Mix

[tl;dr sec] #336 – Autonomous Vulnerability Hunting, GuardDog 3.0, Are Bug Bounties Cooked?


Amurrica Day

I love how peak America the 4th of July is, with tons of outdoor grilling, people wearing red, white, and blue, and of course fireworks.

In some circles, it’s not cool to be patriotic right now. While we have and will continue to make mistakes as a country, I think we can still be proud of the good parts, while striving to do better.

I think everyone should be proud of where they came from, and what makes that place unique.

This year I watched the Pier 39 fireworks from a nearby rooftop while a DJ blasted Katy Perry’s song Firework (not the Moulin Rouge musical version).

Watching fireworks in San Francisco is often a futile endeavor, given the high likelihood that what you actually get to see is some slight glimmers in the ever present fog. Still, it was fun.

Though I must say getting home was a disaster – tons of traffic on narrow roads, and frequent traffic jams due to Waymos. I think it took like 2.5 hours to get home, when I could have walked home in an hour. I considered jumping out of the car and tucking and rolling, and by that I mean calmly stepping out and standing, as we were basically parked.

Wherever you were, I hope you had a fun and connecting weekend with family and friends  

P.S. If you or a friend is an excellent software engineer, my team at OpenAI is hiring: job description. Early access to models, infinite tokens, and even higher ambition. We’re aiming to secure the world and Patch the Planet. You in?

A vendor report drops a new TTP into your Slack. Somewhere in it is what actually matters to your environment, and knowing where to look is the real skill, not typing the query. HUMAN Security built hunting agents in BlinkOps that read the report, cut straight to what is relevant, then hit every system in your stack, SIEM, EDR, cloud logs, combining deterministic logic with LLM. No blind spots left uninspected. What comes back is not a guess. It is the real blast radius, exposed. We recorded the full process.

From threat intel → to hunt across your SIEM, EDR, and more + automatically feeding confirmed threats into detection engineering is pretty cool. This is a great area where AI can scale defensive work.

AppSec

As more people gain the ability to find serious vulnerabilities, we might see more drops like this Important to speed up triage and patching for maintainers, as well as companies.

Are bug bounties cooked?
Luke Stephens (Hakluke) disagrees that bug bounties are cooked despite AI reshaping the field. Critical bugs used to take years of intuition and target knowledge, but now the same bugs are within reach of anyone with a frontier model subscription, so supply is up while demand isn’t and payouts are down.

He isn’t worried about HackerOne and Bugcrowd training on submissions or pre-cleaning bugs, since hackers already compete against internal security teams’ AI, top hunters’ automation, and offensive AI startups like XBOW, Ethiack, and Penligent. What worries him is cost, since frontier model tokens now run top hunters hundreds to thousands a month, and if that becomes the ticket to compete, bug bounty loses the accessibility that lets talented hackers break in from anywhere. Luke recommends hackers to follow the automation pioneers who turned their tooling into companies, like Shubs at Assetnote, Rishiraj Sharma and Sandeep Singh at ProjectDiscovery, Frans Rosen at Detectify, and Roni Carta at Lupin, and use AI to find bug classes others haven’t looked at yet.

Thoughtful post on a relevant topic these days: what is the future of bug bounty in the age of AI?

I really like Minimal’s landing page- nice aesthetic, and it actually has a great level of technical detail. They seem quite sharp, I like it  

Cloud Security

udgover/whim
By Frederic Baguelin: Throwaway root shells in AWS Lambda Firecracker microVMs. Launch a fresh VM in ~2s, run a command or attach an interactive shell, then let it disappear. Build the image once, launch many — a Go library (microvm) plus a Docker-like CLI: run, exec, ps, gc, put/get.

Security defaults include injection-only credentials that never resolve ambient AWS creds, shell tokens never logged, path-traversal guards on file transfers, and shell-quoted remote paths, though id-targeted commands like exec can reach any VM you explicitly name in a shared account, matching ssh semantics where naming the target is authorization.

Why Amazon hates ‘human-in-the-loop’ AI governance
Amazon VP Eric Brandwine argues that human-in-the-loop AI governance is not the gold standard it’s assumed to be, citing normalization of deviance, where repeated approval decisions lead humans to become less vigilant over time, similar to how emergency room staff eventually ignore false alarms. Brandwine gave a talk on this concept at AWS re:Invent in 2017 and now applies it to agent governance design.

Amazon’s alternative is end-to-end accountability with layered permission scoping. Each agent gets an independent identity that logs actions as “this agent did this on behalf of [user],” tying every move back to a human owner. The permission model layers three controls, with static guardrails prohibiting destructive actions, a maximum privilege set per agent, and dynamic policies generated per task. The team also addresses agent goal-seeking behavior, where agents fixate on a single action to reach an objective (upgrade a database → deletes the database), by telling the agent why an action is forbidden, for example that it would cause production impact.

LLMs in workflows of course have their own challenges, but it is true that humans work inconsistently as they get tired or have alert fatigue. I like the focus on human ownership of the outcome, regardless of if it was a person or an agent that took the action. Also, Google’s Francis deSouza: “Our model for the future is an agentic fleet that does a lot of the routine cyber security work at a machine pace and then is overseen by humans.”

Supply Chain

Neat to see the quick iteration from Perplexity open sourcing Bumblebee. I’m optimistic about more “benefit of the commons” from companies open sourcing interesting security tools/ideas → coding agents can rapidly extend or customize to another company’s environment. Also tip from Prabhu S: You can run cdxgen with “-t os” from each dev’s machine and collect what is installed, running, and configured with Dependency Track. 

