A copy button can be enough. ClickFix, CrashFix, InstallFix and FileFix all rely on the same basic idea. Get the user to do the first step for the attacker. The page might look like a CAPTCHA, a browser repair prompt or an installer. But once the command runs, the name of the lure matters less than what happens next. Our @jwdfir walks through the artefacts defenders should be looking for after the paste, from PowerShell and user-writable path execution to temp files, persistence, staging activity and follow-on network connections. By the time Digital Forensics and Incident Response teams are called in, the landing page may already be gone. The lure looks simple. The consequences usually aren't. 📌Read here: pentestpartners.com/security… #ClickFix #DFIR #IncidentResponse #Infostealer #CyberSecurity

We recently wrote about a config issue with the Shelly Gen 4 Wi-Fi switch. While our Alan Monie was poking around, he kept looking at how Bluetooth is handled across Shelly's modern device range and found another one. The Shelly Wall Display ships with Bluetooth enabled and RPC exposed over it. On most Shelly devices you can disable RPC independently of Bluetooth. On the Wall Display, you can't it's all or nothing. Why does that matter? The Wall Display's built-in temperature sensor overreads because it generates its own heat, skewing the readings. Shelly's fix was to bundle a separate Bluetooth temperature sensor instead. So, to use a feature Shelly advertised and sold the device on, Bluetooth has to stay on. And if Bluetooth is on, RPC is exposed. Anyone within Bluetooth range could connect to the device unauthenticated, reconfigure it, and pivot onto the home network. Shelly have addressed it in firmware 2.6.2, which is now in the stable branch. If you have a Wall Display, update now. If you don't use the bundled Bluetooth temperature sensor, you can just disable Bluetooth entirely in Settings. 📌Read here: pentestpartners.com/security… #IoTSecurity #BluetoothSecurity #SmartHomeSecurity #CyberSecurity

⏳ Two weeks to go until PTP Cyber Fest 2026. Day one starts with a scenario no organisation wants to face, but every organisation needs to be ready for. Our Ken Munro and Joseph Williams will be joined by Nick Holland from @Shoosmiths on our DFIR Panel, looking behind the scenes during a ransomware incident. The panel will cover the technical investigation, legal considerations, and the key decisions organisations need to make under pressure. 📍 The Fox Pub 📅 Tuesday 2nd and Wednesday 3rd June 🔗 View the full agenda and register for free here: events.rantcommunity.com/Cyb… #CyberFest2026 #DFIR #Ransomware #IncidentResponse #PenTestPartners #RANTCommunity

OT pen test findings need a different kind of context. A finding may be technically correct, but if the recommendation does not fit the environment, it will get pushed aside. Not because OT engineers are ignoring security, but because replacing equipment can be unrealistic, costly, or simply disproportionate to the actual impact. Do that too often and the important findings get lost. In our latest blog post, @cybergibbons explains why useful OT reporting needs more than a raw CVSS score. It needs context around impact, practical remediation, and longer-term strategy. He also breaks down common misconceptions in OT reporting and shows where recommendations often become impractical. A good OT report should not just tell plant teams what is wrong. It should help them work out what matters, what can be fixed now, and what needs to be planned properly. 📌 pentestpartners.com/security… #OTSecurity #ICSSecurity #CyberSecurity

AI in DFIR has a confidence problem. In our latest blog post, @jwdfir looks at why investigator judgement matters so much. He covers how easy it is to latch onto the wrong thing early in an investigation, why context is what turns artefacts into evidence, and what it actually takes to build a clear picture of what happened. He also puts AI to the test. Using event logs from a real DFIR challenge, he shows how an LLM produced a confident answer that still got key parts wrong. That is the risk. AI can assist in DFIR, but a confident answer is not the same as a correct one. 📌Read here: pentestpartners.com/security… #DigitalForensics #IncidentResponse #CyberSecurity #AI

