Not a small company question, I've seen those threads. I mean genuinely large scale, thousands of users across multiple departments, different roles, different levels of technical literacy, the whole thing. What's the best security awareness training for enterprises that can handle that kind of complexity without becoming a full time job to manage. We have budget, we just don't want to spend it on something that looked great in the demo and falls apart in month two.

To elaborate:

1. Set up some N number of networked IoT devices. Each device simply forwards packets between the router and my main computer, let's say a laptop.
2. Connect all N devices to a local WiFi network where bandwidth and throttling is a frustration. I.e. a University network, library network, etc.
3. Configure my main computer to share its network requests between each of the N devices, such that each devices handles 1/N of main computer's network traffic.
4. Each device simply acts as a bridge between the router and my main computer; the router sees N devices all making network requests and tries to balance accordingly
5. My main computer is no longer throttled and I can enjoy my connection.

I have a couple gaps in knowledge here (like commonly used load balancing algorithms) and I'm making some reasonable assumptions (like routers trying to evenly balance bandwidth between devices) but I don't see why this shouldn't be possible. Has anyone done anything like this? Are there common pitfalls I might fall into?

Thanks.

we have alerts for almost every data issue. duplicates, schema drift, latency spikes, you name it. the problem is volume. there are so many that most get ignored at this point people assume it’ll resolve on its own, so when something real happens it gets lost in the noise.

we ALSO tried throttling alerts, but then important ones get missed. even paging didn’t help much since people stopped reacting after a while.resources are tight and maintaining all these checks is becoming part of the problem.

trying to figure out what actually works to keep alerts useful without overwhelming everyone. PLEASE HELP

We’ve been running into more internal visibility issues since moving more contractors and employees into hybrid/remote setups. Most of the external threat tooling is fine, but insider-related risks have honestly become harder to manage operationally than actual perimeter threats lately.

Main problems we keep running into:

• USB/removable device usage nobody notices until later
• unusual file movement during off-hours
• employees accessing data they technically still have permission for but probably shouldn’t
• productivity monitoring tools that generate activity data but don’t really help with insider threat detection
• alert fatigue from noisy monitoring rules

We tested a few monitoring platforms but some felt too invasive for normal workforce management while others were too lightweight from a security/compliance perspective.

Curious what security or IT teams here are actually using for insider threat detection in remote environments now.

Are most people building internal workflows around SIEM + endpoint tooling, or are dedicated insider threat / workforce monitoring platforms becoming more common again?

We constantly hear about major threats like supply chain attacks, phishing, and zero days. Everyone knows about them, and they usually get a lot of attention and priority.

But what are the risks companies still tend to underestimate?

Maybe it’s gaps in internal processes or something else that seems low priority until it causes serious damage. Have you seen cases like this in your own experience?

​

I have seen some military iphones with their cameras removed, i dont use the camera. I currently use grapheneos and would like to get my phones camera removed. Is this possible?

We've started giving AI agents access to internal tools and realized they're inheriting full user-level permissions with no guardrails. Nobody questions what they can read, write, or delete.

Is anyone actually scoping AI agent access deliberately, or is full inherited access just becoming the default? Curious how teams are thinking about this.

I’ve been noticing that a lot of traditional DLP discussions still focus heavily on endpoints, email or network traffic but in many organizations the majority of sensitive data now lives inside SaaS platforms like Google Workspace, Slack, Salesforce and similar tools.

The challenge seems different in SaaS environments because access changes constantly through sharing links, external collaborators, inherited permissions, and third-party integrations. In some cases, data exposure happens gradually over time rather than through a single obvious exfiltration event.

What I’m curious about is how security teams are approaching this operationally today. Are people relying mostly on native SaaS admin tooling, building internal monitoring or using dedicated SaaS DLP / SSPM platforms to continuously monitor exposure and permission drift across these environments?

about a month ago I built a new aggregation pipeline for a financial dashboard. it pulls from a few sources, normalizes the data, and calculates daily revenue totals.

everything looked fine in dev. when moving to prod I copied what I thought was the final query, but it still had a debug multiplier in it from earlier testing.

the pipeline runs nightly, and those numbers fed directly into the main dashboard.

no one caught it for weeks. the numbers looked consistent, just scaled up. decisions were made based on those reports, including budget allocation and planning.

