Curtis Collicutt

Software company

Build safer software. Ship better tools.

We build developer products and applied security tooling for teams that care about correctness, operations, and real-world outcomes.

The Collicutt Software Company builds practical software for teams that need systems to be safer, more observable, and easier to operate. The focus is on developer tooling, security-conscious product design, and operational software that helps engineering teams detect problems earlier and ship with more confidence.


Products

Developer tools, operational software, and commercial offerings built by the company.

Vary - A novel programming language

Catch the tests that LLMs lie about

You ask an LLM to write tests for your code. It generates a full suite. Coverage hits 90%. Everything passes. You merge it.

A week later, a bug ships. You look at the tests and realize they were checking almost nothing. They asserted that functions returned without errors, but never verified the actual results. The LLM wrote tests that looked right but lied about what they proved.

This is the problem Vary solves. By building mutation testing directly into the language, Vary can flip your bytecode and check whether your tests notice. If a mutation survives, your test was never really protecting you. Run `vary mutate` and find out which tests are real and which ones are theater.

Vary is a statically-typed language that compiles to JVM bytecode. Clean syntax, type inference, null safety at compile time, no semicolons. The compiler has mutation testing built in: it flips bytecode instructions and checks whether your tests notice. If they don't, those tests were never protecting you. One CLI binary handles running, checking, testing, formatting, and mutating. Nothing extra to install.

Books

Technical books and resources for developers and security professionals.

The Safety Continuum

From Dry-Run to Digital Twins: A Guide to Building Safer Systems

Book One - Mechanics of Safety

First in a series about operating complex systems without burning out the people who run them. The book introduces a Safety Continuum, a framework for making day-to-day operations safer and more predictable.

Our industry has poured effort into uptime and availability but largely ignored the experience of the humans holding everything together at 3AM with brittle, dangerous tools. Safety is not the same thing as availability, and we have been treating it as an afterthought.

This volume (and the ones that follow) is about changing that. The tools and practices exist. Operators just need permission to use them.

95 pages, ~20,000 words, 8.5 x 11 PDF


The Stegalographer Guidebook

They said never write your own encryption. They didn't say anything about steganography.

This guidebook covers Stegalographer, the tool, and steganography more broadly.

Stegalographer adds watermarks and attribution markers to log files. If your logs already flow through a pipeline, Stegalographer slots into that pipeline and encodes information you can verify later, without disrupting anything visible.

Most people think of steganography as hiding messages in images, but the same idea works anywhere you have controllable variation. Distributed infrastructure already produces massive volumes of logs and metrics with natural variation baked in. That variation is a surface you can write on.

The security world has spent decades on encryption and availability. Steganography solves a different problem: provenance and attribution. Who produced this data? Has it been tampered with? These questions matter most in democratic and institutional systems, and they are the ones encryption alone cannot answer.

72 pages, ~15,000 words, 8.5 x 11 PDF

More Products

A mix of flagship products, supporting tools, and open source assets.

NegaLog

Find the logs that should exist but don't

Monday morning. You walk in to find the payment processing job stopped running Friday at 6pm. No errors. No alerts. It just...stopped. Three days of orders sitting unprocessed. $47,000 in delayed revenue. Angry customers. A manager asking "how did no one notice?"

The job didn't fail - it silently disappeared. Your monitoring watched for errors, but there were none. The absence of expected logs went undetected.

This is why NegaLog exists. Instead of watching for what went wrong, it watches for what should have happened but didn't.

Log analysis tools search for patterns that exist. NegaLog does the opposite: you define what logs should appear, and it tells you what's missing. A Go CLI that handles sequence detection, periodic monitoring, and conditional absence checks across multiple log files.

NegaLog supports commercial plugins for production use. See NegaLog Watch for continuous monitoring.

Stegwav

Detect hidden payloads inside WAV audio files

WAV files show up everywhere: ringtones, sound effects, hold music, test fixtures, and random downloads. Because they are usually treated as just audio, network filters and security scanners can let them pass with less scrutiny than scripts or executables.

In early 2026, TeamPCP started hiding malicious Python scripts and Windows executables inside WAV files as part of supply chain attacks against open-source packages. The files had valid headers, correct MIME types, and looked like audio to ordinary tooling, but the audio data had been replaced with obfuscated code.

Stegwav is an experimental detector for that problem. It parses WAV structure, checks whether the data is actually audio, extracts identifiable payloads, and also looks for LSB steganography hidden inside real audio.

Stegwav is a Go command-line detector for WAV files with hidden payloads. It validates WAV structure, analyzes whether sample data looks like real audio, extracts and identifies embedded payloads such as TeamPCP-style XOR/base64 content, and flags LSB steganography with statistical checks. The public release includes the detector only; the generator is a separate private plugin for authorized research and detection testing.

Stegwav supports commercial plugins for production use. See Stegwav Generator for authorized generator access.

MCP Makefile Server

A Model Context Protocol server that provides makefile target inspection and execution capabilities for AI assistants.


Pure OSS - MIT License - PRs welcome, free to fork

raillock

A cybersecurity CLI tool and Python library for checksumming Model Context Protocol tools and securing your agents against prompt injection attacks.


Pure OSS - MIT License - PRs welcome, free to fork

Safeline

A Python framework for building safety-critical operations with arbitrary stage pipelines, audit trails, locking, and approval workflows.


Pure OSS - MIT License - PRs welcome, free to fork

rmrf

A safer version of `rm -rf`; designed for saving weekends


Pure OSS - MIT License - PRs welcome, free to fork

Go App Template Skeleton

A generic golang application skeleton providing a foundation for building API servers with web interfaces and command-line tools.


Pure OSS - MIT License - PRs welcome, free to fork

spellerweb

A CLI website spell checker.


Pure OSS - MIT License - PRs welcome, free to fork

plothole

Test your AI-assisted code for missing implementations, TODOs, and other AI generated artifacts


Pure OSS - MIT License - PRs welcome, free to fork

emoji-sad

A CLI tool that recursively searches through directories to find and remove all emojis from text files. Useful for testing AI-assisted coding tools.


Pure OSS - MIT License - PRs welcome, free to fork

Content

Company writing, videos, and technical publishing.

YouTube

Videos about software, security, tooling, and product ideas.

Server As Code Dot Com

Articles about software systems, infrastructure, security, and applied engineering.

TIDAL SERIES

A newsletter covering computing, cybersecurity, artificial intelligence, and related technical ideas.

Social

Professional profiles and public company-adjacent links.

X (aka Twitter)

Public updates and link sharing.

LinkedIn

Professional background and company updates.

GitHub

Open source repositories and public code.

TAICO

A nonprofit focused on improving the state of artificial intelligence and cybersecurity in Canada.