I've been on the other side of this table for years, negotiating contracts with DevSecOps and cybersecurity vendors. I know exactly what these tools cost and what you actually get for them.
Two weeks ago, I found myself needing to do a threat model. Instead of reaching out to a vendor, I sat down with Claude Code and built a repeatable process to generate one. It worked. Then I asked myself, what if I turned this into one of those $50K security reports we buy from security companies?
That's how Tachi was born. An open source automated threat modeling kit that does what I used to pay consultants five figures to deliver. And I never have to pay for a threat model again. Or at least, I only have to pay in tokens.
The build vs. buy math has fundamentally changed. If you can build it in under two weeks, why pay someone?
Right now, it's critical to be learning how to develop an agentic process. You cannot make risk decisions about capabilities you don't understand.
Glad to see you added in the "AI pitfalls" part - because that is likely to be a serious issue.
Before turning over your company to an army of agents, remember three things:
1) Human-in-the-loop does not scale.
2) AIs are fundamentally unreliable - just like humans. So deterministic systems are required to keep them under control.
3) Have a human security expert review security agents just like they are supposed to review everything else.
you got it
Agree, I've implemented a dozen automatizations already via AI. But AI as a tool here, not as a solution 🙃
amazing
I've been on the other side of this table for years, negotiating contracts with DevSecOps and cybersecurity vendors. I know exactly what these tools cost and what you actually get for them.
Two weeks ago, I found myself needing to do a threat model. Instead of reaching out to a vendor, I sat down with Claude Code and built a repeatable process to generate one. It worked. Then I asked myself, what if I turned this into one of those $50K security reports we buy from security companies?
That's how Tachi was born. An open source automated threat modeling kit that does what I used to pay consultants five figures to deliver. And I never have to pay for a threat model again. Or at least, I only have to pay in tokens.
The build vs. buy math has fundamentally changed. If you can build it in under two weeks, why pay someone?
Right now, it's critical to be learning how to develop an agentic process. You cannot make risk decisions about capabilities you don't understand.
If you don't believe me, try it yourself. Tachi is open source and free to use: https://github.com/davidmatousek/tachi