2026-05-02
Own Your Tools & Get Ready for the Cyber AI
This is our status report one month after the public launch. Our goal is simple: we want to encourage everyone to own their AI stack. One part of that is "own your tools". Last month proved we were on point: we saw various vendor attacks & a bunch of supply chain attacks.
So, in this post we are going to explore what we can do about it.
You are Responsible for Your Product
It doesn't matter where you deploy your product or what tools you use. At the end of the day, it's your product & you are responsible for it.
This topic resurfaced a few weeks ago because of the Pocket OS story on X. Apparently, Cursor & Claude deleted their production DB & the owner is blaming the tools & services they use.
Even if those tools & services are wrong, at the end of the day it's your responsibility. You can't delegate that to some other party.
Mythos & Cyber Models are Coming for You
Have you heard about the copy.fail attack? Basically, it's a way to get root access on any Linux machine using a simple Python command. Literally all Linux machines are vulnerable to this issue.
Interestingly, this bug was found using an AI-assisted cyber tool backed by a South Korean security firm. Anyone can purchase that tool right now. This could be a marketing stunt for their service, but the trend is real: AI-assisted cyber attacks are becoming the norm.
So, whether you are managing a product or a casual user, you need to pay close attention to the tools you use & stay up to date. Act today & get ready for the worst.
Unlike before, most of these attacks are automated & backed by AI agents. So, the best defence against them is to go minimal & have a deep understanding of what you use.
In reality, it's very hard to understand all the tools we use. But we can pick a strong base & use a minimal number of external tools. At the same time, we can start replacing some of these tools with custom, minimal versions.
AI Tokens are Still Cheap, Use Them
Most of the coding agents backed by AI labs are served at discounted prices. Some neo-clouds offer cheap token plans for Chinese models. We can use these cheap tokens to get rid of some of the unwanted supply chain risk. At the same time, we can implement custom tools that match exactly the requirements we have.
If your product has a really good end-to-end test suite, this process will be quite easy. Maybe use these tokens to step up your test suite.
Think about Hosting Again
Usually, we rely on external services for hosting both apps & databases. We understand that not everyone can manage this infrastructure. But make sure to choose the right service providers & follow best practices. Always keep backup options & have an action plan for worst-case scenarios.
We don't recommend the self-hosting route if you don't know what you are doing. But if you are technical enough & only use cloud services to save time, it's time to think again. With AI agents, you can do a lot these days. So, you could spend the saved time on self-hosting & maintenance.
What We Did at OKBrain
After launching the OKBrain Harness last month, we added a couple of key features. But most of the development was focused on hardening the system & replacing supply chain tools with our own implementations. Let's dive in:
TouchID-based SSH Keys
We deploy our harness on MacBooks & self-host them. So, SSH is a key tool for deploying, debugging & monitoring. Sometimes, we need to reach the production environment from inside the dev servers, & the SSH-based workflow was not the best.
We wanted a more secure workflow & the solution was right in front of us. Apparently, it's possible to create SSH keys backed by Apple's TouchID. So, we did it. Now every time we run an SSH command, we need to approve it with TouchID. No one can read the private key.
This even gives us crazy features like letting coding agents access some prod & staging environments. Because they need our finger to do anything actionable, we stay in control.
Technically, this is based on Apple's Secure Enclave. On other devices, you can do the same with hardware keys like the YubiKey Bio.
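The server side of this setup deserves a check too: if the whole point is that the private key can never leave the hardware, then the authorized_keys file on the production box should not quietly accept ordinary file-based keys next to the hardware-backed ones. The audit below is an added example, not OKBrain's code. It assumes the OpenSSH 8.2+ security-key types (the `sk-` prefix) and the `verify-required` option, which covers the YubiKey Bio route mentioned above; Secure Enclave keys served through a third-party agent look like ordinary ECDSA keys to the server and cannot be told apart this way. The sample file and key blobs are constructed placeholders.

```javascript
// Added example, not OKBrain's code: audit an authorized_keys file so only
// hardware-backed security-key SSH keys that require user verification are
// accepted. Assumes OpenSSH 8.2+ "sk-" key types and the "verify-required"
// option. Secure Enclave keys exposed through a third-party agent appear as
// ordinary ecdsa-sha2-nistp256 keys on the server side, so this check can only
// enforce the FIDO2 security-key route (e.g. YubiKey Bio).

const HARDWARE_KEY_TYPES = new Set([
  "sk-ssh-ed25519@openssh.com",
  "sk-ecdsa-sha2-nistp256@openssh.com",
]);

// Split on a separator while leaving double-quoted option values intact,
// e.g. command="deploy --only, staging" must stay one token.
function splitOutsideQuotes(text, isSep) {
  const out = [];
  let cur = "";
  let quoted = false;
  for (const ch of text) {
    if (ch === '"') { quoted = !quoted; cur += ch; }
    else if (!quoted && isSep(ch)) { if (cur) { out.push(cur); cur = ""; } }
    else cur += ch;
  }
  if (cur) out.push(cur);
  return out;
}

// An authorized_keys line starts either with a key type or with an options field.
function looksLikeKeyType(token) {
  return /^(sk-|ssh-|ecdsa-)/.test(token);
}

// Returns one finding per key line: { comment, keyType, ok, reason }.
function auditAuthorizedKeys(text) {
  const findings = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const fields = splitOutsideQuotes(line, (c) => /\s/.test(c));
    let options = [];
    let rest = fields;
    if (!looksLikeKeyType(fields[0])) {
      options = splitOutsideQuotes(fields[0], (c) => c === ",");
      rest = fields.slice(1);
    }
    const keyType = rest[0] || "";
    const comment = rest.slice(2).join(" ") || "(no comment)";
    let reason = null;
    if (!HARDWARE_KEY_TYPES.has(keyType)) reason = "not a hardware-backed security key";
    else if (!options.includes("verify-required")) reason = "missing verify-required";
    findings.push({ comment, keyType, ok: reason === null, reason });
  }
  return findings;
}

// Constructed sample file; the key blobs are placeholders, not real public keys.
const SAMPLE_AUTHORIZED_KEYS = `
# constructed sample authorized_keys
ssh-ed25519 AAAAPLACEHOLDERKEYBLOB alice@laptop
verify-required,command="/usr/local/bin/deploy --only, staging",no-port-forwarding sk-ssh-ed25519@openssh.com AAAAPLACEHOLDERKEYBLOB agent@vm
sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDERKEYBLOB bob@yubikey
`;

for (const f of auditAuthorizedKeys(SAMPLE_AUTHORIZED_KEYS)) {
  console.log(f.ok ? "OK  " : "FAIL", f.comment, f.ok ? "" : `(${f.reason})`);
}
```

Run against the sample, the plain `ssh-ed25519` key is flagged, the `sk-ecdsa` key without `verify-required` is flagged (a touch alone would sign for it, no biometric or PIN), and only the `agent@vm` entry passes. Pair it with `PubkeyAuthOptions verify-required` in sshd_config if you want the daemon to enforce the same rule globally.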
No AI SDKs
Developers are hooked on AI SDKs & frameworks just to call a very simple API endpoint. Nowadays almost every AI provider supports OpenAI- or Anthropic-like API endpoints. Most of the edge cases are already handled at the API level. The agent loop is nothing magical. It's just a never-ending loop with a couple of tricks.
So, you can ask a coding agent to build an AI SDK directly on top of those APIs. At the very least, plan to build your own SDK in the future.
We were using Vercel's ai-sdk. It's good but nothing groundbreaking. Once we figured out our use cases, we simply asked a coding agent to build a custom SDK based on our needs. It was just a few minutes of work for the coding agent.
We have an extensive end-to-end testing suite. This helped a lot in this process. Coding agents were able to easily verify & implement everything we needed.
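To make "a never-ending loop with a couple of tricks" concrete, here is the whole agent loop written against an OpenAI-compatible chat completions endpoint with no SDK in between. This is an added example, not OKBrain's custom SDK: the model call is injected so the loop runs offline against a scripted stand-in, `openAICompatibleCaller` shows the real HTTP call with Node's global `fetch`, and the base URL, tool names and the `lookup` tool are assumptions. The two tricks that matter for safety are visible in the loop: a hard step budget, and unknown or malformed tool calls being reported back to the model as errors instead of being executed by anything.

```javascript
// Added example, not OKBrain's SDK: the bare agent loop on top of an
// OpenAI-compatible /chat/completions endpoint, with no SDK in between.
// The model call is injected so the loop can run offline against a scripted
// stand-in; openAICompatibleCaller shows the real HTTP call using global fetch
// (Node 18+). Base URL, model name and tool names below are assumptions.

function openAICompatibleCaller({ baseUrl, apiKey, model }) {
  return async (messages, toolSpecs) => {
    const res = await fetch(`${baseUrl}/chat/completions`, {
      method: "POST",
      headers: { "content-type": "application/json", authorization: `Bearer ${apiKey}` },
      body: JSON.stringify({ model, messages, tools: toolSpecs }),
    });
    if (!res.ok) throw new Error(`model call failed: HTTP ${res.status}`);
    const body = await res.json();
    return body.choices[0].message; // { role, content, tool_calls? }
  };
}

// Convert { name: { description, parameters, run } } into the wire format.
function toToolSpecs(tools) {
  return Object.entries(tools).map(([name, t]) => ({
    type: "function",
    function: { name, description: t.description, parameters: t.parameters },
  }));
}

// The loop: ask the model, run the tools it requests, feed the results back,
// repeat until it answers in plain text or the step budget runs out.
async function runAgent({ messages, tools, callModel, maxSteps = 8 }) {
  const history = [...messages];
  const specs = toToolSpecs(tools);
  for (let step = 1; step <= maxSteps; step++) {
    const reply = await callModel(history, specs);
    history.push(reply);
    const calls = reply.tool_calls || [];
    if (calls.length === 0) return { answer: reply.content, history, steps: step };
    for (const call of calls) {
      let result;
      try {
        const tool = tools[call.function.name];
        if (!tool) throw new Error(`unknown tool ${call.function.name}`);
        const args = JSON.parse(call.function.arguments || "{}");
        result = await tool.run(args);
      } catch (err) {
        // Report the failure to the model rather than crashing the loop; an
        // unknown or malformed call is never executed by anything else.
        result = { error: String((err && err.message) || err) };
      }
      history.push({ role: "tool", tool_call_id: call.id, content: JSON.stringify(result) });
    }
  }
  throw new Error(`agent exceeded ${maxSteps} steps without a final answer`);
}

// Scripted stand-in for the model so everything below runs offline.
function scriptedModel(replies) {
  let i = 0;
  return async () => {
    if (i >= replies.length) throw new Error("script exhausted");
    return replies[i++];
  };
}

// Build an assistant message that requests one tool call, in API shape.
function toolCall(id, name, args) {
  return {
    role: "assistant",
    content: null,
    tool_calls: [{ id, type: "function", function: { name, arguments: JSON.stringify(args) } }],
  };
}

// One constructed tool; a real harness would expose file reads, search, etc.
const TOOLS = {
  lookup: {
    description: "Look up a value by key in the demo store",
    parameters: { type: "object", properties: { key: { type: "string" } }, required: ["key"] },
    run: ({ key }) => ({ key, value: key === "answer" ? 42 : null }),
  },
};

async function demo() {
  const callModel = scriptedModel([
    toolCall("call_1", "lookup", { key: "answer" }),
    { role: "assistant", content: "The answer is 42." },
  ]);
  return runAgent({ messages: [{ role: "user", content: "What is the answer?" }], tools: TOOLS, callModel });
}

demo().then((r) => console.log(`${r.answer} (after ${r.steps} model calls)`));
```

Swap `scriptedModel` for `openAICompatibleCaller({ baseUrl, apiKey, model })` and the same loop talks to any provider that speaks this endpoint shape; streaming, retries and token accounting are the remaining "tricks", and each is a few lines rather than a framework.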
Replacing Ngrok
We wanted to access our Mac-hosted harness from the web. A reverse tunnelling proxy was the perfect answer. We used ngrok because we were familiar with it. It's a pretty good product with a decent pricing option.
But that meant running a tool inside our production server, & it's not even open source. That's a very substantial supply chain risk.
So, we started building a replacement using vanilla Node.js & it was a massive success. The server is hosted on a cheap GCP instance. Our solution even has custom features like tunnelling via multiple network interfaces at the same time.
Now we own the tool & we know how to take care of it. As a bonus, the cost went down too. Earlier we had to pay for the request count, but now it's just the GCP server cost.
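The part of a reverse tunnel that is easy to get wrong is the framing: once many public connections share one control socket between the relay and the Mac, every byte on that socket must say which stream it belongs to and how long it is, and the receiver must cope with TCP handing it half a frame at a time. The block below is an added example of that layer, not the OKBrain tunnel's code; the frame layout, stream ids, payload cap and the "captured" HTTP request are this example's own choices, and it uses nothing beyond Node's `Buffer`.

```javascript
// Added example, not the OKBrain tunnel's code: the framing layer a reverse
// tunnel needs once many public connections share one control socket between
// the cloud relay and the Mac. Frame layout, stream ids and the payload cap
// are this example's own choices. Uses only Node's Buffer, no packages.

const TYPE = { OPEN: 1, DATA: 2, CLOSE: 3 };
const HEADER = 9;              // u32 stream id + u8 type + u32 payload length
const MAX_PAYLOAD = 64 * 1024; // hard cap so a hostile peer cannot make the relay buffer unbounded data

function encodeFrame(streamId, type, payload = Buffer.alloc(0)) {
  if (payload.length > MAX_PAYLOAD) throw new RangeError("payload exceeds MAX_PAYLOAD");
  const buf = Buffer.alloc(HEADER + payload.length);
  buf.writeUInt32BE(streamId, 0);
  buf.writeUInt8(type, 4);
  buf.writeUInt32BE(payload.length, 5);
  payload.copy(buf, HEADER);
  return buf;
}

// Incremental parser: feed() takes whatever chunk TCP delivered (half a frame
// or three frames) and returns only the complete frames.
class FrameParser {
  constructor() { this.pending = Buffer.alloc(0); }
  feed(chunk) {
    this.pending = Buffer.concat([this.pending, chunk]);
    const frames = [];
    while (this.pending.length >= HEADER) {
      const length = this.pending.readUInt32BE(5);
      // Reject before buffering: a declared length of 4 GiB must not be "waited for".
      if (length > MAX_PAYLOAD) throw new RangeError(`frame length ${length} exceeds MAX_PAYLOAD`);
      if (this.pending.length < HEADER + length) break;
      frames.push({
        streamId: this.pending.readUInt32BE(0),
        type: this.pending.readUInt8(4),
        payload: this.pending.subarray(HEADER, HEADER + length),
      });
      this.pending = this.pending.subarray(HEADER + length);
    }
    return frames;
  }
}

// Demultiplexer: routes frames to per-stream sinks. In the real tunnel a sink
// is the local TCP connection to the harness; here it is whatever openStream returns.
class Demux {
  constructor(openStream) { this.streams = new Map(); this.openStream = openStream; }
  handle(frame) {
    if (frame.type === TYPE.OPEN) {
      if (!this.streams.has(frame.streamId)) this.streams.set(frame.streamId, this.openStream(frame.streamId));
      return;
    }
    const sink = this.streams.get(frame.streamId);
    if (!sink) return; // unknown or already closed stream: drop it, never guess
    if (frame.type === TYPE.DATA) sink.write(frame.payload);
    else if (frame.type === TYPE.CLOSE) { sink.end(); this.streams.delete(frame.streamId); }
  }
}

// Constructed wire capture: one public HTTP request arriving as stream 1,
// delivered in 7-byte chunks the way a slow link might hand it over.
function demo() {
  const wire = Buffer.concat([
    encodeFrame(1, TYPE.OPEN),
    encodeFrame(1, TYPE.DATA, Buffer.from("GET /health HTTP/1.1\r\nHost: harness.example\r\n\r\n")),
    encodeFrame(1, TYPE.CLOSE),
  ]);
  const parser = new FrameParser();
  const log = [];
  const demux = new Demux((id) => ({
    write: (b) => log.push(`${id}:${b.toString()}`),
    end: () => log.push(`${id}:end`),
  }));
  for (let off = 0; off < wire.length; off += 7) {
    for (const frame of parser.feed(wire.subarray(off, off + 7))) demux.handle(frame);
  }
  return { log, leftover: parser.pending.length };
}

console.log(demo());
```

The two defensive details are the length cap checked before any buffering (the relay faces the public internet, so a peer can declare any length it likes) and the demux dropping frames for streams it never opened rather than creating them on demand. Multiple network interfaces, as in the OKBrain version, would simply be several control sockets each feeding its own `FrameParser` into one shared `Demux`.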
Replacing Parallels & OrbStack
This is the biggest win we had so far. We don't like to run AI agents inside our dev machines or inside direct production MacBooks. We don't trust any of these agents.
So, we use Virtual Machines (VMs) to run those agents including our own AI harness. We ended up using Parallels for development boxes & OrbStack for production. It's not that we like either of these tools, but there were no other good solutions.
One day, we stumbled upon a YouTube video explaining Apple's Virtualization Framework. Damn, it's so powerful and so simple to use. So, we started building our own Parallels. We lacked Swift & macOS dev experience & struggled at first. But Codex with GPT 5.5 came to the rescue.
We have now replaced Parallels with our own VM host app, OKRun. We are testing it with dev VMs right now & will soon migrate our production VMs as well.
Now It's Your Time
The goal of this post is not to brag about what we did, but to show you what's possible. As the initial step, you can inspect your package.json (or similar) & start trimming it down.
You'll end up loving that decision in the coming months.
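A first pass at trimming package.json is mechanical enough to script: list what is declared, list what the source actually imports, and compare. The script below is an added example, not OKBrain's tooling. It walks the two lists in both directions, so it also surfaces packages the code imports without declaring (which only work because some other dependency happens to pull them in, and vanish the day that dependency changes). The sample package.json and source files are constructed inline; in a real project you would read package.json and the source tree with `fs`.

```javascript
// Added example, not OKBrain's tooling: compare package.json dependencies
// against what the source files actually import. A first pass at trimming,
// not a replacement for reading the code. Sample project is constructed inline.

// Import forms recognised: `import x from "p"`, `export * from "p"`,
// `require("p")`, `import("p")` and side-effect `import "p"`.
// This is regex-based, so a matching string inside a comment also counts.
const SPECIFIER_PATTERNS = [
  /\bfrom\s*['"]([^'"]+)['"]/g,
  /\brequire\(\s*['"]([^'"]+)['"]\s*\)/g,
  /\bimport\(\s*['"]([^'"]+)['"]\s*\)/g,
  /^\s*import\s*['"]([^'"]+)['"]/gm,
];

// Bare builtin names such as require("fs") are filtered through Node's own
// list when running as CommonJS; "node:" prefixed builtins are always skipped.
const BUILTINS = new Set(typeof require === "function" ? require("node:module").builtinModules : []);

// Reduce a specifier to the package that owns it: "lodash/fp" -> "lodash",
// "@scope/pkg/sub" -> "@scope/pkg"; relative paths and builtins -> null.
function packageName(specifier) {
  if (specifier.startsWith(".") || specifier.startsWith("/")) return null;
  if (specifier.startsWith("node:")) return null;
  const parts = specifier.split("/");
  const name = specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
  return BUILTINS.has(name) ? null : name;
}

function importedPackages(source) {
  const names = new Set();
  for (const re of SPECIFIER_PATTERNS) {
    for (const m of source.matchAll(re)) {
      const name = packageName(m[1]);
      if (name) names.add(name);
    }
  }
  return names;
}

// sources: { "path/file.js": "file contents", ... }
function auditDependencies(pkg, sources) {
  const declared = new Set(Object.keys(pkg.dependencies || {}));
  const used = new Set();
  for (const src of Object.values(sources)) for (const n of importedPackages(src)) used.add(n);
  return {
    unused: [...declared].filter((d) => !used.has(d)).sort(),
    undeclared: [...used].filter((u) => !declared.has(u)).sort(),
  };
}

// Constructed sample project.
const SAMPLE_PACKAGE_JSON = {
  name: "demo-app",
  dependencies: { express: "^4.19.0", lodash: "^4.17.21", "@scope/widgets": "^1.0.0", "left-pad": "^1.3.0" },
};
const SAMPLE_SOURCES = {
  "src/server.js": `
    const express = require("express");
    const fp = require("lodash/fp");
    import { Table } from "@scope/widgets/table";
    import "dotenv/config";
    import path from "node:path";
    const local = require("./local");
  `,
  "src/worker.js": `
    export * from "./shared";
    const chalk = await import("chalk");
  `,
};

console.log(auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES));
```

On the sample it reports `left-pad` as unused and `chalk` plus `dotenv` as undeclared. Treat the unused list as candidates, not verdicts: packages pulled in only through a CLI, a config file or a build plugin will not show up as imports.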