Zack Korman
@zkorman.com
CTO at Pistachio. I build AI cybersecurity stuff.
Every Microsoft Entra tenant is weird in some way, but every IT admin is convinced they’re totally normal. We have thousands of customers at Pistachio, and we still meet admins who surprise us. “Of course we put company name in the email field and email in department”
November 6, 2025 at 10:15 PM
@wyden.senate.gov thought you might be interested. Microsoft Copilot allowed users to bypass the audit log and Microsoft did nothing to disclose that: pistachioapp.com/blog/copilot...
Copilot Broke Your Audit Log, but Microsoft Won’t Tell You
pistachioapp.com
August 22, 2025 at 7:37 AM
If you have an audit log and you have an API, then requiring the “enterprise package” to access the audit log via the API isn’t cool. Specifically: GitHub.
August 7, 2025 at 4:09 PM
If you are at #Blackhat can you please go by our booth, I bought way too much merch and don’t want to look like an idiot.
August 6, 2025 at 9:08 PM
Not knowing things about technology is a great way to feel young. I’m not ignorant, it was just “before my time” (2019).
July 21, 2025 at 5:59 PM
Giving a vendor time to fix a vulnerability makes sense, but I can’t help but feel the practice is being abused and therefore produces worse security outcomes. When large orgs want to move fast they absolutely can; taking 90 days to fix a vulnerability is a choice.
July 19, 2025 at 2:49 PM
Every time a VC posts “AI-first companies can build billion dollar businesses with 10 people because they can use AI agents, not people, to scale”, I’m tempted to send them a deck that is a pure operations play. Put your money where your mouth is. “Walmart but AI”
July 18, 2025 at 5:22 PM
If AI is so good at writing code, why is Gemini 2.5 pro only available on the global endpoint? Why does batch processing for 2.0 work everywhere BUT global? Why can’t I fine tune 2.5? Can’t some PM at Google just vibe code these things for me?
June 17, 2025 at 7:34 PM
Are we fine sharing screenshots from the other place? If so, one comment: skill issue.
June 7, 2025 at 6:44 AM
If everyone is supposedly building cutting edge AI apps, then why are all of the AI models’ APIs and client libraries so poorly documented and buggy? It really gives away how little people are doing with AI beyond the very basics
June 6, 2025 at 6:36 PM
One good thing about AI is that it encourages people to think more about building “software that does the job for you” instead of “software that enables you to do the job” and I think that is long overdue.
November 24, 2024 at 9:10 AM
Reposted by Zack Korman
I wrote a blog post on how to deploy your Go application from the terminal using systemd

https://egreb.net/posts/deployment-with-go/

#go #golang
August 2, 2023 at 7:05 AM
What the hell is SharePoint? I just wanted to put some files in a folder so people could access them, and now it is asking me to make a website.
July 27, 2023 at 9:26 AM
I wrote about what it is like to build a product that the end user doesn't really want, and why gamification isn't a solution to that: https://pistachioapp.com/blog/you-cant-gamify-security-awareness
You Can’t Gamify Security Awareness
Building a security culture without games? Explore why gamifying security awareness isn't effective and how we've tackled the issue at Pistachio.
pistachioapp.com
July 20, 2023 at 3:42 PM
How do I harass an airline on here if brands don’t use bluesky
July 19, 2023 at 11:10 AM
A lot of the conventional wisdom of the startup world comes from an era fundamentally different from today, but lives on because the winners of that era are the VCs of today.
July 10, 2023 at 9:38 PM
Gamification can alter behavior within some macro goal a person already cares about. That’s the point product teams keep missing. The person has to already care.
July 9, 2023 at 2:09 PM
Do I just give an invite code to the startup I work at so we start getting some brands here, or…
July 8, 2023 at 7:07 AM
It feels awkward sending out invite codes to people now. “Yea uh so here is the code for the social media platform that for some reason hates new users”
July 7, 2023 at 11:19 PM
That joke about posts loading here really slaps, glad they decided to pin it to the top of the what’s hot feed for the last 12 hours
July 2, 2023 at 12:03 PM
Reposted by Zack Korman
TIRED: Killing your service’s third-party apps

WIRED: Killing your service’s first-party apps
July 1, 2023 at 10:10 PM
I actually didn’t finish reading this tweet so I missed the dumbest part, which is that he is giving new users the lowest rate limit.
July 1, 2023 at 5:40 PM
I wrote some stuff about whitelisting domains for attack simulations, and why Google and Microsoft are bad: https://pistachioapp.com/blog/think-twice-before-whitelisting-for-attack-simulations
Think Twice Before Whitelisting for Attack Simulations
The dangers of whitelisting for attack simulations: what you need to know.
pistachioapp.com
July 1, 2023 at 5:25 PM
Pistachio
pistachioapp.com
June 5, 2023 at 5:06 PM
<3 Oslo shutting down the entire transport network so some NATO people can motorcade through the city.
June 1, 2023 at 7:19 AM