For the last year, one word has represented the conversation living at the intersection of AI and cybersecurity: speed. Speed matters, but it’s not the most important shift we are observing across the threat landscape today. Now, threat actors from nation states to cybercrime groups are embedding AI into how they plan, refine, and sustain cyberattacks. The objectives haven’t changed, but the tempo, iteration, and scale of generative AI enabled attacks are certainly upgrading them.

However, like defenders, there is typically a human-in-the-loop still powering these attacks, and not fully autonomous or agentic AI running campaigns. AI is reducing friction across the attack lifecycle; helping threat actors research faster, write better lures, vibe code malware, and triage stolen data. The security leaders I spoke with at RSAC™ 2026 Conference this week are prioritizing resources and strategy shifts to get ahead of this critical progression across the threat landscape.

The operational reality: Embedded, not emerging

The scale of what we are tracking makes the scope impossible to dismiss. Threat activity spans every region. The United States alone represents nearly 25% of observed activity, followed by the United Kingdom, Israel, and Germany. That volume reflects economic and geopolitical realities.¹

But the bigger shift is not geographic, it’s operational. Threat actors are embedding AI into how they work across reconnaissance, malware development, and post-compromise operations. Objectives like credential theft, financial gain, and espionage might look familiar, but the precision, persistence, and scale behind them have changed.

Email is still the fastest inroad

Email remains the fastest and cheapest path to initial access. What has changed is the level of refinement that AI enables in crafting the message that gets someone to click.

When AI is embedded into phishing operations, we are seeing click-through rates reach 54%, compared to roughly 12% for more traditional campaigns. That is a 450% increase in effectiveness. That’s not the result of increased volume, but the result of improved precision. AI is helping threat actors localize content and adapt messaging to specific roles, reducing the friction in crafting a lure that converts into access. When you combine that improved effectiveness with infrastructure designed to bypass multifactor authentication (MFA), the result is phishing operations that are more resilient, more targeted, and significantly harder to defend at scale.

A 450% increase in click-through rates changes the risk calculus for every organization. It also signals that AI is not just being used to do more of the same, it is being used to do it better.

Tycoon2FA: What industrial-scale cybercrime looks like

Tycoon2FA is an example of how the actor we track as Storm-1747 shifted toward refinement and resilience. Understanding how it operated teaches us where threats might be headed, and fueled conversations in the briefing rooms at RSAC 2026 this week that focused on ecosystem instead of individual actors.

Tycoon2FA was not a phishing kit, it was a subscription platform that generated tens of millions of phishing emails per month. It was linked to nearly 100,000 compromised organizations since 2023. At its peak, it accounted for roughly 62% of all phishing attempts that Microsoft was blocking every month. This operation specialized in adversary-in-the-middle attacks designed to defeat MFA. It intercepted credentials and session tokens in real time and allowed attackers to authenticate as legitimate users without triggering alerts, even after passwords were reset.

But the technical capability is only part of the story. The bigger shift is structural. Storm-1747 was not operating alone. This was modular cybercrime: one service handled phishing templates, another provided infrastructure, another managed email distribution, another monetized access. It was effectively an assembly line for identity theft. The services were composable, scalable, and available by subscription.

This is the model that has changed the conversations this week: it is not about a single sophisticated actor; it is about an ecosystem that has industrialized access and lowers the barrier to entry for every actor that plugs into it. That is exactly what AI is doing across the broader threat landscape: making the capabilities of sophisticated actors available to everyone.

Disruption: Closing the threat intelligence loop

Our Digital Crimes Unit disrupted Tycoon2FA earlier this month, seizing 330 domains in coordination with Europol and industry partners. But the goal was not simply to take down websites. The goal was to apply pressure to a supply chain. Cybercrime today is about scalable service models that lower the barrier to entry. Identity is the primary target and MFA bypass is now packaged as a feature. Disrupting one service forces the market to adapt. Sustained pressure fragments the ecosystem. By targeting the economic engine behind attacks, we can reshape the risk environment.

Every time we disrupt an attack, it generates signal. The signal feeds intelligence. The intelligence strengthens detection. Detection is what drives response. That is how we turn threat actor actions into durable defenses, and how the work of disruption compounds over time. Microsoft’s ability to observe at scale, act at scale, and share intelligence at scale is the differentiation that matters. It makes a difference because of how we put it into practice.

