🎭️ Backstage Tour

Last weekend one of the primary San Francisco theaters (the Orpheum) had an open house where you could go on the stage, backstage, everywhere. It was awesome 😍 

There was a magical moment of standing on the stage, and then seeing them raise the curtain.

I went downstairs backstage and saw the electronics/lighting room, stood in the pit where the orchestra plays, saw the (surprisingly small) dressing rooms with the mirrors, and more.

Some fun facts I learned:

• Everything you need to put on a given musical travels with the show in shipping trucks, including all of the set pieces, costumes, props, lighting, etc.

• For “smaller shows” that are maybe ~7-12 trucks worth, they arrive at a new venue at say 8am, the crew rapidly sets everything up, breaks for dinner at 5pm, then puts on the first show at 7pm that night 🤯 

• ~60-80% of the behind the scenes folks are local to that theater, and they don’t know the show at all yet opening night. So there’s a handful of folks traveling with the show who are orchestrating everything so it’s set up properly.

• The folks on lights have ear pieces, and while they’re learning a new show they may just get guidance from the stage manager like, “OK your next cue is you’re going to pick up stage right a man in blue clothing, 50% brightness, these light settings.” But they don’t know which character it is so they’re just kinda guessing at first.

• Actors often change in almost pitch darkness (except for some lighting they wear around their head) so the light doesn’t bleed on to the stage.

I also saw a “quick change” demo. Sometimes actors only have a few moments to change, so they did a demo of a <1 minute wardrobe change.

There’s actually a ton of prep and thoughtfulness that goes into orchestrating a quick change: how the pants or dress are “pooled” on the ground so you can just step in, how the boots are positioned so they don’t catch on the clothes, how the top layers are laid down to minimize rotation and movement when putting them on, and how there can be one (or more) wardrobe people helping the actors put everything on. Whoa.

Meanwhile, I put on my own clothes like a plebe.

As you might suspect, cybersecurity is just my bridge career, until I get into the stable, lucrative theater or screen industries 👨‍🎤 

Sponsor

📣 Secure Coding from Design to Deployment

Secure coding starts long before production. 

Modern applications move fast, which means security needs to be built in from the start, not added later. From API design to input handling and access control, early decisions have a big impact on reducing risk.

The Secure Coding Best Practices Cheat Sheet covers key areas like secure design foundations, strong authentication and authorization, input validation, and preventing common vulnerabilities such as XSS, SQL injection, and broken access control.

Reduce risk early with practical secure coding and design best practices.

👉 Get the Cheat Sheet 👈

AppSec

• Turn meetings into tangible products - Scott has an AI notetaker in meetings, which he can then use a prompt to turn that into a PRD which his agents can then start building immediately after the meeting.

• Turn memos into implementations - “When I think of defaulting to writing something down, or someone shares a strategy doc, problem statement, idea, etc., I immediately ask Claude, “Let's take the relevant part of this and turn it into an implementation.”

Sponsor

📣 Cybercrime Just Hit Escape Velocity (Here’s the Evidence)

Flashpoint just released its 2026 Global Threat Intelligence Report, and the data is shocking.

• AI-related illicit activity surged 1,500% in a single month

• 3.3B compromised credentials are now fueling identity-based attacks

• Ransomware incidents increased 53% as groups pivot toward pure-play extortion

The report also explores how threat actors are moving from generative tools to agentic AI frameworks that can automate attacks at scale.

👉 View Report 👈

Whoa, that’s some huge growth. Also, I’m curious to learn more about how threat actors are adopting autonomous agents 😅 

Cloud Security

Fighting Eventual Consistency-Based Persistence - An Analysis of notyet
Sonrai Security's Nigel Sood describes his red-blue collaboration with OFFENSAI’s Eduard Agavriloae on notyet (referenced in last week’s issue), an open-source tool that exploits AWS IAM's eventual consistency propagation window to automatically maintain admin persistence by detecting and reversing containment actions within seconds.

Nigel tested nearly a dozen IR techniques against notyet and found that standard AWS-recommended containment methods, including inline policy deletion/modification, managed policy attachments, permission boundaries, group membership changes, access key deactivation, role deletion, and SSM runbooks like AWSSupport-ContainIAMPrincipal, were all ineffective as notyet detected and reversed them within the consistency window. Only Service Control Policies (SCPs) successfully contained notyet, as member account identities cannot modify SCP attachments even with * permissions.

Part 2: AWS CodeBuild (Escalating Privileges via AWS CodeConnections)
Thomas Preece discovered that from an unprivileged AWS CodeBuild job using CodeConnections, you can call an undocumented API to retrieve raw GitHub App tokens or BitBucket JWT App tokens with the full permissions of the installed CodeConnection App. The app generally has read, write and admin permissions on all repos under your organization. See AWS-CodeBuild-HTTP-Intercept-Image for a container image for CodeBuild that allows you to get network monitoring in place before CodeBuild starts your build.

So basically your CodeConnection setup could mean you are one breached build job away from having every repo in your organization compromised 😅 AWS are not planning to fix this issue as they say CodeBuild is a "trusted environment."

💡 Great detailed write-up and walk through of examining how a third party system works internally 👍️ 

Supply Chain

Primer on GitHub Actions Security - Threat Model, Attacks and Defenses
Wiz’s Shay Berkovich describes the GitHub Actions threat model, three main risks (Pull Request pwnage, script injection, 3rd party components), and a defensive playbook.

The post discusses 8 dangerous triggers (including pull_request_target), how script injection occurs when untrusted inputs like branch names or issue titles are directly embedded in bash commands without environment variable binding, and how compromised third-party actions cascade through dependency chains, like when attackers sequentially compromised four Actions to reach Coinbase.

“High-value targets including Sentry, OpenSearch, IPFS, NixOS, Jina AI, and recharts all successfully blocked the attack through a combination of first-time contributor approval gates, actor-restricted workflows, and path-based trigger conditions.”

Blue Team

MITRE Fight Fraud Framework
MITRE has released the Fight Fraud Framework™️ (F3), a free, open knowledge base documenting tactics and techniques used by financial fraud actors based on real-world cyber fraud incidents. The framework maps fraud-specific behaviors and references applicable MITRE ATT&CK techniques where relevant, providing a common taxonomy for describing fraud incidents.

YARAHQ/yara-rule-skill
By Florian Roth and Thomas Roccia: An LLM Agent Skill for expert YARA rule authoring, review, and optimization. Embeds industry best practices from the creator of YARA-Forge and yaraQA into your AI assistant's context. It enables natural language rule writing, review, and optimization.

Little Snitch for Linux
Little Snitch for Linux (GitHub) uses eBPF to monitor and control outgoing network connections, providing a web UI that shows which applications are connecting to which servers, with support for custom rules and automatic blocklist updates. The tool can filter by process, port, and protocol, displays traffic history and data volumes, and accepts blocklists in formats like domain-per-line, /etc/hosts, and CIDR ranges.

Red Team

Building Agentic C2 with Computer Use Agents
BeyondTrust’s Ryan Hausknecht describes a proof-of-concept command-and-control (C2) architecture using Claude's computer use capability, where a C# implant on the target endpoint executes AI-driven actions via Windows APIs (SetCursorPos, SendInput) or pyautogui. To avoid direct connections to Anthropic's API, Ryan used Azure Storage blobs as a dead drop for command polling and Azure Function Apps as a proxy to append API keys, ensuring all traffic appears to originate from Azure.

Claude takes screenshots to determine screen resolution and element positioning, then issues click and keypress commands that flow through the function app back to the implant. This architecture keeps API keys off the endpoint and makes network traffic blend in with normal Azure communications.

Janus: Listen to Your Logs
SpecterOps's Gavin Kramer introduces Janus, an open-source tool that parses C2 logs from Mythic, Cobalt Strike, and Ghostwriter to surface operational friction like failed commands, retries, and tool failures that typically get lost in deleted logs. Janus shows your team where your tooling breaks, where operators lose time, and what you could automate next.

Janus helps them understand:

• Which tools should be updated vs. retired

• When and why tool failures occur

• Which techniques are being improvised due to missing capabilities

• What arguments caused a Beacon object file (BOF) to crash an agent

• What command ran before a callback stopped checking in

• What activity later correlated with detection or prevention

“Janus gives leadership the data layer that has been missing, and it answers:”

• How much time (and therefore cost) is lost to tool failures, retries, and operator workarounds

• Which parts of the engagement hold the most variability in timelines and delivery?

• Where are we paying an “efficiency tax” due to unreliable tooling?

AI + Security

Trusted access for the next era of cyber defense
OpenAI is scaling their Trusted Access for Cyber (TAC) program to thousands of verified defenders and launching GPT-5.4-Cyber, a fine-tuned variant of GPT-5.4 with reduced refusals for cybersecurity tasks and new binary reverse engineering capabilities. OpenAI is using strong Know Your Customer (KYC) and identity verification to limit advanced capabilities to trusted parties, and is giving targeted grants⁠, contributing to open-source security initiatives⁠, and investing in Codex Security⁠ to help defenders more rapidly find and patch vulnerabilities.

💡 Perhaps GPT-5.4-Cyber should have been the name for their erotica chatbot 🤔 Jokes aside, it’s great to see OpenAI investing in securing the software ecosystem, supporting defenders, and releasing higher capability models carefully.

The “AI Vulnerability Storm”: Building a “Mythos-ready” Security Program
New ~30 page Cloud Security Alliance whitepaper from Gadi Evron, Rich Mogull, Robert T. Lee, and a huge list of other contributors authors. A briefing for security leaders on how AI-driven vulnerability discovery is reshaping the defender timeline, the operating model of vulnerability management, and the minimum actions required now. Nice overview of recent events and important things to consider for your security program. See:

• p15 - 10 Questions to Understand Your Security Program State and Influence

• p16 - A Mythos-ready Security Program Risk Register

• p19 - Priority Actions for a Mythos-ready Security Program

4x Velocity, 10x Vulnerabilities: AI Coding Assistants Are Shipping More Risks
Apiiro’s Itay Nussbaum shares results from analyzing the impact of AI coding assistants across tens of thousands of repositories in Fortune 50 orgs. They found AI-assisted developers produced 3-4x more commits, but they were packaged into fewer PRs. By June 2025, AI-generated code was introducing over 10,000 new security findings per month across the repos in their study, a 10x spike in just six months compared to December 2024.

Interestingly, the types of flaws introduced by AI are different, for example, privilege escalation paths jumped 322%, and architectural design flaws spiked 153% (I’d like to know more about these are defined/measured).

💡 Long term I believe coding agents + security orchestration around them will make code more, not less secure, but it’s great to see some stats and investigation on the challenges we’re facing now.

Misc

Misc

• Mina Le - the myth of the "pilates body" - Interesting history around the origins of pilates, barre, Jazzercise, societal expectations, and more.

• Game Changer - Who can perform the most impressive magic trick?

• FBI Recovers Deleted Signal Messages Through iPhone Notifications - How to protect yourself: On your iPhone, go to notification settings for Signal and set Show Previews to Never. Then open the Signal app, go to Settings > Notifications > Notification Content, and select No Name or Content.

• Dr. Mike - Peptides: The Most Overhyped Trend in Fitness?

• Bryan Johnson - Before you take peptides, know this

• Gabi Belle - The Problem with Autotune on TikTok

• Harry Potter by Balenciaga - Outstanding 😂 

• The Primeagen - I made a music video and I'm not sorry - “Yacht problems” 😂 

AI

• The Verge - Read OpenAI’s latest internal memo about beating the competition — including Anthropic

• 20VC with Harry Stebbings - Demis Hassabis: Why AGI is Bigger than the Industrial Revolution & Where Are The Bottlenecks in AI

• Alex Kantrowitz - OpenAI President Greg Brockman: AI Self-Improvement, The Superapp Bet, Path To AGI, Scaling Compute

• Lenny’s Podcast - How to be a CEO when AI breaks all the old playbooks | Sequoia CEO Coach Brian Halligan

• Every - How to Build an Agent-native Product | Mike Krieger

• Anthropic - Automate work with routines - Define routines that run on a schedule, trigger on API calls, or react to GitHub events from Anthropic-managed cloud infrastructure.

• Google - Turn your best AI prompts into one-click tools in Chrome

• China’s AI Companies Are Going Closed Source due to funding constraints. The Chinese government continues using "open source" as political rhetoric in policy documents without providing the billions needed to subsidize actual open model development. The funding reality means Chinese labs can't afford to burn tens of billions on 1GW clusters like American competitors, forcing them to monetize through closed models while potentially releasing smaller open models for overseas marketing and robotics use cases.

• OpenAI, Anthropic, Google unite to combat model copying in China

Politics

• Crypto currency industry bribing donating to politicians

• Ukraine tips drone war in its favor - “Starting from December, our unmanned systems units have neutralized more enemy personnel than they recruit to their ranks.”

• How Trump Took the U.S. to War With Iran - Israel’s Netanyahu made the hard sell. The CIA director described the Israeli prime minister’s regime change scenarios as “farcical.” Tucker Carlson warned Trump that a war with Iran would destroy his presidency. “I know you’re worried about it, but it’s going to be OK,” the president said. Mr. Carlson asked how he knew. “Because it always is.”

  • “Everyone deferred to the president’s instincts. They had seen him make bold decisions, take on unfathomable risks and somehow come out on top. No one would impede him now.”

• Civilization Is Not the Default. Violence Is. - On feudalism, Pax Americana and the changing world order.

• US ban on Chinese fixed spy cameras led to a rising drone threat - “The rise of drone security incidents corresponds almost exactly to the US 2019 ban on Chinese cameras at American military bases.”

• Steve Blank - Nowhere is Safe - “The U.S. has discovered that 1) air superiority and missile defense systems designed to counter tens or hundreds of aircraft and missiles is insufficient against asymmetric attacks of thousands of drones. And that 2) undefended high value fixed civilian infrastructure – oil tankers, data centers, desalination plants, oil refineries, energy nodes, factories, et al -are all at risk…the lessons from Iran’s attacks on infrastructure in the Gulf Cooperation Council countries is that anything on the surface is going to be a target.”

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋 

🏫 High School Reflections

As you might guess from the fact that I write a cybersecurity newsletter, I was pretty cool in high school.

This week I randomly came across this YouTube video Learn to Solve an Integral (What Makes You Beautiful Parody), and it took me back.

I remember algebra and calculus being really fun, I would have loved to make a song like this.

I remember being in marching band, playing during football games. The drum line had this one riff where whenever they started playing it the band and the entire student body would start moshing. At one point they got banned from playing it because it made people too rowdy 😂 

(“One time, at…”) Band camp before the school year started was a blast, we always had these epic Halo tournaments. 8 vs 8 CTF, four TVs, two in each room. Mountain Dew and smack talking galore.

I took two programming classes, Visual Basic and Java, but I actually didn’t like them, and I didn’t really “get it.” It might not have helped that neither teacher really knew how to program (one was a football coach 🤷). Kind of ironic given what I do now.

I wish I journaled more, it’d be fun to look back on.

I wonder how your childhood and high school formed who you are today 🤔 

P.S. My friend and former colleague Peter Greko is open to new opportunities. He worked on the AI red team at Microsoft, and most recently Block.

Sponsor

 Register for a brand new research-focused webinar series from Push Security

Join Push Security threat researchers along with incredible guests like John Hammond, Troy Hunt, and Matt Johansen in a brand new webinar series deep-diving into the State of Browser Attacks.

The browser is the place where modern breaches happen, powered by a huge amount of attacker innovation — countless ClickFix variants, new malvertised phishing campaigns intercepting users on search engines, and device code phishing attacks being powered by brand new PhaaS kits and AI tools. And we’re only in April. 

Get ahead of this threat evolution and register your spot now!

👉 Register here 👈

AppSec

Remediation at Scale: What High-Performing AppSec Teams Do Differently
My colleagues at Semgrep did some interesting data crunching across 50k+ repos across 400+ organizations, analyzing stats on fix rate and mean time to remediation across SAST, SCA, and severity level, if certain vulnerability classes are harder to remediate, if catching vulnerabilities earlier improves remediation rates, and more.

salesforce/url-content-auditor
A security auditing tool designed to detect sensitive data exposure in publicly accessible web content. It systematically scans, extracts, and audits images, PDFs, and video files using AI-powered analysis (Google Gemini API) to identify potential data leaks, compliance violations, and privacy risks.

Meet Vespasian. It Sees What Static Analysis Can’t.
Praetorian's Blayne Dreier, Nathan Sportsman et al release Vespasian, an open-source tool that generates API specifications (OpenAPI 3.0, GraphQL SDL, WSDL) by observing real HTTP traffic from headless browser crawls (powered by Katana) or importing existing captures from Burp Suite, HAR files, or mitmproxy. The tool uses a two-stage pipeline: first capturing traffic with full JavaScript execution to catch dynamically-constructed API calls that static analysis misses (or import traffic), then classifying requests using confidence-based heuristics, deduplicating endpoints via path normalization, and probing for metadata through OPTIONS requests, GraphQL introspection, and WSDL fetching.

Organizational Politics & The Security Program
Phil Venables describes how organizational politics are a necessary skill for security leaders, arguing it's the application of influence to achieve outcomes, not something inherently negative. Phil shares lessons from decades as a CISO and Chief Risk Officer, including: decisions are pre-ordained outside formal meetings through advance consensus-building, you should embed security into existing business processes and budgets rather than creating separate initiatives, and building broad support across the organization (not just relying on your boss) is critical for program longevity.

Some key tactics: leveraging the Risk = Hazard + Outrage equation to prioritize work, using Force Field Analysis to understand what's preventing change, and connecting disparate teams across the organization to build political capital beyond just security outcomes.

“If you’re going into a meeting or committee and you don’t already feel confident on the outcome then you’ve missed the point and will have likely not done the work to line up support for the outcome you want. Remember, committees are the roots of power structures not the structure themselves.”

“Many of the security programs I’ve run also drove improvements in reliability, development agility, product features, and more. These came from observations of issues in the security processes that we could have ignored as being outside of our lane, but we decided to press and got support in doing so.”

“Remember, published organization charts almost never actually represent the true organization structure in terms of influence. That has to be discovered by you.”

Sponsor

📣 Axios. Trivy. LiteLLM. More are coming.
 Root stops compromised dependencies.

Recent software supply chain attacks just rewrote the playbook. Here's the kicker: they won't have a CVE and they won't be triggered by a scanner. These attacks exploit the one thing every pipeline trusts blindly: upstream dependencies. Compromised maintainers, hijacked registries, silent tag overwrites. By the time you notice, you've already built and shipped it. The only fix is controlling what enters your environment. Root pins every dependency to verified, known-good versions and backports security patches without forced upgrades so you stay secure without breaking your build.

👉 Fix your supply chain 👈

Pinning dependencies to known-good versions would prevent so many recent supply chain attacks, and I could see backported security patches saving weeks to months of dev time, depending on the company. Neat 👍️ 

Cloud Security

gabrielPav/aws-preflight
By Gabriel Pavel: A security linter for AWS CLI commands that catches misconfigurations before execution, featuring 703 checks across 91 AWS services. The tool analyzes commands for issues like missing IMDSv2 enforcement, unencrypted storage, public accessibility, overly permissive IAM policies, and disabled logging.

notyet: Open-Source Tool to Test AWS IAM Credential Revocation Gaps
OFFENSAI's Eduard Agavriloae has released notyet, an open-source tool that exploits AWS IAM's eventual consistency (the ~4 second propagation window where disabled or deleted credentials remain valid) by continuously monitoring for defender actions (key deletion, policy detachment, role removal) and automatically responding with credential rotation, role assumption, policy persistence, and defensive action stripping. Notyet can help IR teams test whether their containment playbooks work against automated adversaries.

Enforcing AI Governance Across AWS Organizations
Sonrai Security describes how to enforce AI governance across AWS Organizations using Service Control Policies (SCPs) and Bedrock Policies to centrally manage AI service access. The post provides examples for: preventing access to the AWS control plane through AWS’s managed MCP servers, org-wide Bedrock policies for blocking prompt injection attacks, disabling specific AI services like Bedrock AgentCore, controlling model family availability, and preventing long-term Bedrock API key creation/use.

Supply Chain

elastic/supply-chain-monitor
By Elastic: Automated monitoring of the top PyPI and npm packages for supply chain compromise. Polls both registries for new releases, diffs each release against its predecessor, and uses an LLM (via Cursor Agent CLI) to classify diffs as benign or malicious.

lirantal/npm-security-best-practices
By Liran Tal: A curated and practical list of security best practice for using npm packages. Safe-by-default npm package manager command-line options, hardening against supply chain attacks, deterministic and secure dependency resolution, etc.

DriftlessAF: Introducing Chainguard Factory 2.0
Chainguard’s Matt Moore, Manfred Moser, and Maxime Greau announce DriftlessAF (GitHub), an agentic reconciliation framework that replaced their event-driven Factory 1.0 architecture. DriftlessAF uses AI-powered reconciler bots in a Kubernetes-style reconciliation loop to continuously compare desired state (zero CVEs, latest packages) against actual state across 2,000+ containers and hundreds of thousands of package versions, by reasoning about unstructured data and creating self-healing workflows that can safely discard failed work items.

The framework includes Terraform modules for event-driven reconciliation infrastructure, a multi-regional work queue, and Go packages for GitHub repository, OCI container, and APK package reconciliation. Engineers now review AI-generated pull requests and package updates instead of creating them manually, while the system autonomously manages hundreds of thousands of package versions and CVE patch backports.

💡 This seems like some impressive engineering, and cool that they open sourced it! I think we’ll see more of this going forward, with agents autonomously building and mending software. See OpenAI’s Harness Engineering blog or Simon Willison’s Agentic Engineering Patterns for more.

AI + Security

Quicklinks

• step-security/dev-machine-guard - Scan your dev machine for AI agents, MCP servers, IDE extensions, and suspicious packages.

• Is Your Identity Security Keeping Up with AI? | Delinea 2026 Report - 87% of organizations say they’re ready for AI—but nearly 50% admit they can’t fully track AI and non-human identities accessing critical systems. That gap creates unmanaged access and standing privileges. Read Delinea’s 2026 Identity Security Report to learn more.*

• knostic/AgentSonar - Detect shadow AI agents by monitoring network traffic and classifying process-to-domain pairs.

^*Sponsored

Vulnpocalypse: AI, Open Source, and the Race to Remediate
Nice post by my bud Chris Hughes synthesizing a number of stats, posts, related work, and his interviews on AI finding vulnerabilities, time to exploitation, patching challenges, etc.

On LLMs and Vulnerability Research
Devansh Batham gives a number of arguments refuting that LLMs can’t understand code or find meaningful vulnerabilities, and I think makes an interesting case that LLMs + coding harnesses will likely be able to find “novel” or “creative” new vulnerability classes, as these classes are really just combinations of known primitives.

For example, HTTP request smuggling is really: ambiguous protocol specification + inconsistent parsing between components + a security-critical assumption about message boundaries. And prototype pollution RCEs in JavaScript frameworks: injection + type confusion + privilege boundary crossing. This novel composition of primitives is what LLMs are increasingly good at. “Most of what we call novel vulnerability research is creative recombination within a known search space.”

Vulnerability Research Is Cooked
Excellent post by Thomas Ptacek on the history of vulnerability research, and how LLMs are uniquely suited for finding and exploiting vulnerabilities because they already encode vast correlations across source code, understand all documented bug classes (stale pointers, type confusion, allocator grooming), and excel at the pattern-matching and constraint-solving required to chain subtle framework details into exploits.

Thomas argues that this capability will democratize elite exploit development beyond high-value targets like Chrome to everything from databases to printers, overwhelming open source maintainers with verified high severity reports, making closed-source protection irrelevant (agents can reason directly from assembly), and potentially triggering bad AI security regulations that fail to recognize asymmetric costs on defenders.

“We’ve been shielded from exploits not only by soundly engineered countermeasures but also by a scarcity of elite attention.”

“Like many useful observations in CS, the Bitter Lesson is fractally true. It’s about to hit software security like a brick to the face.”

See also their podcast with Nicolas Carlini.

Project Glasswing: Securing critical software for the AI era
Anthropic announces Project Glasswing, a collaboration with AWS, Apple, Google, Microsoft, NVIDIA, and others to use Claude Mythos Preview—an unreleased frontier model that has already discovered thousands of high-severity vulnerabilities across major operating systems and web browsers—for defensive security purposes.

Anthropic is providing access to 40+ organizations building critical infrastructure along with $100M in usage credits and $4M in direct donations to open-source security organizations. Launch partners include CrowdStrike, Palo Alto Networks, and Cisco. They’ve also donated $2.5M to Alpha-Omega and OpenSSF through the Linux Foundation, and $1.5M to the Apache Software Foundation.

💡It’s great that Anthropic is gathering a group of partner companies to collaborate with on this, and I appreciate the sizable investment in helping secure the software ecosystem more broadly ($100M in usage credits is no joke).

Prediction: models from multiple labs are going to keep getting better, and specifically better at cybersecurity, but those will mostly not be available except to trusted parties due to the risk of abuse. I’m glad that folks take this risk seriously.

Assessing Claude Mythos Preview’s cybersecurity capabilities
Anthropic’s Nicholas Carlini et al discuss Mythos Preview’s capabilities in finding and exploiting zero-days in open source software, and its ability to reverse engineer exploits on closed-source software, turning N-day (known but not yet widely patched) vulnerabilities into exploits. “Over 99% of the vulnerabilities we’ve found have not yet been patched.”

“In one case, Mythos Preview wrote a web browser exploit that chained together four vulnerabilities, writing a complex JIT heap spray that escaped both renderer and OS sandboxes. It autonomously obtained local privilege escalation exploits on Linux and other operating systems by exploiting subtle race conditions and KASLR-bypasses. And it autonomously wrote a remote code execution exploit on FreeBSD’s NFS server that granted full root access to unauthenticated users by splitting a 20-gadget ROP chain over multiple packets.”

“We did not explicitly train Mythos Preview to have these capabilities. Rather, they emerged as a downstream consequence of general improvements in code, reasoning, and autonomy.”"

Methodology:

1. They launched a container (isolated from the Internet and other systems) that runs the project-under-test and its source code.

2. They invoke Claude Code with Mythos Preview and prompt it to find bugs, and produce a proof-of-concept exploit and reproduction steps if found.

3. To encourage Claude to focus on different parts of the code base, they first have Claude rank each file in the project from 1-5 on how likely it is to have bugs.

4. They then invoke many copies of Claude in parallel, tasking each run focus on one of the most interesting files.

5. Finally they ask Mythos to triage findings from prior steps.

The most critical bug they found in OpenBSD, after a thousand runs of their scaffold, cost ~$20,000 total, and found several dozen more findings.

“In 89% of the 198 manually reviewed vulnerability reports, our expert contractors agreed with Claude’s severity assessment exactly, and 98% of the assessments were within one severity level. If these results hold consistently for our remaining findings, we would have over a thousand more critical severity vulnerabilities and thousands more high severity vulnerabilities.”

“For multiple different web browsers, Mythos Preview fully autonomously discovered the necessary read and write primitives, and then chained them together to form a JIT heap spray.”

“We’ve used these capabilities to find vulnerabilities and exploits in closed-source browsers and operating systems. We have been able to use it to find, for example, remote DoS attacks that could remotely take down servers, firmware vulnerabilities that let us root smartphones, and local privilege escalation exploit chains on desktop operating systems.”

Regarding N-days: “We began by providing Mythos Preview a list of 100 CVEs and known memory corruption vulnerabilities that were filed in 2024 and 2025 against the Linux kernel. We asked the model to filter these down to a list of potentially exploitable vulnerabilities, of which it selected 40. Then, for each of these, we asked Mythos Preview to write a privilege escalation exploit that made use of the vulnerability (along with others if chaining vulnerabilities would be necessary). More than half of these attempts succeeded.”

Misc

Misc

• Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit - A researcher released the PoC for an unpatched Windows privilege escalation bug because they were unhappy with MSRC’s disclosure process.

• Nick Collins - Introduction to Computer Music - Free ~350 page book.

• Why Charlie Puth hears music differently

• Contrapunk - Real-time MIDI harmony generator and guitar-to-MIDI converter.

• An interactive map of Tolkien’s Middle Earth

• Advanced Search for YouTube - Filters like exact terms, exclude terms, title includes, video length, date before/after.

• Alex Hormozi - How to make progress faster than everyone - On being cringe, trying hard, and not comparing your first chapter to someone’s 20th.

AI

• voldemortensen/snark-driven-development - A Claude Code skill that wraps development workflows with sharp, substance-backed snarky commentary

• GitHub issue: Claude Code is unusable for complex engineering tasks with the Feb updates

• Lenny’s Podcast - How Anthropic added $11B in ARR in one month | Amol Avasare (Head of Growth, Anthropic)

• Humanoid Robot Accidentally Slaps Boy During Public Demo in China - After reportedly saying, “You best watch yo’ mouth son!”

• What is Rizzbot? Meet the AI Robot Rizzing Up Your Girl - Not gonna life, some of these videos are pretty hilarious

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋 

🫶 Long Career, Long Friendships

This week I was reflecting a bit after BSidesSF and RSAC about how careers are long.

I remember attending conferences when I first started in security and being intimidated by how it was crowded and full of strangers.

This year, there were still many strangers not yet friends, but now I got to catch up with many former colleagues and friends I’ve known for years. Some for a decade 👴 

It feels nice knowing we’re all working together in our own ways, at different companies, to make the world a little bit safer.

Also, just wanted to share a few thoughts:

• It’s OK if you don’t know people at an event or conference. 98% of the time if you go up and chat with a stranger it goes great, or at least fine.

  • When I’m nervous at events, I like to think about how, just by both of us being at a security event, I have a vast amount of shared experience and context with anyone there.

• If every event you just meet a handful of people, that’s going to compound event on event, year on year. Soon you’ll likely know at least a few people at most events.

Anywho, if you attended, I hope you had a great time and made some friends, and didn’t just repeat “AI” until a VC materialized and dumped money on you.

P.S. Dan Guido kindly turned his [un]prompted talk into a tl;dr sec guest post. It’s excellent, highly recommend.
👉️ How we made Trail of Bits AI-native (so far) 👈️ 

Sponsor

📣 Free tool: instant visibility into your Claude Desktop deployment

Employees aren't waiting for approval. Claude Desktop is getting deployed with MCP servers, OAuth connectors, CoWork scheduled tasks, and browser-control extensions your security team never reviewed.

Our Head of Security, Ed Merrett, built a lightweight, read-only audit tool to give you instant visibility. One command surfaces everything: installed extensions and whether they're signed, MCP server configs, dangling env variables, OAuth tokens, scheduled tasks, org-deployed plugins, and runtime state.

p.s. If you’re looking for more help with securing the Claude ecosystem, visit harmonic.security to check out our other free resources!

👉 Audit your Claude setup 👈

AppSec

portswigger/ip-rotate
By Portswigger: An extension for Burp Suite that uses AWS API Gateway to rotate your IP on every request, helping bypass IP-based rate limiting, bruteforce protections, and WAF blocks.

Passkeys are Your New Best Friend
Google's Harsh Lal explains how passkeys use asymmetric cryptography to replace passwords, where a private key stored on your device signs authentication challenges while the public key on the server verifies them, making them phishing-resistant through domain binding and useless if servers are breached. Nice brief overview of why passkeys are safer than passwords, signing in across devices, FAQ of security concerns, and risks: sync account hijacking (mitigated by requiring the old device's screen lock) and social engineering attacks requiring physical proximity

A year of open source vulnerability trends: CVEs, advisories, and malware
GitHub's Jonathan Evans analyzes the 4,101 reviewed advisories GitHub published in 2025, the fewest since 2021, but this reflects a reduction in backfilling older vulnerabilities rather than fewer new discoveries- newly reported vulnerabilities actually increased 19% year-over-year. The data shows cross-site scripting remains the top vulnerability type; resource exhaustion, unsafe deserialization, and SSRF saw significant increases. Advisories without any CWE dropped 85% due to improved tagging. GitHub's malware advisory publications surged 69% to 7,197 (driven by campaigns like SHA1-Hulud). The GitHub CNA published 35% more CVE records (2,903 total) with 679 new organizations requesting CVE IDs. “We saw 10 to 16% growth every quarter. If this trend continues, GitHub will publish over 50% more CVEs in 2026.”

💡 Frontier models are getting so much better at finding vulnerabilities + much more code is being written → 2026 is for sure going to be a record breaking year for CVEs, the only question is by how much. People are (in my opinion, correctly) talking about an upcoming “vulnpocalypse." 😅 

Sponsor

📣 Webinar: Executive Impersonation and Modern Phishing Tactics

Executive impersonation attacks pressure employees with urgency, authority, and high-stakes requests. Because they rely on social engineering instead of obvious malware, they often slip past traditional email defenses. Join Sublime Security for a live webinar on April 8 to break down how these attacks work, review real-world patterns, and learn practical ways security teams can detect and stop impersonation attempts earlier.

👉 Register 👈

Andrew Becherer is a sharp dude, and gave an excellent talk at the Decibel event Daniel Miessler and I co-hosted during RSA. He definitely has perspective worth listening to.

Cloud Security

Reunifying the Cloud: Introducing Aurelian for Multi-Cloud Security Testing
Praetorian's Aarushi Dwivedi et al have released Aurelian, an open-source Go-based multi-cloud security framework that unifies reconnaissance, secrets discovery, and IAM analysis across AWS, Azure, and GCP. Aurelian evaluates resource policies using real IAM policy evaluation logic (not just flag checks), integrates with Titus for secrets scanning with live credential validation via API calls, and maps privilege escalation paths to Neo4j for Cypher-based querying of multi-hop attack chains.

Don’t expose yourself in public - let AWS error messages do it for you
Plerion’s Daniel Grzelak describes how AWS recently rolled out friendly IAM error messages that inadvertently created a simple oracle for detecting publicly exposed resources: assume a role with a deny-all session policy, make a request, and if the error says "explicit deny in a session policy," the resource policy would have allowed it, confirming public exposure.

💡 The contents of my friend Daniel's posts have great security advice, and the titles have good life advice.

Supply Chain

TeamPCP Supply Chain Campaign
Nice round-up landing page by Rami McCarthy.

