Report denied? That’s just fuel for the next hunt. #motivation #bugbounty

Monitor header actions. Smuggling, cache tampering, and CORS misconfigurations can be detected through slight header variations (Content-Length, Transfer-Encoding, Vary). Record raw requests, not only responses. #CyberSecurity #BugBounty

Consistency builds hunters. the bounties are just the proof. #infosec #motivation

Which takes longer: a Burp active scan or a bounty payout? #BugBounty

#Microsoft is facing fierce backlash from the #Infosec community after threatening legal & law enforcement action against a researcher who dropped unpatched #Windows zero-days following a dispute over bug disclosures. #CyberSecurity #TechNews

running an llm agent? two boundaries do the work, you need both. filesystem isolation keeps its hands off ssh keys and aws creds. network isolation stops it phoning home to c2 or smuggling tokens out a markdown image tag. #sandboxing #AIsecurity #cloudsecurity

a sandbox is a throwaway jail cell for code. you book the prisoner, let it run its sentence in milliseconds, then demolish the cell. fine, until the prisoner writes its own escape plan at runtime and nobody reads it first. that’s an llm agent. #AIagents #infosec #appsec

crazy. Microsoft absolutely deserves pushback back.

frontier AI models can now escape a container on their own for about a dollar in #API usage. the model does the recon, picks the #CVE, and hands back the shell. that's not a pentest engagement. that's pocket change.

The Great Emu War Dial (1980s) – Early Australian hackers used home-built “wardialers” to scan every phone number in a city for modems, mapping out entire corporate networks overnight. #hackers

> Early testers report that Opus 4.8 is more likely to flag uncertainties about its work and less likely to make unsupported claims. anthropic, do you think that opus 4.7 was *not* desperately insecure and uncertain about its work? because I have a couple months of stuff that says otherwise

Claude Opus 4.8 is here and yes, it seems to be the ever long awaited bugfix version for 4.7

Introducing Claude Opus 4.8: it builds on Opus 4.7 with sharper judgment, more honesty about its own progress, and the ability to work independently for longer than its predecessors. Available today at the same price.

I had early access to Opus 4.8. Was impressed by it. Here is Opus 4.8's one shot of "create a visually interesting shader that can run in twigl, make it like an infinite city of neo-gothic towers partially drowned in a stormy ocean with large waves" (this is all done with math, no premade assets)

Just witnessed a team deploy a "quick solution" that inadvertently created a new vulnerability. #CyberSecurity #BugBounty

The grind is the training. the payout is the bonus. #bugbounty #hacking

does “act as a security expert” make the ai write safer code? persona prompting doesn’t move security consistently. naming the exact controls, the exact cwes to ban, the exact functions to kill is what works. a costume gives the model a vibe. constraints give it guardrails. #AISecurity #OpenSSF

ran the same to-do app build twice. first pass, no security prompt: full login flow that never created a session, every endpoint open, stored xss through a filename in an onclick handler. second pass with the security prompt loaded, those entire bug classes were just gone. #AICoding #XSS #info

drop a rules file in the repo and the ai inherits the same guardrails every session. claude code reads CLAUDE.md, copilot reads .github/copilot-instructions.md. name the cwes to ban and the functions to kill inside it. five minutes of setup #Cursor #ClaudeCode #Copilot

“Cybersecurity experts have been really clear for years that there’s just simply no safe way to verify a user’s age.”

“Heightened Cybersecurity Risks Associated with Frontier AI Models” www.dfs.ny.gov/industry-gui...

google shipped a background agent that reads Gmail and Drive 24/7 and acts on its own. an attacker emails it a poisoned message, it forwards the data on the next sweep, nobody clicks a thing. www.toxsec.com/p/ai-agent-s... #AISecurity #PromptInjection #cybersecurity #infosec

BNP Paribas works with Mistral on a European answer to Anthropic’s Mythos Locked out of the most powerful #AI cybersecurity model in production, the eurozone’s biggest bank is helping build its own. thenextweb.com/news/bnp-par... #FinTech #FinServ #Banking #CyberSecurity

CERT-In's 12-hour patch push shows how AI is killing the old vulnerability window. Exposed critical systems can no longer sit in weekly patch queues. https://www.hexon.bot/blog/cert-in-12-hour-patch-deadline-ai-assisted-attacks #CyberSecurity #AI #AppSec

google shipped a background agent that reads Gmail and Drive 24/7 and acts on its own. an attacker emails it a poisoned message, it forwards the data on the next sweep, nobody clicks a thing. www.toxsec.com/p/ai-agent-s... #AISecurity #PromptInjection #cybersecurity #infosec

first time you watch an AI browser do your research for you, it's a trip. hands off the keyboard, tabs opening on their own, words typing themselves. i'm a fan. i also do threat math for a living. and this thing takes screenshots of exactly what you see. sit with that one. #aisecurity #agents