AI across the full attack lifecycle

When we step back from any single campaign and look for a broader pattern, AI doesn’t show up in just one phase of an attack; it appears across the entire lifecycle. At RSAC 2026 this week, I offered a frame to help defenders prioritize their response:

• In reconnaissance: AI accelerates infrastructure discovery and persona development, compressing the time between target selection and first contact. 

• In resource development: AI generates forged documents, polished social engineering narratives, and supports infrastructure at scale. 

• For initial access: AI refines voice overlays, deepfakes, and message customization using scraped data, producing lures that are increasingly difficult to distinguish from legitimate communications. 

• In persistence and evasion: AI scales fake identities and automates communication that maintains attacker presence while blending with normal activity. 

• In weaponization: AI enables malware development, payload regeneration, and real-time debugging, producing tooling that adapts to the victim environment rather than relying on static signatures. 

• In post-compromise operations: AI adapts tooling to the specific victim environment and, in some cases, automates ransom negotiation itself. 

The objective has not changed: credential theft, financial gain, and espionage. What has changed is the tempo, the iteration speed, and the ability to test and refine at scale. AI is not just accelerating cyberattacks, it’s upgrading them.

What comes next

In my sessions at RSAC 2026 this week, I shared a set of themes that help define the AI-powered shift in the threat landscape.

The first is the agentic threat model. The scenarios we prepare for have changed. The barrier to launching sophisticated attacks has collapsed. What once required the resources of a nation-state or well-organized criminal enterprise is now accessible to a motivated individual with the right tools and the patience to use them. The techniques have not fundamentally changed; the precision, velocity, and volume have.

The second is the software supply chain. Knowing what software and agents you have deployed and being able to account for their behavior is not a compliance exercise. The agent ecosystem will become the most attacked surface in the enterprise. Organizations that cannot answer basic inventory questions about their agent environment will not be able to defend it.

The third is understanding the value of human talent in a security operation using agentic systems to scale. The security analyst as practitioner is giving way to the security analyst as orchestrator. The talent models organizations are hiring against today are already outdated. But technology can help protect humans who may make mistakes. Though it means auditability of agent decisions is a governance requirement today, not eventually. The SOC of the future demands a fundamentally different kind of defender.

The moment to lead with strategic clarity, ranked priorities, and a hardened posture for agentic accountability is now.

If AI is embedded across the attack lifecycle, intelligence and defense must be embedded across the lifecycle too. Microsoft Threat Intelligence will continue to track, publish, and act on what we are observing in real time. The patterns are visible. The intelligence is there.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report 2025.

The post Threat actor abuse of AI accelerates from tool to cyberattack surface appeared first on Microsoft Security Blog.

Threat actors are increasingly abusing HTTP cookies as a control channel for PHP-based webshells on Linux servers. Instead of exposing command execution through URL parameters or request bodies, these webshells rely on threat actor-supplied cookie values to gate execution, pass instructions, and activate malicious functionality.

This approach reduces visibility by allowing malicious code to remain dormant during normal application behavior and execute only when specific cookie conditions are met. This technique has been observed across multiple execution contexts, including web requests, scheduled tasks, and trusted background workers.

The consistent use of cookies as a control mechanism suggests reuse of established webshell tradecraft. By shifting control logic into cookies, threat actors enable persistent post-compromise access that can evade many traditional inspection and logging controls.

Cookie-controlled execution behavior

Across the activity analyzed, HTTP cookies acted as the primary trigger for malicious execution. Instead of exposing functionality through visible URL parameters or request bodies, the webshell logic remained dormant unless specific cookie values were present. Only when those conditions were satisfied did the script reconstruct and execute threat actor–controlled behavior.

Threat actors likely prefer this approach because cookies blend into normal web traffic and often receive less scrutiny than request paths or payloads. In PHP, cookie values are immediately available at runtime, for example through the $_COOKIE superglobal, allowing malicious code to consume attacker-supplied input without additional parsing. By shifting execution control into cookies, the webshell can remain hidden in normal traffic, activating only during deliberate interactions. This reduces routine logging and inspection visibility while enabling persistent access without frequent changes to files on disk.