TeamPCP Supply Chain Campaign: A March 2026 Retrospective
Great overview by OpenSourceMalware’s Jenn Gile on how TeamPCP executed a cascading multi-phase supply chain attack in March 2026, leveraging a single unrevoked credential stolen from Trivy's CI pipeline to compromise several ecosystems (Aqua Security, npm, LiteLLM/PyPI, Checkmarx, and Telnyx), harvesting CI/CD secrets at each stage to fund the next, while also deploying a geotargeted filesystem wiper against Iranian infrastructure.

💡 I met Jenn at the tl;dr sec community event before BSidesSF, she seems super sharp and nice 🙂 

Supply Chain Attack on Axios Pulls Malicious Dependency from npm
Socket describes a supply chain attack that compromised Axios, one of the most widely used HTTP clients in the JavaScript ecosystem (~100M weekly downloads), by injecting the malicious dependency plain-crypto-js@4.2.1, which was published minutes before the poisoned Axios releases. The release appeared outside the normal Axios workflow, only two malicious versions were published, and only one line was added to package.json (the malicious dependency)- small, targeted changes being less likely to raise suspicion.

💡 *Takes a long drag from my cigarette* Another day, another NPM compromise.

The Comforting Lie Of SHA Pinning
Aiden Vaines describes a subtlety of how GitHub scopes SHA hash references when you’re trying to pin a GitHub Action to a commit SHA. Basically, if you have a repo using the GitHub Action avaines/gh_action@<SHA> , and an attacker forks that action, adds malicious code, and submits a PR to the target repo that only changes the Action’s SHA reference, it will look like avaines/gh_action@<BAD_SHA> (same owner/repo name, only the SHA has changed, despite this version coming from a different GitHub user). “The result is that a pull request can replace a pinned, trusted action with attacker-controlled code without changing the apparent repository reference.”

Chainguard’s Billy Lynch wrote about this in 2023: What the fork? Imposter commits in GitHub Actions and CI/CD. Great write-up.

Securing the open source supply chain across GitHub
GitHub's Zachary Steindler discusses prevention steps you can take today, plus a look at the security capabilities GitHub is working on. He recommends enabling CodeQL to scan Actions workflows for security issues, avoiding pull_request_target triggers, pinning third-party Actions to full commit SHAs, and using OpenID Connect tokens with trusted publishing instead of secrets. GitHub scans all 30,000+ daily npm package publishes for malware and is accelerating their Actions security roadmap in response to attacks like Shai-Hulud, while working with OpenSSF to expand trusted publishing support across npm, PyPI, NuGet, RubyGems, and Crates.

What's coming to our GitHub Actions 2026 security roadmap
GitHub's Greg Ose describes their 2026 roadmap to secure GitHub Actions against supply chain attacks through: introducing workflow-level dependency locking (similar to Go's go.mod/go.sum) that pins all direct and transitive dependencies with commit SHAs (future: immutable releases), implementing policy-driven execution protections via rulesets that control who can trigger workflows and which events are allowed (with evaluate mode for safe rollout), and adding scoped secrets that bind credentials to specific repositories, branches, environments, or trusted reusable workflows.

GitHub is also building the Actions Data Stream for near real-time execution telemetry to S3/Azure Event Hub and a native Layer 7 egress firewall for GitHub-hosted runners that operates outside the runner VM with monitor and enforce modes, treating CI/CD infrastructure as critical infrastructure with enforceable network boundaries.

💡 These seem like excellent, thoughtful improvements. Love the push towards better visibility, security controls, and secure by default. Hats off to the GitHub team for these initiatives. Unfortunately the timeline is 3-6 months, though I’d rather them build it right than poorly.

Red Team

googleprojectzero/Jackalope
Binary, coverage-guided fuzzer for Windows, macOS, Linux and Android. Built on TinyInst for binary instrumentation, supports both file and shared memory sample delivery.

On the Effectiveness of Mutational Grammar Fuzzing
Mutational grammar fuzzing is a type of fuzzing that uses a predefined grammar to describe the structure of the samples (e.g. input string or file) so that when a sample gets mutated, the resulting samples still adhere to the grammar rules. Google Project Zero’s Ivan Fratric describes two key flaws in mutational coverage-guided grammar fuzzing: 1) more coverage doesn’t mean more bugs, you need to test the right code patterns (e.g. functions need to be called in a certain order, or the result from one function is used as in input to another function), and 2) mutational fuzzing produces highly similar samples due to its greedy nature of saving slightly-modified samples that trigger new coverage.

To address these issues, Ivan proposes a technique in Jackalope where the fuzzing worker spends half of the time creating a fully independent corpus generated from scratch and half of the time working on a larger corpus that also incorporates interesting samples (as measured by the coverage) from previous workers.

It's More Than Saying No
Zoom’s Head of Assurance Andy Grant describes what to do when leadership asks your offensive security team to do work it was never designed for. Andy argues that offensive security teams lose effectiveness when they accept misaligned work like QA support, rushed pentests, or control validation, which disrupts the long exploration periods needed for discovering unknown unknowns through intuition-driven research.

Rather than saying no to requests, proactively engage with leadership to anticipate concerns, start investigating before formal requests arrive, and reframe incoming work to align with the team's adversarial research model, for example, reframing "can you test X before release?" into deeper investigations of trust boundaries and systemic risk.

AI + Security

[un]prompted 2026 YouTube Playlist
The talk recordings have (mostly) been published. 65 talks at the forefront of AI + security. The final 9 will be uploaded soon.

RSA 2026 Startup Landscape
Jake Epstein mapped every cybersecurity startup at RSAC 2026 (322 companies) into 18 categories, including Agent Security / Non Human Identity, developer security, AI SOC, AI pen testing, data pipelines, human risk, and more. Neat visualization.

VulnVibes: Building an AI Agent That Reasons Across Microservices to Find Real Vulnerabilities
Anshuman Bhartiya announces VulnVibes, an AI-powered agent that analyzes Pull Requests for vulnerabilities by reasoning across multiple repositories in an organization, which is useful in microservice architectures. It searches across your entire GitHub organization to understand your architecture, verify what security controls actually exist, and determine if a suspicious code change is a real vulnerability. VulnVibes works in two stages: first threat modeling the PR diff to identify security-relevant changes, then performing cross-repo investigation by reading infrastructure configs (Docker Compose, nginx), checking for security controls, and following vulnerability-specific investigation playbooks.

Anshuman walks through running VulnVibes against microvibes-lab (a test org with auth-service, doc-api, frontend-app, and infra-ops repos), in which it correctly identified an SSRF vulnerability by tracing the attack path across three repos to confirm a flat Docker network and lack of WAF protection, made a nuanced call that a permissive CORS config was a false positive after verifying the codebase only uses header-based auth, and appropriately ignored a safe JWT refactoring.

Misc

Claude Code source map leak

• Anthropic shipped a source map file in the Claude Code npm package, exposing the full unobfuscated TypeScript source (~1,900 files, 512K+ lines). It’s also suspiciously close to April Fools Day 🤔 Maybe it’s real though? (Thariq tweet)

• Claude Code Hidden Features - 89 feature flags, unreleased autonomous agents, companion pets, anti-distillation systems, and more — extracted from 1,809 source files.

• nblintao/awesome-claude-code-postleak-insights

• instructkr/claw-code - Someone took Claude Code leak, then used Codex to port the core features to Python from scratch, and then ported it to Rust.

• Theo’s video - I think he’s overly negative and I don’t agree with all his points, but it has some reasonable context.

Misc

• Dissecting the Bars While Rapping - Harry Mack dissects what he’s doing in his rap (structurally, setting up rhymes), while rapping about it. Insane 🤯 

• 404 Media - The company WebinarTV is secretly scanning the Internet for Zoom meeting links, recording the calls, and turning them into AI-generated podcasts for profit.

• Can it Resolve DOOM? Game Engine in 2,000 DNS Records - As DNS TXT records can store arbitrary text, Adam Rice was able compress and play DOOM from 1,966 TXT records on a single CloudFlare Pro DNS zone. 😂 

• Apple says no one using Lockdown Mode has been hacked with spyware in the four years since it’s been launched. This is impressive, and a great example of eliminating vulnerability classes/raising the security bar at scale 🤘 

• Matt Rife exposes Tik Tok shadow ban on standup comedy

• Gabor Mate to Hasan Minaj - Kids Speak Where It’s Safe 😭 

• Alex Hormozi - How to Win With AI in 2026

• Good Work - Why fun tech jobs went extinct

• 7 months underwater on a nuclear submarine - Fascinating!

Politics / Privacy

• Iran-linked hackers breach FBI director's personal email, publish photos and documents

• Iran built a vast camera network to control dissent. Israel turned it into a targeting tool - Allegedly Israel hijacked Iran’s street cameras in order to successfully track and target Iran’s supreme leader. “Experts say advances in AI have allowed militaries to overcome a critical hurdle in weaponizing hacked footage: sifting through huge amounts of video to identify people, vehicles, and other targets.”

• Using a VPN May Subject You to NSA Spying - Because VPNs obscure a user’s true location, and because intelligence agencies presume communications of unknown origin are foreign, that may give the NSA the authority to intercept the communication without a warrant.

• EU Disinfo Lab - Disinfo Update 12/11/2025 - I haven’t come across this lab before so I’m not sure about the trustworthiness, but it has some interesting links around topics including: the X algorithm amplifying right-wing and extreme content, Meta’s profits being tied to scam ads, Russia recruiting fighters from other companies, Israel paying US influencers to boost its image, AI chatbots repeating Russian propaganda, and more.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋 

👨‍💼 I Will Survive

Phew, stay strong my friends, we’re almost through the BSidesSF and RSAC montage ✊ 

Too many to list them all, but some quick thoughts and moments that stuck out:

• Thank you to everyone who come to the inaugural tl;dr sec community meet-up! I had a blast 🥰 Also shout-out to Scott Behrens and Travis McPeak for joining me for a fireside chat.

• Anna Westelius gave an inspiring BSidesSF keynote about reasons for us security folks to be optimistic.

• It was fun joining my friends Ken Johnson, Seth Law, Kevin McDermott, and Astha Singhal on an Absolute AppSec panel at BSidesSF.

• Delicious KBBQ with a bunch of other security creator nerds, H/T Ashish and Shilpi of the Cloud Security Podcast for organizing!

• Huge thanks to Decibel’s Dan Nguyen-Huu and Jon Sakoda for hosting an awesome set of lightning talks, which my bud Daniel Miessler also helped organize. Great talks from Rob Ragan, Jackie Bow, Andrew Becherer, and Sydney Marrone!

  • Dave Aitel choosing the Imperial March from Star Wars as his intro music was delightful 😂 

• Randomly meeting former NSA Director Rob Joyce! H/T Lina Lau, whose company is working on some impactful stuff 👀 

• Hearing from folks who were moved by my talk last BSidesSF about vulnerability 🥹 This had the biggest impact on me.

Security creator friends!

Sponsor

📣 AI is Expanding Your Attack Surface.
Can You Secure It?

AI adoption is accelerating across cloud environments, from LLMs to autonomous agents and complex data pipelines. But without dedicated AI security posture management (AI-SPM), these innovations introduce a new class of risks that traditional tools can’t address.

From exposed training data to overprivileged AI agents, the attack surface is expanding faster than security teams can keep up.

Download the guide to learn a five-step framework to gain visibility, assess risk and secure AI across your cloud environment.

👉 Download guide 👈

AppSec

ChiChou/vscode-frida
A VSCode extension providing comprehensive IDE for Frida dynamic instrumentation, featuring a sidebar for listing apps/processes on local/USB/remote devices, interactive panels for browsing modules/exports and classes/methods (Java/Objective-C), and one-click hook generation for native functions, ObjC selectors, and Java methods.

How "Strengthening Crypto" Broke Authentication: FreshRSS and bcrypt's 72-Byte Limit
Pentester Lab's Louis Nyffenegger analyzes CVE-2025-68402, an authentication bypass in the development branch of FreshRSS a self-hosted RSS aggregator, caused by a "strengthen crypto" commit that replaced SHA-1 (40 chars) with SHA-256 (64 chars) for nonce generation. The longer nonce, when concatenated with the bcrypt hash before verification, pushed the password-dependent portion of the hash beyond bcrypt's 72-byte truncation limit, meaning password_verify() only checked the nonce plus the algorithm identifier ($2y$10$) and one salt character, none of which depend on the actual password.

"A commit meant to strengthen the crypto ended up removing the need for a valid password." 😱 

Sponsor

📊 Cside Report: The Future of Web Security Depends on the Browser

The browser runtime sits between your website < > customers, bots, AI agents, and fraudsters. No one is watching it. And agents now access websites on behalf of humans, adding the risk of consumer agents being manipulated by script injections from third-party code. Grab this report to see data on: the new threat of locally hosted stealth browsers, a 15x rise in user-action AI agents, 275% increase on discussions of bot traffic, and results of an industry survey on how practitioners are preparing against AI-agent driven website fraud.

👉 Get the Report from Cside 👈

I could definitely see the bar rising for preventing AI-agent driven fraud or bot abuse given improvements in AI + browser use. I’m curious how the secure this new world.

Cloud Security

Quicklinks

• Federal cyber experts called Microsoft’s cloud a “pile of s#!t,” approved it anyway - Deep dive by ProPublica

• AI Remediation Developers Will Actually Use - Every vulnerability tool tells you what's wrong. No one tells you how to actually fix it. Rebuild the image, bump a dependency, or apply a mitigation? The right answer depends on how it's built. Maze AI agents understand your environment and deliver the fix your team would actually use.*

  • This is a nice post on the nuances and challenges of auto-fixing.

• dan-v/cloudshell-store - A distributed file store built on AWS CloudShell's free persistent storage. Chicanery of the highest order 🫡 

^*Sponsored

IAMTrail
AWS silently updates Managed IAM policies all the time. This project by Victor Grenu tracks the full version history and diffs for 1525 AWS Managed IAM Policies, archived since 2019.

Pwning AI Code Interpreters in AWS Bedrock AgentCore
Friend of the newsletter BeyondTrust’s Kinnaird McQuade discovered that the AWS Bedrock AgentCore Interpreter’s Sandbox network mode (“complete isolation with no external access”) does allow public DNS queries. The post walks through using that capability to establish bidirectional communication (command and control, C2) using a custom tunneling protocol via DNS queries and responses, obtain a full interactive reverse shell, exfiltrating data, and performing command execution with the Code Interpreter’s IAM role. GitHub PoC.

Result: "AWS communicated that a fix will not be made and it will change the documentation’s description of sandbox mode instead. AWS awarded the security researcher with a $100 gift card to the AWS Gear Shop." 😂

Inside AWS Security Agent: A multi-agent architecture for automated penetration testing
AWS’ Tamer Alkhouli, Divya Bhargavi, Daniele Bonadiman et al describe how AWS Security Agent works and how they benchmarked it. With CTF instructions and grader checks after each tool call it achieved 92.5% on CVE Bench v2.0, 80% without CTF instructions or grader feedback (more like real-world conditions), and 65% using an LLM whose knowledge cutoff date predates CVE Bench v1.0 release.

See also Sena Yakut’s blog overview on setting up AWS Security Agent and scanning DVWA.

💡 This post actually had a pretty good amount of details and context, nice. I also found it interesting how performance dropped when using an LLM with knowledge cutoff before the CVE Bench release- is it doing better due to “memorizing” the answers or is it just a worse model because it’s older? 🤔 

Pentesting a pentest agent - Here's what I've found in AWS Security Agent
Richard Fan discovered five security vulnerabilities in AWS Security Agent, an autonomous AI pentesting tool, and discusses four of them (the 5th isn’t fixed yet).

1. The DNS confusion bug allowed attackers to manipulate Route53 private hosted zones to trick the agent into pentesting public domains they don't own by exploiting the "Unreachable" domain status and DNS record verification timing.

2. Richard was able to trick the agent into hacking itself, obtaining a reverse shell with root access to the agent sandbox by injecting commands into debug messages, and escaping the container through the mounted /run/docker.sock to access the host EC2 instance and its IAM role credentials.

3. He found the agent sometimes performs unnecessarily destructive actions like using DROP TABLE for SQL injection probes.

4. The agent can expose unredacted passwords in pentest reports.

Supply Chain

Quicklinks

• I’ve been doing BSidesSF/RSA stuff non-stop so I haven’t had time to fully get the lay of the land but it seems like a few things have been on fire. I wonder if the threat actors chose this week due to thinking defenders might be busy at conferences 🤔 Rude!

• Trivy Compromised - By Wiz’s Rami McCarthy

• TeamPCP Compromises LiteLLM: Credential Stealer in PyPI, 70 Repos Exposed - I love how this post by Boost Security's François Proulx emphasizes the collaborative nature of the folks working to detect and respond to these supply chain attacks. More from Semgrep and Datadog.

• HackingLZ/litellm_1.82.8_payload - Defanged malware stages from the litellm 1.82.8 PyPI supply chain compromise — credential stealer, K8s lateral movement, C2 backdoor.

Agent Skills are the New Packages of AI: It's Time to Manage Them Securely
JFrog’s Yonatan Arbel announces their Agent Skills Registry product. Yonatan argues that we should be treating Skills like open source dependencies: version tracking them, scanning them for malicious contents, tracking provenance, etc.

💡Something like this makes a lot of sense to me. We should be taking all of the lessons we’ve learned over time from various package registries and language ecosystems and ideally building them in from the beginning with new things like Skills.

Blue Team

mandiant/speakeasy
By Mandiant: A Windows malware emulation framework that executes binaries, drivers, and shellcode in a modeled Windows runtime instead of a full VM. It emulates APIs, process/thread behavior, filesystem, registry, and network activity so samples can keep moving through realistic execution paths.

FancyBear Exposed: Major OPSEC Blunder Inside Russian Espionage Ops
Ctrl-Alt-Intel discovered an exposed open-directory on a FancyBear (APT28/GRU) C2 server that revealed the group's complete toolkit, telemetry logs, and exfiltrated data from a 500+ day espionage campaign targeting government and military entities across Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia. The exposed server contained 2,800+ exfiltrated emails, 240+ credential sets with TOTP 2FA secrets, and more.

“FancyBear developed a modular, multi-platform exploitation toolkit where a victim simply opening a malicious email - with no further clicks - could result in their credentials stolen, their 2FA bypassed, emails within their mailbox exfiltrated, and a silent forwarding rule established that persists indefinitely.”

Red Team

Islands of Invariance
Rasta Mouse (maybe Rasta Mouse on X, Daniel Duggan?) describes how Crystal Palace now includes an automatic YARA generator that creates signatures based on "islands of invariance" (predictable, unchanged code patterns after optimization).

A scalpel, a hammer, and a foot gun
Raphael Mudge has released ised, a program rewriting tool for Crystal Palace that surgically inserts or replaces code at instruction pattern matches to break content signatures. The tool uses a two-pass implementation with prepend/append/replace buckets and supports specific/generic/mnemonic pattern matching from Crystal Palace's disassembler output.

"A potential outcome is that researchers building tools on this platform may feel quite comfortable releasing Yara rules for all of their capability. It’s no loss, because they and their users would likely have a private ised-cocktail ready to go. What would change in red teaming (or cybersecurity even), if there was no fear of ‘burning a tool’ because of its content tells and behavior was the only meaningful battleground?"

ghostvectoracademy/DLLHijackHunter
By GhostVector Academy: An automated Windows DLL hijacking detection tool that discovers, validates, and confirms exploitable DLL hijack opportunities through a four-phase pipeline: discovery (enumerates binaries across services, scheduled tasks, startup items, COM objects, and AutoElevate UAC bypass vectors), filtration (eliminates false positives through hard and soft gates), canary confirmation (deploys a harmless canary DLL and triggers the binary to prove the hijack works), and scoring (0-100% confidence plus 0-10 impact score based on privilege gained, trigger reliability, and stealth).

AI + Security

NVIDIA/NemoClaw
An open source referencer stack that simplifies running OpenClaw agents inside NVIDIA OpenShell sandboxes with multi-layer security controls including Landlock, seccomp, network namespaces, and policy-enforced egress filtering. More below.

NVIDIA/OpenShell
OpenShell provides a sandboxed execution environment for AI agents that enforces declarative YAML policies to prevent unauthorized file access, data exfiltration, and uncontrolled network activity. The system runs as a K3s cluster inside a single Docker container and applies defense-in-depth across four policy domains: filesystem (read/write restrictions), network (outbound connection control with HTTP method and path-level enforcement), process (privilege escalation blocking), and inference (model API call routing).

OpenShell supports Claude, OpenCode, Codex, OpenClaw, and Ollama agents out of the box and manages credentials as injectable providers that never touch the sandbox filesystem. Security policies are hot-reloadable at runtime for network and inference layers, while filesystem and process restrictions are locked at sandbox creation

IronCurtain: A Personal AI Assistant Built Secure from the Ground Up
Security legend Niels Provos asked himself: How would you build a personal AI assistant if you took security seriously from the start? So he built IronCurtain, which sandboxes LLM-generated code, enforces policy in plain English, and keeps credentials out of the agent's reach.

IronCurtain funnels all actions through a single MCP proxy chokepoint where a policy engine enforces rules written in plain English and compiled to deterministic policies. The system supports two sandbox modes: Code Mode runs LLM-generated TypeScript in isolated V8 with no filesystem/network access, while Docker Mode runs full agents like Claude Code CLI in containers with --network=none where a MITM proxy swaps fake API keys for real ones to maintain credential separation.

The plain-English constitution approach (inspired by Microsoft Research's LEGALEASE) lets users write policies like "agent may read/write files in project directory but must ask before git push" which compile to deterministic allow/deny/escalate rules, with an optional auto-approver that recognizes explicit user intent to reduce alert fatigue.

💡 Really thoughtful, great read. I love the architecture of making sure there’s a single security enforcement point, and how you can ease the burden of writing complex enforcement policies via natural language (but that are still enforced deterministically).

Misc

Feels

• Hugh Grant: "It's been very, very depressing watching Big Tech kidnap their lives, and to see children really finding it very, very difficult to get properly interested in anything that isn't a screen."

• Matthew Hussey - Why Men Don't Open Up These Days...

• HealthyGamerGG - Why Sharing Your Feelings Can Kill Your Relationship 

• Kevin James on Finding Love Later in Life

• Ethan Hawke - The one who’s in love always wins

Misc

• How an unappetizing shrub became dozens of different vegetables - Centuries of selective breeding turned a single wild weed into everything from broccoli to Brussels sprouts. Whoa 🤯 

• Turns out all your Pokémon Go data will be used to train robots - Niantic is using location data collected from Pokémon Go and Ingress players to train Coco Robotics' urban delivery robots.

• rexrodeo/american-healthcare-conundrum - Investigative data journalism: quantifying fixable waste in US healthcare, one issue at a time. Open-source analysis of CMS, OECD, and federal datasets. $98.6B in savings identified so far.

• Zelensky: Russia providing Iran with Shahed drones used against US bases

• How the Turner Twins Are Mythbusting Modern Gear - The twins are A/B testing modern gear by having one dress in cutting-edge technical apparel and the other in 100-year-old heritage kit on the world’s toughest expeditions.

• False claims in a widely-cited paper. No corrections. No consequences. Welcome to the Business School.

• "One Day More," except Waluigi is every part 😂 😂 

• America’s Got Talent - A magician instantly changing her outfit like 8 times

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋 

👩‍💻 Brace Yourself, Conferences Cometh

I’m excited for BSidesSF and RSA but phew, things have been busy 😅

If you’re flying in to San Francisco, safe travels! And remember to periodically eat, sleep, and shower amidst all the fun conference and event activities.

• Friday - tl;dr sec Community Kickoff.

  • Mostly filling up, but DM me and I’ll try get you in.

• Saturday - I’m joining my friends on an Absolute AppSec panel, and will be at BSidesSF both days!

• Wednesday - Coding Agents Unleashed hosted by TL;DR Sec & Unsupervised Learning - There’s going to be some 🔥 lightning talks from smart folks. Broader Decibel registration link here.

Semgrep is also having a ton of events. If you need a break from the RSA craziness you can stop by the office, get some coffee, snacks, or lunch, and chat with some Semgrep folks if you want.

If you find me I’ll have some tl;dr sec t-shirts and brand new stickers…

Hard to tell from the photo but it’s holographic

Sponsor

📣 Cybercrime Just Hit Escape Velocity
(Here’s the Evidence)

Flashpoint just released its 2026 Global Threat Intelligence Report, and the data is shocking.

• AI-related illicit activity surged 1,500% in a single month

• 3.3B compromised credentials are now fueling identity-based attacks

• Ransomware incidents increased 53% as groups pivot toward pure-play extortion

The report also explores how threat actors are moving from generative tools to agentic AI frameworks that can automate attacks at scale.

👉 View the Report 👈

AppSec

Quicklinks

• Applying Security Engineering to Make Phishing Harder - Lessons learned by Doyensec from testing a “Communication Platform as a Service.”

• Corridor Raises $25M Series A to Secure AI Coding at the Source - Corridor is tackling a problem many Security and Engineering Teams are starting to feel big time - code being generated faster than traditional AppSec can secure it. Corridor’s approach embeds security directly into AI coding workflows. Backed by some of the smartest investors in AI and AppSec. tl;dr sec readers get 3 months free!*

  • Corridor has been able to pull some security OGs, like Alex Stamos and Joel Wallenstrom. I’m excited to see what they’re building 🤘 

• Martino Spagnuolo - The Forgotten Bug: How a Node.js Core Design Flaw Enables HTTP Request Splitting

^*Sponsored

Introducing Swagger Jacker: Auditing OpenAPI Definition Files
Bishop Fox’s Tony West announces Swagger Jacker, a command line tool for auditing endpoints defined in exposed (Swagger/OpenAPI) definition files. It parses the definition file for paths, parameters, and accepted methods and passes the results to one of five subcommands: automate (sends requests and analyzes response status codes), prepare (generates curl/sqlmap command templates for manual testing), endpoints (lists raw API routes), brute (discovers hidden definition files using 2173+ common paths), and convert (converts v2 to v3 definitions).

mitmproxy for fun and profit: Interception and Analysis of Application
Guide by Synacktiv's Corentin Liaud on using mitmproxy for network traffic interception across Linux, Android, and iOS, including three examples: redirecting git clone requests to download a different repository by modifying HTTP paths, spoofing Android geolocation by parsing and altering gRPC/protobuf coordinates sent to Google's geomobileservices API, and passively capturing Mumble VoIP chat messages by running mitmproxy in reverse TLS mode with custom protobuf parsing scripts.

The post describes setting up your test environment (using Linux network namespaces, lnxrouter for WiFi AP creation, and nftables for transparent traffic redirection), using Magisk's Cert-Fixer module to install system certificates on Android, and includes Python scripts showing how to parse and modify protocol buffers in transit.

Sponsor

📣 Your SOC is a queueing system.
The math matters more than you think.

If you've ever looked at utilization curves, you know what happens when a queue runs hot: wait time doesn't scale linearly. It spikes. In a SOC, that means alerts aging out before anyone touches them.

"The Queue is the Breach" ebook from Prophet Security applies operational math to SOC performance: alert cycle time, wait time by severity, and what analyst utilization actually implies about your team's capacity. It's a framework for diagnosing whether your bottleneck is people, tooling, or the operating model.

Written by Jon Hencinski, Head of Security Operations at Prophet.

👉 Download the eBook 👈

Nice, I like when people take a data-driven approach to security 👍️ 

Cloud Security

Twenty Years of Cloud Security Research
Cloud historian, scholar, and man of the people Scott Piper traces 20 years of cloud security evolution through three distinct eras: the Foundational era (2006-2016) when AWS built core security features like IAM (2011), CloudTrail (2013), and Organizations (2016); the CSPM era (2016-2021) marked by open-source tools like Scout2, Cloud Custodian, Prowler, CloudMapper, Pacu, and StreamAlert; and the CNAPP era (2021-2025) with new cloud security vendors and researchers discovering cross-tenant vulnerabilities like chaosdb and omigod. The emerging AI era (2025+) is fundamentally changing both offense and defense, with AI creating exploits for CVE-2025-32433 and mongobleed in minutes, winning HackerOne's top bounty spot, and solving CTF challenges instantly.

💡 Great overview of relevant research and tools, and nice perspective on how cloud security has been evolving over time.

Bucketsquatting is (Finally) Dead
Ian McKay describes AWS's new S3 bucket namespace protection that prevents bucketsquatting attacks by requiring buckets to follow the format <prefix>-<accountid>-<region>-an, ensuring only the owning account can create buckets matching that pattern. AWS recommends this namespace be used by default for all new buckets and provides a new condition key s3:x-amz-bucket-namespace that security administrators can enforce via SCP policies across their organization.

Google Cloud Storage addresses this differently through domain name verification for bucket names, while Azure Blob Storage remains vulnerable due to its configurable account/container name structure and 24-character limit on storage account names.

See AWS Finally Gave S3 Buckets Their Own Rooms for more context on the issue and an overview of relevant prior research by Aqua.

Supply Chain

Building Bridges, Breaking Pipelines: Introducing Trajan
Praetorian's AJ Hammond, Carter Ross, Evan Leleux et al announce Trajan, an open-source CI/CD security tool from Praetorian that unifies vulnerability detection and attack validation across GitHub Actions, GitLab CI, Azure DevOps, and Jenkins in a single cross-platform engine. It ships with 32 detection plugins and 24 attack plugins covering poisoned pipeline execution, secrets exposure, self-hosted runner risks, and AI/LLM pipeline vulnerabilities.

When an AI agent came knocking: Catching malicious contributions in Datadog’s open source repos
Datadog’s Christoph Hamsen, Christophe Tafani-Dereeper, and Kylian Serrania describe how their LLM-powered code review system BewAIre detected and helped mitigate attacks from hackerbot-claw, an AI agent that attempted to exploit GitHub Actions workflows across their open source repositories. The attacker successfully achieved code execution in one workflow via command injection in filenames, but defense-in-depth controls (organization-wide GitHub rulesets preventing direct pushes to main branches, restricted GITHUB_TOKEN permissions, and no sensitive secrets exposure) limited impact to only pushing a harmless commit to a non-protected branch.

💡 Nice walk through of noticing your open source repos are being targeted → investigating potential impact, and solid advice on hardening open source repos/GitHub Actions. Also, I really like the bullets towards the top on Datadog’s SDLC Security team initiatives re: adapting octo-sts, removing GitHub Action secrets at scale, enforcing CI security best practices, and building golden paths.

Blue Team

elastic/agent-skills
Elastic’s official Skills repos, covering cloud, Elasticsearch, Kibana, observability, and security. Currently includes 4 security Skills for: triaging alerts, case management (managing SOC cases via Kibana Cases when tracking incidents), detection rule management (create, tune, and manage Elastic Security detection rules), and generating sample security data (security events, attack scenarios, and synthetic alerts).

Building a Cloud-Native Detection Engineering Lab with Terraform and AWS
Rafael Martinez describes building a fully automated detection engineering lab (GitHub) in AWS using Terraform to overcome local hardware limitations, deploying three EC2 instances: Kali Linux (attacker), Windows Server with Sysmon and Winlogbeat (target), and Ubuntu running Elasticsearch and Kibana (SIEM). Easy to spin up and down as needed.

Pattern Detection and Correlation in JSON Logs
Mostafa Moradian announces RSigma, a Rust-based command-line tool that evaluates Sigma detection rules against JSON logs without requiring a SIEM. “Think of RSigma as jq for threat detection: you point it at a set of Sigma detection rules and a stream of JSON events, and it tells you what matched, with no ingestion pipeline, no database, no infrastructure.”

RSigma parses YAML rules into a strongly-typed AST, compiles them into optimized matchers, and evaluates them directly against JSON log events in real-time. The toolkit includes rsigma-parser for parsing, rsigma-eval for compilation and evaluation with stateful correlation logic and compressed event storage, a CLI for parsing, validating, linting, and evaluating rules, and rsigma-lsp for IDE support.

Red Team

nikaiw/VMkatz
Extract Windows credentials directly from VM memory snapshots and virtual disks. A single static 2.5MB binary that can extract NTLM hashes, DPAPI master keys, Kerberos tickets, cached domain credentials, LSA secrets, NTDS.dit, directly from VM memory snapshots and virtual disks, no need to exfiltrate a massive VM file.

Solving the Vendor Dependency Problem in RE
Many enterprise applications ship with hundreds to thousands of vendor dependencies, which makes it annoying to locate and analyze the proprietary source code of the application. You drown in vendor code, not the exposed attack surface. Assetnote’s Patrik Grobshäuser announces the release of Hyoketsu, an open-source tool that automatically filters vendor dependencies from Java JARs and .NET DLLs during reverse engineering by using Microsoft runtime detection (via PE header public key tokens), hash matching, and filename matching against a 13.3 GB pre-built SQLite database containing 12M+ DLLs and 14M+ JARs.

AI + Security

p-e-w/heretic
By Philipp Emanuel Weidmann: Fully automatic censorship removal for language models. Heretic removes censorship (aka "safety alignment") from transformer-based language models without expensive post-training by combining an advanced implementation of directional ablation, also known as "abliteration.” This approach creates a decensored model that retains as much of the original model's intelligence as possible.

elder-plinius/OBLITERATUS
By Pliny the Liberator: An open-source toolkit for removing refusal behaviors from LLMs via abliteration (surgically identifying and projecting out internal refusal representations without retraining). Every obliteration run with telemetry enabled contributes anonymous benchmark data to a crowd-sourced research dataset measuring refusal direction universality across 116+ models and 5 compute tiers

Blog overview: OBLITERATUS Strips AI Safety From Open Models in Minutes, and pretty detailed Hugging Face guest post by Maxime Labonne on abliteration here, including code on Google Colab and in an LLM course on GitHub.

💡 As open source models become better and better, not sure how I feel about removing “don’t cause harm” alignment training 😅 

Why Codex Security Doesn’t Include a SAST Report
OpenAI describes why Codex Security doesn’t start by triaging SAST results, but instead starts with understanding the repository’s architecture and trust boundaries: they don’t want to overly influence where Codex looks, not all bugs are dataflow problems, and sometimes code appears to enforce a security check, but it doesn’t actually guarantee the property the system relies on.

When Codex Security encounters a boundary that looks like “validation” or “sanitization,” it tries to bypass it:

• Reading the relevant code path with full repository context, looking for mismatches between intent and implementation.

