Netsec Explained

@gtklondike.bsky.social

Netsec Explained is a passion project dedicated to the research, learning, and sharing of intermediate and advanced level network security topics. https://www.youtube.com/c/NetsecExplained

949 Followers  |  35 Following  |  88 Posts  |  Joined: 16.09.2023  |  1.7718

Latest posts by gtklondike.bsky.social on Bluesky

Exactly! LLMs will not lead to AGI.
www.instagram.com/reel/DMVO5nT...

Study referenced:
arxiv.org/abs/2507.06952

23.07.2025 04:36 — 👍 0    🔁 0    💬 0    📌 0

To be clear, I'm not saying this to name and shame. It's common enough that I hope people will learn from real-life examples. I also just really wish people would stop doing it!

Come on all, let's be smart about this.

16.07.2025 04:46 — 👍 0    🔁 0    💬 0    📌 0
When AI Has Root: Lessons from the Supabase MCP Data Leak

Last year, I presented one of the top presentations on AI security at RSAC 2024.

In there I explicitly said "do not give your AI root access. It will be a confused deputy, I will add you to my list of examples".

Well, guess who got added to the list?

www.pomerium.com/blog/when-ai...

16.07.2025 04:46 — 👍 0    🔁 0    💬 1    📌 0
Prompt Engineering and AI Red Teaming — Sander Schulhoff, HackAPrompt/LearnPrompting
YouTube video by AI Engineer

Awesome presentation from HackAPrompt.
youtu.be/_BRhRh7mOX0

15.07.2025 00:51 — 👍 0    🔁 0    💬 0    📌 0
From the ChatGPT community on Reddit: ChatGPT vision of users treating it. Prompt inside come show yours! Explore this post and more from the ChatGPT community

These are incredible, and not creepy at all.
www.reddit.com/r/ChatGPT/s/...

05.06.2025 18:53 — 👍 0    🔁 0    💬 0    📌 0
ChatGPT Adding Watermarks to Text Output? #ai #chatgpt
YouTube video by Will Francis

Think something was written with ChatGPT? Turns out the latest models have an unintentional watermark.
youtube.com/shorts/qt4r_...

24.05.2025 03:50 — 👍 1    🔁 0    💬 0    📌 0

I've always been a fan of building a yardstick and then seeing how you and your organization measure up against it. My question is what are the yardsticks that you use to measure how well a security team is doing?

So glad you take write-ins.

22.05.2025 22:37 — 👍 1    🔁 0    💬 0    📌 0
GitHub - microsoft/AI-Red-Teaming-Playground-Labs: AI Red Teaming playground labs to run AI Red Teaming trainings including infrastructure.

Big news, Microsoft just open sourced their AI red team labs.
aka.ms/AIRTlabs

22.05.2025 22:33 — 👍 1    🔁 1    💬 0    📌 0

Quick poll for a security friend. If you are a dev:

Do you know what threat modeling is?
Do you do it?
Why or why not?
If so what does that look like for you?

09.05.2025 22:18 — 👍 7    🔁 4    💬 7    📌 0

He must not have very many friends IRL, because I can't even think of a single one I'd replace with a chat bot.

09.05.2025 20:51 — 👍 0    🔁 0    💬 0    📌 0
AI Money Glitch
YouTube video by ThePrimeTime

Someone mentioned this in my comments the other day, but I didn't even think about the possibility of a deluge of bad/false AI-generated bug reports being a problem in AppSec. And yet, here we are.

youtube.com/shorts/BInml...

09.05.2025 20:48 — 👍 0    🔁 0    💬 0    📌 0

I think it will primarily settle into being a copilot, a quick research and problem solving tool for technical issues.

What I do worry about is when a new technology comes out (like Rust), the AI won't have the millions of Stack Overflow posts to pull from.

08.05.2025 19:05 — 👍 3    🔁 0    💬 1    📌 0

Sending you good vibes!

08.05.2025 19:02 — 👍 2    🔁 0    💬 0    📌 0
AI Agents Fail in Novel Ways, Put Businesses at Risk Microsoft researchers identify 10 new potential pitfalls for companies that are developing or deploying agentic AI systems, with failures potentially leading to the AI becoming a malicious insider.

This is a very interesting read on new and unique ways that AI agentic systems fail. What are your thoughts?

www.darkreading.com/vulnerabilit...

08.05.2025 19:01 — 👍 0    🔁 0    💬 0    📌 0

That's the ideal, but I'm worried about rent-seeking behavior. Gatekeeping info and capital to charge at a premium. There's been a lot of talk about technofeudalism lately. There are even prominent figures in the administration that have stated they want to use AI and automation to replace labor.

08.05.2025 07:20 — 👍 1    🔁 0    💬 0    📌 0
AI Red Teaming: Breaking AI to Build a Secure Future
YouTube video by TrojAI

About a month ago, I was asked to hop on a panel with some very talented people to discuss our thoughts on the state of AI security and red teaming. Check it out!

www.youtube.com/watch?v=HzqK...

08.05.2025 07:17 — 👍 0    🔁 0    💬 0    📌 0

Congrats! What did you do to monetize your skills for those 10 days? Bug bounty, speaking, social media, etc.?

06.05.2025 07:41 — 👍 1    🔁 0    💬 0    📌 0
Get Started in AI CTFs
YouTube video by Netsec Explained

AI isn't just LLMs. Here's all the places to go to learn how to hack more traditional AI/ML. Inspired by the AI Village challenges at Defcon.

www.youtube.com/watch?v=hnNZ...