Observed variants of cookie-controlled PHP web shells

Although the core technique remained consistent across incidents, the PHP implementations varied in structure and complexity. The following examples illustrate how attackers adapted the same cookie-controlled execution model across different environments. 

Loader with execution gating and layered obfuscation

One observed implementation introduced an additional execution gate before processing any cookie input. The loader first evaluated request context and reconstructed core PHP functions dynamically using arithmetic operations and string manipulation. Sensitive function names were intentionally absent in cleartext, significantly reducing obvious indicators and complicating pattern-based detection. 

After the initial base64 decoding, the PHP script did not immediately reveal obvious command functionality. Instead, it exposed a second, deliberate layer of obfuscation. Critical operations were rebuilt programmatically at runtime, with function names and execution logic assembled character-by-character. This design ensured that meaningful behavior remained concealed until execution conditions were satisfied.

Only after these runtime checks passed did the script begin parsing structured cookie input. Cookie values were segmented and transformed into function identifiers, file paths, and decoding routines. If a secondary payload was not already present, the loader reconstructed it from encoded data, wrote it to a dynamically determined location, and transferred execution using ‘include’. 

This layered approach separated deployment, obfuscation, and activation into distinct stages. Under routine traffic, the file appeared inert. When supplied with deliberate attacker-controlled input, however, it transitioned into a fully functional execution framework.

Direct cookie-driven payload stager

Another observed implementation relied on structured cookie data without extensive preliminary gating. The script segmented cookie input to reconstruct operational components such as file handling and decoding functions. As with the previous loader, it conditionally wrote a secondary payload to disk and executed it if absent.

Although simpler in structure, this variant achieved the same objective: staged deployment and execution controlled by cookie values rather than visible request parameters.

Cookie-gated interactive webshell

A streamlined variant was also observed in which a single cookie value acts as an execution key. When the expected cookie condition is met, the script enables threat actor–controlled actions, including direct execution of supplied input and, in some cases, file upload. Unlike staged loader chains, this implementation operates within a single script and does not rely on a separate secondary payload written to disk.

In this design, cookies primarily serve as a validation mechanism rather than a payload container.

Observed attack flow: Persistence through scheduled tasks

During incident investigation, we analyzed a compromise in which the threat actor prioritized durable, low-noise persistence within a hosted Linux environment. After obtaining access to the victim’s hosting account, the threat actor used the platform’s legitimate management interface, such as a control panel workflow, to register a cron job. In environments that provide restricted shell access, for example via /usr/local/cpanel/bin/jailshell, authenticated users can execute commands within their account boundary, including registering or launching scheduled tasks. Because these actions follow normal administrative paths, they appear as routine account-level operations rather than overt system modifications.

In shared hosting scenarios, this level of access is typically equivalent to user-level control within the account’s isolated environment. While it does not indicate root-level compromise or control of the underlying server, it provides sufficient capability to modify web content, deploy PHP scripts, and schedule recurring execution through cron. These permissions are often enough to convert temporary access into persistent remote code execution within the hosted account.

As illustrated in the diagram, the cron job executed at regular intervals and invoked a shell routine that reconstructed an obfuscated PHP loader into a web-accessible location. This behavior was intentionally implemented to maintain persistence. If the loader was removed, the scheduled task recreated it on the next execution cycle. The job also applied restrictive file permissions, making manual modification or removal more difficult during incident response.

This “self-healing” mechanism, controlled by the threat actor, allowed the malicious file to reappear after cleanup attempts, complicating remediation and enabling a more stable foothold within the affected hosting account.

Once deployed, the PHP loader followed the same low-visibility pattern described earlier. It remained inactive during normal traffic and activated only when specific cookie conditions were met. On activation, it dynamically rebuilt functionality at runtime and transferred execution to threat actor–controlled logic. By separating persistence through cron-based re-creation from execution control through cookie-gated activation, the threat actor reduced operational noise and limited observable indicators in routine application logs.

Commonalities and delivery methods

Across the activity analyzed, a consistent operational pattern emerged. While individual implementations varied in structure, each relied on multi-layer obfuscation to conceal sensitive functionality and cookie-gated execution to control activation. Under routine traffic conditions, the scripts remained dormant. Only when specific cookie values were supplied did the malicious logic reconstruct and execute. Whether deployed as a staged loader or an interactive webshell, the objective remained consistent: controlled activation with minimal observable footprint.

