Prompt injection isn't the only risk in AI chat APIs. See how we found a GraphQL BOLA in a healthcare SaaS AI assistant and why the transport layer matters.
Resources
Blog
Blog
Keep up to date with the latest offensive security news, knowledge, and resources.
Gary Lobermier of Northwestern Mutual on building purple team automation that validates hundreds of MITRE ATT&CK techniques daily.
Discover how a self-propagating XSS worm exploits multi-tenant widget frameworks to autonomously spread across enterprise applications using legitimate API calls, bypassing CSP, evading audit trails, and surviving password changes.
MFA doesn't stop session cookie replay. Endpoint detection doesn't catch fileless malware without behavioral analysis. Here's the full post-phishing kill chain and what actually stops it.
Step-by-step walkthrough of cracking NTLMv1-SSP hashes with rainbow tables, including how to coerce auth, disable ESS, recover NT hashes, and remediate.
Discover how an unsanitized file write endpoint in Omega Enterprise Gateway escalates to SYSTEM-level code execution and what dead code reveals about real-world security bugs.
