Elli Shlomo

Introducing Claude Opus 4.8: it builds on Opus 4.7 with sharper judgment, more honesty about its own progress, and the ability to work independently for longer than its predecessors. Available today at the same price.

Remind me of the cloud and cost consumption issue in 2018, when everyone moved their assets to the cloud without tracking costs. The next move in 2016 will be AI cost tracking and bringing some people back.

Are we only one step from the AlphGo moment? An update on Project Glasswing, plus some fresh evaluation results from Mythos Preview. One of the capabilities that has been focused on since the very first tests is exploitation. This is an area where Mythos is a change over previous models and the latest results clearly back that up.

New "Critical" nginx RCE requires LFI as prereq and has 0 practical exploitation odds - CVEs & CVSS are the biggest slop in security and AI just keeps accelerating it

Another day of Hands-on keyboard attack with MDE

I love middleware, whether it’s in the cloud, AI systems, or anywhere else. AI desktop tools introduce many forms of middleware, and some of the examples mentioned in this article focus on the Claude desktop app on macOS, including its bridges and intermediary components that are not built in by default. cyberdom.blog/the-ai-middlew…

Someone at Microsoft definitely got paid by the character. 1️⃣ The Heavyweight Champion (144 Characters) New-MgIdentityAuthenticationEventFlowAsOnGraphAPreAttributeCollectionExternalUserSelfServiceSignUpAttributeIdentityUserFlowAttributeByRefYes. It manages user attributes during external B2C sign-ups. One typo here and you’ve completely broken your customer onboarding flow. 2️⃣ The PIM Time-Bomb New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest Only 65 characters, but easily the most dangerous. Accidentally tab completion to Assignment instead of Eligibility, and congratulations. You just granted a user permanent, active Global Admin rights, bypassing MFA and approval workflows. 3️⃣ The Data Exfiltrator Remove-MgExternalConnectionInformationProtectionLabelAssignment (118 characters). This drops security/sensitivity labels from 3rd-party data connectors (like ServiceNow). Run this in a cleanup script, and your encrypted corporate data is suddenly sitting exposed in the cloud. 4️⃣ The Race-Condition Nightmare: New-MgOnlineMeetingOnlineMeetingLiveShareHostedPresentation (90 characters). Handles advanced Teams meeting features. It’s notorious for API race conditions, so if your script triggers this a millisecond before the backend finishes provisioning the meeting object, it crashes with a cryptic 404. Save your keyboard and your sanity and stop using these autogenerated monstrosities. Drop down to raw API calls using a clean Invoke-MgGraphRequest. Your scripts will be shorter, faster, and far less likely to cause a self-inflicted incident.

Don't be this guy

@anton_chuvakin Security posture is depend on the sysadmin PTO :)

"If your security strategy relies on a sysadmin logging into a server to run apt-get upgrade on a Tuesday morning, you aren't running a modern security program; you’re running a historical reenactment society." #overheard

Our security bug bounty program is now public on HackerOne. We've run the program privately within the security research community, and their findings have strengthened our products. Now anyone can report vulnerabilities and get rewarded. Read more: hackerone.com/anthropic

🚀 The 2026 State of MSP Threat Report breaks down how threats are evolving across RMM, identity, endpoints, and AI-powered attack paths, with real data from the field and clear patterns MSPs can actually act on. okt.to/gA7CcP #MSP #Cybersecurity #ThreatReport

Tools, scripts, and research pocs for purple, AI security, forensic, and cloud security. github.com/guardzcom/secu…

GPT-5.5 just dropped and raises the bar for automated attacks and pentesting. Stronger vuln discovery, better white and black box performance, and sharper decision making, all at the application layer. It goes deeper into logic, wastes less time on basics, and focuses on complex issues like auth bypass, privilege escalation, and business logic flaws. Still, gaps remain, app context is limited, and benchmarks are biased toward known targets. What is tested is proven, and the rest is gray.

No exploit, no malware, no noise, just a compromised OAuth integration with enough access to slip straight into Vercel’s environment and expose what shouldn’t be exposed. Reach more! okt.to/BQ1wyV

Once I saw it, I told myself, "If it were truly that powerful, it should have stopped its own breach," and then I remembered the very old quote, "No one is immune."

😈Everything started with an AI app, even the breach. Another breach has surfaced (this time, Vercel), and once again, the root cause points to OAuth. guardz.com/blog/vercel-da…

Vercel experienced unauthorized internal access via a compromised third party AI OAuth app, affecting some customers vercel.com/kb/bulletin/ve…

From random input to device takeover 😈 One technique in a basic scam bypasses email security, fools detection tools, and grants attackers full device control. guardz.com/blog/from-keyb…