
Key Takeaways
- Real incident data from enterprise environments is what separates meaningful security frameworks from theoretical ones, and that data only flows into the community if practitioners are willing to bring it there.
- The relationship between hands-on research and community work is not one-directional. Every stage, working group, and government conversation sharpens how you look at the threats waiting for you the next morning.
- Frameworks like the OWASP Top 10 for Agentic Applications are not built in labs. They are built from thousands of real incidents, distilled carefully enough to be shared without exposing the organizations they came from.
- Advising governments and speaking globally is not separate from the day job. It is how the day job creates impact beyond the walls of the organizations you directly protect.
The Sentence I Cannot Stop Thinking About
A few years ago, I was sitting across from a security leader at a large enterprise. They had just deployed their first wave of AI agents. When I asked how they were thinking about the security of it, they paused for a moment and then said something I haven’t forgotten.
“I don’t know where to start. I don’t even know what I should be afraid of, except for the fact that I know I should be afraid.”
I felt that. Not just as a researcher, but as someone who had been in enough of those rooms to know it was not one person’s gap. It was the whole industry’s gap. The technology had moved faster than the frameworks designed to protect it, and security teams were being asked to defend something nobody had fully mapped yet.
That feeling is a big part of what drives the community work I do. Because the only way that gap closes is if the people who have visibility into what is actually happening are willing to bring it out into the open.
What the Day Job Actually Looks Like
At Zenity, I lead AI security research. My team’s job is to understand the threat landscape facing enterprises deploying AI today, not in theory but in practice, and to build detection that protects them with high enough recall and low enough noise that security teams can actually act on it. That last part matters more than people realize. A detection mechanism that generates too much noise does not make a security team safer. It just makes them exhausted.
That work gives me something genuinely hard to come by: visibility at scale. Across hundreds of thousands of activities spanning different enterprises, different applications, and different industries, I have seen thousands of real incidents. Most of them will never be written about. The organizations they happened to have no interest in becoming a case study, and I respect that completely.
But the patterns those incidents reveal, the ways attacks repeat across different environments, the gaps that keep appearing in the same places, the controls that keep failing for the same reasons, that knowledge belongs to the community. Finding ways to share it responsibly, at the right level of abstraction, without exposing anything sensitive, is something I think about constantly. And honestly, staying silent about it has never felt like an option to me.
When Research Becomes a Framework
When John Sotiropoulos and Ron F. Del Rosario from the OWASP Agentic Security Initiative asked if I would be willing to lead the Top 10 for Agentic Applications project, and they were explicit about why they wanted someone with my background. They understood that a framework built from real incident data would land differently than one built from theoretical modeling. That trust meant a lot to me, and I did not take it lightly.
What went into that framework was not invented. The threat categories of goal hijacking, rogue agents, cascading failures, and supply chain attacks kept appearing in real environments, across different organizations, in ways that existing frameworks had no language for. The incidents I had seen over the years, going back well before Zenity, were what gave me the conviction that these were the right things to be naming and prioritizing.
Steve Wilson and Ads Dawson, who led the OWASP Top 10 for LLMs and essentially laid the foundation for how the industry thinks about AI security, gave their time and feedback throughout the process. Having their trust, alongside the trust of hundreds of contributors from across the world who joined the effort, was something I did not take for granted.
The measure of it, for me, is not the scale of adoption. It is walking into a conversation with a client or a prospect and seeing that their success criteria for detection and response is the OWASP Agentic AI Top 10. That still humbles me every time.
The Other Direction
Here’s the part that doesn’t get talked about enough. The knowledge does not only flow one way.
Every stage I speak on, and I speak on many across different countries and different kinds of audiences, adds a new layer to how I think. A perspective from a researcher at a different institution that reframes something I had been looking at from only one angle. A government conversation where I realize a particular class of attack is being thought about at a national policy level, which tells me something important about where it’s heading. Exposure to how different communities, academic institutions, and regulatory bodies are processing the same threats gives me a richer picture than any single environment could.
Advising governments is some of the most grounding work I do. Those conversations force a kind of clarity that is different from talking to security practitioners. Policymakers need to understand not just what the threat is, but what the consequences are, who bears them, and what levers actually exist to address them. Preparing for those conversations makes me a sharper researcher. Every time.
The Agentic Research Council, which I am part of alongside representatives from Oxford, Microsoft Research, and the UK’s LASR, is built explicitly around this dynamic. The goal is to close the distance between academic research and enterprise defense, not because one is more valuable than the other, but because each has access to knowledge the other genuinely needs. That bridge is where the most important work is going to happen over the next few years.
Why I Keep Showing Up
I have committed to doing both things, the deep technical work and the community work, for as long as I can. Not because it’s easy, because it’s not. But because that security leader’s words have never left me. The feeling in that room. The honest admission that they knew there was something to be afraid of, but had no map for it yet.
When you’ve seen what I’ve seen, like the incidents, the patterns, and the gaps that keep appearing in the same places across different organizations, staying on the sidelines isn’t something I’m able to do. The knowledge has to go somewhere useful. The community is where it belongs.
That is a solvable problem. Not by one person, not by one framework, and not quickly. But the community is building the tools and the shared knowledge to solve it. And I intend to keep contributing to that for as long as I can.
Be Part of the Work
If you are working in AI security, as a researcher, a practitioner, a security leader, or someone building these systems, the community needs what you know. The OWASP Agentic Security Initiative is open, the Agentic Research Council is bringing together new voices across academia, industry, and government, and there are more forums and working groups forming every month.
The field is young. The problems are real. And the most valuable thing any of us can contribute is direct, honest knowledge of what is actually happening.
Explore the OWASP Top 10 for Agentic Applications and reach out to OWASP if you want to be part of the work.
All ArticlesRelated blog posts

Proof Over Prediction: What Happens When You Actually Watch Who's Attacking AI Infrastructure
Customer telemetry shows how AI agents behave in a limited set of production environments and what risks they carry....

Zenity Labs: The Bleeding Edge
At Zenity, we like to say we don't only exist on the bleeding edge; we are the bleeding edge. It's a defensible...

AI Agents Are Already Running the Enterprise. Security Hasn't Caught Up.
For years, conversations about AI security risks were framed as forward-looking. Organizations were told to prepare...
Secure Your Agents
We’d love to chat with you about how your team can secure and govern AI Agents everywhere.
Get a Demo