The delivery mechanism followed a similarly deliberate design. In multiple environments, web-facing processes such as php-fpm spawned shell commands that reconstructed obfuscated PHP files using the recognizable echo | base64 -d > file.php pattern. In other cases, equivalent commands were executed within restricted shell environments, such as through cPanel jailshell, or established via scheduled tasks at the hosting account level.

Rather than relying on complex exploit chains, the threat actor leveraged legitimate execution paths already present in the environment, including web server processes, control panel components, and cron infrastructure, to stage and preserve malicious code. The repeated use of base64 reconstruction combined with multi-layer runtime obfuscation separated deployment, concealment, and activation into distinct phases. This layered design allowed the malicious code to blend into normal operational activity while maintaining reliable remote code execution.

Why persistence enables long-term remote code execution

In the attacks analyzed, persistence was deliberate, not incidental. Rather than depending on a single exploit or a short-lived foothold, the threat actor turned initial access into a repeatable mechanism for remote code execution (RCE). By combining scheduled tasks with obfuscated PHP loaders, they preserved the ability to execute code even after the original entry point was remediated or access paths were disrupted.

Persistent RCE provides long-term flexibility. It allows threat actors to return on demand to run additional commands, deploy follow-on payloads, alter application behavior, or pivot to other resources without repeatedly re-triggering the same exploit chain. This reduces operational risk and can limit the number of noisy intrusion attempts that might otherwise raise alerts.

In shared hosting environments, account-level access is often sufficient to create scheduled tasks, modify web content, and run arbitrary PHP within the affected site’s boundaries. When execution is further protected behind cookie-gated activation, the malicious logic can remain dormant during routine activity and activate only when the threat actor supplies the correct input. Over time, this durable access can support data theft, expansion to adjacent applications, or compromise of connected services, often with minimal visible disruption.

Mitigation and protection guidance 

Microsoft recommends the following mitigations to reduce the impact of PHP webshell–based compromises discussed in this report. These recommendations build on established guidance from previous Microsoft Defender research and align with protections available across Microsoft Defender XDR to help organizations prevent, detect, and respond to post-compromise web shell activity targeting web servers and application workloads. 

Strengthen Hosting Account Security 
Enforce multi-factor authentication for hosting control panels, SSH access, and administrative interfaces. Monitor for unusual login activity, particularly from unfamiliar IP addresses or geographies, as compromised account credentials are often sufficient to deploy webshells and create persistence mechanisms. 

Restrict Web Server Process Execution 
Limit the ability of web‑facing services such as php‑fpm or application worker workloads to spawn shell processes. Restrict the execution of shell interpreters (sh, bash, dash) and commonly abused encoding or file ingress utilities such as base64, curl, and wget from web server execution contexts unless they are explicitly required by the application.  

Advanced Hunting can be used to surface cases where web server workloads spawn shell interpreters or execute encoded or file‑retrieval commands, as these patterns provide high‑signal indicators of webshell execution and command injection attempts. 

Audit and Monitor Scheduled Tasks 
Regularly review account‑level cron jobs and scheduled tasks across web servers and application hosts. Unexpected entries that invoke shell commands or write files into web‑accessible directories may indicate persistence mechanisms used to deploy, restore, or re‑activate malicious webshell loaders.  

Advanced Hunting can be used to identify cron‑initiated execution patterns, including unusually short execution intervals (for example, recurring one‑minute jobs) and command lines associated with file creation, script execution, encoding utilities, or file ingress tools. These behaviours are commonly observed during web shell persistence and recovery activity following initial compromise 

Inspect Suspicious File Creation in Web Directories 
Focus on suspicious content deployment into web directories by monitoring the command‑line techniques used to write or retrieve files, rather than relying on file creation telemetry alone. Attackers frequently deploy PHP web shells by decoding obfuscated payloads inline (for example, using echo piped to base64 -d with output redirection) or by downloading scripts via file ingress tools such as curl or wget from web server or application execution contexts.  

Advanced Hunting can be used to identify these behaviors by querying process execution events for decoding pipelines, redirection operators, or network retrieval utilities associated with web-facing workloads, providing high‑signal visibility into webshell deployment activity. 

