ost secrets scanners work the same way. They maintain a list of regex patterns — one for AWS access keys, one for GitHub personal access tokens, one for Stripe keys, one for JWT headers — and they scan your code looking for matches. When a pattern fires, they report a finding. When it doesn't, they stay silent. This works well for secrets that have distinctive, consistent formats. An AWS access key always starts with AKIA followed by 16 uppercase alphanumeric characters. A GitHub PAT has a recognisable prefix. A private key has a PEM header. Regex catches these reliably. But it's only part of the problem. And the part it misses is exactly where real breaches happen. This is the story of why I built a machine learning secrets detector — what the existing approaches get wrong, what ML adds, and what the combined system catches that neither approach catches alone. The Two Failure Modes of Existing Tools Before building anything, I spent time understanding where the leading tools fail.…