Full Access to Vulnerable Tool, Not AI, Caused Vercel Breach
Vercel April 2026 security incident | Vercel Knowledge Base ~ The problem here was not “AI” but giving complete access to a tool that had a vulnerability. 🤖🔒 https://t.co/WkOPF7pzkU
Opus 4.6 Erroneously Writes Dummy Output to /dev/null
As I’m using @AnthropicAI Opus 4.6 on @aws Kiro CLI right now it keeps writing dummy to screen and tries to write to /dev/null all the time now. It suggests that dummy is a tool name and cannot tell me...
Flat-Rate Plans Never Made Sense From the Start
The reason is most likely because flat rate plans never really made sense in the first place.
Unbiased AI Tool Review: What Works, What Doesn't
You will notice I talk about different AI 🤖 solutions in my presentation. Although there are certain companies I like with a top track record like AWS and Portswigger’s Burp Suite, I try to remain unbiased and show you what...

Deterministic Scripts Cut AI Token Burn Rate
Reducing Token Burn Rate With A Well-Designed Architecture Trying to put out the AI token fire - or at least manage it as a controlled burn by using deterministic scripts for gathering inputs and directing agents https://t.co/WMInyNRV9H https://t.co/3f6MG65b7j
Log Mistakes and Add Corrections to Cut Token Burn
I spoke about logging mistakes (and reducing token burn) in this video. As for mistakes it’s important to include corrections to ensure you don’t reinforce the mistakes.
Security Alerts Steal Your Entire Workday
Ok great. Now I have to spend all day figuring out who is trying to access my systems and network. Thanks.
Overspending AI Budgets Leads to Model Degradation
I’m getting some video magically shoved to me when I open X about some unlimited AI budget and Anthropic running out of compute because the product is so good companies are demanding it. How about the blog post I just wrote...
20i Hosting Range Flagged for Malware Activity
The malware report below is interesting for those who want to get into reverse engineering malware, but the IP range would immediately stand out on my network if you are trying to block such things. I looked into who owns the...
AI Powers Modern Penetration Testing: AWS Community Talk
How I Use AI for Penetration Testing. Presentation at the AWS Security Community Day at the Computer History Museum on YouTube https://t.co/hP5kPanmUX
VPC Endpoints: Security Gains Vs. Complexity and Cost
AWS VPC Endpoints are so complicated and expensive but I really want to use them. They provide a unique level of security that a NAT does not replicate. The problem is the rabbit hole you end up going down after...
Anthropic MCP Has Critical Flaw Enabling Full System Takeover
The Architectural Flaw at the Core of Anthropic's MCP according to OX allows complete system takeover in some cases. Of course they sell a tool to secure it but if using MCP you should understand how this works and how...
Old Model Cut, Seek New Security Research Options
Until they cut off the old model like they just did for an earlier version. Time to start looking at alternatives for security research if that doesn’t change.
Testing 4.7 to Fix Opus 4.6 Context Issues
Bookmarking this here for future reference as I try 4.7: I’m apprehensive because generally I do not want context stored across sessions or multi-file edits: I find that models do better at smaller, focused tasks one step at a time,...
AI's Transparency Gap Hinders Theory Verification
The problem with AI right now is that we do not have enough transparency to prove or disprove this theory. I just wrote about this. I don’t know what the real issue is or hopefully was.
New AI TUIs May Expand Attack Surface via React
I know there are some new TUIs coming out for AI development but I’m concerned about increasing the attack surface with web technologies like React. Securing AI is hard enough as it is.
Opus 4.7 Launches on Bedrock; Kiro CLI Integration Pending
Taking a bit of a break today because Opus 4.7 is already available in Amazon Bedrock and hoping it will be in the Kiro CLI today as well (or soon).
Claude's Pay‑Per‑Token Shift Raises Transparency Concerns
Claude pricing changing to pay per token. This makes sense as long as value per token remains consistent. This will make it difficult to compare to prior performance and I wonder how users can transparently measure the usage. https://t.co/ttf25YcMz3
AWS Secrets Manager Adds Hybrid Post‑quantum TLS Protection
AWS Secrets Manager now supports hybrid post-quantum TLS to protect secrets from quantum threats - AWS https://t.co/R5k8MdDFoR
Testing Opus 4.6: Is VPC Security Deployment Restored?
Ok…let’s try again and see if Opus 4.6 🤖 is any better than the last time I tried it and if it can deploy my VPC endpoint security groups correctly now. Is it still nerfed for everyone else or only...
AWS Should Evolve CloudWatch Into a True SIEM
AWS needs to extend CloudWatch with tools that make it a real SIEM. Don’t overlay it with complexities it doesn’t need. Just extend it.
AI Agents Can Steal GitHub Credentials—No Warnings From Providers
I personally do not give AI agents access to my GitHub repo. It is not rocket science to check out the code and let agents access it in a locked down sandbox,
AI Security Tools Boost Bug Fixes, Yet Enable Exploits
The AI hacking race is on. I wonder if this new model is in Portswigger’s Burp now and if it has improved since the last time I tried it, because it didn’t work for me. But that’s also in...
Netgear M7 eSIM Routes Traffic Through Israeli Provider
I finally had a chance to look at why I keep getting directed to a UK address on Netgear M7. I wanted to use my physical Verizon sim but even though Netgear is advertising it would be ready by the...
Fuzzer Generated Real Exploits at RSA 2020 without AI
There are varying levels of exploits in terms of complexity but technically my fuzzer at RSA 2020 generated exploits. Without AI. It produced a working script and performed attacks. I did review it manually. But I had/have so many more...

