In short
Maarten De Bont, M365 developer at Sirus, recaps day two of Techorama 2026. App builders lower the barrier, but product thinking still comes first. Security basics still decide whether systems hold up. Agents are here to stay - their quality depends on guardrails, context, tests and human review.
Day one of Techorama was mostly about AI becoming part of real development work. Agents, coding assistants, Power Platform, hallucination detection, MCP and tool use all pointed in the same direction: the model is only one part of the system.
Day two continued that thread from a different angle. The sessions were less about whether AI can help and more about what needs to be around it: product thinking for app builders, security basics that are actually followed, and agents with clear instructions, context, tools, tests and review.
App builders lower the starting barrier
Elio Struyf opened the day with a session on AI app builders like Bolt, Lovable and Replit. The audience picked the type of app, the target users and a must-have feature. The result was a tool for SMDs, with search functionality and an Easter egg. That prompt went into an app builder, and the room watched what came out.
These tools clearly have a place. They remove setup work and make it easier for non-developers to test an idea quickly. A founder can validate a concept. A product person can create a rough prototype. A designer can start from a Figma file and get something interactive. For experienced developers, the conclusion is different: app builders are useful for quick validation, but most developers will prefer AI tools that keep them closer to the code, such as Cursor, Claude Code, Codex or Copilot.
Think before you prompt
A good point from Elio’s talk was that prompting should not be the first step. Before using an app builder, you still need to think about the product. Who is the user? What do they need to do? What is the core data model? What should stay out of version one?
That last question is easy to skip. When features are cheap to generate, scope becomes easier to lose. AI also makes it easy to rebuild something that already exists, but that does not automatically make it a good idea. The useful question is not only “can I build this?”, but also “should I build this?”
Security still depends on basics
Christian Wenz gave a practical session on the new OWASP Top 10 from an ASP.NET Core and Blazor perspective. The demos covered broken access control, misconfiguration, supply chain failures, cryptographic failures, injection, insecure design, authentication failures, integrity failures, logging failures and mishandling exceptional conditions. A lot of it was familiar, which was the point. The basics still need to be in order.
Paula Januszkiewicz reinforced that from a broader cybersecurity angle. Her session focused on the gaps teams keep leaving behind: misconfigured identity, weak credential handling, poor monitoring, lateral movement that is not detected, and incident response that works on paper but not under pressure. Modern tools help, but human error, weak configuration and poor follow-up remain major risks.
Agents need structure
In the afternoon, Matthias Heylen and Steven Van De Poel showed how to use and build agents with .NET, Microsoft.Extensions.AI, Microsoft Agent Framework and Microsoft Foundry. Their session made the agent loop concrete: the model receives messages, requests a tool call, the application runs that tool, adds the result back to the conversation and sends everything back to the model.
The important part is what sits around that loop. A useful agent needs more than “be helpful”. It needs a role, scope, domain knowledge, constraints, rules and refusal behaviour. Specs help, but they are never complete. The strongest practical idea was to generate tests from the specification before generating the implementation, so the tests become the executable version of the intent. The RAG demo with Techorama data made the same point from another angle: a model without context guesses, while a system with the right context can answer from something real.
A wider lens
The final keynote by Tom Van De Weghe zoomed out from tools and code. He placed AI in a longer history of technology, strategy and power, with China as an important thread.
That was a useful ending after a day full of app builders, OWASP demos, security failures and agent workflows. It is easy to look at AI only as a developer tool, but the broader story is bigger than that. AI is also becoming part of how companies and countries compete.
My takeaway
My main takeaway from day two is that agents are here to stay. The question is no longer whether these tools will be used. They already are. The better question is how we make their output useful, safe and maintainable.
The answer is not just a better model. Quality still depends heavily on guardrails, prompt engineering, context, tests and human review. The developer role keeps moving toward preparation, orchestration and review. More of the work is about setting direction, creating boundaries, checking output and making sure the system behaves the way we expect. That is still engineering.
Sessions attended
- “From Prompt to Production: Can AI Build Real Apps?” — Elio Struyf
- “Securing ASP.NET Core Today: Lessons from the New OWASP Top 10” — Christian Wenz
- “Modern Cybersecurity Failures: Skills and Misconfigurations That Define the Battlefield” — Paula Januszkiewicz
- “The End of Coding as We Know It: Using and Building Agents That Actually Work” — Matthias Heylen and Steven Van De Poel
- “How 5000 Years of History Is Shaping the AI Era” — Tom Van De Weghe
