Luke Turvey

4.8K posts

@TurvSec

Professional Hacker. Founder of PenTest reporting tool https://t.co/wU45D4wCUG Collects infosec tools like Pokémon cards at: https://t.co/HUC8oTdRCo

Buckinghamshire Joined May 2009
379 Following 7.7K Followers
Pinned Tweet
Luke Turvey@TurvSec·
VULNSY - A Pentest Reporting Platform for Security Teams Built by pentesters, for pentesters.
Luke Turvey@TurvSec·
@0xTib3rius @InsiderPhD I’m the same as this and it makes it very annoying trying to explain why I don't have a methodology to show clients lol
Tib3rius@0xTib3rius·
@InsiderPhD I don't use a methodology either. Methodologies are great for juniors. Seniors and above test using instinct and vibes.
Katie Paxton-Fear@InsiderPhD·
People always ask me about pentesting and I don’t think I could ever be a pentester: when I find my best bugs I very rarely follow any kind of methodology when I hack. I’m very much reliant on instinct and vibes. Once I’ve found 1 or 2 bugs I get bored too.
Het Mehta@hetmehtaa·
Since everyone is vibe coding now, are we slowly losing the skill to actually code and debug?
Luke Turvey@TurvSec·
I once witnessed a colleague raise a great high risk finding. Client was using S3 as part of their web platforms file upload. The issue he raised was you could download a browser plugin to remove the content-disposition header which *might* allow for download of malware or provide RCE (on Amazon?) 🙂
solst/ICE of Astarte
@0xTib3rius Once overheard a convo where a web app pentester was explaining to a client a “vulnerability”: if you log in, you can see the password in burp suite
Client: “but there’s https”
Web app pentester: “uhh maybe you ahh encrypt again with base64”
Luke Turvey@TurvSec·
The LG AI Sense Clean Dishwasher offers advanced cleaning performance with smart, resource-efficient features. Its AI Sense Clean technology uses digital turbidity sensors and deep learning to detect the level of dirt in real time, automatically adjusting cycles for optimal results while saving water and energy. The Auto Detergent Dispenser further enhances efficiency by dispensing the right amount of detergent based on dish soiling, allowing up to one month of use per refill. QuadWash Pro improves cleaning power and shortens wash time by using fine air bubbles, completing a full wash and dry cycle in just one hour for normally soiled dishes. For added convenience, users can update the dishwasher’s software via a mobile app, ensuring access to the latest features even after purchase.
Zack Korman@ZackKorman·
Barely related, but I always hated emptying the dishwasher growing up so when I got to uni I wouldn’t use the dishwasher we had and would just do it by hand and I kept that up until I was like 25 then one day decided to use a dishwasher again and oh my god it’s so much better than washing dishes by hand
solst/ICE of Astarte
I love cybersecurity (computers being silly) but I fucking hate cybersecurity (lamp shade on head, grifter bootcamps, 50 cold LinkedIn sales dms per day, soc2 auditors, DNSSEC, “omg Firefox rce, we are so cooked”, “omg Cisco hacked”, 99 billion feet peaks LEEKED, @snyksec)
Luke Turvey@TurvSec·
If you use @Burp_Suite and may find it useful to have all your target endpoints as an OpenAPI doc to:
- give to your clients for added value
- import to Postman for further testing
- use for bug bounty tasks
Here you go 😇
Luke Turvey@TurvSec·
@ZackKorman Okay nice nice. I took that learning point and came up with this name, what do you think?
Zack Korman@ZackKorman·
@TurvSec Just coffee. Drop the bean. Cleaner that way.
Zack Korman@ZackKorman·
Today reminded me of how important it is for junior people in cybersecurity to have the right mentors. If you ever feel unsure about what to do, please DM me. I will respond and try to help.
Luke Turvey@TurvSec·
@ZackKorman Can I have a job? I will pretend to be the AI until you have VC investment to pay for real tokens
Zack Korman@ZackKorman·
Soon I’m going to be able to talk about my startup, Embroidery, and what we do. But I need to ask for help.
I’m trying to build an AI cybersecurity company. That means I’m up against giant vendors that lie, cheat, and fear-monger their way to the top. I can’t beat that alone.
This industry has so many problems and we deserve better, but the only way to make it better is to beat the people who make it bad. That means I need help.
That doesn’t mean buying my product. It means doing what you can, big or small:
- If you see that my product might be useful to your company, help get me a meeting.
- If you know someone it might help, help put me in touch.
- If you don’t know anyone, help me with feedback. I need so much input from people. I’m always happy to jump on a call to talk no matter who you are or what you do.
- And if nothing else, just reply to my posts to say you don’t hate me. That helps me not quit.
I’ll post next week about what we are building, but I wanted to say this now. It’s awkward having to ask for help from people, but I don’t stand a chance without it. If you can help me, please know it means the world to me.
Worst Finance Takes@Lifeinvestmoney·
You're offered $3million but you have to show up at an office 5 days a week every week for 30 years and it's divided and paid out weekly.
Do you take it?
Luke Turvey@TurvSec·
@ShitSecure This is a very timely post, I literally just started looking at doing the same for testing and coding. I know pretty much nothing about local models. Is there a reason you chose Qwen3 27b over others? How have you set it up?
S3cur3Th1sSh1t@ShitSecure·
Making progress with an autonomous local Pentest LLM pipeline - using Qwen3 27b it's finding and verifying real vulnerabilities and creating a full report including Management-Summary already for us. 🧐 Better than many web vulnerability scanners as it even found e.g. IDOR.
Gergely Orosz@GergelyOrosz·
We now know AI agents broke a lot of past assumptions at GitHub on expected service load + growth. What other services / domains are next where load could/should surge thanks to more AI agents used to do stuff?
Zack Korman@ZackKorman·
@GergelyOrosz Project/task management software. Jira, trello, notion, etc.
Luke Turvey@TurvSec·
It's been a while..
Luke Turvey@TurvSec·
I used Opus for weeks before getting banned (now an approved cyber dude). But during that ban, I used Sonnet for 2 weeks and I noticed absolutely no difference in the quality of findings/exploit PoCs. It's really good imo.
Dunno if it's because I know what I want it to do versus Mythos just doing things where people don't know?
Zack Korman@ZackKorman·
You don’t need to steal access to Mythos, it’s already available in Claude Code it’s called “Opus 4.7”
Luke Turvey@TurvSec·
Well, the finding in this last case was a broken access control that lets basic users become admins (user=admin parameter in profile update endpoint).
Instead of fixing that parameter, the applied fix just produced a forbidden response to every endpoint under the /api/user/* path.
So now, not even admins can administer users anymore.
Welcome to the future!
SecInterviewHub@sec_hub93028·
@TurvSec Claude or Codex. Good for the industry bringing fixes immediately.
Luke Turvey@TurvSec·
The last 3 web app security assessments I have conducted, the developers have produced fixes for my findings within the day I raise them... This has rarely happened. More typical that orgs take weeks to implement a fix. Something tells me this is Claude's fault.