There is a widely held belief that OT is too fragile to pen test. That simply connecting a laptop to an OT network will take down everything. This belief is wrong. Or, more accurately, it is a massive oversimplification of a much more nuanced reality. In our latest blog post, @cybergibbons breaks that down properly. Some OT devices are sensitive. Everyone serious in this space knows that. But that does not mean the whole environment is untouchable. The real job is knowing what can be assessed safely, when to stop, and how to work through a network in stages without creating risk. That is the difference between reckless testing and a competent approach to OT testing. 📌Read here: pentestpartners.com/security… #OperationalTechnology #OTSecurity #ICSsecurity #PenTesting #CyberSecurity

If you work in EU financial services, it is time to explore DORA. DORA was introduced because financial services now rely heavily on shared ICT platforms, outsourced providers, and complex digital dependencies. Regulators want financial entities to prove they can keep operating through disruption, not just document policies and hope they hold up. That is the real shift DORA brings... Resilience has to work in practice. It also raises the bar for supplier oversight, contractual control, and evidence that recovery processes hold up under pressure. 📌Read our breakdown here: pentestpartners.com/security… #DORA #OperationalResilience #FinancialServices #CyberSecurity #ThirdPartyRisk

Cloud environments are dynamic by nature. New services appear, teams change, applications scale, and permissions evolve over time. That makes IAM difficult to manage well, and when it is too permissive, attackers do not need public exposure or a complex exploit to get further in. Control plane access can be enough to modify the rules around sensitive resources and work around the protections already in place. In this blog post, we look at an Azure assessment where managed identity abuse let us modify the firewall rules protecting an Azure Key Vault, add our own IP address to the allowlist, and dump secrets. It also covers the IAM issues we see most often in cloud assessments, along with quick wins to reduce IAM risk. 📌 pentestpartners.com/security… #CloudSecurity #IAM #AzureSecurity #AWS #GCP #CyberSecurity

Ghidra is free, extensible, and helpful for reverse engineering firmware, but its learning curve is steep... In this blog post, Adam Bromiley (@OPSEC_failed) shares tips and tricks that make firmware reversing less painful, from finding the load address and interrupt vector table, through to defining a proper memory map and making better use of strings, scripts, LLMs, and more. It's a guide built from real research projects and a lot of hours spent in front of Ghidra’s UI. 📌Read here: pentestpartners.com/security… #ReverseEngineering #FirmwareSecurity #Ghidra #HardwareHacking #CyberSecurity

Some blog posts refuse to die. This is one of them. Back in May 2014, we published a guide on breaking out of Citrix and other restricted desktop environments. People have kept finding it, using it, and sending it around. So our Kieran Larking updated it with the newer breakout paths we see on modern Windows 10 and Windows 11 builds. Some old tricks no longer work. Others still do, just through different doors. The updated post pulls the techniques into one place and focuses on how people actually get out today. Bluetooth file transfer is one example of a newer angle that can matter on a physical endpoint. Dialog boxes and file pickers still get you to places they should not. From there, the practical pivots tend to be into whatever is still exposed, like PowerShell, Task Scheduler, Task Manager, and modern browser behaviour. It is less about one magic shortcut and more about chaining small gaps. If you run Citrix, VDI, or any restricted desktop setup, this is a useful checklist for hardening and for validating that your lockdown does what you think it does. 📌 pentestpartners.com/security… #RedTeam #PenTesting #CyberSecurity

EV batteries are becoming grid infrastructure. That brings real benefits for balancing short term peaks and troughs on the grid, but it also increases the impact of charger security failures. Our earlier EV charger research showed how compromised connected chargers could be switched on and off at scale to create disruptive spikes in demand. With bidirectional charging, the risk grows because chargers can switch between charging and discharging, which increases the power swing per device and creates a new impact for owners by remotely draining vehicle batteries. @TheKenMunroShow points out that as vehicle to home and vehicle to grid charging moves closer to wider rollout, secure design, secure defaults, and proper vulnerability handling need to be built in from the start. 📌Read here: pentestpartners.com/security… #Cybersecurity #EVCharging #SmartGrid #IoTSecurity #EnergySecurity

