Dmitriy Evdokimov (@evdokimovds)'s Twitter Profile
Dmitriy Evdokimov

@evdokimovds

Observability, visibility, security of containerised apps and K8s. eBPF fan.

ID: 120566960

06-03-2010 21:13:12

2.2K Tweets

4.4K Followers

995 Following

cr0@Defensive-Security.com / PurpleLabs / EDRmetry (@cr0nym):

Current Scope of #Linux EDRmetry Playbook #redteam #blueteam #dfir #edr Also, the official webpage has been published! defensive-security.com/edrmetry/ Work in progress 🩵🩷✌️

h0mbre (@h0mbre_):

I tried my hand at exploiting an nday on the Google Container Optimized OS instance in kCTF but sadly was very late to the party. Here is my exploit write-up for it. I learned a lot during the process, let me know what you think. I'll post TL;DR in thread h0mbre.github.io/Patch_Gapping_…

Kyle Quest (aka Q) (@kcqon):

It was a fun SCaLE 22x talk with great questions and participation from the audience! We managed to build a functional container by hand without any container tools. There was cheating to do less :-) And we also explored the magic of lazy loaded containers and eStargz! #scale22x

Duncan Ogilvie 🍍 (@mrexodia):

New release by fwsGonzo: TinyKVM, a tool to sandbox statically compiled Linux executables with a near-zero performance overhead.🤯

Mark Manning (@antitree):

Here are my slides from BSides Reykjavik:
* Backdooring a container image (Vault)
* Exfiltrate secrets via DNS
* Update to pillage registry tool (originally created by Josh Makinen)

canva.com/design/DAGgrY1…
Dino A. Dai Zovi (@dinodaizovi):

My keynote at offensivecon 2025, "How Offensive Security Made Me Better at Defense": Video: youtu.be/60BcjiChncE Slides: docs.google.com/presentation/d…

MatheuZ (@matheuzsecurity):

RingReaper can bypass falco and modern linux EDRs.

Check: github.com/MatheuZSecurit…

Detailed article: matheuzsecurity.github.io/hacking/evadin…

#malware #io_uring #edr #rootkit #falcon #linux
Mark Manning (@antitree):

Wrote up my seccomp-diff tool which will extract seccomp BPF from a PID/ container and let you diff it with other things. The initial release with Jay Beale at Shmoocon was more of a POC. This adds some nice features if you're into seccomp. More info: antitree.com/2025/07/seccom…

Kubesploit (@kubesploit):

Learn how Beelzebub runs honeypots inside your Kubernetes cluster to detect lateral movement.

It fakes real services, captures attacker commands like docker ps or ls, and logs them for analysis via Grafana or fluentd.

➜ ku.bz/W4M7dx2xy
cr0@Defensive-Security.com / PurpleLabs / EDRmetry (@cr0nym):

SeaBee - Interesting project that enforces policy-based access control on eBPF objects. It protects a userspace process and its eBPF programs from a variety of attacks, including: - Signals that would kill the userspace program - Ptracing the userspace program - Unauthorized eBPF

Nir Ohfeld (@nirohfeld):

We found a new container escape affecting all container runtimes using @NVIDIA GPUs.

The crazy part?
The exploit is just three lines long 🤯

This is the story of #NVIDIAScape 🧵👇
ZeroNights (@zeronights):

ZeroNights CFP is open 🔥

Long time no see. ZN will take place on Nov 26, 2025. zeronights.ru

The program committee is accepting talks in Offensive and SecOps tracks, rewarding exclusive in-person presentations.

Submit: cfp.zeronights.ru/zeronights-202…
@cfptime
Mark Manning (@antitree):

I'm releasing my latest project today: seccompare.com

Ever wonder if your custom seccomp profile is secure? Or is it actually less secure than RuntimeDefault? antitree.com/2025/07/introd…
Daniele Polencic (@danielepolencic@hachyderm.io / @danielepolencic):

Confused about how runAsNonRoot, capabilities, seccomp, and AppArmor relate to each other in Kubernetes?

Our new article shows exactly how each SecurityContext field maps to Linux syscalls and kernel

Finally understand what you're actually configuring: learnkube.com/security-conte…
Dino A. Dai Zovi (@dinodaizovi):

You can solve most security problems in either a churny or a chill way. Here's an example: patching k8s nodes can either be reactive when there is a high severity vulnerability, or it can be proactive by making nodes ephemeral. Run the latest AMI and Amazon Linux updates at boot.

cr0@Defensive-Security.com / PurpleLabs / EDRmetry (@cr0nym):

Let's go! Offensive / #redteam #Linux Mindmap v16/09/2025 as a core for EDRmetry Linux Matrix - your Comprehensive Hands-On Attack TTPs Catalog.

Full view is here: edu.defensive-security.com/content-assets…
Ron Masas (@ronmasas):

This was a fun one! Docker just patched a high-severity vulnerability I found in Docker Compose (CVE-2025-62725, rated CVSS 8.9). I discovered that including an OCI include statement in a Docker Compose YAML file could lead to an arbitrary file write on the host at OCI

Grafana (@grafana):

The 1st alpha of OpenTelemetry eBPF instrumentation (OBI) is live 🎉 Originally Grafana Beyla, OBI brings zero-code, zero-downtime telemetry to any app. Read the blog post: opentelemetry.io/blog/2025/obi-…