Are you into the thrill of uncovering fresh CVEs or the challenge of rooting out older misconfigurations for rewards? #BugBounty #CyberSecurity

sometimes i wonder if the developers left those exposed s3 buckets just to keep us entertained. #bugbounty

four gates used to stand between a new tool and the data. procurement, classification, logging, oversight. paste a contract into a public chatbot and all four read zero. the tool shipped before the policy even knew it existed. #ShadowAI #DataGovernance #CISO

hitl is security theater if the agent controls the render. you’re not reviewing the action. you’re reviewing attacker-crafted text that describes the action. clicking approve proves a human was present, not that a human understood what they approved. #AIAgent #ZeroTrust #OffensiveSecurity

if you run ai agents, audit what context they pull before generating approval dialogs. any external source, github issues, web fetches, user docs, is an injection surface. the dialog is only as trustworthy as its inputs. #BlueTeam #AISecOps #OWASP

CISA is now crowdsourcing threat intelligence! 🌐 The agency has launched a new public submission process for its Known Exploited Vulnerabilities (KEV) catalog, allowing anyone to report actively exploited vulns. 🛡️ #CISA #KEV #Cybersecurity #InfoSec 🌐 cyber[.]netsecops[.]io

⚠️ ACTIVE EXPLOITATION ALERT: Flaws in Microsoft Defender (CVE-2026-41091, CVE-2026-45498) are being used by attackers to gain SYSTEM privileges and disable AV. Patch the Malware Protection Engine immediately! #CyberSecurity #Vulnerability #PatchNow 🌐 cyber[.]netsecops[.]io

storing secrets in a .env file while vibe coding? good. now confirm .env is in your .gitignore. the ai will happily create the file, stuff it with your live api keys, and never add it to gitignore. that one line is worth more than a hundred docs. #gitleaks #secretsmanagement #infosec

Hackers are increasingly using #AI to detect software flaws & accelerate attacks, shrinking defense windows from months to mere hours, according to Verizon's annual #DataBreach report. #CyberSecurity #TechNews www.teiss.co.uk/news/news-sc...

Big payouts don’t come from luck. they come from showing up when others didn’t. #infosec

poisoned #vscode extension cracked github's internal repos. a #github employee installed a malicious extension version, the endpoint got %owned, and the attackers pivoted into github's internal source. roughly 3,800 repos walked out the door before #secrets were rotated.

Over half of enterprises use gen AI, but few have reached maturity in cybersecurity and risk assessment

For my newsletter & blog this.weekinsecurity.com, I wrote about why many in cybersecurity are talking about AI — but crucially, why I think it's also all the more important to *not forget* about the cybersecurity basics and best practices, which are still the leading causes of damaging breaches.

we might be witnessing a change thanks to ai. discovering vulnerabilities is going from a niche specialty to prolific.

Voting Machine Pwnage (DEF CON 25, 2017) – Hackers broke into dozens of U.S. election machines in the new Voting Village, exposing insecure admin passwords and unpatched firmware within hours. #Defcon #Hackers

The best thing you can do right now is reduce your attack surface. This and my other thoughts on the #AI era of cybersecurity in this Infosecurity Magazine piece by @dannypalmer.bsky.social www.infosecurity-magazine.com/news-feature...

this is going to be a game changer. imagine the crisis if TLS couldn’t implement a quantum resistant cipher suite?

good read imo.

250 poisoned docs is enough to backdoor an llm. doesn't matter how big the training set is. AISI and the alan turing institute proved it. your AppSec pipeline scans for what, exactly? #AISecurity #SupplyChain www.toxsec.com/p/cia-triad-...

What to expect from Google this week This story originally appeared in The Algorithm, our weekly newsletter on AI. To get stories like this in your inbox first, sign up here. When Google opens its... #Artificial #intelligence #App #Artificial #intelligence#App#artificial#intelligence#The #Algorithm Origin | Interest | Match

Mentorship Monday! Cool stuff. Mentorship is super important in this community.

If your "AI driven security audit" is "Built by a 20-year cybersec engineer" then really you ought to know what a security.md file is for, and not just create random issues in repos.

250 poisoned docs is enough to backdoor an llm. doesn't matter how big the training set is. AISI and the alan turing institute proved it. your AppSec pipeline scans for what, exactly? #AISecurity #SupplyChain www.toxsec.com/p/cia-triad-...

adversary simulation sounds cooler than “pretend bad guy,” but that’s the job. #redteam