Case study · Security

A security audit, from two sentences.

No integration, no scoping call. One prompt — and Umma audited Netflix’s open-source Lemur certificate-management platform end to end.

The ask
“Hi Umma — Can you analyze the Netflix Lemur GitHub repo for any vulnerabilities, security risks, etc.? Please go file-by-file to perform your analysis.”
What came back · 3h 20m

One autonomous run. An audit that would take a team weeks.

3h 20m, start to finish
327 files of code read
36 specialist agents spun up
907 / 25 checks across 25 tools
238 security flaws found
6 named attack chains
No guesswork: every finding backed by evidence
1.29 MB fully-sourced workbook
Every claim validated to its source
A flaw she found by connecting the dots
“Three separate weaknesses — a missing login check, a role mix-up, and a risky plugin — are all reachable in a single request. Fixing any one still leaves the others open.” — one of six multi-step attack chains Umma found by connecting flaws across different files.
Why this is the receipt
  • Every finding here traces to its source. Manus, asked to verify its own work, fabricates fake server output for a state that never existed. (Rio Times)
  • She reported her own certainty honestly, and never overstated it. Agents report success on work that never happened. (Nous Research)
  • Nothing here is asserted; everything is proven. That’s the difference between a demo and a deliverable.