Rojan Rijal

@adnanthekhan What has been your experience with Bedrock like specially around the cost? Have been thinking of doing something similar for a different use case but I am not sure what the cost would be like.

Gato-X platform is starting to come together... This is a very simple example in my test org but I've used the tool to find impactful misconfigs in OSS projects already. Features: - Real-time monitoring of thousands of orgs using only a single PAT. - Ability to create bulk scans of up to 50,000 repos (takes 2-3 hours) - AI triage through Amazon Bedrock with ability to customize triage prompt per finding type. - AI report generation - does 80-90% of the work. All that's left is PoC creation! - Discord/Slack notify with ability to configure severity/vuln type thresholds. Runs on an 8 GB RAM Ubuntu VM on a Proxmox server in my office closet.

@disputifier @disputifier let us know if we can help in any way! No expectations or selling anything.

Just wanted to provide an update to everyone who has seen today’s news There was a security vulnerability which led to an exploit that a hacker used to refund Shopify orders across a handful of our clients. However, no clients have taken or will take any financial losses Most of these refunds were able to be canceled by the processor, and we will be reimbursing 100% of losses for any clients that weren’t able to cancel refunds. This issue impacted <.1% of our customers. Only a small number of customers on the Shopify app were impacted. Regardless, it was an absolute abhorrence that this occurred and is being taken extremely seriously. The issue was resolved permanently and will not occur again. Alert coverage If you are on Disputifier, your alerts will continue to function and prevent chargebacks. If you uninstalled Disputifier today, we will continue to handle alerts and refunds over the weekend regardless. It is important to ensure that we have an active collaborator access account in order to process refunds during this time. Impact to existing merchants As I mentioned, no clients will experience any financial loss from this situation. We did take our merchant-facing app down as a temporary measure. App access will be restored as soon as possible. Even while you cannot access the app, you will still be getting alerts and these will still be refunded. Go forward: Disputifier will continue to help protect merchants from chargebacks. We will invest heavily in cyber security and ensure that any vulnerabilities are prevented or promptly resolved. We will continue cooperating with law enforcement to bring this individual to justice. We truly appreciate everyone who’s reached out in support of us and look forward to sharing more updates as they become available. For any questions, please feel free to reach out to us at incidentresponse@disputifier.com

Yesterday a quasi-judicial body in Italy fined @Cloudflare $17 million for failing to go along with their scheme to censor the Internet. The scheme, which even the EU has called concerning, required us within a mere 30 minutes of notification to fully censor from the Internet any

If you are building a vibe coded app and launching a product out of it, hit us @OphionSecurity and we will do a security assessment and have actionable security measures ready within 72 hours. #vibecoding #security #cybersecurity

I just got access to an attacker's daily diary. Here is what I learned 👇 🕘 9:00 AM: Clock in. 🔎 9:12 AM: Google Dork says dev-login.company.com is still alive. 😎 9:30 AM: No rate limits, no auth. Just vibes. 🗃 10:00 AM: Dumped staging DB from test-api-v2.company.net. 😬 10:20 AM: Reused creds work on prod. Consistency is key. 🛡 10:45 AM: Oh no… a WAF! 😈 10:46 AM: JK, it’s only on www. Your 12 forgotten subdomains are unprotected. 🥪 12:00 PM: Lunch break. Your asset inventory is crying is forgottenland. 💀 2:00 PM: You schedule a pentest. 📅 2:01 PM: For next quarter. 🪄 3:00 PM: Still pivoting. Still no alert. 🎯 4:30 PM: Internal Jenkins on an old subdomain. Secrets everywhere. 💰 4:45 PM: Got user data, employee data, AWS keys. It’s a buffet. 🕔 5:00 PM: Clock out. Easy day. jk..... Attackers don’t follow your IR plan. They don’t wait for your quarterly pentest. They don’t work 9–5. They hunt exposed assets, old creds, shadow subdomains, public GitHub leaks, leaked data in SaaS that will give away more information or give PII etc. They’re hacking every minute. Are you? #attacksurfacemanagement #offensivesecurity #cybersecurity #hacking #continuousmonitoring #assetinventory #offensivemonitoring

