How has AI-assisted development impacted secrets leakage?
Vibe coding with AI is fast, but how can we make it safer
The present and future of security for the Model Context Protocol.
Infographic with five new facts about the tj-actions attack.
Build resilient GitHub Actions workflows with lessons from recent attacks.
Disclosure and discussion of CVE-2025-30154 in action-setup.
A comprehensive methodology for investigating and tracking real-world supply chain attacks exploiting GitHub Actions
Using the tj-actions/changed-files incident to expose the raw reality of rapid response research in cloud security
Tips and tricks for handling the fact that conference talks and engineering blogs are often quilted from small omissions and half-truths.
A talk expanding on the ideas first shared in ramimac.me/scorecarding
Learn how AWS VPC Endpoint CloudTrail logs can help you troubleshoot endpoint policies and strengthen your network's security against data exfiltration.
A dense, practical walkthrough of scaling cloud security programs, distilled from the best talks and posts out there
Exploring the many (many) ways you can delete resources in AWS
A framework for understanding where your organization sits in its security canary journey
Breaking down three sophisticated cloud threat actors and how canary infrastructure could detect them, with diagrams
Responsibly disclosing risks in using SSM Command Docs for software distribution.
Examining why GuardDuty alone probably isn't enough for AWS threat detection
AWS WAF is definitely not the best DDOS prevention tech on the market. But if you're ever in the seat and it's the tool you have, here's your guide.
Documenting a minor AWS vulnerability where the RDS snapshot public sharing confirmation checkbox wasn't actually enforced
An analysis of the thousands of public SSM Command documents, including identification of secret leakage.
Expanding on Nick Frichette's discovery of enumerable OIDC providers in AWS using the known_aws_accounts dataset.
Deep dive into publicly exposed AWS DocumentDB snapshots, including a disclosure affecting millions of Cinemark customers
How to use Semgrep for Terraform security - from evangelizing secure-by-default modules to catching subtle IaC footguns
What happens when you leak AWS keys on GitLab instead of GitHub? Spoiler - nobody cared
Revisiting Scott Piper's 2020 analysis of AWS ABAC - things are only a little better
A curated set of references to bootstrap your work on any of Daniel Grzelak's 15 cloud security research ideas
Use Steampipe queries to identify and reduce over-privileged IAM permissions with Access Advisor
A simple Terraform trick to minify SCPs and stay under AWS character limits
Introducing a fifth AWS-specific phishing attack via SES email verification
A rapid fire tour of problems you'll encounter scaling a cloud security program past Scott Piper's AWS Security Maturity Roadmap
A surprising SSM default that can grant shell access when you only intended port forwarding
A practical walkthrough for setting up RDS IAM Authentication with a bastion host and SSM port forwarding
A rapid fire tour of problems you'll encounter scaling a cloud security program, with opinions on build vs buy
Practical guidance on when to use S3 Access Logs vs CloudTrail Data Events, and how to operationalize each
How to use Service Control Policies to allowlist AWS regions and services, dramatically reducing attack surface
A look at what AWS could (and should) do to harden their SSO device code authentication flow against phishing
Four AWS-specific phishing vectors beyond commodity credential theft, including SSO device code and CloudFormation attacks
Written companion to my DEFCON Cloud Village talk on getting your bearings in novel cloud environments
A methodology for rapidly orienting yourself in unfamiliar cloud environments and prioritizing the risks that matter
A BSidesCT talk analyzing over a dozen public AWS breaches, common root causes, and how to proactively secure your environment
A BSides Boston talk covering quick AWS security improvements for any organization plus big-picture considerations for enterprise environments
A survey of open-source tools for AWS IAM security, from PMapper and Parliament for assessment to Policy Sentry and Repo Kid for maintenance
A curated collection of the best non-Amazon resources for learning AWS security, extending the official Ramp-Up Guide
A BSidesCT talk on securing AWS environments, covering the shared responsibility model and open-source auditing tools like ScoutSuite
Announcing sadcloud, a Terraform tool for spinning up intentionally insecure AWS environments for testing and training
A 4-hour workshop from BASC 2019 covering the AWS shared responsibility model, open-source auditing tools, and hands-on CloudGoat exercises