Limit Control Panel Shell Capabilities 
Where hosting control panels are used, restrict or disable shell access such as jailshell wherever possible. If shell access is required, enforce strict access controls and closely monitor command execution to reduce the risk of attackers abusing these environments to deploy or interact with malicious PHP loaders and webshells.

Advanced hunting queries that track command execution from control panel restricted shells can help identify abuse patterns in which attackers leverage legitimate hosting features to maintain access or execute post-compromise tooling. 

Microsoft recommends the following mitigations to reduce the impact of this threat in Linux environments protected by Microsoft Defender for Endpoint: 

• Enable cloud-delivered protection in Microsoft Defender for Endpoint on Linux or the equivalent capability in your antivirus solution. Cloud-based protection helps rapidly detect and block emerging attacker tools, including newly deployed PHP webshells and post-compromise scripts that may evade traditional signature-based detection. 

• Ensure real-time protection is enabled on Linux servers to continuously scan files written to disk, including web directories commonly targeted during PHP web shell deployment (such as /var/www, application upload paths, and temporary directories). 

• Enable behaviour monitoring to detect suspicious runtime activity associated with webshell abuse, such as anomalous child processes spawned by web server processes, execution of system utilities from PHP interpreters, credential access attempts, or data staging and exfiltration behaviours.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog. 

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence. Security teams can leverage Copilot to assist with the analysis and interpretation of obfuscated or heavily encoded scripts, helping accelerate triage and improve understanding of attacker tradecraft during web shell and post-compromise investigations. 

Microsoft Security Copilot prompts

Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:   

• Incident investigation   

• Microsoft User analysis   

• Threat actor profile   

• Threat Intelligence 360 report based on MDTI article   

• Vulnerability impact assessment   

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Microsoft Defender XDR threat analytics

Advanced Hunting queries    

Web Server Spawning Shell 

DeviceProcessEvents 
| where InitiatingProcessFileName in~ ("php-fpm", "httpd", "apache2", "nginx") 
| where FileName in~ ("bash", "sh", "dash") 
| project Timestamp, DeviceName, AccountName, 
          InitiatingProcessFileName, InitiatingProcessCommandLine, 
          FileName, ProcessCommandLine, FolderPath 
| order by Timestamp desc 

Base64 Decode Writing PHP File 

DeviceProcessEvents 
| where FileName in~ ("bash", "sh", "dash", "jailshell") 
| where ProcessCommandLine has "base64" 
| where ProcessCommandLine has ".php" 
| project Timestamp, DeviceName, AccountName, 
          ProcessCommandLine, 
          InitiatingProcessFileName, 
          InitiatingProcessCommandLine 
| order by Timestamp desc 

tee Writing PHP Files

DeviceProcessEvents 
| where ProcessCommandLine has "tee" 
| where ProcessCommandLine has ".php" 
| project Timestamp, DeviceName, AccountName, 
          InitiatingProcessFileName, 
          ProcessCommandLine 
| order by Timestamp desc 

cPanel / jailshell Abuse

DeviceProcessEvents 
| where FileName in~ ("jailshell", "cpanel") 
| project Timestamp, DeviceName, AccountName, 
          FileName, ProcessCommandLine, 
          InitiatingProcessFileName, InitiatingProcessCommandLine 
| order by Timestamp desc 

High-Risk Combined Pattern

DeviceProcessEvents 
| where InitiatingProcessFileName in~ ("php-fpm", "httpd", "apache2", "nginx", "cron", "crond") 
| where ProcessCommandLine has "base64" 
| where ProcessCommandLine has_any (".php", "public_html", "vendor") 
| project Timestamp, DeviceName, AccountName, 
          InitiatingProcessFileName, 
          ProcessCommandLine 
| order by Timestamp desc

Unexpected Shell from Backend Workers

DeviceProcessEvents 
| where InitiatingProcessCommandLine has_any ("artisan", "queue:work", "fwconsole") 
| where FileName in~ ("bash", "sh", "dash") 
| project Timestamp, DeviceName, 
          InitiatingProcessCommandLine, 
          ProcessCommandLine 
| order by Timestamp desc 

Repeated Execution Pattern (1-Minute Cron)

DeviceProcessEvents 
| where InitiatingProcessFileName in~ ("cron", "crond") 
| summarize count() by DeviceName, ProcessCommandLine, bin(Timestamp, 1m) 
| where count_ > 10 
| order by count_ desc

MITRE ATT&CK™ Techniques observed

This campaign exhibited the following MITRE ATT&CK™ techniques across multiple tactics. For detailed detection and prevention capabilities, see the Microsoft Defender XDR Detections section below. 

