• tl;dr sec
  • Posts
  • [tl;dr sec] #337 - Harnessing Harnesses, Generate Decoy Environments, Bug Bounty Singularity

[tl;dr sec] #337 - Harnessing Harnesses, Generate Decoy Environments, Bug Bounty Singularity

Survey for AI-powered vulnerability finding harnesses, programmatically build complex decoy cloud environments, building hackbots

Hey there,

I hope you’ve been doing well!

🍬 Grandma Seems Chill

In the San Francisco Bay Area, basically every billboard is about AI or tech.

But when I was traveling recently, I saw a “Gummies for Granny” billboard that brightened my day:

I imagined the meeting where the marketing leads were reviewing different framings for their products, and the right target demographic, and this is what they came up with 😂 

I wonder if they have other brands or stores. Mushrooms for Mommy? Doobies for Daddies? A Little Ket for the Family Pet?

Working in marketing must be delightful sometimes.

Sponsor

📣 The AI Security Starter Pack -
Securing AI apps, Models, and Agents

Unlock 7 of the most widely used AI security resources in one place. Apply real-world checklists, templates, and best practices designed to secure AI adoption.

Each asset provides practical, implementation-ready resources to secure AI apps, models, and agents across your environments.

What’s included: 

  1. State of AI in the Cloud 2026

  2. CISO AI Security Roadmap

  3. AI Security Board Report Template

  4. GenAI Security Best Practices Cheat Sheet

  5. Securing AI Agents 101

  6. Model Context Protocol (MCP) Security Best Practices Cheat Sheet

  7. LLM Security Best Practices Cheat Sheet

All of these AI security resources at once, sounds like Christmas 🤩 

AppSec

Soatok’s Informal Guide to Threat Models
Soatok gives a practical guide to threat modeling, emphasizing seven key questions: what you're protecting, who wants to harm it, how they might attack, prevention measures, asset relationships, assumptions being made, and deliberately unaddressed threats. He illustrates good threat modeling with his own Fediverse key transparency project and contrasts it with Matrix's incomplete threat model, which lacks cryptographic considerations and has remained largely unchanged since 2021 despite multiple vulnerability disclosures. Soatok demonstrates how proper threat modeling can lead to better security decisions, such as choosing passkeys over passwords to prevent credential stuffing, and compares two proposals for distributed end-to-end encryption.

The Bug Bounty Singularity: Our Hackbot
Joseph Thacker and JD built an autonomous hackbot by combining Claude Code skills for recon, fuzzing, and deep application analysis that found 126 vulnerabilities across five months of bug bounty testing. Ralph loops with an orchestrator kept it digging on strong targets and off weak ones, and a validation bot built only to disprove findings cut false positives from 80% to 60%.

“At one point, 80% of our tokens were being spent on auth.” The biggest jump came from keeping the bot logged in with a real browser on a physical machine, since the criticals are unreachable logged out. Of the 126 vulnerabilities, 88 were rated High or Critical and 89% were confirmed real once programs accepted them or closed them as duplicates. The single largest bounty was $15,000, more pending.

The top chains include a leaked Google API key escalated to Super Admin over roughly 60,000 users on Google's internal Delivery Readiness Portal, an unauthenticated Western Union endpoint returning full customer PII from a phone number, and a stored XSS on Raydium whose payload lived in immutable on chain Metaplex metadata and enabled a one click wallet drain.

💡 These are some cool and impressive bugs to be found by two (great) hackers building automation part time. I like how the post walks you through the evolution of their hackbot, and the various challenges they had along the way. Very practical. Also I wonder how many top bug bounty researchers have built hackbots that are net profitable after token costs, and what the profit margin range is.

Sponsor

📣 What if every app and agent had SSO without giving up control?

AI agents are becoming users of your infrastructure too. They need identities, authentication, and permissions, not shared API keys or blanket access. authentik lets you manage human and machine identities from one self-hosted platform. Secure every application with SSO, modern authentication standards, and flexible policies that evaluate context before granting access, whether the request comes from a person or an autonomous agent.

Identity is key. Also, used by CoreWeave, Cloudflare, and others, nice 👍️ 

Cloud Security

CloudTrail in CloudWatch isn't very good
Aidan Steele explores AWS's recommendation to migrate from the deprecated CloudTrail Lake to CloudWatch, finding the migration process poorly documented and missing key features like resource tags and global condition key enrichment that made Lake valuable. He describes the complex setup, requiring service-linked channels, separate org-level and management account rules, manual log centralization configuration, and CloudWatch-S3 Tables integration, with ~8-hour delays before events flow and InternalServerException errors when calling UpdateTelemetryRuleForOrganization to update retention.

The new CloudWatch approach lacks centralization by default (logs stay in individual accounts until separate centralization rules are configured), has unclear cost comparisons versus traditional trails (per-event vs per-GB pricing), and appears half-baked with no official AWS documentation or third-party blog posts explaining the setup, prompting Steele to publish his Terraform configuration to help others navigate the process.

Knossos: Procedurally Generated Decoy Environments
Praetorian's Mario Bartolome introduces Knossos, a deception engine that studies a customer's real cloud infrastructure to learn its naming conventions, tag vocabularies, CIDR allocation, and IAM patterns, then builds AWS decoy environments that look the same and come pre-seeded with attack paths. A Knossos component called Daedalus does the pattern learning, then works backward from an objective like data exfiltration to lay out an attack path. Each lure is a misconfigured resource that fits into the attack path, and Knossos surrounds each one with normal-looking resources so nothing stands out as unusually risky. The whole environment ships as Terraform HCL and is walled off by three isolation layers, network isolation, IAM permission boundaries, and SCPs.

