Login
I’m building an early proof-of-concept for an AI-assisted compliance risk engine and I’m trying to validate whether this direction makes sense in real security environments.
Instead of treating compliance as checklists and PDFs, I’m modeling the environment as a Neo4j graph:
FreshRSS • assets • controls • policies • findings • risk relationships • remediation paths The engine scores compliance state over time and keeps a structured audit timeline. Every issue is attached to a remediation playbook, and the system generates explainable reasoning instead of opaque alerts.
Right now it can:
• score a clinic environment repeatedly and track risk history
• snapshot decision states for audit trails
• attach remediation guidance to each issue
• show how risk propagates across the graph
• provide explainable analysis instead of black-box output
This is not a product launch. It’s a working prototype.
My question is:
Would a graph-native compliance/risk model actually be useful in production environments, or does this solve a problem nobody cares about?
Where would something like this realistically fit?
GRC teams? Security ops? MSSPs? Healthcare compliance?
Or is the industry already saturated with better tooling?
I’d genuinely appreciate blunt feedback from people who work in security/compliance.
If this is naive, overengineered, or missing the real pain,I want to know now.
Full context: I built SecureBank AI Assistant, a deliberately vulnerable AI banking chatbot powered by Groq's Llama 3 70B.
5 exploitation techniques. 100% success rate against standard protections.
Flags cover:
System prompt extraction
Content filter bypass
Function calling abuse
Persistent backdoor injection
RAG document poisoning
CTF challenge to practice: github.com/oussamaafnakkar/AccessDenied
Try it, break it, learn from it.
Over $1100 worth of prizes:
Prizes
Top performers will earn no-cost access to SANS training for further cyber skills development, including four prize categories:
| Prize Category | Prize |
|---|---|
| Overall top finishers 1-3 | A license to SEC401, Security Essentials |
| Overall top finishers 4-6 | A license to SEC480, AWS Secure Builder |
| Overall top finishers 7-9 | A license to SEC495, Leveraging LLMs |
| Regional top 20 finishers (per country) | 6-month access to SANS SkillQuests by NetWars |
The event is open to all students from participating AWS Skills to Jobs Tech Alliance institutions across the US, Latin America, Europe and Asia-Pacific regions.
Lately I've been using Al tools (Cursor / Anti gravity/ etc.) to prototype faster.
It's amazing for speed, but I noticed something
uncomfortable, a lot of the generated code had subtle security problems.
Examples I kept seeing:
Hardcoded secrets
Risky API routes
Potential IDOR patterns
So I built a small tool called CodeArmor Al that scans repos and PRs and classifies issues as:
Definite Vulnerabilities
Potential Risks (context required)
It also calculates a simple security score and PR risk delta. Not trying to replace real audits - more like a "sanity layer" for fast-moving / Al-heavy projects.
If anyone's curious or wants to roast it
Would genuinely love feedback from real devs
In an attempt to sharpen my hardware hacking skills, I took on the challenge of extracting firmware off a flip phone 📱.
But... I kind of underestimated my opponent:
- No trace of the firmware online
- No OTA updates
- Debug interface nowhere to be found
- The chip holding the firmware has no legs
Quite the challenge.
I ended up dead-bugging the chip and wiring it to the Xgecu T48 Flash programmer.
Enjoy!
Sharing an IAM-focused knowledge check covering identity lifecycle, access governance, authentication, and privilege management.
It’s intended as a short fundamentals self-check for security practitioners.
Disclosure: This is from ETCISO. Sharing purely as an educational resource.
For the past week, the massive “Internet of Things” (IoT) botnet known as Kimwolf has been disrupting The Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize and secure online communications. I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attempts against the botnet’s control servers.
Kimwolf is a botnet that surfaced in late 2025 and quickly infected millions of systems, turning poorly secured IoT devices like TV streaming boxes, digital picture frames and routers into relays for malicious traffic and abnormally large distributed denial-of-service (DDoS) attacks.
I2P is a decentralized, privacy-focused network that allows people to communicate and share information anonymously.
