The AppSec Founders Are All Building UEC

Trimmed to bullet-point summary 2026-05-09 — original prose archived at _archive/blog-articles-pre-trim-2026-05-09/appsec-founders-are-all-building-uec.md. Pending rewrite in voice.

Convergence Observation

  • Five AppSec / AI-security / adjacent founders Miessler interviewed in 2025 independently converged on the same architecture under different names.
  • Underlying shape: Unified Entity Context (UEC) — Miessler’s decade-old framing. Single living model of the organization with AI as the lens on top.
  • Different accents — unified data lake, living world model, behavioral risk rating, agents that know which vulns matter, “unified context and taste.”

The Five Accents

  • Harry Wetherald, Maze (UL Member 2025-09-22). Most backlog vulnerabilities are not actually exploitable. Agents investigate every one against environment context (the way a senior engineer would). Output: 90+% smaller list. Harry: “shuffling a pack of cards where most cards should never be in there.”
  • Sarit Tager, Prisma Cloud / Palo Alto (UL Member 2025-07-29). Palo Alto merged Prisma Cloud + Cortex into a single unified data lake. Code findings + cloud posture + runtime + identity + SOC signals coexist in same graph. Pitch: “is this thing actually in production, exposed, reachable?” Non-security users come asking inventory / ownership / criticality questions — signal that the abstraction is right. UEC from defender side.
  • Jason Haddix + Daniel Miessler RSA 2025 review (UL Member 2025-05-08, off-floor). Vendor floor desperate; off-sites where real builders converged on the architecture. Sam Altman on stage spontaneously described UEC nightmare (compromised assistant with telos, journals, preferences). AIxCC cyber reasoning teams: model upgrades helped less than fixing scaffolding. Adobe/Google/OpenAI VM rebuild — strip CVSS/CVE entirely, pull raw advisory text, rate everything against own company context layered on rock-solid asset management.
  • Bar-El Tayouri, Mend AI (UL Member 2025-05-06). AI security is AppSec with a fuzzy interface. Companies have 10× more AI components than they realize. First job: discovery — honest map of every model / prompt / MCP server / agent / tool. Then “behavioral risk rating”: system prompt + model + retrieval + tools = single context-aware score because the combination is the vulnerability.
  • Grant Lee, Gamma (UL Member 2025-09-18). Outlier (slide decks). Product = design partner inferring format from user / audience / idea / medium. UEC of the presenter. Even far from security, same move.

Why Convergence

  • Either everybody read the same blog post (they didn’t quote Miessler), or the shape is being forced by the ground.
  • Vertical software was a pre-AI compromise — needed a specific UI on a specific schema to answer a specific set of questions.
  • Strong models + large context dissolve the compromise. The vertical app becomes unnecessary if the underlying entity is modeled well enough.
  • Sarit’s signal: users outgrow the security product because the graph is the best inventory in the company; operations / legal / business owners all query it. Abstraction eats its category.

Author Identity Update

  • PAI re-described: not scaffolding, but a UEC — specifically a UEC of self.
  • Telos = living model (goals, beliefs, projects, constraints).
  • Memory = delta layer.
  • Retrieval = lens.
  • Algorithm = action engine.
  • Same architecture as the AppSec founders, single-person scale.

Predictions for 2026-2027

  • Security spend → graph not scanners. Scanners become inputs. Vendors selling siloed findings collapse into “we just ingest into your lake.” Palo Alto already; Microsoft Graph API as pre-UEC.
  • AppSec + AI security merge. Bar-El’s premise: every AI component is an AppSec component with a fuzzy interface. No separate “AI security” industry by 2027.
  • Attackers ship UEC first. No governance overhead. Harry’s line: imagine attackers now have 20K employees instead of 20.
  • Personal UEC follows corporate UEC by ~2 years. What Palo Alto does for a Fortune 500 = what PAI does for one person. Same architecture, different blast radius.

Sources

  • Harry Wetherald on Maze (UL Member 2025-09-22)
  • Sarit Tager on Prisma Cloud / Cortex (UL Member 2025-07-29)
  • Jason Haddix + Daniel Miessler RSA 2025 review (UL Member 2025-05-08)
  • Bar-El Tayouri on Mend AI (UL Member 2025-05-06)
  • Grant Lee on Gamma (UL Member 2025-09-18)
  • UEC framing — Miessler “Unified Entity Context” member essay (2025-05-15)