thinkn
  • Product
    Manifesto
    The reason we exist
    Founder Studioprivate beta
    Make better product decisions faster
    Belief SDKinvite only
    Add belief states to your AI system
    Request Access →Join the private beta waitlist
  • Docs
  • Pricing
  • FAQ
  • Docs
  • Pricing
  • FAQ
Sign In
Welcome
  • Hack Guide
  • Introduction
  • Install
  • Quickstart
  • FAQ
  • The Problem
  • Memory vs Beliefs
  • Drift
  • Examples
  • Finance
  • Health
  • Engineering
  • Science
cases/engineering.mdx

Engineering

Security analysis and system design, where hidden assumptions cause vulnerabilities.

What Is at Stake

In engineering, every codebase carries an implicit assumption: there are no security vulnerabilities. That assumption is rarely stated, never tracked, and almost always wrong. A dependency with a known CVE. An API endpoint missing authorization checks. An input that is sanitized in one path but not another. These are beliefs about the system's security posture, and when they go unexamined, breaches follow.

Security decisions rest on assumptions: about input validation, about access control, about dependency integrity, about how components interact at trust boundaries. When these assumptions are implicit, they compound. When they are explicit, agents can gather evidence to prove or refute them.

What Beliefs Make Visible

Security assumptions as trackable beliefs

Every system carries implicit security beliefs: "All user inputs are sanitized." "No dependency has a critical CVE." "The auth middleware covers every state-changing endpoint." These are assumptions with varying levels of evidence.

1┌──────────────────────────────────────────────────────────────┐
2│  SECURITY POSTURE                                            │
3│                                                              │
4│  ● "No critical CVEs in dependencies"  74% │ last audit 30d  │
5│  ● "All API routes require auth"       81% │ middleware scan  │
6│  ● "SQL injection mitigated"           92% │ parameterized    │
7│  ● "No secrets in source control"      65% │ 3mo old scan     │
8│    └─ ⚠ Decayed -- last scanned 90 days ago                  │
9│                                                              │
10│  Gap: "No SSRF analysis on new webhook handler"              │
11│  Gap: "Rate limiting untested on file upload endpoint"       │
12│                                                              │
13│  The security assumptions are explicit, measurable,          │
14│  and tracked over time. When a 3-month-old scan              │
15│  decays, the system flags it for re-verification.            │
16└──────────────────────────────────────────────────────────────┘

Vulnerability investigation

A security agent starts with the assumption "there are no vulnerabilities in the codebase" and then gathers evidence to challenge it. A dependency scan finds a high-severity CVE in a transitive dependency. A static analysis tool flags an endpoint missing authorization. Each finding is evidence that refutes the original assumption, and the system tracks exactly how confidence shifted.

Post-incident, the ledger shows when "no critical CVEs in dependencies" was last validated, which scans supported it, and which advisory contradicted it before the exploit.

Cross-boundary contradiction detection

A microservice architecture has dozens of implicit trust boundaries. Service A assumes Service B validates its inputs. Service B assumes callers are already authenticated. These assumptions exist in different teams' mental models. When they contradict, the gap in validation is invisible until an attacker finds it.

Belief state infrastructure makes these cross-boundary assumptions explicit and detectable. An agent reviewing code, configs, and security policies can surface: "Service A's assumption that Service B validates input conflicts with Service B's reliance on upstream authentication."

What Agents Can See That We Cannot

A single security engineer holds the context for their area. A belief-aware agent can maintain structured assumptions across an entire codebase, tracking dependency claims, access control beliefs, input validation hypotheses, and secret management posture across every service, with evidence and decay.

When a dependency is updated, the agent can trace which downstream security assumptions might be invalidated. When a new CVE advisory contradicts a previous "no known vulnerabilities" claim, the conflict is flagged across every service that depends on that package. These cross-cutting concerns are precisely what humans miss because no individual holds the full picture.

Temporal decay in security

Security assumptions decay faster than most. A dependency audit from last week is relevant. A penetration test from a year ago, before three major refactors, is nearly worthless. Temporal decay models this naturally. Dependency scans and secret audits decay faster than architectural invariants like "we use parameterized queries," and the system reflects this.

1const beliefs = new Beliefs({
2  apiKey: process.env.BELIEFS_KEY,
3  agent: 'security-agent',
4  namespace: 'security-review',
5  writeScope: 'space',
6})
7
8await beliefs.add('No critical CVEs in production dependencies', {
9  confidence: 0.88,
10  evidence: 'npm audit + Snyk scan 2024-03-10',
11})
12
13await beliefs.add('All API endpoints enforce authentication', {
14  confidence: 0.81,
15  evidence: 'Middleware coverage scan 2024-03-10',
16})
17
18// Three months later, the scan evidence has decayed
19// The agent flags it for re-verification before release

Science

Hypothesis tracking across experiments.

Learn more

Drift

Why assumptions compound without infrastructure.

Learn more
PreviousHealth
NextScience

On this page

  • What Is at Stake
  • What Beliefs Make Visible
  • Security assumptions as trackable beliefs
  • Vulnerability investigation
  • Cross-boundary contradiction detection
  • What Agents Can See That We Cannot
  • Temporal decay in security