<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>uncategorized</title><description>Notes on Consulting, Security, AI - and the occasional Ink.</description><link>https://uncategorized.blog/</link><item><title>The Chaos Engine: How Chunked Prefill Unmasked the Non-Linear Nature of Text Diffusion</title><link>https://uncategorized.blog/posts/the-chaos-engine-how-chunked-prefill-unmasked-the-non-linear-nature-of-text-diffusion/</link><guid isPermaLink="true">https://uncategorized.blog/posts/the-chaos-engine-how-chunked-prefill-unmasked-the-non-linear-nature-of-text-diffusion/</guid><description>A 26 GB text-diffusion model demanded 523 GB of RAM. The fix was one parameter — and the parameter changed what the model said. Running diffusiongemma at its full 262K context on a Mac.</description><pubDate>Fri, 12 Jun 2026 00:00:00 GMT</pubDate></item><item><title>Be one of the eyes: catching supply-chain attacks with a 12B model on your laptop</title><link>https://uncategorized.blog/posts/be-one-of-the-eyes-catching-supply-chain-attacks-with-a-12b-model-on-your-laptop/</link><guid isPermaLink="true">https://uncategorized.blog/posts/be-one-of-the-eyes-catching-supply-chain-attacks-with-a-12b-model-on-your-laptop/</guid><description>Routine package review is a waste of a frontier model&apos;s intelligence — and a job a 12B open model can do, offline, on hardware you already own. 
Here&apos;s the proof, and an invitation.</description><pubDate>Wed, 10 Jun 2026 00:00:00 GMT</pubDate></item><item><title>Turbo3 vs q8_0: What KV Cache Quantization Really Costs on an RTX 5090</title><link>https://uncategorized.blog/posts/turbo3-vs-q8_0-what-kv-cache-quantization-really-costs-on-an-rtx-5090/</link><guid isPermaLink="true">https://uncategorized.blog/posts/turbo3-vs-q8_0-what-kv-cache-quantization-really-costs-on-an-rtx-5090/</guid><description>A benchmark of two KV cache formats on Gemma-4-31B, and what the numbers actually mean for people who use long context.</description><pubDate>Tue, 14 Apr 2026 00:00:00 GMT</pubDate></item><item><title>The Play-Pretend Problem</title><link>https://uncategorized.blog/posts/the-play-pretend-problem/</link><guid isPermaLink="true">https://uncategorized.blog/posts/the-play-pretend-problem/</guid><description>Walk into any large enterprise’s security team and ask them to show you what they’ve built. You’ll see tools. Lots of them. A SAST platform, an SCA scanner, a CSPM dashboard, maybe a GRC suite, probably a SIEM. You’ll see policies — information security policy, acceptable use, data classification, incident response. You’ll see frameworks — […]</description><pubDate>Tue, 31 Mar 2026 00:00:00 GMT</pubDate></item><item><title>The Problems Nobody Talks About in Security Consulting</title><link>https://uncategorized.blog/posts/the-problems-nobody-talks-about-in-security-consulting/</link><guid isPermaLink="true">https://uncategorized.blog/posts/the-problems-nobody-talks-about-in-security-consulting/</guid><description>There’s a version of security consulting that looks great on paper. A pentest gets scoped, executed, and delivered as a PDF. The client receives it, files it somewhere, maybe fixes a few things, and everyone moves on until next year. The tools are there. The frameworks are there. The compliance checkboxes get ticked. 
And yet […]</description><pubDate>Tue, 31 Mar 2026 00:00:00 GMT</pubDate></item><item><title>The Tool-Dependency Problem</title><link>https://uncategorized.blog/posts/the-tool-dependency-problem/</link><guid isPermaLink="true">https://uncategorized.blog/posts/the-tool-dependency-problem/</guid><description>Every CISO I’ve ever spoken to has a version of the same conversation at least once a quarter. A vendor calls. The pitch is some variation of: “Our platform finds vulnerabilities faster, with fewer false positives, and integrates with your existing workflow.” The demo looks good. The dashboard is clean. The marketing says it’ll reduce […]</description><pubDate>Tue, 31 Mar 2026 00:00:00 GMT</pubDate></item><item><title>The Dev-Sec Friction Problem</title><link>https://uncategorized.blog/posts/the-dev-sec-friction-problem/</link><guid isPermaLink="true">https://uncategorized.blog/posts/the-dev-sec-friction-problem/</guid><description>There’s a meeting that happens in almost every organisation with both a security team and a development team. Someone from security presents a list of findings. The developers sit there, arms folded — literally or figuratively. The findings get acknowledged, maybe assigned, and then nothing happens for weeks. Or months. Or ever. Security blames dev […]</description><pubDate>Mon, 30 Mar 2026 00:00:00 GMT</pubDate></item><item><title>The One Who Held the Sacred</title><link>https://uncategorized.blog/posts/the-one-who-held-the-sacred/</link><guid isPermaLink="true">https://uncategorized.blog/posts/the-one-who-held-the-sacred/</guid><description>He spoke of passion that kneels in flame – not the kind that pleads. He carried fire as faith, and they gave him to those who feared the heat. He turned from gold-lined thrones, chose creed over compromise. Now debt grips the hands he freed, chained to the very seats he refused. 
He counts broken words – each promise a dropped coin […]</description><pubDate>Mon, 30 Mar 2026 00:00:00 GMT</pubDate></item><item><title>The Pentesting Delivery Problem</title><link>https://uncategorized.blog/posts/the-pentesting-delivery-problem/</link><guid isPermaLink="true">https://uncategorized.blog/posts/the-pentesting-delivery-problem/</guid><description>Ask any pentester how their findings get delivered and the answer is almost always the same: a PDF. Sometimes polished with a cover page and an executive summary, sometimes a Word doc hastily converted. But the mechanism hasn’t changed in decades — a document gets produced at the end of the engagement, emailed to someone […]</description><pubDate>Mon, 30 Mar 2026 00:00:00 GMT</pubDate></item><item><title>AI Didn’t Find the CVE. The Workflow Did</title><link>https://uncategorized.blog/posts/ai-didnt-find-the-cve-the-workflow-did/</link><guid isPermaLink="true">https://uncategorized.blog/posts/ai-didnt-find-the-cve-the-workflow-did/</guid><description>Everyone’s arguing about whether AI “works” in security. Wrong question. The right question is: are you building workflows that let it work, or are you pasting code into ChatGPT and calling it a day? I’ve spent the past year building CRIA (Code Risk Intelligence Agent) — a structured, multi-stage pipeline for security code review. No magic prompts. No […]</description><pubDate>Wed, 25 Mar 2026 00:00:00 GMT</pubDate></item></channel></rss>