Study notes from the CSA Security Guidance covering cloud concepts, governance, legal, compliance, and infrastructure security
Study notes from the ENISA cloud security report, covering risks, vulnerabilities, and information assurance requirements
Why I decided to pursue a part-time online master's degree in Information Security Leadership while working full-time as a pentester
A playbook for evaluating S3 Intelligent Tiering with napkin math, plus tips for derisking the migration
Adding a "Send Responses to Comparer" feature to the Autorize Burp extension for faster authorization testing triage
A rundown of Android security testing tools and methods, from Manitree and MobSF to drozer and manual testing
Fixing a false positive in MobSF's APK certificate analysis by checking the manifest for SHA256 usage
Adding optional flags to the S3 bucket enumeration tool for filtering private bucket output and controlling wordlist permutations
A small fix to aquatone's subdomain takeover detection for CloudFront, checking both HTTP and HTTPS
Revisiting Scott Piper's 2020 analysis of AWS ABAC - things are only a little better
Use Steampipe queries to identify and reduce over-privileged IAM permissions with Access Advisor
A practical walkthrough for setting up RDS IAM Authentication with a bastion host and SSM port forwarding
A survey of open-source tools for AWS IAM security, from PMapper and Parliament for assessment to Policy Sentry and Repo Kid for maintenance
Dozens of hours reading State of Cloud Security reports that I think miss the mark.
Doing security well? Then here are some tricks for pushing through the security questionnaire quagmire.
A universal theory for incrementally moving a cloud-native org to Zero Touch Prod, with AWS production access primitives
Why the security industry lacks small vendors fixing undifferentiated problems, plus 5 fixable gaps for security teams
Secure by Design is trending but we haven't seen a breakout startup - what makes selling secure defaults hard
Walking through the history and challenges of the RASP market, and whether the new ADR acronym will fare any better
Why there are so many *AST and *SPM startups, and why they keep getting acquired
How startups can build customer love and achieve rapid growth by word of mouth
Security’s pivot from 'Department of No' to 'Department of Yes' misses the real lesson - how to say 'No' the right way.
Practical tips for handling security alerts when you don't have a dedicated SOC
Asymmetric workloads are a double-edged sword - security can add outsized costs on orgs just as orgs can on us
Security Engineering is mainstream in certain circles - here's what we can learn from the challenges
Summarizing Wiring the Winning Organization and applying the lessons to security programs
Cross-company collaboration in security is rarely zero sum - a practical guide and call-to-action
First security hire is a weird job - here's a counterfactual guide on what to avoid
A comprehensive methodology for investigating and tracking real-world supply chain attacks exploiting GitHub Actions
Are agentic browsers the new Flash? A 2025 review of new attacks, vendor security layers, and a roadmap for navigating AI browser risks.
Wiz Research reveals the data behind Shai-Hulud's 2.0 long tail, the massive gap in cloud credential rotation, a potential link to the Trust Wallet incident, and how we finally "snipped the tail" on a month of ongoing infections.
Shai-Hulud 2.0 supply chain attack - reviewing the infection spread, victimology, leaked secrets distribution, and community response so far.
I am annoyed at the common traps security vendors fall into when producing research.
How secure are top private AI companies? Find out from our scans and disclosures.
Wiz Research has uncovered 550+ secrets hiding in plain sight. We worked with Microsoft to shut the door.
Detect and mitigate a critical supply chain compromise affecting over 100+ packages, organizations should act urgently.
Using the tj-actions/changed-files incident to expose the raw reality of rapid response research in cloud security
A deeper look at the Nx supply chain attack. Analyzing the performance of AI-powered malware, calculating incident impact, and sharing novel TTPs for further investigation.
Detect and mitigate a critical supply chain compromise affecting the Nx NPM Package. Organizations should act urgently.
Tips and tricks for handling the fact that conference talks and engineering blogs are often quilted from small omissions and half-truths.
How has AI-assisted development impacted secrets leakage?
Vibe coding with AI is fast, but how can we make it safer
Infographic with five new facts about the tj-actions attack.
A talk expanding on the ideas first shared in ramimac.me/scorecarding
How to analyze and prioritize CVEs in cloud security.
Build resilient GitHub Actions workflows with lessons from recent attacks.