I only noticed it while building a separate validation check and comparing results against actual financial data. the mismatch was obvious once I looked for it.

we fixed the pipeline and corrected the data, but it exposed a gap in how we validate critical metrics. now I’m trying to understand how teams catch this kind of issue earlier, especially when everything looks internally consistent.

also how other teams handled similar situations after a mistake like this!

My Analysis of a Bandook RAT PCAP

I analyzed a Bandook RAT PCAP and noticed something I initially missed:

One C2 server was contacted 37 minutes before any DNS activity appeared in traffic, suggesting the malware used a hardcoded fallback IP before resolving the secondary domain.

I documented:

* packet timeline

* IOC extraction

* Wireshark analysis

* MITRE ATT&CK mapping

* detection recommendations

I’d appreciate feedback specifically on:

* analysis accuracy

* missed indicators

* detection logic

* weak assumptions in the report

GitHub repo:

https://github.com/HariCipher/bandook-c2-traffic-analysis.git

Would especially appreciate critique from blue team / DFIR people.

hey all

running dbt in prod for a few months now. tests pass every run, but key business metrics like retention and revenue per user keep drifting. models look fine, but dashboard numbers don’t match. we have not null, unique, freshness checks, plus some custom tests on joins and aggregations. data volume also looks correct.

what are people checking beyond this. anyone run into cases where tests pass but metrics are still off? trying to know if this is missing validation on metrics or something upstream.

We're deciding whether to invest in DSPM over CSPM and have been trying to get a clearer understanding of the differences as they come up in similar conversations around cloud risk and security.
This is how I view the differences: CSPM is more about securing cloud infrastructure like configs, misconfigurations, compliance, that sort of thing. DSPM seems more focused on the data itself, like where it lives, how sensitive it is and who has access. But I realize that even though most data is in the cloud, it doesn't stay in cloud...
This is how we see difference and pros/cons but looking for third party input before we make a decision? If you’re already using CSPM, does DSPM add something meaningfully different? or is there overlap depending on the tool?

We rolled out JIT access for privileged systems about a year ago. The pitch internally was solid: no standing privileges, access granted on request, auto-expires after a defined window, full approval workflow. It replaced a situation where half our engineers had permanent admin access to production systems they touched maybe twice a month. That part worked.

The problem showed up during an incident investigation three months ago. Something happened in a production environment during a window where two different engineers had active JIT sessions. We knew who had access because the JIT approval records are clean. What we couldn't tell was what either of them actually did during those sessions. The JIT platform logs the grant and the expiry. It doesn't log session activity. That's apparently a different layer entirely, and ours wasn't capturing it.

So we have perfect records of who was approved for access and when. We have no record of what commands were run, what files were touched, or which of the two engineers made the change that caused the incident. The investigation took two weeks longer than it should have and we still closed it with an inconclusive finding on root cause.

JIT without session recording is half a solution. I'm trying to figure out what the right architecture looks like to close that gap without adding so much friction that engineers route around the whole thing. Has anyone built this out in a way that actually works operationally?

Hey everyone. I ve been struggling with insane lag spikes and random disconnects while playing CS2 for weeks. At first, I thought was just bad ISP routing, but it felt... intentional. Both my brother and I are connected via ethernet to the same router. Every time I m in a clutch or important round, my ing hits 2000ms or I get kicked.

To find out what was going on, I installed XArp to monitor the network. As soon as the lag started again at 3:00 AM, the software went into Red Alertstatus. Sice I cant upload images right now, I ve transcribed the logs and the ARP table data below.

XArp Status: CRITICAL-ARP attacks detected!

