Adam is the founder of disreGUARD.

Previously at his company &yet, he cofounded the Node Security Project (which became npm audit), and the consultancy ^Lift Security, which served as the first security advisors for companies like GitHub, npm inc, and Auth0.

He also cofounded Code4rena, which pioneered the audit contest model, bringing hundreds of auditors to compete to secure smart contracts in highly effective audits. He is also a cofounder of Talky and SimpleWebRTC.

He's spent over a decade teaming up with great people and agents to find structural security problems early and building the tooling and communities to address them.


Hi, it's me, Adam. I'll break out of the biospeak bubble for now.

When Sonnet 3.6 was released, I felt the AGI. I realized that with the right prompting and context management, and with enough tokens and surrounding harness software, it was possible to get Sonnet to build just about anything.

What did I want to build? The dumbest, most boring thing possible, of course.

After I sold Code4rena in summer of 2024, I was stuck carrying the ball on sales until I quit a couple months later. (Maybe that was the goal? lol)

Anyway, doing sales for C4 was a nightmare: full-globe timezone and customers nearly all in a rat's nest of Telegram chats that made it so easy to drop the ball or miss an opportunity. I wanted to build a tool to just keep me up to date on all the Telegram threads I was in and I wanted to cross reference that with our CRM so I'd know what to prioritize.

There was only one problem: Simon Willison.

Well, prompt injection was the problem, but I blame Simon.

I've been a fan of Simon and his wide-ranging work since I first read the incredibly well-written Django docs. As a result of following him, I was very familiar with the risks of prompt injection, having read all of his research since he first coined the term "prompt injection".

So, knowing the risks, I couldn't just wire up Sonnet with Telegram and HubSpot API access. The risk of leaking customer data or private chats was too high. Yes, I could build defenses, but doing that was onerous and there weren't great patterns.

That led me to over a year of obsessing every single day over prompt injection.

Which brings us here.