Leaking Secrets in the Age of AI

In a rush to adopt and experiment with AI, developers and other technology practitioners are willing to cut corners. This is evident from multiple recent security incidents, such as: 

Yet another side-effect of these hasty practices is the leakage of AI-related secrets in public code repositories. Secrets in public code repositories are nothing new. What’s surprising is the fact that after years of research, numerous security incidents, millions of dollars in bug bounty hunters’ pockets, and general awareness of the risk, it is still painfully easy to find valid secrets in public repositories. — Read More
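A pre-commit check is the cheapest way to keep a key out of a public repository in the first place. The Go scanner below is an added example written for this digest, not code from the linked post: it matches the well-known `sk-`, `sk-ant-` and `hf_` prefixes of a few AI-provider credentials and falls back to a Shannon-entropy test on anything assigned to a key, token, secret or password variable. The minimum lengths, the 3.5-bit threshold and the sample source lines are constructed assumptions, and the key-like strings in the sample are made up.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding is one suspected secret; the value is masked so the report itself
// does not become another leak.
type Finding struct {
	Line   int
	Kind   string
	Masked string
}

// Provider-specific patterns, matched in order (the Anthropic prefix "sk-ant-"
// also satisfies the OpenAI "sk-" pattern). The prefixes are the well-known
// ones; the minimum lengths are an assumption and should be tuned.
var providerPatterns = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"anthropic", regexp.MustCompile(`sk-ant-[A-Za-z0-9_-]{20,}`)},
	{"openai", regexp.MustCompile(`sk-[A-Za-z0-9_-]{20,}`)},
	{"huggingface", regexp.MustCompile(`hf_[A-Za-z0-9]{20,}`)},
}

// assignment catches generic `something_key = "value"` lines; the captured
// value is then judged by its entropy rather than by a fixed prefix.
var assignment = regexp.MustCompile(`(?i)(key|token|secret|password)\w*\s*[:=]\s*["']?([A-Za-z0-9+/=_-]{16,})`)

// shannonEntropy returns bits per character. Random API tokens score about
// 4 or more; words, repeated placeholders and URLs score well under 3.5.
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n, h := float64(len([]rune(s))), 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

func mask(s string) string {
	if len(s) <= 8 {
		return strings.Repeat("*", len(s))
	}
	return s[:4] + strings.Repeat("*", len(s)-8) + s[len(s)-4:]
}

// ScanSource scans text line by line. A provider match wins over the generic
// entropy check so each key is reported once with the most specific kind.
func ScanSource(src string, entropyThreshold float64) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		matched := false
		for _, p := range providerPatterns {
			if m := p.re.FindString(line); m != "" {
				out = append(out, Finding{Line: i + 1, Kind: p.kind, Masked: mask(m)})
				matched = true
				break
			}
		}
		if matched {
			continue
		}
		if m := assignment.FindStringSubmatch(line); m != nil && shannonEntropy(m[2]) >= entropyThreshold {
			out = append(out, Finding{Line: i + 1, Kind: "high-entropy", Masked: mask(m[2])})
		}
	}
	return out
}

// Sample is constructed source; the key-like strings are made up, not real credentials.
const Sample = `OPENAI_API_KEY = "sk-" + os.environ["OPENAI_API_KEY"]  # fine: read from the environment
api_key = "sk-ant-api03-Xk9pQ2mN7vR4tL8wE1yU5oI3aS6dF0gH"  # leaked provider key
HF_TOKEN=hf_AbCdEfGhIjKlMnOpQrStUvWxYz012345
db_password = "changeme-changeme-changeme"  # weak, but not a high-entropy secret
session_token = "9f8e7d6c5b4a39281706f5e4d3c2b1a0"  # unknown format, caught by entropy`

func main() {
	for _, f := range ScanSource(Sample, 3.5) {
		fmt.Printf("line %d: %s %s\n", f.Line, f.Kind, f.Masked)
	}
}
```

On the sample it reports the Anthropic key on line 2, the Hugging Face token on line 3 and the hex session token on line 5, and stays quiet on the environment lookup and the low-entropy placeholder. A match only says a string looks like a key; whether it is still valid is a separate check to make before treating the finding as an incident.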

#cyber

New AI Jailbreak Bypasses Guardrails With Ease

Through progressive poisoning and manipulating an LLM’s operational context, many leading AI models can be tricked into providing almost anything – regardless of the guardrails in place.

From their earliest days, LLMs have been susceptible to jailbreaks – attempts to get the gen-AI model to do something or provide information that could be harmful. The LLM developers have made jailbreaks more difficult by adding more sophisticated guardrails and content filters, while attackers have responded with progressively more complex and devious jailbreaks.

One of the more successful jailbreak types is the multi-turn jailbreak, which builds up over a conversation rather than relying on a single prompt. A new one, dubbed Echo Chamber, has emerged today. — Read More

#cyber

The Role of AI and Compliance in Modern Risk Management: ShowMeCon 2025

When people think of St. Louis, it’s often the Gateway Arch or the Cardinals that come to mind. Just across the Missouri River lies St. Charles, one of the “Show Me” state’s oldest European settlements, dating back to 1769. Just a stone’s throw from where Lewis and Clark set off on their famous expedition, something more than baseball statistics, historical trivia, or architectural wonders was being discussed in early June: security, compliance, and risk, at ShowMeCon 2025.

Around 400 practitioners gathered for two full days of sessions, villages, and a CTF run by MetaCTF. There was much discussion of the industry’s distinction between controls, policies, and security. A general theme emerged that real security demands context, rigor, and adaptive posture, not just checking the box. Here are just a few highlights from the 2025 edition of ShowMeCon. — Read More

#cyber

Starting a Security Program from Scratch (or re-starting)

I’ve had a number of requests to write a post about how to start and grow a new security program – or a substantial reassessment and rebuild of an existing program. 

This is a difficult one to write because, as you all know, there is no one-size-fits-all approach. Starting from scratch in a 10 person startup is very different from (re-)building a security program in a more established organization. What I’ve tried to do here, instead, is to develop a framework and step by step guide to apply to pretty much any type of organization. It might be that in applying this you only need, for your risk and stage of development, to go halfway in the various steps. Some time later, as your organization grows in size, stature, or criticality, you might need to do the whole thing.

There are 4 phases of maturity, each with its own steps. But basically it’s all about (1) starting to face in the right direction, (2) getting the basics done, (3) making those basics more routine and sustainable and then, if you need to, (4) making it much more advanced and strategic. — Read More

#cyber

Meta and Yandex are de-anonymizing Android users’ web browsing identifiers

Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it’s investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.

The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they’re off-limits for every other site. — Read More

#cyber

Detection-In-Depth

Detection-in-depth is an evolution of the classic cybersecurity principle known as defense-in-depth. Defense-in-depth means that no single security control can fully protect an environment—instead, multiple layered defenses must work together to slow down, detect, and ultimately stop adversaries.

These layers create redundancy, ensuring that if one layer fails, another stands ready to catch the threat. Detection-in-depth applies this same layered philosophy specifically to detection and monitoring. Rather than relying on a single detection point, it ensures that adversary activity can be caught at multiple stages, through multiple methods, and across multiple levels of abstraction. This creates a resilient, overlapping detection strategy that minimizes blind spots and maximizes the chance of identifying attackers anywhere in their kill chain progression. — Read More
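To make the layering concrete, here is an added Go example (not from the linked post) with three independent detection layers, process, identity and network, run over one constructed event stream. The sample intrusion evades the process-signature layer by using PowerShell’s short `-e` form instead of `-EncodedCommand`, gives the identity layer nothing to see because it runs as a non-admin service account, and is still caught by the DNS beacon detector. Host names, the admin baseline, the command lines and the timings are all assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Event is one telemetry record; every value below is constructed for this example.
type Event struct {
	Time   int               // seconds into the constructed timeline
	Source string            // "edr", "auth" or "dns"
	Host   string
	Attrs  map[string]string // source-specific fields
}

type Alert struct{ Layer, Host, Reason string } // Layer shows which layer finally fired

// Layer 1, process signature: encoded PowerShell written out as -EncodedCommand.
// Deliberately narrow: the sample intrusion uses the equivalent short form "-e".
func encodedPowerShell(events []Event) []Alert {
	var out []Alert
	for _, e := range events {
		cmd := strings.ToLower(e.Attrs["cmd"])
		if e.Source == "edr" && strings.Contains(cmd, "powershell") && strings.Contains(cmd, "-encodedcommand") {
			out = append(out, Alert{"process-signature", e.Host, "encoded PowerShell"})
		}
	}
	return out
}

var adminBaseline = map[string]string{"it-admin": "jump-01"} // layer 2 baseline (constructed)

// Layer 2, identity: an admin account authenticating from outside its baseline host.
func adminFromUnusualHost(events []Event) []Alert {
	var out []Alert
	for _, e := range events {
		expected, isAdmin := adminBaseline[e.Attrs["user"]]
		if e.Source == "auth" && isAdmin && e.Attrs["src_host"] != expected {
			out = append(out, Alert{"identity-anomaly", e.Host, e.Attrs["user"] + " from " + e.Attrs["src_host"]})
		}
	}
	return out
}

// Layer 3, network: minQueries or more lookups of one name from one host with inter-arrival
// times that differ by at most jitter seconds form a beacon, however the implant was launched.
func dnsBeacon(minQueries, jitter int) func([]Event) []Alert {
	return func(events []Event) []Alert {
		times := map[string][]int{} // key: host|qname
		for _, e := range events {
			if e.Source == "dns" {
				k := e.Host + "|" + e.Attrs["qname"]
				times[k] = append(times[k], e.Time)
			}
		}
		var out []Alert
		for k, ts := range times {
			if len(ts) < minQueries || len(ts) < 2 {
				continue
			}
			sort.Ints(ts)
			gaps := make([]int, 0, len(ts)-1)
			for i := 1; i < len(ts); i++ {
				gaps = append(gaps, ts[i]-ts[i-1])
			}
			sort.Ints(gaps)
			if gaps[len(gaps)-1]-gaps[0] <= jitter {
				hq := strings.SplitN(k, "|", 2)
				out = append(out, Alert{"network-beacon", hq[0], fmt.Sprintf("%s every ~%ds", hq[1], gaps[0])})
			}
		}
		sort.Slice(out, func(i, j int) bool { return out[i].Host < out[j].Host }) // map order is random
		return out
	}
}

// RunLayers runs every layer over the same stream and concatenates the alerts.
func RunLayers(events []Event, layers []func([]Event) []Alert) []Alert {
	var out []Alert
	for _, layer := range layers {
		out = append(out, layer(events)...)
	}
	return out
}

var Layers = []func([]Event) []Alert{encodedPowerShell, adminFromUnusualHost, dnsBeacon(4, 2)}

// Constructed timeline: ws-17 is compromised (short-form encoded PowerShell, a non-admin
// service account, then a 60 s beacon); ws-03 is benign noise with a few irregular lookups.
var SampleEvents = []Event{
	{0, "edr", "ws-17", map[string]string{"cmd": "powershell.exe -nop -w hidden -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"}},
	{5, "auth", "ws-17", map[string]string{"user": "svc_backup", "src_host": "ws-17"}},
	{60, "dns", "ws-17", map[string]string{"qname": "updates.cdn-assets.example"}},
	{120, "dns", "ws-17", map[string]string{"qname": "updates.cdn-assets.example"}},
	{181, "dns", "ws-17", map[string]string{"qname": "updates.cdn-assets.example"}},
	{240, "dns", "ws-17", map[string]string{"qname": "updates.cdn-assets.example"}},
	{10, "dns", "ws-03", map[string]string{"qname": "example.org"}},
	{13, "dns", "ws-03", map[string]string{"qname": "example.org"}},
	{47, "dns", "ws-03", map[string]string{"qname": "example.org"}},
	{30, "auth", "ws-03", map[string]string{"user": "it-admin", "src_host": "jump-01"}},
}
```

Running `RunLayers(SampleEvents, Layers)` yields a single alert, `network-beacon` on ws-17, which is the point: the first layer was evaded and the second had nothing to judge, but the beacon is a property of the C2 channel itself, at a different level of abstraction from the launcher, so the intrusion is still caught. Each layer is also useful on its own: feed the same stream with `-EncodedCommand` spelled out and layer 1 fires.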

#cyber

Forget IPs: using cryptography to verify bot and agent traffic

With the rise of traffic from AI agents, what’s considered a bot is no longer clear-cut. There are some clearly malicious bots, like ones that DoS your site or do credential stuffing, and ones that most site owners do want to interact with their site, like the bot that indexes your site for a search engine, or ones that fetch RSS feeds. 

Historically, Cloudflare has relied on two main signals to distinguish legitimate web crawlers from other types of automated traffic: User-Agent headers and IP addresses. The User-Agent header allows bot developers to identify themselves, e.g. MyBotCrawler/1.1. However, user agent headers alone are easily spoofed and are therefore insufficient for reliable identification. To address this, user agent checks are often supplemented with IP address validation: inspecting published IP address ranges to confirm a crawler’s authenticity. However, the logic of an IP address range representing a product or group of users is brittle. Connections from the crawling service might be shared by multiple users, such as in the case of privacy proxies and VPNs, and these ranges, often maintained by cloud providers, change over time.

Today, we’re introducing two proposals – HTTP message signatures and request mTLS – for friendly bots to authenticate themselves, and for customer origins to identify them. In this blog post, we’ll share how these authentication mechanisms work, how we implemented them, and how you can participate in our closed beta. — Read More
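HTTP message signatures (RFC 9421) are the more portable of the two proposals, so here is an added Go example of both ends of the exchange, written for this digest and not taken from Cloudflare’s implementation. The bot signs the request’s method, authority and path with an Ed25519 key and sends `Signature-Input` and `Signature` headers; the origin looks up the key by `keyid`, checks the signature’s age, rebuilds the signature base from the request it actually received and verifies it. The key id `mybot-2025`, the key directory map, the five-minute maximum age and the one-minute clock-skew allowance are assumptions, and how an operator publishes its public keys is not covered by the page, so it is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Derived components (RFC 9421 section 2.2) every signature must cover. Binding @authority
// and @path stops a captured signature being replayed against another origin or URL.
var covered = []string{"@method", "@authority", "@path"}
var components = map[string]func(*http.Request) string{
	"@method":    func(r *http.Request) string { return r.Method },
	"@authority": func(r *http.Request) string { return r.Host },
	"@path":      func(r *http.Request) string { return r.URL.Path },
}

// signatureBase is the canonical string (section 2.5) that signer and verifier each build
// from their own view of the request; its last line is the Signature-Input inner list.
func signatureBase(r *http.Request, params string) string {
	var b strings.Builder
	for _, c := range covered {
		fmt.Fprintf(&b, "%q: %s\n", c, components[c](r))
	}
	fmt.Fprintf(&b, "\"@signature-params\": %s", params)
	return b.String()
}

// Sign is the bot side: add Signature-Input and Signature under the label sig1.
func Sign(r *http.Request, priv ed25519.PrivateKey, keyID string, now time.Time) {
	list := "(" + strings.Trim(fmt.Sprintf("%q", covered), "[]") + ")" // ("@method" "@authority" "@path")
	params := fmt.Sprintf("%s;created=%d;keyid=%q;alg=\"ed25519\"", list, now.Unix(), keyID)
	sig := ed25519.Sign(priv, []byte(signatureBase(r, params)))
	r.Header.Set("Signature-Input", "sig1="+params)
	r.Header.Set("Signature", "sig1=:"+base64.StdEncoding.EncodeToString(sig)+":")
}

// parseParams pulls keyid and created out of the inner list's parameters.
func parseParams(params string) (keyID string, created int64, err error) {
	for _, p := range strings.Split(params, ";")[1:] {
		if strings.HasPrefix(p, "keyid=") {
			keyID = strings.Trim(p[len("keyid="):], `"`)
		} else if strings.HasPrefix(p, "created=") {
			created, err = strconv.ParseInt(p[len("created="):], 10, 64)
		}
	}
	if err == nil && (keyID == "" || created == 0) {
		err = errors.New("signature params lack keyid or created")
	}
	return
}

// Verify is the origin side: resolve keyid against the operator's published keys (a constructed
// map here), enforce the age window, rebuild the base from the request as received and check it.
// A signature over fewer components than this origin requires fails because the bases differ.
func Verify(r *http.Request, keys map[string]ed25519.PublicKey, now time.Time, maxAge time.Duration) error {
	params := strings.TrimPrefix(r.Header.Get("Signature-Input"), "sig1=")
	sig := r.Header.Get("Signature")
	if params == "" || len(sig) < 7 || !strings.HasPrefix(sig, "sig1=:") || !strings.HasSuffix(sig, ":") {
		return errors.New("request carries no sig1 signature")
	}
	keyID, created, err := parseParams(params)
	if err != nil {
		return err
	}
	pub, ok := keys[keyID]
	if !ok {
		return fmt.Errorf("unknown keyid %q", keyID)
	}
	if age := now.Sub(time.Unix(created, 0)); age < -time.Minute || age > maxAge { // 1 min skew allowed
		return errors.New("signature outside its validity window")
	}
	raw, err := base64.StdEncoding.DecodeString(sig[6 : len(sig)-1])
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, []byte(signatureBase(r, params)), raw) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Demo signs one crawler request and returns the verdicts for the request as sent, the same
// request with its path tampered, and the same request presented after the age window.
func Demo() (good, tampered, stale error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"mybot-2025": pub} // assumed key id and directory
	now := time.Unix(1750000000, 0)
	r, _ := http.NewRequest("GET", "https://example.com/robots.txt", nil)
	r.Header.Set("User-Agent", "MyBotCrawler/1.1")
	Sign(r, priv, "mybot-2025", now)
	good = Verify(r, keys, now.Add(30*time.Second), 5*time.Minute)
	stale = Verify(r, keys, now.Add(10*time.Minute), 5*time.Minute)
	r.URL.Path = "/admin"
	tampered = Verify(r, keys, now.Add(30*time.Second), 5*time.Minute)
	return
}
```

Two design points matter more than the primitive. The verifier never takes the signer’s word for what was signed: it recomputes the base from its own view of the request, so a signature lifted from one request cannot be attached to another path or host. And the `created` parameter is part of the signed base, so an attacker cannot extend a captured signature’s lifetime by editing the header. The User-Agent is still sent, but it is now just a label; the key is what identifies the crawler.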

#cyber

Document My Pentest: you hack, the AI writes it up!

Tired of repeating yourself? Automate your web security audit trail. In this post I’ll introduce a new Burp AI extension that takes the boring bits out of your pen test.

Web security testing can be a grind: documenting every step, writing the same notes over and over, and repeating it all across every engagement. But what if your workflow could document itself – while you hacked?

Meet “Document My Pentest”, your silent co-analyst for security testing. It’s an open-source Burp Suite extension that watches your requests in real time, understands what you’re probing for, and automatically builds a clean, structured record of your findings – capturing exactly what you did and how you did it. When you’re ready, hand it off to AI and generate a report. No more boring note taking. Just results. — Read More

#cyber

Wargaming Insights: Is Investing in a SOC Worth It?

A Markov Chain Simulation to compare two competing strategies.

… By using wargaming, security teams can model cyber threat scenarios, apply different defense measures (like firewalls, endpoint protection, and SOCs), and observe how these defenses alter the attacker’s likelihood of success. This provides a better understanding of where resources should be allocated and how to improve defense measures.

In this post, we’ll use wargaming to evaluate whether investing in security detection and response capabilities is worthwhile. The approach involves modeling a simple cyber intrusion as a Markov Chain and adding a detection step to analyze how it affects the likelihood of a successful attack. — Read More
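As an added illustration (not the post’s own model or numbers), here is a four-stage intrusion as an absorbing Markov chain in Go. In each time step the attacker in stage i advances with probability p_i, is detected and evicted with probability d_i, or otherwise stays and tries again. The code solves the probability of reaching the objective exactly by Gaussian elimination on (I - Q)h = R, checks it against the closed form for a linear chain, and plays the same chain as a seeded Monte Carlo wargame. The stage names and every probability are assumptions.

```go
package main

import (
	"math"
	"math/rand"
)

// Stage is one step of a simple intrusion; the probabilities are assumptions for this example.
type Stage struct {
	Name    string
	Advance float64 // P(move on to the next stage) per time step
	Detect  float64 // P(detected and evicted) per time step; 0 without a SOC
}

// Baseline is strategy A: no detection anywhere (constructed).
var Baseline = []Stage{
	{"initial access", 0.30, 0},
	{"privilege escalation", 0.20, 0},
	{"lateral movement", 0.25, 0},
	{"objective", 0.50, 0},
}

// WithDetection is strategy B: a SOC that, each time step, catches an attacker in any post-access stage with probability d.
func WithDetection(stages []Stage, d float64) []Stage {
	out := append([]Stage(nil), stages...)
	for i := 1; i < len(out); i++ {
		out[i].Detect = d
	}
	return out
}

// SuccessProbability solves the absorbing chain exactly. With h_i = P(objective | in stage i),
// h_i = p_i*h_{i+1} + (1-p_i-d_i)*h_i, h = 1 past the last stage and h = 0 once evicted.
// That is (I-Q)h = R, solved by Gauss-Jordan so the same code handles chains with extra transitions.
func SuccessProbability(stages []Stage) float64 {
	n := len(stages)
	A, b := make([][]float64, n), make([]float64, n)
	for i, s := range stages {
		A[i] = make([]float64, n)
		A[i][i] = s.Advance + s.Detect // 1 - P(stay)
		if i+1 < n {
			A[i][i+1] = -s.Advance
		} else {
			b[i] = s.Advance // the last stage advances straight into the absorbing objective
		}
	}
	for col := 0; col < n; col++ {
		piv := col
		for r := col + 1; r < n; r++ {
			if math.Abs(A[r][col]) > math.Abs(A[piv][col]) {
				piv = r
			}
		}
		A[col], A[piv], b[col], b[piv] = A[piv], A[col], b[piv], b[col]
		for r := 0; r < n; r++ {
			if f := A[r][col] / A[col][col]; r != col && f != 0 {
				for c := col; c < n; c++ {
					A[r][c] -= f * A[col][c]
				}
				b[r] -= f * b[col]
			}
		}
	}
	return b[0] / A[0][0]
}

// ClosedForm is the same quantity for this linear chain: each stage is a race between
// advancing and being caught, won with probability p_i/(p_i+d_i).
func ClosedForm(stages []Stage) float64 {
	p := 1.0
	for _, s := range stages {
		p *= s.Advance / (s.Advance + s.Detect)
	}
	return p
}

// Simulate plays the chain trials times (the wargame itself) and returns the observed
// success rate. Every stage needs Advance+Detect > 0 or a trial never terminates.
func Simulate(stages []Stage, trials int, seed int64) float64 {
	rng := rand.New(rand.NewSource(seed))
	wins := 0
	for t := 0; t < trials; t++ {
		i, evicted := 0, false
		for i < len(stages) && !evicted {
			u := rng.Float64()
			switch {
			case u < stages[i].Advance:
				i++
			case u < stages[i].Advance+stages[i].Detect:
				evicted = true
			}
		}
		if !evicted {
			wins++
		}
	}
	return float64(wins) / float64(trials)
}
```

With no detection the attacker always reaches the objective eventually, so `SuccessProbability(Baseline)` is 1 and the only question is how long it takes; the chain only becomes a comparison between strategies once an eviction path exists. With d = 0.1 in the three post-access stages the exact value is (0.2/0.3)(0.25/0.35)(0.5/0.6) = 50/126, about 0.40, and d = 0.2 halves it again, which is the kind of number the post’s SOC-versus-no-SOC comparison is after.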

#cyber

Guillotine: Hypervisors for Isolating Malicious AIs

As AI models become more embedded in critical sectors like finance, healthcare, and the military, their inscrutable behavior poses ever-greater risks to society. To mitigate this risk, we propose Guillotine, a hypervisor architecture for sandboxing powerful AI models — models that, by accident or malice, can generate existential threats to humanity. Although Guillotine borrows some well-known virtualization techniques, Guillotine must also introduce fundamentally new isolation mechanisms to handle the unique threat model posed by existential-risk AIs. For example, a rogue AI may try to introspect upon hypervisor software or the underlying hardware substrate to enable later subversion of that control plane; thus, a Guillotine hypervisor requires careful co-design of the hypervisor software and the CPUs, RAM, NIC, and storage devices that support the hypervisor software, to thwart side channel leakage and more generally eliminate mechanisms for AI to exploit reflection-based vulnerabilities. Beyond such isolation at the software, network, and microarchitectural layers, a Guillotine hypervisor must also provide physical fail-safes more commonly associated with nuclear power plants, avionic platforms, and other types of mission critical systems. Physical fail-safes, e.g., involving electromechanical disconnection of network cables, or the flooding of a datacenter which holds a rogue AI, provide defense in depth if software, network, and microarchitectural isolation is compromised and a rogue AI must be temporarily shut down or permanently destroyed. — Read More

#cyber