Andy Ellis
Podcast Appearances
One reasonable choice is you authorize that computer for that user to log in on it, or you make it impossible for that user to use that computer.
What often happens is people say, well, by policy, you can't do it, but we won't support you.
But then that means you don't actually have a good authentication system in place if you're allowing the person to log in from an unknown computer.
I don't even want to use the word trust.
I just want to say known.
Like when we first did our zero trust implementation over a decade ago, my attitude was, if you've got 12 computers at home you're going to log in on, I'm going to put a credential on every single one of them so that I know that they're yours.
We'll worry about trust later.
But the first thing I want to do is say you can't log in from an unknown device.
Then we'll worry about trust.
So first of all, just as a warning to everything, they can vibe code every solution out there.
Almost any company you could build their basic functionality that they have in a weekend.
If you're an amazing developer, vibe coding makes that a little bit faster, but basic functionality is not what people tend to buy.
Right.
Nobody's buying ThreatLocker, since I've got Danny here, like just to do the basics of what ThreatLocker can describe in 30 seconds.
It's the details and the hard work of making sure things work at scale, right?
Why do people still use Google?
Search isn't hard; search at high quality is.
So be careful, like if you're vibe coding your SCA, if you wanted really good SCA, you might not get that out of vibe coding.
So it's just your cautionary tale.
But here's the answer, which is think of your vibe coding agent, whether it's Claude or something else, as a new sort of fractional employee, and you should be onboarding them and teaching them how to do their job.