This article explains how I split an XSS security development specification for small local models into core/verify/dev/test overlays, and what I learned while connecting LLM-based judgment to regression-test generation and Jazzer/Jazzer.js fuzzing seeds.

A reading of Korea’s 2025 whole-of-government information protection plan through the structural parallel between the Nightingale myth and the white-hacker discourse. Policy is moving from dependence on individual ethics toward structural accountability, but the transition is not complete.

Through the Nightingale myth, the white-hacker discourse, the Sterbenz lemma, and browser exploit reasoning, this essay argues that the real change LLMs bring lies not in knowledge retrieval but in problem reframing.

The decisive front in national AI strategy is not GPU count alone, but who controls and can prove the flow of data, models, agents, permissions, logs, and verification running on top of those GPUs.

I designed sec-audit-static workflow v2.0, ran it against a real auth-server codebase, and missed two things. This is the record of how those misses were folded back into the tool — through v2.8.

Security controls already exist. The real problem is that we cannot decide which customer, at which moment, deserves how much friction. As the closing chapter of the CAPTCHA·ATO series, this post is about moving from quantity of controls to context of controls — adaptive security as an operational discipline.

Policy is not the only thing that creates change. Once external actors — insurers, customers, supply chains, evaluation services, security SaaS — start pricing the cost, governance eventually follows.

MCP security risks are not about prompt injection. They stem from the same configuration-to-execution escalation pattern that has plagued RPC, local security software, and CI/CD pipelines for decades.

To move from compliance capability to adaptive capability, what do we measure? This post proposes MTTA, MTTP, MTRS, and a minimal execution template for the field.