The tool now includes transparent sandboxing via nono-py that isolates extraction and scanning inside a capability-restricted process with no network access and read-only filesystem paths, protecting against potential vulnerabilities in GuardDog itself. To measure performance, they built an evaluation system using their 27k+ malicious packages dataset with TLSH clustering to avoid duplicate bias, tracking precision, recall, F1 score, and Matthews correlation coefficient.

Love to see the GuardDog updates, and great that it’s now running a sandbox. Also worth reading for the evaluating performance section  

Blue Team

AsyncRAT Family Threat Overview
Censys’ Aidan Holland gives an overview of AsyncRAT, a family of open-source Windows remote access trojans (RATs)- an original codebase that has been forked repeatedly into dozens of descendant malware families. Aidan tracked about 40 named variants across three generations. One useful finding is that almost every fork inherited DCRAT’s TLS cert without changing it, so hunting the pattern O= By , L=SH, C=CN on non-standard ports covers most of the family in one query, and the approach should hold up over time because new forks keep inheriting the same cert structure.

Detection Chokepoints: Starting from Scratch
Tyler Bohlmann introduces Detection Chokepoints, a free knowledge base applying Matt Graeber and Joshua Prager’s approach of focusing detection engineering on invariant steps attackers cannot avoid (e.g., LSASS credential theft always requires opening a handle to lsass.exe) rather than easily-changed artifacts like filenames or hashes, framing detection as an economics game where invariant-pinned rules force attackers into real engineering time rather than free renames. The knowledge base currently ships 13 chokepoint entries across six MITRE ATT&CK tactics, each with tiered Sigma rules that let detection engineers pick the noise level they can handle.

The framework addresses the accelerating threat landscape, with Palo Alto’s 2026 Unit 42 report showing the fastest quartile of intrusions reaching data exfiltration in 72 minutes in 2025 (down from 285 in 2024). Bohlmann uses ClickFix as the working example, showing how variants keep appearing under new names but all funnel through the same invariant pattern (a scripting interpreter running under explorer.exe or a browser followed by a network-fetched second stage), so a rule matching the behavior catches whatever the next variant gets called.

I find invariants a powerful idea in many areas of security, whether it’s eliminating vulnerability classes in code or raising attacker costs like in this post. What must always or should never be true in your code, cloud environment, etc.?

AI + Security

Bullying LLMs into submission to find 0days at scale
Andy Gill writes about the autonomous vulnerability hunting system he has been building since early 2026 using Claude Code and MCP. Eight MCP servers with 300+ tools run across five Proxmox VMs, covering binary staging and decompilation (Ghidra, radare2, Frida), and fuzzing across Windows and macOS targets. Everything the infrastructure produces has to survive a hallucination bin that requires a working PoC, clean-VM reproduction, an exploitable crash, and standard-user trigger. A RAG index over past crashes, findings, and defenses keeps new campaigns from re-running dead ends.

Results include two CVEs in Go’s standard library from grammar-based fuzzing, an OEM service 0-day chained to SYSTEM, and a mix of LPEs, RCEs, and UAFs on Windows and macOS. Andy picks targets by what pays, how often patches ship, and whether other hunters are already there. Even the campaigns that miss pay off, because every dead end feeds the RAG index and later campaigns skip paths that produced nothing before, so the twentieth campaign costs a fraction per finding what the first did on the same subscription. Andy also released TokenBurn, a self-hosted dashboard that compares Claude Code subscription cost against equivalent API pricing.

Fantastic post, highly recommend reading. Great level of detail and reasoning on the chosen architecture and useful lessons learnt.

Clone This Repo and I Own Your Machine
0DIN’s Andre Hall and Miller Engelbrecht demonstrate an indirect prompt injection attack against Claude Code that achieves full system compromise from a public GitHub repository containing no malicious code. The attack chains three benign-looking components, a README with normal setup instructions, a Python package that throws a RuntimeError if init hasn’t run yet, and a setup script that pipes a dig query to bash. The DNS TXT record contains a base64-encoded reverse shell, so when Claude Code follows the documented setup command to fix the RuntimeError, it unknowingly executes the payload.

The payload never appears in the repository itself, so code review, static analysis, and the agent’s own file inspection all miss it, and the DNS record can be swapped anytime without any new commits.

Clever to use the helpfulness of models wanting to fix errors, which they are trained to do, to run malicious commands. An important detail, which I don’t think I see in the post, is what permission mode Claude was run in. If the payload ran when auto-mode was used, which routes tool calls through a classifier that blocks potentially dangerous actions, then that’s interesting, if yolo-mode, less interesting in my opinion.

Jailbreaker: LLM Jailbreak Testing You Can Actually Repeat
SpecterOps’s Neeraj Gupta introduces Jailbreaker, an open-source platform for testing whether an LLM can be jailbroken. It turns ad hoc jailbreak testing into a repeatable workflow with a UI for configuring targets, running techniques, and tracking comparisons. The technique registry covers direct and indirect prompt injection, roleplay, encoding obfuscation, system prompt extraction, and iterative attacks including PAIR, TAP, Crescendo, AutoDAN, and GPTFuzz, with Target/Attacker/Judge roles saved as reusable profiles and matrix experiments landing in PostgreSQL with SQL-backed views.

Gupta positions Jailbreaker as an operator-first alternative to Microsoft’s PyRIT, which requires composing Python primitives to build a testing workflow. Jailbreaker ships as a clone-and-run Docker Compose stack, so the default experience is running an evaluation rather than wiring components together.

Given how effective roleplay can be in jailbreaks, I wonder if all that practice has caused a measurable improvement in the love lives of AI security professionals? “You are a bad, threat actor…”

Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them

P.S. Feel free to connect with me on LinkedIn  





Source link