UPDATED APR 23, 2026
Right now.
Most days I’m writing prototype code to see if an idea actually holds. Some days are spent with design partners figuring out which problems are sharp enough to build against. Just published SecLens on arXiv, a piece on how I’m thinking about evaluating AI inside security workflows. The next call is who the first hire should be.
Health is back on the priority list. Cooking my way through YouTube recipes. Running agent experiments on two Mac minis at home, making OpenClaw talk to Hermes to see how they behave. Long drives into nature, chasing sunsets.
latest
An 800-line open-source scanner for how much of your code an AI wrote, and how much of it you shipped without reading.
replying to: I told my investor 61% of my code was AI-assisted. The real number was 94%
The moat question is the part of your comment I find most interesting, and I don't think you're wrong about it. One correction on framing first: the 61% in the title isn't what I told the investor, it's the average the tool returned on my repo. What I actually told him was "60-70 percent", which was a guess; I genuinely didn't know. The title compressed that into a cleaner 61/94 …
replying to: I told my investor 61% of my code was AI-assisted. The real number was 94%
Yeah, this is the reframe I keep hitting on. Libs, boilerplate, SO copy-pastes, scaffolds. We were already conducting more than composing long before agents showed up. What's different now is granularity: agents work at statement level, not library level, so the "where did I actually decide something" signal is smeared across diff hunks instead of concentrated in architectural …
replying to: I told my investor 61% of my code was AI-assisted. The real number was 94%
Honest answer: most of what I know about my codebase I still know from actually working in it. The tool gives me aggregates I wouldn't otherwise see. Two things to separate. The "66% AI authorship" number is pulled from git trailers. Claude Code, Copilot, Cursor, Codex, Gemini, Devin, Windsurf all auto-add Co-Authored-By: lines on commits. The tool reads those directly. No …
replying to: I told my investor 61% of my code was AI-assisted. The real number was 94%
Sure. The numbers come from a benchmark I've been running called SecLens. 12 models, 8 OWASP Top 10 categories, 10 languages, 35 scoring dimensions. Paper's linked in the footer of the scan output (https://arxiv.org/abs/2604.01637) if you want the methodology. So "Python + Opus 4.6 = 63% detection" means "this model caught 63% of seeded vulns in Python code during the …
this year
replying to: I told my investor 61% of my code was AI-assisted. The real number was 94%
A few people DMed asking what the actual output looks like. Here it is on another one of my repos (overwatch-backend, a Django service). Different shape than the one in the post:
→ npx @mattersec/vibecheck scan
✦ vibe check
repo: mattersec-labs/overwatch-backend
commits: 50
range: Apr 2026
AI AUTHORSHIP 66% ████████████████▒▒▒▒▒▒▒▒ 33 / 50
Confirmed: Claude-code (Anthropic) 32
…
replying to: I told my investor 61% of my code was AI-assisted. The real number was 94%
Yeah, the 94% freaked me out too! Claude's been writing and rewriting it but thankfully nothing major has changed. Your second point is the one I can't stop thinking about. "If who pays you understands" is doing a lot of work in that sentence. Most investors, clients, eventual acquirers don't know the difference between "AI-assisted" and "mostly AI." We all use the same …
I told my investor 61% of my code was AI-assisted. The real number was 94%
Last Tuesday, an investor asked how much of my codebase was AI-written. I said "a lot, maybe 60-70 percent." I was guessing. I had no idea. The answer wouldn't leave me alone. Over the weekend I built a git-history …
replying to: I made a CLI to self-host your OpenClaw on your VPS
https://preview.redd.it/hyj8h3m7d5pg1.jpeg?width=1198&format=pjpg&auto=webp&s=a43b295a39b92bc86aa83560f0d405144bac7c70
Love that there is an auto-provision on DO, but having auto-provision for AWS, GCP would have been better!
