When I was running AI Safety and Security at Google, I had the same problem every day, and I never truly solved it.
A startup published research on a Gemini vulnerability. A new indirect prompt injection method dropped on X, and we found out about it from a VP who got forwarded the post.
AI moves fast. New attack classes and defense capabilities emerge weekly. The research comes from everywhere: frontier labs, academics, startups, independent red teamers, and cybersecurity vendors. And the people who need this information most have the least time to find it, because they're busy defending systems. That is their job.
I always felt behind as every timely signal was a missed opportunity to be more effective. I tried everything and realized that each source is broken in its own way.
- Academic papers — written for tenure committees. The findings that might change your threat model are buried in 50 pages of academic language.
- Analyst reports — the brilliance of charging both readers and vendors. Real benchmarking and testing replaced with a grid optimized for a purchasing decision.
- LinkedIn — a recruiting platform, funded by career anxiety. Posts drive job offers and sales pipelines. Security insights are just collateral.
- Newsletters — the topics orbit the sponsors. Useful links, good editors. Sponsorship pressure skews coverage toward problems the sponsor sells a solution for.
- OSINT/darkweb feeds — drowning in data. Broad coverage wins market segments. The same firehose. You set up filters and still drown.
- Personal blogs — the best content, whenever the author feels like it. Hard to find and no coverage guarantee.
- Podcasts — an hour to say what a paragraph could. The format rewards conversation over information density. You can't search it, cite it, or skim it.
- Security newswires — noise with timestamps. More pages == more space for ads. Every CVE, every breach, and every vendor announcement becomes breaking news.
- Twitter/X — security's fastest communication channel. Built on a platform designed to bury quality insights.
- Vendor threat reports — a product catalog mapped to intelligence. Real data filtered by marketing to match the vendor's capabilities.
- Webinars, whitepapers — lead generation dressed as research. You trade contact info for a sales pitch.
The feed I wanted never existed and couldn't exist because of three structural problems:
- Existing resources inform but don't enable decisions. Every source is measured by pageviews, leads, or citations, but never by whether it helped you act.
- The business model shapes the content. Coverage orbits whoever is paying. Depth is unprofitable.
- When the product is free, you are the product. Your attention and contact info are sold to vendors. Your engagement feeds an algorithm.
The Weather Report is independent AI security and safety intelligence for defenders. Source-grounded and designed for your outcome.
As AI systems become more autonomous, an AI agent failure is both a security and a safety incident impacting people's lives. When defenders make decisions on distorted information, the consequences scale with the capabilities of the systems they're protecting.
The market and existing business models won't fix this, so I removed business from the model. The Weather Report is registering as a 501(c)(3) nonprofit.
It serves the people whose decisions have outsized impact: the CISO securing AI infrastructure for millions of users, the researcher making a frontier model cyber resilient, the red teamer finding vulnerabilities before attackers do, the VC funding the next AI safety company, the founder building it, and many others.
The only metric that matters is whether you made better decisions with The Weather Report. It doesn't need to sell you an umbrella.