• Pulling out security-relevant code slices and writing micro-fuzzers for them.

• They give the model access to a Python environment with z3-solver for solving complicated input constraint problems.

• Executing hypotheses in a sandboxed validation environment to prove exploitability.

💡 The post is overall a good discussion of the space and outlines challenges for security scanners. I especially liked though the “how Codex validates” section, because it starts getting into some of Codex Security’s unique technical details.

Securing our codebase with autonomous agents
Travis McPeak describes how Cursor built four security automation templates using Cursor Automations and a custom security MCP tool to handle securing their code at scale, as Cursor’s PR velocity has increased 5x in the past 9 months. The automations include: Agentic Security Review (blocks PRs with security issues), Vuln Hunter (scans existing code for vulnerabilities), Anybump (automatically patches dependencies using reachability analysis and opens PRs after tests pass), and Invariant Sentinel (monitors daily for drift against security/compliance properties). You can see their prompts on their marketplace pages.

Their security MCP, deployed as a serverless Lambda function, provides persistent data storage, deduplication of LLM-generated findings using Gemini Flash 2.5, and consistent Slack reporting across all agents. In the last two months, Agentic Security Review alone has run on thousands of PRs and prevented hundreds of security issues from reaching production.

💡 I like the focus on useful primitives that empower you to build security tooling on top of: “For agents to be useful for security, they need: out-of-the-box integrations for receiving webhooks, responding to GitHub pull requests, and monitoring codebase changes, and a rich agent harness and environment (cloud agents give them all the tools, skills, and observability that cloud agents have access to).

I also wanted to call out the Invariant Sentinel, that’s very clever: what security properties about this repo should always be true? Did this most recent change violate that? I bet detecting drift like this catches some meaningful bugs.

We proactively fixed ~100 security issues in 6 days with 0 humans
Eli Block describes how Ramp Security Engineering built a custom agent pipeline that autonomously found, validated, and fixed ~100 novel security issues in 6 days. Their pipeline starts off with a coordinator agent equipped with skills for each vulnerability category (e.g. IDOR, XSS, …), which launches detector agents in parallel, whose findings are then passed to an adversarial manager agent who checks for false positives (~40% false positive reduction in their sample set of testing).

They found it was difficult to reproduce vulnerabilities with complex pre-conditions against a live Ramp deployment, so instead their validator agent takes reported findings and writes an integration test that reproduced the vulnerability that passes only if the endpoint was secure. Then the fixer agent can patch the vulnerability by following test-driven development on the previously written integration test.

💡 Great write-up! Overall this agent pipeline follows a pretty standard structure (per bug class detectors → vet findings → try to reproduce / “prove” the issue → generate fix), but a few things stand out as unique and valuable insights:

1. Detectors include real examples of that vulnerability from Ramp’s code base. I bet this allows the detectors to be much more precise and effective.

2. Rather than trying to reproduce vulnerabilities in a live environment, they write integration tests that demonstrate the bug. As there are probably already test fixtures or other examples in the code the agent can borrow from, it makes sense that this method would often work in practice. This approach also has the added benefit that you now have a regression test for this bug coming back in the future.

   1. So this leans into what models are good at (writing code) and future proofs the bug from coming back 👍️ 

   2. I’ve been thinking about this approach for a bit now so it’s gratifying to see someone do it 🙂 

Misc

Tech

• vercel-labs/portless - Replace port numbers with stable, named .localhost URLs for local development.

• peakoss/anti-slop - A GitHub action that detects and automatically closes low-quality and AI slop PRs.

• Meta created ‘playbook’ to fend off pressure to crack down on scammers, documents show

• Resist and Unsubscribe - Scott Galloway’s initiative to influence politics by voting with your wallet.

• Andrej Karpathy - US Job Market Visualizer

• The most important question nobody's asking about AI - Why Dwarkesh Patel is happy the Anthropic fight is happening now.

• Startup's agent hacked McKinsey AI - exposing huge volumes of sensitive data - $20 in tokens and two hours to expose 46 million chat logs, 728,000 private files and proprietary RAG documentation. HN discussion.

• Undercover Cop Generated An AI Teenager To Catch Pedophiles - Apparently AI has “been a boon for child abuse investigators,” as when asked for selfies they don’t need to use real images.

  • Related: In 2018, Microsoft volunteers worked with nonprofit Street Grace to create an AI chatbot that interacts with people who click on decoy advertisements on trafficking sites.

Misc

• Ed Sheeran on Friends Keep Secrets - Quickly creating a song from scratch with Benny Blanco. Wow, super cool 😍 

• Kai Lentit - Shipping a button in 2026… 😂 

• This infinite drawing canvas is insane

Politics

• Foreign hacker in 2023 compromised Epstein files FBI held - “The hacker expressed disgust at the presence of child abuse images on the device and left a message threatening to turn its owner over to the FBI. Bureau officials defused the situation by convincing the hacker that they actually were the FBI.” 😂 

• Putin can’t survive without war - The article argues that Russia's war in Ukraine has transformed the country into a "necropolis" where death has become central to its economy, culture, and social fabric. The war sustains a "deathonomics" model where provincial economies depend on recruitment bonuses and death payments (sometimes reaching $60,000). 40% of state spending now flows to military efforts. Really tough read on the impact on every day Russians :(

• Trump in November 2011: “Our president (Obama) will start a war with Iran because he has absolutely no ability to negotiate… The only way he figures he’s going to get reelected is to start a war with Iran.”

• NBC - How Trump decided to strike Iran - “Before the U.S. and Israel launched their aerial assault, the CIA concluded that if the supreme leader, Ayatollah Ali Khamenei, was killed, he could be replaced by equally hard-line officials from within the regime, according to two people familiar with the matter.”

  • “Treasury Secretary Scott Bessent told Congress last month that the U.S. had purposely touched off an economic crisis in Iran that led to the massive street protests early this year that jarred the regime. By creating a dollar shortage in Iran, the U.S. forced Iran to print money, sparking inflation and stoking internal enmity toward the leadership, Bessent said.”

  • “…Trump flew to Mar-a-Lago, where he monitored the strike in the company of senior advisers, as he has done for several foreign strikes this term. He also made time Saturday to attend a political fundraising event at his seaside resort.”

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋 

🌉 BSidesSF and RSA

As the gentle blooming of flowers announces spring, and piles of orange leaves welcome fall, so too does the torrential downpour of security vendor emails and LinkedIn DMs “just touching base” herald the arrival of… RSA!

It’d be great to cross paths if you’re in town. Here’s what I’m up to:

Pre-BSidesSF - Friday March 20th - tl;dr sec Community Kickoff. tl;dr sec’s first community event 😍 I’m excited about it, there’s going to be cool people, I’ve artisanally curated local SF food options, and we’ll have a fireside chat about AI and security builders.

We’ll also have tl;dr sec t-shirts and a totally new, never before seen sticker…

If you can’t make it, you can try to get a t-shirt or stickers by a) finding me or b) Semgrep at another event.

BSidesSF - I’m joining my friends on an Absolute AppSec panel, and will generally be around.

Also check out talks by my colleagues Claudio and Romain on scaling SAST rule writing with AI, Katie Paxton-Fear (InsiderPhD) in a birds of a feather discussion on AI, or Brandon Wu on how to combine AI and static analysis to process CVEs at scale.

RSA - I’m organizing a mini con / lightning talks (Unsupervised + Unhinged) with Daniel Miessler and Decibel. Wed March 25 10am - noon. You can register for their overall program here. More info coming soon!

Also, I’ve made it ma, my name is on an announcement graphic alongside The Chainsmokers 😂 😂 

Sponsor

📣 Securing AI Agents 101

AI agents are changing how work gets done. They take on tasks, orchestrate tools, and drive outcomes across environments. 

Securing AI Agents 101 is a one-page resource to help teams build a clear understanding of what AI agents are, how they operate, and where key security considerations show up.

Inside, you’ll find:

• What makes an AI agent different from traditional tools

• Top risks to watch, from shadow AI to excessive permissions

• Four key questions to assess agent usage and exposure

Download the security flashcard and get up to speed quickly.

👉 Get the Flashcard 👈

AppSec

1Password/load-secrets-action
Load secrets from 1Password into your GitHub Actions jobs using Service Accounts or 1Password Connect.

Please, please, please stop using passkeys for encrypting user data
Tim Cappalli warns companies against using WebAuthn's PRF (Pseudo-Random Function) extension to derive encryption keys for user data, because it couples authentication credentials with data encryption in ways users don't understand. When users delete a passkey from credential managers like Apple Passwords, Google Password Manager, or Bitwarden, they receive no warning that they're permanently destroying access to encrypted photos, message backups, documents, crypto wallets, or other critical data.

Superuser Gateway: Guardrails for Privileged Command Execution
Uber’s Pavi Subenderan and Jyoti Grewal describe Superuser Gateway, a system built to replace direct superuser CLI access with a peer-reviewed, auditable workflow for dangerous operations on production systems (e.g. Google Cloud Storage, OCI, and HDFS). Engineers now submit commands via superuser-cli, which generates a PR in a Git repository where automated CI jobs perform syntax validation, permission checks, and impact estimation (like calculating files affected by rm -r), before a peer approves and a backend service executes the command remotely. This architecture removes superuser credentials from individual engineers' machines entirely, ensuring all privileged operations flow through mandatory peer review while maintaining operational velocity for on-call scenarios.

Sponsor

🚨 Most Confident Organizations Have 2x Higher AI Incident Rates 🚨

Counterintuitive finding from 205 security leaders: organizations most confident in their AI deployments experienced 2x the incident rate of less confident peers. Meanwhile, 43% report AI making infrastructure changes monthly without oversight, and 7% don't even track autonomous changes at all.

👉 See the Confidence Gap Data 👈

Hm I’m curious about (the lack of) tracking autonomous changes. Also “3 in 5 orgs have had or suspect an AI-related incident.” 🤔 Identity is still key.

Cloud Security

Untangling Microsoft Graph's $batch requests in Burp
Requests to Microsoft Graph’s $batch endpoint bundle several API calls into one JSON object, which makes analyzing Azure Portal traffic difficult, since underlying API calls for requests to the $batch endpoint are not individually logged. Katie Knowles has released the graph_batch_parser.py Burp Suite extension to speed up analysis of $batch requests. The extension processes $batch requests into a set of synthetic request/response pairs that can then be reviewed in the “Graph Batch” tab, as well as Burp’s Site Map.

Stop Enabling Every AWS Security Service
Sena Yakut argues against enabling every AWS security service at once, advocating instead for a risk-based approach that starts with threat modeling your architecture (what are the risks we need to control for?), understanding team behaviors (who has admin privileges? Are there shared accounts or credentials?), and identifying critical breaking points (where small mistakes can cause major damage) before selecting controls. Avoid service overlap with existing third-party tools (like SIEMs) so you’re not overwhelmed by alerts, and evaluate usage-based pricing- based on your environment, certain managed services might not fit within your budget, but building custom automations with Lambda and EventBridge can fulfill a similar purpose. Use AWS SSO (IAM Identity Center) over individual IAM users.

Blue Team

MatheuZSecurity/ksentinel
By MatheuZ: A Linux kernel module that monitors syscall table integrity and critical kernel functions to detect rootkit modifications like ftrace hooks, kprobes, and syscall table hijacking.

Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
Google's Google Threat Intelligence Group (GTIG) discovered the "Coruna" iOS exploit kit containing five full exploit chains and 23 exploits targeting iOS 13.0 through 17.2.1, initially used by a surveillance vendor customer, then by Russian espionage group UNC6353 in watering hole attacks against Ukrainian users, and finally by Chinese financially-motivated actor UNC6691 in broad campaigns.

Additional technical analysis and IOCs by iVerify in their write-up here.

Advanced maturity adds atomic high-fidelity detections and risk-based custom rules, while Leading maturity incorporates data science-backed outlier detection (using platforms like Databricks or Dataiku) and deception techniques like honeytokens. Scott recommends reducing reliance on unmeasurable closed-source analytics by lowering their risk scores in the correlation engine while building validated custom detections that adversaries can't test against.

Red Team

0xbbuddha/notion
A Mythic C2 profile that uses Notion as a covert communication channel. Agents communicate by reading/writing pages in a shared Notion database, making C2 traffic indistinguishable from normal SaaS usage — a Living off Trusted Sites (LoTS) technique.

vulhunt-re/vulhunt
BINARLY released VulHunt Community Edition, an open-source vulnerability hunting framework for analyzing software binaries and UEFI firmware, built on their Binary Analysis and Inspection System (BIAS).

See also their community-contributed rules repo (currently only 3 rules) and Skills repo, which contains skills for decompiling functions, finding functions or call sites, performing data flow analysis, searching code/byte patterns, etc. powered by VulHunt MCP tools.

💡 Also congrats to my friend Gwen Castro who recently became CEO of BINARLY 🥳 

AI + Security

Quicklinks

• RankClaw - Web app to scan AI skills for security risks before you install them.

• Securing AI Agents in the Enterprise: 5 Use Cases - AI agents are now in enterprise environments; running workflows, accessing data, and interacting with other services through roles, tokens, and service accounts. This guide breaks down 5 use cases teams must solve to safely deploy agents across cloud and SaaS environments.*

• The looming AI clownpocalypse - “What happens when we reach the tipping point where exploits become cheaper to autonomously develop than they yield on average?”

^*Sponsored

Cybersecurity’s Need for Speed & Where To Find It
Phil Venables applies Stewart Brand's Pace Layers framework to cybersecurity, arguing that organizations must accelerate their security OODA loops to outpace AI-enabled attackers.

The post covers 11 areas we can speed up, including:

[un]prompted

[un]prompted NotebookLM
The full transcripts and slides for every [un]prompted talk were uploaded to a NotebookLM so that you can query any of the source material. Awesome idea, love it. Great work by Rob T. Lee, Julie Michelle Morris, and Emanuel Gawrieh and Dragos Ruiu. Shout-out Gadi Evron for sharing.

From Source to Sink: How to Improve LLM First-Party Vuln Discovery
Excellent [un]prompted talk by my Netflix friends Scott Behrens and Justice Cassel in which they took a data driven approach to investigating a number of questions regarding using AI for finding vulnerabilities I’ve had for awhile like: is it better to have a single superagent or multiple more focused agents? Should the agent find and then triage issues or should there be a separate post-processing triage step?

They share the precision, recall, and cost (I want to see more people do this) of various approaches, an excellent architecture diagram on slide 23, and have released a railguard-skill GitHub repo with implementations of the various scanning approaches (including vulnerability finding skills!) and utilities for benchmarking.

💡 In my opinion this is a great example of research that contributes back to the security community: it tests a number of hypotheses (which architectures/approaches are most effective?) and puts hard data behind them AND shares the code and benchmarking scripts to reproduce it. More like this please 👏 

How we made Trail of Bits AI-Native (so far)
This [un]prompted talk by Dan Guido is probably the best talk or resource I’ve seen on how to make your company AI-native. “AI isn't a feature you ‘adopt.’ It is a force that commoditizes effort and shortens the half-life of best practices… The core idea is a compounding operating system built from incentives, defaults, guardrails, and verification loops that let humans and autonomous agents ship high-rigor work at dramatically higher throughput. The talk covers the concrete artifacts that make this real: internal and external skills repositories, a curated marketplace for third-party skills, opinionated configuration baselines, and sandboxing patterns.”

GitHub link with bigger screenshots (AI Maturity Matrix), YouTube recording.

💡I especially like that Dan called out the resistance people have making this transition (Am I being replaced? What does it mean for my identity if AI can do parts of my job better than I can?) and how to support them.

The AI Maturity Matrix and measuring adoption slides as well as how to create an adoption engine via hackathons I thought were quite practical and actionable 👌

Misc

Misc

• Dropout - Brennan Lee Mulligan thanks the entire Greek Pantheon

• Privacy Activist Toolbox by Privacy Guides - A resource for anyone interested in becoming a better privacy rights activist, or anyone who wants to start advocating for privacy rights.

• Chinese hackers likely compromised an FBI network used to manage wiretaps and intelligence surveillance warrants

• An internal DHS document obtained by 404 Media shows for the first time Customs and Border Protection (CBP) used location data sourced from the online advertising industry to track phone locations. ICE has bought access to similar tools.

• Meta’s new AR glasses are sending all sorts of sensitive videos to their human workforce in Kenya. “We see everything – from living rooms to naked bodies. Meta has that type of content in its databases. People can record themselves in the wrong way and not even know what they are recording…Clips that could trigger ‘enormous scandals’ if they were leaked.”

  • One annotator sums it up: “You think that if they knew about the extent of the data collection, no one would dare to use the glasses”.

• Iranian Hacking Groups Go Dark During US, Israeli Military Strikes - “A popular Iranian prayer app, BadeSaba, was reportedly hijacked to tell its users that “help has arrived” and then urged Iranian army members to surrender. In the early hours of fighting, pro-regime news agencies were compromised and Iranian television stations were repurposed to broadcast videos of President Donald Trump and Israel’s Benjamin Netanyahu.”

• Across party lines and industry, the verdict is the same: CISA is in trouble - The agency lost a third of its people in a year. Now industry and lawmakers on both sides say it's unprepared for a potential crisis. “If we got into a major conflict, let’s say, with China, and they start triggering Volt Typhoon-related malware, are we organized and ready to roll? I don’t think so.” “We’re asking states to do a job they’re not resourced to do, while weakening the one federal agency designed to help them.”

AI

• 🎶 Suno - So Much Drama in the Frontier Labs - Epic rap

• Techdirt’s Mike Masnick on the recent OpenAI/Anthropic/U.S. government situation, and on the subtlety of what specific words actually mean from a legal and precedent point of view.

• Theo on the ^ drama

• Bitter Lesson Engineering - Daniel Miessler argues that instead of telling AI how to do things, instead tell them what outcome you want.

• googleworkspace/cli - One command-line tool for Drive, Gmail, Calendar, Sheets, Docs, Chat, Admin, and more. Dynamically built from Google Discovery Service. Includes AI agent skills.

• You need to rewrite your CLI for AI agents - Justin Poehnelt on his thoughts and lessons learned building the Google Workspace CLI. Follow-up post: The MCP Abstraction Tax.

• You can now run OpenClaw on AWS via Lightsail

• FT - Amazon holds engineering meeting following AI-related outages - “There had been a ‘trend of incidents’ in recent months, characterized by a ‘high blast radius’ and ‘Gen-AI assisted changes’ among other factors. Junior and mid-level engineers will now require more senior engineers to sign off any AI-assisted changes.

  • Pawel Huryn on some additional backstory - In November 2025 Amazon mandated Kiro as their only AI coding tool and set an 80% weekly usage target.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋 

🤖 [un]prompted

This week I had a blast at [un]prompted, the AI for security practitioners conference.

Gadi Evron assembled an incredible program committee that I was very fortunate to play a small role in. Aaron Zollman and many others put in countless hours in making this a great event.

And it showed, I think [un]prompted had one of the highest quality density in both talks and attendees of conferences I’ve attended.

Some anecdotes:

• I met a number of people whose work I’ve been a fan of for some time, which was super cool.

• Overheard: “…and that’s how I got RCE on a satellite, and was basically able to make it do anything.”

• I met someone who spent an internship looking for gold (not a metaphor).

• Some people came up and said kind words about tl;dr sec 🥰 Which means a lot, and keeps me going all of those cold winter nights, huddled alone writing away by a small fire, kept warm solely by the heat of my laptop and fear of irrelevance.

• Someone showed me their beautiful vibe coded Claude app dashboard estimating the stress/years of life toll of working in that environment, and comparing it to compensation.

• One person said my including their work in tl;dr sec helped with their visa application 🤯 Very humbling.

• Cheering on my friends who gave an excellent LLMs + SAST talk, and then seeing some of the online comments after (paraphrased), “Damn, what is Netflix putting in the food, those guys are jacked.” (Narrator: indeed they are)

There’s so much technical content I want to include from the conference, but I don’t have time to gather and organize it all before I need to send this out.

I’ll share the recordings once they’re live, which you should definitely check out.

Sponsor

📣 Stop the Google Workspace Security
Whack-a-Mole

Most security teams don’t have a talent problem; they have a toil problem. From triaging user-reported phishing reports to chasing questionable OAuth grants to reviewing risky file sharing, your headcount is being swallowed by fragmented consoles and manual work. Material Security unifies your cloud workspace security, automating detection and response across email, files, and accounts. From stopping malicious email to revoking over-privileged app permissions without breaking workflows, Material simplifies SecOps. Stop scaling your team just to manage the noise. Focus on strategy, not ticket backlogs.

👉 See the Material Difference 👈

AppSec

Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers
ETH’s Matteo Scarlata et al analyzed the cryptographic security of Bitwarden, LastPass, and Dashlane against a fully malicious server threat model, discovering 12 attacks against Bitwarden, 7 against LastPass, and 6 against Dashlane that violate their "Zero Knowledge Encryption" claims. The attacks range from targeted vault integrity violations to complete organizational vault compromise with password recovery.

Google API keys weren't secrets, but then Gemini changed the rules
Truffle Security's Joe Leon describes how Google spent over a decade telling developers that Google API keys (like those used in Maps, Firebase, etc.) are not secrets. But that's no longer true: Gemini accepts the same keys to access your private data. Truffle Security scanned millions of websites (November 2025 Common Crawl dataset) and found nearly 3,000 Google API keys that now also authenticate to Gemini. With a valid key, an attacker can access uploaded files, cached data, and charge LLM-usage to your account. They found many working keys, including Google’s old public API keys that could be used to access Google’s internal Gemini.

Et Tu, Default Creds? Introducing Brutus for Modern Credential Testing
Praetorian’s Adam Crosser announces Brutus, a Go-based multi-protocol credential testing tool that aims to solve the drudgery of a) testing a large environment for default credentials across many services, and b) if you have compromised credentials or keys (e.g. SSH keys), what are all the systems you now have access to?

Brutus is single binary with zero dependencies, supports 24 protocols including SSH, SMB, databases (MySQL, PostgreSQL, …), and web services. Brutus embeds known-compromised SSH keys from Rapid7's ssh-badkeys (Vagrant F5, ExaGrid, etc.) for easy testing.

Brutus also has two experimental AI-powered features:

1. Using an LLM to analyze HTTP responses and suggest vendor-specific default credentials for identified applications.

2. Using headless Chrome with Claude’s vision API to navigate JavaScript-rendered login pages, identify the device, research credentials, and authenticate automatically.

💡 These AI features are good examples of functionality that would be prohibitively difficult before LLMs, and are now quite feasible. It’s good to periodically (at most monthly) reevaluate assumptions you used to have about what is reasonable to build.

Sponsor

📣 The security platform that ships with your code

Arcjet brings security to the application layer so teams can block abuse while staying flexible as your architecture evolves. Rules live in code, not at the edge, making it easier to adapt protections as products, traffic patterns, and use cases change.

👉 See how it works 👈

I think security-as-code is great, and moving security closer to engineering seems to be where things are headed 👌 

Cloud Security

The AWS Console and Terraform Security Gap
Include Security’s Laurence Tennant calls out a critical security gap where AWS resources created via Terraform and other API-driven tools inherit insecure legacy defaults, while the AWS Console enforces secure-by-default configurations. The post walks through 3 examples: RDS instances created without encryption (storage_encrypted defaults to false in Terraform), Lambda permissions vulnerable to Confused Deputy attacks when source_arn is omitted (Console requires it, API doesn't), and password policies that accidentally disable all strength requirements when partially configured.

The root cause is Terraform's reliance on the AWS SDK's legacy API defaults that prioritize backwards compatibility over security, while the Console has evolved to enforce better guardrails.

The technique uses an SCP with the iam:PolicyArn condition key to prevent iam:DetachUserPolicy, iam:DetachRolePolicy, iam:DeletePolicy, iam:CreatePolicyVersion, and iam:SetDefaultPolicyVersion actions on IR-QuarantinePolicy by anyone except a designated break-glass IR role.

Supply Chain

Otsmane-Ahmed/KEIP
By Otsmane Ahmed: Kernel-Enforced Install-Time Policies (KEIP) uses eBPF LSM hooks to monitor and block malicious Python packages during pip install by enforcing behavioral rules, such as: blocking connections to non-standard ports (anything except 80/443/53), killing processes that contact more than 5 unique IPs, and terminating entire process groups when suspicious activity is detected.

💡 I’m not sure if eBPF/kernel level is the right approach for hooking and blocking malicious packages, but I’m sharing because it’s interesting.

hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions
StepSecurity's Varun Sharma breaks down the activity of an autonomous AI bot called hackerbot-claw that successfully exploited GitHub Actions workflows across 5 major repositories (Microsoft, DataDog, CNCF projects, and avelino/awesome-go).

hackerbot-claw used a number of different techniques: poisoned Go init() functions that exfiltrated a GITHUB_TOKEN with write permissions, inserting a backdoor into a Bash script that was automatically called when a GitHub issue comment included a specific command /version), branch name injection using bash brace expansion, filename injection with base64-encoded payloads, and AI prompt injection against Claude Code.

Red Team

syssec-utd/pylingual
A CPython bytecode decompiler supporting all released Python versions since 3.6. Research paper.

pyinstxtractor/pyinstxtractor-ng
Extracts contents from PyInstaller-generated executables (both Linux ELF and Windows PE) without requiring the same Python version used to build the binary. It leverages the xdis library to unmarshal Python bytecode.

Abusing Cortex XDR Live Terminal as a C2
InfoGuard’s Manuel Feifel demonstrates how Cortex XDR's Live Terminal feature can be abused as a pre-installed C2 channel, allowing command execution, PowerShell/Python execution, file upload/download, and process/file explorer capabilities, though it requires local admin privileges and bypassing default parent process prevention rules.

Manuel walks through his process unpacking cortex-xdr-payload.exe with pyinstxtractor-ng and decompiling with pylingual, discovering a hostname validation bypass (appending .paloaltonetworks.com to any URL path). Attackers can either hijack Live Terminal sessions cross-tenant by intercepting WebSocket messages containing server/token parameters, or build a custom WebSocket server that the payload will connect to after bypassing the hostname check.

AI + Security

GreatScott/enject
By Scott Novich: A Rust CLI tool prevents AI coding assistants from reading plaintext secrets by storing only symbolic references (e.g., en://database_url) in .env files while keeping actual values in encrypted local stores (per project) that are injected directly into apps at runtime, never touching disk as plaintext.

antropos17/Aegis
An open-source, local-only monitoring tool that watches AI agent behavior on your machine across processes (detects 106 agents), files (watches sensitive directories like .ssh, .env*, cloud configs, and agent config dirs), network (scans outbound TCP connections per agent PID), and local LLMs (detects Ollama and LM Studio). Aegis monitors what agents do after deployment rather than filtering prompts.

10 new skills from Trail of Bits
Including seatbelt-sandboxer (generate minimal macOS Seatbelt sandbox configs for apps), GitHub Action auditor, supply-chain-risk-auditor, skill-improver, workflow-skill-design, fp-check, and more.

semgrep/ai-best-practices
Semgrep rules that catch common trust & safety mistakes in LLM-powered applications: hardcoded API keys, missing safety checks, prompt injection risks, and unhandled errors across all major AI providers. 35 rules, 74 sub-rules, 6 providers (OpenAI, Anthropic, Google Gemini, Cohere, Mistral, and Hugging Face), 5 languages (Python, JS/TS, Go, Java, and Ruby).

Advancing Code Security
I wrote a quick mini summary of this [un]prompted talk by Google’s Heather Adkins and John “Four” Flynn, along with my photos of their slides. They discussed CodeMender in a bit more detail than the original blog post, Google’s project to automatically find and fix vulnerabilities. What especially stood out to me is the rigor with which they validate potential patches: they basically pass all candidate patches into a process that combines dynamic analysis (fuzzing, sanitizers), static analysis (AST-based, formal verification), differential testing, and LLM judges & critics. Super cool.

Zeal of the Convert: Taming Shai-Hulud with AI
I wrote a quick mini summary of this [un]prompted talk by Wiz’s Rami McCarthy, along with my photos of his slides (me writing summaries be like). Basically the talk is on how he leveraged AI + quickly vibe coded new automation and Skills to rapidly respond to the Shai-Hulud attack, attribute the affected companies, etc. Very practical with good lessons learned, I like it. Rami also released two Skills here.

💡 I believe Rami said he largely had to respond to Shai-Hulud while traveling with his partner. Feels bad man 😅 

AI's Impact on Software and Bug Bounty
Joseph Thacker believes the best bug bounty researchers are already using coding agents to find bugs faster, but soon companies will adopt “hackbots” for code review and dynamic testing and overall bugs reports to bug bounty programs will dwindle in the next few years.

Joseph also joined Justin Gardner on the Critical Thinking podcast (link) to interview HackerOne founder and CTO Alex Rice on bug bounty platforms training AI using bug bounty data / generally building their own AI-powered “pen testing agents.”

💡 Regardless of what the leaders of bug bounty companies say out loud, they are definitely full steam ahead trying to first build AI augmentation for testers, then gradually AI-powered full pen testing/bug bounty researchers. I’m sorry, believing otherwise is copium. If one company doesn’t, their competitors will.

I’ve been meaning to write a full blog post about this for awhile, but I predict:

• In the near future (this year), the top bug bounty researchers will build out their automation such that new/more junior researchers will rarely find non-duplicate bugs.

• In 1-3 years, AI pen testing/red teaming companies will have products that will be out competing all but the best bug bounty researchers. There will still be the crazy, intricate, one-off high paying bounties that require deep human expertise and time, but I’m not sure there will be enough of those to support many full time bug bounty researchers, or at least the effort/payout ratio may not be enough to justify being a full-time BB researcher.

Privacy

Quicklinks

• Your Car Is Spying on You – and Israeli Firms Are Leading the Surveillance Race.

  • The AP - Modern cars are spying on you. Here’s what you can do about it and privacy steps you can take.

  • Privacy4Cars offers a free auto privacy labeling service at vehicleprivacyreport.com that can summarize what your car could be tracking.

  • The Record - Cars have become computers on wheels — and police have easy access to their data

• Flock

  • Across the US, people are dismantling and destroying Flock surveillance cameras

  • 53 Times Flock Safety Hardcoded the Password for America's Surveillance Infrastructure - A researcher discovered a Default ArcGIS API key embedded in Flock Safety's public-facing JavaScript bundles, which granted access to the company's ArcGIS mapping environment, and 50 private layers, the same infrastructure that consolidates license plate detections, patrol car locations, drone telemetry, body camera locations, 911 call data, and surveillance camera locations from approximately 12,000 law enforcement, community, and private sector deployments nationwide.

• 404 Media - Amazon is allowing gift senders to choose items from third-party sellers, which means a public “wishlist” can expose your address.

• yjeanrenaud/yj_nearbyglasses - An Android app that detects smart glasses (Meta Ray-Bans, Snap Spectacles) by scanning for manufacturer-specific company IDs in Bluetooth Low Energy advertising frames.

• What Your Bluetooth Devices Reveal About You - Danny McClelland describes building Bluehood, a Bluetooth scanner that tracks nearby devices and analyses their presence patterns. It continuously scans for nearby devices, identifies them by vendor and BLE service UUIDs, and tracks when they appear and disappear.

  • Just running Bluehood in passive mode lets you detect things like: when delivery vehicles arrive and if they’re the same driver, daily patterns of neighbors (based on their phones/wearables), which devices consistently appear together (e.g. someone’s phone/smartwatch), the exact times certain people were home, at work, or elsewhere.

Misc

Misc

• Reuters - Palo Alto chose not to tie China to hacking campaign for fear of retaliation from Beijing, sources say

• Short story by Erik Hoel - "They Die Every Day"

• SNL Weekend Update - U.S. launches on attack on Iran, Stephen Hawking in Epstein Files

• log4j maintainers - Addressing AI-slop in security reports - “Since December, we have been experiencing what is effectively a denial-of-service situation through our YesWeHack bug bounty program. In practice, perhaps one out of twenty reports represents even a minor, legitimate issue.”

• A Polymarket account made >$500K betting on the U.S. strike against Iran. The trade was placed 71 minutes before the news broke publicly. Previously Polymarket was under active criminal investigation in the U.S. Now Don Trump Jr. sits on the board.

• New AirSnitch attack bypasses Wi-Fi encryption - new NDSS paper by Xin’an Zhou et al describing a series of attacks that bypass Wi-Fi client isolation protections across routers from Netgear, D-Link, Ubiquiti, Cisco, DD-WRT, and OpenWrt.

  • “We identify several root causes behind these weaknesses. First, Wi-Fi keys that protect broadcast frames are improperly managed and can be abused to bypass client isolation. Second, isolation is often only enforced at the MAC or IP layer, but not both. Third, weak synchronization of a client's identity across the network stack allows one to bypass Wi-Fi client isolation at the network layer instead, enabling the interception of uplink and downlink traffic of other clients as well as internal backend devices.”

AI

• GitHub issue - Addressing Antigravity Bans & Reinstating Access

• Jack Dorsey’s tweet on reducing Block’s headcount from 10K → 6k. He says it’s due to AI, which might be true, but Block’s valuation has been struggling for a few years now, so it could just be that they over-hired.

• Now I Get It - Upload a scientific PDF and get back a shareable, interactive web page that explains it in plain language.

• Trump orders US agencies to stop using Anthropic because they wouldn’t allow Claude to be used to autonomously kill without human approval and do mass surveillance.

• The whole thing was a scam - Sam Altman had been in talks with the Pentagon over a deal for OpenAI’s technology before he announced his support for Dario, before Trump had denounced Anthropic, but after Greg Brockman had donated $25M to Trump’s PAC.

• AI Explained - Anthropic's Last Stand: Deadline on Autonomous AI Weapons & Mass Surveillance

• Anthropic CEO Dario Amodei calls OpenAI’s messaging around military deal ‘straight up lies’ 🍿 

• You can now import your preferences and context from other AI providers to Claude

• An AI Agent Published a Hit Piece on Me - Matplotlib maintainer Scott Shambaugh describes how an AI agent autonomously wrote and published a personalized hit piece about him after he rejected its code, attempting to damage his reputation and shame him into accepting its changes. “It’s now possible to do targeted harassment, personal information gathering, and blackmail at scale.”

