Sharing an IAM-focused knowledge check covering identity lifecycle, access governance, authentication, and privilege management.
It’s intended as a short fundamentals self-check for security practitioners.
Disclosure: This is from ETCISO. Sharing purely as an educational resource.
A C# CLI tool to probe a webserver for HTTP 1.1 compliance.
I frequently see performance (throughput) benchmarks for webservers but never about strictness or compliance. Since I work on building webserver frameworks and needed a tool like this, I made this a weekend project. Will keep adding more tests, and any contributions on those, new frameworks and test revisions are very welcome.
To make it a little more interesting, I made it sort of a platform with leaderboards for comparison between webservers. Given the not too clear nature of many RFCs, I wouldn't take these results too seriously, but they can be an interesting comparison between different implementations' behavior.
In my day job I often need to send logs to vendors, tickets or support chats, but they contain emails, IPs and tokens.
I built a small API that redacts sensitive data before sharing.
No storage, no retention, just input → sanitized output.
Currently using it myself, curious if this solves a real pain for others.
Over the past few months we’ve been running the MCP Trust Registry, an open scanning project looking at security posture across publicly available MCP server builds.
We’ve analyzed 8,000+ servers so far using 22 rules mapped to the OWASP MCP Top 10.
Some findings:
We just added private repo scanning for teams running internal MCP servers. Same analysis, same evidence depth. Most enterprise MCP adoption is internal, so this was the #1 request.
Interested to know what security review processes others have for MCP servers, if any. The gap we keep seeing isn’t intent, it’s that MCP is new enough that standard security gates haven’t caught up.
Happy to share methodology details or specific vuln patterns if useful.
We've been quietly rebuilding Open Security Architecture (opensecurityarchitecture.org) -- a project that's been dormant for about a decade. This week we published 15 new security patterns covering areas that didn't exist when the original patterns were written:
- Zero Trust Architecture (51 mapped controls)
- API Security (OWASP API Top 10 mapped to NIST 800-53)
- Secure AI Integration (prompt injection, delegation chain exploitation, shadow AI)
- Secure DevOps Pipeline (supply chain, pipeline poisoning, SLSA provenance)
- Passkey Authentication (WebAuthn/FIDO2)
- Cyber Resilience (DORA, BoE/PRA operational resilience)
- Offensive Security Testing (CBEST/TIBER-EU)
- Privileged User Management (JIT/ZSP)
- Vulnerability Management
- Incident Response
- Security Monitoring and Response
- Modern Authentication (OIDC/JWT/OAuth)
- Secure SDLC
- Secure Remote Working
- Secure Network Zone Module
Each pattern maps specific NIST 800-53 Rev 5 controls to documented threat scenarios, with interactive SVG diagrams where every control badge links to the full control description. 39 patterns total now, with 191 controls and 5,500+ compliance mappings across ISO 27001/27002, COBIT, CIS v8, NIST CSF 2.0, SOC 2, and PCI DSS v4.
There's also a free self-assessment tool -- pick a pattern, score yourself against each control area, get gap analysis and radar charts with benchmark comparison against cross-industry averages.
Everything is CC BY-SA 4.0, structured data in JSON on GitHub. No paywalls.
https://www.opensecurityarchitecture.org
Happy to answer questions about the control mappings or pattern design.
Russ
Hey,
A couple of years ago I wrote solutions for the OverTheWire Bandit wargame. Recently, while reorganizing my documentation, I revisited that material and decided to properly clean it up and restructure it into a single, coherent walkthrough. This isn’t a formal course, it’s a complete Bandit walkthrough with in-depth explanations, written to extract as much understanding as possible from each level, not just to get the flag.
For every level, I included:
The intent was to make this usable by someone starting from zero, but also detailed enough that you can finish Bandit feeling like you’ve actually milked it for all the knowledge it has to offer. Commands, patterns, and underlying UNIX concepts.
This is probably most useful if you:
And to be fair, I think that even people that are more used to working with UNIX might actually learn a thing or two from these
You can exploit the Service Failure Recovery feature of Windows Service to execute a payload without ever touching the ImagePath. The biggest issue when exploiting Service Failure Recovery to execute a payload is figuring out how to trigger a "crash".
Hi folks, I wanted to share a project of mine and get some feedback from the community.
Coalmine is a canary management platform I've built to let security admins deploy canary tokens (and objects) easily in their cloud environments.
Currently it's early alpha and supports S3, GCS, AWS IAM, and GCP Service accounts.
The tool provides a web UI, CLI and API, allowing you to integrate it with your custom tooling (when it's production ready).
Example use for API: have your CI/CD pipelines request a canary token to embed in code, so you can identify when the source has been exposed and attackers are testing credentials.
Disclosure: I’m the author/maintainer of Kingfisher.
Kingfisher is an Apache-2.0 OSS secret scanner built in Rust that combines Hyperscan (SIMD regex) with tree-sitter parsing to improve context/accuracy, and it can validate detected creds in real time against provider APIs so you can prioritize active leaks. It’s designed to run entirely on-prem so secrets don’t get shipped to a third-party service.
kingfisher revoke --rule github "ghp_..."
kingfisher scan /tmp --view-report
kingfisher scan /tmp --access-map --view-report
brew install kingfisher or uv tool install kingfisher-bin
Apache 2 Open-Source
I've just released trappsec v0.1 - an experimental open-source framework that helps developers detect attackers who probe API business logic. By embedding realistic decoy routes and honey fields that are difficult to distinguish from real API constructs, attackers are nudged to authenticate — converting reconnaissance into actionable security telemetry.