Ken Munro spoke at CISO 360 Americas in New York last week. His talk focused on discovering shadow tech. That means finding the smart devices in your buildings that can create back doors into an organisation. He also joined the “Quantum ready, AI resilient” panel on balancing innovation with trust, resilience, and human agency, alongside Rachael Sherman and Sounil Yu. #CISO360 #Cybersecurity #CyberResilience

Covert recording devices are cheap, easy to buy, and easy to use. That is what makes them risky. Tom Roberts bought an off the shelf audio bug for proof of concept work and found a concerning surprise. Several recordings were already on the device! The real risk is not a skilled attacker. It is everyday misuse, driven by frustration, curiosity, or spite. 📌 pentestpartners.com/security… #socialengineering #covertrecording #surveillance #infosec #cybersecurity

Ignoring the dodgy CGI, the l33t speak, and the questionable acting, our @TheKenMunroShow picks apart how much of Hackers (1995) would hold up in the real world today, and what we can learn from it. Some of it is nonsense. Some of it is surprisingly plausible. The most believable parts are the usually the least cinematic. Thirty years on, some of the security mistakes are still showing up. 📌pentestpartners.com/security… #cybersecurity #hackers #hackthegibson #otsecurity #HACKTHEPLANET

The EU Cyber Resilience Act applies to organisations that build, sell, import or distribute products with digital elements into the EU. That includes software, firmware, connected devices and embedded systems. It sets mandatory security requirements across the product lifecycle, covering secure defaults, vulnerability handling and update processes. From September 2026, reporting and vulnerability handling obligations apply. Full compliance is required by December 2027 for products to remain on the EU market. We break down what this means in practice and how teams should prepare. 📌pentestpartners.com/security… #CyberResilienceAct #ProductSecurity #EUCompliance #CyberSecurity #SecureByDesign

Our @AlanMonie reported a vulnerability to Carlsberg that exposed visitor videos and full names from its Copenhagen exhibition. The issue relied on low-entropy wristband IDs embedded in QR codes. There was no real authentication, and rate limiting wasn’t effective. With a bit of time and one laptop, it was possible to brute force access to other people’s photos and videos. Alan reported the issue through Carlsberg’s vulnerability disclosure program via Zerocopter. He waited. He retested when asked. After that, communication stopped, while the issue remained exploitable and disclosure was blocked. More than 150 days after the original report, we have published. This write-up walks through the technical details, the full disclosure timeline, and why responsible disclosure must include disclosure. 📌pentestpartners.com/security… #cybersecurity #carlsberg #responsibledisclosure #gdpr #vulnerabilitydisclosure #infosec

A single exposed secret led to compromise across AWS, GitHub, and Azure. There were no platform integrations and no shared identity architecture. The linkage existed entirely through reused, long-lived, overprivileged credentials. Once those secrets leaked, cloud boundaries stopped mattering. Each environment became a stepping stone to the next. This write-up breaks down the attack path and where small changes make a difference based off of lessons from testing. 📌 pentestpartners.com/security… #cloudsecurity #multicloud #cybersecurity #cloud #AWS #Github

As AI tools fill submission queues with low-value findings, VDP teams are being overwhelmed by trivial duplicates, automated XSS reports, and submissions that don’t help security teams fix real issues. As a result, important findings are increasingly delayed, missed, or buried in the noise. Our latest blog post by @TheKenMunroShow looks at what is going wrong in VDPs and gives practical ways teams can reduce noise, protect signal, and keep disclosure working as intended. 📌pentestpartners.com/security… #cybersecurity #vulnerabilitymanagement #VDP #AIsecurity #infosec #vulnerabilitydisclosureprogram

We investigated a macOS infostealer variant that, at the time, had not been recorded in the wild. Delivered via a single copy and paste terminal command disguised as a Homebrew installer, the malware harvested credentials, staged user data, and attempted exfiltration using only native macOS tooling. Network egress controls prevented data loss and contained the incident to one host. This case shows how quickly modern infostealers can operate without noisy tooling or exploits. Read the full breakdown of the fastest growing malware category in 2025 here: 📌 pentestpartners.com/security… #CyberSecurity #DFIR #ThreatResearch #MalwareAnalysis #macOSSecurity