The present and future of security for the Model Context Protocol.
Learn how AWS VPC Endpoint CloudTrail logs can help you troubleshoot endpoint policies and strengthen your network's security against data exfiltration.
Disclosure and discussion of CVE-2025-30154 in action-setup.
I'm joining the leading cloud security startup, hoping to "work for the Security Industry, at Wiz."
Security’s pivot from 'Department of No' to 'Department of Yes' misses the real lesson - how to say 'No' the right way.
Dozens of hours reading State of Cloud Security reports that I think miss the mark.
Doing security well? Then here are some tricks for pushing through the security questionnaire quagmire.
A dense, practical walkthrough of scaling cloud security programs, distilled from the best talks and posts out there
Exploring the many (many) ways you can delete resources in AWS
A framework for understanding where your organization sits in its security canary journey
Breaking down three sophisticated cloud threat actors and how canary infrastructure could detect them, with diagrams
Responsibly disclosing risks in using SSM Command Docs for software distribution.
Practical tips for handling security alerts when you don't have a dedicated SOC
Examining why GuardDuty alone probably isn't enough for AWS threat detection
AWS WAF is definitely not the best DDOS prevention tech on the market. But if you're ever in the seat and it's the tool you have, here's your guide.
Documenting a minor AWS vulnerability where the RDS snapshot public sharing confirmation checkbox wasn't actually enforced
An analysis of the thousands of public SSM Command documents, including identification of secret leakage.
Expanding on Nick Frichette's discovery of enumerable OIDC providers in AWS using the known_aws_accounts dataset.
A universal theory for incrementally moving a cloud-native org to Zero Touch Prod, with AWS production access primitives
Why the security industry lacks small vendors fixing undifferentiated problems, plus 5 fixable gaps for security teams
Four controls platforms can use when building a custom-domain feature to make it resilient to subdomain takeover down the road
Secure by Design is trending but we haven't seen a breakout startup - what makes selling secure defaults hard
Walking through the history and challenges of the RASP market, and whether the new ADR acronym will fare any better
Asymmetric workloads are a double-edged sword - security can add outsized costs on orgs just as orgs can on us
Security Engineering is mainstream in certain circles - here's what we can learn from the challenges
Deep dive into publicly exposed AWS DocumentDB snapshots, including a disclosure affecting millions of Cinemark customers
Summarizing Wiring the Winning Organization and applying the lessons to security programs
Why there are so many *AST and *SPM startups, and why they keep getting acquired
Every practical and proposed defense against prompt injection
How to use Semgrep for Terraform security - from evangelizing secure-by-default modules to catching subtle IaC footguns
What happens when you leak AWS keys on GitLab instead of GitHub? Spoiler - nobody cared
Cross-company collaboration in security is rarely zero sum - a practical guide and call-to-action
First security hire is a weird job - here's a counterfactual guide on what to avoid
Awesome secure by default libraries to help you eliminate bug classes
How startups can build customer love and achieve rapid growth by word of mouth
A playbook for evaluating S3 Intelligent Tiering with napkin math, plus tips for derisking the migration
Revisiting Scott Piper's 2020 analysis of AWS ABAC - things are only a little better
A curated set of references to bootstrap your work on any of Daniel Grzelak's 15 cloud security research ideas
Use Steampipe queries to identify and reduce over-privileged IAM permissions with Access Advisor
A simple Terraform trick to minify SCPs and stay under AWS character limits
From Turing tests to Private Access Tokens - tracing nearly 30 years of human interaction proofs
Introducing a fifth AWS-specific phishing attack via SES email verification
A rapid fire tour of problems you'll encounter scaling a cloud security program past Scott Piper's AWS Security Maturity Roadmap
A surprising SSM default that can grant shell access when you only intended port forwarding
A practical walkthrough for setting up RDS IAM Authentication with a bastion host and SSM port forwarding
A deep dive guide to securely building product features on top of AI APIs
A rapid fire tour of problems you'll encounter scaling a cloud security program, with opinions on build vs buy
Analyzing the RSA Innovation Sandbox finalists for Return on Security
Practical guidance on when to use S3 Access Logs vs CloudTrail Data Events, and how to operationalize each
How to use Service Control Policies to allowlist AWS regions and services, dramatically reducing attack surface