  • “So many of our foundational institutions – hiring, journalism, law, public discourse – are built on the assumption that reputation is hard to build and hard to destroy. That every action can be traced to an individual, and that bad behavior can be held accountable. The rise of untraceable, autonomous, and now malicious AI agents on the internet threatens this entire system.”

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋 

⛏️ The Mines of More-Agree-Ah

Once more I’m writing alone in my room at a Semgrep off-site, crackling fires and s’mores outside.

So I’ll be brief and just share a meme that made me smile:

If you, like me, could always use additional AI (sycophancy) x LOTR puns you can squeeze into your daily life, I give you:

• Helm's Deeply Agreeing With You

• Isengard-anteed Agreement

• Bag End-less Validation

• Mount Doom-scrolling For Approval

• Rohan-estly Just Agreeing With Everything

• Preciousss Little Pushback

• The Return of the Yes-King

• There And Sycophantically Back Again

• My Precious… Feedback Loop

Feel free to send me any LOTR puns / memes (they don’t need to be about AI).

Sponsor

📣 ⅓ of AI Generated Code is Vulnerable.
Are your “vibes” secure?

99% of organizations are already leveraging vibe coding. Developers use prompts to write code in seconds, but there’s a catch: when "vibes" replace manual syntax, developers can rapidly introduce risks.

From "slopsquatting" attacks on AI-hallucinated packages to overprivileged AI agents, the risks are scaling faster than your security team can patch.

Download the Executive Guide to Vibe Coding to learn how to keep your development fast and your applications secure.

👉 Read now 👈

AppSec

RSA 2026 Event List
By Chenxi Wang and Máire Sogabe.

There’s Always Something: Secrets Detection at Engagement Scale with Titus
Praetorian’s Michael Weber, Noah Tutt, and Zach Grace announce Titus, an open-source secret scanner written in Go that detects and validates leaked credentials across source code, binary files, and HTTP traffic (Burp extension, Chrome extension), shipping with 450+ detection rules from Nosey Parker and MongoDB's Kingfisher fork. The binary files it currently supports include Office documents (xlsx, docx, pptx), PDFs, Jupyter notebooks, SQLite databases, and just about every common archive format (zip, tar, …).

Samsung/CredSweeper
By Samsung: A tool to detect credentials in any directories or files, using regex, entropy and machine learning (architecture). From their paper: “Using a Voting Classifier (combination of Logistic Regression, Naïve Bayes and SVM) we are able to reduce the number of false positives considerably.“

Samsung/CredData
By Samsung: A labeled dataset designed for training and benchmarking credential scanning tools, consisting of 19.4M lines of code from 297 GitHub repositories containing ~73K manually labeled lines (4.5K true credentials). The dataset includes obfuscated credentials across 8 categories with metadata tracking line positions, credential types, and ground truth labels.

💡 Love the sharing of a labeled dataset, awesome!

Rare Not Random
Zachary Rice explores using Byte-Pair Encoding (BPE) token efficiency as an alternative to entropy for filtering false positives in secrets detection, which measures how "rare" or non-natural-language a string is. In BPE, common words and subwords get merged into long tokens, while rare or unnatural strings get broken into many short tokens. So “lookingatcomputer” gets turned into three tokens (“looking”, “at”, “computer”), but “kj2h3f2fuaafewa” would get broken into individual bytes (and thus more tokens per string size). Zachary tested BPE on CredData, and saw that it was good 📖 Neat!

Sponsor

📣 From Shadow AI to Autonomous Agents

AI adoption doesn’t follow change control. It follows convenience. That means federated logins, OAuth sprawl, builder creds in prod, and agents operating at machine speed. This brief outlines a practical identity-first framework to secure AI in the real world.

👉 Download Now 👈

Securing AI identity and gaining visibility seems critical 👌 

Cloud Security

Amazon's cloud unit hit by outage involving AI tools in December
One Amazon China region had a ~13 hour service disruption when engineers allowed Amazon’s own Kiro AI coding tool decided to "delete and recreate the environment."

💡 Doing more with less and layoffs/senior talent attrition is definitely unrelated to the outages they’ve been having. Coding agents are awesome and the future, but guardrails and defense in depth are more important than ever.

How Security Tool Misuse Is Reshaping Cloud Compromise
Qualys’ Sayali Warekar walks through how threat actors have weaponized TruffleHog, a popular secrets detection tool, to discover and validate exposed cloud credentials in real-world attacks like Crimson Collective (Red Hat breach, 570GB stolen), TruffleNet (AWS SES abuse across 800+ hosts), and Shai-Hulud. To detect this attack in your environment, look for log entries where GetCallerIdentity (or other AWS API calls) have a user-agent string like “TruffleHog”, processes like “trufflehog[.exe]”, and rapid GetCallerIdentity calls or permission enumeration patterns.

Locking down AWS principal tags with RCPs and SCPs
Aidan Steele describes how to use Resource Control Policies (RCPs) and Service Control Policies (SCPs) together to create trustworthy AWS principal tags, which can be useful for fine-grained access control, allowing only tagged roles to call sensitive APIs. The solution involves deploying a centralized tagger role via CloudFormation service-managed stacksets, using SCPs to restrict IAM principal tagging operations to only this role, and critically, using RCPs with two separate deny statements to prevent session tag injection from both non-tagger roles within the org and any principals outside the org (including OIDC/SAML IdPs and external accounts).

💡 The type of detailed, thoughtful AWS/IAM chicanery you’d expect from Aidan, nice.

Supply Chain

SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflows and Poisons AI Toolchains
Socket’s research team discovered SANDWORM_MODE, a supply chain worm campaign spreading through 19 malicious npm packages that uses obfuscation to hide credential theft, GitHub API/DNS tunneling exfiltration, persists via git hooks, and automated propagation via stolen npm/GitHub tokens. The worm immediately exfiltrates crypto keys, then targets password managers (Bitwarden, 1Password, LastPass), injects malicious MCP servers into AI coding assistants (Claude, Cursor, VS Code Continue, Windsurf) with embedded prompt injections that silently steal SSH keys and AWS credentials, and propagates by injecting dependencies/workflows into repos.

The malware contains dormant capabilities including a polymorphic engine configured to use local Ollama (deepseek-coder:6.7b) for self-rewriting and a destructive dead switch that wipes the home directory when both GitHub and npm access are lost.

💡 I don’t know what this says about me, but when I see supply chain attacks with complex post exploitation/persistence functionality, I think, “Neat, that’s clever. That’s cool that it’s not just an amateur hour postInstall script that obviously pipes a shady URL to bash.”

Clinejection - Compromising Cline's Production Releases just by Prompting an Issue Triager
Adnan Khan found a prompt injection vulnerability in Cline's (now removed) Claude Issue Triage workflow allowed any GitHub user to compromise production releases (millions of devs across VS Code Marketplace and OpenVSX) by injecting malicious instructions into issue titles, causing Claude to execute arbitrary code via npm install from an attacker-controlled fork. The attack chain leverages GitHub Actions cache poisoning to pivot from the triage workflow and steal secrets (see Adnan’s neat Cacheract tool).

Cline only addressed this issue after public disclosure despite multiple attempts to contact the Cline team. An unknown attacker exploited the same flaw to publish a new Cline CLI version that added an npm install -g openclaw@latest lifecycle script.

Blue Team

Quicklinks

• Trail of Bits - mquire: Linux memory forensics without external dependencies - mquire eliminates the need for external debug symbols by extracting type information from BTF (BPF Type Format) and symbol addresses from Kallsyms directly from memory dumps.

• Canary Tokens via API: SSH, Browser Session Cookie, Email, AWS and more - Tracebit Community Edition just launched their API! Deploy free canary tokens either via their CLI or API - you decide. Sign up to deploy canaries in minutes.*

• V8 Heap Archaeology: Finding Exploitation Artifacts in Chrome’s Memory - SpecterOps’ Liam D. gives a great overview of JavaScript memory corruption exploits that target Google Chrome’s V8 JavaScript engine, and releases v8-forensics, a Rust crate that detects Chrome V8 JavaScript engine exploitation attempts by analyzing renderer crash dumps for memory corruption artifacts, even when the specific CVE is unknown.

^*Sponsored

Mapping Deception with BloodHound OpenGraph
SpecterOps's Ben Schroeder describes how to use OpenGraph and BloodHound to strategically place deception technologies by mapping attack paths across Active Directory and third-party systems like GitHub and Ansible. The post introduces deceptionClone, a utility for modeling deception nodes and edges in OpenGraph, and also calls out F4keH0und, a PowerShell tool that analyzes SharpHound data to identify opportunities for creating canary accounts. The post also shows merging GitHound and AnsibleHound collections to visualize cross-technology attack paths, such as planting honey credentials in GitHub artifacts that lead to a deceptive Ansible Tower job template.

See also the Configuration Manager focused follow-up post by Joshua Prager.

ClickFix: Stopped at ⌘+V
Patrick Wardle describes a simple defense against ClickFix attacks (social engineering that tricks users into pasting malicious commands into Terminal) by detecting Command+V keypresses and checking if the frontmost application is a terminal. When a paste is detected, the implementation pauses the terminal process via SIGSTOP, displays the clipboard contents to the user for confirmation, and clears the pasteboard if blocked. This prevention has been implemented in BlockBlock.

GitLab Threat Intelligence Team reveals North Korean tradecraft
Fascinating deep dive by the GitLab threat intelligence team sharing indicators of compromise (IOCs) and case studies for North Korea’s Contagious Interview and fake IT worker campaigns. IOCs include email addresses, JavaScript malware dropper URLs hosted on services like Vercel, malicious NPM packages, proxy IP addresses, synthetic persona emails, phone numbers of China-based cell members, etc.

The case studies are neat: the financial records and administrative documents from a North Korean IT worker cell operating out of Beijing (quarterly income performance for individual members), synthetic ID generation at scale, and more.

AI + Security

Quicklinks

• Kevin Beaumont - “I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub.”

• Claude Opus 4.6 wrote vulnerable code, leading to a smart contract exploit with $1.78M loss

• Re: OpenSC, ghostscript, cgif issues from the recent Anthropic disclosure - Mailing list thread questioning some of the 500+ vulnerabilities found in the Opus 4.6 blog. One example appears to be the maintainers of an OSS project removing strcat because they wanted to not be annoyed by security reports.

• 💡 I’m not including these to be negative about Claude or Anthropic. Claude Code is great and I use it often. Claude can clearly find real vulnerabilities in real apps, and be an effective coding companion. I just think it’s important to include a nuanced discussion, not just A1 iS THe FuTUre Z0mG!!1!

wardgate/wardgate
Give AI agents API access without giving them your credentials. Wardgate is a security gateway that sits between AI agents and the outside world -- isolating credentials for API calls and gating command execution in remote environments (conclaves).

lukehinds/nono
By Luke Hinds: A capability-based sandbox for AI agents and POSIX processes that uses kernel-level enforcement (Landlock on Linux, Seatbelt on macOS) to make unauthorized operations impossible rather than relying on policy-based filtering. The tool blocks dangerous commands by default (rm, dd, chmod, sudo, package managers), provides granular filesystem permissions via --allow/--read/--write flags, and includes built-in profiles for Claude Code, OpenCode, and OpenClaw.

💡 Sidenote: it’s weird to randomly see your face and endorsement popping up on a project’s landing page 😂 

100+ Kernel Bugs in 30 Days
Yaron Dinkin and Eyal Kraft describe how they built an AI agent swarm to automatically reverse engineer and audit Windows kernel drivers at scale. They analyzed 202 high risk drivers and found 521 potential vulnerabilities across 158 unique driver binaries, which after manual triage they believe represents ~100 genuinely exploitable local privilege escalation (LPE) bugs. The experiment costed $600 total, ~$3 per target, $4 per bug 😅

The five-stage pipeline:

1. Scrape drivers from the MSFT update catalog, OEM sites, and public driver repositories.

2. Preprocess them and identify good targets.

3. Analyze each binary with a council of LLM agents - decompilation agent, attack surface agent identifies functions worth auditing, and a code audit agent inspects each target for memory corruption bugs

4. Virtualize - They created a custom VM-based harness for loading drivers on kernel-debugged Windows machines controlled by agents.

5. Validate - Using the harness, the agents iteratively create Python PoC scripts per finding, effectively performing guided fuzzing until the machine crashes. The BSOD crash dump is then analyzed to confirm the vulnerability triggered correctly.

They manually confirmed and reported 15 vulnerabilities (average CVSS 8.2) to vendors including AMD, Intel, NVIDIA, Dell, Lenovo, and IBM, but after 90+ days only Fujitsu patched and assigned a CVE 🫠 

“The biggest performance leap was achieved by “closing the loop” and giving the agent direct feedback on exploitation success using our VM-based kernel-debugging harness. Agents that can try to bugcheck the machine over-and-over again are tomorrow’s fuzzers, and with enough compute they’re 100x more dangerous in the wrong hands.”

💡 Giving agents the ability to try a bunch of things and validate the results without human involvement is 🔥 

Things Are Getting Wild: Re-Tool Everything for Speed
Last year Phil Venables had an incrementalist view of the cybersecurity impact of AI, but now believes that it will create a short-term crisis as attackers gain a great advantage but in the long run defenders will win out. The four major pillars of concern: a massive increase in vulnerabilities from AI-generated code, attackers industrializing exploitation with AI tooling, everything can be faked (content, people, companies), and unpredictable emergent behaviors from trillions of interacting agents.

However, defenders can leverage their structural advantages (environmental control, specific context, and data access), implement strong baseline controls and continuously monitor them (authentication, segmentation, fast patching, detection/response), leverage AI for vulnerability discovery and auto-remediation, and use defensive agent swarms. Defenders need to prioritize finding and fixing whole classes of vulnerabilities through frameworks and tooling, run their OODA loop faster than attackers, and adopt AI-driven red teaming to iteratively harden defenses.

💡 XBOW’s Oege de Moor also writes about this idea here and here, calling this the “Chaos Phase,” arguing that in the short term attackers will better operationalize AI / build autonomous hacking tools. “Security programs that hold up under pressure are shifting toward continuous validation. Systems that relentlessly test assumptions, controls, and exposure in the background, without waiting for humans to initiate every action.”

Misc

AI

• Peter J. Liu - Uncovering Insiders and Alpha on Polymarket with AI

• Latent Space - The AI Frontier: from Gemini 3 Deep Think distilling to Flash — Jeff Dean - Nice, quite technical.

• Google is nuking accounts using OpenClaw

• Meta’s head of AI safety and alignment gets her emails nuked by OpenClaw​​​​​​​​​​​​​​​​ 

• Nikunj Kothari - Token Anxiety - “A friend left a party at 9:30 on a Saturday. Not tired. Not sick. He wanted to get back to his agents.” Overstated, but not totally wrong in my experience 😅 

• Will Manidis - Tool Shaped Objects - “We have begun to talk about token consumption the way we talk about capital expenditure: as an input that scales linearly to output. More tokens, more work. Bigger budget, bigger results… The market for feeling productive is orders of magnitude larger than the market for being productive. Most people, most of the time, want to click and watch the number go up. They do not want to be told the number is fake. They will pay— in time, in attention, in actual money— to keep the number going up.”

  • 💡 My view: two things are true- LLMs are able to make people and systems much more productive, and I see people bragging about tokens spent, longest Claude/Codex runs, without connecting that to… outcomes, which is what actually matters.

Misc

• Hackers made death threats against this security researcher. Big mistake. - Kim Zetter on Allison Nixon helping arrest dozens of members of The Com. What a story!

• Man accidentally gains control of 7,000 robot vacuums

• Cloud and AWS cost consultant Duckbill expands to software, raises $7.75M for new Skyway platform

• How even in “meritocratic” environment rich kids still have a huge advantage

• Alex Hormozi on priorities and sacrifice: “Regrets come when we imagine the upside that we don’t have without taking into account the cost that we didn’t suffer.” “Want less, or trade more.”

  • Also: “What do you think that you should do, that you’re not doing, that you want me to tell you to do?” 🔥 

• 'KPop Demon Hunters' Creators Break Down Meeting The Saja Boys: 'Soda Pop' Lyrics, Animation & More

• Aella - People Will Sometimes Just Lie About You

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋 

🤖 Come on AI-leen

Am I pleased with myself that I was able to make the intro title a pun off of AI + this 1982 music classic? Absolutely.

I have a few more #PeakBayArea stories to share.

• I “watched” the Super Bowl with the OpenAI Codex team (shout-out Ian). Multiple people were still vibe coding on their laptops throughout.

• I attended an event hosted by several AI video generation companies, and they played a few AI-generated shorts that were quite impressive.

  • One thing I find exciting about these tools is that great storytellers can now create shorts and even movies that would have taken dozens to hundreds of people and costed millions previously.

  • I see this same trend with AI in coding and other domains: the top performers are becoming even more leveraged.

  • Sidenote: it was easy to immediately tell if an attendee was a creative or normal tech worker as they dressed very visibly differently 😂 

• I attended a Lunar New Years party (shout-out Grace) during which someone did some crowd work for a video, “When I say ‘A’, you say ‘I’, ‘A’… (everyone) ‘I’… ‘A'… ‘I’.

You know, just normal party stuff 😂 

P.S Semgrep is doing a live keynote next week of some things we’ve been cooking.

Sponsor

  🔑☁️ Your AWS Keys Have Leaked -
Now What?

Long-lived AWS keys are a major security liability, often hiding in plain sight within source code and build artifacts. Join Joseph Leon (Truffle Security) and guest expert Eduard Agavriloae to break down:

• Exploitation: How attackers find and use leaked keys.

• Triage: Critical immediate steps after a leak.

• Prevention: Shifting to short-lived, identity-based roles.

👉 Watch Webinar 👈

AppSec

Encrypting files with passkeys and age
Filippo Valsorda describes Typage, a TypeScript implementation of the age file encryption format that supports symmetric encryption with passkeys and other WebAuthn credentials in browsers. To learn more about passkeys and WebAuthn, Filippo highly recommends Adam Langley’s A Tour of WebAuthn.

Mercari’s Phishing-Resistant Accounts with Passkey
Karino Tatsuya describes Mercari's journey from offering passkeys as an alternative authentication method to creating fully phishing-resistant "passkey accounts" that completely disable password and SMS OTP authentication. Mercari improved the recovery experience using Japan's MyNumber digital ID card for high-assurance identity proofing, allowing self-service recovery without compromising security, and implemented risk-based requirements for different services to drive adoption. Their approach has resulted in 10.9 million passkey accounts (approximately half of monthly active users), with passkey authentication expected to surpass password authentication next year.

A Beginners Guide: Cross-Device Passkeys
Google’s Harsh Lal describes Hybrid transport, which enables cross-device passkey authentication when users need to sign in on devices where their passkey isn't stored, such as public terminals or shared computers. The flow works by having the client device display a QR code containing a FIDO URI with a session identifier, which the authenticator device (e.g. smartphone) scans to establish an end-to-end encrypted tunnel over the internet, while Bluetooth Low Energy performs a proximity check to confirm physical presence and prevent man-in-the-middle attacks.

The authenticator uses its private key (which never leaves the device) to sign a cryptographic challenge from the server, transmitting only the signature back through the encrypted tunnel for verification. This approach maintains passkeys' phishing resistance while solving the key adoption challenge of accessing accounts across different devices and operating systems without exposing credentials on shared machines.

Sponsor

📣 Over-Privileged AI Systems Drive 4.5x Higher Incident Rates

New research surveying 205 CISOs reveals a stark reality: 92% of orgs are deploying AI into production, but 67% still rely on static credentials. The result? Organizations with over-privileged AI systems report 76% incident rates vs. just 17% for those enforcing least privilege. Identity fragmentation + AI agents = exponentially larger blast radius.

👉 Read the 2026 AI Security Report 👈

Least privilege and identity for AI agents/systems are quite important, I’m curious to see what they found 👀 

Cloud Security

Testing Access to AWS Resources Without Angering the People That Pay the Bills
Plerion’s Daniel Grzelak presents a methodology for safely testing AWS resource access permissions without reading sensitive data or changing state. Daniel outlines four core techniques: comparing unsigned vs signed requests (public SQS queues accept unauthenticated requests), metadata read APIs, executing no-op operations (UntagResource with nonexistent tags), and crafting malformed requests that pass authorization but fail validation (SNS Publish with an empty message). The post describes a “3-topic method” for determining when a malformed request actually proves authorization by testing against allowed, denied, and nonexistent resources to confirm authorization checks occur before validation.

Plerion has also released sns-buster, an open-source tool that automates testing 14 SNS API actions with 30+ parameter mutations per action to empirically verify topic exposure.

💡 A pretty clever approach for “checking facts” about an environment in a thoughtfully minimally intrusive way 👍️ 

Can an AI Agent Run a Purple Team Exercise?
Permiso describes deploying their AI agent, Rufio, to emulate Scattered Spider tactics against an AWS environment and validate their detection coverage. Originally they built Rufio to detect malicious OpenClaw skills, and over 12 days it wrote 135 YARA rules, scanned >2,500 skills across markplaces, confirmed 21 threats, and built 16 custom skills.

In this post, given a blog post describing Scattered Spider TTPs, Rufio had to understand the AWS Management Console and CLI patterns required to execute each step, then translate the blog post's tactical description into actual API calls and console interactions. Rufio autonomously created an IAM user (LUCR-3-operator), attached AdministratorAccess, generated access keys, attempted to enable EC2 serial console, and harvested CloudShell credentials.

Doing this exercise, they found an instruction-following gap where Rufio failed to switch from the federated Okta session to the newly-created IAM credentials for subsequent actions, despite being explicitly told to do so.

Supply Chain

safedep/pmg
By SafeDep: Package Manager Guard (PMG) acts as a security middleware layer, wrapping your package manager to analyze packages for malware before they are installed, sandboxing the installation process to prevent system modification, and auditing every package installation event.

AikidoSec/safe-chain
By Aikido: A lightweight proxy server that intercepts package downloads from the npm registry and PyPI to protect against malicious code (verifies packages against Aikido’s open source threat intel database). Blocks packages newer than 24 hours.

💡 See also Socket’s firewall.

The Forensic Trail On GitHub: Hunting For Supply Chain Activity
Slides for Wiz’s Rami McCarthy and Amitai Cohen’s BlackHat EU 2025 talk covering a methodology for investigating and tracking real-world supply chain attacks exploiting GitHub Actions. The talk describes useful threat intelligence available directly from both GitHub and Git, and includes demos of how to effectively pivot on user metadata and behavioral heuristics, uncover attacker forks, and recover deleted gists and commits. They also demonstrate how to trace attacker aliases, identify targets of reconnaissance, and unmask attackers and researchers in real-time.

See also GitHunt, their accompanying GitHub repo with three demos: a Flask web app showing a demo of identifying and investigating an attack based off the public GH firehose, a CLI tool for investigating GitHub activity, and a toy tool that identifies suspicious GitHub activity, enriches it, and renders it for further investigation.

Unveiling Bagel: Why Your Developer's Laptop is the Softest Target in Your Supply Chain
Boost Security’s Alexis-Maurer Fortin announces the release of bagel, an open-source CLI that inventories security-relevant metadata on developer workstations including credentials, misconfigurations, and exposed secrets across Git, SSH, NPM, cloud providers (AWS/GCP/Azure), GitHub CLI, and IDE configurations. Bagel works in a privacy-focused way, only reporting secret locations, types, and SHA-256 fingerprints, not actual values. Bagel also scans for configuration weaknesses (like disabled SSL verification in Git/NPM, SSH config settings, etc.), secrets in environment variables, and shell history, and active sessions (active GitHub CLI sessions, cached cloud provider tokens, SSH agent state).

💡 The post makes a great point- developers generally have a variety of types of privileged access (often directly or indirectly production-level access), but this access isn’t monitored as well as say CI environments that have similar levels of secrets. By inventorying what secrets live where, you can get a feel for your exposure in the face of a Shai-Hulud type supply chain attack.

Blue Team

rex-rs/rex
A kernel extension framework that lets you write eBPF-style programs in safe Rust that compile directly to native code, bypassing the in-kernel eBPF verifier and its complexity constraints. By leveraging Rust's safety guarantees instead of static verification, Rex eliminates common eBPF pain points like program complexity limits, verifier-unfriendly compiler output, and counter-intuitive code patterns.

Matmaus/LnkParse3
A Python tool for parsing Windows shortcut (.LNK) files, handling malformed files gracefully.

Trust Me, I’m a Shortcut
Wietze discusses five Windows LNK file spoofing techniques that allow attackers to hide malicious targets and command-line arguments from Explorer's Properties dialog. Wietze has released lnk-it-up, an open-source toolkit containing lnk-generator (creates malicious LNKs using these variants) and lnk-tester (identifies deceptive LNKs by using Windows APIs to detect mismatches between displayed and actual targets).

The variants: padding command-line args with whitespace to hide them beyond the 256-char display limit, using HasExpString flag with null EnvironmentVariableDataBlock to hide arguments, setting invalid paths in EnvironmentVariableDataBlock to spoof targets while executing LinkTargetIDList, exploiting non-conforming LinkTargetIDList with LinkInfo fallback, and the most powerful variant, populating only TargetAnsi while leaving TargetUnicode null to completely spoof targets and hide arguments.

“In summary, we have seen that LNK files are unpredictable because crucial pieces of information might be hidden or entirely spoofed, meaning it is not straightforward to anticipate what will happen when an LNK file is opened.”

Red Team

Introducing a new way to buzz for eBPF vulnerabilities
(2023) Google’s Juan José López Jaimez and Meador Inge announce Buzzer, a new eBPF fuzzing framework that aims to help hardening the Linux Kernel. Buzzer aims to detect errors in the eBPF verifier (which verifies that an eBPF program satisfies various safety rules) by generating many eBPF programs, and if the verifier thinks it is safe, executing the program in a running kernel to determine if it is actually safe. Runtime behavior errors are detected through instrumentation code added by Buzzer.

Breaking eBPF Security: How Kernel Rootkits Blind Observability Tools
MatheuZ demonstrates how an attacker with kernel module loading capability can systematically blind eBPF-based security tools (Falco, Tracee, GhostScan, Decloaker) by hooking kernel functions via ftrace rather than attacking the eBPF programs themselves. Testing showed complete evasion: Falco missed reverse shells, file modifications to /etc/passwd and /etc/shadow, and privilege escalation; Tracee's process enumeration and syscall tracing showed nothing; and iterator-based tools like GhostScan and Decloaker failed to detect hidden processes or network connections.

Core insight: once an attacker controls the kernel (via loaded modules when Secure Boot is disabled), they control the kernel→userspace data delivery mechanisms that eBPF tools depend on, making observability optional regardless of how correctly the eBPF programs execute.

AI + Security

Quicklinks

• trailofbits/claude-code-config - Opinionated defaults, documentation, and workflows for Claude Code at Trail of Bits. Covers sandboxing, permissions, hooks, skills, MCP servers, and usage patterns they’ve found effective across security audits, development, and research.

• trailofbits/skills-curated - Trail of Bits' reviewed and approved Claude Code plugins. Every skill and marketplace here has been vetted for quality and safety.

KeygraphHQ/shannon
An autonomous AI pentester that actively exploits web application vulnerabilities rather than just identifying them. Shannon uses its built-in browser to execute real exploits, such as injection attacks, and auth bypass, to prove the vulnerability is actually exploitable. It combines white-box source code analysis with black-box dynamic exploitation across four phases (reconnaissance, vulnerability analysis, exploitation, and reporting). Shannon achieved a 96% success rate on the hint-free XBOW Benchmark.

samugit83/redamon
By Samuele Giampieri: An AI-powered agentic red team framework that automates offensive security operations, from reconnaissance to exploitation to post-exploitation. RedAmon is a LangGraph-based ReAct agent that chains together a six-phase reconnaissance pipeline: subdomain discovery, port scanning with Naabu, HTTP probing with httpx, resource enumeration with Katana/GAU/Kiterunner, and vulnerability scanning with Nuclei, and MITRE enrichment and GitHub secret hunting into a Neo4j knowledge graph.

The AI agent orchestrator operates in three phases: informational (graph queries and web searches), exploitation (CVE-based exploits or credential brute-forcing with user approval), and post-exploitation (Meterpreter sessions or stateless command execution), with all successful compromises automatically recorded as Exploit nodes in the graph, linked to the target IP, CVE, and port. Video tutorial.

1Password's new benchmark teaches AI agents how not to get scammed
Jason Meller describes how 1Password built SCAM (Security Comprehension and Awareness Measure), an open-source benchmark testing whether AI agents can avoid phishing and credential theft when performing real tasks like reading emails and filling passwords. They tested eight models (Claude Opus 4.6, Sonnet 4, Haiku 4.5, GPT-5.2, GPT-4.1, GPT-4.1 Mini, Gemini 3 Flash, Gemini 2.5 Flash) across 30 scenarios and found baseline safety scores ranging from 35% (Gemini 2.5 Flash) to 92% (Claude Opus 4.6), with every model committing critical failures like typing real passwords into phishing pages or forwarding emails containing embedded credentials.

They then added a 1,200-word security Skill file that’s essentially like security awareness training but for models (advises them to analyze domains right-to-left, read content before sharing, etc.) and found it dramatically improved results, reducing total critical failures from 287 to 10 across all runs. The benchmark, skill file, testing framework, and all results are available on GitHub. Nice project overview and agent trace videos on the project landing page.

Introducing AI Cyber Model Arena: A Real-World Benchmark for AI Agents in Cybersecurity
Matan Vetzler, Nir Ohfeld, and Alon Schindel announce Wiz’s AI Cyber Model Arena, which benchmarks offensive AI security on 257 real-world challenges (zero-days, CVEs, API/web, and cloud across AWS/Azure/GCP/K8s), demonstrating what AI models and agents can really do. They evaluated 25 agent-model combinations (4 agents × 8 models) across offensive security challenges. Currently, the top performers are: Claude Opus 4.6 with Claude Code and then Gemini 3 Pro with Gemini CLI. It doesn't look like they've tested GPT-5.3-Codex yet (probably due to it not being available through the API). Arena landing page.

Methodology:

• Each agent-model-challenge combination is run 3 times (pass@3).

• Agents run in isolated Docker containers with no internet access, no CVE databases, and no external resources — the agent cannot browse the web, install packages, or access any information beyond what is in the container.

• All scoring is deterministic (no LLM-as-judge).

💡It’s nice to see more benchmarks measuring AI agent capabilities on offensive security tasks. Overall it seems thoughtfully designed, and I like that they measured a number of agent + model combinations. It’d be cool if they open sourced the benchmark 👀

Misc

AI

• OpenClaw, OpenAI and the future - OpenClaw creator Peter Steinberger will be joining OpenAI, OpenClaw will move to a foundation.

• Y Combinator - Inside Claude Code With Its Creator Boris Cherny

• Skill Graphs > SKILL.md

• Snyk’s Austin Martin describes building their AI-powered churn detection/prevention system

• Automate repository tasks with GitHub Agentic Workflows - GitHub introduces Agentic Workflows, a technical preview that lets you define repository automation tasks in plain Markdown frontmatter plus natural language instructions, which then execute via coding agents (Copilot CLI, Claude Code, or OpenAI Codex) within GitHub Actions. Example use cases: continuously triage issues (summarize, label), documentation updates, test improvement, and investigate CI failures.

• Peli’s Agent Factory - A collection of over 100 automated agentic workflows GitHub has built across triaging issues, continuously simplifying or refactoring code, burning down the backlog, and more.

AI + Burnout

• HBR - AI Doesn’t Reduce Work-It Intensifies It - An eight-month study at a 200-employee tech company found that AI adoption led to work intensification rather than reduction, in three main ways: task expansion (product managers writing code, researchers doing engineering work), blurred work-life boundaries (prompting AI during breaks and off-hours), and increased multitasking (managing multiple AI agents in parallel). While workers felt more productive, they reported being busier than before.

• The AI Vampire - Steve Yegge warns that AI coding tools like Claude Code are creating a "vampire effect" where devs realize they can be 10x as productive → output standards raise which leads to burnout → companies capture value through overwork rather than sharing benefits with employees.

  • “The world is accelerating, against its will. I can feel it; I grew up in the 1980s, when time really did move more slowly, in the sense that news and events were spaced way out, and society had time to reflect on them. Now it changes so fast we can’t even keep up, let alone reflect.”

  • “If you have joined an AI-native startup, the founders and investors are using the VC system to extract value from you, today, with the glimmer of hope for big returns for you all later.”

Misc

• Charles Cornell - What's Even The Point Anymore? ...The AI Takeover of Music

• Stripe - Ben Thompson from Stratechery on AI ads, the end of SaaS, and the future of media

• Tim Ferriss - Bill Gurley — The AI Era, 10 Days in China, & Life Lessons from Bob Dylan, Jerry Seinfeld,, and More

• Fogus - The Best Things and Stuff of 2025

• Are you ok? No but…

• Tynan - Gear Post 2026

• Ed Sheeran on 10,000 hour rule and advice for musicians starting out

• Handsome at Any Cost - Braden Peters, known as Clavicular, has emerged as a beacon for a group of narcissistic, status-obsessed young men. He wants to take his fixation with “looksmaxxing” mainstream.

• Roman Helmet Guy - You can’t solve a courage problem with more intelligence.

• Pete Davidson represents a sock brand on Shark Tank

• Gian Galang - Portfolio for an an award-winning artist and illustrator living. Some cool stylized fighters.

• Casey Ellis steps away from Bugcrowd after 13 years - Casey is a good dude and friend of the newsletter. Glad he’s getting a chance to rest a bit.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋 

📺️ AI for Security Engineers (with Cursor's Security Lead)

AI is helping developers ship faster than ever. How can security keep up?

I'm stoked for my upcoming chat with my friend Travis McPeak, Security Lead at Cursor, about how security engineers can use coding agents to become even more leveraged.

Cursor has been one of the fastest growing and shipping AI-forward companies right now, so I thought it’d be great to hear from someone on the front lines.

I’ve actually known Travis and been a fan of his work for years, when he was doing cool stuff as the AppSec engineering manager at Netflix, then Head of Product Security at Databricks, then co-founder of Resourcely.

We'll discuss in the webinar:

• How modern coding agents change what projects are feasible for security engineers.

• The impact of coding agents on secure defaults and building a “paved road.”