References

• Microsoft Security Blog – Ghost in the Shell: Investigating Web Shell Attacks 
  https://www.microsoft.com/en-us/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/  

• Gigamon – Investigating Web Shells 
  https://blog.gigamon.com/2022/09/28/investigating-web-shells/  

• Imperva – What Is a Web Shell? 
  https://www.imperva.com/learn/application-security/web-shell/  

• Acunetix – An Introduction to Web Shells 
  https://www.acunetix.com/blog/articles/introduction-web-shells-part-1/  

This research is provided by Microsoft Defender Security Research with contributions from Yashashree Gund and other members of Microsoft Threat Intelligence.

Learn more

Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.   

Learn more about Protect your agents in real-time during runtime (Preview) – Microsoft Defender for Cloud Apps

Explore how to build and customize agents with Copilot Studio Agent Builder 

Microsoft 365 Copilot AI security documentation 

How Microsoft discovers and mitigates evolving attacks against AI guardrails 

Learn more about securing Copilot Studio agents with Microsoft Defender  

The post Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments appeared first on Microsoft Security Blog.

This is a guest post from John Arundel, a Go writer and teacher who runs a free email course for Go learners. His most recent book is The Deeper Love of Go.

Ahoy, maties! Cap’n Long John Arundel here with more tips on sailing the good ship GoLand. This time, we’ll lay aloft to the crow’s nest and turn our spyglass on Junie, the JetBrains AI coding agent.

If you’re new to Junie and AI tools, and aren’t sure where to start, think of this as your treasure map to the hidden gold of GoLand productivity. Arrr you ready to start coding like a pirate?

Flying the black flag

Your first voyage with AI development tools can be a perilous one, veering from calm seas of code to storms of syntax errors and test failures. So, will your AI agent be a trusty first mate, or just an unpredictable stochastic parrot squawking nonsense from your shoulder?

Junie is pretty smart, and she can tackle any task you choose, but she needs the guidance of a good cap’n. To help you stay on course, I’ve put together a handy six-step workflow I like to call “Code like a PIRATE”. Aye, ‘tis another o’ my made-up acronyms—but ye’ll find it easy to remember, me hearties [Are we doing the pirate thing for the whole article?—Anna]

“P” is for Plan

Every good voyage begins with a map. When you set Junie a task, tell her where the ship’s headed, so she’ll know which direction to steer. (I’m sure Junie won’t mind me calling her “she”; fun fact, lots of pirates were women—including quite a few of the men).

Ask Junie to draw up a quick chart for the voyage, but not to set sail until you’ve approved it:

Arr, Junie, me fine lass. I’m a swashbuckling pirate cap’n who needs a Go program to help me share out the booty from my latest captured Spanish galleon. Don’t code anything yet, but show me a brief plan of how the tool might work.

It’s important to get this stuff right before you even leave the dock, so don’t be afeared to spend a bit of time refining the plan. [I’m “afeared” we might be wearing out the salty sea-dog bit already—Anna]

“I” is for Iterate

Even the boldest captains don’t try to cross an ocean in a single leap. It’s more effective to island-hop, sailing a short distance at a time and checking you’re still on course. Give Junie one small task at a time, starting with the simplest possible program that could be useful:

Let’s start with a really simple prototype. I’d like to be able to run the ‘booty’ calculator and answer two questions: the number of crew, and the number of pieces of eight to be divided among them.

Assume everyone has an equal share. The tool should print out how much each crew member is due. Write just enough code to achieve this, and then we’ll think about the next stage.

With too vague a heading, Junie can end up going a bit adrift, like any of us: don’t hesitate to cry “Avast heaving there!” and interrupt her if that happens. Rowing back when the project has gone too far in the wrong direction will cost you a lot of time and doubloons [Seriously, clap a stopper on the pirate speak for now—Anna]. Sorry, I meant to say “tokens”.

“R” is for Review

Once Junie has completed each iteration, go through the code line by line to check and review her work. She’s pretty good at delivering what you asked for, but she doesn’t necessarily know how you want it. For example:

Nice job, Junie, but I have a few suggestions for improvement.

