The default pattern
Patch-on-breach
Security becomes a project the morning after a vulnerability ships or an audit fails. The breach gets patched, the next vulnerability lands, the cycle repeats.
- Security work happens the quarter before an audit, or the morning after a breach hits production.
- AI-generated code lands without review; vulnerabilities are discovered when an attacker or a security researcher finds them first.
- Hardcoded API keys leak in commits, get rotated under pressure, leak again two months later because the prevention pattern was never put in place.
- Policies live in a Google Doc nobody reads; the engineering team has no idea what the policy says they do.
- Logs are 'we keep CloudWatch for thirty days' until the regulator (or the post-mortem) asks for a year.
- Incident response plan is a wiki page from 2022, never tested, written by someone who has left.


