News & notes

Writing from the studio.

Release notes, engineering field reports, and the occasional essay on craft, privacy, and the work of building software that respects the people who use it.

Engineering
June 18, 2026 · 9 min read

On-device inference is finally boring (and that's good news)

After three years of weekly model releases, the on-device story has finally stabilized. We dig into what's actually shippable today, what's still a research demo, and how to think about the build-vs-call decision for privacy-sensitive products.

Releases
June 4, 2026

gzyuans Studio v3.0 — open beta

Our design and engineering toolkit graduates from alpha. Highlights: visual regression in CI, per-token audit logs, and a privacy linter that catches data leaks before review.

Engineering
May 22, 2026 · 12 min read

A practical guide to threat modeling for small teams

STRIDE is great, but it's also a lot. Here's the lighter-weight process we use with every gzyuans client — four steps, one afternoon, and a list of decisions you'll actually make.

Company
May 8, 2026

Welcoming three new senior practitioners

We're growing — carefully. Three new teammates joined this quarter, all with backgrounds in privacy-preserving ML, design systems, and platform engineering. Here's what they'll be working on.

Engineering
April 21, 2026 · 7 min read

Why we still hand-write our database migrations

ORM auto-migrations are great for prototypes and terrible for the next five years. A short post on the discipline of explicit, reversible, reviewed schema changes.

Releases
April 3, 2026

Northwind Console goes 1.0

After 14 months of partnership with Northwind, their operator console is now generally available. We share what shipped, what we cut, and what we'd do differently.

FAQ

Things people often ask first.

For audit and discovery work, typically within 2 weeks. For embedded team engagements, 4–6 weeks. The slower timeline is by design — we want to make sure we're the right fit before we say yes.
Yes, mutual NDAs are standard and we sign them same-day. We're comfortable with strict data-handling terms, on-shore-only engineers, and air-gapped environments.
Almost always yes. We've shipped in nearly every modern web, mobile, and backend stack. We'll be honest if a piece of your stack is causing more harm than good — but we won't insist on rewriting it for the sake of it.
Occasionally, for early-stage teams where the work is material to the company's success. We structure it as a fixed-price cash component plus a small equity kicker — never as a substitute for fair compensation.
Currently 9 senior practitioners, all full-time. No contractors, no offshore bench. Everyone has 8+ years of production experience in their discipline.
We write a handover document, run a handover week with your team, and stay on call for 30 days post-engagement. The codebase is yours in full — including the design files, the recordings of design crits, and the rationale behind every decision.