Once deployed, Knossos watches attacker activity through EventBridge with per-lure telemetry detailed enough to show which path someone took and how long they spent on each step. Scores based on interaction rate, dwell time, and escape rate flow back into the style profile and shape what the next round of decoys looks like. To keep everything looking used rather than staged, an activity simulator sends realistic API traffic through the environment.

💡 This is a product description blog, which I normally don’t include, but the post has a great level of detail and I think deception and canaries are really interesting right now, given how it’s likely more attacks will be automated and end-to-end faster going forward, and how it’s now possible to automatically create realistic environments at scale using LLMs. Lots more work to be done in this space.

Blue Team

badchars/darknet-mcp-server
Tool by Orhan Yildrim that unifies 66 tools across 16 dark web and threat intelligence sources into a single MCP server, letting an AI agent query breach databases, ransomware trackers, Tor hidden services, malware sandboxes, stealer logs, blockchain forensics, and exploit databases in parallel rather than juggling 16 browser tabs. Sources include HIBP, IntelligenceX, AlienVault OTX, AbuseIPDB, the abuse.ch suite, Hudson Rock, Vulners, and Hybrid Analysis.

Adding a Detection Layer That Prompt Injection Can't Touch
Aaron Phifer writes about adding a behavioral detection layer to Triagewall, his self-hosted IDS alert triage tool that runs a fast prefilter for known-noise alerts and a local LLM for the rest, with base64-wrapping on attacker-controllable fields to make prompt injection harder. He added a layer that applies statistical process control per host, tracking alert_rate for volume spikes and novel_sid for first-ever signature triggers, both derived from the raw Suricata alert stream so nothing new has to be turned on. Neither depends on the alert text, so prompt injection can’t affect it.

💡 I feel like base64-wrapped text can probably still successfully prompt inject given enough effort. But I like the idea of using converting raw textual attacker input to aggregate stats or other numbers so they can’t prompt inject. Analogously, this makes me think of converting user input to a boolean or number type in a SQL query, thus rendering SQL injection impossible.

Red Team

28Zaaky/khaos-c2
By 28Zaaky: A post-exploitation C2 framework with a C-based agent that uses several Windows evasion techniques (indirect syscalls, ntdll unhooking, ETW/AMSI patching via hardware breakpoints) to evade EDRs. Traffic routes through five covert channels chosen to blend with services enterprises already trust: Microsoft Teams, GitHub Gist, DNS-over-HTTPS, generic HTTPS, and SMB named pipes.

GhostPack Necromancy: Reforging C# Tools with WasmForge
Praetorian's Michael Weber extends WasmForge (their Go-to-WebAssembly loader that takes existing signatured Go tools and ships them as opsec-safe binaries) to compile C# offensive tools to WebAssembly, taking GhostPack tools like Rubeus and Seatbelt outside the .NET runtime. The pipeline uses .NET's NativeAOT-WASI toolchain combined with three custom layers that handle wasm32-to-x64 calling convention mismatches, source-level incompatibilities, and missing Base Class Library functionality. Michael validates most Seatbelt commands line-for-line against Windows 11 and nearly all common Rubeus verbs against Game of Active Directory. The full WasmForge toolchain is available on GitHub.

AI + Security

Quicklinks

*Sponsored

gadievron/greenlight
Tool by Gadi Evron that autonomously handles Claude content-policy refusals during authorized vulnerability research evals, developed to benchmark where Claude Code's guardrails trigger exploitation-related refusals. Greenlight includes Skills that reduce refusal rates on some tasks.

DataDog/datadog-saist
By Datadog: An AI-native SAST tool that uses LLMs to find vulnerabilities in Java, Python, and Go code instead of relying on traditional parsing rules. The tool builds project context for more accurate analysis, generates SARIF reports, and supports Anthropic, OpenAI, and Gemini models across separate detection and validation stages.

💡 “SAIST fetches its AI analysis prompts (detection rules) from a Datadog-hosted API. This requires a valid Datadog API key and App key. Without these, the tool cannot function.” Boo 👎️ 

Harnessing Harnesses - Climbing the LLM Hills
Andy Gill gives a nice overview of harnesses, which wrap LLMs into effective AI-powered security research pipelines. A harness controls the whole orchestration layer around the model, inputs, tools, prompts, model selection, state, validation gates, and outputs across multi-stage workflows. Andy reviews several open-source harnesses including:

  • Gadi Evron et al’s RAPTOR for static and dynamic analysis with a six-stage validation pipeline that orchestrates static analysis, binary analysis, fuzzing, vulnerability validation and exploit generation.

  • Anthropic's defending-code-reference-harness find, grade and patch pipeline inside AddressSanitizer (aka ASAN) instrumented Docker containers.

  • Baby Naptime for runtime exploitation loops.

  • Evil Socket's Audit for an eight-stage Claude Code taint analysis pipeline.

  • Visa's VVAH, which emphasizes threat modelling and taint-flow analysis before agents begin hunting.

  • Alpha Omega’s Scrutineer, which has a skill-based scan pipeline, outputs structured findings, constructs a threat model, does reachability analysis, triages findings, and more.

His design principles for effective harnesses are stage-specific prompts, strict context budgets of 8K for single-function analysis and 32K for synthesis, RAG-based memory for reusing findings across runs, and structured artifact exchange between stages rather than shared conversation history. Andy released harness-kit, a template implementing a recon → hunt → validate → trace → report pipeline with model routing that reserves expensive models for validation while using cheaper ones for classification and summarization.

Misc

Music

Misc

AI

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