1. Instead of creating a bufio.Scanner in main and passing a pointer to it into the askInt function, let’s eliminate some of that paperwork. Change askInt to take just the prompt string, and have it create the scanner internally.
2. The askInt function shouldn’t print error messages and call os.Exit if there’s a scan error. Instead, have it return any error along with the integer result. Let main take care of all the printing and exiting.
3. If there’s an error from strconv.Atoi, include the invalid input in the error message. For example, “Sorry, I didn’t understand %q. Please enter a whole number.”
4. Move the shares calculation into its own function, so that we decouple the input/output code from the business logic. Have it return the share and remainder values, so that main can print them out.

When giving feedback, bundle all your comments together in one message. This lets Junie generate the new version of the program in a single step, saving tokens. If you keep making small comments and asking her to rebuild the whole program each time, you’ll find your pieces of eight—I mean, credits—dwindling rapidly.

Good programs have a harmonious architecture that makes overall sense: everything works the same way everywhere and it all seems to fit together neatly. Junie can’t achieve this without your guidance, so keep a hand on the tiller and help her ensure things slot neatly into a unified structure.

“A” is for Assess

Once Junie has finished the step you asked for, don’t just glance at the code and move on—take a moment to assess whether it actually does what it should. Does the program run cleanly? Do the functions behave as expected? Are there strange side effects lurking in the bilges, waiting to sink your ship later? [What did I just say?—Anna]

Now that you can see the program in action, you might realise it’s not quite what you want. If so, now’s the time to adjust course, either with Junie’s help or by making little steering inputs yourself.

If you’re happy with the assessment, though, you can move on to the next iterative step towards the final program:

Shiver me timbers, Junie, that be some fine work.

Could you now please move the business logic functions into a booty package in the project root, and put the main.go file into a cmd/booty subfolder?

Also, could ye change the plunder calculations so that the captain gets twice the share of a regular crewmember? Print out the captain’s share separately.

“T” is for Test

No old salt trusts a ship that hasn’t been through its sea-trials, and nor should you. As you and Junie build the program, check each new plank is watertight by adding tests to accompany each function. That way, you’ll know as soon as something springs a leak.

Arr, please add some unit tests now for the CalculateShares function. Generate at least ten test cases.

Move the askInt function into the booty package too, and add logic to check that the number entered is always 1 or greater, or return an appropriate error if it’s not.

Have the function take an io.Reader to read input from, and an io.Writer to print prompts to.

Generate two tests for this function, one for valid inputs, one for invalid inputs.

Junie can be a helpful shipmate when it comes to drafting tests, but don’t just accept her handiwork blindly. Ask yourself: What is this really testing? Are there hidden reefs—edge cases—that we’re missing? And, when the tests fail (they’re no use otherwise) do they print something helpful?

Tis a fine set of tests ye have there, Junie. Could you make them all run in parallel?

In the table tests, could you use a map of test cases keyed by name, and then use t.Run in the test loop with the map key as the subtest name? That’ll make it easier on any scurvy dogs trying to understand the failure output.

Don’t try to inspect the error string itself for invalid inputs; that leads to fragile tests. Instead, just check that AskInt returns any non-nil error for these cases.

“E” is for Evaluate

Machine learning is fine, but human learning is even better. After each task, take a little time to analyse what worked, and what could have gone better.

Were your prompts detailed enough? Did Junie sail safely into harbour, or did she end up grounded on a sandbar because her pilot was too busy splicing the mainbrace? Every voyage is a lesson that’ll help you sharpen your prompting skills, anticipate pitfalls, and become a steadier pirate cap’n for the next expedition.

If you remember the chart we’ve drawn here and use it to navigate your next project, with the help of Junie and GoLand, you’ll be ready to truly code like a PIRATE [That’s it, you’re walking the plank—Anna].

Anchors aweigh

Check out the booty calculator project to see what Junie and I built together—try using it to divvy up your own pirate booty with friends. It’s also kind of fun to say “booty”.

Until next time, shipmates, wishin’ ye fair winds and full sails!

Legal disclaimer: JetBrains s.r.o. does not advocate piracy, illegal seizure of vessels on the high seas, or the consumption of rum. Please swashbuckle responsibly.