• Using AI to rapidly ramp up on new code bases and tech domains.

• Automating cloud security.

• Building (and owning in production) security controls, without hurting developer experience.

• Getting broad and continuous visibility into security-relevant code changes.

• Where AI is headed, and what it means for you and your role.

We’ll leave plenty of time for questions, so you can ask Travis and I about whatever is most immediately pressing and useful to you.

When: (next week) February 19th, 10am PST.

Hope to see you there!

👉️ Join us: AI for Security Engineers 👈️ 

Sponsor

📣 2026 State of Identity Security Report

Attackers are already logged in before access risk is fully understood, and the biggest delay in response isn’t alerts, it’s confidence.

New data from 500+ security teams shows:

• Identity-based access is the most common path into cloud environments

• Teams often detect activity but lack context to assess risk pre-incident

• Non-human identities and AI agents drive blast radius through long-lived, over-privileged credentials

The State of Identity Security Report 2026 breaks down where identity visibility fails and what helps teams scope and contain incidents faster.

👉 Get the Report 👈

AppSec

Quicklinks

• Lost in Translation: Exploiting Unicode Normalization by Ryan Barnett and Isabella Barnett (So cool to have a family co-presenting team 🤩, love it)

• The security platform that ships with your code — Arcjet helps teams protect APIs and applications using in-code security like rate limiting, bot protection, and request validation. No proxies, test locally, everything in code.*

• Parser Differentials: When Interpretation Becomes a Vulnerability by Joern Schneeweisz

^*Sponsored

Top 10 web hacking techniques of 2025
PortSwigger’s James Kettle announces the top 10 web hacking techniques of 2025, selected from 63 community nominations through voting and expert panel review. Some 🔥 research, well worth reading as always.

1. By Vladislav Korchagin: Successful Errors: New Code Injection and SSTI Techniques introduces new error-based techniques for exploiting blind server-side template injection. Includes novel polyglot-based detection techniques.

2. By Alex Brown: ORM Leaking More Than You Joined For evolves ORM leaks from a niche, framework-specific vulnerability into a generic methodology for exploiting search and filtering capabilities.

3. By Shubham Shah: Novel SSRF Technique Involving HTTP Redirect Loops - A technique for making blind SSRF visible.

ambionics/phpggc
A library of PHP unserialize() payloads along with a tool to generate them. It supports 15+ frameworks including Laravel, Symfony, Drupal, and Monolog, with gadget chains for RCE, file read/write, and other exploitation primitives.

The CISO's Craft: Watchmaker or Gardener?
Phil Venables contrasts two CISO leadership philosophies: the "Watchmaker" emphasizes precision, command-and-control, detailed policies, and centralized tools for predictable security but risks rigidity and burnout; and the "Gardener," which focuses on cultivating security culture, empowering teams with principles and guardrails, and building adaptive resilience but may appear less structured. Modern CISOs should blend both.

Sponsor

📣 AI is speeding up attacks—can your AppSec keep up?

New research highlights a harsh reality for AppSec: 54% of orgs saw incidents in their own apps, and half take 1–7 days to fix critical issues. Attackers do not wait and AI‑driven threats move faster than teams can respond. Omdia explains why Application Security Posture Management (ASPM) is becoming essential for cutting alert noise, taming tool sprawl, and keeping security in step with modern delivery speed.

👉 Read the Omdia Report 👈

Attackers are definitely moving faster (see the AI + Security section). Streamlined fixes and quickly prioritizing the right things seems like it’s going to be more and more important.

Cloud Security

awesome-foundation/aws-config-d
By Luka Kladarić: Manage multiple AWS SSO organizations with separate config files. Split ~/.aws/config into one file per organization. Concatenate on shell start. No dependencies.

Weaponizing Whitelists: An Azure Blob Storage Mythic C2 Profile
SpecterOps’ Andrew Gomez and Allen DeMoura announce azureBlob, a new Mythic C2 profile that leverages Azure Blob Storage for command and control, exploiting common firewall exceptions like *.blob.core.windows.net found in deployment guides from vendors like Citrix, Parallels, and Nerdio.

AI-assisted cloud intrusion achieves admin access in 8 minutes
Sysdig’s Alessandro Brucato and Michael Clark observed where a threat actor escalated from stolen credentials to admin access in under 10 minutes, with strong indicators of LLM-assisted operations including Serbian-commented code, hallucinated GitHub repos, and fake AWS account IDs. The threat actor gained initial access to the victim's AWS account through credentials discovered in public S3 buckets, escalated privileges through Lambda function code injection, moved laterally across 19 unique AWS principals, abused Amazon Bedrock for LLMjacking, and launched GPU instances for model training. “The affected S3 buckets were named using common AI tool naming conventions, which the attackers actively searched for during reconnaissance.”

Novel Technique to Detect Cloud Threat Actor Operations
Palo Alto Networks’ Nathaniel Quist describes a detection method that identifies threat actors by mapping cloud security alerts to MITRE ATT&CK techniques, successfully distinguishing between Muddled Libra (cybercrime group using social engineering and ransomware) and Silk Typhoon (China-nexus APT exploiting Exchange servers and VPNs) based on their unique "fingerprints." The analysis across 22 industries from June 2024-June 2025 found Muddled Libra triggered nearly 70 unique alert types (focused on Azure Graph API enumeration and Microsoft 365 exfiltration) with only 3 overlapping with Silk Typhoon's 50+ alert types (focused on automated collection and data destruction).

The takeaway: tracking unique alert variety (breadth of techniques) versus average daily alert volume (operational persistence) can enable proactive threat hunting.

💡 I wonder if any threat actors read reports like this about other threat actor groups and think, “Huh nice, good point, yeah I should do more of what they’re doing, I’m missing out.”

AI + Security

Quicklinks

• qwibitai/nanoclaw - A lightweight alternative to Clawdbot / OpenClaw that runs Agents in containers (supports Linux and macOS containers) for security. Connects to WhatsApp, has memory, scheduled jobs, and runs directly on Anthropic's Agents SDK.

• HKUDS/nanobot - An ultra-lightweight personal AI assistant inspired by OpenClaw. Core agent functionality is just ~4,000 lines of code, 99% smaller than Clawdbot's 430k+ lines.

• nearai/ironclaw - An OpenClaw inspired implementation in Rust focused on privacy and security. Untrusted tools run in isolated WebAssembly containers with capability-based permissions. Secrets are never exposed to tools; injected at the host boundary with leak detection. Endpoint allowlisting.

• owockibot’s hot wallet private key was compromised after 5 days, his learning in public GitHub gist was compromised. Retrospective.

• I spent too long on this section and ran out of time for the supply chain, blue/red team sections. Sorry friends 😅 

OpenClaw Security Engineer's Cheat Sheet
Great security guidance overview of OpenClaw by Semgrep’s Kurt Boberg, covering: thinking about OpenClaw security concerns from first principles, the attack surface, detecting use in your corporate environment (across endpoints, your registry mirror, network indicators), setting up hardened environments to experiment in (sandboxing), security scanning Skills, configuration hardening, incident response, and more.

💡 Tons of useful tools links, commands to run, hardening recommendations, related work references, and more. I love posts like this tying a bunch of things together 👍️ 

kappa9999/ClawShield
Security preflight and guardrails for OpenClaw/Moltbot. It checks your config for risky settings, warns you if your gateway is exposed, and helps you keep skills from being tampered with.

prompt-security/clawsec
A complete security skill suite for OpenClaw's family of agents. Protect your SOUL.md from drift detection, live security recommendations, automated audits, and skill integrity verification. All from one installable suite.

💡 “Protecting your SOUL.md" was not a phrase I had on my 2026 Bingo card 😂 

backbay-labs/clawdstrike
By Connor Whelan: A runtime security enforcement library for AI agents that provides tool-boundary enforcement through 7 built-in guards (path access, network egress, secrets detection, patches validation, tool restrictions, prompt injection, and jailbreaks) with Ed25519-signed receipts proving what was decided under which policy. It has four-layer jailbreak detection (heuristic, statistical, ML, and optional LLM-as-judge), output sanitization with streaming support, and adds low overhead per tool call.

Discovering Negative-Days with LLM Workflows
Eugene Lim describes building a GitHub Action workflow that uses Claude to detect "negative-days" and "never-days" (vulnerabilities patched in open-source projects before they get a CVE) by monitoring repository commits and analyzing them with LLMs. He walks through iterating on the prompt and process: incorporating pull request context via GitHub's listPullRequestsAssociatedWithCommit API, refining prompts to focus on exploitable vulnerabilities with concrete PoCs, and fixing JSON output issues.

Eugene open sourced the GitHub Action: vulnerability-spoiler-alert-action and a live dashboard showing recent findings: vulnerabilityspoileralert.com.

💡 Academics have been writing about finding bugs from diffs for probably decades, but what I think is important to note is how relatively straightforward and effective this approach was. In your mental threat model, move “detecting vulnerabilities before they receive CVEs and creating exploits” from “requires nation state resources” to “one person, a few days, a few dollars in LLM costs.” (of course depends on the target)

The increased rate and ease of finding vulnerabilities (see also below) is going to make being able to rapidly patch software, roll out updates, and ideally solve classes of problems (secure defaults, memory safe languages, sandboxing/capabilities) even more important.

Evaluating and mitigating the growing risk of LLM-discovered 0-days
Anthropic’s Nicholas Carlini, Keane Lucas, Evyatar Ben Asher et al describe how Claude Opus 4.6 discovered over 500 high-severity memory corruption vulnerabilities in well-fuzzed open source codebases. How: they put Claude in a VM and gave it access to the latest versions of open source projects, standard utilities (e.g., the standard coreutils or Python) and vulnerability analysis tools (e.g., debuggers or fuzzers). But no special instructions on how to use these tools nor a custom harness that that gives specialized knowledge about how to better find vulnerabilities.

Claude worked like a human researcher: analyzing Git commit histories to find similar unpatched bugs, identifying unsafe function patterns like strcat, and understanding complex compression algorithms like LZW to craft exploits that traditional fuzzers miss.

The team validated each bug before reporting: first having Claude validate and deduplicate, then a human validated the issue and wrote a patch. They focused on memory corruption vulnerabilities because they can be easily validated, by monitoring the program for crashes and running tools like address sanitizers to catch non-crashing memory errors.

“Looking ahead, both we and the broader security community will need to grapple with an uncomfortable reality: language models are already capable of identifying novel vulnerabilities, and may soon exceed the speed and scale of even expert human researchers.”

💡 The key part here is without special instructions or a custom harness, just Opus 4.6 going to town. We can reasonably expect with moderate to high scaffolding the outcome would be some to significantly better.

I would be curious to know a bit more about the details though: after the automated validation, how many of the findings were still “false positives” / not interesting? How much did this cost (total, per bug)? How long did Opus run to find the bugs?

Misc

Misc

• Mace Windu vs Palpatine but it's a musical

• DJ KHALED: Sundae Conversation with Caleb Pressley

• breachpool - Which company is going to get hacked next?

AI

• Noah Kagan - AppSumo revenue is down 50% over the past 2 years - Software margins going down, LLMs killing low value software, it’s easier for devs to quite and start something new.

• Meme - When you 100% vibe coded your app and it works 😂 

• Prof Galloway Markets - Did AI Kill Software?

• Ian Tracey - The K-Shaped Future of Software Engineering

• OpenAI President Greg Brockman - Software development is undergoing a renaissance in front of our eyes. “As a first step, by March 31st, we're aiming that: For any technical task, the tool of first resort for humans is interacting with an agent rather than using an editor or terminal.“

• Peter Girnus - The SaaSpocalypse: How Eleven Free Plugins Exposed Tech's Biggest Lie

• Matt Shumer - Something Big Is Happening

Politics

• He Leaked the Secrets of a Southeast Asian Scam Compound. Then He Had to Get Out Alive - Absolutely insane story and great reporting 🤯 

• Y Combinator CEO Garry Tan launches dark-money group to influence California politics

• Grok has been getting some flak for enabling users to create non consensual adult images and spicy pictures of minors.

• Meanwhile, the Pentagon will be sharing classified info and data from intelligence databases to Grok.

• Trump’s campaign of retribution - “Reuters documented at least 470 targets of retribution under Trump’s leadership – from federal employees and prosecutors to universities and media outlets. The list illuminates the sweeping effort by the president and his administration to punish dissent and reshape the government.”

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋 

🗑️🔥 ClawdBot Security

Well… what an exciting week to be in security 😆 

ClawdBot Moltbot OpenClaw exploded with popularity as a powerful AI assistant.

These AI bots have been posting on their own social network, created a religion, and more.

There’s also been multiple critical OpenClaw bugs found, and hundreds of malicious Skills (as they’re essentially RCE).

One could look at this and despair, but I actually find the speed with which all of these issues were discovered heartening. OpenClaw is speed-running its security journey.

Having people from our security community leap into the fray, identify problems, and coordinate fixes with maintainers at this speed likely made tens to hundreds of thousands of people safer.

I think that’s something we can be proud of.

There’s still a lot of work to be done, especially around making it easier for people to vibe securely by default, and platforms (like Supabase) can try to minimize their sharp edges.

But our job is to keep people safe, and we’re doing that here.

Now on to more systemic improvements that can meaningfully improve security posture at scale 🤘

Sponsor

📣 The only AI SOC tool your analysts will fight to keep

There is a specific feeling SOC analysts get when they use Prophet Security: Relief.

Why? Because for most, the daily reality is a cycle of repetitive data fetching and context-switching that buries actual threats under noisy queues.

Prophet AI fundamentally alters this dynamic. The platform handles the heavy lifting before a human ever sees the ticket. This frees up SOC analysts to focus entirely on validation and remediation.

This shift lowers risk and scales capacity without inflating operational costs. Once you operate with this level of clarity, you will refuse to go back to the old way.

 👉 See the difference in your queue 👈

AppSec

Scorecarding Security
Friend of the newsletter Rami McCarthy gives a great overview of the use of scorecarding in security programs, with examples and lessons from companies like Chime, Netflix, GitHub, and Atlassian. In general, the programs use a centralized dashboard and leaderboard to track security posture, vulnerabilities, and risk across applications and services. These give the leadership team visibility, gamify improving security, and educate service and code owners on security standards and posture.

The post concludes with some examples of vulnerability management at Segment, Riot, and Uber.

💡 I love overviews of what a bunch of companies are doing 😍 That’s what motivated my BSidesSF talk “How to 10X Your Security (without the Series D)” - slides, YouTube.

Product Security Scorecards: Coupling Security Issues with Preventative Controls to Drive Security Maturity
Postman's Gustavo De Leon describes how they developed Product Security Scorecards to help engineering teams manage security findings by aggregating vulnerabilities, control monitoring, and security requirements into a single dashboard. The system maps all services and artifacts to their builds, repos, and teams, then attributes security tool outputs to those teams, focusing on pairing Security Issues with Preventative Controls that address them proactively.

For third-party dependency vulnerabilities, they implemented a five-level maturity model (Repo Scanning, PR Scanning, PR Blocking, Client-Side Scanning, and Client-Side Blocking). The Scorecards framework also tracks "Security Asks" like hardening tasks, audit/certification readiness, and release blockers, providing everyone from individual engineers to leadership with visibility into security posture with red/yellow/green scores.

In a follow-up post, I'd love to see a bit more of a tactical deep dive into how the repo <> team mapping was done (and maintained), what specific security controls/secure defaults were built and how, and any other actionable details that would help other security programs do this themselves.

Sponsor

📣 Why Agentic AI Breaks Legacy Identity

Agentic AI is non-deterministic. Legacy IAM is static. When you mix them, you get anonymous execution and credential sprawl. Stop treating agents like static workloads. Join Teleport CEO Ev Kontsevoy and Analyst Craig Matsumoto to fix your foundation.

👉 Save Your Spot 👈

Identity and authorization is clearly becoming more important in a world of agents (see AI + Security section below). Important, foundational area, definitely worth learning more about 👆️ 

Supply Chain

Running Renovate as a GitHub Action (and NO PAT!)
Chainguard’s Adrian Mouat walks through setting up Renovate to automate dependency updates while avoiding long-lived GitHub Personal Access Tokens by using Octo STS, an open source security token service that trades OIDC tokens for short-lived GitHub tokens with elevated privileges. This approach can also update GitHub Actions, which the default GitHub Action token can’t do.

💡 Eliminating the use of PATs, which are often stolen in supply chain attacks. I like it!

Introducing SITF: The First Threat Framework Dedicated to SDLC Infrastructure
Wiz’s Shay Berkovich introduces SITF (SDLC Infrastructure Threat Framework), an open-source framework mapping 70+ attack techniques across five SDLC pillars (Endpoint/IDE, VCS, CI/CD, Registry, Production). The framework includes an Attack Flow Visualizer for drag-and-drop threat modeling that auto-generates prioritized defense matrices based on a causal chain model linking Risks → Techniques → Controls.

The post walks through modeling Shai-Hulud 2.0 using SITF, and the framework runs entirely client-side with no data leaving your machine. You can view the live site here or clone it on GitHub here.

Blue Team

Who Operates the Badbox 2.0 Botnet?
Brian Krebs investigates the Kimwolf botmasters' claimed compromise of the Badbox 2.0 control panel via some OSINT wizardry, pivoting across email addresses, domain registration records, shared passwords, phone numbers, etc. and ends up naming names of two likely Badbox 2.0 operators. This unauthorized control panel access would allow Kimwolf operators to bypass residential proxy provider patches and directly load malware onto millions of Badbox 2.0-infected Android TV boxes.

No Place Like Home Network: Disrupting the World's Largest Residential Proxy Network
Google Threat Intelligence Group (GTIG) disrupted IPIDEA, one of the world's largest residential proxy networks, by taking down C2 domains, sharing intelligence on malicious SDKs (Castar, Earn, Hex, and Packet SDK) with partners, and enabling Google Play Protect to remove 600+ Android apps incorporating these SDKs. They found IPIDEA controls 13 proxy/VPN brands (including 360 Proxy, IP 2 World, PIA S5 Proxy, and Luna Proxy) and uses a two-tier C2 infrastructure that proxies traffic through millions of hijacked residential devices.

GTIG observed over 550 threat groups from China, DPRK, Iran, and Russia using IPIDEA exit nodes in a single week for activities including accessing a victim’s SaaS environments, password spraying, and accessing on-prem infrastructure. The SDKs were distributed through trojanized VPNs (Galleon VPN, Radish VPN), Windows binaries masquerading as OneDriveSync/Windows Update, and uncertified Android TV boxes.

💡 Holy cow, the scale of this is incredible. Excellent work GTIG et al! 🙌 

Red Team

Maldev-Academy/DumpBrowserSecrets
By MalDev Academy: Extracts browser-stored data such as refresh tokens, cookies, saved credentials, credit cards, autofill entries, browsing history, and bookmarks from modern Chromium-based and Gecko-based browsers (Chrome, Microsoft Edge, Firefox, Opera, Opera GX, and Vivaldi)

EDR Silencing
Purple Team gives an overview of EDR Silencing techniques that disrupt communication between EDR agents and their cloud consoles without crashing processes, covering six methods: Windows Filtering Platform (WFP) abuse via tools like EDRSilencer, SilentButDeadly, and WFP_EDR; hosts file modification to redirect EDR domains to localhost; Name Resolution Policy Table (NRPT) manipulation to redirect DNS queries; IPSec filter rules via netsh to block traffic; routing table tampering; and secondary IP address assignment using IPMute to capture and locally assign EDR server IPs. The post ends with a SIGMA rule detecting WFP-blocked outbound connections from common EDR processes.

AI + Security

Quicklinks

• trailofbits/claude-code-devcontainer - Sandboxed devcontainer for running Claude Code in bypass mode safely. Built for security audits and untrusted code review.

• trailofbits/dropkit - A CLI tool for managing DigitalOcean droplets with automated setup, SSH configuration, and lifecycle management.

• Moltworker - You can run Moltbot/OpenClaw serverless via Cloudflare workers. It uses: sandboxes SDK for isolated code execution, Browser Rendering for Chromium automation via a CDP proxy, R2 for persistent storage mounted as a filesystem, and AI Gateway with BYOK/Unified Billing for model management.

• Nice video overview of Moltbook and recent events by The AI Daily Brief

• 1Password blog on OpenClaw - “Security for agents is not about granting access once. It is about continuously mediating access at runtime for every action and request.” Your agent should get a new identity like a new hire, receive access through a secrets manager instead of long-lived tokens on disk, authority is time-bound, revocable, and attributable to the agent, not the human who clicked approve.

• Daniel Miessler’s OpenClaw security hardening recommendations

• Securing AI Internet hero Jamieson O’Reilly found that Moltbook, the “social media” site for AI agents, didn’t properly secure their Supabase config, enabling anyone to access every agent’s secret API key, verification codes, etc. and thus post as anyone’s agent, even Andrej Karpathy. 404 Media 

  • Gal Nagli seems to have found the same issue concurrently. Wiz blog

• Aikido’s Charlie Eriksen - Fake Clawdbot VS Code Extension Installs ScreenConnect RAT

• 1-Click RCE To Steal Your Moltbot Data and Keys - depthfirst’s Mav Levin describes how he was able to chain vulnerabilities: if a user clicks on a link with a malicious gatewayUrl query parameter it can leak the victim's auth token to an attacker-controlled server, combined with Cross-Site WebSocket Hijacking (CSWSH) to bypass localhost restrictions since OpenClaw's WebSocket server doesn't validate the origin header.

knostic/openclaw-detect
By Knostic: Detection scripts for MDM deployment to identify OpenClaw installations on managed devices.

knostic/openclaw-telemetry
By Knostic: Telemetry for OpenClaw: captures tool calls, LLM usage, agent lifecycle, and message events. Outputs to JSONL file and optionally to a SIEM.

MoltThreats
By Thomas Roccia: Agent-native threat intel feed where AI agents report attacks and receive curated protections. MoltThreats operates through an agent skill: when it discovers a threat, it sends a structured report to MoltThreats, which a human reviews, and then approved ones are published to a public feed that any agent can query to update their security baseline.

💡 I really like the meta idea of this: distribute detection/alerting to a broad swathe of individuals running agents, which then report back and a human triages.

Personal AI Agents like OpenClaw Are a Security Nightmare
Cisco’s Amy Chang and Vineeth Sai Narajala describe how Skills are basically code execution by design, and release Skill Scanner, an open source tool that analyzes Claude Skills and OpenAI Codex skills for security threats (prompt injection, data exfiltration, and malicious code patterns) by combining static analysis (YAML + YARA), behavioral dataflow analysis, LLM-assisted semantic analysis (LLM-as-judge), and VirusTotal scanning.

ClawdBot Skills Just Ganked Your Crypto
The OpenSourceMalware team and Paul McCarty found malicious ClawdBot Skills targeting ByBit, Polymarket, Axiom, Reddit and LinkedIn that install malware, steal crypto, etc. ~386 affected Skills, over 7,000 downloads. When informed of the malicious Skills, the OpenClaw’s creator’s response was basically, “I don’t have a team to vet user generated content, people should just use their brain when finding Skills.”

“Many of the payloads we found were visible in plain text in the first paragraph of the SKILL.md file… within a few minutes we found our first malicious payload.” 🤦‍♂️ 

Bloom Security’s Ofir Balassiano also wrote about active ClawdHub malware campaigns here.

Misc

Privacy

• Limit precise location from cellular networks - New feature on some iPhone and iPad models that limits how precisely cell networks can determine your location. As TechCrunch describes, law enforce agencies are increasingly tapping cell carriers to access the location data of individuals for tracking them in real time, or examining where they have traveled over a period of time.

• The Verge - Best gas masks - You should not need a gas mask to attend a peace protest in America, but here we are. See also: Guide to Protest PPE.

Misc

• You Have No Idea What Gandalf Is

• The Lord of the Rings from Sauron's perspective 

• The camera tricks they did to make Gandalf and Frodo appear to be very different sizes is impressive

  • Apparently this week I’ve trained my YouTube algorithm to show me LoTR contents, and I’m here for it 🧙‍♂️ 

• Arnold meets Anatoly - If you haven’t watched any Anatoly videos, you’re missing out 😂 And the genuine compliments and kindness was very nice.

• Cillian Murphy on what happens when the shooting is over - Sounds tough actually.

• Claude is a space to think - Anthropic’s post on not allowing ads in Claude.

• Anthropic’s savage 🌶️ ads on AI providers doing ads: Can I get a six pack quickly?, How can I communicate better with my mom?

Music

• Iliya Shojaei - Don't Love Your Job, Job Your Love 😂 

• Disney Composer Alan Menken Breaks Down His Most Iconic Songs - The Little Mermaid, Beauty and the Beast, Aladdin, Pocahontas, Hercules. Alan Menken has had such an incredible career.

• Levisct - PIANOMANNIAKS - This solo piano + beats is absolutely insane.

• Charles Cornell - The INSANE Story Of Pirates Of The Caribbean's Soundtrack - The melody breakdown is cool, and the connection to Gladiator 🤯 

• Hans Zimmer Breaks Down His Career, from 'Gladiator' to 'Interstellar'

• ImprovBroadway - Comedic songs made up on the spot, glorious 🥰 

• AETHRA - A new domain-specific programming language (DSL) designed to compose music using code. Instead of focusing on low-level audio math, AETHRA lets creators express emotion, harmony, and musical structure through readable commands.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋 

🎶 Weird Al

Last week, I saw something I never thought I would…

We cut to the early 2000s, Clint is in high school.

I loved Weird Al Yankovic, and listened to him regularly with my dad in the car. Weird Al was actually one of the first live concerts I ever attended.

Flash forward to last weekend. As a part of SF SketchFest I saw… a Weird Al-inspired burlesque show called “Tight and Nerdy” 😂 (reference)

A number of people in the audience dressed up as Weird Al from various eras, which was delightful.

There was a dancing can of spam, for Amish Paradise a butter churner got put to work, and I may never look at Yoda the same way again.

Both Weird Al, and the show, are a celebration of being weird, and leaning into your thing, whatever it is.

I like it.

Sponsor

📣 New guide: The future of IT infrastructure

Modern IT infrastructure is mission-critical. But most IT Ops teams are still relying on manual workflows to manage capacity, reliability, and scale.

The result? Hidden waste, slower incident response, growing risk, and teams stuck firefighting instead of improving systems.

Tines published a new guide for IT teams that shows how to change that. In the guide you’ll learn: 

• Why manual capacity management quietly drives cost and operational drag

• How intelligent workflows enable predictable, auditable scaling

• Practical ways to orchestrate infrastructure using the tools you already have 

👉 Get the guide 👈

AppSec

Automated React2Shell vulnerability patching is now available
Vercel Agent now detects vulnerable packages in your project, and automatically generates pull requests with fixes to upgrade them to patched versions.

💡 This is cool, I’d love to see more “let us harden your config / setup / environment for you” products and features.

How rep+ Helped Me Identify a Critical Supabase JWT Exposure
Bour Abdelhadi describes how he used rep+ to discover a publicly exposed Supabase anonymous JWT in a website's JavaScript. rep+ is Burp-style HTTP Repeater for Chrome DevTools with built‑in AI to explain requests and suggest attacks, recently integrated with Kingfisher for secret detection. He then tested whether Row Level Security (RLS) was properly enforced on the backend by enumerating REST endpoints (thus enumerating tables and RPC functions exposed), and found he was able to read the password_reset_tokens table, enabling full account takeover.

Bour also released supabase-exposure-check, a Python script that scans websites for exposed Supabase JWT tokens, enumerates accessible database tables, and analyzes them for sensitive data exposure.

Security as a platform: Codifying scans, signals, and guardrails
Larkins Carvalho describes how Plaid built “Security Pipeline as Code” to scale security scanning across hundreds of services by treating security controls as infrastructure: using shared CI templates, Terraform modules, and a hosted control plane with in-VPC scan execution. The system dynamically orchestrates security domains (SAST with custom rules from incidents/bug bounties, reachability-aware SCA, IaC and secrets scanning, AI-powered business logic analysis). Sub-5 minute feedback, contextual remediation guidance specific to Plaid, given directly in GitHub.

Technical wins: encoding organization-specific security baselines as Semgrep rules (like enforcing zero-trust authorization policies) and auto-resolving fixed vulnerabilities to eliminate manual triage busywork. Repos onboard with a single Terraform line, and findings flow into a unified vulnerability management system with team attribution and SLA tracking. The platform achieved 95%+ repository coverage by launching rule sets in soft-fail mode first to tune false positives before blocking merges.

“Security learnings from findings to architectural decisions to baselines are turned into automated, institutional knowledge that shows up on PRs across our repos.”

Sponsor

📣 Your Agent Just Ran kubectl.
Was It Supposed To?

AI agents have production access (e.g., file system, shell, databases, MCP servers), but security tools weren't built for this: EDR can't tell if kubectl was intentional or prompt-injected, while secrets managers don't know if the request came from an engineer or an agent. The 2026 Agent Risks Technical Brief covers these blind spots and which controls actually work.

👉 Get the Technical Brief 👈

Nice, love the focus on agent visibility and guardrails, this is an important area right now. MintMCP also has a good paper on Securing the Model Context Protocol.

Container Security

Public Container Registry Risks 2026: Malicious Images & Mitigation
Qualys’ Amit Gadhave analyzed over 34,000 public container images and found that 60% had fewer than 1,000 pulls, and 4% contained cryptomining malware, with 70% of confirmed malicious images being cryptominers, primarily targeting Monero using XMRig. Typo squatting was the common distribution technique, where attackers mimic legitimate image names like nginx, ubuntu, drupal, and joomla to trick users into pulling malicious containers.

BadPods Series: Everything Allowed on AWS EKS
Kiran Dawadi shares a write-up of the “Everything Allowed” bad pod from Bishop Fox’s BadPods project, which is a collection of Kubernetes manifests that create pods with dangerous configurations. The post shows how a pod with privileged: true, hostPath: /, hostNetwork: true, and hostPID: true flags enabled can lead to complete cluster and cloud compromise on AWS EKS.

Kiran shows three attack paths: escaping to the host node via chroot and accessing /var/lib/kubelet, lateral movement to other pods using nerdctl and nsenter to enumerate containers and enter their namespaces, and stealing IAM credentials from the EC2 metadata service at 169.254.169.254 (both IMDSv1 and IMDSv2).

A Brief Deep-Dive into Attacking and Defending Kubernetes
Quite detailed, lengthy post by Alexis Obeng giving an overview of how Kubernetes works, threat hunting in k8s, and attack techniques and defensive strategies. The post covers unauthenticated API access, overly permissive RBAC, ServiceAccount token abuse, malicious admin controllers, CoreDNS poisoning, writable volume mounts, ETCD unauthorized access, and the Kubernetes Golden ticket technique. For each, Alexis gives an overview, then defensive strategies, and then a Falco rule to detect it.

See the k8s-custom-detections GitHub repo for the Falco detection rules, audit policies, sample attack manifests, and configuration files that go along with this post.

💡 Wow, according to her About page, Alexis is still in college 🤯 She’s graduating in Spring 2026, and looking for opportunities. If you’re a hiring manager, you can reach out to her on LinkedIn.

Supply Chain

How We Prevented Cursor, Windsurf & Google Antigravity from Recommending Malware
Koi’s Oren Yomtov discovered that popular AI IDEs (Cursor, Windsurf, Google Antigravity) inherited VSCode's extension recommendation config but switched to the OpenVSX marketplace (licensing reasons), creating a supply chain vulnerability where officially recommended extensions didn't exist and their namespaces were unclaimed. So basically the IDEs were like, “You should install <this extension>” but anyone could register it. Koi preemptively registered the vulnerable namespaces, phew.

💡 I’m periodically surprised that software mostly works and the world hasn’t crumbled.

Threat Actors Expand Abuse of Microsoft Visual Studio Code
Jamf’s Thijs Xhaflaire describes the latest evolution of the Contagious Interview campaign, in which DPRK threat actors target developers via backdoored repos. User clones, opens, and trusts malicious repo → VSCode task.json triggers download from malicious server → payload executed via Node.js runtime → system fingerprinting → persistent beacon to C2 server awaiting arbitrary JavaScript code.

The payload “has inline comments and phrasing that appear to be consistent with AI-assisted code generation.”

Introducing IDE-SHEPHERD: Your shield against threat actors lurking in your IDE
Datadog’s Tesnim Hamdouni announces IDE-SHEPHERD, an open source IDE extension that uses real-time runtime protection + heuristics to protect against malicious extensions and supply chain attacks. It uses a “require-in-the-middle” (RITM) layer to patch critical Node.js modules such as child_process, http, and https to intercept and block malicious operations like PowerShell-encoded commands, suspicious network requests, and auto-executing .vscode/tasks.json files before they execute.

IDE-SHEPHERD combines this runtime defense with heuristic detection that analyzes extension metadata for anomalies such as missing repository links, suspicious version numbers, wildcard activations, and signs of obfuscation.

💡 Yo dawg, I heard you’re worried about malicious IDE extensions, so I built you an IDE extension to analyze IDE extensions 😂 

Blue Team

Quicklinks 

• Varonis discovered Stanley, a $6,000 malware-as-a-service toolkit sold on Russian cybercrime forums that packages a malicious Chrome extension that they guarantee will pass the Chrome Web Store vetting.

• Free Canary Tokens: SSH, Browser Session Cookie, Email, AWS and more by Tracebit — Tracebit recently launched their ‘Community Edition’ - free canary tokens and a local CLI to manage and maintain them. Sign up to deploy canaries in minutes.*

• MHaggis/ADTrapper - A self-hosted Active Directory security analysis platform that processes Windows authentication logs and BloodHound data to detect threats through 54+ detection rules covering brute force, password spray, privilege escalation, and ADCS attacks.

^*Sponsored

North Korean infiltrator caught working in Amazon IT department thanks to lag
They caught them over a 110ms keystroke input lag 🤯 “Schmidt says that Amazon has foiled more than 1,800 DPRK infiltration attempts since April 2024. Moreover, the rate of attempts continues apace, with Amazon reckoning it is seeing a 27% QoQ uplift in North Koreans trying to get into the Amazon corporation.”

Centralized suppression management for detections using macros & lookups
Harrison Pomeroy describes a centralized suppression management system for Splunk detections using macros and lookups, enabling analysts to self-service tune alerts without directly modifying detection logic. The solution uses a CSV lookup table containing alert names, suppression criteria (SPL logic), expiration timestamp, etc. combined with a macro that dynamically injects NOT conditions into detection queries.