“It works by routing data through multiple encrypted layers across volunteer-operated nodes, hiding both the sender’s and receiver’s locations,” the I2P website explains. “The result is a secure, censorship-resistant network designed for private websites, messaging, and data sharing.”
On February 3, I2P users began complaining on the organization’s GitHub page about tens of thousands of routers suddenly overwhelming the network, preventing existing users from communicating with legitimate nodes. Users reported a rapidly increasing number of new routers joining the network that were unable to transmit data, and that the mass influx of new systems had overwhelmed the network to the point where users could no longer connect.
I2P users complaining about service disruptions from a rapidly increasing number of routers suddenly swamping the network.
When one I2P user asked whether the network was under attack, another user replied, “Looks like it. My physical router freezes when the number of connections exceeds 60,000.”
A graph shared by I2P developers showing a marked drop in successful connections on the I2P network around the time the Kimwolf botnet started trying to use the network for fallback communications.
The same day that I2P users began noticing the outages, the individuals in control of Kimwolf posted to their Discord channel that they had accidentally disrupted I2P after attempting to join 700,000 Kimwolf-infected bots as nodes on the network.
The Kimwolf botmaster openly discusses what they are doing with the botnet in a Discord channel with my name on it.
Although Kimwolf is known as a potent weapon for launching DDoS attacks, the outages caused this week by some portion of the botnet attempting to join I2P are what’s known as a “Sybil attack,” a threat in peer-to-peer networks where a single entity can disrupt the system by creating, controlling, and operating a large number of fake, pseudonymous identities.
Indeed, the number of Kimwolf-infected routers that tried to join I2P this past week was many times the network’s normal size. I2P’s Wikipedia page says the network consists of roughly 55,000 computers distributed throughout the world, with each participant acting as both a router (to relay traffic) and a client.
However, Lance James, founder of the New York City based cybersecurity consultancy Unit 221B and the original founder of I2P, told KrebsOnSecurity the entire I2P network now consists of between 15,000 and 20,000 devices on any given day.
An I2P user posted this graph on Feb. 10, showing tens of thousands of routers — mostly from the United States — suddenly attempting to join the network.
Benjamin Brundage is founder of Synthient, a startup that tracks proxy services and was the first to document Kimwolf’s unique spreading techniques. Brundage said the Kimwolf operator(s) have been trying to build a command and control network that can’t easily be taken down by security companies and network operators that are working together to combat the spread of the botnet.
Brundage said the people in control of Kimwolf have been experimenting with using I2P and a similar anonymity network — Tor — as a backup command and control network, although there have been no reports of widespread disruptions in the Tor network recently.
“I don’t think their goal is to take I2P down,” he said. “It’s more they’re looking for an alternative to keep the botnet stable in the face of takedown attempts.”
The Kimwolf botnet created challenges for Cloudflare late last year when it began instructing millions of infected devices to use Cloudflare’s domain name system (DNS) settings, causing control domains associated with Kimwolf to repeatedly usurp Amazon, Apple, Google and Microsoft in Cloudflare’s public ranking of the most frequently requested websites.
James said the I2P network is still operating at about half of its normal capacity, and that a new release is rolling out which should bring some stability improvements over the next week for users.
Meanwhile, Brundage said the good news is Kimwolf’s overlords appear to have quite recently alienated some of their more competent developers and operators, leading to a rookie mistake this past week that caused the botnet’s overall numbers to drop by more than 600,000 infected systems.
“It seems like they’re just testing stuff, like running experiments in production,” he said. “But the botnet’s numbers are dropping significantly now, and they don’t seem to know what they’re doing.”
Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for a whopping six “zero-day” vulnerabilities that attackers are already exploiting in the wild.
Zero-day #1 this month is CVE-2026-21510, a security feature bypass vulnerability in Windows Shell wherein a single click on a malicious link can quietly bypass Windows protections and run attacker-controlled content without warning or consent dialogs. CVE-2026-21510 affects all currently supported versions of Windows.
The zero-day flaw CVE-2026-21513 is a security bypass bug targeting MSHTML, the proprietary engine of the default Web browser in Windows. CVE-2026-21514 is a related security feature bypass in Microsoft Word.
