PentesterLab (@PentesterLab)

10.9K posts

We make learning web hacking and security easier. Online systems, code review, videos & courses that can be used to understand, test and exploit bugs!

Melbourne, Victoria. Joined December 2011
0 Following, 204.7K Followers

Pinned Tweet
PentesterLab (@PentesterLab):
💥🐹 4 new Go Code Review Labs just dropped! 🐹💥 Read the code, peek at the diff, find the bug. Sharpen your skills: pentesterlab.com/badges/golang-…

PentesterLab (@PentesterLab):
Research Worth Reading - Week 24, 2026

This is why we can't have nice things...

🪲 Jupyter Enterprise Gateway
Another great write-up from the elttam team. As always, it’s well explained, with enough details to understand both the issue and the process they followed to get there. I also like this one because it shows how something that looks “only” like user-controlled configuration can become a much bigger issue once it reaches Kubernetes and privileged execution paths. elttam.com/blog/jupyter-e….

🤖 Measuring LLMs’ impact on N-day exploits
How much time do models need to create exploits for N-day vulnerabilities? A really interesting comparison of Anthropic models’ efficiency at building exploits for known vulnerabilities. Another signal, if you needed one, that your time-to-patch needs to shrink dramatically. red.anthropic.com/2026/n-days/.

🎆 Bypassing a 3 layer SVG sanitizer: Stored XSS in Mozilla
Some great content that reads like a course in application security: what was happening, why it was wrong, how to fix it, and the impact of the fix. I especially like the part where the sanitizer is called, but the sanitized output is not actually used. It’s such a good example of why code review is not about spotting the function name you want to see. You need to follow the data and check that the thing being validated or sanitized is the thing that gets stored or rendered. profile-chi-jade.vercel.app/writing/spring….

⚒️ Hacking Google with A.I. for $500,000
How much time and effort should you invest in a bug bounty target? This post gives a pretty good answer. It’s not just “use AI and bugs fall out”. It’s more about building a process around a hard target, mapping a huge attack surface, collecting the right inputs, and using AI to help scale parts of the work. A great write-up if you’re interested in how people find vulnerabilities in targets where the easy bugs disappeared a long time ago. brutecat.com/articles/hacki….

🤖 Statement on the US government directive to suspend access to Fable 5 and Mythos 5
Well, well, well, if it isn’t the consequences of your actions... After marketing Mythos as powerful enough to need special access and safeguards, Anthropic has now been asked to suspend access to Fable and Mythos for foreign nationals, including foreign-national Anthropic employees. They complied by blocking access to all customers. Any geopolitical AI expert probably had a busy weekend. anthropic.com/news/fable-myt….

🗞️ Last week @PentesterLab
I spent the week working on new content and updating our Security Code Review in Golang for Developers Training (pentesterlab.com/live-training) for an upcoming private session.

PentesterLab retweeted
tess3ract_x (@tess3ract_x):
Thanks to @PentesterLab for sending the stickers so quickly — shipped after just one day. Also, huge thanks to @Hacker0x01 for the PentesterLab Pro license. Really appreciated! #stickers #AppSec

PentesterLab retweeted
ju4dy (@jundybaba):
I just completed @Pentesterlab's Essential Badge!!! One step at a time.

PentesterLab (@PentesterLab):
A surprising number of people learn web security before they learn how the web works. We've added 4 new labs to our Web Fundamentals badge:
💻 Client-side code
🖥️ Server-side code
🗄️ Databases
🔑 Sessions
No hacking required. Just the foundations.

PentesterLab (@PentesterLab):
Research Worth Reading - Week 23, 2026

Golang and Weak Skill Scanners

🔐 Let’s talk about encrypted reasoning
A cryptographic look at the encrypted reasoning blobs that get passed back and forth when using the OpenAI and Anthropic APIs. I like this because it does what good security research should do: explain why the mechanism exists, build realistic threat models around it, and then actually test them instead of stopping at speculation: blog.cryptographyengineering.com/2026/05/29/foo….

👏 Golang code review notes II
Once again, elttam delivers! I’m a huge fan of little programming-language gotchas because they give you an edge as a code reviewer. These are exactly the kinds of details that turn "looks fine" into "wait, what actually happens here?". If you’re writing or reviewing Go, make sure you read this one: elttam.com/blog/golang-co….

🤖 The sorry state of skill distribution
Trail of Bits bypassed multiple scanners with the kind of tricks every supply-chain security person should already be worried about: hidden files, bytecode, prompt injection, and "trust me bro" explanations. The good news is that they published the skills on GitHub, so get ready for vendors to claim they can now detect them all: blog.trailofbits.com/2026/06/03/the….

🗞️ Last week @PentesterLab
Last week, we released 5 new labs in our JavaScript Sandbox Escape badge (pentesterlab.com/badges/javascr…). Make sure you check them out!

PentesterLab retweeted
Swissky (@pentest_swissky):
Thank you @PentesterLab, I love the stickers, kisses from France 😚

PentesterLab retweeted
Daniel W. (@ghostinthecable):
📢 Competition alert! Find our awesome @MalwareVillage team at @BSidesVancouver and play our new CTF (PANIC) 👾 The winner of each difficulty level will win a free 1-Month subscription to @PentesterLab! 🥳 A huge thank you to @PentesterLab for the collab 🤝

PentesterLab retweeted
7mei9 Mei9 (@ERICFLOW20):
Thank you @PentesterLab for the stickers, greetings from France

PentesterLab retweeted
Awazez (@awazez):
Received and put on my Mac! Thanks @PentesterLab

PentesterLab (@PentesterLab):
Research Worth Reading - Week 21, 2026

A great week to look into AI-assisted tooling

⚒️ evilsocket / audit
An 8-stage vulnerability-discovery agent based on Cloudflare's Project Glasswing. github.com/evilsocket/aud….

🤖 Autonomous fuzzing process under LLM supervision
Using LLMs to autonomously build and operate fuzzing harnesses. cert.pl/en/posts/2026/….

💰 StubZero: $148,337 RCE in Google Cloud Production
A really interesting write-up, mostly in terms of the investment and automation some hunters put into their target. brutecat.com/articles/googl….