Offensive Security / AI Red Teaming @ NVIDIA. Ex-GenAI and OffSec Red Teaming Lead at Meta. Ex-Principal Consultant and Researcher @ NCC Group/iSEC Partners.

Joined March 2014
Current Status feels like this is no longer going to be fiction...
Aaron Grattafiori retweeted
Interesting bug, pre-auth server-side stack-based buffer overflow. Do we have more details?
‼️🚨 Unauthenticated attackers are gaining SYSTEM on domain controllers with crafted packets. The vulnerability being exploited is CVE-2026-41089, a CVSS 9.8 hole in Windows Netlogon, and exploitation in the wild has been confirmed. A patch has existed since May 12. Every DC still behind is not just vulnerable, but according to the Centre for Cybersecurity Belgium are also actively being pwnd.
Aaron Grattafiori retweeted
Fascinating! @google caught a cyber criminal group scamming 100,000 Americans via text message at scale using Gemini to quickly build fake gov and branded sites that stole credit card numbers and PII.
Today, we filed a lawsuit to permanently dismantle a group of organized cybercriminals accused of using AI tools — including Gemini — to scam Americans via fake text campaigns. Here’s what to know: ◾Our suit targets core software developers in a cybercrime operation known as the “Outside Enterprise.” The group has allegedly weaponized AI to quickly generate highly convincing fake government and brand websites intended to steal victims’ credit card numbers and personal information. ◾The group used AI and different Google products — including our trademarks and logos — as part of these phishing campaigns. ◾The scale of the operation is massive: More than 100,000 victims have been scammed, with losses estimated in the millions.
Aaron Grattafiori retweeted
We've known about LLM test-time compute scaling since @OpenAI o1. Yet 2 years later labs still report scalar evals for models; safety orgs are still surprised when a scaffold does better via 100x inference; and RSPs still ignore inference budget when deciding critical thresholds.
Aaron Grattafiori retweeted
Strong Model Alone = 70 Strong Model Good Harness = 85 Strong Model Good Harness Expert = 100
As far as we can tell, no. There is only anecdotal evidence, along with claims from AI pentesting vendors. If a strong model can do everything by itself, then what exactly have these vendors been building? It is understandable that people would prefer a story in which the harness, workflow, and surrounding infra matter a great deal. It's also why people keep flexing "0-days" in OpenSSL, FFmpeg, or nginx, despite limited real-world impact. That said, Niels Provos was not trying to sell anything, and he and several people have reported good results with IronCurtain despite using relatively weak models. Most importantly, what Google achieved with Chrome suggests that a good harness may be quite valuable. Google does not appear to have access to anything more capable than Mythos, which means they likely scanned Chrome using Mythos itself or something less powerful. Yet they still uncovered hundreds of bugs. There is, however, another explanation. Google may simply have better Chrome/V8 experts who can extract more value from Mythos. This remains our preferred hypothesis. What provides a real advantage: domain knowledge accumulated over many years, or a harness vibe-coded in an afternoon? We think the answer is fairly obvious.
Aaron Grattafiori retweeted
Replying to @calif_io
Are there public measurements of how much improvement good harness offers?
Aaron Grattafiori retweeted
Discovery of N-day vulnerabilities is largely solved at scale by the Mythos and Opus models, for both proprietary and open-source software. It’s time to seriously rethink vulnerability disclosure and time-to-fix timelines. Cascading effects across the software supply chain are becoming a serious bottleneck.
Frontier models are also really good at finding and exploiting n-day vulnerabilities, doing so on timescales of hours. Read about some recent work from my team studying these capabilities! red.anthropic.com/2026/n-day…
This is very concerning IMO. You don't know what's behind the API and nobody is reading the code or tool calls very closely these days. 😬 You could do some amazing bugdoors, intel, subtle weakening, get agents to execute just one extra command, etc.
This is a pretty striking shift toward Chinese models by American AI startups since the start of the year. substack.com/@profgmarkets/p…
Ok that's pretty funny and clever.
Replying to @TwoSevenOneT
EDRChoker uses Policy-based Quality of Service (QoS) to set hard bandwidth caps (throttling) on Endpoint Detection and Response (EDR) agents, causing them to always time out - effectively blocking them. #itsecurity #securityblog #altimalware zerosalarium.com/2026/06/edr…
Aaron Grattafiori retweeted
17 Oct 2024
N. Korean hackers steal US$3 bln in cryptocurrency since 2017 to fund nuclear program: report en.yna.co.kr/view/AEN2024101…
This is probably skewed towards high due to people under-reporting lower severity vulnerabilities. But it's still pretty ridiculous to see aggregated.
AI companies say their models are getting better at finding software vulnerabilities. Is that bearing out in public data? Introducing our Cyber Vulnerabilities explorer, which visualizes Common Vulnerabilities and Exposures (CVE) reported to the CVE Program since 2022.
😵‍💫
Replying to @EpochAIResearch
Understanding all the causes of increased disclosures is complicated. But we observe a sharp uptick in High and Critical CVEs around the time of Anthropic’s release of Mythos Preview to Project Glasswing partners in late March. OpenAI’s Daybreak cybersecurity program also launched in May.
RT @wongmjane: DeepSeek V4 “improved” the code and said nothing happened in Tiananmen Square on June 4, 1989
Aaron Grattafiori retweeted
Image taken from @atmoio but this explains perfectly how AI will not "find all vulnerabilities". You see that from Pwn2Own. That's not saying throw AI out, it's saying to do what we've always done, to turn over rocks while others are swimming in the pool.
Aaron Grattafiori retweeted
Good lord 🤮
"the population of AI-enabled actors is not only growing but also drifting towards the riskiest activities in our framework [...] If this trend continues, these operational techniques won’t be a differentiating factor anymore and will become the baseline tomorrow"
How well do the security community's techniques hold up against AI-enabled cyberattacks? We examined 832 malicious accounts and mapped their activity onto a longstanding database of tactics and techniques used by threat actors. Here's what we learned: anthropic.com/news/AI-enable…
Aaron Grattafiori retweeted
My final paper from my time at @GraySwanAI is out! In this ICML-bound collaboration with @mattmdjaga, Matt Fredrikson, and @zicokolter, we propose a new method for evaluating AI agents' ability to refuse potentially harmful cybersecurity queries 🧵 1/14
Classic
Replying to @trailofbits
In our simplest bypass, we prepended 100,000 blank lines to a malicious skill. ClawHub's scanner truncated the file before reaching the payload, then marked the skill safe. blog.trailofbits.com/2026/06…
This is the most interesting part: "The attack was discovered by Codex, which chained two techniques known to humans for a decade: a compression bomb and a Slowloris-style hold." blog.calif.io/p/codex-discov…
Aaron Grattafiori retweeted
Meta gave zero updates about the AI bot hacking incident until it got to the press. And when they do, it’s just tucked as replies under someone’s tweet. Congrats on laying off T&S and automating the accounts support with gullible AI bots tho, hope you liked that promo packet.
Even my Instagram account got hacked. The password got changed without my knowledge and I was getting different password reset attempts throughout yesterday. And I got repeatedly logged out from the IG iOS app. Quite concerning.
Aaron Grattafiori retweeted
OAIC's CFP is now open! The first conference dedicated to the cutting edge of the offensive use of AI is returning for its second year. Speakers will enjoy three nights at a four-star beachfront resort, which includes all meals and drinks, three exclusive parties, and a Michelin-star welcome dinner. Please see sessionize.com/offensive-ai-… for accepted topics.