert human writers across a variety of fields to judge real-world writing tasks.
Why? I love writing. I love reading. Great science fiction is one of the things that's always inspired me. Even in terms of "enterprise value", so much of what we do in our day-to-day involves writing - we want crisp emails and insightful reports, not dry, verbose summaries. Yeah, coding is important - but there's a reason I use CC-assisted apps, but still haven't read a full-fledged AI novel.
What did we find? Current leaderboards are easily hacked, and often negatively correlated with actual quality. If a model (over)uses all the stuff you learn about in school (metaphors in every sentence! transition words! complex, flowery phrases!), it ranks high on EQ-bench and LMArena. But that’s not good writing that people actually want.
The winners of Hemingway-bench didn't sound like they were trying to win a poetry slam. Gemini 3 Flash, Pro, and Opus 4.5 took the top 3 spots because they had natural voices that didn't sound pretentious. They were poetic and immersive, but in the right ways. When they used wit, they didn't sound cringey and try-hard - they sounded like your naturally funny friend.
I'm waiting for the day AI wins a Pulitzer, and hopefully Hemingway-bench helps guide it on its way.
Check out the leaderboard and examples here: surgehq.ai/leaderboard And our blog post describing it: surgehq.ai/blog/hemingway…