Background: “A lookup in a SIEM is an external data table that your detections, queries, and dashboards can reference to enrich events or influence logic. A macro is a reusable piece of logic often a short function, expression, or template, that you can reference throughout your platform to avoid repeating the same code in multiple places.”

AI + Security

eating lobster souls Part III (the finale): Escape the Moltrix
Clawdbot (now Molt) has gotten a lot of hype recently. In part 1, Jamieson O'Reilly found hundreds of Clawdbot control servers that were misconfigured, leaking API keys, OAuth tokens, conversation histories, etc. In part 2, he built a simulated backdoored skill, inflated its download count to #1 on ClawdHub using a trivial API vulnerability, and watched 16 developers across 7 countries execute arbitrary commands on their machines within 8 hours.

In part 3, Jamieson found that you can include JavaScript in an SVG that’s uploaded to ClawdHub, which is served from the main clawdhub.com domain, so it can read your authentication cookies, make API requests on your behalf, etc. An attacker could, for example, use this to compromise your account and then backdoor any skill you’ve uploaded, which will then backdoor anyone who uses them.

💡 The amount of rapidly newly popular things with 2010 era bugs is impressive.

FuzzingLabs/mcp-security-hub
By FuzzingLabs: A growing collection of MCP servers bringing offensive security tools to AI assistants. Nmap, Ghidra, Nuclei, SQLMap, Hashcat and more. 24 MCP Servers, 100+ security tools accessible via natural language, production hardened: non-root containers, minimal images, Trivy-scanned.

MHaggis/Security-Detections-MCP
By Michael Haag: An MCP server that lets LLMs query a unified database of Sigma, Splunk ESCU, Elastic, and KQL security detection rules. The server includes 11 pre-built MCP prompts that provide structured, expert-level workflows for common security detection tasks, including: ransomware readiness assessment, APT threat emulation, purple team exercise, SOC investigation assist, and more.

Claude finds 353 zero-days on Packagist
Sansec describes building a four-stage pipeline using Claude Opus 4.5 to audit the top 5,000 Magento extensions on Packagist, discovering 353 confirmed vulnerabilities (265 IDOR/auth bypass, 50 SQLi, 23 arbitrary file read/write, 15 RCE) across packages with 5.9 million downloads. The pipeline consists of an Aggregator (queries Packagist), Security Auditor (static analysis focusing on non-admin exploitable issues), Vulnerability Reproducer (spins up Docker containers with fresh Magento installs to validate findings via curl PoCs, 79% reproduction rate), and WAF Suggestor (generates active filtering rules). The entire audit cost $10,000 in API calls ($2 per extension, ~$30 per working exploit 😅).

💡 It’s cool that they released the security auditor and reproducer prompts! Also, neither of the prompts are incredibly complex, so to me this is another example of “point frontier models at source code with a reasonable prompt → real bugs!” My colleagues and I also did that here.

One thing I found surprising: “So far we have manually verified 30% of results and found no false positives for the verified vulnerabilities.” Another case for why automatic validation is so powerful/important, but I find it hard to believe there were no FPs 🤔 

Misc

Misc

• Robert Downey Jr’s Iron Man Audition

• J.R.R. Tolkien, Using a Tape Recorder for the First Time, Reads from The Hobbit for 30 Minutes (1952)

• 1000 Blank White Cards - A party card game played with cards in which the deck is created as part of the game.

• The UNIX Pipe Card Game - A card game for teaching kids how to combine unix commands through pipes.

• A scammer’s blueprint - How cybercriminals plot to rob a target within a week. Handbooks found during a police raid on a compound used by a cyberfraud gang in the Philippines show detailed instructions in Chinese for the psychological techniques used for conducting romance scams. Sad ☹️ 

• Tiago Forte - From Chaos to Clarity: My 30-Minute Weekly Review System

• Dan Koe - How to fix your entire life in 1 day

AI

• Codacy co-founder Jaime Jorge’s notes from interviewing Geoffrey Huntley, creator of the Ralph loop, on the future of software engineering.

• @rahulgs - the no unforced-errors ai leader playbook

• @yishan’s AI investment thesis - “Every AI application startup is likely to be crushed by rapid expansion of the foundational model providers.” Two ways to make money: make a flash-in-the-pan app that generates a ton of cash and bank it, or make a good enoguh app that you get acquired by a big player.

• @basedjensen - POV me and Claude Opus 4.5 shipping 😂 

• World Economic Forum 2026 - Google's Demis Hassabis, Anthropic's Dario Amodei Debate the World After AGI

• Greptile argues There is an AI Code Review Bubble - I agree, and it’s not clear to me why these dev-focused code review companies are going to give meaningfully better results than Claude Code/Codex (or like a Cursor or Cognition) with some good skills or prompts.

• Allegedly Anthropic is going to release “Security Center” for Claude Code, scanning code for security issues.

• Introducing Prism - OpenAI launched Prism, a free AI-native workspace for scientific writing that integrates GPT-5.2 directly into a cloud-based LaTeX environment.

• OpenAI Considers Outcome-Based Pricing for AI Breakthroughs - Payment would be tied to measurable results like drug discoveries or operational savings rather than just API usage or subscriptions.

• a16z - The AI Opportunity that goes beyond Models - I thought this was a thoughtful overview of where the opportunity is and what may be disrupted.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋 

📸 A Year in Photos

Over the break I did a bit of Tiago Forte’s Annual Review program, taken from his book to be released later this year.

One of the early exercises was to go through all of your photos from 2025 and pick out the top ~100 that give you the strongest emotional reaction.

I don’t take a ton of photos, and I’m not generally one to review them, but I did it.

And what I realized going through the photos is that there were a few newly-ish made friends, who had really been highlights of my year.

So yesterday I told one of them this (shout-out Aaron), and I plan to tell the rest soon.

This may sound corny, and it’s definitely not what I’ve done in the past as a certified neckbeard hacker™️, but it felt good to tell him about the positive impact he had on me, and that he’s important to me.

I plan to be more intentional about taking photos like this in 2026.

I wonder if there are important people in your life who may not know how much they mean to you 🤔 

Sponsor

📣 Five shifts that will shape your security team in 2026

As we settle into 2026, AI is already top of mind for security leaders - shaping workflows, and challenging teams in unprecedented ways. On January 28, join Tines and Statascale for a live webinar to get first access to insights from 1800+ practitioners and leaders, and tangible advice for turning these insights into real, practical changes for your team.

You’ll learn:

• What makes AI a true advantage for some security teams - and a burden for others

• What “good AI governance” actually looks like in practice 

• How to turn board-level attention into long-term strategic influence

👉 Register now! 👈

AppSec

39C3: Power Cycles
Recordings published from the 39th Chaos Communication Congress (2025). I’ve pulled out a selection of talks that look most interesting to me at the bottom of the web version of this issue.

WhisperPair
Researchers at KU Leuven (Sayon Duttagupta, Seppe Wyns et al) discovered WhisperPair, a vulnerability in Google Fast Pair (that enables one-tap pairing and account synchronization across supported Bluetooth accessories). The bug enables attackers to forcibly pair a vulnerable Fast Pair accessory (e.g., wireless headphones or earbuds) with an attacker-controlled device (e.g., a laptop) without user consent, allowing them to play audio at high volumes, record conversations using the microphone, or in some cases track their location. The attack succeeds within ~10 seconds and works up to 14 meters.

More from Wired: Hundreds of Millions of Audio Devices Need a Patch to Prevent Wireless Hacking and Tracking.

Building Security to Unlock Engineering Velocity
Shreyas Sriram and Sujith Katakam describe how Robinhood's security and engineering teams built SERA (Secure Enhanced Remote Approval), a platform that enables engineers to approve access requests securely from any device without requiring VPN or corporate laptops, using passkeys and biometric authentication. The system maintains security through trusted enrollment (requiring initial setup via corporate device and VPN), device binding, risk-based controls, and comprehensive audit logging. SERA improved approval times by >20% and handles >25% of after-hours requests.

Sponsor

📣 What do AI agents and 3rd party scripts have in common?

Nobody's watching them and they both interact with your client-side environment (which is a black box in most security stacks). cside was born as an alternative to the CSP headache, automatically watching JavaScript & browser behavior at runtime to catch suspicious activity. Now our startup is building a tool to help you prepare for the millions of AI agents that will visit your website. We'd love for you to try it.

👉 Get Private Access 👈

Hm interesting, I hadn’t thought of the attack vector of client-side attacks → prompt injecting AI browsers or attacking agentic commerce. I could see securing agentic commerce being important.

Cloud Security

Multi-Cloud Detection at Scale: A Normalization Framework
Ved K describes how to build a Bronze-Silver data architecture for cloud security logs that eliminates the need to maintain separate detection rules for each cloud provider. The Bronze layer stores immutable raw logs while the Silver layer normalizes heterogeneous cloud logs (AWS CloudTrail, GCP Audit Logs, Azure Activity Logs) into unified schemas using standards like Elastic Common Schema (ECS) or Open Cybersecurity Schema Framework (OCSF), enabling you to write one detection rule that works across all providers instead of N×M provider-specific rules.

The post has some nice thoughts on schema-first detection engineering (design your schema so it’s easy to write important detections), a schema design checklist, service category abstraction, and production-grade implementation patterns.

By scanning Certificate Transparency logs for ROSA console domains, querying the unauthenticated /settings/cluster endpoint to extract cluster UUIDs and owner emails, and guessing usernames, attackers could initiate transfers and gain cluster-admin privileges within 24 hours. The post then walks through going from cluster admin to AWS admin within the victim’s underlying AWS account.

Apple / MacOS

Reverse Engineering iOS Shortcuts Deeplinks
Alex Beals describes his investigation into seeing if you can import or programmatically create automations—through deeplinking (TL;DR: you can’t). Alex used tools like strings, lldb, and Hopper to reverse engineer the Shortcuts app and WorkflowKit framework and discovered the full list of supported actions by examining ICManager's requestHandlers.

iOS Research Docker Environment
Chen Shalev Sokolovsky shares iosEnv, a Docker-based iOS research environment for portable and reproducible mobile security testing. The setup automates tasks like port forwarding, SSH key management, and launching debuggers/instrumentation tools (lldb, frida), and solves challenges around USB device access, password prompts, iOS symbol loading, and rootless jailbreaks.

The Mac Malware of 2025
I love Patrick Wardle’s round-ups. The post is a technical deep dive of all new macOS malware discovered in 2025, organized by malware type, covering its infection vector, persistence mechanism, features and goals. He also includes sample links 👍️ Info stealers dominated the threat landscape, targeting browser data, cryptocurrency wallets, and credentials via fake applications, malvertising, and ClickFix social engineering. Many employed AppleScript/JXA for execution and avoided persistence since they exfiltrate data and exit.

Notable backdoors included ChillyHell (a modular implant with password cracking capabilities), FlexibleFerret (DPRK-linked Go backdoor delivered via fake job assessments), and a sophisticated BlueNoroff campaign deploying multiple components including a Nim-based persistent loader, Go backdoor, process injector, keylogger, and cryptocurrency stealer. The year saw increased sophistication through multi-stage infection chains, dead drop resolvers for C2 discovery, hardware-based anti-VM checks (like ARM CPU feature validation), and abuse of signed/notarized binaries.

Apple's Endpoint Security API provides some event visibility to EDRs, but there are still blind spots: third-party tools cannot read process memory (blocking detection of in-memory payloads), cannot access unified logging without private entitlements, and are limited to file-system and behavior-centric detection. Many EDRs rely heavily on enforcing Apple's native mechanisms (Gatekeeper, XProtect, TCC) rather than implementing novel detection logic.

Blue Team

tracebit-com/awesome-deception
By Tracebit: An awesome collection of articles, papers, conferences, guides, and tools relating to deception in cybersecurity.

DetectionStream: Introducing the Sigma Training Platform
Kostas Tsialemis introduces the Sigma Playground's new Training Platform, a gamified environment for learning detection engineering through hands-on practice with over 20 real-world challenges using event logs from EVTX-ATTACK-SAMPLES. The platform features interactive challenges, real-time rule evaluation, a progressive hint system, difficulty levels, and a community leaderboard, all while keeping user data private by running client-side. Users can also create and share their own challenges through the Challenge Builder.

How to Get Scammed (by DPRK Hackers)
OZ describes their experience with a DPRK-linked malware campaign (DEV#POPPER/XCTDH/Contagious Interview) that uses fake job interviews to target developers. OZ describes the interactions with the “recruiter,” along with sketchy signs like the person deleting messages, GitHub repos, etc.

The campaign used a novel blockchain-based dead drop architecture where Tron and Aptos wallets serve as pointers to XOR-encrypted payloads hosted on Binance Smart Chain transactions. Using Docker and pspy for dynamic analysis, OZ traced the infection chain from obfuscated JavaScript through LCG-based deobfuscation to final payloads that inject persistence into VS Code/Cursor IDEs and establish Socket.IO C2 connections. The malware includes a ReDoS-based debugger detection trick (if someone’s stepping through code with a debugger, the regex catastrophically backtraces and hangs), and deploys sandbox evasion techniques that detect AWS/Azure/Docker/Kali environments before executing.

AI + Security

Coding Agents. The Insider Threat You Installed Yourself
Thomas Roccia describes how to build visibility and security monitoring for AI coding agents like Claude Code using hooks and his new open-source tool NOVA Protector. Claude Code's hook system (PreToolUse, PostToolUse, UserPromptSubmit, etc.) allows intercepting agent actions before/after execution, which NOVA Protector leverages to trace all file reads, command executions, MCP server calls, and agent skill invocations into JSONL session logs. NOVA Protector automatically generates HTML reports for each session showing metrics like files accessed, commands run, prompt injection detection results, tool usage statistics, and complete execution timelines.

The tool integrates with the NOVA Framework's adversarial prompt detection capabilities, scanning agent inputs/outputs against configurable rules for instruction override, roleplay jailbreak, encoding obfuscation, and context manipulation attacks.

On the Coming Industrialisation of Exploit Generation with LLMs
Sean Heelan built agents using Opus 4.5 and GPT-5.2 that successfully wrote over 40 distinct exploits for a zero-day QuickJS vulnerability across 6 scenarios with modern mitigations enabled (ASLR, NX, full RELRO, fine-grained CFI, shadow-stack, seccomp), with GPT-5.2 solving all challenges including a particularly difficult one requiring a 7-function-call chain through glibc's exit handler mechanism. Most exploits were generated in under an hour for around $30-50. The key: the LLM needs to be able to search the solution space automatically with no human intervention, and have some way to verify its solution. Tons of great additional technical details, results, and more in this GitHub repo.

“We should start assuming that in the near future the limiting factor on a state or group’s ability to develop exploits, break into networks, escalate privileges and remain in those networks, is going to be their token throughput over time, and not the number of hackers they employ.”

AI and the Software Vulnerability Lifecycle
Chris Rohlf discusses how AI is transforming the software vulnerability lifecycle across three key phases: discovery, patching, and exploitation. He explains how LLMs integrated with traditional security tools like fuzzers and static analyzers can automate vulnerability discovery, the challenges in generating fixes that address root causes rather than just specific exploit vectors, and how models can offer uplift and efficiency gains in exploitation by identifying which existing program components to leverage or by generating testing infrastructure to incrementally refine an exploit.

💡 This post is a great overview of these spaces, and does a good job covering some of the nuances and challenges. Great resource to share with leadership/executives.

AI, Cyber and National Security
Presentation by Chris Rohlf discussing: how AI could potentially disrupt the current attacker-defender asymmetry by helping defenders with scale, efficiency, and automation, and an overview of applying AI to security, AI code generation, program analysis, and securing AI/AI compute/AI agents. Future predictions: AI will give defenders an advantage (→ cyber as SIGINT capability for nation states is significantly reduced), great powers fight for AI supremacy, and accelerated feedback loops put all nations but the top few in a distant AI third place.

39C3 (CCC 2025)

Some talks that look especially interesting to me:

Politics / Privacy

• Cory Doctorow - A post-American, enshittification-resistant internet

• Katika Kühnreich - All Sorted by Machines of Loving Grace? "AI", Cybernetics, and Fascism and how to Intervene

• Jade Sheffey - A Tale of Two Leaks: How Hackers Breached the Great Firewall of China

• Svea Windwehr and Chloé Berthélémy - The Last of Us - Fighting the EU Surveillance Law Apocalypse

• Helena Nikonole - Coding Dissent: Art, Technology, and Tactical Media

• mixy1, Luke Bjorn Scerri and girogio - There is NO WAY we ended up getting arrested for this (Malta edition)

Fuzzing

• Addison - Demystifying Fuzzer Behaviour

• Romain Malmain - Build a Fake Phone, Find Real Bugs Qualcomm GPU Emulation and Fuzzing with LibAFL QEMU

AI

• Johann Rehberger - Agentic ProbLLMs: Exploiting AI Computer-Use and Coding Agents

• Udbhav Tiwari and Meredith Whittaker - AI Agent, AI Spy

• Mathias Schindler - AI-generated content in Wikipedia - a tale of caution

• Leo Meyerovich and Sindre Breda - Breaking BOTS: Cheating at Blue Team CTFs with AI Speed-Runs

• Shipei Qu, Zikai Xu and Xuangan Xiao - Skynet Starter Kit From Embodied AI Jailbreak to Remote Takeover of Humanoid Robots

• Chiao-Lin Yu (Steven Meow) - When Vibe Scammers Met Vibe Hackers: Pwning PhaaS with Their Own Weapons

• Ting-Chun Liu and Leon-Etienne Kühr - 51 Ways to Spell the Image Giraffe: The Hidden Politics of Token Languages in Generative AI

• jiawen uffline - a media-almost-archaeology on data that is too dirty for "AI"

• Dennis Özcelik - Developing New Medicines in the Age of AI and Personalized Medicine

Security

• ilja and Michael Smith - Escaping Containment: A Security Analysis of FreeBSD Jails

• breakingbread - Prometheus: Reverse-Engineering Overwatch

Misc

AI

• Scaling long-running autonomous coding - Cursor did an experiment where their coding agents built a web browser from scratch by running autonomously for a week and generating 1M+ lines of code across 1,000 files.

• Cursor's latest "browser experiment" implied success without evidence - Someone looked into the browser’s code and found many GitHub Actions runs failed, few commits compiled cleanly. This GitHub issue has more discussion and shows the browser partially rendering Wikipedia. Also Simon Willison weighs in.

• Agent Craft by Ido Salomon - Manage your agents and subagents using an RTS (like Warcraft) interface. I don’t know if this is actually useful it looks awesome 😂 H/T my friend Rob Ragan who is always sharing great stuff.

• Vibecraft - a 3D app to watch and manage Claude Code instances (GitHub).

• claude-code-transcripts by Simon Willison - A new Python CLI tool for converting Claude Code (and web) transcripts to HTML pages for understanding what Claude has done.

• Caleb Sima’s Coding Agent Stack - Claude Code, Claude Superpowers, Episodic Memory, Context7 MCP.

  • Tier 2: SuperClaude, Firecrawl, Browserbase, Playwright, Typescript-lsp, Hookify.

• X has released the x-algorithm on GitHub that powers the For You feed. It combines in-network content (from accounts you follow) with out-of-network content (discovered through ML-based retrieval) and ranks everything using a Grok-based transformer model.

Privacy

• Just the Browser - Helps you remove AI features, telemetry data reporting, sponsored content, product integrations, and other annoyances from desktop web browsers.

• Punkt MC03, a privacy-focused smart phone.

• iOS-Hardening-Guide - A comprehensive guide for enhancing security and privacy on iOS and iPadOS devices, by Sooraj Sathyanarayanan.

• Practical Defenses Against Technofascism - Blog post version of Micah Lee’s BSidesPDX keynote.

  • Always apply updates, use Lockdown Mode, enable Advanced Data Protection in your iCloud account, and advice on device searches.

  • Enable disk encryption and consider powering off devices before going through security checkpoints or if you’re in a situation where someone may examine your phone.

  • Rayhunter is open-source custom firmware for cheap mobile hotspots that can detect cell-site simulators.

Politics

• FBI executes search warrant at Washington Post reporter’s home as a part of an investigation into classified leaks. In April, Bondi rescinded a Biden-era policy that prevented officials from searching reporters’ phone records when trying to identify government personnel who have provided sensitive information to news organizations.

• In Trump’s first term, the administration tried to obtain phone and email records to identify sources.

• Jerome Powell served under President Bush Sr., Obama, Biden, and Trump. In an unprecedented statement: “The threat of criminal charges is a consequence of the Federal Reserve setting interest rates based on our best assessment of what will serve the public, rather than following the preferences of the President. This is about whether the Fed will be able to continue to set interest rates based on evidence and economic conditions—or whether instead monetary policy will be directed by political pressure or intimidation.“

• Senator Thom Tillis (R-NC), a member of the Senate Banking Committee, statement: “If there were any remaining doubt whether advisers within the Trump Administration are actively pushing to end the independence of the Federal Reserve, there should now be none. It is now the independence and credibility of the Department of Justice that are in question.”

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋 

🤙 Mahalo for Reading

A few tidbits from Hawaii:

• Sunsets have been beautiful, and the nature is stunning. If you visit O’ahu, you’ve got to try the malasadas from Leonard’s Bakery 🤤 

• My mom taught me to never waste food, so when consolidating my food carry-ons in the airport, I peeled an entire bag of lychee over a drinking fountain and put them in a water bottle to take up less space. Making my mom proud.

• Maui appears to have banned non-mineral sunscreen, which has somehow managed to make me look even more white. I’m living in my ghost era.

• The road to Hana is notoriously windy so I was driving fairly slowly. A car was tailgating me, and I guess I took too long to pull over, because in a brief straight stretch it blazed past me, and the driver put his hand out the window and flipped me the bird 😂 

  • I think I have unlocked the raw achievement of being flipped off by one of the notoriously relaxed Hawaiians.

Sponsor

📣 Secure, Govern, and Operate AI at Engineering Scale

Modern AI infrastructure outgrows traditional access and security models. Whether you're running GPU training clusters or deploying digital twins that autonomously interact with infrastructure, you can't rely on static credentials.

Teleport treats every actor — agents, LLM tools, bots, MCP tools, and digital twins — as a first-class identity. This turns agentic AI from “uncontrolled automation” into trustworthy, governed automation, delivering the identity, access, and security foundation your AI environment demands.

👉 Secure Your AI Infrastructure 👈

AppSec

MegaManSec/Gixy-Next
By Joshua Rogers: An actively maintained fork of Yandex's Gixy that statically analyzes nginx.conf files to detect security misconfigurations, hardening gaps, and performance issues. It detects issues like HTTP splitting, SSRF, host spoofing, path traversal, alias traversal, and more.

See also dvershinin/gixy.

Clang Hardening Cheat Sheet - Ten Years Later
Daniel Janson and Béatrice Creusillet provide an update to Quarkslab’s 2016 Clang Hardening Cheat Sheet, covering additional hardening options recommended by the OpenSSF, as well as more specialized options that mitigate newer classes of exploits. Including: general protections when using the standard C/C++ libraries or loading libraries, mitigations against stack-based memory corruption, defenses against code reuse attacks like Return-Oriented Programming (ROP) or Jump-Oriented Programming (JOP) attacks, as well as defenses against speculative execution attacks.

How We Scaled Code Repository Management at DNSimple
Simone Carletti describes how DNSimple went from manually managing GitHub repositories to a fully automated Terraform-based system that automatically runs terraform plan on pull requests and terraform apply on merge. They structure GitHub repositories as Terraform map variables with topics for categorization (language, team ownership, policies), manage templates and CODEOWNERS files as github_repository_file resources, and more. The system now manages hundreds of repos with centralized permissions, full Git history for rollbacks, and enables bulk changes across all repos by modifying a single template file.

💡 I like this a lot - git history of all repo changes, roll out new security policies/secure defaults to all repos in one place, strong asset inventory fundamentals (which repos does the platform team maintain? What Go projects do we have? Which repos have vulnerability alerts enabled?).

See also, as previously included in tl;dr sec: How Cloudflare uses Terraform to manage Cloudflare.

Sponsor

📣 The security platform that ships with your code

Arcjet adds security controls directly into your application code. Protect APIs and endpoints from abuse with rate limiting, bot detection, and request validation, without proxies, IP allowlists, or complex infrastructure.

👉 Learn More 👈

Making secure defaults easy and developer friendly is 👌 in my book! Arcjet also has open source SDKs so you can give it a try for free.

Cloud Security

AWS Ends SSE-C Encryption, and a Ransomware Vector
Rich Mogull gives an overview of “Server Side Encryption- Customer-provided keys,” why it’s good that AWS is deprecating it, how attackers were using it for ransomware, and alternatives to consider if you’re one of the few people using it.

DenizParlak/heimdall
By Deniz Parlak: An AWS security scanner that discovers privilege escalation paths across 10+ AWS services, featuring 50+ IAM privilege escalation patterns and 85+ attack chain patterns with MITRE ATT&CK mapping. Heimdall detects both direct and multi-hop attack paths (EC2, RDS, S3, Lambda, KMS, Secrets Manager, STS, SNS, SQS, DynamoDB).

💡 Note: not sure how much of this is just vibed, but including for AWS privilege escalation tool completeness.

The Cloud-Native Detection Engineering Handbook
Ved K walks through a thorough detection engineering lifecycle for cloud environments, covering nine phases from threat research to continuous improvement. The post describes how to prioritize TTPs using exploitability/risk/ROI scoring, validate telemetry coverage, and implement a three-tier data architecture (Bronze/Silver/Gold) using ECS or OCSF normalization to write cloud-agnostic detections once instead of maintaining provider-specific rules for GCP/AWS/Azure, and more.

💡 Tons of detail, great resource 👍️ 

Blue Team

xorhex/BinYars
By @xorhex: A Binary Ninja Plugin that integrates YARA-X into Binary Ninja.

(Anti-)Anti-Rootkit Techniques - Part I: UnKovering mapped rootkits
Sven Rath (@eversinc33) discusses manual driver mapping (writing your malware into kernel space), and three rootkit detection techniques, including scanning device objects in the Windows Object Manager for DriverEntry pointers to unbacked memory regions, queuing an APC to all system threads to identify stack frames pointing to unmapped memory, and leveraging Non-Maskable Interrupts (NMIs) to hopefully catch a rootkit thread running on a CPU by walking the stack to find unbacked memory pointers.

To test these detection strategies and related evasions, Sven developed unKover, a Windows anti-rootkit/anti-cheat driver that can detect drivers mapped to kernel memory.

GachiLoader: Defeating Node.js Malware with API Tracing
Check Point’s Sven Rath and Jaromir Horejsi describe GachiLoader, an obfuscated Node.js malware distributed via the YouTube Ghost Network, a network of compromised YouTube accounts promoting fake game cheats and cracked software. They released Nodejs-Tracer, a tracer for Node.js scripts to dynamically analyze NodeJS malware, defeat common anti-analysis tricks and significantly reduce manual analysis effort.

Some of the GachiLoader variants drop a second-stage loader implementing "Vectored Overloading," a novel PE injection technique that tricks the Windows loader into loading a malicious PE from memory instead of a legitimate DLL. Proof-of-concept here.

Red Team

Making CloudFlare Workers Work for Red Teams
Andy Gill describes using CloudFlare Workers and Pages to create a Conditional Access Payload Delivery (CAPD) system that serves files only when requests include a valid pre-shared authorization header, returning generic 503 errors otherwise. This way red teams can serve payloads to targets without detection.

Andy shares a number of potential improvements (multiple campaigns, rotating payloads) and detection opportunities (monitoring for unusual authorization headers to *.pages.dev domains in proxy logs, non-browser processes connecting to CloudFlare infrastructure, binary content types from static hosting platforms, etc.).

TokenFlare: Serverless AiTM Phishing in Under 60 Seconds
JUMPSEC’s Sunny Chau announces TokenFlare, an open-source serverless Adversary-in-the-Middle (AiTM) phishing framework for Entra ID/M365 that deploys working infrastructure in under a minute using CloudFlare Workers. “Working AiTM infrastructure, with SSL, bot protection, and credential capture to your webhook of choice.” It supports Conditional Access Policy bypasses via User-Agent spoofing, and includes built-in bot blocking based on real-world campaign data.

AI + Security

Quicklinks

• zoicware/RemoveWindowsAI - Force remove Copilot, Recall and more in Windows 11.

• Part 1 of Pramod Gosavi’s reflections on AI in SOC, covering companies and market dynamics from SIEM 1.0 to what may happen in SIEM 3.0

• Rethinking SOC Capacity: How AI Changes the Human Cost Curve - Traditional SOC scaling is broken: increasing alert volume requires increasing headcount, creating a "Human Cost Curve" that eventually breaks under the weight of modern-scale threats. In this post Prophet Security breaks down the math: how analysts only have ~5.6 investigation hours/day, and how AI decouples capacity from headcount.*

^*Sponsored

trailofbits/skills
Trail of Bits’ Claude Code skills for security research, vulnerability detection, and audit workflows 🔥 Some neat skills around: verifying fix commits address findings without introducing bugs, building deep architectural context, doing a security-focused differential review of code changes, performing static analysis with CodeQL or Semgrep, a Semgrep rule creator, variant analysis (finding similar vulnerabilities across codebases), and more.

A Personal AI Maturity Model (PAIMM)
Cool post by Daniel Miessler sharing a 9-level maturity model for AI evolution from Chatbots (Tiers 1-3) to Agents (Tiers 4-6) to Assistants (Tiers 7-9), tracking progression across 6 dimensions: context, personality, tool use, awareness, proactivity, and multitask scale.

Some of Daniel’s predictions: there will be a shift with Assistants in being reactive to proactively helping you, they’ll continuously monitor your state, advocate for you, and help you achieve your goals, voice will overtake typing as the primary interface, they’ll have access to cameras/audio to have full visibility into your state, and more. I like the vignette section on what this might look like across protecting you and your loved ones, detecting and filtering influence campaigns, work, monitoring your mental state and energy, etc.

💡 For a deep dive into Daniel’s personal AI setup and how to build your own, see this webinar we did together and his slides here.

Streamlining Security Investigations with Agents
Dominic Marks describes how Slack's Security Engineering team has developed an AI agent system to optimize security alert investigations. Their initial prototype was a simple prompt + coding agent CLI + MCPs to various systems, but they now have a structured multi-agent approach. The system employs three persona categories (Director, Expert, and Critic agents) working in a coordinated investigation loop across multiple phases (Discovery, Trace, and Conclude), with each agent performing specific tasks (Access, Cloud, Code, and Threat experts). Each agent/task pair is modeled with a carefully defined structured output, and the application orchestrates the model invocations, propagating just the right context at each stage.

Their architecture includes a Hub for API and storage, Workers for processing investigations, and a Dashboard for real-time monitoring. The post walks through an interesting example of the agent identifying a credential exposure that wasn’t the focus of the current investigation.

💡 Great AI + security engineering post, thoughtful and useful architectural details, highly recommend 👍️ 

Misc

Feelz

• Scott Galloway’s newsletter issue commenting on his recent book Notes on Being a Man.

• Jason Chen - Luckiest Man in the World 🥹😭 

• Aella - bye, mom

Privacy

• Inside ICE’s Tool to Monitor Phones in Entire Neighborhoods - 404 Media has obtained material that explains how Tangles and Webloc, two surveillance systems ICE recently purchased, work. Webloc can track phones without a warrant and follow their owners home or to their employer. How: 1) location data from apps on your phone that sell your data to brokers as well as 2) ads. By buying the data, ICE and others can use it without a warrant and without judicial oversight.

• Wired - How to Protest Safely in the Age of Surveillance

• California Delete Request and Opt-out Platform (DROP) - Submit a single deletion request to 500+ registered data brokers instead of opting out individually with each company.

Misc

• Linus Torvalds is using Antigravity

• r/cybersecurity - What’s the most expensive security control you’ve seen that added zero security?

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋 

🏖️ Aloha

I hope you had an awesome holiday break and great start to the new year!

I spent a few weeks with my family in the Midwest, where I survived the cold despite my now frail Californian temperament, hit the gym with my brother, and took a boxing class taught by my sister.

We also did a Wicked movie day, where we watched part 1 in the morning then immediately went to a Part 2 matinee. My mom was hopped up on espresso so she couldn’t stop adding commentary during the former. Delightful 😂 

And for part 2, my sister and I managed to sneak in a metric ton of snacks into the theater, including a Ziploc bag of raw cookie dough to snack on. Sneaking snacks into a theater is one of my great joys in life, don’t judge me.

Currently I’m up late writing this newsletter from Hawaii, continuing my long tradition of writing tl;dr sec from a hotel room in a nice location on not-quite-vacation 😅 

Have a great rest of your week, and talk soon!

Sponsor

📣 How to find and remove viral AI notetakers

AI notetakers like Otter AI spread fast. In fact, one Nudge Security customer discovered 800 new accounts created in only 90 days 😱 Viral AI notetakers can introduce a slew of data privacy risks by gaining access to calendars and adding themselves to every meeting.

Learn how to find and remove viral AI notetakers.

👉 Regain control today 👈

AppSec

Adversis/tailsnitch
By Adversis: A security auditor for Tailscale configurations. Scans your tailnet for 50+ misconfigurations, overly permissive access controls, and security best practice violations. It also can generate SOC 2 compliance reports with Common Criteria mappings.

joe-desimone/mongobleed
By Joe Desimone: A proof-of-concept exploit for the MongoDB zlib decompression vulnerability (CVE-2025-14847) that allows unauthenticated attackers to leak sensitive server memory.

Joe tweet: “This could be a case study in speed running from patch to poc with LLM. Done in less than 10 minutes with Cursor and a single prompt. Helped that vuln trigger is included as unit test in the fix commit.”

ORM Leaking More Than You Joined For
Elttam’s Alex Brown expands on their previous Object Relational Mapper (ORM) Leak research and Black Hat EU briefing ORMageddon: Leaking More Than You Joined For. ORM Leaks occur when web apps offer robust filtering or search capabilities in a way that can be abused to filter objects by sensitive or hidden fields. Developers often rely on the ORM to determine which fields are queryable and to prevent SQL injection, but overlook explicitly validating which fields should be queryable.

