The title matters less than the risk boundary
People search for "AI engineer", "AI developer", "engenheiro de IA", and "desenvolvedor de IA" to understand who to hire. For a SaaS product that charges customers, the useful answer is that someone must be responsible for product, security, and operations, not only for calling a model.
Building an AI feature can be fast. Running that feature in production with login, paid plans, customer data, uploads, automation, and tool-using agents requires a different kind of judgment.
What the product needs
- Clear customer-data separation.
- Permissions by role and plan.
- Logs without secrets or unnecessary personal data.
- Limits for prompts, uploads, and tool calls.
- Fallback when the model, API, or agent fails.
- Review of checkout, subscription, refunds, and access release.
- Evidence a B2B customer can understand.
When to bring security in
If the AI feature only summarizes public text, the risk is lower. If it reads private data, calls tools, changes billing, exports reports, answers customers, or executes workflows, the review needs to be more rigorous.
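As an added example (not code from this page), here is one way several items from the list above can meet at a single checkpoint in front of every agent tool call: tenant separation, role and plan permissions, limits, and logs without secrets. The tool names, policy table, limits, and redaction patterns are all hypothetical and constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical policy: tool name -> (roles allowed, plans allowed)
TOOL_POLICY = {
    "summarize_doc": ({"member", "admin"}, {"free", "pro"}),
    "export_report": ({"admin"}, {"pro"}),
    "issue_refund": ({"admin"}, {"pro"}),
}
MAX_TOOL_CALLS = 3    # constructed per-session limit
MAX_ARG_CHARS = 4000  # constructed argument size limit
# Constructed patterns: an "sk_..." style API key and an e-mail address
SECRET_RE = re.compile(r"(sk_[A-Za-z0-9_]+|[\w.+-]+@[\w-]+\.[\w.]+)")

@dataclass
class Session:
    tenant_id: str
    role: str
    plan: str
    calls: int = 0
    audit: list = field(default_factory=list)

def redact(text):
    """Replace secrets and personal data before anything is logged."""
    return SECRET_RE.sub("[REDACTED]", text)

def authorize_tool_call(session, tool, resource_tenant, argument):
    """Return (allowed, reason). Every decision is logged, redacted."""
    policy = TOOL_POLICY.get(tool)
    if policy is None:                          # deny tools not in the table
        decision = (False, "unknown_tool")
    elif resource_tenant != session.tenant_id:  # customer-data separation
        decision = (False, "cross_tenant")
    elif session.role not in policy[0]:         # permission by role
        decision = (False, "role_denied")
    elif session.plan not in policy[1]:         # permission by plan
        decision = (False, "plan_denied")
    elif len(argument) > MAX_ARG_CHARS:         # input size limit
        decision = (False, "argument_too_large")
    elif session.calls >= MAX_TOOL_CALLS:       # tool-call limit
        decision = (False, "call_limit")
    else:
        session.calls += 1
        decision = (True, "ok")
    # Redact first, then truncate, so a cut-off secret cannot slip through.
    session.audit.append(
        f"tenant={session.tenant_id} tool={tool!r} "
        f"result={decision[1]} arg={redact(argument)[:80]}")
    return decision
```

The gate denies by default: a tool the model names that is not in the policy table is refused, and the refusal itself is recorded in the audit trail.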
The founder point
You do not need to memorize job titles. You need to know who owns the decision when an AI-built app starts handling real users, real payments, and real data.
A good AI engineer builds. Good security asks what happens when that build receives permission, money, and customer data.




