#offensivesecurity — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #offensivesecurity, aggregated by home.social.
-
AI didn't make code more secure. It made the obvious mistakes rarer and the subtle ones more common.
241 devs surveyed. The pattern: fewer typos, more copied patterns with weak auth, unsafe input handling, and insecure defaults.
The validation layer that runs against the deployed app just got a more important job.
Full report: https://pentest-tools.com/insights
-
OK, I have now implemented all the theme changes. In a couple of days I will implement the code changes and start loading the data and testing it. I will need 2 or 3 beta testers to help me troubleshoot problems and give me advice before launching the live beta. https://learn2hack.today/ #offensivesecurity #redteam #ctf #hackinghistory #learn2hack #mentoring #mentor If you are interested in being a mentor and want to take part in the beta test, fill in the form at the site link and contact me privately.
-
OK, I deployed all the theme changes; in a couple of days I will deploy the code changes and will start to populate data and test that. I will need 2-3 beta testers to help me troubleshoot issues and give advice before going live-beta. https://learn2hack.today/ #hackers #hackerculture #offensivesecurity #redteam #ctf #hackinghistory #learn2hack #mentoring #mentor If interested in a mentor and willing to beta test, please fill out the form at the site link and contact me in private. #HappyHacking
-
🚨 Worried about your #NGINX web servers? 👉 We built a *free* scanner for CVE-2026-42945 (NGINX Rift). 👇
Check your targets now (no account required): https://pentest-tools.com/network-vulnerability-scanning/cve-2026-42945-scanner-nginx-rift
Once the scan completes (and if your target is vulnerable), you'll get a finding that includes:
✅ the detected NGINX version
✅ the vulnerable range it falls into
✅ the CVSS score & severity rating
✅ remediation guidance
Download it as a PDF and share it with whoever handles remediation.
Oh, and one thing to check before you call it patched: upgrading your primary NGINX install *doesn’t* cover copies embedded in container images or Kubernetes ingress controllers.
Those need separate inventory and patching.
PS: We also have a dedicated Kubernetes vulnerability scanner. You can find it on our website.
-
Most organizations are still preparing for intrusions that look malicious.
I think that’s the mistake.
Modern infrastructures are becoming too interconnected, too identity-driven, and too automation-heavy for future attacks to remain obvious.
The more I study cloud trust relationships, SaaS ecosystems, APIs, and machine identities…
The more I think the next generation of offensive operations will revolve around something far quieter:
Blending into operational normalcy itself.
Not malware.
Not noisy exploit chains.
Not obvious persistence.
Just:
valid sessions
trusted automation
approved integrations
legitimate infrastructure
machine-to-machine trust
At that point, the problem is no longer:
“Can attackers get in?”
It becomes:
“Can defenders still distinguish trust from compromise?”
That’s the idea behind something I’ve been researching lately:
The Synthetic Insider.
An intrusion model where attackers stop behaving like external threats…
and start behaving like operationally legitimate internal presence.
Honestly, I think this shift is going to redefine modern offensive security over the next decade.
Wrote a deeper breakdown on it here:
🔗 https://dev.to/daniel_isaac_e/the-synthetic-insider-1kgf
Curious how others see identity + automation changing the future attack surface.
#CyberSecurity #RedTeam #OffensiveSecurity #IdentitySecurity #CloudSecurity #ThreatIntel
-
El lado del mal - ExploitGym: Mythos, GPT 5.5, Gemini Pro in a CTF & exploit-writing benchmark https://www.elladodelmal.com/2026/05/exploitgym-mythos-gpt-55-gemini-pro-en.html #VibeExploiting #LLM #Mythos #GPT #Exploiting #hackiing #OffensiveSecurity
-
World Password Day. The finding that should sting: roughly 60% of credential issues from real pentests this year came from factory defaults still running. FTP, RDP, Redis, Telnet. No brute-forcing needed.
Dragos Sandu, Product Manager at Pentest-Tools.com, shared the data with IT Security Guru. Full piece: https://www.itsecurityguru.org/2026/05/07/world-password-day-2026-the-credential-crisis-hasnt-gone-away-its-just-got-more-dangerous/
-
📰 Accenture Invests in AI-Powered Offensive Security Platform XBOW
Accenture invests in AI-powered offensive security firm XBOW. 🤖 The partnership aims to bring autonomous, continuous penetration testing to clients, fighting AI-driven threats with AI-driven defense. #CyberSecurity #AI #OffensiveSecurity #Accenture
-
Many people think the move from penetration testing to red teaming is a logical, gradual progression. In practice it quickly becomes clear: it is a real change of perspective.
The biggest differences are not in the tools but in the mindset:
🔹 OPSEC first – Every action is questioned: What traces am I leaving? How will the defender react?
🔹 Realism over speed – The point is not to reach the objective as fast as possible, but to emulate a real attacker.
🔹 Continuous learning – Standard tools are increasingly detected. Those who do not keep developing become visible.
🔹 Mistakes as learning moments – The moment you get detected changes your way of thinking for good.
In our new blog article, Marcel Heisel describes how we prepare new employees for exactly this shift, and what really makes the difference.