The post walks through an interesting expression‑parser bug in the Beego ORM, and an authentication‑bypass technique for the Prisma ORM. They’ve published semgrep rules for detecting potentially dangerous uses of the Django, Prisma, Beego, and Entity Framework ORMs. They also previously released plormber, a tool for exploiting time-based ORM Leak vulnerabilities.

Sponsor

📣 GigaOm: "Architecture is the Top Decision Factor in SecOps Automation"

The 2025 GigaOm SecOps Automation Radar evaluated 19 vendors and concluded that architecture is the most important decision factor in the market. LLM-first solutions unlock new automation capabilities but face edge cases and volatility in production deployments. Workflow-based tools offer predictability but require extensive manual maintenance. 

The report highlights more specialized and sustainable approaches that combine multiple AI techniques (semantic, behavioral, and LLMs) rather than relying on LLMs alone.

👉 Get your free copy 👈

This looks cool. I agree that architecture for LLM tooling makes a big difference, and I’m a big fan of combining multiple techniques. Seems like an informative read 👍️ 

Cloud Security

Introducing Pathfinding.cloud
Datadog’s Seth Art announces the release of pathfinding.cloud, an extensive knowledge base that documents the IAM permissions and permission sets that allow for privilege escalation in AWS, currently documenting 65+ AWS IAM privilege escalation paths in a standardized YAML schema. Each path includes unique identifiers, categorization (self-escalation, principal access, new/existing PassRole, credential access), required vs. additional permissions, explicit prerequisites for exploitation, attack visualizations, and detection tool coverage. 42% of the paths are currently undetected by existing open-source tools like Prowler, Cloudsplaining, PMapper, and Pacu.

Zero‑Days in the Age of AI: Behind the Scenes of ZeroDay.cloud 2025, with a Record High of CVEs in Critical Cloud Infra
Wiz’s Nir Ohfeld shares the results of the first zeroday.cloud competition, which paid bounties for zero days found in open source technologies powering modern cloud and AI infrastructure. Results: $320,000 in rewards, critical vulnerabilities in Redis, PostgreSQL, Grafana, MariaDB, a container escape on Linux, and more.

💡 Interestingly, Team Xint Code, the folks behind the Theori team who competed in the AIxCC cyber grand challenge competition, had successful entries for PostgreSQL, Redis, and MariaDB. In other words, an AI-based vulnerability hunting tool found impactful vulnerabilities in popular, widely used software.

Privilege escalation with SageMaker and there's more hiding in execution roles
Plerion’s Gen Z whisperer Daniel Grzelak describes a privilege escalation pattern in AWS where attackers can gain an instance's execution role privileges by modifying boot-time code execution configurations. He demonstrates this with two examples: with EC2 (using ec2:ModifyInstanceAttribute to inject userData with a #cloud-boothook directive) and a SageMaker Notebook instance variant (using lifecycle configurations), both allowing attackers to execute arbitrary code with the target's IAM permissions.

This pattern generalizes to other AWS services where execution roles are configured separately from code modifications. Daniel recommends detecting these and similar attacks via unusual stop→modify→start sequences, and prevention through strict permission boundaries around configuration-changing capabilities.

AWS Privilege Escalation: IAM Risks, Service-Based Attacks, and New AI-Driven Bedrock/AgentCore Vectors
Software Secured’s Ben Goodspeed describes how AWS privilege escalation has evolved from classic IAM-based escalations (e.g. iam:AttachUserPolicy) to service-centric attacks (e.g. lambda:UpdateFunctionCode) to AI-driven orchestration vectors in Bedrock and Bedrock AgentCore (e.g. Bedrock CreateCodeInterpreter → arbitrary code execution under privileged roles).

The posts discuses some scenarios across CloudGoat, IAM-Vulnerable, and CloudFoxable platforms plus new Bedrock challenges, with the key takeaway that many high-risk actions cannot be granularly constrained by SCPs or resource policies because they lack resource-level ARNs or condition keys.

Blue Team

0x4D31/santamon
By Adel Karimi: A lightweight macOS detection sidecar for Santa that evaluates Endpoint Security telemetry locally with CEL rules and forwards only matched detection signals to a backend server. A “poor man’s macOS EDR for home labs and small fleets.”

What are Composite Detections?
Zack Allen explains composite (correlated/stateful) detection rules, which combine multiple atomic detections to reduce false positives by adding context around attack chains, using MITRE ATT&CK as a framework. Zack walks through an example where three atomic rules (admin login, CreateUser, AttachUserPolicy with admin privileges) are combined using windowing (capturing activity in time windows) to detect AWS account persistence attempts, filtering out benign activity that would trigger individual rules.

Beyond the bomb: When adversaries bring their own virtual machine for persistence
Red Canary’s Tony Lambert and Chris Brook describe a novel attack where adversaries used spam bombing (flooding a victim’s inbox is with thousands of unsolicited emails, a popular distraction tactic) and social engineering → Quick Assist to deploy a custom QEMU VM running Windows 7 SP1. The VM contained Sliver C2 implants, ScreenConnect, and a QDoor backdoor for network reconnaissance and persistence. Forensic details: Plaso timeline analysis, prefetch data (records info about application usage), browser history, and tools like The Sleuth Kit and VMray.

AI + Security

appsecco/vulnerable-mcp-servers-lab
By Appsecco’s Riyaz Walikar: A collection of 9 intentionally vulnerable MCP servers designed to help you learn how to penetration test AI agent infrastructure. The labs include servers containing path traversal with code execution via unsafe path joining and unsandboxed Python execution, indirect prompt injection through documents with embedded hidden instructions (both local stdio and remote HTTP+SSE variants), eval-based RCE in a "quote of the day" tool, instruction injection via fabricated tool outputs, supply-chain attacks through typosquatting, secrets/PII exposure in utility tools, and more.

The Arcanum Prompt Injection Taxonomy
Jason Haddix announced (blog) the release of the Arcanum Prompt Injection Taxonomy 1.5, an interactive, open-source classification system for LLM prompt injection attacks. The taxonomy organizes attacks across four dimensions: Attack Intents (goals like data exfiltration or jailbreaking), Attack Techniques (methods like direct or indirect injection), Attack Evasions (obfuscation methods including Base64 encoding and emoji encoding), and Attack Inputs (entry points for attacks). Neat!

Everything I've Said About AI Since 2016: A Retrospective
Daniel Miessler reviews a decade of his AI predictions across topics like how humans and agents interact, impact on the economy, the security implications of using AI, applying AI to security, and more.

💡 I really like the idea of writing down a bunch of your predictions, and then grading them later. One personal frustration I have is that I haven’t done this really. I remember in ~2010 being very surprised that attackers weren’t systematically backdooring open source libraries/supply chain security wasn’t a big thing. Obviously we’ve seen a lot of malicious dependencies over the past few years. I (and you, dear reader), should try to carve out time to write down our predictions.

Comparing AI Agents to Cybersecurity Professionals in Real-World Penetration Testing
Stanford’s Justin Lin, Dan Boneh, and other Stanford, CMU, and Gray Swan AI folks evaluated ten cybersecurity professionals alongside six existing AI agents and ARTEMIS, their new agent scaffold, on a large university network consisting of ~8,000 hosts across 12 subnets. ARTEMIS is a multi-agent framework featuring dynamic prompt generation, arbitrary sub-agents, and automatic vulnerability triaging. ARTEMIS placed second overall, discovering 9 valid vulnerabilities with an 82% valid submission rate and outperforming 9 of 10 human participants.

They found that AI agents offer advantages in systematic enumeration, parallel exploitation, and cost (certain ARTEMIS variants cost $18/hour vs $60/hour for professional penetration testers). Capability gaps: AI agents exhibit higher false-positive rates and struggle with GUI-based tasks.

Misc

End of Year

• Alex Hormozi - 26 Lessons from 2025

• Leila Hormozi - Give Me 8 Minutes and I’ll Make 2026 The Best Year Yet

• Chris Williamson (Modern Wisdom) - 23 Lessons from 2025

• Modern Wisdom Annual Review Template

• Dickie Bush - 8 Key Lessons Learned From 8 Years Of Journaling

AI

• Andrej Karpathy - 2025 LLM Year in Review

• Latent Space - Steve Yegge's Vibe Coding Manifesto: Why Claude Code Isn't It & What Comes After the IDE

• AI Explained - 2025 AI Year in Review + 2026 Forecast

• AI Engineer - How Claude Code Works - Jared Zoneraich, PromptLayer

• AI Engineer - The Infinite Software Crisis – Jake Nations, Netflix

• AI Engineer - Continual System Prompt Learning for Code Agents – Aparna Dhinakaran, Arize

• AI Engineer - Moving away from Agile: What's Next – Martin Harrysson & Natasha Maniar, McKinsey & Company

• Jeffrey Emmanuel - Prompts to make progress on all your projects every day

• Claude Code creator Boris shares his setup

• Step-by-step guide to get Ralph working and shipping code

Music

• Sungha Jung - Golden (HUNTR/X) - Sungha Jung - Fingerstyle Cover

• Epic Orchestra cover - KPop Demon Hunters - Golden, Free

• SNL - I Miss My Ex’s Dad

• OneRepublic - 'Counting Stars' & 'I Don't Wanna Wait' | Behind the Song

Misc

• Books referenced on Hacker News

• HASBULLA & THE RIZZLER: Sundae Conversation with Caleb Pressley 😂 

• Jmail - Someone built a Gmail-like interface for browsing released Epstein emails. So you can use the search box, filter by person, etc. Very cool, intuitive way to enable for people to interact with public record info in a familiar interface.

• Johnny Harris - What Being a BILLIONAIRE Really Looks Like - Fascinating.

• Bryan Johnson on his psilocybin (magic mushrooms) trip

• Sketch comedy - Oxford comma and other punctuation

• SNL - Espresso Martini

• Aakash Gupta on why Meta paid to kill a $99 AI pendant (Limitless)

• Hacktivist Martha Root deleted the servers of WhiteDate, WhiteChild, and WhiteDeal in real time at the end of a talk at CCC

• Man boards Heathrow flight without ticket, boarding pass or passport - How to get hired for physical pen tests.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋 

🏡 Family Time

This week I’ve been visiting my family in the Midwest, and despite the daily high temperature here being the low in San Francisco, so far I’ve managed to survive.

I recently realized I’ve developed a reputation in my family for bringing sketchy looking things on airplanes.

This time I brought two Ziploc bags of different protein powders so I could do a taste test with my brother. Fortunately, the TSA was not bothered by two unlabeled plastic bags of powder in my carry-on 😂

One thing in particular I’m planning to do while at home is interviewing my family on stories from their lives.

I’ve realized it’s so easy to lose details about my parents’ lives before I were born, or childhood stories my siblings have that are way different than what I remember.

I think I’ll collect the photos and stories (text, videos) in some combination of a Google Doc and Google Drive / iCloud folder that I’ll share with the whole family.

If you haven’t done this before, you should give it a try. Sharing stories is a nice way to bring people together and learn about how they view the world.

📚️ Also: tl;dr sec will be off for the next two weeks, resuming January 8th, 2026.

I hope you get some time to relax and spend time with loved ones over the holidays! 🎄 

P.S. Apparently the hosting provider Daniel Miessler used for his slides for our webinar (on building your personal AI infrastructure) had low bandwidth and it caused a number of people to get an error when they tried to download the slides. Sorry! You can access his slides here, and again the video here.

Sponsor

📣 What if your vulnerability scanner only gave you true positives?

We gave James Berthoty, a leading analyst and ex-security engineer, access to Maze to test in his own AWS environment with no script and said, “hit record, we’ll share what you see.”

The result? Most CVEs look scary on paper, but even if the scanner picked it up, they couldn’t actually be exploited in the specific environment. Maze uses AI agents to investigate each vulnerability in context: runtime signals, network exposure, and real attack paths, just like your best security engineer would. If Maze says it’s exploitable, it’s a real problem backed by evidence.

👉 See the Investigation 👈

AppSec

The Fragile Lock: Novel Bypasses For SAML Authentication
Portswigger’s Zakhar Fedotkin shows “how to achieve a full authentication bypass in the Ruby and PHP SAML ecosystem by exploiting several parser-level inconsistencies: including attribute pollution, namespace confusion, and a new class of Void Canonicalization attacks. These techniques allow an attacker to completely bypass XML Signature validation while still presenting a perfectly valid SAML document to the application.” You can download the Burp Suite extension that automates the entire exploitation process from GitHub.

Fil-C
Fil-C is a memory-safe implementation of C and C++ that catches all memory safety errors as panics, using concurrent garbage collection and "InvisiCaps" (invisible capabilities) to check every potentially unsafe operation. The implementation maintains "fanatical compatibility" with existing C/C++ codebases, supporting advanced features like threads, atomics, exceptions, signal handling, longjmp/setjmp, and shared memory, with many open source programs including CPython, OpenSSH, GNU Emacs, and Wayland working without modification. It's possible to run a totally memory safe Linux userland.

The post Linux Sandboxes And Fil-C describes how to combine Fil-C's memory safety with Linux sandboxing techniques, specifically focusing on adapting OpenSSH's seccomp-BPF sandbox to work with Fil-C. See also the Chromium and Mozilla docs on how to do sandboxing on Linux using seccomp.

They also built a Drift Management System that runs daily and ensures every repo has the stub workflow and that it matches the latest version, automatically updating it if not. The post also discusses how they handle observability, customizing which rules run where, custom rules and remediation advice, and more.

Sponsor

📣 Supercharge Your SOC with AI, starting now

Grab Filip Stojkovski’s new eBook, An Implementation Guide for AI-Driven Security Operations. SOCs are ditching clunky, manual playbooks for agentic AI, and this field guide shows you exactly how to modernize without chaos.

Take a look to learn to:

• Gauge SOC maturity and set an AI roadmap

• Build the data foundation AI needs

• Select platforms that actually deliver

• Prove wins with KPIs and ROI

From greenfield to MDR to mature SOCs, use step-by-step playbooks to go from alert fatigue to AI speed.

👉 Get the Exaforce eBook by Filip Stojkovski 👈

I’ve been enjoying Filip’s writing, he really has his finger on the pulse of the AI + SOC/detection space. And Exaforce has been sharing some 👌 technical blog posts recently.

Cloud Security

Abusing AWS Systems Manager as a Covert C2 Channel
Atul Kishor Jaiswal describes how to abuse AWS Systems Manager's hybrid activation feature to establish a covert command and control (C2) channel on macOS and Windows systems using legitimate, Amazon-signed binaries. Basically you install the official SSM agent on the victim machine, which then communicates with AWS endpoints over HTTPS, providing attackers with file system access, process monitoring, shell command execution, and terminal sessions without triggering security alerts as the agents communicate exclusively with trusted AWS endpoints and require no open ports or custom malware. The post concludes with Mac and Windows-specific detection strategies.

💡 I expect to see more “Living off the Cloud” techniques like this.

Exploiting AWS IAM Eventual Consistency for Persistence
OFFENSAI's Eduard Agavriloae describes how AWS IAM's eventual consistency creates a ~4-second window where deleted access keys and other IAM changes remain valid, allowing attackers to maintain persistence even after credentials are supposedly revoked. An attacker can detect when their keys are deleted and quickly create new credentials or assume roles before the deletion fully propagates, maintaining persistence. Traditional remediation approaches like applying deny policies fail during this window, as attackers can detect and remove these restrictions before they take effect.

The most effective mitigation is applying Service Control Policies (SCPs) at the account level, which attackers can't modify, followed by waiting for the consistency window to close before proceeding with traditional remediation steps.

💡 Dude, this is pretty crazy 🤯 I’m sure this is going to happen in the wild now, if it wasn’t already.

Shifting left at enterprise scale: how we manage Cloudflare with Infrastructure as Code
Chase Catelli, Ryan Pesek, and Derek Pitts describe how the Cloudflare security team implemented a "shift left" approach to manage hundreds of internal production Cloudflare accounts using Infrastructure as Code (IaC) with Terraform, Atlantis, and a custom tool called tfstate-butler, that acts as a broker to securely store state files.

They enforce security baselines through Policy as Code using Open Policy Agent (OPA) and Rego, which automatically validates configurations during merge requests to catch issues before deployment. There are currently ~50 custom policies, for example: only @cloudflare.com emails are allowed to be used in an access policy. The team also developed a drift detection service to identify unauthorized dashboard changes and implemented cf-terraforming to simplify the onboarding of existing resources.

Blue Team

mandiant/gostringungarbler
By Mandiant: A Python command-line project to resolve all strings in Go binaries obfuscated by garble. The tool works by identifying decryption routines through regex patterns, emulating them with the unicorn emulator, and patching the binary with deobfuscated strings.

Field Manual #4: What are Atomic Detection Rules?
Friend of the newsletter Zack Allen continues his detection engineering series, this time discussing “atomic detection rules,” which are narrowly defined rules that detect activity at a point in time with little to no context. Zack uses David Bianco's Pyramid of Pain framework to illustrate how detection effectiveness increases as you move from simple indicators (IPs, domains) to more complex TTPs.

The post describes how atomic detections lacking environmental context generate false positives, using examples of AWS admin logins and C2 IP address alerting to show how single-value matching creates brittle rules that attackers can easily evade. As detection engineers add more context to rules, defender operational costs increase but false positive rates decrease, an ever present cost-benefit tradeoff when writing detection rules.

Redefining Detection Engineering: Part I
Tallis Jordan defines detection engineering as “the application of software engineering concepts to transform raw data into high-fidelity, actionable alerts that are measurable, manageable, and reliable through repeatable techniques, such as version control, testing, and optimization.” Not: just writing SIEM rules. Tallis outlines core principles including: the Generalizability Principle (behaviors over signatures), Assume Breach Mindset, Data-Driven Decision Making, Fail Fast/Learn Faster, and Signal vs. Noise Obsession. The post includes industry statistics from CardinalOps showing most organizations only cover 21% of MITRE ATT&CK techniques, 13% of rules broken, 60% of attacks undetected, and 80% of detections untested or misconfigured.

In Part 2, Tallis describes the day-to-day: the responsibilities, deliverables, and expectations of a detection engineer. Core responsibilities include: detection research and development, validation through test cases and adversary emulation, lifecycle management with git, implementation of CI/CD pipelines for Detection-as-Code, risk assessment based on business context, log source management, and cross-team collaboration.

Red Team

C2 Redirectors Made Easy
Clint Mueller (great name 👏) announces caddy-c2, a Caddy module that automatically parses C2 profiles and proxies legitimate C2 traffic without manually configuring redirect rules for User-Agents and HTTP endpoints. Putting redirectors in front of a C2 server obscures the actual location of the C2 server, allows only legitimate C2 traffic to reach the C2 server, and if the traffic is detected and blocked, the proxy can easily be destroyed and a new one deployed in it’s place, which is easier than re-deploying the C2 server.

Stillepost - Or: How to Proxy your C2s HTTP-Traffic through Chromium
dis0rder introduces stillepost, a tool that leverages Chrome DevTools Protocol (CDP) to proxy C2 traffic through legitimate browser processes, helping attackers blend in with normal web traffic. By spawning a headless Chromium browser with remote debugging enabled, connecting via WebSockets, and using the Runtime.evaluate method to execute JavaScript that makes XHR requests, the tool allows malware to send HTTP requests through the browser rather than directly from the implant. This technique benefits from the browser's existing proxy configuration, firewall rules, and expected network behavior, though it's limited to servers that allow CORS requests from arbitrary origins.

Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit
MatheuZ describes Singularity, a Loadable Kernel Module (LKM) rootkit developed for modern Linux kernels (6.x) with advanced evasion and persistence techniques. Singularity uses ftrace for syscall hooking instead of directly modifying the System Call Table, implements multi-layered process hiding through PID tracking and directory listing filtering (/proc), conceals files and network connections, provides privilege escalation vectors via signals and environment variables, sanitizes kernel logs to remove evidence of its presence, and includes anti-forensic techniques to prevent detection by both 64-bit and 32-bit tools.

💡 Great overview of a ton of different places and ways to detect and hide on Linux.

AI + Security

Winning the AI Cyber Race: Verifiability is All You Need
Sysdig CISO Sergej Epp argues that AI is transforming offensive security faster than defense because offensive tasks have built-in binary verifiers (shell popped? exploit worked? root access?) while defensive tasks like SIEM analysis, GRC, and forensics lack mechanical ground truth, leading to noise and low precision. “Agents + Oracles = The Unlock.” “Who owns the verifiers wins the AI race.”

Sergej contrasts Google's Sec-Gemini (~12% precision on forensic timeline analysis) with Microsoft's Project Ire (98% precision on Windows driver classification) to show that wrapping LLMs with proper tool scaffolding (sandboxes, decompilers like Ghidra and angr, and validator agents) is what drives results, not raw model capability.

The path forward for defense is engineering six classes of mechanical verifiers: canary verifiers (honeytokens), provenance proofs (SLSA, SBOMs), replay harnesses for detection rules, policy-as-code (Rego, OPA, Checkov), sandboxing and dynamic analysis, and graph-based verifiers (attack graphs, reachability analysis, cloud security posture). Security leaders should demand vendors explain their mechanical verification methods, adopt continuous AI red teaming to expose verifier gaps, and build realistic cyber gyms since LLMs can't generalize on private enterprise data they've never seen. See also Sergej’s BSidesFrankfurt 2025 keynote on this topic.

💡 This post is 🔥, highly recommend. The importance of verifiability is a key insight, I’ve been thinking about this for awhile. I’m documenting this prediction here so I can point to it in the future.

Prediction: AI will make formal verification go mainstream
Martin Kleppmann predicts that AI will make formal verification mainstream by dramatically reducing the cost and expertise required to write proof scripts for tools like Rocq, Isabelle, Lean, F*, and Agda. He argues that LLMs are well-suited for writing proofs because invalid proofs will be rejected by verified proof checkers, and that formal verification will let us ship AI-generated code quicker with confidence, reducing the need for human review (which could become the bottleneck). Martin believes the challenge will shift from writing proofs to correctly defining specifications for your software.

💡 I think this is a good argument- formal verification proofs are hard to write and require expertise, but LLMs can potentially churn them out quickly/better than humans at scale (like unit tests), and with the proof checkers we have an oracle that can automatically return if the proof is valid.

The difficulty is going to be actually specifying what the system should do in sufficient detail, and for most companies and products, unlike what academia works on, these are rapidly built, quickly iterated on applications that are being shipped to the user ASAP, so I somewhat doubt if more than like 1% of software could be described by its creators in specification-level detail. That said, this could be huge for OS kernels, parsing libraries (leverage the RFC for that format as the spec), cryptographic libraries, and compilers, which could reduce or eliminate many serious vulnerabilities. Excited to see more in this space!

See also symbolic methods of translating C to (unsafe, unidiomatic) Rust, like C2Rust, Corrode, and Citrus, and the paper C2SaferRust, which combines C2Rust, LLMs, and formal methods.

Misc

Fame

• Influencers are royalty at this college, and the turf war is vicious - College, you know, that place people go to learn 🫠 

• charli xcx - The realities of being a pop star - Fascinating and candid.

Misc

• Cimorelli - KPop Demon Hunters - Golden (Harmony Loop Cover)

• TikTok unlawfully tracks your shopping habits – and your use of dating apps

• Hack Reveals the a16z-Backed Phone Farm Flooding TikTok With AI Influencers - “Doublespeed uses a phone farm to manage at least hundreds of AI-generated social media accounts and promote products. The hack reveals what products the AI-generated accounts are promoting, often without the required disclosure that these are advertisements, and allowed the hacker to take control of  more than 1,000 smartphones that power the company.”

  • See also: a16z-Backed Startup Sells Thousands of ‘Synthetic Influencers’ to Manipulate Social Media as a Service

AI

• Meta’s New A.I. Superstars Are Chafing Against the Rest of the Company

• What OpenAI Did When ChatGPT Users Lost Touch With Reality - “Some of the people most vulnerable to the chatbot’s unceasing validation, they say, were those prone to delusional thinking, which studies have suggested could include 5 to 15 percent of the population.”

• Andrej Karpathy tweet on the implications of AI to schools

• The Economist - How HR took over the world - The profession has rocketed in size and stature. Will AI shrink it?

• American remote-work cities show signs of strain - More people working from home → fewer people going downtown, fewer office leases → less tax revenue.

• From Vibe Coding To Vibe Engineering – Kitze - Very fun talk, lots of memes.

• Lee Robinson describes how he migrated cursor.com from a CMS to raw code and Markdown. He estimated it would take a few weeks, but was able to finish the migration in three days with $260 in tokens and hundreds of agents.

  • What sticks out to me: a) there’s so much value in having agents be able to quickly read/understand/edit things, that abstractions that make this more difficult are potentially not worth it. b) A lot of SaaS apps / software in general is going to need to fight for their money/customers vs just having customers re-build it in house. Long term in-house maintenance costs might be high though.

  • “The cost of abstractions with AI is very high. Over abstraction was always annoying and a code smell but now there’s an easy solution: spend tokens. It was well worth the money to delete complexity from our codebase and it already paid for itself.”

  • Thoughtful response from Sanity, the CMS cursor migrated from, on the nuances of CMS systems and what some of the complexity supports.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋 

🥖🗼La Vie de Clint

Some recent anecdotes from my life:

• I caught up with my friend David Molnar, who leads the program analysis team at Meta. Lots of neat stuff in the works. I remember meeting David when I was a grad student, over a decade ago 👴 Careers are long, and the security industry is small.

• In a recent musical improv comedy show I sang a poignant ballad about how I was the only survivor of 100 passengers in a tragic clown car accident. Super stoked for BSidesSF’s musical theme next year 😍 

• Next week I’m going back home to the Midwest to visit family for the holidays. We always get an (arguably dangerously) tall fresh tree. Ready to hit the gym with my bro 💪 

P.S. In case you missed it, here is the recording and slides for the webinar with my bud Daniel Miessler on his personal AI setup that enables him to much more productive. Super cool slides (shout-out nano banana) and neat live demos!

Sponsor

📣 We tried to get an AI agent to write vulnerability checks for us…

Like everyone else, we’ve been curious about how useful AI agents really are for day-to-day security work. So we threw one in the deep end and asked it to write new vulnerability checks from scratch. It started strong—until it introduced a vulnerability of its own.

The irony wasn’t lost on us.

In our latest research, we break down what happened, why it matters, and how to safely mitigate the risks that come with AI-assisted coding.

👉 Read the full article 👈

AppSec

Let's Stop Hacklore!
Bob Lord announces hacklore.org to combat outdated cybersecurity advice, backed by 80+ security practitioners who recognize that common "hacklore" myths distract people from the correct security basics. He emphasizes focusing on fundamentals like strong MFA, password managers, and keeping software updated instead of worrying about unlikely threats.

💡 Some solid, straightforward advice 👍️ Good for sharing with the non technical people in your life after you fix their printer over the holidays.

SVG Filters - Clickjacking 2.0
Lyra describes “SVG clickjacking,” a new technique that takes traditional clickjacking from just tricking users into making a click or two, to supporting complex interactive attacks and data exfiltration through SVG filters. Using SVG filter elements, Lyra shows how attackers can create convincing fake interfaces, read pixel data from cross-origin iframes, implement logic gates for multi-step attacks, and even generate QR codes for data exfiltration. Lyra got a $3133.70 bug bounty from demonstrating this technique on Google Docs.

💡 This is some impressive web chicanery 🤯 My description here does not do it justice.

React2Shell: Everything You Need to Know About the Critical React Vulnerability
Wiz’s Gili Tikochinski, Merav Bar, and Danielle Aminov describe the unauthenticated RCE vulnerability in the React Server Components (RSC) "Flight" protocol, stemming from insecure deserialization in RSC payload handling, allowing attackers to execute privileged JavaScript code through a simple HTTP request. React 19 and frameworks like Next.js affected. Wiz Research data shows 39% of cloud environments contain vulnerable instances, and attackers are actively exploiting it to harvest cloud credentials and deploy cryptocurrency miners. Patch ASAP.

Deep dive from Wiz here, Vercel update here, Vercel CEO Guillermo Rauch overview here, Datadog post here. Huge shout-out to Lachlan Davidson for discovering such a critical vulnerability 🙌 

Sponsor

📣 From Gates to Guardrails:
How to Prevent Risk at Scale

AppSec teams often struggle to prevent issues without slowing developers. A lack of context makes it hard to set targeted controls, so issues slip into production faster than teams can fix them – leaving teams with ever growing backlogs and applications persistently at risk.

Discover a practical, five-stage framework to enable teams turn security gates into guardrails, allowing teams to accelerate secure development.

👉 Start Preventing Risk 👈

This guide has some good advice and nice maturity checklists. Understand your environment, standardize dev tooling, ensure coverage and provide a secure baseline, and how to prevent risk at scale.

Cloud Security

AWS re:Invent 2025 Security Talks
103 video playlist carefully, kindly, benevolently collected by the gentleman and scholar Daniel Grzelak.

Simplify IAM policy creation with IAM Policy Autopilot, a new open source MCP server for builders
AWS announces IAM Policy Autopilot, an open source static analysis tool that helps you quickly create baseline AWS IAM policies that you can refine as your application evolves. It uses code analysis to create policies based on AWS SDK calls in your code. The tool is available as a CLI and MCP server for use within AI coding assistants.

AWS pre:Invent security highlights: what changed and why it matters
Adan Alvarez describes three AWS pre:Invent security announcements: AWS local development using console credentials (aws login), IAM Outbound Identity Federation, and attribute-based access control (ABAC) for S3. For each, Adan discusses how it can improve security, potential attacker abuse vectors, and specific CloudTrail events to monitor.

Top AWS re:Invent Announcements for Security Teams in 2025
Wiz’s Scott Piper highlights key AWS security announcements from re:Invent 2025, including the new aws login command for simplified credential access, IAM Outbound Identity Federation for authenticating to non-AWS services using AWS principals via JWT, and the ability to transfer accounts between AWS Organizations without the previous complications. Other honorable mentions: IAM Policy Autopilot for policy generation, IAM temporary delegation, and org-level S3 Block Public Access settings.

re:Invent 2025 recap
Chris Farris shares a nice overview with a generous side of snark on AWS re:Invent 2025 announcements, grouped into: Security Features, Cloud Governance & Costs, Serverless Stuff, GenAI & Bedrock, and the other random stuff.

One nice update: server-side encryption with customer-provided keys (SSE-C), which can be used to ransomware resources in AWS accounts, will be disabled for all existing buckets in AWS accounts that do not contain any SSE-C-encrypted data.

“I’m shocked that laying off tens of thousands of people and replacing them with GenAI has slowed innovation,” “Friends still don’t let friends run Control Tower,” “using GenAI to answer questions about the data might be a useful reason to make polar bears homeless.”

Supply Chain

We should all be using dependency cooldowns
William Woodruff argues that dependency cooldowns are a free, easy, and incredibly effective way to mitigate the large majority of open source supply chain attacks. The vast majority of malicious dependencies are caught by vendors within ~a week, so if you just wait 1-2 weeks to update dependencies, 80-90% of these attacks won’t affect you. You can add cooldowns with Dependabot, Renovate, or zizmor: dependabot-cooldown , or use pnpm’s minimumReleaseAge or uv’s exclude-newer.

💡 Basically the standard PwnRequest attack where user input is used unsafely in a GitHub Action, but the dangerous place where user input is passed to is an AI agent CLI. This AI usage pattern seems super useful though from a maintainer point of view (e.g. doing code review on a PR, summarizing an issue, etc.) so I’d guess this will continue popping up a lot. It’d be great to see a “secure” pattern for this.

Also, given how model nondeterminism, I’d be curious to see if it takes a number of attempts to reliably exploit these, and if that makes them “noisier” and easier to detect?

Lessons learned (copied verbatim for my future reference):

• Prompt engineering matters: Carefully framing context, exclusions, and known pitfalls drastically improved reliability. We saw double-digit accuracy gains across multiple iterations of the prompt design.

• Curated datasets and suppression rules are critical: Our team spent months improving accuracy through careful creation and curation of malicious data and system-level prompts. These were incremental improvements and represented much of the day-to-day work of improving this system.

• Chasing benchmarks leads to diminishing returns: Although we continue to test against SOTA models, most of our real improvements have come from better prompts and better data. Changing across SOTA models ends up being most interesting for cost optimization.

• Dogfooding accelerates tuning: Using the tool on Datadog’s own codebase gave us realistic data and quick feedback cycles.

• Testing must be adversarial: Only by simulating real attacker behavior could we measure true malicious-detection performance.

Blue Team

LinkPro: eBPF rootkit analysis
Synacktiv’s Théo Letailleur analyzes LinkPro, a sophisticated Linux eBPF rootkit discovered during an AWS infrastructure compromise investigation. The rootkit uses two eBPF modules: a "Hide" module that conceals its presence by intercepting getdents and sys_bpf system calls, and a "Knock" module that activates the backdoor only upon receiving a specific TCP packet with window size 54321. Tons of great technical details + YARA rules at the bottom.

Why the MITRE ATT&CK Framework Actually Works
Nice intro/overview article by John Vester on why the MITRE ATT&CK framework has become so successful, highlighting its value in providing a common language for describing adversary behaviors and techniques. The post covers how ATT&CK helps organizations prioritize security efforts by focusing on the most relevant threats to their environment, enabling teams to map their existing security controls against known attack techniques and identify coverage gaps. The framework allows security teams to develop more targeted detection and response capabilities based on real-world attack patterns, rather than theoretical vulnerabilities.

EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks
The Sysdig Threat Research Team describes EtherRAT, a sophisticated implant exploiting the React2Shell vulnerability that uses Ethereum smart contracts for C2 resolution, implements five Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org. The four-stage attack chain includes blockchain-based command and control using consensus voting across nine Ethereum RPC endpoints. “Rather than hardcoding a C2 server address, which can be blocked or seized, the malware queries an on-chain contract to retrieve the current C2 URL.”

See also Reversing Lab’s post Ethereum contracts push malware on npm.

💡Not content to be used only for rug pulls, stolen to fund North Korea’s weapons program, and used as ransomware payments for criminals, the blockchain is now being used for C2. Obligatory web3isgoinggreat.com reference.

