Entra Connect sync accounts can be exploited to hijack device userCertificate properties, enabling device impersonation and conditional access bypass. Daniel Heinsen explores cross-domain compromise tradecraft within the same tenant. Read more ⤵️ ghst.ly/3ISMGN9

New blog! Here's our case study on using LLMs for accelerating offensive R&D. Our post details how we used Large Language Models to identify and exploit trapped COM objects. Next week at BlackHat we'll drop even hotter stuff on offensive AI research. 🔥 outflank.nl/blog/2025/07/2…

BloodHound OpenGraph makes adding nodes and edges simple, but building effective attack graph models? That's where the real work begins. Andy Robbins breaks down the theory, best practices, and requirements you need to know. ghst.ly/44Zv7DJ

MSSQLHound leverages BloodHound's OpenGraph to visualize MSSQL attack paths with 7 new nodes & 37 new edges, all without touching the SharpHound & BloodHound codebases. Chris Thompson unpacks this new feature in his blog post. 👇 ghst.ly/4leRFFn

During my #BHUSA talk I've released many ETW research tools, of which the most notable is BamboozlEDR. This tool allows you to inject events into ETW, allowing you to generate fake alerts and blind EDRs. github.com/olafhartong/Ba… Slides available here: github.com/olafhartong/Pr…

We're at BlackHat USA. At 1.30 PM our Outflank researcher Kyle Avery will present his work on how he trained a 7B parameter LLM to defeat Microsoft Defender for Endpoint. An accompanying blog post will go out later today and we'll release the model on Hugging Face. Stay tuned!

The AD CS security landscape keeps evolving, and so does our tooling. 🛠️ Valdemar Carøe drops info on Certify 2.0, including a suite of new capabilities and refined usability improvements. ghst.ly/45IrBxI

We are breaking down our State of Attack Path Management report. Join Jared Atkinson, Andrew Chiles, & Elad Shamir as they discuss some key takeaways from the report to help you understand & address attack paths before they're exploited. Register 👉 ghst.ly/aug-web-tw

if you want to train a model yourself with GRPO: 1. find a verifiable task: jasonwei.net/blog/asymmetry… 2. add a new reward function to open-r1: github.com/huggingface/op…

Join our webinar, happening next Thursday and get a full break down of the report from authors Jared Atkinson, Andrew Chiles, and Elad Shamir. Register at ghst.ly/aug-web-tw

Lots of tooling around the new Bloodhound "OpenGraph" standard this week including vCenterHound from MOR DAVID and the bhopengraph library from Rémi GASCOU (Podalirius). blog.badsectorlabs.com/last-week-in-s…

BloodHound isn't just for Active Directory anymore. 🤯 Walter.Legowski dives into the BloodHound OpenGraph functionality & demonstrates the new PowerShell cmdlets added to the BloodHound Operator module to work with the OpenGraph feature. ghst.ly/4peTTrB

Military veterans bring discipline, problem-solving skills, & strategic thinking to #cybersecurity; exactly what our industry needs. Join us for veteran-led insights on: ✅ Resume tips ✅ Application strategy ✅ Life working at a security firm 👉 ghst.ly/sep-web-tw

Sure, a bunch of NPM packages got backdoor'd (again), but don't miss the great research and tools released last week! blog.badsectorlabs.com/last-week-in-s…

If you're attending BSidesMTL this weekend, make sure you catch Scoubi's presentation. He will dive into BloodHound OpenGraph & how you can now ingest & visualize Identity Attack Paths & relationships from any platform, repository, or app. ➡️ bsidesmtl.ca

Big post this week with lots of great write ups and tools. Wild that China's great firewall source code was leaked! 🔥🧱🇨🇳 blog.badsectorlabs.com/last-week-in-s…

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…

Win32_Process has been the go to WMI class for remote command execution for years. Steven explores a new WMI class that functions like Win32_Process and offers further capability. Read more ⤵️ ghst.ly/4gyPbkr

The only conference dedicated to Attack Path Management is back! 3 tracks. Real-world case studies. Hands-on BloodHound Quest lab. Join us at #SOCON2026 and advance your identity-first security strategy. 🎟️ Save 25% with early bird: specterops.io/so-con

Submit your talk to the #SOCON2026 CFP at sessionize.com/socon-2026/ The deadline for submissions is November 15th, 2025 at 23:59 ET