Harness engineering: Preparing TypeScript codebases for coding agents
Vibe coding is upon us, but it works best when the codebase has strong affordances. Here's how to prepare a TypeScript codebase for coding agents like Claude Code and Cursor.
All of my long-form thoughts on what I'm learning, what I'm building, and what I'm thinking about. I hope you find something interesting here.
Cyber is shifting from a labor-bound craft industry to a capital-bound one. That changes offense, defense, and state power all at once.
Information asymmetry, moral hazards, and perverse feedback loops in the penetration testing market.
A deep dive into the React4Shell / React2Shell vulnerability (CVE-2025-55182), a critical remote code execution vulnerability in the React Server Components Flight Protocol.
Can you execute arbitrary Python code from only a comment? We explore how Python's overzealous ZIP file detection can lead to unexpected code execution vulnerabilities when well-escaped user input is injected into comments or string literals in Python source files.
A reflection on the impact of a single life and the choices we make.
In a few weeks, I'll be leaving Cambridge and working on Hacktron AI full-time. We're going to shape the future of AI-assisted security research.
The NRIC numbers of individuals became available to anyone on the public internet through a new feature in the ACRA portal. My thoughts on the incident and why it is a big deal.
The fundamentals of static code analysis, taint tracking, and problems that CodeQL is solving under the hood.
I don't think I can ever truly quit security, but I'm ready to take a pause on popping shells and start building things that last. Here's a reflection on my journey so far and why I'm taking a step back.
I used to write about security and CTFs on infosec.zeyu2001.com and ctf.zeyu2001.com. These will remain up so that backlinks to popular writeups don't break, but this blog is where I'll be posting new content.