Blog
Technical deep-dives on protecting proprietary code from LLM APIs.
The breaches that defined AI security in 2025: code leaked through Cursor, API keys exposed in Claude sessions, enterprise IP in Copilot context windows. Here is exactly how Pretense prevents each attack vector.
A clear, visual walkthrough of Pretense's request flow, mutation algorithm, and 30-second deployment. After reading this, you know exactly what Pretense does and how to run it.
A synthetic composite showing how a regulated FinTech team deployed Pretense after a CISO stop-work order, protected 2.3M proprietary identifiers, and maintained 94% developer productivity with a full SOC2 audit trail.
Redaction tools remove information from prompts, but they break LLM context and output quality. Here's why mutation (replacing identifiers with semantically equivalent synthetics. That is the right approach.
Nightfall is the incumbent in AI data loss prevention. We did a detailed technical and cost comparison. Here is how Pretense stacks up on every dimension that matters to enterprise security teams.
Claude Code is transforming how engineers write code. But every prompt you send contains proprietary identifiers. This guide shows exactly how to route Claude Code through Pretense in under 5 minutes.
The mutation algorithm being documented is a feature, not a bug. If the algorithm is public knowledge, security does not depend on keeping it secret. It depends on keeping your mutation keys private. Like SSL: the protocol is public, your certificate is private.
SOC2 CC6.7 and CC7.2 now effectively require demonstrating control over AI tool usage. Here is a practical guide with ready-to-use control documentation, the four artifacts your auditor wants, and a template control statement you can use today.
Most developers do not think about what they are sending to AI tools. This is a practical primer on what leaves your machine, where it goes, what is actually at risk, and three rules every developer should follow before using AI on production code.
Most companies prohibit sending proprietary code to external APIs. It is in the employee handbook you did not read. Here is how to use AI tools anyway, pragmatically and safely.
Pretense started as a solution to our own problem. We were using Claude to build Pretense, and realized we were sending proprietary code to Anthropic. Here is the full story.
Most security tools are black boxes. Pretense's mutation engine is fully documented and auditable. Here is why that decision makes Pretense more trustworthy, not less.
Opinionated predictions on where AI security is heading: audit trails, breach incidents, data residency law, mutation replacing redaction, and the CISO evolving from gatekeeper to architect.
From a single CLI package to a 17-package monorepo with VS Code extension, GitHub Action, MCP server, and dashboard. Here is what changed and what we learned.
Code mutation replaces proprietary identifiers with semantically equivalent synthetics before sending to LLM APIs. Unlike redaction, it preserves context so the AI still produces useful output. Here is how it works and why it is the right architectural choice.
GitHub Copilot sends your code to Microsoft servers. For most teams that is acceptable. For teams with proprietary algorithms, client contracts, or regulated data, it requires a protection layer. Here is a practical guide to using Copilot safely.
AI coding tools are now standard developer infrastructure. For CISOs, that creates a new attack surface: every code completion, every prompt, every context window is a potential data exfiltration channel. This guide covers the threat model, control framework, and enforcement mechanisms.
SOC2 Type II auditors are increasingly asking about AI tool usage controls. CC6.7 requires demonstrating that third-party data access is controlled. If your team uses Copilot, Cursor, or Claude, you need a documented control. Here is what to build.
Cloud DLP tools scan your data after it reaches their servers. For AI coding tools, that is too late: the data left your network the moment the developer hit autocomplete. Local-first security stops exfiltration before transit, not after.
Manual code review catches some secrets and proprietary identifiers before AI prompts are sent. But it catches roughly 40% of them, introduces 2-3 day delays, and does not scale with team growth. Here is a detailed comparison.
Financial services firms face stricter data handling requirements than most industries. Sending proprietary trading algorithms or client-identifying code to AI APIs creates real regulatory exposure. Here is how regulated FinServ teams are solving this without blocking developer productivity.
HIPAA does not prohibit using AI coding tools. It prohibits sending protected health information to unauthorized parties. If your codebase references patient data structures, claim identifiers, or PHI schemas, standard AI tools create real compliance exposure. Here is how to close the gap.
One email per week. Technical depth. No marketing fluff.