I hacked UberEats in 2017. Here is the story. #ubereats #hacking #uber #cybersecurity #bugbounty

It was amazing to present at @_kernelcon_ today. Thank you for the gift KernelCon team! #kernelcon #offensivesecurity #researchontheroad

💥 Q1 Update from the Field: Real-World Hacking with Orion 💥 In Q1, we pointed Orion, our offensive Attack Surface Management platform, at a large enterprise to see what it could uncover. The results speak for themselves: 🔍 𝟵 𝘃𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗶𝗹𝗶𝘁𝗶𝗲𝘀 𝗿𝗲𝗽𝗼𝗿𝘁𝗲𝗱 🚨 𝟴 𝗖𝗿𝗶𝘁𝗶𝗰𝗮𝗹, 𝟭 𝗛𝗶𝗴𝗵 🤖 The High severity finding was discovered entirely by Orion with no human involvement 💰 Approximately $𝟰𝟱,𝟬𝟬𝟬 in rewards from responsible disclosure 🌐 Orion also surfaced multiple vulnerabilities in widely-used open-source software such as a supply chain vulnerability in a Microsoft repository The 9 issues had the potential to expose millions of users’ sensitive data including 𝗦𝗦𝗡𝘀, 𝗗𝗼𝗕𝘀, 𝗲𝗺𝗮𝗶𝗹𝘀, 𝗮𝗻𝗱 𝗮𝗱𝗱𝗿𝗲𝘀𝘀𝗲𝘀. If exploited, they could have led to major regulatory fines, incident costs, and increased insurance premiums. 𝗤𝟮 𝗴𝗼𝗮𝗹: 𝟱𝟬+ 𝗰𝗿𝗶𝘁𝗶𝗰𝗮𝗹 𝗳𝗶𝗻𝗱𝗶𝗻𝗴𝘀 𝗮𝗰𝗿𝗼𝘀𝘀 𝗺𝘂𝗹𝘁𝗶𝗽𝗹𝗲 𝗼𝗿𝗴𝗮𝗻𝗶𝘇𝗮𝘁𝗶𝗼𝗻𝘀. 𝗟𝗲𝘁’𝘀 𝗴𝗼 🔍⚔️ #OffensiveSecurity #AppSec #RedTeam #SecurityAutomation #BugBounty #ASM

RT @uraniumhacker: We are doing #VibeSecurityForAI If you are an AI startup (pre-seed or seed ) we will test your application for free. We…

Not yet a full multiplayer but doing some basic "Simon Says" style game with increasing difficulties. Will add leaderboard style system soon. Open to ideas to improve it further @levelsio taptastic.app

@aidenybai Not even kidding, @aidenybai you should look into integrating this into a phishing platform that security teams can use. It is killer to deploy quick phishing exercises in pentests.

Introducing Same.​dev Clone any website with pixel perfect accuracy One-shots Nike, Apple TV, Minecraft, and more!

tj-actions compromise is a great reminder that pinning the action/dependency to a commit SHA instead of a version tag is safer and securer. We monitor repositories of some public organizations, and most of them are safe because they use a SHA like tj-actions/changed-files@4edd678ac3f81e2dc578756871e4d00c19191daf. However, if an organization is pinning the malicious commit they are still vulnerable: 0e58ed8671d6b60d0890c21b07f8835ace038e67 stepsecurity.io/blog/harden-ru… #github #supplychain

