← Writing

Most developers think a security architecture review is about finding vulnerabilities. It isn't.

2 min read

Originally published on LinkedIn, May 8, 2026.

Most developers I've spoken to think a security architecture review is about finding vulnerabilities.

It isn't.

By the time you're looking for vulnerabilities, the expensive decisions have already been made. The framework is chosen. The integrations are built. The data flows are established. Finding a vulnerability at that stage means reworking something that's already woven into four other systems.

A security architecture review done right happens before any of that. It's not "find what's broken." It's "find what will be impossible to fix later."

The difference is the same as the difference between a structural engineer reviewing blueprints and one reviewing a building that's already been constructed. One changes a line on a drawing. The other involves demolition.

How most reviews happen
After the build
Looped in at 'we're almost done' — findings become rework across 4+ systems
How they should happen
Before the build
Looped in at 'we're about to start' — findings change a line on a drawing

Most enterprises do the second kind.

Not because they don't know better. Because the review gets scheduled after the sprint, not before it. Because the security team gets looped in at "we're almost done" instead of "we're about to start." Because somewhere along the way, the review became a gate to pass rather than a conversation to have.

The result isn't a vulnerability. It's a permanent architectural debt that no patch will ever fully close.

The takeaway

"The most expensive security debt in most enterprises wasn't introduced by an attacker. It was scheduled into a sprint."

More writing

Cybersecurity has a marketing problem.

The industry sells $200,000 platforms to detect advanced persistent threats while the average enterprise still can't reliably tell you who has admin access to its finance system.

May 7, 20261 min read
← All writing