Lights up in the office 💜

This work is published as part of GhostWorks, an AI-focused engineering and research initiative at SpecterOps, focused on the disciplined exploration of frontier AI-enabled cybersecurity tooling. Read more: ghst.ly/4otZ1rJ

Most prompt engineering still boils down to vibes. @xpnsec.com explores GEPA, a framework for optimizing prompts using eval results, execution traces, & iterative refinement. Read this practical look at bringing measurable engineering practices to AI agents. https://ghst.ly/4vGffAp

New blog post is up looking at what GEPA is, and how it can be used for refining prompts for security agents. This post was published as part of the @specterops.io GhostWorks initiative. Can't wait to show what we've been working on! specterops.io/blog/2026/06...

My talk has been accepted to Blackhat USA, hyped for this one!!!! 🎉🎉 See y'all there o/ blackhat.com/us-26/briefi...

In his latest research, @xpnsec.com tears apart VS Code Dev Tunnels and finds a C2 framework underneath — REST → WebSocket → SSH → MsgPack RPC, remote exec, file ops. Find the Ouroboros tool and protocol breakdown here: https://ghst.ly/4mZ4arb

If you came to SOCON, you may have seen the fireside chat on Ouroboros (if you weren't too busy counting my "urm"s 😝). The blog post is now live, detailing how we can use Dev-Tunnels for lateral movement, and allow pivoting from GitHub/Entra ID access. specterops.io/blog/2026/05...

Next week at WWHF Mile High I'll present a major update to roadrecon, with some awesome features I wanted to add for a while! Friday 9am in track 1 for those attending 😀

What do you MEAN the president audibly SHIT himself live on camera and they immediately cancelled the press conference and rushed everyone out of the room like it's a fire drill, and it happened two days ago, and I'm just hearing about it NOW?

Beach walk with the doggos 🐶

Finally watching Welcome to Derry, took until the final few episodes to see Pennywise but the show stands well on its own 🎈

AI tooling and MCP servers are entering enterprises fast, often faster than security teams can assess the risks. During a recent engagement, @xpnsec.com found a new Claude Code vuln (CVE-2025-64755) while exploring MCP abuse paths. 👀 Read the details: ghst.ly/49ybl4W

Still here.. still lurking

My second post for the month is now live 🎉

Talking Heads released a music video for Psycho Killer and it's fucking awesome :D www.youtube.com/watch?v=CJ54...

🚨 New blog post alert! @xpnsec.com drops knowledge on LLM security w/ his latest post showing how attackers can by pass LLM WAFs by confusing the tokenization process to smuggle tokens to back-end LLMs. Read more: ghst.ly/4koUJiz

New blog post is up! Stepping out of my comfort zone (be kind), looking at Meta's Prompt Guard 2 model, how to misclassify prompts using the Unigram tokenizer and hopefully demonstrate why we should invest time looking beyond the API at how LLMs function. specterops.io/blog/2025/06...

The level of snark in my upcoming blogpost is next level... And I'm not even sorry!

Didn’t know this impressive fact. @xpnsec.com did you?

You've been prepping for #OSCP exam day, and it finally arrives. 🙇 In Part 4 of his blog series, @anam0x.bsky.social focuses on the test & how to maximize the educational, financial, & professional value of the exam experience. Read more: ghst.ly/4lHDw4M 🧵: 1/4

Worked on a simple POC last night for connecting Mythic up to LiteLLM (pointing to Claude) for riding shotgun on a C2 session. Only using shell cmd, but provides oversight and hints to potential paths to explore. Quite happy for a weekend project :D youtu.be/C9J5okm6cA4

New AI Slop Avatar, who dis?

WinRMS relay (@Defte_), plaintext Zip attacks (@pfiatde), SQL Server Crypto deep dive (@_xpn_), FindUnusualSessions (@podalirius_), and more! blog.badsectorlabs.com/last-week-in...

Slides from my SOCON 2025 presentation are now up on GitHub github.com/xpn/Presenta...

Awesome post from @atomicchonk.bsky.social on NLP Tokenizing. We need more content like this to show the "how" behind the LLM :) www.corgi-corp.com/post/tokeniz...

Think NTLM relay is a solved problem? Think again. Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31

New blog post 🤗

Celebrating 1 year at SpecterOps, this was the first project I worked on after starting. Looking at SQL Server Transparent Data Encryption, how to bruteforce weak keys, and how ManageEngine's ADSelfService product uses TDE with a suspect key. Enjoy :) specterops.io/blog/2025/04...

Love this article. It’s something that I’ve tried to follow throughout my career, having a line of sight to business profit centres. Even more important in the days of tech layoffs www.seangoedecke.com/where-the-mo...

1 year anniversary at SpecterOps, so many personal and professional achievements in a short space of time. My advice for anyone getting into this field, try and make sure that you work companies and colleagues that push you beyond your comfort level. \o/

I did a talk!! #socon2025

Excited to be at @specterops.bsky.social SO-CON this week!! If you're around, I'll be presenting "Abusing AUs, Confusing the SOC" tomorrow bright & early:

Talking tomorrow so can just enjoy today before the nerves kick in 🤣 #socon2025

#SOCON2025 Time \o/

We are excited to see everyone at #SOCON2025 tomorrow! 🙌 Get the details on everything you need to know before arriving at the conference: specterops.io/so-con

Paged Out! #6 is out! pagedout.institute Totally free, 80 pages, best issue so far! 'nuff said, enjoy! (please repost to help spread out the news!)

Too true! xD

Spent the evening deep diving into MCPs and started a new project: roadrecon_mcp_server! This #MCP takes the web GUI output from the awesome ROADtools by @dirkjanm.io and offers tools to Claude (or your #AI agent of choice) to interact with the data: github.com/atomicchonk/...

Slides ported to SO-CON deck, time to work my presenting skillz \o/

Prepping slides for SO CON 2025... meme time ;)

First time for me :D Not just a hacker.. but a mother fuckin' muffin maker!! (only when on PTO, when bored and cba h4xx0ring).

On PTO and bored, so playing around with MCP by exposing Mythic APIs to Claude and seeing what the result. Attempting to have it emulate threat actors while operating Apollo in a lab... would make a good sparring partner :D www.youtube.com/watch?v=ZooT...

Brilliant talk from @scott.hanselman.com on the realities on LLMs. The temperature demo is such a good way to explain the "magic" behind text generation. www.youtube.com/watch?v=kYUi...

#SCCM forest discovery accounts can be decrypted—even those for untrusted forests. If the site server is a managed client, all creds can be decrypted via Administration Service API. Check out our latest blog post from @unsignedsh0rt.bsky.social to learn more. ghst.ly/4buoISp

A nice reminder that everyone underrates their skills and talent www.youtube.com/watch?v=dZCr...

Just arrived 🍏

When the senior takes over the assessment youtube.com/clip/UgkxQcl...

Time to start selling “mishing” engagements 🤑💰💸