0:00
/

Building an AI AppSec Engineer

Why MTTR is quietly lying to your AppSec team

Nobody has ever loved their AppSec tools. For years they flooded teams with findings that never answered the only question that mattered, which of these can actually hurt us. JJ, co-founder and CEO of Gecko Security, thinks AI finally changes that, and he brought a former Disney and Costco CISO along to pressure-test the idea from the buyer's chair.


Thanks for reading the Resilient Cyber Newsletter! Subscribe for FREE and join 20,000+ readers to receive weekly updates with the latest news across AppSec, Leadership, AI, Supply Chain, and more for Cybersecurity.


Why this conversation matters

This conversation sits right on the fault line running through AppSec today, where cheap AI discovery is burying teams in findings while the context needed to prioritize them keeps getting harder to assemble.

JJ makes the technical case for reasoning across code, architecture, and runtime at once, and Ryan Knisley grounds it in the messy reality of enterprise security, from broken metrics to tool sprawl to the uncomfortable speed at which CISOs are now being asked to trust automation.

If you build or lead an application security program, this is a clear-eyed look at what is about to consolidate and what still needs a human.

Key takeaways

  • An AI security engineer beats another scanner. Gecko reasons across code, infrastructure, and documentation so a finding arrives already tied to whether it is reachable in production and what data it would expose, which is the context legacy SAST never had.

  • Exploitability is decided outside the code. The product logic, architecture, and runtime that determine whether a bug matters live in design docs and Slack threads, not in the file a scanner reads, so context-free findings are mostly noise.

  • Business logic will not fall to a bigger model. JJ’s example is an endpoint with no auth check, which is critical in a document store and normal in a social app, and no LLM staring at the code alone can tell the two apart without the surrounding system of truth.

  • Chaining flips the priority list. As Ryan puts it, nobody attacks the lows, but the real question was always which low can get us, and connecting issues into an attack path finally answers it, sometimes demoting a paper critical and promoting ten chained lows.

  • The old severity list is breaking under commoditized offense. With exploit development getting cheap and agents running campaign-level attacks, defenders working down a flat list of misaligned severities are structurally behind.

  • Recurrence rate should replace MTTR. JJ argues MTTR rewards closing the same bug over and over with a fresh clock, so Gecko measures how many findings are variants of a class you already fixed and treats the class, not the ticket, as the unit of work.

  • You can buy time with a one-line mitigation. When properly fixing a chain would take three teams and weeks, Gecko can identify the single link to sever and stand up something like a Lambda to kill the attack path today, borrowing decades-old SecOps thinking for vulnerabilities.

  • Cal.com is the canary for open source in the AI era. AI coding tripled its pull request volume against a one-person security team, and once attackers could cheaply read every public change, openness became a liability, so it went closed source and consolidated four tools into one.

  • Consolidation is about risk and people, not just cost. Ryan’s shiny object problem leaves teams unable to take vacation because one person owns a tool, and collapsing the stack buys depth, cross-training, and less complexity to defend.

  • Judgment is the job that survives. As finding and fixing get automated, both guests land in the same place, that the scarce human work becomes deciding what correct looks like in your system and owning the risk you accept on purpose.

Notable quotes

“a fake metric that makes teams look good”

Ryan Knisley, on why MTTR rewards the wrong behavior.

“we’re gonna get dusted, we’re gonna get left behind, we’re gonna get absolutely owned”

Ryan Knisley, on the teams that are slow to adopt AI.

“the scarce thing left is the judgment”

JJ, on what stays human once finding and fixing get cheap.

Listen and watch

YouTube

Spotify

Apple Podcasts

Resources

Gecko Security

-> Check Out Gecko Security! <-

Subscribe

If this kind of practitioner-first take on AppSec and AI is useful to you, subscribe to Resilient Cyber for more conversations and writing on cybersecurity, AI, and the forces that shape both.

Discussion about this video

User's avatar

Ready for more?