A subtle AWS privesc hiding in SageMaker lifecycle configs, and what it reveals about execution roles.

Professional self-hosted phishing platform built for enterprises, red teams, and security providers. Deploy locally for complete control over campaigns, data, and infrastructure with unlimited simulations and full privacy.

Posted by esmurf - 39 votes and 9 comments

Generate HTML/SVG payloads for testing Server-Side Request Forgery vulnerabilities.

Posted by filippo_cavallarin - 17 votes and 0 comments

Utilizing the Chrome DevTools Protocol to delegate C2 HTTP-traffic.

With over 3 billion users globally, mobile instant messaging apps have become indispensable for both personal and professional communication. Besides plain messaging, many services implement...

Compromising Developers with Malicious Extensions - VS Code, Cursor AI, and the Backdoor You Didn't See Coming.

We're excited to announce Tracebit Community Edition, a completely free-forever platform to deploy security canaries.

Model Context Protocol connects LLM apps to external data sources or tools. We examine its security implications through various attack vectors.

Critical React RCE vulnerability (React2Shell CVE-2025-55182) threatens Next.js apps. Learn how to detect with JFrog Xray and patch immediately.

Cloud security starts with thinking like the adversary—hack, test, and assess cloud environments built from real-world attacks.

Reverse engineering a dummy KAISTDE format and generating parsers with Kaitai Struct.

Air-gapped cybersecurity assistant for security professionals. 100% offline AI-powered analysis tool for Nmap, Volatility, BloodHound, Metasploit, YARA, and more. Built for environments where cloud AI isn't available.

Deploy free honey tokens across your infrastructure in minutes. Real-time alerts when credentials are used. No credit card required.

A comprehensive guide on extending Burp Scanner with custom scan checks.

We break down a new infostealer attack that combines the ClickFix technique with a shared chat containing malicious user guides on the official ChatGPT website.

Welcome back! As we near the end of 2025, we are, of course, waiting for the next round of SSLVPN exploitation to occur in January (as it did in 2024 and 2025).

Weeeeeeeee. Before then, we want to clear the decks and see how much research we can publish.…