👉 https://research.hisolutions.com/2026/05/vom-pentester-zum-red-teamer-wie-wir-neue-mitarbeitende-fit-machen/
#RedTeaming #Pentesting #CyberSecurity #OffensiveSecurity #OPSEC #InfoSec #ActiveDirectory
-
Most tools added AI and called it a feature. We kept asking whether it actually makes results more reliable.
Session two of Office Hours is recorded. Jan covers the ML classifier, the authentication layer, and the MCP integration that won't act without your explicit go-ahead.
45 minutes. Q&A included.
Recording: https://www.youtube.com/watch?v=abGruzf2pPk
#penetrationtesting #offensivesecurity #vulnerabilitymanagement
-
CVE-2026-40321: stored XSS in DNN (DotNetNuke) prior to v10.2.2 chains to full RCE.
Any authenticated user can upload a crafted SVG with embedded JavaScript. If a power user opens it, the payload calls DNN's own config endpoint to drop an ASPX backdoor in the server root.
One file. One click. Full RCE. CVSS 8.1, patched, fully documented.
Write-up + PoC payloads: https://pentest-tools.com/blog/dotnetnuke-xss-to-rce
More research from our team: https://pentest-tools.com/research
-
False positives in web scans often aren't wrong detections. They're unfiltered responses: soft 404s, error pages, and redirect chains that look like findings until someone checks.
We added an ML classifier that catches those before they ever surface as results. Fewer findings to re-validate, cleaner reports, less explaining to developers.
Full breakdown: https://pentest-tools.com/usage/minimize-false-positives
-
🚨 Most people think red teaming is about exploits.
It’s not.
The most effective attacks today don’t start with vulnerabilities —
they start with **trust**.
Modern environments are cloud-heavy, identity-driven, and full of SaaS integrations. In these systems, attackers don’t always need to “break in.”
They move quietly through:
• Over-permissioned identities
• Weak approval workflows
• Misconfigured cloud roles
• OAuth tokens and API access
• Human behavior under pressure
• Business processes no one questions
This is what I’ve been studying and calling the **Quiet Kill Chain** —
a sequence of legitimate-looking actions that, when chained together, become an attack path.
No loud exploits.
No obvious malware.
Just normal activity… used the wrong way.
## What changes at an advanced level?
You stop asking:
“What exploit should I use?”
And start asking:
• Where does this system trust too easily?
• Which action would look completely normal?
• What would defenders ignore?
• How can I blend into business operations?
Because the strongest intrusion today is not the one that is invisible.
It’s the one that looks **legitimate**.
## My takeaway
Offensive security is shifting from breaking systems
to understanding them deeply enough to move inside them unnoticed.
I’ve written a full deep-dive on this concept here 👇
Curious to hear your thoughts —
Is detection today ready for this level of subtlety?
#CyberSecurity #RedTeam #OffensiveSecurity #ThreatIntel #CloudSecurity #IdentitySecurity #EthicalHacking #BlackCipher
-
Python C2 Server for Red Teaming: A Comprehensive Hands-On Guide
In this guide, I walk through building a Python-based C2 server, covering its architecture, encrypted communication, and real-world operational workflow.
https://denizhalil.com/2025/12/15/python-c2-server-red-teaming-guide/
#CyberSecurity #RedTeam #C2 #commandandcontrol #Python #offensivesecurity #Pentesting #infosec #threatdetection #blueteam #securityengineering #ethicalhacking
-
FuelCMS doesn't validate the Host header on password reset requests.
Spoof it, trigger a reset for a valid user, and the app sends them a legitimate-looking email with your server in the link. They click. You get the token.
PTT-2025-029 / CVE-2026-30459, CVSS 7.1 High. No fix coming (vendor's been quiet for ~4 years).
Full PoC: https://pentest-tools.com/research
-
We documented the questions practitioners ask before trusting a security tool with real work.
Does it crash prod? Who writes the payloads? What counts as "validated"? What happens to your data after the scan runs?
Direct answers, no datasheets required: https://pentest-tools.com/product/faq
-
Genuinely wigging out about AI taking my job. Like, actually losing sleep over it.
My grand strategy: pivot to OT/ICS and hardware. Hardware because AI doesn't have hands (yet?). OT/ICS because I assume people still prefer their facilities/cars/planes to not explode when the AI goes the extra mile.
Is it a good plan? Probably no. Do I have a backup? Also no.
Looking for some assurance I’m crazy and wrong or correct and doing the right thing.
#infosec #icssecurity #hardwarehacking #careeradvice #offensivesecurity
-
AI was supposed to reduce your workload. For most practitioners, it added a new one.
Only 9% of devs say vulnerability testing keeps pace with AI-assisted development. The rest are playing catch-up.
We've been looking into this closely. More on that soon.
See how we think about this in the comments. 👇
#offensivesecurity #penetrationtesting #infosec
Which part of your job has AI made *harder*, not easier?
-
The cybersecurity certification landscape
https://negativepid.blog/the-cybersecurity-certification-landscape/
#defensiveSecurity #threatHunting #forensics #offensiveSecurity #ethicalHacking #cybersecurityCareers #cybersecurityCerts #certifications #Cybersecurity #ITcareers #onlineSecurity #negativepid