Ranking 20 pentesting tools, with offsec director @SwiftSecur1 How are they used, and why? (These are for REAL pentests, not web apps) youtube.com/watch?v=UL46Ex0F…

OffSec in the train #OffSec #OSCE3 #OSEE

🎩 🚩 Two new CVEs: CVE-2026-53770 and CVE-2026-54320 Closed two reports on open source projects and both landed a CVE. Sharing them because they hit the same blind spot: what happens to permissions when a user's state changes. Holding the vendor names and full write-ups until the disclosure window closes, but the bug classes are worth talking about now. - CVE-2026-53770, Personal access tokens retain team-scoped abilities after member removal or role downgrade (High): Personal Access Tokens stayed glued to their team and their permissions after the user was removed from the team or downgraded in role. The API authorized by reading the team_id straight off the token, without checking whether the user was still a member. Translation: an ex-member with an old token kept reading and modifying the team's resources like nothing happened. The code already had the correct validation on the session path. It checked live membership on every call. That same check never made it to the token path. The same question, "is this user still on the team?", got answered correctly on one route and skipped on the other against the same database. That's what makes it an implementation bug, not a design one. The pattern was already there, they just didn't apply it where it mattered. --- - CVE-2026-54320, Cross-tenant organization takeover via invitation acceptance with an unverified email (High, CVSS 8.4): Organization invitations could be accepted with an email that matched but was never verified. Creating an organization already required a verified email. Accepting or declining an invitation didn't. On identity providers with self-service signup, you registered the target email, left it unverified, accepted the invitation, and dropped into the org with whatever role the invitation carried, up to Owner. You cross the tenant boundary without ever touching the mailbox. Same pattern in both cases: authorization validates state when the credential is issued, then forgets to re-check it when the credential is used. If you've got a flow that handles membership or roles, go look at that gap. That's where these bugs hide. **Full technical breakdowns and vendor credits once the disclosure window closes.** #CyberSecurity #BugBounty #CVE #AppSec #OffSec #InfoSec

Will eventually be an offsec tool :)

Looking to start an @offsectraining in-person meetup in NYC - if you’re interested in participating or helping out, let me know Will be looking for presenters who are in NYC 🗽 #offsec #redteam #cybersecurity #meetup #hacker #hackermeetup #defcon #networking #cybermeetup #nyc

Are there any CTF/cyber range providers based in China(Chinese equivalent of HTB/THM/OffSec etc that offer public previews of some of these cyber ranges ?

It’s not about its offsec risks.., the govt doesn’t want China distilling the model our nation is investing trillions into and gaining on them in the AI / intelligence race

RON!! #OffSec #OSEE

I got OSEE. Thank you💜 @offsectraining #OffSec #OSEE

とりあえずそこ行ってから 取ってからまぁSANS選ぶかOffsec選ぶかの違いくらいですかね🤔

Is it just me or is Fable basically unusable? I'm getting usage violations for almost any request and for things that have nothing to do with offsec.

Big additions to the offensive security team this week. Taggart Solomon joins as Offensive Security Manager after 5 years of cyber operations with the U.S. Army, NSA, and USCYBERCOM. Indivara Kolluru is spending his summer with us as an intern working with our offsec team, researching how AI systems fail before attackers figure it out. Welcome, Taggart and Indivara. Drop them a congrats in the comments. #OffensiveSecurity #Praetorian #PraetorianGuard

🚨 THE GLOBAL OFFENSIVE IS LIVE Introducing the OffSec Global Leaderboard — ranked by XP. Earned by doing the work.Not videos. Not screen time. The actual work. The question is: where does YOUR country rank? 🔗 Check your rank now → bit.ly/4eaKPza Not earning XP points yet? Start here. bit.ly/3Q6DyZf Drop your flag your rank below. Let's see which country runs the board. 👇 #OffSecWorldCup #GlobalOffensive #TryHarder

I wish to take an offsec certification before the year runs out

🟢 Your AI security dashboard is green. All lights go. So was every dashboard that preceded a board-level AI breach this year. That's the Green Light Illusion — the most expensive blind spot in 2026 security stacks. Automated tooling reports zero vulnerabilities because it wasn't built to catch the threat classes that actually break LLMs, RAG pipelines, and agentic systems. We mapped the gap. The AI Blind Spot: Why Your Security Stack is Failing the Adversarial Test → bit.ly/4v3owTh #OSAI #AIRedTeaming #OffSec #TryHarder

If anyone want's to help fund OffSec Projects ^^. BTC: 1JKvVk4qrwzjj1d53HvegSUsMwJXL1QN13 LTC: Lfv8oVg2mj4Dge5cG6WaFbbeAfyvaABfW1 ETH: 0x968BcCFDB9486F9398E62d42aE336A4B2d233384 XMR: 4B1kJ1pRDT9TNEptAYA3ukXECmy4FeTP9Xh6FfPRU3Ld2gibvhwVWZkNcEdoVEsbq11R9TWvoKiFVSqBpBqzWSnKLWxHkmS