06.05.2025 07:39 — 👍 0    🔁 0    💬 0    📌 0
Real-world Attacks on LLM Applications
YouTube video by Netsec Explained

If you want to learn how to hack AI, I have a video for that. Check it out!

www.youtube.com/watch?v=_4Q9...

05.05.2025 20:35 — 👍 0    🔁 0    💬 0    📌 0

No friends? No problem.

01.05.2025 17:15 — 👍 0    🔁 0    💬 0    📌 0
The Leaderboard Illusion Measuring progress is fundamental to the advancement of any scientific field. As benchmarks play an increasingly central role, they also grow more susceptible to distortion. Chatbot Arena has emerged ...

"When a metric becomes a target it ceases to be a useful metric."

arxiv.org/abs/2504.20879

30.04.2025 16:53 — 👍 9    🔁 2    💬 0    📌 1

This made me feel good! The perfect compliment from someone on my talks:

"You've made a difficult topic interesting, and explained it in a way that's memorable"

30.04.2025 22:42 — 👍 0    🔁 0    💬 0    📌 0

I'm curious. How would you define or describe the following?
* AI red teaming
* AI pentesting
* jailbreaks vs prompt injections
* AI agents

With all the semantic games in the AI+security space, let's settle on some common definitions and descriptions.

27.04.2025 19:11 — 👍 0    🔁 0    💬 0    📌 0

Going to #RSA? I’ll be speaking at Aegis of Tomorrow: An AI & Security Summit on Monday, April 28 from 3–5pm.

I’ll be sharing a framework for cutting through AI hype and prioritizing cybersecurity investments based on how attacker capabilities are actually evolving.

👉 Register here: lu.ma/9j1p8ixj

17.04.2025 04:06 — 👍 2    🔁 1    💬 0    📌 0

Holy shit, holy shit, holy shit.

15.04.2025 18:19 — 👍 1    🔁 0    💬 0    📌 0
New Research Reveals How AI “Thinks” (It Doesn’t)
YouTube video by Sabine Hossenfelder

You've heard of "Vibe Coding", now let me introduce you to "Vibe mathematics"!

Some think in the next 2 years, we'll have AGI. I think it'll discover astrology instead. Do you think it's a Cancer, or Sagittarius?

youtu.be/-wzOetb-D3w?...

08.04.2025 22:32 — 👍 1    🔁 0    💬 0    📌 0
Web Application Pentesting and the Importance of Specialization with Tib3rius by Phillip Wylie Show

About The Guest: Tib3rius is a penetration tester with over ten years of experience, specializing in web application security. He is the creator of the popular tool Autorecon, which is widely used for enumeration in the OSCP exam and CTF challenges. Tib3rius also offers courses on Udemy and Hackers Academy, focusing on privilege escalation techniques for Windows and Linux.

Summary: Tib3rius joins Phillip Wylie on The Phillip Wylie Show to discuss his background in penetration testing and his specialization in web application security. He shares insights into the development of his tool Autorecon, which was initially created for the OSCP exam but gained popularity in the community. Tib3rius also talks about the importance of specialization in offensive security and offers advice for those looking to start a career in penetration testing. He highlights the value of bug bounty hunting as a way to gain practical experience and shares his thoughts on the OWASP Top Ten and the future of web application security tools.

Key Takeaways:
* Autorecon, a tool created by Tib3rius, is widely used for enumeration in the OSCP exam and CTF challenges.
* Specializing in a specific area of penetration testing, such as web application security, can lead to becoming a subject matter expert and increase value to a company.
* Bug bounty hunting can provide practical experience and count as valuable experience in the field of penetration testing.
* The OWASP Top Ten has evolved from a list of the top ten vulnerabilities to a list of categories, covering a wide range of web application security issues.
* The future of web application security tools, such as Kaido, remains to be seen, but competition in the field can lead to improvements and alternatives to existing tools.

Quotes:
* "I think specialize in something and learn that thing well, and you'll be fine." - Tib3rius
* "Bug bounty hunting is a great thing to go into because you'll get some experience actually testing real applications." - Tib3rius
* "The OWASP Top Ten has become a catch-all category that covers almost every vulnerability." - Tib3rius

Socials and Resources:
* https://twitter.com/0xTib3rius
* http://youtube.com/Tib3rius
* https://tib3rius.com/
* https://courses.tib3rius.com/
* https://linktr.ee/tib3rius

Web Application Pentesting and the Importance of Specialization with Tib3rius podcasters.spotify.c...

05.04.2025 01:55 — 👍 7    🔁 3    💬 0    📌 0

Had a fantastic presentation on building useful AI agents at CypherCon this weekend. Don't worry, I'll be posting a video on my channel soon. So stay tuned!

05.04.2025 03:25 — 👍 1    🔁 0    💬 1    📌 0
AI Red Teaming: Breaking AI to Build a Secure Future
YouTube video by TrojAI

Recently, I was on a panel talking about AI red teaming with some very knowledgeable people. We shared a lot of good insights that you can take away. Check it out!

youtu.be/HzqKWgGjndk?...

31.03.2025 22:58 — 👍 1    🔁 0    💬 0    📌 0
How to Hack AI Agents and Applications Learn how to hack AI agents and applications with this expert guide. Find vulnerabilities, prompt injection risks, and testing strategies for AI security.

How to hack AI agents:
josephthacker.com/hacking/2025...

10.03.2025 06:26 — 👍 1    🔁 1    💬 0    📌 0

@gtklondike is following 20 prominent accounts