AI at Anvil Secure: Evolving Technology. Unchanging Standards

By Dana Hehl

Over the last few months, we’ve been asked some version of the same questions by customers, friends, and competitors: “Where are you guys on AI?” and “Do you use AI internally?” 

The honest answer is yes, but probably not in the way people expect. 

At Anvil, our approach to new technology has always been simple: innovate, analyze, iterate. AI is no different. Over the past year or so we’ve spent time testing systems for clients, studying how the tools behave, and analyzing where AI can be used safely and responsibly before integrating it more broadly into how we work. 

AI is clearly changing how security work gets done. The pace is real, the tools are improving quickly, and the bold claims are getting louder. We’ve seen waves like this before: new frameworks, new tooling ecosystems, new promises of automation. Technology moves. The bar shouldn’t. 

At Anvil, we take pride in being experts. That means rigor in analysis, clarity in communication, and accountability for outcomes. Whether a task is supported by AI, automation, or done manually, responsibility stays with us across sales, engineering, project management, technical leadership, and executive oversight. Interpretation, risk framing, client positioning, and final judgment are not delegated to a specific system. 

Internally, we’ve been purposefully slower than many organizations to adopt AI note-takers and similar workflow tools. This is not because we don’t appreciate efficiency, but because protecting client information is part of what we are paid to do. That said, we are using AI in a number of ways that don’t involve client data. For work involving client engagements, AI capabilities are only used when a client explicitly allows it.  

In practice, we’ve found these tools most useful for supportive activities such as research assistance, document creation, brainstorming, organizing notes, preparing presentations or templates, and occasionally generating images or diagrams. So far, they have helped reduce time spent on internal presentation preparation and operational tasks, often cutting hours from research or documentation workflows and helping teams move more quickly from an idea to something concrete.   

You’ll also hear plenty of vendors talking about going “all in” on AI for security testing. Our view is simpler: AI is a tool. Used well, it can increase coverage, reduce repetitive effort, and create more space for meaningful analysis. It can make strong teams stronger. But tools are not substitutes for professional judgment. They can surface patterns and move quickly, but they cannot replace experience, context, or accountability. 

Recently we began providing some SECDEV services for clients, which pushed us to take a closer look at LLM-assisted coding. Anyone who has built software for production knows real development is very different from hobbyist coding. What we observed was straightforward: experienced developers used AI to assist their work and move faster while still reviewing and validating the results. Less experienced developers tended to let AI generate more code than they should have, which often introduced security issues or poorly structured systems. Again, AI is a tool. In the hands of someone who understands the craft, it can accelerate good work. In the hands of someone still learning, it can introduce problems just as quickly. 

At Anvil we’ve also built internal systems to support how we deliver security work. One of those systems is Nexus, our internal workflow and reporting platform. Until recently we were hesitant to add AI-enabled features there. The technology was evolving quickly, and we wanted to understand where it would provide real value rather than adding complexity or unnecessary risk.  

Earlier this year, the company came together in Estoril, Portugal for our annual internal conference, HammerCon, to discuss a range of topics, including how emerging technologies like AI should fit into our work. Engineers, project managers, operations, and leadership shared perspectives from the field. We discussed where these tools were already helping or could help, where further exploration was really needed, and where updated guardrails might be required. Those conversations helped shape a clearer view of how we wanted to approach AI within our own systems.  

Following those discussions, we decided it was time to begin experimenting in a controlled way. We introduced a small set of AI capabilities within Nexus that can be enabled only when a client explicitly allows AI use on an engagement. These capabilities operate within the spirit of our internal AI use policy, which emphasizes transparency, client consent, and the principle that responsibility for interpretation, analysis, and final deliverables remains with us. In other words, AI may assist with parts of the workflow, but clients ultimately control whether it is used for their engagements. 

Client expectations around AI vary widely, and that ultimately determines how these tools get used. Some organizations publish clear policies around AI usage. Others emphasize efficiency and encourage teams to use tools that help them move faster. And some clients prohibit AI entirely in their environments, sometimes even restricting entering their company name into AI systems. 

That’s their decision. Security work runs on trust, and we will always align our tools and processes with our clients’ expectations. 

At the same time, excellence requires exploration. Our engineers evaluate emerging technologies, test new approaches, and contribute research back to the broader security community. Curiosity keeps teams sharp. New capabilities are integrated deliberately, inside structured workflows, before they become part of client delivery. 

There’s a lot of noise right now about autonomy replacing expertise. We see it differently. AI can improve scale and efficiency. Experienced professionals provide context, discipline, and accountability. The work is strongest when both are applied intentionally. 

The technology will keep evolving. We’ll keep evaluating it. Some capabilities will prove valuable. Others won’t. 

But the bar does not move. 

Evolving Technology. Unchanging Standards.