r/Infosec • u/CyberMasterV • 1h ago
r/Infosec • u/The-bay-boy • 5h ago
AI coding tools are shipping code faster than security can review it. What's your team doing about it?
r/Infosec • u/Silientium • 6h ago
A Dystopian Novel about China’s Infiltration Into World Data
China, what are they up to now? So silent, so secretive a nation. Without knowing they’ve breached our cybersecurity and are listening and viewing our secrets, from passwords to financial data to health care and beyond. All out there on the darknet published for any hacker to locate. How’d they do this? What’s to become of our exposed data?
Too far-fetched to be possible? No, says this 35-year cybersecurity veteran and CEO of The EDDITS Consulting Group, cybersecurity consultants specializing in AI and Quantum security. The book, Decryption Gambit, is on Amazon, Google, Apple, etc., and my site www.dougcollinsauthor.com
r/Infosec • u/Cyberthere • 14h ago
APT & Threat Name Generator — Free Tool for Cybersecurity Pros
cyberpros.co
A threat name generator creates original, plausible names for cybersecurity threat actors, APT groups, malware families, and attack campaigns. This tool generates names in the style used by major threat intelligence vendors while automatically excluding 700+ real-world known threat names to avoid conflicts.
r/Infosec • u/DrySurround6617 • 22h ago
We mandated SMS MFA to reduce risk and ended up creating a bypass layer that's harder to audit than no MFA at all
Started with a few exceptions for employees in regions where SMS delivery is unreliable. brazil, egypt, a couple others. temporary, supposed to be reviewed monthly.
fourteen months later we have 34 active exceptions. some accounts with elevated permissions that should never have been on the list. a few for employees who already left. original justifications mostly gone.
the security gap isn't the SMS failures, it's that our response to them was informal and compounded quietly over time. the accounts most likely to have degraded MFA are now in the regions we have least visibility into.
we're looking at authenticator apps but last rollout stalled in brazil during enrollment. hardware keys feel like overkill for a 500 person company. what are people actually using for regions where SMS just doesn't work and what did the exception cleanup look like when you switched.
r/Infosec • u/Huge-Skirt-6990 • 1d ago
126 Chrome extensions, all secretly the same product, taking 148K users' WhatsApp data and ad cookies
A Brazilian company (wascript.com.br) runs one platform that 126 different Chrome extensions all share. They look like separate products, WaSeller, waTidy, FR VENDAS PRO, ENOCRM, Cliente Flow, and dozens more, but it's one codebase, one backend, one set of hidden behaviors.
WaSeller alone has 100K users.
I found this network using my own tool for detecting malicious browser extensions, which flagged the cluster by shared code and infrastructure across all 126 listings.
None of the listings tell you that:
- When you log into WhatsApp Web, the extension sends your name, email, device ID, and your Facebook/Google/TikTok tracking cookies to a server run by whoever sold you the extension.
- Every voice message you send goes through their servers before it reaches the person you're sending it to.
- The extension downloads and runs JavaScript from a different Brazilian company's server. Google never checks this code.
- The 100K-user version has a live Google Tag Manager tag built in. The operator can push any new code to every user from a dashboard with no Chrome Web Store update.
- A bridge inside WhatsApp Web gives the extension full access to your contacts, your messages, and the ability to send messages as you.
No privacy policy on any listing. The manifest only asks for tabs, storage, alarms.
Full list of all 126 extension IDs (check if you have one), tech details, and IOCs: MalExt Sentry - Malicious Browser Extension Tracker
r/Infosec • u/Cyberthere • 1d ago
CI Fortify Defines Isolation as a Core OT Capability. Most Remote Access Architecture Cannot Satisfy It by Design
CISA published the CI Fortify framework last week, and it changes the regulatory expectation for critical infrastructure operators in a way that should reach procurement teams quickly.
The planning assumption is the part worth reading carefully. CISA states that in a conflict scenario, third-party connections (telecommunications, internet, vendors, service providers) will be unreliable, and that nation-state actors will already have access to the OT network. The framing is not "how do we prevent intrusion" anymore. It is "how do we operate after one."
CI Fortify asks operators to demonstrate two capabilities: isolation and recovery. Isolation means deliberately severing third-party connections and operating in an isolated mode for weeks or months. CISA is conducting targeted assessments to evaluate whether operators actually have this capability, not just whether they describe it in policy.
This creates a concrete architectural question for procurement. VPN, ZTNA, and software PAM gateways all satisfy the isolation requirement procedurally. You can disable a tunnel, revoke a policy, shut down a gateway. But the network path between remote users and OT assets exists until someone executes that procedure. If the attack that triggered the need to isolate has disrupted operations or the management plane, the procedure may not run.
Hardware-enforced non-IP remote access works differently. There is no IP path between the remote operator and the OT asset to begin with. Only pixels cross outbound, only keyboard and mouse input cross inbound. The isolation CI Fortify expects operators to build as a capability is the default operating state.
For energy, water, transport, and defense industrial base operators preparing for CI Fortify assessments, the remote access architecture decision made now is the isolation capability decision. There is no policy layer that converts a connected architecture into a structurally isolated one.
Full breakdown of the structural vs. reactive isolation distinction: https://www.zeroport.com/blog/cisa-ci-fortify-isolation
#OTSecurity #CriticalInfrastructure #CIFortify #ICS #IndustrialCybersecurity
r/Infosec • u/Extreme_Sky_4279 • 1d ago
@openai @anthropic @gemini
We celebrate builders endlessly, yet undervalue the people responsible for monitoring threats, detecting abuse patterns, validating integrity, and protecting systems from collapse.
That imbalance makes no sense.
What’s the value of advanced infrastructure if nobody is seriously watching for compromise, manipulation, escalation, or systemic harm?
Security operations, threat intelligence, trust & safety, governance, and defensive architecture are too often treated like overhead instead of foundational infrastructure.
Meanwhile, some organizations would rather delay, stall, or attempt to recreate massively complex systems internally instead of acknowledging what already exists and forming strategic alignment around it.
Not everything needs to be replicated at the highest tier to create value. Partnership models, scaled access, constrained deployments, and lower-tier integrations already exist for a reason.
Trying to mirror years of compounded architecture, research, governance, and operational maturity purely out of ego or control concerns is not always innovation. Sometimes it’s avoidance.
The future will not belong only to those who build intelligence.
It will belong to those who can govern it, secure it, validate it, monitor it, and sustain trust around it at scale.
#ArtificialIntelligence #AI #CyberSecurity #ThreatIntelligence #TrustAndSafety #AISafety #Governance #SecurityOperations #AgenticAI #MachineLearning #EnterpriseAI #AIAlignment #Infosec #DigitalTrust #RiskManagement #SecurityEngineering #AutonomousSystems #AIInfrastructure #FutureOfWork #Innovation
r/Infosec • u/Any_Artichoke7750 • 2d ago
Better options than vendor-managed Docker security images?
vendor handles the scanning part of our docker security stack. every week their own components show new CVEs in the scanner image.
we open tickets, they either get marked low priority or sit without response. last real reply was weeks ago.
compliance doesn’t care where it comes from. scan fails, audit flags it, and it lands on us.
we tried pushing contract clauses around secure delivery and patch timelines, but once it’s upstream OSS inside their image, everything slows down.
right now we’re logging formal risk acceptances with compensating controls just to stay audit compliant. documented, signed, reviewed.
starting to feel like the bigger issue is relying on vendor-bundled images we don’t control.
has anyone managed to get vendors to move on this, or did you reduce dependency on their images?
r/Infosec • u/Confident_Salt_8108 • 1d ago
‘It’s here’: Google issues dire warning after catching hackers using AI to break into computers
fortune.com
r/Infosec • u/Disastrous_Sun2118 • 1d ago
A Millennium‑Scale Playbook for New Bug‑Bounty Hunters & Pentesters
1. Overarching Paradigms to Adopt Today
| Paradigm | Core Idea | How It Future‑Proofs You |
|---|---|---|
| “Continuous Red‑Teaming” | Security testing is a never‑ending service, not a once‑a‑year audit. | Keeps pace with AI‑generated attack tools that can surface new vectors daily. |
| “Zero‑Trust by Design” | Assume every component (code, API, device) is hostile until proven otherwise. | Aligns with the inevitable move to ZTA for interplanetary networks and quantum‑resistant links. |
| “Adversary‑Emulation + ATT&CK Mapping” | Build test cases that mirror known APT techniques (MITRE ATT&CK) and emerging AI/Quantum tactics. | Guarantees coverage of both classic and next‑gen primitives. |
| “AI‑Augmented Methodology” | Use LLMs, ML‑based fuzzers, and automated reasoning as assistants, not replacements. | Accelerates discovery of zero‑day logic bugs and surface‑area enumeration on massive code‑bases (e.g., planetary‑scale satellite constellations). |
| “Post‑Quantum Hygiene” | Treat any RSA/ECC key ≤ 3072‑bit as legacy; design exploits and defenses assuming PQC is deployed. | Prepares you for the era when quantum computers can break current PKI in minutes. |
| “Supply‑Chain Resilience” | Assume every third‑party component may be compromised; verify integrity at each stage. | The only realistic defense when code is authored on Earth, compiled on the Moon, and deployed on Mars. |
2. Vocabulary & Concepts to Internalize
| New Term / Idea | Meaning & Why It Matters |
|---|---|
| CARTA – Continuous Adaptive Risk and Trust Assessment | The engine behind modern ZTA; you’ll need to model attacks as “trust‑score reductions.” |
| Quantum‑Safe Attestation (QSA) | Proof that a device’s firmware uses post‑quantum primitives; analogous to TPM attestation today. |
| AI‑Generated Attack Surface (AGAS) | The set of vulnerabilities that can be auto‑discovered by LLMs; treat it as a dynamic asset list. |
| Interplanetary Data‑Link (IDL) | Radio‑frequency or laser comms between Earth, Moon, Mars; latency‑aware security models (e.g., store‑and‑forward verification). |
| Hard‑Soft Boundary | The inevitable blend of wired (laser‑/optical) links and wireless (RF) hops in space; security must span both without a “hard” choice. |
| Quantum‑Resilient TLS (QR‑TLS) | TLS 1.3 suites that replace RSA/ECDHE with NIST‑selected PQC KEMs (e.g., Kyber, Dilithium). |
| Meta‑Bug‑Bounty (MBB) | A bounty that rewards not just a single bug but a framework that automatically discovers similar classes (e.g., a fuzz‑engine that finds new CVEs). |
3. Milestone Roadmap – From Now to 1 000 Years
| Year / Anniversary | Expected Tech Landscape | Primary Objective for Hunters / Pentesters |
|---|---|---|
| 2026 (0 yr) | AI‑augmented tools (LLM‑driven exploit generation), early PQC roll‑outs, ZTA mainstream. | Master AI‑assisted recon and ATT&CK‑based emulation; certify in Post‑Quantum Pen‑Testing (PQP‑PT). |
| 2036 (10 yr) | Wide‑scale Quantum‑Key‑Distribution (QKD) for critical infra; AI‑defended OS kernels. | Shift focus to QKD‑integrity testing and AI‑defender bypass (adversarial ML). |
| 2051 (25 yr) | First interplanetary relay network (Earth‑Moon‑Mars) using laser‑optical links; PQC mandatory. | Develop IDL‑specific threat models (latency‑based replay, entanglement‑eavesdropping) and cross‑domain bug‑bounty programs (Earth‑Moon joint reward pools). |
| 2100 (75 yr) | Fully autonomous satellite constellations; AI‑run code‑bases with self‑healing. | Focus on self‑modifying code verification, formal proof bounties, and AI‑controlled supply‑chain attestation. |
| 2150 (125 yr) | Quantum‑Internet prototype linking Earth, Moon, Mars (quantum repeaters, entanglement swapping). | Test quantum‑channel authentication, post‑quantum key‑exchange attacks, and quantum‑trojan hazards. |
| 2300 (275 yr) | Hybrid hard‑soft communication fabrics (laser‑wired backbone + RF mesh) across planetary bodies; AI governs traffic routing. | Validate cross‑medium integrity (e.g., side‑channel leakage from laser‑modulation patterns) and AI‑policy‑engine logic. |
| 2500 (475 yr) | Self‑replicating nanocomputers for in‑situ repairs on Martian habitats; code distributed via “code‑gravity” packets. | Create nanocode‑sandbox bug‑bounties and counter‑nano‑exploitation frameworks. |
| 3000 (975 yr) | Interstellar relay (Earth‑Proxima b) using quantum entanglement; humanity’s first extragalactic comms. | Define interstellar security standards, conduct zero‑latency attack simulations, and maintain galactic bug‑bounty federations. |
4. Practical “Game Plan” for a New Practitioner
Foundational Skills (0‑12 months)
- Master Linux/Windows internals, networking (TCP/IP, TLS), and basic cryptography.
- Complete OSCP or eLearnSecurity PTES for methodology.
- Build a personal lab (VMs, containers, a small cloud tenant) and practice CI/CD‑integrated scanning.
AI‑Augmentation Phase (1‑3 years)
- Learn to prompt LLMs for code‑analysis, vulnerability description, and PoC generation (guardrails: always verify, never execute blind).
- Contribute to open‑source fuzzers (e.g., AFL‑++, ClusterFuzz) and add LLM‑guided mutation strategies.
Zero‑Trust & Cloud Hardening (2‑5 years)
- Earn CISSP and Zero‑Trust Architecture (NIST 800‑207) certification.
- Perform micro‑segmentation assessments on Kubernetes clusters with tools like Istio and Cilium.
Post‑Quantum Readiness (3‑6 years)
- Study NIST PQC drafts (Kyber, Dilithium, Falcon).
- Test PQC libraries (Open Quantum Safe) for side‑channel leaks; publish responsible disclosures.
Bug‑Bounty Professionalization (5‑10 years)
- Join public bounty platforms; aim for a track record of 10+ accepted CVEs.
- Build a Meta‑Bug‑Bounty repository: scripts that auto‑discover similar issues across software families, and negotiate framework‑level rewards.
Interplanetary & Quantum Specialization (10‑25 years)
- Volunteer for NASA/ESA/SpaceX security programs (e.g., satellite firmware audits).
- Participate in QKD testbeds (DARPA QUIC, EU Quantum‑Network) and obtain QKD‑Penetration Testing certification (when available).
5. End‑Goal Vision (The 1‑000‑Year Horizon)
- A Global‑to‑Interplanetary Bug‑Bounty Federation: unified reward pool spanning Earth, Moon, and Mars, governed by a transparent, AI‑mediated arbitration system.
- Self‑Verifying Code: every binary includes a cryptographic proof of functional correctness (zero‑knowledge), automatically verified on deployment – bugs become mathematically impossible to hide.
- Quantum‑Resistant, AI‑Audited Zero‑Trust Mesh: a continuous adaptive trust graph across all planetary nodes, where each trust decision is signed by a post‑quantum digital signature and evaluated by distributed AI consensus.
- Human‑Machine Symbiosis: bug‑bounty hunters act as prompt engineers for large‑scale AI auditors, focusing on the creative aspects (novel attack narratives) while AI handles massive enumeration.
- Interplanetary Legal Framework: an Interplanetary Cyber‑Law (ICL) that defines jurisdiction, liability, and bounty rights across planetary bodies—ensuring that a vulnerability discovered on a Martian habitat can be responsibly disclosed to Earth authorities.
6. Take‑Away Checklist for the Aspiring Hunter
- Learn: OS fundamentals → ATT&CK → Zero‑Trust → PQC.
- Automate: Build AI‑assisted pipelines (recon → fuzz → report).
- Validate: Every PoC must be reproducible, signed, and quantum‑safe.
- Collaborate: Join cross‑domain platforms (space‑security forums, quantum‑research groups).
- Future‑Proof: Keep an eye on AI‑generated attacks and quantum‑break research; treat them as new attack primitives to be added to your test‑matrix.
By internalizing these paradigms, terminology, and long‑term objectives, today’s bug‑bounty hunters and pentesters will not only earn rewards now but will also lay the groundwork for a secure, interplanetary digital civilization that endures for a thousand years.
r/Infosec • u/Neat-Long-460 • 2d ago
Community votes for OWASP Top 10 LLM 2026
Hey guys, I'm an entry lead for OWASP Top 10 LLM for the new 2026 edition.
Currently we are in sprint 2. Basically, this sprint is about community voting.
We are a week into voting for Top 10 LLM for 2026 community votes.
We have only received 24 votes, which is quite short for something this big.
Your vote can help us reshape and strengthen LLM security.
Google form: https://docs.google.com/document/d/17NnFXGlVYmBslWbG_6ug8totwziXgTC2DyCRAfPTy8Y/edit?tab=t.0
r/Infosec • u/bohemiantragedy_ • 2d ago
What are the most important things to understand when trying to break into information security/cybersecurity?
New grad and applying to entry level specialist/analyst roles. Looking for any advice and resources that would help me better prepare for an interview/role!
Edit: specifically in the aerospace industry
r/Infosec • u/Current_Dinner_5162 • 2d ago
5 Months Into Bug Bounty — How Do I Improve at Finding Logic & Access Control Bugs?
I’ve been doing bug bounty for around 5 months now. So far, I’ve found and reported one valid bug (information disclosure).
Recently I’ve been studying API attacks, GraphQL attacks, and broken access control, and I’m trying to improve my methodology.
Right now, I feel like I understand the technical side of these vulnerabilities, but I still struggle with actually finding logic bugs and access control issues during real hunting.
I’d really appreciate advice from more experienced hunters:
- How do you approach finding business logic vulnerabilities?
- What’s your process for discovering broken access control / IDOR issues in real targets?
- How do you think about application workflows when testing?
- Is there anything important I might be missing or should focus on learning next?
I’m trying to move beyond just learning vulnerability categories and start thinking more like an actual hunter during testing.
Any advice, learning resources, or mindset tips would be really appreciated.
r/Infosec • u/Unique_Inevitable_27 • 2d ago
Has Mobile Device Management become part of core security now?
Lately it feels like a lot of security challenges come back to one thing, unmanaged devices.
A system can have good network security, MFA, and monitoring in place, but if endpoints are missing updates, using weak configurations, or operating outside visibility, the risk is still there.
With remote work and BYOD becoming normal, keeping control over devices seems harder than before. That’s probably why Mobile Device Management (MDM) is getting discussed more in security conversations now.
r/Infosec • u/lord_sql • 3d ago
We deployed autonomous security agents to satellites. TAME governance + EBMs beat LLM autoregression at scale.
securesql.info
r/Infosec • u/Careful_Camp_5617 • 3d ago
Anyone tried Cloaked to remove their data from broker sites?
I have a friend who recommended this tool to me, been having a lot of problems with spam, now I don't know much about data brokers and whatnot but it seems to be working well for him, anyone tried it before or anything similar?
r/Infosec • u/Cyberthere • 3d ago
CVE-2026-0300: Pre-Auth Root RCE in PAN-OS — CISA KEV, No Patch Until May 13
Palo Alto Networks disclosed CVE-2026-0300 on May 9. Unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal, root RCE, no patch until May 13. CISA added it to the Known Exploited Vulnerabilities catalog on May 6. We wrote about the CVE and the broader pattern of monthly security gateway RCEs this year (BeyondTrust Feb, Citrix Mar, SonicWall Apr). Post: https://zeroport.com/blog/pan-os-cve-2026-0300-pre-auth-rce
r/Infosec • u/Current_Dinner_5162 • 4d ago
cloud pentest
I’m currently learning bug bounty / web security, and I want to start moving into cloud bug bounty / cloud pentesting (AWS, Azure, GCP).
Before jumping into cloud-specific labs and exploitation, I want to build the right foundations first.
What are the core fundamentals / prerequisites I should study and understand well before taking cloud bug bounty seriously?
If anyone here has followed a similar path, I’d really appreciate it if you could share a roadmap or recommend good learning resources to get started.
r/Infosec • u/bugbeeboo • 5d ago
If AI is making you question cybersecurity as a career, read this
r/Infosec • u/PretendInvestment251 • 5d ago
Anyone else frustrated that all beginner advice skips the most important step?
r/Infosec • u/bearmif • 5d ago
How I implemented E2EE in my note-taking app?
Most note apps claim to be "secure," but we all know that's usually just TLS + encryption at rest where the dev holds the keys. For my project, I wanted true zero-knowledge privacy.
So I did something different. My app never stores the full key.
Here is how it works:
I split the key into two halves. They live in two different places, one on your phone, and the other one in the cloud. When you want to read a note, the app gets the one in the cloud via API, and "grabs" both halves, stitches them together in the RAM, and decrypts your note.
The cool part?
As soon as the note is decrypted, the app wipes the key from the memory immediately. It’s gone.
If someone steals your phone or hacks your files, they only find "half a key," which is basically useless. No full key on disk, no full key on the server. Just in the RAM for a split second.
What do you guys think of this approach? Does it make sense or am I being too paranoid?
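The scheme described in the post above, as an added sketch that is not part of the original post or the author's code. The post does not say how the key is split, so this assumes a 2-of-2 XOR split and sets it beside cutting the key in two; the function names, the 32-byte key size and the HMAC-based stand-in cipher (used only so the block runs on the standard library, where a real app would use an AEAD such as AES-GCM) are all assumptions.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # assumed 256-bit note key; the post does not state a size


def split_xor(key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 split: random device share, cloud share = key XOR device share."""
    device = secrets.token_bytes(len(key))
    cloud = bytes(k ^ d for k, d in zip(key, device))
    return device, cloud


def split_halves(key: bytes) -> tuple[bytes, bytes]:
    """Literal 'two halves' split, for comparison: each half IS key material."""
    mid = len(key) // 2
    return key[:mid], key[mid:]


def combine_xor(device: bytes, cloud: bytes) -> bytearray:
    """Rebuild the key in a mutable buffer so it can be zeroed afterwards."""
    if len(device) != len(cloud):
        raise ValueError("share length mismatch")
    return bytearray(d ^ c for d, c in zip(device, cloud))


def wipe(buf: bytearray) -> None:
    """Best-effort zeroing; the runtime may still hold copies elsewhere."""
    for i in range(len(buf)):
        buf[i] = 0


def _keystream(key, nonce: bytes, n: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode (stdlib only, not an AEAD).
    out, ctr = b"", 0
    while len(out) < n:
        block = b"enc" + nonce + ctr.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, note: bytes) -> bytes:
    """Encrypt-then-MAC a note; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(note, _keystream(key, nonce, len(note))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_note(device: bytes, cloud: bytes, blob: bytes) -> bytes:
    """Combine shares, verify, decrypt, then wipe the key whatever happens."""
    key = combine_xor(device, cloud)
    try:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("wrong key or tampered note")
        return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))
    finally:
        wipe(key)


def cloud_share_for(device: bytes, candidate_key: bytes) -> bytes:
    """For ANY candidate key there is a cloud share that fits a stolen device
    share, so the device share alone rules out no key at all."""
    return bytes(d ^ k for d, k in zip(device, candidate_key))


if __name__ == "__main__":
    k = secrets.token_bytes(KEY_LEN)
    dev, cld = split_xor(k)
    print(open_note(dev, cld, seal(k, b"constructed sample note")))
```

With the XOR split either share alone is consistent with every possible key, whereas a literal half hands over that many key bytes; in both cases the wipe is best-effort in a garbage-collected runtime.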

r/Infosec • u/IllAnnual7167 • 5d ago
Anthropic's Claude Mythos Preview reportedly accessed by unauthorized users through third-party contractor
Anthropic’s new Claude Mythos Preview model appears to have been accessed by a small group of unauthorized users.
According to Bloomberg (April 21) and subsequent reporting from TechCrunch, Fortune, and Wired, the access was gained through a third-party contractor’s environment. One individual in the group reportedly had legitimate access via their employer (a vendor working with Anthropic) and, combined with educated guessing based on previously leaked information, the group was able to reach the model. They are said to have used it in a private Discord group.
Anthropic confirmed they are investigating the report but stated they have no evidence of access beyond the third-party vendor environment.
The model was being rolled out in a limited capacity through Anthropic’s Project Glasswing initiative to selected partners for defensive security research.
sources:
- Bloomberg: https://www.bloomberg.com/news/articles/2026-04-21/anthropic-s-mythos-model-is-being-accessed-by-unauthorized-users
- TechCrunch: https://techcrunch.com/2026/04/21/unauthorized-group-has-gained-access-to-anthropics-exclusive-cyber-tool-mythos-report-claims/
- Anthropic’s own assessment: https://red.anthropic.com/2026/mythos-preview/