About

A security engineer who builds the thing he secures.

Sayo Ogunlegan, CISSP, founder of Atypical Tech

I'm Sayo. I started Atypical Tech because I kept watching teams hand real power to AI agents and just hope.

I didn't come to security from security. I came from building: fourteen years of it, first as a full-stack engineer shipping consumer, media, and platform products, then as the person responsible for making software safe to ship at all.

I learned to secure software the only way that sticks, by building it first.

Somewhere along the way I stopped writing features and started writing the guardrails: AppSec programs, DevSecOps pipelines, code-signing and PKI, the security plumbing that lets a team move fast without shipping its next breach. I earned my CISSP. Then AI changed what “fast” even means, and I went looking for the new edge.

I found it on an AppSec team at a large enterprise. We turned on a commercial SAST scanner and it surfaced more vulnerabilities than anyone could ever work through, a backlog no one could clear, and an engineering org too buried to touch them. So I built an AI agent to triage them: read each finding, gather the context I would, score the real risk. It used judgment the way I would. That's what made it an agent, not a script. Manual review fell dramatically, and the daily flood of noise drained away.

But the volume it cleared isn't what I'm proud of. Once engineers saw how much the agent filtered out, they started trusting the findings that made it through, and security stopped being the team that cried wolf.

Here's why that story is the whole company. I didn't just build an agent. I built a safe one, and that meant thinking like an attacker about what an agent actually is: a program that reads untrusted input and then acts. Every finding it ingested was untrusted input. A poisoned one could try to talk the agent into acting outside its job: prompt injection turning it into a confused deputy, using its own access to do the attacker's work.

So I never handed it mine. It ran in a scoped container with a scoped toolkit, with its own least-privilege identity and its own keys, scoped to exactly one job. Even a hijacked call had nowhere to pivot. The blast radius was the triage, not the company, and every action traced back to the agent, not to me.

An agent needs its own identity for the same reason a person does, so you always know who did what.

So when I tell you I'll secure your agent (scope it, give it its own identity, put boundaries and observability around it), I'm not reading from a framework. I'm describing what I already built. I built a safe agent before I offered to secure anyone else's.

We operate what we advise, and I'll be honest about what that actually means, because the absolute version of that line is marketing, not engineering.

I hold Atypical's own infrastructure to the same patterns I'd design for a client (scoped identities, boundaries, observability), but I apply them as they make sense for where we actually are, not wholesale. Security is point-in-time: what's sound today gets revisited as the stack changes. Our setup evolves the same way a client's will, because that's how real systems work.

Security is point-in-time: not a box you check once, but a call you keep making.

So I won't prescribe anything wholesale, because prescribing wholesale isn't sound engineering. What I bring is judgment from running these systems myself: when a pattern earns its keep, when it's overkill, and what it actually costs to live with. That's the difference between advice from the sidelines and advice from someone carrying the same tradeoffs you are.

Ten principles guide every engagement, and they're the foundation of our ROBOT Framework, the methodology for designing safe, predictable, auditable agentic systems.

Constraints aren't the opposite of capability. They're the permission to use it.

Outcome First

Start with the result you need. Work backward to the simplest path that gets you there. Technology is a means, not an end.

Context Second

Once the outcome is clear, gather context. Understand constraints, dependencies, and the human systems around the technical ones.

Constraints Before Capabilities

Define what automation should never do before expanding what it can do. Safety comes from clear boundaries, not clever features.

Remove, Reduce, Reveal

First remove unnecessary steps entirely. Then reduce complexity in what remains. Finally, reveal the clearer signals that emerge.

Safety Before Autonomy

Earn trust through safe, incremental automation before expanding scope. Speed without safety isn't speed. It's just risk.

Low-Risk Wins First

Start small. Start in non-production. Build trust through quick, obvious wins before expanding scope. Credibility is earned incrementally.

Human-Centered AI

Automation should augment human judgment, not replace it. Keep humans in the loop where it matters. Remove them only from the noise.

Transparent Decision-Making

Automated systems must explain how they reach conclusions. Audit trails aren't optional. Humans should never just trust a black box.

Intelligence Over Complexity

Solutions should simplify workflows, not add new tooling burdens. If automation creates more overhead than it removes, it's not intelligent.

Never Break Availability

Automation that threatens uptime isn't worth having. Safety and reliability are non-negotiable.

We build for technical leaders putting AI agents into production: the people who feel the pain first.

Engineering & platform leaders

Shipping agentic features and accountable when they misbehave.

Hands-on technical founders

Putting an AI agent in the critical path of the product.

AppSec & security teams

That want agent-security depth on tap, not another full-time role to fill.

Teams without dedicated security

That need senior expertise a hire-stage team can't yet justify hiring full-time.

In general: anyone giving an AI real power who isn't willing to just hope it behaves.

I built my first safe agent because the alternative was hoping. If your agents already have the keys, let's make sure that's actually safe.