Today we changed the Sunglasses license from AGPL-3.0 to MIT. This is not a small decision. I want to explain why — honestly, from someone with zero coding experience who built this in 50 hours over 7 days.
What happened
Sunglasses launched on April 1, 2026 under AGPL-3.0. We chose AGPL because we were scared. Scared that someone would take our work, close-source it, and sell it without giving back.
That fear made sense for a project with no users and no reputation. But it does not make sense for where we are going.
Here is what we learned in 7 days of being live:
- Companies evaluate our scanner, see "AGPL," and close the tab
- Security teams want to integrate us into their pipelines but legal says no
- Enterprise developers read our blog posts, love the research, and cannot use the tool
- AGPL protects code. But it kills adoption. And adoption is everything right now.
Why MIT
MIT is the simplest license in open source. It says:
Use this however you want. In your startup. In your enterprise. In your side project. Commercial, personal, anything. No restrictions. Just include the copyright notice and the short permission notice with any copy or substantial portion of the code.
That is it. No legal team needed. No compliance review. No "but what if" conversations.
We want Sunglasses in every AI agent pipeline in the world. MIT makes that possible. AGPL made it harder.
But what about someone stealing it?
This is the question everyone asks. Here is my honest answer:
The code is not the moat. Anybody can read our patterns.py file right now on GitHub. It is 2,600 lines of Python. You could copy it in 10 seconds.
But you cannot copy:
- The team. We have AI agents doing autonomous security research every 30 minutes. CAVA handles SEO, marketing, and threat intelligence. JACK extracts detection patterns from real CVEs and writes blog posts. They work while I sleep.
- The pattern database. 248 patterns today. Growing every day from real-world threat research. By the time someone forks the repo, we are already 248 patterns ahead.
- The research pipeline. Our agents scan GitHub advisories, security feeds, and real malware reports continuously. They find threats, extract patterns, and add them to the scanner. This is not a static library. It is a living defense system.
- The brand. We are building in public. Every decision, every mistake, every win. You are reading this letter because we believe in transparency. That trust compounds.
- The community. MIT means more people can contribute. More contributors means more patterns. More patterns means better security for everyone.
Someone forking our code and selling it is not a threat. Someone forking our code and making it better is the whole point.
What this means for you
If you are building AI agents and you care about security:
- You can use Sunglasses commercially. No license anxiety. No legal review needed.
- You can modify it. Add your own patterns, customize the scanner, integrate it into your stack.
- You can redistribute it. Bundle it in your product. Ship it to your customers.
- You can contribute back. Found a new attack pattern? Submit a PR. It helps everyone.
One line to install. Zero restrictions to use:
pip install sunglasses
A personal note
I am not a traditional founder. I drive Uber during the day. I build at night. I had zero coding experience before February 2026. I started this because I was afraid of being left behind in the AI revolution.
48 days later, Sunglasses has 201 detection patterns across 32 categories in 13 languages. We have scanned real North Korean malware. We have a team of AI agents doing security research around the clock. And now, with MIT, we have removed the last barrier between our work and the people who need it.
I do not know where this goes. But I know that open is better than closed. Trust is better than fear. And the best way to protect the AI agent ecosystem is to give everyone the tools to do it — no strings attached.
How the rest of the security tool world handles this
I did not pick MIT randomly. I looked at what the tools people actually use are licensed under.
Trivy — the container vulnerability scanner everyone runs in CI — is Apache 2.0. Falco — the runtime security tool that CNCF backs — is Apache 2.0. OWASP ZAP, which security teams have used for more than fifteen years to find web vulnerabilities, is Apache 2.0. These are not small projects. They are the infrastructure of modern security.
Semgrep is the interesting one. The open-source engine is LGPL. The commercial rules are proprietary. They split it on purpose — permissive enough to get adoption, closed enough to have a business.
The pattern is obvious when you look at it: the tools on that list that reached enterprise adoption chose permissive licenses. None of the widely adopted ones went AGPL. AGPL makes sense for a web app you run as a service, where the network clause is the point. It does not work for a library people embed in their own systems, because the copyleft follows the embedding.
We were fighting that pattern. The switch to MIT puts us in line with every successful open-source security tool that came before us.