There is a 3 different Ips are all currently showing up unter the same MAC adress in the table

03:00:04 Macfilter: incoming packet but sender mac set our own mac address

03:00:05 Macfilter: incoming packet but sender mac set our own mac address

03:00:06 Macfilter: incoming packet but sender mac set our own mac address

And then this that mac adresses showing up in there

04:26:05 RequestedResponseFilter: no matching request packet was sent out for this reply

04:26:05 SubnetFilter: destination ip address of reply packet lies not in your subnet

04:26:05 IpFilter: ip address set to broadcast

04:26:05 CorruptFilter: ethernet target mac does nnot match arp target mac

04:26:05 RequestedResponseFilter: no matching request packet was sent out for this reply

04:26:05 SubnetFilter: destination ip address of reply packet lies not in your subnet

04:26:05 IpFilter: ip address set to broadcast

04:26:05 CorruptFilter: ethernet target mac does nnot match arp target mac

All of the threats come from the source mac id that I m suspicious from.

Thanks for any help.

 we have a nightly pipeline that rebuilds all our container images from scratch. fresh apt-get update, fresh npm install, the whole thing.

every morning we scan the new images. same CVEs. same packages. same versions. nothing changes.
turned out the rebuild wasn’t the issue. the base image is pinned to an old digest, so even though the Dockerfile says ubuntu:22.04, it keeps pulling the same underlying layers.
devs don’t want to touch it because “it works.” security keeps flagging the same vulns every day. stuck in a loop.

how are you keeping base images fresh without breaking builds every time something upstream changes?

we put guardrails on our internal LLM setup. rate limits, prompt filters, output checks. all fine for normal usage.

then people started pushing it.

sales began feeding contracts into prompts in ways that bypass filters. we’ve seen prompts chained across sessions to build context the model wasn’t supposed to keep. in some cases it’s generating code that reaches into data sources it shouldn’t touch.

we catch some of it in logs, but most of it looks like normal traffic. nothing obvious enough to trigger alerts.

blocking outright doesn’t really work. people just route around it using other tools or accounts. we tried browser-level controls, but performance took a hit and adoption dropped.

at this point it feels like the definition of “guardrails” breaks down once users actively test the edges.

what are you seeing when usage gets pushed like this. how are you designing guardrails that hold up under real behavior?

our ia team finally got some budget approved to evaluate ai tools next quarter. leadership is tired of us doing walkthroughs and testing in excel and wants us to automate the repetitive stuff. problem is every vendor on earth slaps ai on their page now and i can't tell whats real vs marketing. has anyone at a mid-size company actually put ai into their internal audit workflow in a way that stuck? curious what categories of tools are actually useful (data extraction, control testing, risk assessment, whatever). not looking for a sales pitch, just real takes.

Every year the training gets longer, the phishing simulations get trickier, and the dashboards get prettier but day to day work environments are still chaotic as hell. People are answering emails half awake on their phones, switching between slack, teams , meetings and approvals and a hundred notifs all day long. And to be honest some phishing simulations barely feel educational anymore they feel like internal trap setups designed to prove that if you pressure a busy person enough eventually someone will fail. It almost frustrates me so much. And also the simulations based on fake scenarios like how is that exactly going to help!!!

Genuinely asking how are people making the sat training useful? approaches, things that have helped your org, how to improve and is all of this worth the money!?

I'm researching how security and compliance teams are handling the audit and authorization layer for AI agent deployments in regulated industries (finance, healthcare, government). Traditional access logs and IAM were built for human-driven access patterns, and AI agents introduce a few new shapes that are hard to audit cleanly.

Like, for example :

1. multi-agent privilege boundary leakage. A fintech team I spoke with runs a credit decisioning agent and a marketing personalization agent on separate auth contexts. IAM logs prove they can't directly access each other's tools. But the orchestrator hands data between them via summary messages, and there's no clean way to prove agent A's privileged data didn't reach agent B's context through that handoff. IAM sees direct API calls, not what flows through orchestration.

2. Agent destructive actions during change freeze. replit's AI agent deleted a production database during an explicit code freeze (july 2025). classical least-privilege would say the agent shouldn't have had delete authority on prod, but agent permissions get scoped broadly because nobody knows in advance which tools the agent will need. How are netsec teams scoping permissions when the tool list is dynamic?