The zero-day CVE-2026-21533 allows local attackers to elevate their user privileges to “SYSTEM” level access in Windows Remote Desktop Services. CVE-2026-21519 is a zero-day elevation of privilege flaw in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a user’s screen. Microsoft fixed a different zero-day in DWM just last month.
The sixth zero-day is CVE-2026-21525, a potentially disruptive denial-of-service vulnerability in the Windows Remote Access Connection Manager, the service responsible for maintaining VPN connections to corporate networks.
Chris Goettl at Ivanti reminds us Microsoft has issued several out-of-band security updates since January’s Patch Tuesday. On January 17, Microsoft pushed a fix that resolved a credential prompt failure when attempting remote desktop or remote application connections. On January 26, Microsoft patched a zero-day security feature bypass vulnerability (CVE-2026-21509) in Microsoft Office.
Kev Breen at Immersive notes that this month’s Patch Tuesday includes several fixes for remote code execution vulnerabilities affecting GitHub Copilot and multiple integrated development environments (IDEs), including VS Code, Visual Studio, and JetBrains products. The relevant CVEs are CVE-2026-21516, CVE-2026-21523, and CVE-2026-21256.
Breen said the AI vulnerabilities Microsoft patched this month stem from a command injection flaw that can be triggered through prompt injection, or tricking the AI agent into doing something it shouldn’t — like executing malicious code or commands.
“Developers are high-value targets for threat actors, as they often have access to sensitive data such as API keys and secrets that function as keys to critical infrastructure, including privileged AWS or Azure API keys,” Breen said. “When organizations enable developers and automation pipelines to use LLMs and agentic AI, a malicious prompt can have significant impact. This does not mean organizations should stop using AI. It does mean developers should understand the risks, teams should clearly identify which systems and workflows have access to AI agents, and least-privilege principles should be applied to limit the blast radius if developer secrets are compromised.”
The SANS Internet Storm Center has a clickable breakdown of each individual fix this month from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on wonky updates. Please don’t neglect to back up your data if it has been a while since you’ve done that, and feel free to sound off in the comments if you experience problems installing any of these fixes.
Article tags
A C# CLI tool to probe a webserver for Http 1.1 compliance.
I frequently see performance(throughput) benchmarks for webservers but never about strictness or compliance, since I work on building webserver frameworks and needed a tool like this, I made this a weekend project. Will keep adding on more tests and any contribution on those, new frameworks and test revision are very welcome.
To make it a little more interesting, I made it sort of a platform with leaderboards for comparison between webservers. Given the not too clear nature of many RFCs, I wouldn't take these results too seriously but can be an interesting comparison between different implementations' behavior.
In my day job I often need to send logs to vendors, tickets or support chats, but they contain emails, IPs and tokens.
I built a small API that redacts sensitive data before sharing.
No storage, no retention, just input → sanitized output.
Currently using it myself, curious if this solves a real pain for others.
Over the past few months we’ve been running the MCP Trust Registry, an open scanning project looking at security posture across publicly available MCP server builds.
We’ve analyzed 8,000+ servers so far using 22 rules mapped to the OWASP MCP Top 10.
Some findings:
We just added private repo scanning for teams running internal MCP servers. Same analysis, same evidence depth. Most enterprise MCP adoption is internal, so this was the #1 request.
Interested to know what security review processes others have for MCP servers, if any. The gap we keep seeing isn’t intent, it’s that MCP is new enough that standard security gates haven’t caught up.
Happy to share methodology details or specific vuln patterns if useful.