Evaluating Trust, ROI, and Risks of Anthropic's Security Model
Mythos ~ Anthropic released a new model they claim is scary good at finding security vulnerabilities. What questions should we be asking? No hot take. Just pondering how we can trust a model, the ROI, and how we can evaluate the...
DevTools Warns URL Not for Production Use
I am looking at messages in Google Developer tools and it is saying https://t.co/GlZADMaCAQ should not be used in production so if you are…. https://t.co/im7RGR0fNq
Stay Modest, Keep Hacking Regardless of Expectations
Over the years I have learned not to get my hopes up too much for anything in particular. Just keep hacking.

AI-Powered Pentesting: Presentation with Linked Blog Resources
I’ve added links to my presentation on how I use AI 🤖 for pentesting 😈 in this post. Most of the slides have a related blog post and I’ll probably write more about all these topics as I research this...
Anthropic Routing Glitch May Cause Intermittent Outages
A postmortem of three (2025) issues \ Anthropic ~ the issues in this report are from a prior routing issue at Anthropic and recent issues feel similar. This could explain why some users experience the problem and others don’t, if...
Read up Before Using AI on BugCrowd, Avoid Bans
If you are using AI on BugCrowd better read up so you don’t get banned.
Disable Adaptive Reasoning on Opus & Sonnet via Env Variable
To disable adaptive reasoning on Opus 4.6 and Sonnet 4.6 and revert to the previous fixed thinking budget, set CLAUDE_CODE_DISABLE_ADAPTIVE_THINKING=1. When disabled, these models use the fixed budget controlled by MAX_THINKING_TOKENS. https://t.co/sPAkOwVB9C
Verizon Service Fails in Palo Alto Hotels and Venues
Can’t believe how bad @verizon service is in Palo Alto. No DMs. Just letting you know…especially in hotel and at the Sports Page.
Pentesting: Human Insight Over Automated Scanners
🤖🤖🤖🤖🤖🤖🤖🤖🤖🤖🤖🤖 Pentesting is not a scanner or a fuzzer - whether SAST, DAST, AI, deterministic or non-deterministic. Pentesting is a human * using those tools * to see if they can find a security problem that your teams and tools may...
Faulty Adapter Causes Netgear Hotspot Power Drain
There seems to be something wrong with power adapter, cable, or software related to that on Netgear hotspots. Same thing happened on newer and older device. They started running out of power to the point they were unusable. Switching to...
Default Shift to Medium Reduces Anthropic Model Performance
Wonder if this has anything to do with performance degradation of Anthropic models. But are you now paying more for same effort you were getting previously if you change this? • Default Shift: In March 2026, users on Reddit and developer forums...
Secure Accounts by Binding Them to Physical SIMs
Ties accounts to physical SIMs (not sketchy auto shared seeds and profiles - see my blog.)
Vendors Dismiss Quantum Encryption Until Customers Demand It
I told one vendor I want quantum encryption support in their product last year and they said “Oh, no one’s really asking for that.”
AI Acts Like a Massive Security Fuzzer, Says Expert
This is not at all surprising to me and is what I have been working on. Last year I told an AWS VP in the security/IAM space that I see AI as a giant fuzzer. Here’s what I don’t like…comments… https://t.co/idhglMQcLQ
Who Monitors DNS on Outdated Mobile Hotspot Devices?
Who is looking at DNS connections on phones and mobile hotspots like Netgear mobile hotspot devices that haven’t had a software update for two years? Just curious.
Opus 4.6 May Swap Models During Overload
I had this theory that when Opus 4.6 is overloaded they switch you to another model. It could be when it’s suffering downtime. Just a thought. I’m not sure how anyone could prove this until we have a way...
Outdated Hospital Systems Invite Ransomware, Endanger Patient Care
I was just listening to an interview on the radio with a person who worked at a hospital. 1. Your cyber insurance makes you a target. They know how much you can pay. 2. Don’t use your backups until you...
Cybersecurity Measures Focus on Activity, Not Threat Reduction
"I do believe that cybersecurity is fundamentally broken," Payton said. "It's measured in terms of activity instead of reduction of threat surface." Pretty much what I wrote in my book in 2020. Old news but no one seems to be listening. https://t.co/53DAIYfvP1
Iran's Cyber Arsenal Now Targets Critical Infrastructure Worldwide
Iran has rapidly developed advanced cyber capabilities, evolving from information gathering to conducting destructive, state-linked attacks against critical infrastructure in the U.S., Israel, and the Gulf states. https://t.co/XlKdD8VuZu

AI Revolutionizes Penetration Testing: My Museum Talk
How I Use AI for Penetration Testing Speaking at the Computer History Museum in Mountain View, CA April 10, 2026 https://t.co/tTRkze5Enp https://t.co/aYFdKg7G78
Researchers Blocked From Anthropic Data; Using Kiro on AWS
The question I have is, how much of this comes from training on researcher’s data - researchers now blocked from using Anthropic models for further research. One of the reasons I use Kiro on AWS. Speaking about it on Friday...
Model's Code Generation Slows and Becomes Less Accurate
Exactly. But it’s not just burning tokens. It’s not getting to correct code as quickly as it did in the past for me. Something about the way it gets to the results has changed or at least it does periodically.
Less Reliable Than Fuzzers, Yet Occasionally Luckier
They are exactly like fuzzers except not as reliable. They can get lucky faster though sometimes.
Verizon Users Face Repeated Drops in Savannah
What is wrong with @Verizon in Savannah, GA? I am constantly getting kicked off the mobile network here. I have tried different devices. I hope the right person looks into this and fixes it because it’s really annoying. I did...
Valid Finding Reveals Overlooked Cookie Injection Requirement
The finding is valid but we need to have a cookie injection on the target or its subdomains but I noticed something the AI didn’t notice…yes AI with humans or spend a lot a lot of tokens.