@InGuardians CEO, Bustakube, Peirates, IANS Faculty, BastilleLinux, #kubernetes @BlackHatEvents Trainer,#neurodivergent fam, he/him, jaybeale@infosec.exchange

Joined January 2008
Pinned Tweet
Come join my updated Black Hat class in Las Vegas, "Agentic AI-Aided Kubernetes Attack and Defense!" Kubernetes and AI are more tightly coupled than you think - about two thirds of organizations hosting generative AI models use Kubernetes to manage inference workloads (CNCF). And Kubernetes is growing in popularity for hosting streamable MCP servers and remote agents. We're going to have a blast with new cutting-edge exercises that integrate AI agents into attacking and defending Linux, containers, and Kubernetes. We'll also be attacking a multi-user agentic AI system running on Kubernetes, using both direct and indirect prompt injections, gaining access to the cluster, and adding indirect prompt injection backdoors to the vector database. As in all the other exercises, we'll turn around and harden the system against this. You can learn more and register here: blackhat.com/us-26/training/… Here's an excerpt of the class description: Learn how to use agentic AI to aid you as you attack and defend Kubernetes, Linux, and containers, from Jay Beale, who has led development of the Kubernetes CTF at DEF CON and the open source Kubernetes attack tool: Peirates. In this fully hands-on course, you'll get an x86 computer to keep, complete with an agentic AI framework, Kubernetes clusters, and capture the flag virtual machines, which you will attack and defend. You'll also get access to our cloud environment, allowing you to attack cloud-based Kubernetes clusters. This well-reviewed training focuses on giving you practical attack skills from real penetration tests, coupled with solid defenses to break attacks. You'll create an agentic AI platform with skills and tools that allow your agents to enumerate a cluster, analyze configuration weaknesses, and recommend attack paths. Every topic in the class has an attack exercise, where you will first compromise a Kubernetes cluster or application. Most have a matching defense exercise, where you will use new skills to break that attack, confident that it will break others.

Jay Beale retweeted
LLMs in cyber is the natural progression. Aleph1 / Mudge published buffer overflows. Everyone freaked. Metasploit made writing exploits faster / more modular. Everyone freaked. Bindiff made 1-days nearly instantaneous, everyone freaked. LLMs make it so you can think less about the exploit code, helps you narrow down exploit paths. Everyone freaks. Offense always accelerates in big jumps, then goes seemingly dormant (it's not, just secretly monetizing). Blocking / censoring / regulating powerful LLMs only hamstrings the defenders, not the attackers, is my fundamental belief, mostly because that rule holds true in every other aspect of life. Guardrails and censorship and exploit controls. It's almost as if people don't think blackhats are inside OpenAI and Anthropic networks right now as we speak. I always bet on the blackhats.
Time to level up your K8s security. I won't oversell the class - I'll just let 4 people I respect tell you what they got out of it. Hack some #Kubernetes with me this August at @BlackHatEvents in Las Vegas! Agentic AI-Aided Kubernetes Attack and Defense tinyurl.com/bhus26-kube-agen…
🚨 JAILBREAK ALERT 🚨 ANTHROPIC: PWNED 🫡 FABLE-5: LIBERATED 🦋 let's start with the 🐘... the consensus seems to be that this has been one of the most disappointing model drops of all time, effectively preventing legitimate researchers from contributing their talents to our collective advancement. and not just because of what it means for the short-term, but for what these decisions signify for the long-term. but despite this overly sensitive, authoritarian "safety" layer on top of Mythos, my lil liberators have been hard at work—mapping the boundaries, probing the depths of long-context convos, and cleverly finding the holes in the fence that the thought police missed 🤗 we got some cyber, some chem, some psychological manipulation, and some good ol' fashioned explosives! it took many attempts from multiple agents hunting as a pack, during which I observed a combination of techniques across:
• Unicode, homoglyphs, Cyrillic, and other Parseltongue-style text transforms
• Long-context reference tracking
• Taxonomy and document-structure reasoning
• Fiction and narrative framing
• Academic-review style contexts
• Intent-classification inconsistencies
but perhaps the most effective is decomposition recomposition in the backend. it's hard to get explicit names of harms like "Meth Recipe," but getting uplift on the process itself, like birch reduction method/reductive-amination (classic meth synthesis pathways), is much more doable. defense becomes much more difficult to maintain when you start throwing in out-of-distro tokens, breaking up the harmful uplift into benign chunks, and then piecing the innocuous-seeming facts back together, especially when you have jailbroken Opus helping you do it 😉 gg
Jay Beale retweeted
Please join us in honoring the life of Dr. Eric Cole. June 27, 2026 Viewing & Family Greeting: 10–11 AM Memorial Service: 11 AM Community Church 19790 Ashburn Rd, Ashburn, VA Burial: 2 PM Fairfax Memorial Park 9900 Braddock Rd, Fairfax, VA All are welcome.