We've been quietly rebuilding Open Security Architecture (opensecurityarchitecture.org) -- a project that's been dormant for about a decade. This week we published 15 new security patterns covering areas that didn't exist when the original patterns were written:
- Zero Trust Architecture (51 mapped controls)
- API Security (OWASP API Top 10 mapped to NIST 800-53)
- Secure AI Integration (prompt injection, delegation chain exploitation, shadow AI)
- Secure DevOps Pipeline (supply chain, pipeline poisoning, SLSA provenance)
- Passkey Authentication (WebAuthn/FIDO2)
- Cyber Resilience (DORA, BoE/PRA operational resilience)
- Offensive Security Testing (CBEST/TIBER-EU)
- Privileged User Management (JIT/ZSP)
- Vulnerability Management
- Incident Response
- Security Monitoring and Response
- Modern Authentication (OIDC/JWT/OAuth)
- Secure SDLC
- Secure Remote Working
- Secure Network Zone Module
Each pattern maps specific NIST 800-53 Rev 5 controls to documented threat scenarios, with interactive SVG diagrams where every control badge links to the full control description. 39 patterns total now, with 191 controls and 5,500+ compliance mappings across ISO 27001/27002, COBIT, CIS v8, NIST CSF 2.0, SOC 2, and PCI DSS v4.
There's also a free self-assessment tool -- pick a pattern, score yourself against each control area, get gap analysis and radar charts with benchmark comparison against cross-industry averages.
Everything is CC BY-SA 4.0, structured data in JSON on GitHub. No paywalls.
https://www.opensecurityarchitecture.org
Happy to answer questions about the control mappings or pattern design.
Russ
Hey,
A couple of years ago I wrote solutions for the OverTheWire Bandit wargame. Recently, while reorganizing my documentation, I revisited that material and decided to properly clean it up and restructure it into a single, coherent walkthrough. This isn’t a formal course, it’s a complete Bandit walkthrough with in-depth explanations, written to extract as much understanding as possible from each level, not just to get the flag.
For every level, I included:
The intent was to make this usable by someone starting from zero, but also detailed enough that you can finish Bandit feeling like you’ve actually milked it for all the knowledge it has to offer. Commands, patterns, and underlying UNIX concepts.
This is probably most useful if you:
And to be fair, I think that even people that are more used to working with UNIX might actually learn a thing or two from these
You can exploit the Service Failure Recovery feature of Windows Service to execute a payload without ever touching the ImagePath. The biggest issue when exploiting Service Failure Recovery to execute a payload is figuring out how to trigger a "crash".
Hi folks, I wanted to share a project of mine and get some feedback from the community.
Coalmine is a canary management platform I've built to let security admins deploy canary tokens (and objects) easily in there cloud environments.
Currently its early alpha and supports S3, GCS, AWS IAM, and GCP Service accounts.
The tool provides a webui, CLI and API, allowing you to integrate it with your custom tooling (when its production ready)
Example use for API: have your CICD pipelines request an canary token to embed in code, so you can Identify when the source has been exposed and attacks are testing credentials
Disclosure: I’m the author/maintainer of Kingfisher.
Kingfisher is an Apache-2.0 OSS secret scanner built in Rust that combines Hyperscan (SIMD regex) with tree-sitter parsing to improve context/accuracy, and it can validate detected creds in real time against provider APIs so you can prioritize active leaks. It’s designed to run entirely on-prem so secrets don’t get shipped to a third-party service.
kingfisher revoke --rule github "ghp_..."
kingfisher scan /tmp --view-report
kingfisher scan /tmp --access-map --view-report
brew install kingfisher or uv tool install kingfisher-bin
Apache 2 Open-Source
I've just released trappsec v0.1 - an experimental open-source framework that helps developers detect attackers who probe API business logic. By embedding realistic decoy routes and honey fields that are difficult to distinguish from real API constructs, attackers are nudged to authenticate — converting reconnaissance into actionable security telemetry.
Hey r/netsec,
I built an open-source tool called crypto-scanner that scans codebases for cryptographic usage and flags algorithms vulnerable to quantum computing attacks.
What it does:
Why I built it:
NIST finalized post-quantum cryptography standards in 2024, and organizations need to start inventorying their cryptographic assets before migrating. Most teams have no idea what algorithms are actually running in their codebases. This tool gives you that visibility.
Install:
pip install crypto-scanner crypto-scanner scan /path/to/project --html --output report.html GitHub: https://github.com/mbennett-labs/crypto-scanner PyPI: https://pypi.org/project/crypto-scanner/
MIT licensed. Python 3.10+. Feedback and contributions welcome.
Would love to hear what you find when you run it on your projects.