Curated guides for handling security at a startup or as the first security hire
A look at what AWS could (and should) do to harden their SSO device code authentication flow against phishing
Four AWS-specific phishing vectors beyond commodity credential theft, including SSO device code and CloudFormation attacks
Looking back at the notable public cloud breaches of 2022 with Houston Hopkins
Collected stories and insights from Staff+ Security Engineers on their career paths and work
A practical guide to purchasing and extracting value from security services like pentests
A curated meta-database of resources that compile lists of security incidents and breaches
Runbooks for removing secrets and sensitive data from Git history, whether in a PR or merged to main
A comprehensive guide to buying and getting value from security services, from scoping to vendor selection to assessment readout
Nearly 200 references compiled for my BSidesSF talk and tldrsec guide on buying security services
Walkthrough of 20+ real AWS breaches, their root causes, and lessons learned for proactive defense
How we defined security team values at Cedar and the process we used to get there
Written companion to my DEFCON Cloud Village talk on getting your bearings in novel cloud environments
A methodology for rapidly orienting yourself in unfamiliar cloud environments and prioritizing the risks that matter
A BSidesCT talk analyzing over a dozen public AWS breaches, common root causes, and how to proactively secure your environment
A BSides Boston talk covering quick AWS security improvements for any organization plus big-picture considerations for enterprise environments
A survey of open-source tools for AWS IAM security, from PMapper and Parliament for assessment to Policy Sentry and Repo Kid for maintenance
A compendium of OAuth 2.0 Authorization Code grant vulnerabilities that can be identified from an end-user perspective
Study notes from the CSA Security Guidance covering cloud concepts, governance, legal, compliance, and infrastructure security
Study notes from the ENISA cloud security report, covering risks, vulnerabilities, and information assurance requirements
Why I decided to pursue a part-time online master's degree in Information Security Leadership while working full-time as a pentester
A curated collection of the best non-Amazon resources for learning AWS security, extending the official Ramp-Up Guide
Adding a "Send Responses to Comparer" feature to the Autorize Burp extension for faster authorization testing triage
A BSidesCT talk on securing AWS environments, covering the shared responsibility model and open-source auditing tools like ScoutSuite
Announcing sadcloud, a Terraform tool for spinning up intentionally insecure AWS environments for testing and training
A 4-hour workshop from BASC 2019 covering the AWS shared responsibility model, open-source auditing tools, and hands-on CloudGoat exercises
Part 3 of a three-part guide focusing on hardening Chrome browser configuration for enterprise deployments
Part 2 of a three-part guide focused on hardening the ChromeOS configuration for enterprise use
Part 1 of a three-part guide covering the baseline device security posture for enterprise Chromebooks
Using the Shodan API to find and analyze typos in HTTP security headers across the internet
A rundown of Android security testing tools and methods, from Manitree and MobSF to drozer and manual testing
Fixing a false positive in MobSF's APK certificate analysis by checking the manifest for SHA256 usage
Adding optional flags to the S3 bucket enumeration tool for filtering private bucket output and controlling wordlist permutations
A small fix to aquatone's subdomain takeover detection for CloudFront, checking both HTTP and HTTPS
Wiz Research reveals the data behind Shai-Hulud's 2.0 long tail, the massive gap in cloud credential rotation, a potential link to the Trust Wallet incident, and how we finally "snipped the tail" on a month of ongoing infections.
Shai-Hulud 2.0 supply chain attack - reviewing the infection spread, victimology, leaked secrets distribution, and community response so far.
Wiz Research has uncovered 550+ secrets hiding in plain sight. We worked with Microsoft to shut the door.
Detect and mitigate a critical supply chain compromise affecting over 100+ packages, organizations should act urgently.
A deeper look at the Nx supply chain attack. Analyzing the performance of AI-powered malware, calculating incident impact, and sharing novel TTPs for further investigation.
Detect and mitigate a critical supply chain compromise affecting the Nx NPM Package. Organizations should act urgently.
Infographic with five new facts about the tj-actions attack.
Disclosure and discussion of CVE-2025-30154 in action-setup.
Are agentic browsers the new Flash? A 2025 review of new attacks, vendor security layers, and a roadmap for navigating AI browser risks.