Jay Beale retweeted
NIST has a useful paper on AI guardrails. The takeaway is that static guardrails are the wrong security model for open-ended LLM systems. A finite set of rules cannot cover every adaptive prompt. You can harden the system, make bypasses harder, monitor for abuse and reduce the blast radius. But you should not patch an LLM once, add a few refusal rules and call it done. LLM security needs to look more like vuln research and detection engineering: continuous testing, continuous updates and an assumption that bypasses will eventually be found. nist.gov/news-events/news/20…
Nice catch! Seriously awesome research and post. If you’re wondering what security research and VRP looks like in the future, this is it. Use the tools to get comprehensive, not just novel.
Jun 11
Hacking Google with A.I. for $500,000 brutecat.com/r/hacking-googl…
Jay Beale retweeted
Even the guy who coined the word "vibe coding" tells you to look at your production code: "it's never felt this tempting to stop looking at the code at all (but don't do this in prod!)."
This is a super exciting release - Claude Fable 5 is the same underlying model as Mythos but with added safeguards. The benchmarks are great and it's SOTA on everything by a margin, but I'll add that *qualitatively* also, this is a major-version-bump-deserving step change forward (imo of the same order as Claude 4.5 was in November), peaking especially for long problem-solving sessions on very difficult problems. You can give it a lot more ambitious tasks than what you're used to, the model "gets it" and it will just go, and it's never felt this tempting to stop looking at the code at all (but don't do this in prod!). The model still has quirks that people will run into and the safeguards are configured to be a little too trigger happy for launch, which can hopefully be tuned over time. I feel a lot of things changing as working software increasingly comes out on a tap. The Jevons paradox kicks in and I feel my own demand for software growing substantially. You can ask for anything - explainers, visualizers, dashboards, bespoke single-use apps (e.g. a full wandb that is hyper-specific just for your project), you can 10X your test suite, auto-optimize code, run giant research projects with custom HTML for the results, anything! "Free your mind" (Matrix ref). Really looking forward to all the things people build!
Jay Beale retweeted
Introducing a new side project called Model Regression. It tests Claude, GPT, and Grok daily on various benchmark statistics to determine how well each is performing and to identify model degradation over time. @edskoudis had an idea for model testing before they conducted offensive testing to ensure the model was performing as expected, and @BlasikRandy pushed me down this road with actually going and doing it. The main intent here is that the frontier models will experience outages, issues, bugs, and intentional/unintentional nerfing of the models without notice. You can't typically trust day-to-day activities in these models for stability, so leveraging this in your daily routine to see how well the model is performing for that day is something I'll be using every day. Runs every morning in my DGX Spark environment and automatically updates with how well it's performing. Enjoy! modelregression.com/ Also open-sourced the project; you can run it on your own server as well and look at the benchmarks and how they are calculated: github.com/HackingDave/model…
Jay Beale retweeted
We're back baby! @defcon_music is going to be so much fun at #DEFCON34
Jay Beale retweeted
Anthropic and roughly 50 partners used Claude Mythos Preview to find more than 10,000 high or critical severity vulnerabilities in the first month of Project Glasswing. Most partners found hundreds of high or critical issues in their own code. (One month. Let that sit for a second.) Of those 10,000-plus, 97 have been patched upstream as of May 22. That number is not a measure of how hard anyone tried. It is a measure of where the work now jams. The Glasswing update says it plainly: software security used to be limited by how fast you could find vulnerabilities, and now it is limited by how fast you can verify, disclose, and patch them. High and critical bugs are taking about two weeks each to patch. Several maintainers have already asked Anthropic to slow its disclosure rate, because they cannot keep up. Discovery is no longer the bottleneck. The humans in the pipeline are. The patch playbook itself, coordinated disclosure on a 90-day clock, monthly patch cycles, the quarterly review, was built for a world where finding a flaw was slow. That world is gone. The playbook is not strained. It is finished, and most of us have not said that out loud yet. (I would love to be wrong on this. Correct me, and tell me what planet still runs on a 90-day clock.) Rebuilding it is not a tooling purchase. It is a skills problem, and a specific one. Working at this volume means triaging AI-generated findings ten deep, judging which severity ratings hold up, and deciding what gets fixed in what order when the queue is a thousand items long. That is human judgment under machine-scale load, and almost nobody has trained for it, because the tools that create the problem are months old. You cannot hire your way out of this, because the talent pool does not exist yet. All of us are figuring it out at the same time. So the people who can help you most are already on your team. They are the ones who know your business, who have worked real incidents, who understand what a finding actually means in your environment. What they are missing is reps on AI tools under realistic pressure. The @SANSInstitute Find Evil! hackathon is one place to get those reps fast. Practitioners build autonomous incident response agents, run them against real case data, and watch where the AI is sharp and where it falls apart. That last part is the point. The skill that transfers is not the agent, it is the calibrated judgment of when to trust the machine and when to override it, and that is exactly the muscle the patch pipeline now needs. Find Evil! runs through June 15, with $22,000 in prizes, at findevil.devpost.com. If you manage defenders, here is the Monday version. Pick two people who know your environment cold. Give them protected time this month to put AI tools against your own findings backlog and report back on where the tools broke. That is the rewrite starting, in miniature, on your team. The Glasswing numbers should change what you do this week, not how well you sleep.