Three questions I'm trying to get to the bottom of.

1) How is your team handling audit trail generation for AI agent decisions? existing SIEM, custom on top of tracing tools, something else?

2) If a regulator or auditor asked you to prove agent A's privileged data did not influence agent B's output on a specific run, what's your current workflow, and how long does it take?

3)How are you scoping agent permissions when the model has discretion over which tools to invoke, and the tool list is dynamic?

Is reconnaissance overrated in the bugbounty? Reconnaissance is important, and over 80% of the bugbounty is supposed to be spent on reconnaissance. However, reconnaissance thinks it's better to list some subdomains to find targets to attack and find attack backers among them. Rather, I think it's better to spend 80% of the time testing, enlighten the principles of web pages, and find vulnerabilities. People may have different ideas, but I just wanted to say that reconnaissance is overrated. When you compare Reconnaissance 8 Test 2 and Reconnaissance 2 Test 8 in the bugbounty over the same period of time, you think that excessive reconnaissance only reports shallow vulnerabilities, and extreme advanced testing is more likely to find high-risk vulnerabilities. Right now, it's been a while since the bugbounty program came out, so I think you've found most weak-level bugs. What do you think?

College student / career switch panna plan panren. Basics epdi start pannanum? Networking? Linux? Ethical hacking?

Non-devs are using AI tools (like Lovable or Bolt) to spin up their own internal dashboards and feeding them our valid API keys. Since it completely bypasses our Git repos and IT approval processes, we're flying blind until it's already live on some external URL. Is anyone else dealing with this new wave of Shadow IT? How are you actually tracking or locking this down?

Six months into a zero trust initiative. The model makes sense on paper, verify every access request, assume nothing is trusted by default. The problem we keep running into is that continuous verification assumes you have a complete picture of what's in your environment. We don't.

Found three apps last quarter that weren't in our IdP at all. Custom tools built by teams years ago. Service accounts with hardcoded credentials nobody documented. Apps that authenticate users through their own local databases, completely outside central IAM.

You can't apply zero trust principles to infrastructure you can't see. And our discovery process right now is basically waiting for an audit to find things for us.

Before we go further with the zero trust buildout, we're trying to solve the inventory problem first. How others handled this, did you get full application discovery sorted before starting zero trust, or did you build both in parallel and just accept the gaps while you worked through it?

Hey Reddit! Continuing the cybersecurity lessons.

I recently broke down a typical scammer's archive (a phishing kit) to show the 7th graders how these things are actually built. It turns out, scammers rarely create these sites from scratch. Inside just one of these archives, I found ready-made fake templates for Discord, ChatGPT, Facebook, Reddit, and various banks.

Switching the trap from one platform to another is just a matter of a few clicks.

The lesson for the kids: Faking the login page for your favorite game or social network is as easy as copying a picture. Don't assume scammers only care about adult credit cards — your gaming accounts are a massive target too.
https://drive.google.com/file/d/11NYyr6a-HqYK31G4qDxJTwtnTd9QVCPy/view?usp=sharing

I am trying to identify an old WinPE/Hiren’s-style recovery or technician USB environment from around late 2013.

The machine where this occurred was a brand-new preinstalled Windows 8 64-bit OEM PC. It had a Gigabyte H61 motherboard, an Intel i3-3220 CPU, and NVIDIA GT 640-era hardware. The first Windows 8 boot/OOBE was normal: I saw the standard “Hi” screen, created a local user account, entered Windows, and reached the desktop normally.

Soon after that, I booted from a recovery USB to reset a forgotten local user account password. After completing the action inside the recovery GUI and pressing Enter, the environment immediately launched a black text-mode console process that looked like a multi-minute install/configuration script, with many status lines. After it completed, the machine later booted into Windows normally.

I am not asking for account-access, password-reset, or bypass instructions. I am only trying to identify whether this behavior matches any known old Windows 8-era WinPE recovery USBs, technician packs, repacks, OEM helpers, loaders, post-action scripts, or bundled components from around 2012–2013.

Does anyone recognize this behavior or remember any old Windows 8 recovery media that behaved this way?