replying to: Show HN: Clawsec - Open-source plugin for OpenClaw that blocks dangerous actions
Hi HN, we built Clawsec as a security layer for OpenClaw.ai (openclaw.ai). The problem: AI agents are getting good enough to run shell commands, query databases, and manage infrastructure autonomously. But one hallucinated rm -rf / or a prompt injection that exfiltrates your .env can do real damage. Clawsec intercepts agent actions before execution and blocks anything matching …
2025
2024
replying to: I’m Subho Halder, Co-founder & CEO of Appknox — AMA
Hi u/needsleep31, thanks for your question! Cloud security is a very vast topic for me to answer. I would suggest you go through the following resources, which would help you to understand cloud security in a better way: Follow Security Blogs/Knowledgebase of various cloud providers: aws.amazon.com/security/blog azure.microsoft.com/en-us/blog/security …
replying to: I’m Subho Halder, Co-founder & CEO of Appknox — AMA
Hey! Thanks for the question. Since you already have experience with web and backend development, you have a head start in understanding the core concepts of application security. In cybersecurity, knowing how apps are built helps you understand how to secure them. Here are some specific areas to focus on, given you want to shift into Mobile App Security: OWASP Mobile Top 10 …
replying to: I’m Subho Halder, Co-founder & CEO of Appknox — AMA
Hey! Congrats on completing the CS50x course :) that’s an excellent entry point into the world of tech! Since you’re already familiar with programming basics, transitioning into cybersecurity and DevOps is a great next step. I have already given a similar answer here, if you want to get started towards cybersecurity. On the DevOps side, you’ll want to get comfortable with …
replying to: I’m Subho Halder, Co-founder & CEO of Appknox — AMA
Thanks for the question! Let me quickly dive into this: I have been running Appknox for a decade now, and what I saw is that it was only 5-6 years ago that companies started setting up DevOps pipelines for mobile apps. These pipelines were generally used to build out the binary of the mobile apps using tools like fastlane, then ship it to the respective Play Store/App Store. If you look …
replying to: I’m Subho Halder, Co-founder & CEO of Appknox — AMA
I believe that cybersecurity is a field that is fun and satisfying for me. I get to break things, and understand the fundamental reasons for how systems work. Currently I am spending time on mobile kernels, and I recently gave a talk about how I wrote mobile kernel drivers to bypass RASP systems.
replying to: I’m Subho Halder, Co-founder & CEO of Appknox — AMA
Thanks for the question! I generally follow these resources and communities:
Krebs on Security: Brian Krebs does a great job covering cybersecurity news and breaches
Dark Reading: Another go-to source for the latest in cybersecurity
GitHub repositories: I search for topics and keep it as my bookmarks, you can check my lists: https://github.com/subho007?tab=stars
Reddit …
replying to: I’m Subho Halder, Co-founder & CEO of Appknox — AMA
Thank you for your question! Indeed, post-quantum security is an interesting topic; it has been attracting more and more attention with the development of quantum computing. I am not deeply specialized in post-quantum topics, so I won't be able to answer your question, but I'll still try to dig into it. Post-quantum security is mostly focused on breaking encryption …
replying to: I’m Subho Halder, Co-founder & CEO of Appknox — AMA
Thanks for the question! It’s great that you’re already thinking about security and taking steps like using ORMs and SSL certificates, although they are not enough, since the fundamental purpose of ORMs is to make it easier for a developer to abstract out DB queries, and SSL certificates help in verifying the integrity of the connection. Still, these are good starting points …
replying to: I’m Subho Halder, Co-founder & CEO of Appknox — AMA
Quitting my job to go full-time on the startup was both exciting and terrifying, definitely a rollercoaster of emotions! I had been working in security for a few years, and while I enjoyed the stability of a corporate job, I always had that itch to build something of my own. Starting Appknox with Harshit felt like the right opportunity, and we knew there was a growing need for …
replying to: I’m Subho Halder, Co-founder & CEO of Appknox — AMA
I agree with u/Ksbest26 that the companies you are applying to might have some requirements in terms of having security certifications done. Getting resumes selected by HR to be forwarded to the team that is hiring is sometimes challenging, and the quickest way to solve that would be to have these certifications in your resume.
replying to: I’m Subho Halder, Co-founder & CEO of Appknox — AMA
Great question! While cybersecurity experts and software engineers often have different focuses, their roles can sometimes overlap, especially in today's world, where we are integrating security into different stages of the development cycle, and these roles are not mutually exclusive. In fact, there’s often a significant overlap, especially with the rise of DevSecOps and the …
replying to: I’m Subho Halder, Co-founder & CEO of Appknox — AMA
I just remembered that I need to answer that part. Yes, it is possible. While an MBA may give you a high package from the start, a solid technical foundation can lead to even higher salaries in the long run — without compromising on learning. In 15 years, it's very possible to reach high-level packages in cybersecurity, especially as you specialize and move into leadership …
replying to: I’m Subho Halder, Co-founder & CEO of Appknox — AMA
Hi Bhupesh, thanks for the invite :) I'll try to answer your questions concisely. It’s not uncommon for developers to prioritize features and performance over security, especially when facing tight deadlines. In my experience, the challenge has been shifting security from being seen as a 'blocker' to being seen as a 'quality enabler.' A few things which we have tried to …
2017
2016
2015
2014
feed refreshed daily.
subscribe
Occasional notes on what I'm building, what's breaking, and what the AI × security boundary looks like from the inside. No spam, unsubscribe anytime.