Konvu Security Blog
Insights, guides, and best practices for security professionals and engineering teams.

What the EU Cyber Resilience Act requires
A practical breakdown of what the EU Cyber Resilience Act requires by September 11, 2026 (Article 14 reporting) and December 11, 2027 (full applicability).
Six months of silent secret scanning
A coding agent committed .env.bak to our main branch. Our gitleaks hook had been a silent no-op for six months. Here is what we rebuilt at the org level.
Konvu is a Cyber Startup Award 2026 finalist
Konvu is a finalist for the Cyber Startup Award 2026 at Infosecurity Europe. Lucas will pitch on June 2nd and give a talk on vulnerability management on June 3rd.
A quarter of CVEs on our own repos
Everyone quotes +30% CVEs in Q1 2026. On our own repos the number is +314% quarter over quarter. Under 2% were actually exploitable. Here is the data and what it means for AppSec teams.
The False Positive Tax on Open Source
We forked Metabase, enabled Dependabot, and found 53 vulnerabilities. Every single one was a false positive. Open source vulnerability management is broken on both sides.
What Is Reachability Analysis (And Why It Misses Real Vulnerabilities)
Reachability analysis is a useful first filter for SCA findings, but it misses exploitable vulnerabilities and flags non-exploitable ones. We prove it with real CVEs and working exploit code.
Automatically Reproducing Bug Bounty Reports with AI Agents
Reproducing a vulnerability from a bug bounty report means deploying someone else's app from scratch, at the right version, with the right config. We built AI agents that do it automatically.
The Zero-Day clock is ticking. We showed the future of VM at RSAC LaunchPad.
Konvu pitched at RSAC LaunchPad 2026. Here's the problem we presented, what our customers helped us build, and what's next for vulnerability management.
Konvu Selected as RSAC Launch Pad Finalist
Konvu has been selected as one of three finalists for the RSAC Launch Pad competition at RSAC 2026. We'll pitch our AI-powered exploitability engine to top-tier VCs on March 24 in San Francisco.
Konvu Named a Supply Chain Innovator in the 2026 Latio AppSec Market Report
Konvu has been recognized as a Supply Chain Innovator in Latio's 2025 Application Security Market Report, validating our approach to exploitability analysis over simple reachability.
How to Scale Vulnerability Triage Without Breaking Audit Requirements
Vulnerability volumes exceed human triage capacity, but auditors demand every finding accounted for. Evidence-based triage bridges the gap between scale and compliance.
Why Static Code Reachability Is Not Enough: From "Reachable" to Truly Exploitable
Learn why static code reachability isn't enough for AppSec and how exploitability analysis slashes false positives and turns scanner noise into real risk.
Teaching AI Agents Without Fine-Tuning with Context Learning
Konvupero Fall Edition welcomed Anyshift's Ghazi Felhi to explore Agentic Context Engineering (ACE) - teaching AI agents without fine-tuning.
The Future of Vulnerability Management
For the past decade, security measured progress by vulnerability count. Detection wasn't progress, it was paralysis. Learn how agentic AI changes everything.
Being a Junior Software Engineer in 2025
Being a junior engineer in 2025 looks different. AI handles repetitive coding, leaving higher-leverage problems that demand judgment, curiosity, and product intuition.
Smooth Operations: Agentic Triage in Production
How Konvu uses agentic systems to autonomously triage security vulnerabilities in production, keeping sensitive code in-boundary while centralizing decisions.
Navigating Kubernetes: Hard-Won Lessons from Agent Injection Webhooks
Building a Kubernetes mutating admission webhook? Learn from our experience deploying agent injection across clusters, from bootstrapping to namespace scoping.
You don't need an AI agent framework, or why frameworks are the new Juicero
A practical lightning talk on building AI agents without frameworks. Build the loop, add the tools, measure, then earn the complexity.
Handling GitHub App Admin Approval Workflows
Building GitHub integrations for enterprise customers? Learn how to handle admin approval workflows, capture context, and automate installation fulfillment.
How Konvu got its name
The real story behind the Konvu name and a repeatable, two-hour process you can use to pick a strong .com without drama.
We helped build a YC Startup. Now we're building our own, The YC Way.
The YC principles we learned at Sqreen and still live by at Konvu. Build something people want, write code, talk to users, and focus on one problem at a time.
Using Java Dynamic Instrumentation to Detect Exploitable Vulnerabilities at Runtime
How Konvu uses Java dynamic instrumentation to identify truly exploitable vulnerabilities, reducing false positives and focusing remediation efforts.
Navigating the Maze of Maven Dependencies - A Survival Guide
A comprehensive guide to understanding and managing Maven dependencies, including conflict resolution, best practices, and common pitfalls.
How We Built Konvu for Global Scale From Day One
How Konvu built a global company from day one - lessons from US incorporation, international culture, and early market commitment by European founders.