[tl;dr sec] #292- HTTP/1.1 must die, AI + SAST, Google's Insider Threat Detection Tool
James Kettle argues HTTP/1.1 can never be fully secured, augmenting static analysis with LLMs, Google's talk + OSS tool for detecting malicious insiders
Hey there,
I hope you’ve been doing well!
🆕 Conference Coverage
I’m trying something new this issue!
Each section is largely composed of talks and/or tools from Hacker Summer Camp that seemed interesting.
There were hundreds of talks and tools so I haven’t had time to review everything, but I’m giving this a try to see if people like it. Feel free to let me know 👇️
How do you feel about this issue being largely highlights from Hacker Summer Camp 2025?
P.S. Last week I said I was going to be at the Level Up party, but HSC being as it is, I didn’t end up making it. If you were there and I missed you I apologize 🙏 Hope to catch you next time!
Sponsor
📣 Fortify Your Google Workspace, from Gmail to Drive. No Extra Headcount Required
Protect the email, files, and accounts within Google Workspace from every angle. Material Security unifies advanced threat detection, data loss prevention, and rapid response within a single automated platform so your lean team can do more with less. Deploy in minutes, integrate with your SIEM, and let “set-it-and-forget-it” automation run 24/7. Gain multi-tenant visibility with enterprise-grade security without enterprise overhead.
I like how quick Material is to get set up with, and how you can easily query across all the Google Workspace things.
AppSec
HTTP/1.1 must die: the desync endgame
This year on “James Kettle breaks most of the Internet,”™️ James argues that HTTP/1.1 must be abandoned due to fundamental flaws that make request smuggling attacks inevitable, specifically, that the boundaries between individual HTTP requests are weak. James introduces several novel classes of HTTP desync attacks, including 0.CL and Expect-based desync, and walks through critical issues in major CDNs like Akamai, Cloudflare and Netlify. (Black Hat abstract and slides)
This research resulted in $350,000 in bug bounties, and James has released HTTP Request Smuggler v3.0 for detecting parser discrepancies.
💡 They found an HTTP/1.1 desync internal to Cloudflare’s infrastructure, exposing 24M websites to complete takeover, for which they received… $7,000 -_- Shame! 🔔
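To make the "weak boundaries between requests" point concrete, here is an added illustration (not James Kettle's tooling or the talk's 0.CL/Expect variants): two minimal HTTP/1.1 parsers fed the same bytes, one framing bodies by Content-Length the way a front-end might, the other honouring Transfer-Encoding: chunked the way RFC 9112 requires. They disagree about how many requests are on the wire, which is the classic CL.TE discrepancy a desync attack needs. The byte stream, hostnames and paths are constructed for this example; all added code in this issue is Python.

```python
# Added illustration: two HTTP/1.1 parsers that disagree about where a request ends.
# The constructed stream below is a textbook CL.TE case, not one of the talk's new variants.

def split_head(buf: bytes, pos: int):
    """Parse one request head starting at pos; return (method, target, headers, body_start)."""
    end = buf.find(b"\r\n\r\n", pos)
    if end == -1:
        return None
    lines = buf[pos:end].decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, end + 4

def read_chunked(buf: bytes, pos: int):
    """Read a chunked body (empty trailer section assumed); return (body, position after it)."""
    body = b""
    while True:
        line_end = buf.find(b"\r\n", pos)
        size = int(buf[pos:line_end].split(b";")[0], 16)  # chunk-size, ignoring extensions
        pos = line_end + 2
        if size == 0:
            return body, buf.find(b"\r\n", pos) + 2  # skip the (empty) trailer section's CRLF
        body += buf[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF

def parse_cl_first(buf: bytes):
    """Front-end style: frames every body by Content-Length and ignores Transfer-Encoding."""
    reqs, pos = [], 0
    while pos < len(buf):
        parsed = split_head(buf, pos)
        if parsed is None:
            break
        method, target, headers, body_start = parsed
        length = int(headers.get("content-length", "0"))
        reqs.append((method, target, buf[body_start:body_start + length]))
        pos = body_start + length
    return reqs

def parse_te_first(buf: bytes):
    """Back-end style: Transfer-Encoding overrides Content-Length (RFC 9112 says to do this,
    and ideally to reject the request outright when both are present)."""
    reqs, pos = [], 0
    while pos < len(buf):
        parsed = split_head(buf, pos)
        if parsed is None:
            break
        method, target, headers, body_start = parsed
        if "chunked" in headers.get("transfer-encoding", "").lower():
            body, pos = read_chunked(buf, body_start)
        else:
            length = int(headers.get("content-length", "0"))
            body, pos = buf[body_start:body_start + length], body_start + length
        reqs.append((method, target, body))
    return reqs

def desync_counts(buf: bytes):
    """How many requests each side sees; any mismatch is a parser discrepancy."""
    return len(parse_cl_first(buf)), len(parse_te_first(buf))

# Constructed CL.TE stream: the front-end sees one POST whose body happens to contain a GET;
# the back-end ends the chunked body at "0\r\n\r\n" and treats the GET as the next request.
_BODY = b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
STREAM = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\n"
    + b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n"
    + b"Transfer-Encoding: chunked\r\n\r\n"
    + _BODY
)

if __name__ == "__main__":
    print("front-end sees", [(m, t) for m, t, _ in parse_cl_first(STREAM)])
    print("back-end sees ", [(m, t) for m, t, _ in parse_te_first(STREAM)])
```

The front-end forwards what it thinks is one request; the back-end answers two, and the smuggled GET /admin is served in the context of whoever's request lands next on that reused connection. Detection tooling like HTTP Request Smuggler works by hunting for exactly this kind of framing disagreement between hops.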
AI Agents for Offsec with Zero False Positives
XBOW’s Brendan Dolan-Gavitt (@moyix) describes techniques that enable AI agents to find vulnerabilities at scale, fully autonomously and with zero false positives. The key is developing robust exploit validators that can conclusively determine whether an exploit claimed by the agent is real, allowing the agent to make arbitrarily many attempts without increasing the amount of human effort needed to review the results. They tested thousands of web apps on Docker Hub and found over 200 zero days.
Detecting Taint-Style Vulnerabilities in Microservice-Structured Web Applications
Fudan University’s Fengyu Liu et al propose a novel security analysis approach, named MTD, that can detect taint-style vulnerabilities in real-world microservice applications. The approach consists of three phases: 1) MTD identifies the entry points accessible to external malicious users by applying a gateway-centric analysis, 2) MTD utilizes a new data structure (service dependence graph), to bridge inter-service communication, and 3) MTD employs a distance-guided strategy for selective context-sensitive taint analysis to detect vulnerabilities.
MTD discovered 59 high risk zero day vulnerabilities (31 CVEs) across 25 OSS microservice apps and 5 apps from Alibaba Group.
💡 Neat talk, this is a tough problem space and cool research! Some LLM usage, mostly around route rule extraction on slides 20-21.
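A toy version of MTD's three phases, added here as an illustration rather than the paper's code: a gateway-centric pass decides which routes are externally reachable, a service dependence graph links each remote call to the handler that serves it, and a distance-bounded search (a simplification of the paper's distance-guided selection) reports paths from entry points to a sink. The services, routes and sink are constructed.

```python
# Added illustration of MTD's phases on a constructed four-service app (not MTD's own code).
from collections import deque

GATEWAY_RULES = [("/api/orders/", "order-svc"), ("/api/users/", "user-svc")]  # path prefix -> service
ROUTES = {  # service -> {route: handler}
    "order-svc": {"/api/orders/create": "OrderController.create",
                  "/internal/orders/sync": "OrderController.sync"},
    "user-svc": {"/api/users/profile": "UserController.profile"},
    "inventory-svc": {"/internal/inventory/reserve": "InventoryController.reserve"},
    "report-svc": {"/internal/report/run": "ReportController.run"},
}
CALLS = {  # handler -> remote (service, route) calls it makes, forwarding request data
    "OrderController.create": [("inventory-svc", "/internal/inventory/reserve")],
    "OrderController.sync": [("report-svc", "/internal/report/run")],
    "InventoryController.reserve": [("report-svc", "/internal/report/run")],
}
SINKS = {"ReportController.run": "SQL query built by string concatenation"}

def entry_points(rules, routes):
    """Phase 1 (gateway-centric): only routes the gateway forwards to are attacker-reachable."""
    eps = []
    for svc, table in routes.items():
        for route, handler in table.items():
            if any(route.startswith(prefix) and target == svc for prefix, target in rules):
                eps.append((svc, route, handler))
    return eps

def service_dependence_graph(routes, calls):
    """Phase 2: handler -> handler edges, resolving each remote route to the handler serving it."""
    graph = {h: [] for table in routes.values() for h in table.values()}
    for caller, targets in calls.items():
        for svc, route in targets:
            callee = routes.get(svc, {}).get(route)
            if callee:
                graph[caller].append(callee)
    return graph

def find_flows(rules, routes, calls, sinks, max_distance=3):
    """Phase 3: distance-bounded BFS from each entry point, reporting paths that reach a sink."""
    graph = service_dependence_graph(routes, calls)
    findings = []
    for svc, route, handler in entry_points(rules, routes):
        queue, seen = deque([(handler, [handler])]), {handler}
        while queue:
            node, path = queue.popleft()
            if node in sinks:
                findings.append({"entry": f"{svc}{route}", "sink": node, "path": path,
                                 "distance": len(path) - 1, "why": sinks[node]})
                continue
            if len(path) - 1 >= max_distance:
                continue  # beyond the distance budget: would need full context-sensitive analysis
            for nxt in graph[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [nxt]))
    return findings

if __name__ == "__main__":
    for f in find_flows(GATEWAY_RULES, ROUTES, CALLS, SINKS):
        print(f["entry"], "->", " -> ".join(f["path"]), f"(distance {f['distance']}): {f['why']}")
```

Note what phase 1 buys you: OrderController.sync also reaches the SQL sink in one hop, but its route is never exposed by the gateway, so it is not reported; a naive per-service scan would flag it and add to the false-positive pile.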
Sponsor
📣 Get to Zero Alerts as Fast as Possible
Security teams lose hours chasing CVEs that are not actually exploitable in their code, while real supply chain attacks slip through the cracks. Socket protects your code from both vulnerable and malicious dependencies. We monitor every package release across all major open source registries in real time, flag threats within minutes, and use reachability analysis to slash false positives by up to 80%. Get started instantly—no setup and no code access required.
It’s been neat to see all of the malicious packages Socket has been catching, I appreciate their technical blog posts.
Cloud Security
Kernel-Enforced DNS Exfiltration Security: Framework Built for Cloud Environments to Stop Data Breaches via DNS at Scale
Black Hat talk by Vedang Parasnis building on his Master's thesis describing a framework (GitHub) built to disrupt DNS-based C2 channels and DNS tunnelling at scale by moving DNS exfiltration security directly into the Linux kernel. Using eBPF-driven endpoint security enforcement, the framework runs threat intelligence across the entire kernel network stack and mandatory access control layer, performing high-speed DPI by parsing DNS directly inside the kernel.
The framework also leverages a userspace deep learning model trained on diverse DNS payload obfuscation techniques, and supports dynamic domain blacklisting, dynamic in-kernel network policy creation, and threat event streaming.
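What "parsing DNS directly inside the kernel" amounts to is a byte walk over the UDP payload followed by a few cheap checks on the query name. Here is an added userspace illustration in Python (not the framework's eBPF code): it builds a wire-format query, parses the QNAME labels straight from the bytes, and applies tunnelling heuristics (long labels, long names, high-entropy client-controlled subdomains). The packets, domain names and thresholds are constructed assumptions for this example.

```python
# Added illustration: DNS wire-format QNAME parsing plus tunnelling heuristics (not the framework's code).
import math
import struct
from collections import Counter

def build_query(qname: str, qtype: int = 1) -> bytes:
    """Constructed sample: minimal DNS query (12-byte header + one question, QCLASS IN)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, flags (RD), qd, an, ns, ar
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split("."))
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_qname(pkt: bytes):
    """Walk the first question's labels directly from the bytes, as an in-kernel parser would."""
    if len(pkt) < 12 or struct.unpack("!H", pkt[4:6])[0] < 1:
        return None
    pos, labels = 12, []
    while pos < len(pkt):
        length = pkt[pos]
        if length == 0:
            return labels
        if length & 0xC0:  # compression pointer: not valid in a query's QNAME, treat as malformed
            return None
        labels.append(pkt[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None  # ran off the end without a terminating zero-length label

def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def tunneling_indicators(labels, zone_labels: int = 2):
    """Features of the attacker-controlled part: everything left of the registered zone."""
    payload = "".join(labels[:-zone_labels]) if len(labels) > zone_labels else ""
    return {
        "qname_len": sum(len(label) + 1 for label in labels),
        "max_label_len": max((len(label) for label in labels), default=0),
        "label_count": len(labels),
        "subdomain_entropy": round(shannon_entropy(payload), 2),
    }

def is_suspicious(ind) -> bool:
    """Thresholds are assumptions for this example; tune them against your own resolver logs."""
    return (
        ind["max_label_len"] >= 30
        or ind["qname_len"] >= 80
        or (ind["subdomain_entropy"] >= 3.8 and ind["label_count"] >= 4)
    )

BENIGN_QNAME = "www.example.com"
TUNNEL_QNAME = "zq7m3kx9vt2pwbn8fcr4hd0yl1usa5ge.t1.exfil.example"  # constructed base32-looking payload

if __name__ == "__main__":
    for qname in (BENIGN_QNAME, TUNNEL_QNAME):
        ind = tunneling_indicators(parse_qname(build_query(qname)))
        print(qname, ind, "SUSPICIOUS" if is_suspicious(ind) else "ok")
```

The same label walk is what an eBPF program does on the packet buffer, with the difference that a verdict there can drop the packet before it ever leaves the host; these static heuristics are also where the talk's userspace deep learning model takes over for the obfuscation schemes that stay under simple length and entropy thresholds.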
Consent & Compromise: Abusing Entra OAuth for Fun and Access to Internal Microsoft Applications
The blog version of the Black Hat talk (slides) by Eye Research’s Vaisha Bernard describing how misconfigured multi-tenant applications allowed him to gain access to 22 internal Microsoft services, including letting him administer Copilot, build his own version of Windows, approve his own bounty payouts and more 😅 The vulnerability stems from applications not properly validating the issuing tenant of access tokens, allowing authentication via any Azure AD tenant (e.g. your malicious one).
💡 Very cool walk through and findings. Also, a friendly reminder that researchers can find critical issues like this, nation states continuously break into companies via new Sharepoint and Exchange vulnerabilities, and Microsoft’s market cap is still ~$4T.
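The missing check, as an added illustration (not Eye Research's or Microsoft's code): for a multi-tenant app registration the v2.0 issuer URL contains the token's own tenant, so an issuer check that only confirms "this looks like Microsoft" lets any tenant in. The strict version pins the `tid` claim to an allow-list and requires the issuer to name that same tenant. Claims are assumed to come from a token whose signature has already been verified; the audience, tenant IDs and timestamps below are constructed.

```python
# Added illustration of weak vs strict tenant validation for Entra access tokens (not the talk's code).
import time

ISSUER_V2 = "https://login.microsoftonline.com/{tid}/v2.0"  # v2.0 issuer format; the tenant is in the URL

APP_AUDIENCE = "api://contoso-internal-service"          # hypothetical audience
HOME_TENANT = "11111111-1111-1111-1111-111111111111"      # hypothetical: the organisation's own tenant
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"  # hypothetical: anyone can create a tenant
NOW = 1_700_000_000                                       # fixed clock so the example is deterministic

def make_claims(tid: str, exp: int = NOW + 3600) -> dict:
    """Constructed decoded-claims dict for a token issued by tenant `tid`."""
    return {"aud": APP_AUDIENCE, "iss": ISSUER_V2.format(tid=tid), "tid": tid, "exp": exp, "sub": "u1"}

def validate_weak(claims: dict, audience: str, now=None) -> bool:
    """Audience, expiry and 'issuer is some Microsoft tenant': passes for every Entra tenant in the world."""
    now = time.time() if now is None else now
    return (
        claims.get("aud") == audience
        and claims.get("exp", 0) > now
        and str(claims.get("iss", "")).startswith("https://login.microsoftonline.com/")
    )

def validate_strict(claims: dict, audience: str, allowed_tenants, now=None):
    """Same checks plus: the token's tenant must be allow-listed and the issuer must name that tenant."""
    now = time.time() if now is None else now
    if claims.get("aud") != audience:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False, f"tenant {tid} not allowed"
    if claims.get("iss") != ISSUER_V2.format(tid=tid):
        return False, "issuer does not match tid"
    return True, "ok"

if __name__ == "__main__":
    for label, tid in (("home", HOME_TENANT), ("attacker", ATTACKER_TENANT)):
        c = make_claims(tid)
        print(label, "weak:", validate_weak(c, APP_AUDIENCE, NOW),
              "strict:", validate_strict(c, APP_AUDIENCE, {HOME_TENANT}, NOW))
```

If the app only ever needs to serve your own organisation, the simpler fix is to register it as single-tenant so the identity platform refuses to issue tokens from other tenants in the first place; the allow-list above is for apps that genuinely need to accept a known set of tenants.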
ECScape: Understanding IAM Privilege Boundaries in Amazon ECS
The blog version of Naor Haziz’s Black Hat talk (Abstract | Slides | GitHub PoC) describing “ECScape,” a technique to steal IAM credentials from other ECS tasks running on the same EC2 instance by impersonating the ECS agent.
ECS tasks retrieve credentials via a local metadata service with a unique credentials endpoint for each task. By leveraging how ECS identifies tasks in this process, a malicious actor could masquerade as the ECS agent and obtain credentials for any task on the host. No container breakout (no host root access) required.
The stolen keys work exactly like the real task’s keys. CloudTrail will attribute API calls to the victim task’s role, so detection is tough.
Mitigations: Use Fargate for isolation, disable IMDS access for tasks, isolate privileged tasks, and monitor for suspicious IAM role usage.
Supply Chain
When 'Changed Files' Changed Everything: Uncovering and Responding to the tj-actions Supply Chain Breach
Black Hat talk by StepSecurity's Varun Sharma and Ashish Kurmi on how they discovered and responded to the backdooring of the tj-actions/changed-files GitHub Action. The talk and whitepaper conclude with key lessons (don't use mutable references, such as tags like latest; baselining CI/CD pipeline activity is quite helpful) and defensive strategies (prefer immutable references, like pinning GitHub Actions to commit hashes; configure CI/CD runners with least privilege).
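The "pin to a commit hash" lesson is easy to lint for. Below is an added example (not StepSecurity's tooling) that walks a workflow file line by line and flags every `uses:` reference that is a tag, a branch, or missing entirely, treating only a full 40- or 64-hex commit SHA (or a digest for docker:// images) as immutable. The workflow text and the SHA in it are constructed.

```python
# Added illustration: flag GitHub Actions references that are not pinned to a commit SHA.
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")

def check_workflow(text: str):
    """Return (line number, reference, reason) for every mutable `uses:` reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local action: versioned together with the repository itself
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((lineno, ref, "container image not pinned by digest"))
            continue
        _action, _, version = ref.partition("@")
        if FULL_SHA_RE.match(version):
            continue  # immutable: a full commit SHA
        reason = "missing ref" if not version else f"mutable ref {version!r} (a tag or branch can be moved)"
        findings.append((lineno, ref, reason))
    return findings

SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (constructed SHA)
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@main
      - uses: ./.github/actions/local-lint
      - uses: docker://ghcr.io/example/tool:latest
      - run: npm test
"""

if __name__ == "__main__":
    for lineno, ref, reason in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
```

Keeping the human-readable version in a trailing comment next to the SHA (as on the checkout line) is the usual convention so that dependency-update bots can still bump the pin; a SHA pin protects against a tag being moved, not against the upstream repository itself merging malicious code, which is where the talk's pipeline baselining comes in.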
Your Traffic Doesn't Lie: Unmasking Supply Chain Attacks via Application Behaviour
Netskope’s Colin Estep and Dagmawi Mulugeta discuss BEAM (Behavioral Evaluation of Application Metrics), an open source tool that contains a novel technique for detecting supply chain attacks purely from web traffic—no endpoint agents, no code instrumentation, just insights from the network data you're probably already collecting. Basically BEAM builds a model of what each application’s (e.g. Notion, Spotify, Slack, …) behavior looks like, including user agent strings, DNS query patterns, time taken for requests and responses, time interval regularity, etc., and then identifies anomalies.
💡 This is a cool idea and I love that they open sourced their work. I also wonder how practical this is to deploy in practice. Like, how feasible is baselining each app (e.g. orgs having a long tail of apps)? What about apps that have highly variable behavior?
Blue Team
FACADE High-Precision Insider Threat Detection Using Contrastive Learning
Google’s Alex Kantchelian, Elie Bursztein, Casper Neo et al. present FACADE (Fast and Accurate Contextual Anomaly DEtection), Google’s internal AI system for detecting malicious insiders (GitHub). FACADE has been used to protect Alphabet by scanning billions of events daily over the last 7 years.
FACADE is a self-supervised ML system that flags suspicious actions by considering the context surrounding each action, using a custom multi-action-type model trained on corporate logs of document accesses, SQL queries, and HTTP/RPC requests. A novel contrastive learning strategy that relies solely on benign data overcomes the scarcity of incident data; combined with an innovative clustering approach, this makes FACADE highly precise, with a <0.01% false positive rate.
Autonomous Timeline Analysis and Threat Hunting
Google’s Alex Kantchelian, Maarten van Dantzig, Diana Kramer et al. introduce the Sec-Gemini digital forensic agent and its integration with Timesketch, the open-source timeline analysis tool. The agent can autonomously perform digital forensic analysis on the large and varied log volumes encountered in real-world incidents. They give examples of the agent’s proficiency in threat hunting (identifying and explaining evidence of system compromise without needing predefined attack signatures) and evaluate performance on a dataset of 100 diverse, real-world compromised systems.
From the slides: “Sec-Gemini finds 53% of critical indicators across millions of logs for under $3.” Neat.
💡 The “Exploration Graph as Agent Memory” section starting on slide 25 and the example after are particularly cool. I want to think about this more 🤔
Red Team
Zero Trust, Total Bust - Breaking into thousands of cloud-based VPNs with one bug
DEF CON 33 talk by AmberWolf’s David Cash and Rich Warren on how they found critical vulnerabilities in leading Zero Trust Network Access (ZTNA) solutions from Zscaler, Netskope, and Check Point. They demonstrate the process of external recon, bypassing authentication and device posture checks (including hardware ID spoofing), and abusing insecure inter-process communication (IPC) between ZTNA client components to achieve local privilege escalation. They show it’s possible to circumvent traffic steering to reach blocked content, exploit flaws in authentication flows to undermine device trust, and even run malicious ZTNA servers that execute code on connecting clients. Slides | Blog Post
Training Specialist Models: Automating Malware Development
Outflank’s Kyle Avery describes how a small, specially trained LLM (Dante-7B, based on Qwen2.5-Coder-7B) can outperform large generalist models at generating evasive shellcode loaders capable of bypassing Microsoft Defender for Endpoint. The model was trained using reinforcement learning with verifiable rewards (RLVR), allowing it to learn through trial and error without requiring a dataset of working examples.
The training loop was: “write me a shellcode loader”, and the reward function for the verifier tested that the shellcode loader compiled without errors, successfully made a callback to a Cobalt Strike Teamserver, and raised as few AV/EDR alerts as possible. Dante-7B performed better than much bigger models: DeepSeek R1, Gemini 2.5 Pro, Sonnet 3.7. See also Kyle’s Black Hat USA 2025 talk and this post by an OpenAI researcher and contributor to o1 on the value of training on verifiable tasks.
💡 Verifiable tasks and evals are where it’s at. See also Brendan’s talk on “AI Agents for Offsec with Zero False Positives” for more.
AI + SAST
More Flows, More Bugs: Empowering SAST with LLMs and Customized DFA
Tencent Security’s Yuan Luo, Zhaojun Chen, Yi Sun, and Rhettxie describe using LLMs to automatically identify sources and sinks in open source frameworks, which allowed CodeQL to reproduce more historical CVEs. They also developed patches for CodeQL’s data flow analysis (DFA) QL library addressing language feature challenges, including Java reflection handling, partial native method support, and value passing model optimization.
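The "more flows" mechanism is worth seeing in miniature. Here is an added illustration (not Tencent's CodeQL work): a tiny source-to-sink taint tracker over Python's own AST, with the source and sink lists as plain inputs. Run on the same constructed handler, it reports one flow with a conservative source list and two once a further framework entry point (request headers) is added, which is exactly the effect of letting an LLM fill in a framework's sources and sinks. The snippet it analyses is constructed, and the tracker is deliberately simple: forward, flow-insensitive, positional arguments only.

```python
# Added illustration: a minimal AST-based taint tracker whose findings grow with the source list.
import ast

DEFAULT_SOURCES = {"request.args.get", "request.form.get"}
DEFAULT_SINKS = {"os.system", "subprocess.call", "cursor.execute"}

def dotted(node):
    """'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

class TaintTracker(ast.NodeVisitor):
    """Propagates taint through assignments, concatenation, f-strings and calls, in source order."""

    def __init__(self, sources, sinks):
        self.sources, self.sinks = sources, sinks
        self.tainted, self.findings = set(), []

    def is_tainted(self, node) -> bool:
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.BinOp):
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):
            return any(self.is_tainted(v.value) for v in node.values if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.Call):
            if dotted(node.func) in self.sources:
                return True
            # a method on a tainted value (name.strip()) or a tainted argument: over-approximate as tainted
            if isinstance(node.func, ast.Attribute) and self.is_tainted(node.func.value):
                return True
            return any(self.is_tainted(a) for a in node.args)
        return False

    def visit_Assign(self, node):
        if self.is_tainted(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.tainted.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted(node.func)
        if name in self.sinks and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)

def analyze(source: str, sources=DEFAULT_SOURCES, sinks=DEFAULT_SINKS):
    """Return (line, sink) pairs where tainted data reaches a sink."""
    tracker = TaintTracker(sources, sinks)
    tracker.visit(ast.parse(source))
    return tracker.findings

SAMPLE = """\
import os, subprocess
def handler(request, cursor):
    name = request.args.get("name")
    host = request.headers.get("X-Target")
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
    subprocess.call("ping -c 1 " + host, shell=True)
    os.system("echo hello")
"""

if __name__ == "__main__":
    print("default sources: ", analyze(SAMPLE))
    print("extended sources:", analyze(SAMPLE, DEFAULT_SOURCES | {"request.headers.get"}))
```

The command injection on the ping line is invisible until request.headers.get is known to be a source; nothing about the sink side changed. The same holds in the other direction for sinks, which is why both lists matter and why the authors' DFA library fixes (reflection, native methods, value passing) matter just as much as the LLM-generated specs: a flow is only found when every hop between source and sink is modelled.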
Let LLM Learn: When Your Static Analyzer Actually 'Gets It'
Zong Cao, Zhengzi Xu, Yeqi Fu et al. describe an approach that found >70 previously unknown bugs in software projects including VirtualBox and medical device systems:
“We propose an innovative approach that facilitates incremental semantic knowledge learning using reasoning models. Our method reframes the role of static analysis; instead of relying directly on its predefined rules, we leverage it to identify and extract relevant code segments which serve as focused learning material for the LLM. We then strategically partition complex codebases into meaningful, semantic-level slices pertinent to vulnerability propagation. Leveraging these slices, our framework incrementally teaches the LLM—potentially guided by human annotations—to summarize and cache valuable semantic knowledge.”
Thinking Outside the Sink: How Tree-of-AST Redefines the Boundaries of Dataflow Analysis
Sasha Zyuzin and Ruikai Peng discuss Tree-of-AST, a new framework that combines large language models with abstract syntax tree analysis. It leverages a unique Locate-Trace-Vote (LTV) methodology that enables autonomous tracking of data flows within large-scale projects, even in the absence of predefined source patterns. Their system autonomously generates working exploits with a success rate above the industry average for similar tools.
Misc
AI + Security X threads
Dan Guido on AIxCC results - Some interesting trends and highlights. Congrats Team Atlanta for getting 1st, Trail of Bits for getting 2nd, and Theori for 3rd.
Feelz
School of Life - Why We Need to Take It Slowly in Love
Mark Manson - 14 Brutal Truths I Know at 40 and Wish I Knew at 20
HealthyGamer (Dr. K) - How to Be More Emotionally Available (And Why It’s So Important)
Hasan Minhaj - My Therapy Session with Dr. Gabor Maté
Stanford GSB - Last Lecture Series: How to Design a Winnable Game – Graham Weaver
My First Million - How to live a dope life | Tim Ferriss
Misc
KathaaVerse - Transform any book into your own interactive adventure
My First Million - Hormozi Teaches Me Everything He Knows in 90 Minutes
Scott Galloway on My First Million - The great USA reset: why I'm getting out now - Due to recent U.S. internal policy and how we’re treating other countries, Scott is shifting his portfolio to more EU and Asia stocks as he believes the U.S. may have a 10-15 year period of poor returns. tl;dr sec is not financial advice nor your financial advisor.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler