Command & Conquer'd: Worming RCEs through a classic multiplayer game. Check out the full writeup from our DistrictCon Junkyard submission here: buff.ly/tp7EzQ8 By Bryan Alexander and Jordan Whitehead #Security #modding #rce

Exploiting this game was fun! I think everyone should go find bugs in their childhood games, a load of them are on github and they all love to just read in files from the network

Only my fuzzing apps not crashing.

It’s been said before but I’ll say it again. Attack surface is the new 0day, especially with the use of AI agents at this stage.

HT3 was mid jestergooning when a group of Vendors came and spiked our Cortisol levels 😭 Is Ignoring the Vendors while munting and mogging printers more useful then RCE ghidrafishing in the Pwn2Own?

1/ Agentic LLMs can automate vuln detection. Very exciting, but doesn't address the hardest part (imo) of vuln research: prioritization. Can we reliably explore the search space and separate signal from noise? I wrote a paper (and OSS tool) to solve this. arxiv.org/pdf/2512.06155

Gregely is one of the smartest macOS VR guys I know! Highly recommend his training.

I finally understand the cobalt strike dude. The future is here.

Twitter blue teamers when you use novel killchains because it's too advanced vs Twitter blue teamers when you attack ADCS because it's too simple

❗️🇵🇱 A threat actor is selling initial access to a Polish state government server. System details indicate the server is running Linux (Linux 4.18.0-553.lve.el8.x86_64, AlmaLinux/CentOS-based environment).

cagent: An agent sandbox that allows Docker-in-Docker. I use this for development and security testing. Work in progress but it's useful and ergonomic for my use cases. github.com/noperator/cage…

it’s raining bugs with Claude. seems like a fundamental shock to the ecosystem is about to occur

I wrote a short blogpost on the quirks of grammar fuzzing (and, more generally, structure-aware fuzzing) and a simple trick I used to get more bugs out of it more quickly. projectzero.google/2026/03/mutati…

Happy Friday and always remember... Fuck Netanyahu and the murderous Zionist child killing regime.

We decided to revisit an old research problem with some new LLM powered tooling. Check out our latest blog post to see how we approached this research, and the new Java deserialization gadget chains it discovered in just two days! buff.ly/CeAQZ2B

I am financially censored. All the banks closed my bank accounts for criticizing Israel and U.S. war crimes at the UN I cannot have a bank account. I cannot have a credit or debit card. I cannot make or receive payments I’m not a criminal. I represent people’s voice at the UN!

After much reflection, I have decided to resign from my position as Director of the National Counterterrorism Center, effective today. I cannot in good conscience support the ongoing war in Iran. Iran posed no imminent threat to our nation, and it is clear that we started this

Hiring for several offensive security research roles 🔍 📱 Senior Offensive Security Researcher — Android Chromium Sandbox Security 🌐 Offensive Security Researcher — Browser 🍎 Offensive Security Researcher — iOS Kernel Role links in the first reply. Please share if someone

I wrote something: sockpuppet.org/blog/2026/03/3…

My kinda hot take on the Mythos stuff is really that there is so little money in offensive research that it's still not really that hard to find bugs. These AI companies are operating with budgets that make the entire offensive research of all big tech combined look like a joke