Skip to main content

I'm a security leader. To learn AI security, I built the tool I wished existed, using AOD.

Overview

AI changed the threat surface faster than I could read about it. So I did the most security thing I could think of and tried to build the defense. That tool is Tachi, a threat-modeling and AI-reasoning vulnerability scanner. AOD is the methodology that took me from a one-line idea to a shipping, governed product. This is how far one kickstart went.

It started with one command

I didn't start with a blank repo and a vague ambition. I ran one /aod.kickstart, described what I wanted, an AI threat-modeling tool, and it handed back a sequenced, governed backlog of 10 seed features. The whole shape of a product. A threat-modeling engine, an orchestrator plus six STRIDE agents and two AI-specific agents. The outputs that make it useful, SARIF for CI, a narrative report with attack trees, a visual infographic. And the scaffolding around it, an interface contract, platform adapters, worked examples.

From idea to a plan I could actually execute, in a single step. That is the part that usually kills a side project. Not the code. The not-knowing-where-to-start.

Then it kept going

The kickstart didn't just hand me a plan. It got all 10 seed features working in about three days. A complete core, those plus quantitative risk scoring, compensating-controls analysis, PDF reporting, and the infographic pipeline, came together in about two weeks. From there Tachi kept expanding on its own cadence, every feature through the same gates, from Issue to PRD to spec to plan to tasks to merged PR.

~3 daysto all 10 seed features working
~2 weeksto a complete core
65+governed features and counting
50+releases (v4.0.0 to v4.42.0)
50/50OWASP coverage, five frameworks
46architecture decision records

The arc, in plain terms. A working threat-modeling engine by late March. Full OWASP coverage closed across five frameworks through April and May. Then enterprise hardening on top, a security disclosure policy, secret-scanning, a least-privilege permissions baseline. Five blueprint campaigns, each a themed batch of features, drove the expansion without it turning into chaos.

And it stopped being just me. Tachi is open source, and contributors I had never met cloned the repo and shipped working changes before I could say hello. They didn't need onboarding from me. The AOD harness ships inside the repo, so it already showed them the work.

What to do next

AOD is how a security leader, not a full dev team, went from an idea to a shipping, governed product. If you have an idea stuck at where do I even start, that is the gap it closes.

Have a use case to discuss? Discuss your use case (opens in new tab)