John Connor (@connorsecurity)'s Twitter Profile
John Connor

@connorsecurity

Cybersecurity from the future

ID: 1212057615259201538

31-12-2019 17:07:16

376 Tweet

427 Followers

1,1K Following

nolen (@itseieio)

At the height of One Million Checkboxes's popularity I thought I'd been hacked. A few hours later I was tearing up, extraordinarily proud of some brilliant teens. A thread about my favorite story from running OMCB....

Florian Roth ⚡️ (@cyb3rops)

I always tell people interested in TI and DFIR that books and the tools/methods they describe are just half the journey. Most of what I've learned about threat actors - their methods, tools, and techniques - came from reading threat reports. While I started by extracting IOCs

Shane Huntley (@shanehuntley)

We are generally way too overconfident in understanding adversary intent in cyberspace. Activity is straightforward, attribution is tricky and intent is often opaque and relies on organizational politics and bureaucracy inside organizations.

Muhammad Umair (@m_umairx)

FLARE is releasing a tool today that I've been working on over this year that helps break down binaries into smaller functional clusters and uses Gemini to describe their relationships, behavior and the overall malware functionality. It's called XRefer and it is out for you to

Anshuman Bhartiya (@anshuman_bh)

🚀 How to build an offensive AI security agent: 🤖 I've been wanting to play with ReAct agents to see what complex workflows I can automate when it comes to offensive security testing. I finally got around to it yesterday and I was able to build a functional security testing

Graham Helton (@grahamhelton3)

The best formula I've found for my career so far. Find something to hack. Research it. Hack it better. Build tooling. Tell people about it. -> repeat.

Greg Lesnewich (@greglesnewich)

#100DaysofYARA 2025 edition begins tomorrow! Any #CTI or #detectionengineering folks looking for a self-paced challenge to start the year with a laid back & fun community? Look no further! The challenge is simple - write a YARA rule every day for 100 days

Nick Carr (@itsreallynick)

I have a hard time recognizing or appreciating Chinese innovation when I have spent my career responding to intrusions, particularly 🇨🇳 hacks of tech & data companies while at Mandiant. For so many in infosec, it’s impossible to differentiate breakthroughs from decades of

Lakshya Jain (@lxeagle17)

Now, you can ask: "what if my tasks at work are simple enough to where GPT does solve it all, easily? Can't I just use it for that?" Congratulations. You may have discovered the path to being unemployed. If the AI does everything you can do, *why would they keep you around*?

Lakshya Jain (@lxeagle17)

Parts of it may well be deemed "outdated". But the reason college curriculum is structured as it is instead of being a grand industry tour on the Hot Topic Of The Day is that by teaching fundamentals, you teach students *how* to think, learn, and work. AI just bypasses that.

alden (@birchb0y)

genuinely writing yara rules is just like a macrodata refinement bad vibes + scary numbers = probably malware give me my waffle party

Florian Roth ⚡️ (@cyb3rops)

We’re seeing a clear trend: attackers are bypassing the endpoint entirely. Not just avoiding traditional EDR-monitored systems by pivoting to embedded and edge devices, but now also operating purely in the cloud. No shell, no malware, no persistence on the endpoint. Just an OAuth

Kris McConkey (@smoothimpact)

This is a great summary. We (and by we I mean mostly Will Oram) have been using variants of this diagram to describe the inversion of attack paths to identity-based intrusions - a major trend in our incident response cases over the past year.