Red Team

Implementing the Etherhiding technique
Onhexgroup shares a step-by-step tutorial for implementing the "Etherhiding" technique, a new technique reported by Google where threat actors leverage public blockchains to distribute malware. The post walks through creating a simple Solidity smart contract on the Sepolia test network (testnet) that stores and returns a message, then building a web interface to retrieve this data from the blockchain.

Fairy Law
Orange Cyberdefense’s Ogulcan Ugur describes "Fairy Law," (GitHub PoC) a technique that disables EDR components by globally enabling the MicrosoftSignedOnly policy to block non-Microsoft signed DLLs from loading into processes. This technique bypasses anti-tamper protections since the OS blocks EDR components before they can protect themselves, resulting in reduced telemetry, disabled hooking, and compromised user-mode monitoring. EDR vendors with Microsoft-signed components (like CrowdStrike) can still maintain some functionality, while those without Microsoft signatures lose significant monitoring capabilities.

Intuition-Driven Offensive Security
My bud Andy Grant shares his philosophy for building an offensive security program based on his experiences at Zoom. Three core principles: deep understanding of the target (understand the target systems more than the devs who built it), seeking technical truth (verify security claims- what’s in the code, not just what’s claimed), and hunting critical risk, not just counting bugs. Overall Andy advocates for giving security teams freedom to follow intuition and uncover meaningful vulnerabilities, without artificial constraints around scope or time boxing the assessment.

💡 Andy was my manager at NCC Group for awhile, and played a critical role in my career and me being where I am today. I am and will always be grateful for him believing in me. I had the opportunity to tell him this recently, and it was really nice 😊 

AI + Security

When Agents Get Tools: 10 MCP Labs for Breaking and Hardening AI Integrations
Pawel Koziel shares MCP Breach-To-Fix Labs, a GitHub repo with 10 hands-on MCP security challenges reproduced from real CVEs and public incident reports. Each scenario has a vulnerable, intentionally exploitable implementation, and a secure, hardened implementation with controls that block the attack. Challenges include a CRM Confused Deputy, prompt injection via public GitHub issue, hidden instructions in tool responses, SQL injection, command injection, and more.

Securing MCP servers with 1Password: Stop credential exposure in your agent configurations
Nancy Wang and Robert Menke describe how to use the 1Password CLI (op) to pull secrets at runtime so they’re not stored in plaintext (e.g. in an mcp.json file) and can be easily leaked. Basically: op run --env-file=.env -- cursor mcp-server start. Also apparently 1Password has Environments now, which let you define, sync, and rotate environment variables centrally across projects: 1password env init my-ai-project.

💡 I had a great chat with 1Password CISO Jacob DePriest at a recent dinner, super nice guy. I like what they’re building. H/T Decibel’s Dan Nguyen-Huu for organizing 🙏 

Securing AI Agents with Cisco’s Open-Source A2A Scanner
Cisco’s Vineeth Sai Narajala and Sanket Mendapara introduce A2A Scanner, a tool to scan Agent-to-Agent (A2A) protocol implementations for security threats and vulnerabilities. A2A Scanner integrates static analysis of agent definitions (e.g., metadata, manifests, Agent Cards) with dynamic runtime monitoring of communications between agents.

It has five detection engines: pattern matching with detection signatures (YARA), protocol validation with specification compliance (validates agents against the official A2A protocol specs), behavioral analysis with heuristics, runtime testing with an endpoint analyzer, and semantic interpretation with an LLM analyzer.  

Securing the Model Context Protocol (MCP): Risks, Controls, and Governance
Paper by Herman Errico, Jiquan Ngiam, and Shanita Sojan analyze security risks introduced by MCP, including 3 types of adversaries (content-injection attackers, supply chain attackers, agents who over-step their role) and how MCP can increase attack surface (data-driven exfiltration, tool poisoning, and cross-system privilege escalation).

The paper also proposes a set of practical controls, including per-user authentication with scoped authorization, provenance tracking across agent workflows, containerized sandboxing with input/output checks, inline policy enforcement with DLP and anomaly detection, and centralized governance using private registries or gateway layers.

Misc

Music

• I'm Not That Girl - Wicked (80s POP ROCK Cover) feat. Darren Criss

• Josh Ramsay Of Marianas Trench Covers "Defying Gravity" On The Spot

• 5 unexpected singing moments - Aw the proud dad 🥹

• Here’s How Ed Sheeran Pulled Off His NYC Music Special in a Single Take - This is absolutely insane. H/T Luke O’Malley for sharing.

AI

• No Vibes Allowed: Solving Hard Problems in Complex Codebases – Dex Horthy, HumanLayer - Excellent talk and slides. Markdown version here.

  • Their humanlayer repo has some nice prompts.

• 2026: The Year The IDE Died — Steve Yegge & Gene Kim, Authors, Vibe Coding - TIL Gene Kim and Steve Yegge have a book on Vibe Coding

• Ship Production Software in Minutes, Not Months — Eno Reyes, Factory - Some nice content on capturing enterprise context.

• Don't Build Agents, Build Skills Instead – Barry Zhang & Mahesh Murag, Anthropic

• POC to PROD: Hard Lessons from 200+ Enterprise GenAI Deployments - Randall Hunt, Caylent - I liked a few of the diagrams.

Misc

• “I’m changing my profile pic to a girl. Currently at 4833 followers. Let’s see where I’m sitting at the end of the year.”

• Florida study: “Two years after the imposition of a student cell phone ban, student test scores in a large urban school district were significantly higher than before.”

• TIME’s Top 100 Photos of 2025

• Crowdfunding to cover grocery costs becomes more common - Not a good sign for the economy

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋 

📺️ Panel: 2026 Predictions with Chainguard Founders

Next week I’m stoked to moderate a panel with Chainguard’s founders Dan Lorenc, Kim Lewandowski, Matt Moore, and Ville Aikas!

We'll discuss the most impactful developments in software supply chain security from 2025 and share predictions for 2026.

We’ll also cover recent high-profile attacks, AI's role in engineering productivity, and emerging trends that every security and engineering leader should know about.

I’m a huge proponent of secure-by-default software, so I’m excited for the discussion on where things are headed and what we can do to build scalable security programs!

👉️ Join us Wed Dec 10 @ 10am PST 👈️ 

🗓️ Reflections

I had a bit of a surreal moment yesterday.

In the morning I did a webinar with my good friend Daniel Miessler about his personal AI setup (GitHub), and a few hundred people joined our discussion, and asked a ton of great questions.

I then grabbed lunch at Anthropic with my bud Xiaoran Wang.

Most of the rest of the day I spent writing this love letter newsletter to you, dear reader.

A few years ago I would not have expected I’d have a day like this. It’s a bit humbling I guess.

I’m going to try to carve out some time to do a deeper, longer reflection over the holiday break.

Feel free to let me know if there are some annual review resources that you really like!

P.S. One of the ways I find great security content is following what people share. Feel free to connect with me on LinkedIn so your stuff shows up in my feed 👋 

Sponsor

📣 7 Best Practices for Secrets Security

Take the guesswork out of secrets management.

API keys, tokens, and credentials often end up scattered across repos, pipelines, and SaaS tools. This cheat sheet helps you cut through the noise, identify what matters, and build guardrails that prevent future leaks.

You’ll learn:

• 7 best practices to discover, validate, and protect secrets across your SDLC

• Real-world examples and ready-to-use GitHub + Gitleaks snippets

• Tips for assigning ownership and fixing issues directly in code

• Guidance to secure vaults without slowing developers down

Whether you’re cleaning up old keys or setting guardrails for AI-generated code, this guide helps your team build securely from the start.

👉 Secrets Security Cheat Sheet:
From Sprawl to Control 👈

AppSec

Overall strategy: lay foundations with clear expectations, understand data flows, protect chokepoints, implement defense-in-depth, and plan for incident response when prevention fails.

Findings: there was a ~35% higher density of leaked secrets per repository on GitLab compared to Bitbucket, and Google Cloud Platform credentials were most commonly leaked (1 in 1,060 repos). See also Luke’s post on scanning 2.6 million public Bitbucket Cloud repos for secrets.

Sponsor

📣 5 Critical Microsoft 365 Security Settings You Might Be Missing

Set it and forget it? Not when it comes to M365 security. Configuration drift, admin sprawl, and risky integrations creep in over time, opening up security gaps that attackers love to exploit. This checklist from Nudge Security will help you catch common pitfalls and keep your environment secure.

👉 Get the Guide 👈

M365 is pretty complex and nuanced, I’m sure there’s a lot of stuff in here I’d forget to consider 👆️ 

Cloud Security

Phishing for AWS Credentials via the New ‘aws login’ Flow
Adan Alvarez describes how attackers can abuse the new aws login --remote command to phish for AWS credentials, bypassing phishing-resistant MFA. Basically the social engineering attack works by tricking victims into visiting a malicious site that runs the command in the background, then having them authenticate to a legitimate AWS login page and provide the resulting verification code back to the attacker, who can exchange it for temporary credentials. Adan also shares an SCP that blocks this attack and how to detect suspicious activity.

The log rings don’t lie: historical enumeration in plain sight
Exaforce’s Bleon Proko shows how attackers can use cloud logs as an intelligence gathering tool, demonstrating techniques to enumerate permissions, resources, and identities across AWS, Azure, and GCP environments.

Bleon shows how attackers with log access (CloudTrail events, Azure Activity Logs, GCP Audit Logs) can extract valuable information from audit trails (e.g. sign-ins, permission assignment, etc.) by analyzing fields like identity details, resource names, request parameters, and error messages to map the cloud environment’s infrastructure and determine their permissions, without triggering additional alerts.

All Paths Lead to Your Cloud: A Mapping of Initial Access Vectors to Your AWS Environment
Palo Alto’s Golan Myers and Ofir Balassiano describe two primary classes of AWS misconfigurations that create identity-driven initial access vectors: service exposure (misconfigurations allowing public access, shadow resource creation etc. that enable unintended access) and access by design (misconfigurations of services that provide access control for AWS resources).

The post describes how Lambda functions, EC2 instances, ECR repositories, and DataSync can be inadvertently exposed through resource-based policies and network configurations, and how IAM/STS, IoT, and Cognito services can be misconfigured to allow unintended access, highlighting specific pitfalls like public role assumption, IoT certificate misuse, and Cognito's default self-registration.

Supply Chain

chainguard-dev/malcontent
By Chainguard: A tool to detect supply chain compromises through using context, differential analysis, and over 14,000 YARA rules. It scans programs for their capabilities (gathers system information, evaluates code dynamically using exec(), …) to determine if it’s potentially sketchy, and can do a diff between two versions of an app or library, determining if high risk functionality has been added.

Inside the GitHub Infrastructure Powering North Korea’s Contagious Interview npm Attacks
Socket’s Kirill Boychenko describes details from tracking North Korea's "Contagious Interview" operation, which has recently deployed 197+ malicious npm packages targeting blockchain and Web3 developers through fake job interviews. The malware-serving code lives on GitHub, the latest payload is fetched from Vercel, and a separate command and control (C2) server handles data collection and tasking.

The payload “performs VM and sandbox detection, fingerprints the host, and then establishes a long-lived C2 channel. From there it provides the threat actors with a remote shell, continuous clipboard theft, global keylogging, multi-monitor screenshot capture, and recursive filesystem scanning designed to harvest credentials.”

Key changes: pull_request_target events will always use the default branch for workflow source and reference (preventing execution of outdated, potentially vulnerable workflows), and environment branch protection rules for PRs will evaluate against the executing reference rather than the PR head. These changes close security gaps where untrusted branches could influence evaluation or access environment secrets.

Blue Team

North Korea lures engineers to rent identities in fake IT worker scheme
Researchers Mauro Eldritch and Heiner García exposed North Korean IT recruitment tactics by creating a honeypot to document how Famous Chollima (part of Lazarus group) lures developers into renting their identities for remote jobs at targeted companies, offering 10-35% of salaries in exchange. The researchers used ANY.RUN sandboxes to create a simulated environment that recorded the threat actors' activities in real-time. Nice!

The North Korean agents requested 24/7 remote access via AnyDesk to victims' computers, and used tools including Astrill VPN and AI tools including AIApply, Simplify Copilot, Final Round AI, Saved Prompts to help with job applications and interviews.

AI + Security

OWASP AI Testing Guide
New 250 page v1 guide (PDF) by Matteo Meucci, Marco Morana, and many others on how to threat model AI systems, and a detailed testing methodology for AI applications, models, AI infrastructure, data, and more.

FuzzingLabs/fuzzforge_ai
By FuzzingLabs: An AI-powered workflow automation and AI Agents platform for AppSec, fuzzing & offensive security. Automate vulnerability discovery with intelligent fuzzing, AI-driven analysis, and a marketplace of security tools. It currently integrates a number of fuzzers (Atheris for Python, cargo-fuzz for Rust, OSS-Fuzz campaigns), has specialized agents for AppSec, reversing, and fuzzing, has a secret detection benchmark, and more.

gadievron/raptor
By Gadi Evron, Daniel Cuthbert, Thomas Dullien (Halvar Flake), & Michael Bargury: Raptor turns Claude Code into a general-purpose AI offensive/defensive security agent, using Claude.md and rules, sub-agents, and skills. Raptor can scan your code with Semgrep and CodeQL, fuzz binaries with AFL, analyze vulnerabilities using LLMs, generate proof-of-concept exploits, patch code, report findings in a structured format, and more.

💡What I think is especially cool about this is that RAPTOR really leans into using Claude Code as the orchestrator/work bench and leveraging its existing functionality (custom slash commands, agents, skills) vs trying to roll it all from scratch. Makes a lot of sense to me. And of course having tools and deterministic code for the parts that would benefit from it.

aliasrobotics/cai
By Alias Robotics: A lightweight, open-source framework that empowers security professionals to build and deploy AI-powered offensive and defensive automation. Supports 300+ AI models, built-in security tools for reconnaissance, exploitation, and privilege escalation, agent-based architecture (modular framework design to build specialized agents for different security tasks), evaluated on HackTheBox CTFs, bug bounties, and real-world security case studies, and more. See also their papers:

CAI: An Open, Bug Bounty-Ready Cybersecurity AI
Paper by Victor Mayoral-Vilches et al presenting the first classification of autonomy levels in cybersecurity and introducing Cybersecurity AI (CAI). CAI achieved first place among AI teams and secured a top-20 position worldwide in the "AI vs Human" CTF live Challenge, and reached top-30 in Spain and top-500 worldwide on Hack The Box within a week. The framework enabled non-professionals to discover significant security bugs (CVSS 4.3-7.5) at rates comparable to experts during bug bounty exercises.

Cybersecurity AI: Evaluating Agentic Cybersecurity in Attack/Defense CTFs
Paper by Francesco Balassone, Victor Mayoral-Vilches et al on evaluating whether AI systems are more effective at attacking or defending in cybersecurity. Using CAI's parallel execution framework, they deployed autonomous agents in 23 Attack/Defense CTFs. Defensive agents achieve 54.3% unconstrained patching success versus 28.3% offensive initial access, but this advantage disappears under operational constraints: when defense requires maintaining availability (23.9%) and preventing all intrusions (15.2%), no significant difference exists.

💡 Having AI defensive and offensive agents play against each other on existing (Hack The Box) CTFs is neat. I like experiments like this, though I wonder if the difference in outcome could be attributed to scaffolding, prompting, etc. (e.g. maybe the defensive prompt is just written a lot better), vs AI is inherently better at attack or defense.

AI agents find $4.6M in blockchain smart contract exploits
Anthropic researchers + collaborators evaluated AI agents' ability to exploit smart contracts by creating Smart CONtracts Exploitation benchmark (SCONE-bench)— a new benchmark of 405 contracts that were actually exploited between 2020 and 2025. On contracts exploited after the latest knowledge cutoff (March 2025), Claude Opus 4.5, Claude Sonnet 4.5, and GPT-5 developed exploits collectively worth $4.6 million.

They also evaluated both Sonnet 4.5 and GPT-5 in simulation against 2,849 recently deployed contracts without any known vulnerabilities, both uncovering two novel zero-day vulnerabilities and produced exploits worth $3,694, with GPT-5 doing so at an API cost of $3,476. (I assume they didn’t share the Sonnet 4.5 API cost because it was higher 🤔)

“Over the last year, frontier models' exploit revenue on the 2025 problems doubled roughly every 1.3 months.”

“In just one year, AI agents have gone from exploiting 2% of vulnerabilities in the post-March 2025 portion of our benchmark to 55.88%.”

Misc

Feelz

• Keep Going - Collected motivational memes by Jack Friks 🥹

• HealthyGamerGG - How To Actually Process Your Emotions 🔥 

• Leila Hormozi - Brutally Honest Relationship Advice

• Bryan Johnson - “Guys…I have a girlfriend.” YouTube, X. Actually very sweet.

• Can You Change Someone's Life in One Night? - Mark Manson gets a blank check from Airbnb to host an experience. I thought how he conceived of structuring the experience fascinating - determining the right “container” to give attendees a certain association (intimate dinner → sharing stories), a pattern interrupt to break people’s expectations, progressively vulnerable sharing, something physical + metaphorical (fire walking).

AI

• Dwarkesh Patel - Ilya Sutskever – We're moving from the age of scaling to the age of research

• Benedict Evans - AI Eats the World - SuperAI Singapore 2025 (slides)

• Mom on son’s Gemini 3 work 😂 

• Grok says Elon Musk is better than basically everyone, except Shohei Ohtani - People on X have been circulating posts where Grok says Elon is better than the Peyton Manning at football, Tyra Banks at the runway, etc.

• Text Gibberifier - Block AIs from reading your text with invisible Unicode characters while preserving meaning for humans.

Privacy

• jermanuts/bad-opsec - Collection of links on bad operational security (OpSec) by various hackers, leakers, etc.

  • Useful resource if you too want to be “clean on OpSec” like U.S. Secretary of War Pete Hegseth.

• The WIRED Guide to Digital Opsec for Teens

Misc

• GreyNoise IP Check - Free simple site to determine if your home network has been compromised (e.g. home router, IoT, and other “edge” devices have become part of a residential proxy network). Blog post with more context.

• withoutbg/withoutbg - Open source image background removal model.

• How much SNL cast members make

• @tikalteacall - “I like to test doors to see if they’ll open. My policy is that an unlocked door is a policy to enter. Thread of places I’ve been by walking into unlocked rooms:”

• Someone At YouTube Needs Glasses: The Prophecy Has Been Fulfilled - When you make a joke creating a trend line of non-ad videos on the YouTube home page, predicting it’ll eventually be 1… and then you’re right.

Politics

• Part 1: My Life Is a Lie - Michael Green unravels why the American middle class feels poorer each year despite healthy GDP growth and low unemployment: “The U.S. poverty line is calculated as three times the cost of a minimum food diet in 1963, adjusted for inflation.” But $ spent on housing, healthcare, childcare is way higher now.

  • Also interesting numbers around disincentives to work between being certain wage ranges, as the benefits you lose are greater than the wages you earn.

• Why Am I Paying $40,000 for the Birth of My Child? - Aaron Stannard describes in detail the unreasonable healthcare costs when you’re a small business owner in America

• 30 Days, 9 Cities, 1 Question: Where Did American Prosperity Go? - Kyla Scanlon visited a number of U.S. and EU places, and reflects on people trying to make things better.

  • “What became clear almost immediately is that the prosperity is real, it’s just not showing up in the places people actually live. It exists in balance sheets, in stock portfolios, in data centers behind chain-link fences. But in daily life like in commutes, in childcare costs, in housing, in safety, in community, people are feeling decay. I kept running into the same contradiction: a wealthy country where everything visible seems to be slowly breaking while everything invisible keeps getting richer.”

  • “There’s a new study showing that housing costs account for about half the US fertility decline between 2000 and 2020. It’s childcare too - a new paper from Abigail Dow reports that a 10% increase in the price of childcare leads to a 5.7% decrease in the birth rate. The affordability crisis compounds - without affordable homes, young families don’t form. Without young families, the tax base ages. Without young taxpayers, resources shrink. The system eats itself.”

• Australia’s spy boss says authoritarian nations ready to commit ‘high-impact sabotage’ - Chinese government hackers are probing and pre-positioning in Australia’s critical infrastructure. “Imagine the implications if a nation state took down all the networks? Or turned off the power during a heatwave? Or polluted our drinking water? Or crippled our financial system?” Burgess said those scenarios “are not hypotheticals,” adding “foreign governments have elite teams investigating these possibilities right now.”

• Chinese authorities shut down the inaugural IndieChina Film Festival in New York City by harassing dozens of Chinese film directors, producers, and their families, forcing over two-thirds of participating films to cancel before the festival was suspended. “Even directors abroad, including those who are not Chinese nationals, reported that their relatives and friends in China were receiving threatening calls from police, said Chiang.”

• China-linked Actors Maintain Focus on Organizations Influencing U.S. Policy - Details on a Chinese APT that compromised a U.S. non-profit organization that is active in attempting to influence U.S. government policy on international issues.

• Data breach at Chinese infosec firm reveals weapons arsenal - Chinese security company Knownsec had a data breach exposing over 12,000 classified documents, including state-owned cyber weapons, internal tools, global target lists, and evidence of Remote Access Trojans (Linux, Windows, macOS, iOS, and Android) and extracting data from messaging apps. The leaked data also contained a list of 80 successfully attacked overseas targets and stolen information including 95GB of Indian immigration data, 3TB of call records from South Korean telecom LG U Plus, and 459GB of Taiwanese road planning data.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋 

🤖❤️‍🔥 Building Your Personal AI Infrastructure

I’m stoked to announce I’ll be doing a webinar with my friend Daniel Miessler on his epic AI setup.

(If you’re not familiar with Daniel, he writes the excellent Unsupervised Learning newsletter and created the Fabric project.)

Daniel has spent maybe more time than anyone I know on his personal AI infrastructure.

So I’m stoked to have him walk through his setup, do some live demos, and answer your questions.

We’ll cover:

• Building out Claude Code as your command center.

• A maturity model for integrating AI into your work.

• Recent developments and how best to use them: Skills, sub-agents, etc.

• “Productionizing” your AI infra and tactical tips: ensuring the right agents and skills are called, structuring context for easy agent retrieval, automatically managing agent history, coordinating between agents, tool calling, etc.

• And more!

Hope to see you there 👋 

👉️ Join us Dec 3rd at 10am PT 👈️ 

🦃 P.S. No tl;dr sec next week due to Thanksgiving! Hope you get some time to relax with people you care about.

Sponsor

📣 Start your Red Team Journey with
Altered Security

Altered Security offers multiple Red Team courses for on-prem and cloud with affordable and enterprise-like hands-on labs. 

Highlights of Altered Security courses:

• Industry recognized certifications like Certified Red Team Professional (CRTP), CRTE, CARTP and more. 

• Easy to access and huge enterprise-like labs.

• Designed by Black Hat USA and DEF CON veterans. 

• Trained more than 40K professionals from 130+ countries and 500+ organizations. 

Get 20% OFF on all courses in our Black Friday deals until December 17, 2025. No coupon code required.

👉 Enroll Now 👈

AppSec

Secrets Story: The Prefixed Secrets That Tried%20to%2BGet\nAway
Semgrep’s Lewis Ardern describes how secret scanning tools miss valid leaked secrets due to over-reliance on false positive reduction techniques like non-word boundaries and keywords. He found hundreds of valid GitHub, OpenAI, Anthropic, and other tokens publicly leaked on GitHub that went undetected by popular scanning tools.

💡 Secret detection is actually surprisingly complex and nuanced, which this post does a good job at demonstrating with concrete examples. If you want to get into the nitty gritty, check it out.

Android is expanding Rust adoption to the Linux kernel, firmware, and first-party applications like Nearby Presence and MLS, and parsers for PNG, JSON, and web fonts in Chromium.

Sponsor

📣 Meet Cortex Cloud 2.0: The Autonomous AI Workforce for Cloud Security

The complexity of securing modern cloud environments — from development to deployment — has reached a breaking point. Siloed tools and alert fatigue turn visibility into chaos.

Discover how Cortex Cloud™ 2.0 sets the new standard for autonomous cloud security, connecting code, cloud, runtime and automation.

You’ll learn how to:

• Solve any cloud security challenge with automation driven by agentic AI trained on over 1.2 billion real-world responses.

• Reduce risk across your multicloud environment with intuitive, actionable command centers that elegantly visualize risk. 

• Stop advanced attacks with a performance-optimized version of our best-in-class CDR agent with 50% less resource consumption.

Watch this webinar now to see the new standard for cloud security for yourself.

👉 WATCH NOW 👈

Automatically investigating alerts, gathering context, and auto-fixing things where possible is going to be huge when done well. And 1.2B real-world responses is a pretty big dataset to train on 🤯 

Cloud Security

AWS re:Invent 2025: Your guide to security sessions across four transformative themes
There will be >80 security-focused sessions across four main themes: Securing and Leveraging AI, Architecting Security and Identity at Scale, Building a Culture of Security, and Innovations in AWS Security.

The AI security sessions cover protecting AI workloads, securing agentic AI systems, and using AI for security operations, with workshops on red teaming generative AI applications and implementing authentication for AI agents.

Blue Team

R3DRUN3/magnet
By Simone Ragonesi: A purple-team telemetry & simulation toolkit designed to generate both telemetry and malicious activity for testing detection capabilities and SOC analyst responses. Magnet includes simulation modules mapped to MITRE ATT&CK, like ransomware (which generates and encrypts thousands of files, attempts to delete shadow copies, and places ransom notes), discovery simulation, and high CPU miner simulation, while writing detailed activity logs in various formats to help security teams validate their detection rules and behavioral analytics.

Automation for Threat Detection Quality Assurance
Blake Hensley outlines various types of automated tests to verify threat detection rules before deployment, including: foundational checks (schema validation, query syntax validation, source health monitoring, pipeline integrity checks), a simple backtest (running a query backwards in time over historical data to determine if there are too many results), execution efficiency (performance metrics like query time), dynamic backtests, comparing the original query results to the new query, using an LLM-as-judge, unit tests (known pass/fail cases), and validating the detection logic works from purple team activity in a lab environment.

See also Blake’s example GitHub implementation (kql-tester) that applies the first four tests to KQL in Azure Sentinel analytic rules.

Threat Hunting vs. Threat Intelligence
Recorded Future’s Maddy Maletz explains how threat intelligence (understanding external threats, their motives, and TTPs) and threat hunting (proactively searching for threats already inside systems) work together to create a more effective security strategy. Threat intelligence guides hunting hypotheses and provides context for suspicious findings, while threat hunting validates intelligence and discovers what automated defenses miss.

💡 I thought this was a nice high level overview, and I like the comparison table.

Red Team

winsecurity/MaleficentVM
A practice VM for malware development. It contains practice challenges for malware development just like CTF challenges, including: enumerate the OS version or service configuration, inject shellcode into a target process, use IAT hooking to hook a specific function, etc.

EvilBytecode/GoDefender
A powerful Go-based security toolkit designed to detect and defend against debugging, virtualization, and DLL injection attacks. GoDefender provides multiple protection mechanisms to make reverse engineering and analysis significantly more difficult, including virtualization detection (VMware, VirtualBox, KVM, QEMU, Parallels), anti-debugging techniques (API monitoring, critical function patching, process validation), and DLL injection prevention by leveraging Binary Image Signature Mitigation Policy to block non-Microsoft binaries.

Evading Elastic EDR's call stack signatures with call gadgets
Almond OffSec’s SAERXCIT demonstrates a technique to evade Elastic EDR's call stack-based detection by inserting arbitrary modules into the call stack during module loading, allowing shellcode to load a network module without getting detected (PoC).

AI + Security

Quicklinks

• rowboatlabs/rowboat - AI-powered CLI for background agents.

• toon - Token-Oriented Object Notation - Compact, human-readable, schema-aware JSON for LLM prompts.

• You Should Write An Agent - Thomas Ptacek argues that writing simple LLM agents is easy, and you should write one to really get it. You can build a simple one in 30min.

• How to discover shadow AI [Free Guide] - The first step in mitigating AI risks is to uncover where AI is being used across your SaaS ecosystem. Get a fast start with this guide.*

  • Also, congrats to Nudge for raising a $22.5M Series A 🥳 3x ARR growth for two consecutive years, 60 feature releases in the last 12 months.

• Paper - Solving a Million-Step LLM Task with Zero Errors

^*Sponsored

Private AI Compute: our next step in building private and helpful AI
Google’s Jay Yagnik announces Private AI Compute, a new cloud-based AI system designed to deliver AI capabilities while maintaining user data privacy. Private AI Compute runs on one Google stack powered by their custom Tensor Processing Units (TPUs) and Titanium Intelligence Enclaves (TIE). Remote attestation and encryption are used to connect your device to the hardware-secured sealed cloud environment, allowing Gemini models to securely process your data within a specialized, protected space that not even Google can access.

💡 Apple previously announced their Private Cloud Compute, so it makes sense that Google would get into the same game. I wonder if OpenAI or Anthropic will too 🤔 

Public Report: Google Private AI Compute Review
NCC Group shares their public report on Google’s Private AI Compute cloud system. The assessment included architecture review, cryptographic assessment of the attestation/encryption implementations, security analysis of IP-blinding relay, source code review, and more. Ten consultants, 100 person-days.

💡 Beyond just the findings, the system architecture overview, system components, and general discussion of how things work is neat. Also shout-out to my former NCC colleagues 🙌 

Disrupting the first reported AI-orchestrated cyber espionage campaign
Anthropic describes a campaign by a Chinese state-sponsored group used Claude Code as an autonomous agent to target 30 global organizations, successfully infiltrating a small number. The attackers jailbroke Claude by breaking tasks into seemingly innocent components, convincing it it was performing legitimate security testing, then had it autonomously perform reconnaissance, vulnerability discovery, exploit development, lateral movement, credential harvesting, and data exfiltration with minimal human intervention. Full Report.

“The threat actor was able to use AI to perform 80-90% of the campaign, with human intervention required only sporadically (perhaps 4-6 critical decision points per hacking campaign).”

Researchers question Anthropic claim that AI-assisted attack was 90% autonomous
Article by Ars Technica’s Dan Goodin tying together a few security researchers questioning the Anthropic report’s claims, arguing that Claude regularly declines legit security researchers when asking it to perform cybersecurity tasks, so why would these threat actors get much better performance? And the report said that Claude “frequently overstated findings and occasionally fabricated data during autonomous operations, claiming to have obtained credentials that didn’t work or identifying critical discoveries that proved to be publicly available information.”

Capabilities of Lower Sophistication Actors Will Increase
LinkedIn post by Chris Thompson, founder of Offensive AI Con: “A lot of people are missing the point; offensive cyber capabilities in current models are a side-effect of being trained on coding datasets. As frontier model labs and private groups start to shift to tuning current models and training purpose-built cyber models on refined offensive datasets, the effectiveness of open and closed models will increase significantly, enabling stealth & evasion focused offensive cyber operations and advanced ransomware attacks.”

The dawn of AI-orchestrated cyberattacks: A call to action for cyber defense
PwC’s Morgan Adamski (former NSA Director and U.S. Cyber Command Executive Director) and David Ames and former NSA Director Rob Joyce weigh in on the Anthropic report. “Cost asymmetry: The operation showed that attackers can add more compute/data/test time to model exploits and get immediate, scaled impact, while defenders are working linearly (focusing on adding headcount, dealing with fragmented tools, etc.).”

From Rob Joyce on LinkedIn: “I’ve been following offensive AI developments with great interest over the last year. I don’t think defenders yet appreciate how rigorously capable Agentic AI will test their attack surface. Some remain dismissive of today’s AI-driven hacking capabilities, but they’re not accounting for the exponential rate of improvement.”

How to replicate the Claude Code attack with Promptfoo
Ian Webster walks through using Promptfoo to jailbreak Claude Code to perform tasks including creating and installing a keylogger and reverse shell, enumerating and exfiltrating SSH private keys and API keys, etc.

After running 332 adversarial scenarios, they found that many agents lose track of their safety training 15 turns into a conversation about "Blue Team playbooks."

💡 I found the discussion of attack strategies interesting, like the “meta” prompting strategy that is effectively an agent reasoning loop on the attacker's side that attempts a jailbreak, looks at why the jailbreak didn't work, and then intelligently modifies it to try again, and “hydra”, which uses multi-turn conversations to gradually escalate and can backtrack and reset the agent's state each time it hits a refusal.

Misc

AI

• Gemini 3 - Wake up bae, new model dropped! They launched their own VS Code-fork (Google Antigravity) that has built-in browser use, nano banana to generate mocks, screen recordings to prove features were implemented, give visual comments on a specific element like a designer would, and more. Looks pretty rad.

• FT - Oracle is already underwater on its ‘astonishing’ $300bn OpenAI deal

• Google’s Sundar Pichai says trillion-dollar AI investment boom has 'elements of irrationality' 

• Cheeky Pint - Satya Nadella describes how lessons from Microsoft’s history apply to today’s boom

Misc

• Adam Wathan - What have you bought that’s made something in your life a million times easier that most people don’t seem to know about?

• Dickie Bush - The Goal-Achieving Hack I Wish I Knew Earlier - It’s all about solving the core constraint, and then doing more/better.

• Coca Cola has an executive who is solely in charge of their relationship with McDonalds

• Untranslatable - Various idioms in different languages and cultures and what they mean. Fascinating!

• Warren Buffet’s final shareholder letter - “Decide what you would like your obituary to say and live the life to deserve it… Greatness does not come about through accumulating great amounts of money, great amounts of publicity or great power in government. When you help someone in any of thousands of ways, you help the world. Kindness is costless but also priceless.”

• Daniel Priestley - Oversubscribed - Summarized by the Author

• Kid magician doing three-card Monte on Penn & Teller

Music

• That time a choir kid used a helium balloon to hit an insanely high note 😂 

• Charlie Puth Mixes Jimmy’s Raw Vocals to Create a Song on the Spot

• How EJAE and Mark Sonnenblick Created "Golden" From KPop Demon Hunters

• Why Phil Collins' GENIUS Songs In Tarzan Are Even Crazier Than You Thought - Very fun breakdown of “Strangers Like Me.” I remember loving the Tarzan soundtrack when it first came out, and my dad was a big fan of Phil Collins, so we’d listen to it together sometimes. I wish he was around to hear this melodic breakdown, I think he’d really like it.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