🚨 Continuous Monitoring Prevents Million-Dollar Breaches 🚨 In cybersecurity, threats evolve but so should our defenses. At Ophion Security, we continuously monitor Fortune 500 companies’ public assets not just domains and IPs, but also SaaS services, cloud assets, and web applications that often slip under the radar. In October, we identified a vulnerability in a Fortune 500 subdomain that exposed highly sensitive PII (DoB, SSN, Addresses, Phone Numbers) to unauthenticated users. Fast forward a few months: Our continuous monitoring flagged a new but similar asset: a different domain, but familiar API patterns in its JavaScript. Recognizing the fingerprint of a shared infrastructure, we re-tested the vulnerability from October. It was still exploitable. We immediately reported it. 💡 Key takeaway? Cyber risks don’t end when you fix a single issue. Without continuous monitoring, this vulnerability could have gone unnoticed until an attacker found it first. 🛡️ Proactive security isn’t just an option it’s a necessity. If you’re not continuously monitoring your entire attack surface, someone else is. And they may not have your best interests in mind. #CyberSecurity #ContinuousMonitoring #BreachPrevention #AttackSurfaceManagement #CTEM #Pentest

I reached level 11 in Taptastic! 🎮 Final speed: Super Fast Tiles: 9 The pattern that defeated me: 🟩 🟨 🟨 🟨 🟦 🟦 🟦 🟨 🟦 🟩 🟩 🟨 Can you beat my score? #Taptastic #memorygame #challenge taptastic.app/?score=11

🧵 Securing Your @DecagonAI Chat Bot 🧵 We've seen a growing number of organizations using Decagon.ai's chat bot to enhance customer support with AI. A quick post on how to make sure you deploy it securely based on a recent issue we saw. 🚨 The issue? If X-Decagon-Auth-Signature isn't required, chat history can be accessed solely using X-Decagon-Auth-User-Id—which is often just a User ID from the core application. 🔍 Example scenario we tested: 1️⃣ Log into the company's core app. 2️⃣ Extract our User ID from the application. 3️⃣ Use it in Decagon's SDK to authenticate and load past chat history. 4️⃣ Identified ways to disclose User ID of other users in the company's core app. 5️⃣ Used other user's User ID to get their chat history. 💡 Why does this matter? User IDs, even if UUID-based, are often not private and can be exposed in various parts of an application. If the same User ID is used for Decagon authentication without a secure signature mechanism, an attacker could extract and replay it to access someone else's chat history. 🔐 Solution: Ensure your Decagon integration requires X-Decagon-Auth-Signature for proper authentication and does not rely solely on User IDs. ⚠️ Important: This is NOT a Decagon vulnerability, it's a misconfiguration that security teams should be aware of as companies rapidly integrate AI-powered tools. #genai #aisecurity #attacksurfacemanagement

Announcing: Ask Us Anything Security - A free security advisory for startups Security often gets pushed to the back burner at startups until something breaks or a big deal requires it. But what if you could get expert security guidance without the overhead? At Ophion Security, we have worked with startups and large enterprises to secure their products, cloud environments, and compliance posture without slowing down growth. As part of that mission, we’re offering free security advisory ask us anything, and we’ll personally reply with actionable advice. ✅ Worried about SOC 2, ISO 27001, or customer security questionnaires? ✅ Unsure if you’re protecting customer data correctly? ✅ Need guidance on securing your cloud infra, SaaS stack, or engineering workflows? ✅ Question about getting the right pentest done and what should be in scope? Drop your security questions here, and we’ll respond within 24 hrs, no strings attached: forms.gle/UtFbbD3m7Lbs78… #startupsecurity #growth #founders #security #TechStartups #CloudSecurity

Live chat histories contain treasure trove of data. From answers to security questions to credentials and more. We found a way to access it all in Cisco's Webex Connect. Read here: ophionsecurity.com/post/cisco-web… #vulnerability #vulnerabilitydisclosure #attacksurfacemanagement

As we build Orion actively, we run it against real world targets with disclosure policy. We did the same for Microsoft. Checkout the demo page to see how we are monitoring more than 4,000 users and 160,000 repositories of Microsoft and other organizations. app.storylane.io/share/uj1vg9vo… #githubactions #githubsecurity #bugbounty #attacksurfacemanagement