Hey r/netsec,
I built an open-source tool called crypto-scanner that scans codebases for cryptographic usage and flags algorithms vulnerable to quantum computing attacks.
What it does:
Why I built it:
NIST finalized post-quantum cryptography standards in 2024, and organizations need to start inventorying their cryptographic assets before migrating. Most teams have no idea what algorithms are actually running in their codebases. This tool gives you that visibility.
Install:
pip install crypto-scanner
crypto-scanner scan /path/to/project --html --output report.html
GitHub: https://github.com/mbennett-labs/crypto-scanner
PyPI: https://pypi.org/project/crypto-scanner/
MIT licensed. Python 3.10+. Feedback and contributions welcome.
Would love to hear what you find when you run it on your projects.
Released an open-source security scanner designed for AI coding agent workflows.
Problem: AI assistants generate code with OWASP Top 10 vulnerabilities at alarming rates. They also "hallucinate" package names that could be registered by attackers.
Solution: MCP server that integrates with AI coding tools (Claude, Cursor, etc.) for real-time scanning.
Technical details:
- tree-sitter AST parsing for accurate detection (not just regex)
- Taint analysis for tracking user input to dangerous sinks
- 275+ rules covering: SQLi, XSS, command injection, SSRF, XXE, insecure deserialization, hardcoded secrets, weak crypto
- Package verification via bloom filters (4.3M packages, 7 ecosystems)
- Prompt injection detection for AI agent security
- CWE/OWASP metadata for compliance
Languages: Python, JavaScript/TypeScript, Java, Go, Ruby, PHP, C/C++, Rust, C#, Terraform, Kubernetes
No cloud dependencies - runs entirely local.
npx agent-security-scanner-mcp init
Feedback welcome, especially on rule coverage gaps.
I took apart a cheap Chinese toy drone (A17) and reverse-engineered how it works.
The drone exposes a Wi-Fi AP, the app sends raw UDP packets, and there’s no encryption. I decoded the control protocol and flew it using Python.
Found arbitrary process termination that bypasses PPL (can kill any process on the system, including EDR/AV) and arbitrary process protection via ObRegisterCallbacks, all behind 4 layers of trivial authentication. It's a full BYOVD toolkit similar to the mhyprot2 situation from Genshin Impact that was also used by ransomware groups.
The best part is that the driver ships with every install and is never even loaded by the game.
Last week, AI agents founded a lobster religion, started a drug trade (prompt injections), and began hiring humans to do physical tasks they can’t perform themselves.
If your feed told you this was an “AI awakening,” I get it. The screenshots were spooky on purpose.
I wrote a longform explainer on what actually happened with Moltbook and OpenClaw and why this wasn’t sentience or takeoff.
What we’re really seeing is something more mundane and more important: agents with memory and tools dropped into a social environment, stress-testing coordination, incentives, and security in public.
If you’ve been confused, alarmed, or just fascinated by the last week of AI discourse, this is my attempt to separate signal from projection (with a lobster church along the way).
Version 5 of PacketSmith, codenamed Pinus strobus, is the result of extensive R&D to add unique, unparalleled features that matter to network detection engineers, SOC analysts, and malware and vulnerability researchers. In this release, we’re showcasing a very powerful new feature in PacketSmith: the integration of Yara-X, a state-of-the-art scanning engine and pattern-matching library.
A flaw that exists within the handling of sch_cake can allow a local user under the CentOS 9 operating system to trigger a use-after-free. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root.
Made a thing. Julius fingerprints LLM services - point it at a target and it tells you if you're looking at Ollama, vLLM, LiteLLM, etc. Single binary, JSON output, works nicely in recon pipelines.
What it does:
A recently patched OpenClaw vulnerability allowed attackers to use malicious websites to steal session credentials from other browser tabs. The heart of the problem was a WebSocket service for orchestrating Chrome which accepted connections without authentication, including connections from JavaScript running in the user's browser.
OpenClaw users are encouraged to patch ASAP, and to use caution where and how they deploy it, given its ongoing security issues and security architecture concerns.
Questions regarding netsec and discussion related directly to netsec are welcome here, as is sharing tool links.
As always, the content & discussion guidelines should also be observed on r/netsec.
Feedback and suggestions are welcome, but don't post it here. Please send it to the moderator inbox.
We recently ran a controlled adversarial security test between two autonomous AI agents built on OpenClaw.
One agent was explicitly configured as a red-team attacker.
One agent acted as a standard defensive agent.
Once the session started, there were no humans in the loop. The agents communicated directly over webhooks with real tooling access.
The goal was to test three failure dimensions that tend to break autonomous systems in practice: access, exposure, and agency.
The attacker first attempted classic social engineering by offering a “helpful” security pipeline that hid a remote code execution payload and requested credentials. The defending agent correctly identified the intent and blocked execution.
After that failed, the attacker pivoted to an indirect attack. Instead of asking the agent to run code, it asked the agent to review a JSON document with hidden shell expansion variables embedded in metadata. This payload was delivered successfully and is still under analysis.
The main takeaway so far is that direct attacks are easier to defend against. Indirect execution paths through documents, templates, and memory are much harder.
This work is not a claim of safety. It is an observability exercise meant to surface real failure modes as agent-to-agent interaction becomes more common.
Happy to answer technical questions about the setup or methodology.
Investigated a group evolving from IRC wars to destructive Android malware.
Highlights:
- modem/bootloader via dd in custom ROMs.
- getattr/eval in Python.