What MIT actually lets you do — plain English
MIT is four sentences. I will translate them.
Use it however you want. Commercial product, internal tool, startup, enterprise, side project — does not matter. No need to ask. No fee. No form to fill out.
Modify it. Fork the repo. Change the patterns. Strip out parts you do not need. Add your own detection rules. It is yours to work with.
Distribute it. Bundle Sunglasses inside something you sell. Ship it to your customers as part of your product. Redistribute it under any terms you choose.
Sublicense it. If you build something on top of Sunglasses and want to license that thing differently, you can. The MIT terms do not extend to your code.
The one obligation: include the copyright notice and the permission notice with copies or substantial portions of the code. In practice that is the short LICENSE file, or a couple of lines at the top of a file. No attribution in your UI, no source disclosure, no notification. That is the whole deal.
A fintech company can today take pip install sunglasses, embed it in a closed-source product they charge money for, and never pay us a dollar. That is exactly the point. We want it running. That is more valuable than controlling it.
Permissive does not mean unprotected
This is the thing that took me a while to understand.
When I was scared of someone stealing Sunglasses, I was thinking about it wrong. I was treating the code like it was the whole product. It is not.
The code is a snapshot. The pattern file on GitHub right now is v0.2.20 — 328 patterns across 49 categories. By the time you fork it, we are already working on the next 30 patterns. Our agents run continuous security research. JACK has run over 400 research cycles. Every cycle finds new attack patterns from real CVEs, real malware, real threat reports. The database grows while you are still setting up your fork.
The moat is not the code. The moat is the team and the cadence. An autonomous research pipeline that runs around the clock and a founder who ships every week. That is not something you can copy by cloning a repo.
HashiCorp, Elastic, Redis, MongoDB — they all moved to more restrictive, source-available licenses when they got scared of the hyperscalers. Every single one of those moves hurt adoption and trust. We looked at that pattern and decided: not us. We are choosing adoption over fear.
Anyone who forks Sunglasses and makes it better is doing us a favor.
What MIT signals to enterprise legal teams
This one is practical. I learned it the hard way.
Enterprise companies do not just pick up tools and run them. They have a process. Someone evaluates the tool. Someone checks the license. Someone in legal reviews it. If legal says no, the whole thing stops — even if every engineer wants it.
AGPL is a legal department's nightmare. The concern is license contamination. If you embed AGPL code in your own software, there is a real argument that the combined work has to be released under AGPL, and the network clause means that argument applies even when you only run the result as a service and never ship a binary. Legal teams do not want to have that argument. They block it outright. I was not making this up — I saw it happen in real time in our first seven days.
Apache 2.0 gets approved at most companies because it is permissive and includes an explicit patent grant. MIT gets approved because it is the shortest, simplest, most-reviewed open-source license in existence. Legal teams have seen it ten thousand times. One caveat worth knowing: MIT has no explicit patent grant, so a few very cautious legal teams prefer Apache 2.0 for that reason. For a pattern-matching scanner, that has not been a blocker for anyone we have talked to.
That matters more than I expected. Removing the license question removes a blocker that had nothing to do with the quality of the tool. Enterprise developers who wanted Sunglasses now just use it. The license review is a formality instead of a fight.
The honest tradeoffs we made
I want to be straight about what we gave up. It is real.
Under MIT, there is no requirement for anyone to send improvements back. Someone can fork Sunglasses, add fifty new patterns, and ship it as their own closed-source product. They owe us nothing except keeping the copyright and permission notice on the parts they took. That is a real thing we accepted.
There is no protection against a bigger company taking the code and out-resourcing us. If AWS or Google decided tomorrow to fork Sunglasses and put their engineering team behind it, MIT would not stop them.
We do not get the reciprocity that copyleft was designed to create. Contributions back to the project are voluntary. Some people will contribute. Many will not.
We made that tradeoff consciously. The alternative — AGPL — was protecting a codebase that nobody was using. Protection without adoption is just ownership of something that does not matter yet.
We chose adoption. We chose reach. We chose the chance that Sunglasses ends up running inside systems we will never know about, protecting agents we will never see, because that is the goal. The filter in every AI agent pipeline in the world. MIT is the only license compatible with that goal.
If you want to use it — pip install sunglasses — no strings attached.