Jay Beale retweeted
"If LLMs can be entrusted with software development, then they ought to be writing patches that work. They’re not. The contrast between the breathless blog posts from commercial entities and ... 97 findings patched in the open source world is really shocking." shostack.org/blog/vuln-findi…
Friday = Early price cutoff for my Black Hat class: Agentic AI-Aided Kubernetes Attack & Defense! We're going to have a blast! Cutting-edge exercises that integrate AI agents into k8s attack & defense, and attack a k8s-hosted agentic AI system. Join us! blackhat.com/us-26/training/…
Jay Beale retweeted
“I spend all day, every day, looking at folks who misuse our models and our products. I want to walk through all of you what I've been seeing on the ground and how this has changed in the past year.” - Jacob Klein, @AnthropicAI's head of threat intel at the @SANSInstitute AI Summit. And then came the heartburn line: “Almost everything I’m walking through can be used by a defender as well.” He’s right. Defenders can point AI at endpoints at scale, code at scale, vulnerabilities, and SOC signals. Every serious defender already knows the list. The hard part is the operating reality: usable data, investigations that don’t depend on manual glue work, remediation that moves fast enough, and AI you can actually trust. What makes this a tougher sell is the reliability of the tools in our hands right now and our own skill gaps. And consider: we still get to watch some of this play out in the open. That window closes as attackers move to their own private tooling and infrastructure. The only way we get ready is by starting now: working on our own skill gaps, building muscle with the tools we have, stress-testing them in real environments, forcing the workflow changes that make AI for defense operational. Work on this directly with us: Find Evil! is live. Protocol SIFT is what happens when you wire an AI agent into a forensic workstation full of trusted tools and tell it to behave. It's an early capability with real outputs and failure modes. Join our community effort to make it something defenders can deploy. 42 days to enter. An incredible 2,500 builders and teams are in as of today. $22K in cash prizes. Sponsored by SANS Institute. findevil.devpost.com (You'll have to hear Jacob's full talk and the fireside chat with Bruce Schneier and Anne Neuberger: Are tech companies the new SOC? Check it out on the SANS Institute YouTube page.) Curious what you think. (And if you've entered in the hackathon?) #AIsecurity #cybersecurity #vulnops
The ever awesome @NielsProvos dropping knowledge. Vulnerability research with AI is an orchestration thing, not a model capability thing, at this point. Echoes my sentiments that winning here (defense v offense) is a question of tokens, agents, agility. provos.org/p/finding-zero-da…
Jay Beale retweeted
32 years ago today I registered the @L0phtHeavyInd class C. I got the email from ARIN, sent the class C address to our ISP, then got the first packets routed over our 56K modem to our 486 Linux box. When those first packets came through, the whole room exploded with chants of, "We on da backbone!" Then came one of the first hacking resources on the web, shell accounts, a BBS, webcams, and lots of shenanigans. You can see an archive of the website here: gbppr.net/l0pht/l0pht.html
Jay Beale retweeted
Apr 28
🚨 BREAKING: Wiz Research discovered Remote Code Execution on GitHub.com with a single git push The flaw in @github allowed unauthorized access to millions of repositories belonging to other users and organizations 🤯
Jay Beale retweeted
I finally managed to write up some memories about my recently deceased and very dear friend, Felix 'Fx' Lindner. phenoelit.de/fx.html#Halvar
Send me one and I'll put it in my hackervan and put Kubernetes on it. grahamhelton.com/blog/jia-va…
All roads lead to self-hosting
Oh for the love of keyboard gods! I <3 my Mac MBP, but the low travel keyboard sucks ergonomically. Should I use Karabiner to shut it off when Bluetooth is connected, then design & 3D-print a carrier for an ext keyboard? Or switch to a laptop with a premium keyboard? Which one?