Wiz Research reveals the data behind Shai-Hulud's 2.0 long tail, the massive gap in cloud credential rotation, a potential link to the Trust Wallet incident, and how we finally "snipped the tail" on a month of ongoing infections.
Shai-Hulud 2.0 supply chain attack - reviewing the infection spread, victimology, leaked secrets distribution, and community response so far.
How secure are top private AI companies? Find out from our scans and disclosures.
Wiz Research has uncovered 550+ secrets hiding in plain sight. We worked with Microsoft to shut the door.
Detect and mitigate a critical supply chain compromise affecting over 100+ packages, organizations should act urgently.
A deeper look at the Nx supply chain attack. Analyzing the performance of AI-powered malware, calculating incident impact, and sharing novel TTPs for further investigation.
Detect and mitigate a critical supply chain compromise affecting the Nx NPM Package. Organizations should act urgently.
Tips and tricks for handling the fact that conference talks and engineering blogs are often quilted from small omissions and half-truths.
How has AI-assisted development impacted secrets leakage?
Vibe coding with AI is fast, but how can we make it safer
Infographic with five new facts about the tj-actions attack.
A talk expanding on the ideas first shared in ramimac.me/scorecarding
How to analyze and prioritize CVEs in cloud security.
Build resilient GitHub Actions workflows with lessons from recent attacks.
The present and future of security for the Model Context Protocol.
Learn how AWS VPC Endpoint CloudTrail logs can help you troubleshoot endpoint policies and strengthen your network's security against data exfiltration.
Disclosure and discussion of CVE-2025-30154 in action-setup.
A dense, practical walkthrough of scaling cloud security programs, distilled from the best talks and posts out there
Exploring the many (many) ways you can delete resources in AWS
A framework for understanding where your organization sits in its security canary journey
Breaking down three sophisticated cloud threat actors and how canary infrastructure could detect them, with diagrams
Practical tips for handling security alerts when you don't have a dedicated SOC
Examining why GuardDuty alone probably isn't enough for AWS threat detection
Documenting a minor AWS vulnerability where the RDS snapshot public sharing confirmation checkbox wasn't actually enforced
A universal theory for incrementally moving a cloud-native org to Zero Touch Prod, with AWS production access primitives
Why the security industry lacks small vendors fixing undifferentiated problems, plus 5 fixable gaps for security teams
Secure by Design is trending but we haven't seen a breakout startup - what makes selling secure defaults hard
Asymmetric workloads are a double-edged sword - security can add outsized costs on orgs just as orgs can on us
Security Engineering is mainstream in certain circles - here's what we can learn from the challenges
Summarizing Wiring the Winning Organization and applying the lessons to security programs
Every practical and proposed defense against prompt injection
Cross-company collaboration in security is rarely zero sum - a practical guide and call-to-action
Awesome secure by default libraries to help you eliminate bug classes
How startups can build customer love and achieve rapid growth by word of mouth
A deep dive guide to securely building product features on top of AI APIs
A rapid fire tour of problems you'll encounter scaling a cloud security program, with opinions on build vs buy
Curated guides for handling security at a startup or as the first security hire
Looking back at the notable public cloud breaches of 2022 with Houston Hopkins
Collected stories and insights from Staff+ Security Engineers on their career paths and work
A practical guide to purchasing and extracting value from security services like pentests
Walkthrough of 20+ real AWS breaches, their root causes, and lessons learned for proactive defense
How we defined security team values at Cedar and the process we used to get there
Written companion to my DEFCON Cloud Village talk on getting your bearings in novel cloud environments
A compendium of OAuth 2.0 Authorization Code grant vulnerabilities that can be identified from an end-user perspective
A curated collection of the best non-Amazon resources for learning AWS security, extending the official Ramp-Up Guide
Announcing sadcloud, a Terraform tool for spinning up intentionally insecure AWS environments for testing and training
Part 3 of a three-part guide focusing on hardening Chrome browser configuration for enterprise deployments
Part 2 of a three-part guide focused on hardening the ChromeOS configuration for enterprise use
Part 1 of a three-part guide covering the baseline device security posture for enterprise Chromebooks
Using the Shodan API to find and analyze typos in HTTP security headers across the internet