
Posts by Teri Radichel


Reducing Token Burn Rate With A Well-Designed Architecture
Trying to put out the AI token fire - or at least manage it as a controlled burn by using deterministic scripts for gathering inputs and directing agents

teriradichel.substack.com/p/reducing-t...

20 hours ago 0 0 0 0

I spoke about mistakes in this video. Make sure you add correction text so you don’t reinforce the mistakes.

21 hours ago 0 0 0 0
How I Use AI for Penetration Testing [Advanced] - Teri Radichel (YouTube video by AWS Community Day)

How I Use AI for Penetration Testing. Presentation at the AWS Security Community Day at the Computer History Museum on YouTube

youtu.be/nWntvFRwiPw

1 day ago 0 0 0 1

Oh and by the way I don’t want a dumbed down solution that makes it easier but does not provide the same * network * not application layer controls. I looked at VPC Lattice and it is not equivalent.

1 day ago 0 0 0 0

BlueSky needs to allow edits and longer posts, or at least do what Threads does and break posts into multiple posts if someone enters one that is too long. Such a pain I post less here.

1 day ago 0 0 0 0

Lambda *layer. Such a pain to post all that. Not fixing.

1 day ago 0 0 0 0

Why can’t VPC endpoints be a more cost effective pay per use model like other things on AWS so smaller security conscious customers with a lower budget can afford them?

Maybe I’ll add that to my AWS wishlist on the builder center later.

1 day ago 1 0 1 0

I just need to use a few lambdas for an authentication solution and to run some jobs and that cost just to deploy the network is up over $50 and I’ve only had the endpoints running a partial month and barely sent any network traffic.

1 day ago 0 0 1 0

I’m creating a Lambda troubleshooter that has been able to help me uncover most of the issues, but the problem now is the cost.

1 day ago 0 0 1 0

As I learned last night using a lambda later also requires a Lambda endpoint.

Then you add the security group to each endpoint, make sure DNS is configured correctly, etc. etc.

1 day ago 0 0 1 0

Oh you want to retrieve a secret?
secrets manager endpoint.

You wanted to use SSM parameters?
An SSM parameter endpoint

You want to deploy with CloudFormation?
There’s another endpoint

Execute a lambda using API gateway?
Execute endpoint.

1 day ago 1 0 1 0

AWS VPC Endpoints are so complicated and expensive but I really want to use them. They provide a unique level of security that a NAT does not replicate.

The problem is the rabbit hole you end up going down after you think you are “just” going to add the free gateway endpoints.

1 day ago 2 0 2 0
Pricing: Learn about Anthropic's pricing structure for models and features

Claude pricing changing to pay per token. This makes sense as long as value per token remains consistent. This will make it difficult to compare to prior performance and I wonder how users can transparently measure the usage.

platform.claude.com/docs/en/abou...

5 days ago 2 0 0 0

AWS Secrets Manager now supports hybrid post-quantum TLS to protect secrets from quantum threats - AWS

aws.amazon.com/about-aws/wh...

5 days ago 2 0 0 0

AWS needs to extend CloudWatch with tools that make it a real SIEM. Don’t overlay it with complexities it doesn’t need. Just extend it.

5 days ago 0 0 0 0

This post is not about Mythos capabilities because I can’t know until I try it. Opus 4.6 was great until it changed and I presume Mythos is better.

These are questions I have about AI risks for businesses that rely on it that I don’t see anyone else asking - or answering.

6 days ago 2 0 0 0

Go Hornets! We’re kinda neighbors and sort of have a connection to the high school where KK went. 🏀 Had to take a break after doing the necessary. Back on all things AI tomorrow. Finally. Can’t wait! 🤖

6 days ago 0 0 0 0

There are varying levels of exploits in terms of complexity but technically my fuzzer at RSA 2020 generated exploits. Without AI. It produced a working script and performed attacks. I did review manually. But I have so many more ideas for that fuzzer with and without AI - bound by time and compute.

6 days ago 3 0 0 0

Anthropic Mythos ~ Anthropic released a new model they claim is scary good at finding security vulnerabilities. What questions should we be asking?

This is not a hot take. I’m just pondering how much we can trust a model, the purported ROI, and how we can evaluate the risk of relying on it.

1 week ago 1 0 0 1

I am looking at messages in Google Developer tools and it is saying cdn.tailwindcss.com should not be used in production so if you are….
tailwindcss.com/docs/insrall...

1 week ago 2 0 0 0

I’ve added links to my presentation on how I use AI 🤖 for pentesting 😈 in this post. Most of the slides have a related blog post and I’ll probably write more about all these topics as I research this further. The PDF has links to related posts.

teriradichel.substack.com/p/how-i-use-...

1 week ago 1 0 0 0
Intro to S3 Files (YouTube video by AWS Developers)

Awesome video on S3 files youtu.be/zb8TdNJhZCk

1 week ago 1 0 0 0

The Computer History Museum is such an awesome place for a conference. Thanks to everyone who came to the AWS Community Day!

1 week ago 4 0 0 0

🤖🤖🤖🤖🤖🤖🤖🤖🤖🤖🤖🤖
Pentesting is not a scanner or a fuzzer - whether SAST, DAST, AI, deterministic or non-deterministic. Pentesting is a human * using those tools * to see if they can find a security problem that your teams and tools may have missed.
🤖🤖🤖🤖🤖🤖🤖🤖🤖🤖🤖🤖

1 week ago 1 0 0 1

I read all the Mythos hype right before I submitted my talk for today at the Computer History Museum. Did I need to change my slides? Nope.

1 week ago 2 0 0 0

users on Reddit and developer forums reported that the default was quietly shifted from high to medium for many subscribers, which explains the sudden change in performance. *

Need to check this out later. Flying out to speak at AWS Community Day in Mountain View.

1 week ago 0 0 0 0

Wonder if this has anything to do with performance degradation of Anthropic models. But are you now paying more for the same effort you were getting previously if you change this?

* Default Shift: In March 2026…

1 week ago 1 0 1 0
FBI: Americans lost a record $21 billion to cybercrime last year U.S. victims lost nearly $21 billion to cyber-enabled crimes last year, driven primarily by investment scams, business email compromise, tech support fraud, and data breaches, the Federal Bureau of In...

FBI: Americans lost a record $21 billion to cybercrime last year

www.bleepingcomputer.com/news/securit...

1 week ago 0 0 0 0
China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
Storm-1175 exploits 16+ CVEs since 2023, including zero-days, enabling rapid Medusa ransomware attacks within 24 hours.

Was part of a wave of attacks on rural hospitals during Covid. I believe the ransomware was Medusa but I thought they said it was attributed to Russia. Attribution is difficult. You might not really be sure, especially with AI.

thehackernews.com/2026/04/chin...

1 week ago 0 0 0 0