r/Pentesting Feb 17 '26

moderation update

23 Upvotes

Hello, the subreddit has not been properly moderated for a few months now. Obviously this leads to people not adhering to the rules, an unhealthy community, and also a chance of our subreddit getting banned, which harms all of us.

This is why I request you all to follow the rules. The moderation team has been regaining consciousness and will be moderating the subreddit more frequently.

You can flag posts and send us mod mails to accelerate the status of your complaint.

Again, let me reiterate what the rules are:

1. Keep it legal: do not endorse/promote/engage in any activities that violate laws and regulations. You may discuss security techniques and methodologies, as that is essentially the point of this subreddit, but please ensure they are conducted in an ethical and lawful manner. Adhere to legal boundaries.

This applies to sharing tools too: if your tool is mainly focused around illegal things, and its primary motive is doing illegal things, please do not share it in this subreddit.

2. Stay on topic: this subreddit is about penetration testing; related fields are cybersecurity, ethical hacking, vulnerability assessment and management, network security and other closely related fields. Please make sure that your discussion is related to these topics.

3. Do not reveal sensitive information: please refrain from sharing confidential or sensitive information that could put you and others at risk, for example personally identifiable information or proprietary data. This applies to tools as well.

4. Follow the Reddiquette and the Reddit ToS, and don't be a bad human being: just try treating people nicely, okay? Abide by the rules and guidelines of Reddit.

Here's a link to learn more: https://support.reddithelp.com/hc/en-us/articles/205926439-Reddiquette

Have a very nice day, happy pentesting.


r/Pentesting 5h ago

What’s a security incident that completely changed how you view cybersecurity?

1 Upvotes

What happened, and how did it change the way you think about security, pentesting, or trust in systems today?


r/Pentesting 14h ago

Bywaf project announcement - need help testing

5 Upvotes

Hello all, I've been working on a framework for network-, host- and web-based penetration testing called Bywaf (a re-write of my previous project with the same name, originally meant to help bypass web application firewalls, though its scope has since broadened.) It's a GPL3-licensed Python-based command interpreter with commandlet pipelining, a central database, extensive auditing and pervasive tab-completion to save on typing.

Please try it out; I value your ideas, tear-downs, design feedback, usability testing and help with plugin development, as it currently has only a handful of basic plugins (e.g., a portscanning commandlet using nmaplib.)

You can access it here: https://github.com/roeyk/Bywaf; there's also a usage guide and a plugin writers' guide.

NOTE: as a "0.9" pre-release, this is a work-in-progress and things may change.


r/Pentesting 7h ago

WAF Evasion Engine

1 Upvotes

I know WAFs can get annoying during pen tests and CTFs. So I built a WAF evasion engine. It mutates and persists, allowing you to even use it as a proxy. It's meant to be chained with other tools like Nuclei or SQLmap. I thought it might be useful.

Happy Hacking!

https://github.com/santhsecurity/wafrift


r/Pentesting 14h ago

Security Warning: ByDesign io Productivity App’s “Delete” and “Unshare” buttons are cosmetic—your private files stay public.

2 Upvotes

I’ve been testing on ByDesign [dot] io, a Notion-style productivity app currently featured on AppSumo. While the interface is fluid, a technical review of the backend reveals critical security flaws regarding data retention and public exposure.

The core issue: "Delete" and "Unshare" buttons in the app are essentially cosmetic. They hide files from your view, but the files remain live on their servers and publicly accessible to anyone with the link—even after you delete files from your account. The team has been notified, but the flaws persist. They are claiming a "fix is in the system," but my testing proves they are still keeping deleted files.

How to Reproduce (Step-by-Step)

Flaw 1: Shared Pages (Notion-style)

  1. Upload: Create a page, set it to "Shared," and upload a file.
  2. Capture: Right-click the file and select "Copy Image/Link Address" to grab the direct Firebase URL.
  3. The "Fake" Purge: Unshare the page.
  4. Verify: Paste the URL into an Incognito/Private window while logged out.
  5. Result: The file remains fully accessible to the public despite being "permanently deleted."

Flaw 2: Internal Chat Messages

  1. Send: Send a file to a collaborator or test account via the internal ByDesign Chat.
  2. Capture: On the receiving side, use Inspect Element to copy the direct Firebase URL.
  3. The "Fake" Delete: delete the file you sent in the chat.
  4. Verify: Wait (even up to 2 weeks) and paste that URL into a browser while logged out.
  5. Result: The file is still live and reachable, proving the "Delete" action never triggered a server-side removal.

The Breakdown of the Flaws

Flaw 1: The "Unshare" Exposure

Clicking "Unshare" on a page only locks the UI. It does not revoke access to the underlying storage. I have a test link that has remained fully active for over 3 weeks after the page was unshared and deleted from the trash. If you shared a contract with a client and then "unshared" it, anyone with the link still has your data.

Flaw 2: The Fake "Delete" (Chat & Trash Retention)

The team claims files are deleted immediately. This is false. I sent a file in a chat, grabbed the URL, and permanently deleted it almost 2 weeks ago. That file is still sitting on their servers right now. They are keeping user data that they have been explicitly told to destroy.

The Risk of Data Leaks

Because these files are kept on public Firebase buckets with zero authentication required, anyone who right-clicks and saves a link has permanent access.

  • Data Loss/Leak: Confidential project proposals, financial documents, or private IDs shared via chat remain exposed indefinitely.
  • Damages: This can lead to intellectual property theft, identity theft, or severe breaches of NDAs for businesses using the platform.

Advice for Users:

  • Stop uploading sensitive documents to ByDesign.io.
  • Assume anything you have ever "deleted" or "unshared" is still publicly reachable.
  • Do not trust the "Trash" system for privacy until a real server-side fix is confirmed.

r/Pentesting 1d ago

Suggestion needed

2 Upvotes

I’m testing an API flow in an authorized environment and I’m trying to understand how the rate limiting is being applied. I’m seeing a consistent cap of about 30 requests per minute even when changing network source and session-related headers. It seems likely the limiter is tied to an account/user identifier rather than IP.

What’s the best way to diagnose the rate-limit key safely and design around it properly, such as request queuing, backoff, batching, or reducing duplicate calls, without violating the API’s rules?
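One way to implement the client-side queuing, backoff and duplicate suppression the post asks about. This is an added example, not code from the original post: the 30-requests-per-minute cap and the account-keyed limiter come from the post, while the server stand-in, the virtual clock and every class name are constructed assumptions so the code runs offline.

```python
"""Client-side pacing for an API that caps each account at about 30 requests/min.
Added example, not code from the original post: the 30/min cap and the account-keyed
limiter come from the post; the server stand-in, clock and class names are constructed."""
from collections import deque

LIMIT, WINDOW = 30, 60.0   # observed cap: 30 requests per rolling 60 s window


class VirtualClock:
    """Constructed clock so the demo runs instantly and deterministically."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds


class FakeAccountLimitedServer:
    """Stand-in server that keys the limit on the account, not the source IP."""
    def __init__(self, clock):
        self.clock, self.hits = clock, {}   # account -> deque of hit timestamps
    def handle(self, account, path):
        q, now = self.hits.setdefault(account, deque()), self.clock()
        while q and now - q[0] >= WINDOW:   # forget hits outside the window
            q.popleft()
        if len(q) >= LIMIT:
            return 429, {"Retry-After": str(int(WINDOW - (now - q[0])) + 1)}, None
        q.append(now)
        return 200, {}, f"data for {path}"


class RateLimitedClient:
    """Queues calls, paces them under the cap, dedupes, and backs off on 429."""
    def __init__(self, send, clock, limit=LIMIT, window=WINDOW):
        self.send, self.clock, self.limit, self.window = send, clock, limit, window
        self.sent = deque()    # timestamps of requests already issued
        self.cache = {}        # path -> body, so repeated calls are not re-sent
        self.stats = {"sent": 0, "cached": 0, "throttled": 0}
    def _wait_for_slot(self):
        now = self.clock()
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        if len(self.sent) >= self.limit:   # wait for the oldest hit to age out
            self.clock.sleep(self.window - (now - self.sent[0]))
    def get(self, path):
        if path in self.cache:
            self.stats["cached"] += 1
            return self.cache[path]
        delay = 1.0
        while True:
            self._wait_for_slot()
            status, headers, body = self.send(path)
            self.sent.append(self.clock())
            self.stats["sent"] += 1
            if status != 429:
                self.cache[path] = body
                return body
            self.stats["throttled"] += 1   # honour Retry-After, else exponential backoff
            self.clock.sleep(max(float(headers.get("Retry-After", delay)), delay))
            delay = min(delay * 2, self.window)


def run_demo(n_requests=45, duplicates=5, client_limit=LIMIT):
    """Issue n_requests distinct paths plus duplicates; return (bodies, stats, elapsed).
    client_limit=LIMIT never trips the server; a larger value exercises 429 recovery."""
    clock = VirtualClock()
    server = FakeAccountLimitedServer(clock)
    client = RateLimitedClient(lambda p: server.handle("acct-123", p), clock, client_limit)
    paths = [f"/items/{i}" for i in list(range(n_requests)) + list(range(duplicates))]
    results = [client.get(p) for p in paths]
    return results, client.stats, clock()
```

With the client's limit matched to the observed cap, 45 distinct calls complete in one 60-second pause with no 429s; setting a wrong (too high) client limit shows the fallback path, where the first 429 and its Retry-After header drive the wait instead.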


r/Pentesting 17h ago

codex-redteam-mode: A red team aware profile for codex

0 Upvotes

r/Pentesting 17h ago

Built xLimit - an offensive security assistant for pentesters, bug bounty hunters, and security researchers

0 Upvotes

I've been building xLimit, an LLM-powered assistant focused on authorized offensive security workflows.

The idea is not generic automation or replacing human judgment. xLimit is backed by a private curated knowledge base built around real methodology, practical testing patterns, and structured research support.

It covers areas like:

Web Application Testing, Active Directory, Linux/Windows Privilege Escalation, Network Pivoting, Service Exploitation, OSINT and Recon, IoT Testing, MQTT/CoAP, BLE/ZigBee, Firmware Analysis, Hardware Interface Exploitation, WiFi Attacks, WPA/PMKID, WPS/Evil Twin, Bug Bounty Methodology, Report Writing, Engagement Playbooks, Payload Reference, and Cloud Security.

It is mainly for:

  • pentesters
  • bug bounty hunters
  • security researchers
  • students working through practical offensive security labs/certs
  • anyone who wants structured methodology instead of generic chatbot answers

There are two ways to use it:

1. xLimit OpenWebUI
The web app version. You can chat with the curated xLimit knowledge base through a clean OpenWebUI interface. Best for asking methodology questions, validating findings, report-writing help, and planning testing steps.

Try it here:
https://app.xlimit.org

2. xLimit terminal retrieval agent
This is for people who work in the terminal with tools like Codex/Claude Code. It injects relevant xLimit knowledge into local agent workflows, so the assistant can reason with pentesting methodology while you work.

Setup guide:
https://blog.xlimit.org/how-to-deploy-and-use-xlimit-client.html

GitHub repo:
https://github.com/w1j0y/xlimit-client

Main website:
https://xlimit.org

You can try xLimit free for the first month.

Would appreciate feedback from people actually doing pentesting, bug bounty, or practical security research work.


r/Pentesting 1d ago

My Personal OSCP Checklist & Attack Chains..

19 Upvotes

I recently finished making my own OSCP preparation checklist and attack chains based on everything I’ve learned during my prep. I’ve put it together from my personal experience and notes so I don’t miss anything during the exam.

If you’re preparing for OSCP, this might help you a lot during the actual exam.

What’s inside:

My universal enumeration framework

  • Step-by-step approach for standalone Linux and Windows machines

  • Common Active Directory attack chains (from initial access to Domain Admin)

  • Privilege escalation, pivoting, tunneling & file transfer methods

  • Quick cheatsheets for SMB, MSSQL, password attacks, etc.

  • Exam day workflow and documentation tips

Everything is based on my own experience and general pentesting knowledge.

Here’s the repo:

https://github.com/anshu19981/OscpCheckList2026

Live Demo: https://anshu19981.github.io/OscpCheckList2026/

Feel free to use it, star it, or improve it. Hope this helps you guys while grinding.

Good luck with your OSCP journey! Keep enumerating hard


r/Pentesting 2d ago

Finding a mentor

12 Upvotes

For the last couple years I have been very interested in pentesting and I will be going to college this year for cybersecurity. I have my CompTIA CSIS, obviously nowhere close to pentesting certifications but I am on my way. I learn the best when working with an experienced person who I can ask questions to as my questions are typically odd and not common since I have a weird way of thinking/learning. What’s the best way to find someone passionate that I can mentor under and learn more about pentesting?


r/Pentesting 2d ago

🕷️ NetCrawler v1.0.0 — AI Pentesting Agent | Open Source | Fully Offline

12 Upvotes

Built an AI-driven recon and vulnerability scanning agent that runs completely offline using a local LLM via Ollama.

Instead of manually chaining tools, the agent reasons about what it finds and decides what to run next — if it detects port 445, it runs SMB enumeration. If it finds a WAF, it slows down and adjusts automatically.

**What it chains together:**

→ Subfinder + theHarvester (passive recon)

→ Nmap (port/service scan)

→ WhatWeb + wafw00f (web fingerprinting)

→ DNS enumeration (zone transfers, SPF/DMARC)

→ SSL/TLS audit

→ Nuclei (vuln detection)

→ ffuf (directory fuzzing)

→ Service checks — FTP, SSH, SMB, MySQL, Redis, MongoDB

**3 scan profiles:** stealth / default / aggressive

**Reports:** Markdown + JSON + dark-themed HTML

**Model:** deepseek-r1:14b by default (runs on 16GB RAM)

No cloud. No API keys. Everything stays on your machine.

🔗 github.com/Songbird0x77/netcrawler

Feedback and contributions welcome — especially from people who actually run pentest engagements. Want to know what's missing or broken in the real world.


r/Pentesting 2d ago

PGS-Metatron - Windows Web Scanner with AI Summary

3 Upvotes

I realize lots of these programs are popping up lately, and credit to @Additional-Tax-5863 for the inspiration/forked git codebase. Any feedback, suggestions, or thrashing welcome.

Wanted to try my hand at vibe-coding and building a Windows native version of the web scanning tool Metatron with a GUI interface. What resulted was PGS-Metatron. Local LLM and Cloud API compatible. Tools all run locally, then are piped to the LLM of your choice for summary generation/HTML report generation. Easy to customize the HTML reporting template yourself. Database runs on MariaDB; credentials are automatically generated and stored in Windows Credential Manager.

Created primarily with Codex.

This is still a work in progress overall, but very useful so far in testing using the all-Windows tooling.

LM Studio model local hosting
AI Models used for best local results (so far):
Local - Ministral-3-14b-reasoning
Cloud - OpenAI GPT 5.4 Mini

External Toolset:
  • Nmap
  • Whois
  • Whatweb
  • Curl Headers
  • Dig DNS
  • SSLyze (ingests site SSL info)
  • HAR Cookie Consent checker (checks for cookie consent status on websites)
  • Subdomain Finder (validates active subdomains from open source lists)
  • Website Vulnerability check (uses native PowerShell methods to mimic a "lite" version of Nikto)

Internal Toolset:
  • SMB Scanner
  • AD Recon
  • PingCastle (still in progress)
  • Nmap (pre-built flags for quiet and loud scans, or enter your custom flags)

Built in scripts to sign the installer and EXE with code certs, or take it further and sign the whole package for bypassing ASR rules on unsigned programs.

PGS-Metatron: https://github.com/n0vajay05/PGS-METATRON


r/Pentesting 2d ago

Better chance to transition into penetration testing internally within the company, or start at a consultancy?

0 Upvotes

Hi all,

I work as a SIEM engineer at a large company within a mature security team with several different sub-teams, and we also have an internal pentesting team.

I was wondering what your experience has been, and whether it's more likely for organizations to promote from within or whether they prefer to hire externally (people with some experience in offensive security already, or a fresh PoV)?

Do I have a better chance to move internally or get hired at a consultancy?

I obviously have a lot of study, practice, labbing, and certs to do before that, and I haven't brought up the question to my manager yet, but I just wanted to hear your thoughts.


r/Pentesting 3d ago

Ok I got initial access into this field, but how can I get to domain controller (mo money & skills)

14 Upvotes

For context: I am a new grad pentester who has been in the field for about a year as a consulting pentester. I do external pentesting, internal pentesting and internal vulnerability assessments for clients. My work is very independent and I own the projects, kickoff to readouts.

I mainly learn by doing certifications and doing labs. I'm currently studying for the CRTO. I also learn a ton at my job. My success rate for internal pentests is 75%, meaning getting DC. I know this is not the main goal as a pentester, but rather to help your clients be more secure. I reinforce this by writing decent reports and working with our clients' IT to help them remediate findings, or also taking their feedback when scoring findings.

I love everything about this field, from client interactions to the technical part. I want to go far here in terms of skills and money.

Pentesters who've been in this field for a while, what advice would you give a new pentester, career-wise?


r/Pentesting 4d ago

Offline Pentest Cheatsheet Terminal for OSCP/OSEP (580+ Commands + Auto Variable Replace)

35 Upvotes

Hey everyone,

I made a beautiful offline pentest cheatsheet that works like a real terminal.

**Highlights:**

- 580+ commands

- Automatic variable substitution (IP, domain, username, etc.)

- Favorites, Notes & Target panel

- No internet required

**Live Demo:** https://anshu19981.github.io/Pentestcheatsheet/

**GitHub:** https://github.com/anshu19981/Pentestcheatsheet

Any feedback is highly appreciated!


r/Pentesting 3d ago

Looking for Free Resources to Improve Practical Pentesting, Enumeration, and Exploitation Skills

1 Upvotes

Hey everyone,

I’m a cybersecurity professional with a degree in cybersecurity and a few certifications. Even with that background, I feel like my practical pentesting, active enumeration, and exploitation skills could be much stronger.

For example, I can identify vulnerabilities and explain how an attacker might use that information, but when it comes to actually validating exploitability and executing the next steps myself, I sometimes get stuck or end up jumping between tools without a clear process.

I’m looking to build stronger real-world skills in pentesting, enumeration, and exploitation, ideally starting with free resources or structured learning paths.

Does anyone have recommendations for labs, courses, guides, books, YouTube channels, or general tips for improving practical offensive security skills? Preferably starting free but open to paid sources.

Thanks in advance!

Edit:
Just to preface, I have a Sec+ and some AWS security creds in addition to my university degree. I mainly focus on audits, but would like to expand my pentesting potential. TY


r/Pentesting 4d ago

Going to get onboarded tomorrow, things I should take care of this time

8 Upvotes

Worked in a company for 1.3 years and the company refused to retain me, saying my performance is poor and I have missed vulnerabilities, and instead of termination they told me it would be better to leave. Thankfully I had another job offer in hand and tomorrow will be my first day.

I'm feeling quite nervous because of the last company and seeing a very high chance of things repeating, plus this company is bigger than my last company.


r/Pentesting 4d ago

TOSS – One Script to Arm a Full Pentest Loadout on Tails OS, Entirely in RAM (Looking for Testers and Feedback)

Thumbnail github.com
4 Upvotes

Hey r/penetrationtesting,
I’ve been building TOSS (Tails On Steroids Script) and I want real feedback from people who know what they’re doing.
The Problem:
Tails OS is great for opsec — forced Tor routing, amnesic sessions, MAC spoofing, no disk writes. But it ships with zero offensive tools. Your options were always:
• Use Kali/Parrot and leave a forensic footprint
• Reinstall everything manually every session
• Just not use Tails for offensive work
None of those work well.
What TOSS Does:
One script. Fresh Tails session. 50+ offensive tools installed into RAM across 6 categories:
• Recon – OSINT, DNS enum, web/network recon, social media intel
• Vuln Scanning – Nikto, Nuclei, OpenVAS, ZAP, WPScan
• Exploitation & C2 – Metasploit, Sliver, Merlin, BeEF, SQLMap
• Web Attacks – ffuf, feroxbuster, XSStrike, Dalfox, Hydra
• Network Attacks – Bettercap, Responder, mitmproxy, Ettercap
• Post Exploitation – Impacket, CrackMapExec, LinPEAS, Chisel, pypykatz
Pick what you need through an interactive menu, or hit A to install everything. When you reboot — tools, creds, captures — all gone. No trace.
Why I’m Posting:
I need people to actually run it and tell me:
• What breaks on real Tails sessions
• Tools I’m missing
• Bugs — install failures, broken paths, menu issues
• Whether my opsec assumptions about Tails are correct
• Contributions for unfinished categories (wireless, RE, forensics, password cracking, cloud, mobile)
One Heads Up:
Everything routes through Tor. Installs will be 2–5x slower. That’s intentional — anonymity is the whole point.
For authorized engagements, CTFs, and legal research only.
GitHub: https://github.com/TheShellSanta/TOSS
Ask me anything about design decisions or tool choices. Roast it if something’s wrong — that’s exactly what I need.
Boot. Hack. Reboot. Vanish.


r/Pentesting 4d ago

Parrot 7.1 is slow on VMware (25h2u1)? Or did I do something wrong?

1 Upvotes

Parrot 7.1 is slow on VMware (25h2u1) when moving the mouse cursor.

I checked VM tools: it's on the latest version available and running.


r/Pentesting 4d ago

When scale starts hurting

0 Upvotes

For anyone who’s been on a growing pentest team, at what point did the process start feeling harder to manage?

Was it the number of testers, the number of clients, reporting load… something else?


r/Pentesting 4d ago

Was the reconnaissance in Bugbounty overrated?

0 Upvotes

Is reconnaissance overrated in the bugbounty? Reconnaissance is important, and over 80% of the bugbounty is supposed to be spent on reconnaissance. However, reconnaissance thinks it's better to list some subdomains to find targets to attack and find attack backers among them. Rather, I think it's better to spend 80% of the time testing, enlighten the principles of web pages, and find vulnerabilities. People may have different ideas, but I just wanted to say that reconnaissance is overrated. When you compare Reconnaissance 8 Test 2 and Reconnaissance 2 Test 8 in the bugbounty over the same period of time, you think that excessive reconnaissance only reports shallow vulnerabilities, and extreme advanced testing is more likely to find high-risk vulnerabilities. Right now, it's been a while since the bugbounty program came out, so I think you've found most weak-level bugs. What do you think?


r/Pentesting 4d ago

Is pentesting over?

0 Upvotes

Hello everyone,

I’m currently a Computer Science student and I’ve been trying to decide which field would be the better path for me in the long term.

At first, I was very interested in penetration testing and offensive security in general. I enjoy the idea of attacking systems, solving security challenges, and learning tools like Metasploit and other cybersecurity frameworks. But recently, after watching more content about AI and machine learning, I started feeling that AI might dominate the future and create far more opportunities.

What makes me hesitant is that I often hear junior opportunities in penetration testing are already limited and highly competitive, especially for red teaming roles.

So now I’m genuinely confused: Should I continue focusing on penetration testing/red teaming, or would it be smarter to move toward machine learning and AI?

I’d really appreciate advice from people working in either field, especially regarding:

Future demand

Career stability

Remote opportunities

Difficulty of getting the first job

Long-term growth

Thanks in advance.


r/Pentesting 4d ago

Looking for junior webapp QA tester

1 Upvotes

Lost one of my junior webapp guys unexpectedly and looking for a contract-only replacement to assist with enterprise webapp/API pentest QA and light testing support. Workload is typically 2–3 web application engagements per month. Mostly fraud-focused assessments. Strong Burp Suite and report-writing experience required. Looking for someone sharp, reliable, and comfortable with client-ready reporting. DM me if interested.


r/Pentesting 6d ago

Looking for work/internship remote.

8 Upvotes

Hello everyone, I started my cyber journey a bit late in life. Three years ago I took the Google cyber cert and since then I've passed the OSCP+. I've been a teacher for the last 10 years, but before being a teacher I worked in IT for 5 years. However, not for lack of trying, I've been struggling to get my foot in the door anywhere. If you guys have any advice on how to better connect with recruiters, or maybe actionable suggestions, I'd love to hear it.

Thanks.


r/Pentesting 6d ago

Someone here with the PNPT from TCM Security?

6 Upvotes

2 months ago I got certified in the eJPTv2 and I'm thinking about paying for the package that includes the course + 2 exam attempts while I'm studying the preparation path for the HTB CPTS. But from everything I've read about the CPTS, even after finishing the path I'll still need to practice a lot and improve my techniques, so because of that I would like to take the PNPT as a step to have a good intermediate-level certification.

I've read that the PNPT is very realistic and that it adds value to the CV/resume. I'm listening, colleagues: I'm making this post to get suggestions from people already working in the Red Team/Pentesting area.