David Brosnan
@dbrosn
414 posts
Security Engineer | DevSecOps | Cloud | AI | Builder/Breaker of the Things
New York · Joined September 2013
464 Following · 107 Followers

David Brosnan reposted
Rob Fuller @mubix
In collaboration with a couple of other leaders in the industry we are releasing SecurityTitles.com - It's an attempt to provide transparency about role levels, expectations and (just for the US market currently) salary ranges. For leaders writing JDs and candidates alike.
David Brosnan reposted
SpecterOps @SpecterOps
Stop asking LLMs to “find vulns.” Start using them to understand code. @Sw4mp_f0x walks through using Claude Code as a force multiplier in app assessments - faster analysis, fewer false positives, better outcomes. Check it out: ghst.ly/4rA3uJd
David Brosnan @dbrosn
@leune Very solid list 😁. Love to see Mr. Robot make the cut. Was really fun working while the show was coming out and having non-security IT folk approach me about the scenarios/accuracy.
Kees Leune @leune
Essential Computer Science Lore
Watching a class of undergrad CS students work on a midterm exam for a C programming course was a good motivator to start putting together this list of “Essential CS Lore”. leune.org/2026/03/11/CS-…
David Brosnan @dbrosn
@Jhaddix Papa Roach blew me away first time I saw them live. Seeing Rise Against in September!
JS0N Haddix @Jhaddix
Went outside last night! Saw Rise Against and Papa Roach :)
David Brosnan reposted
JS0N Haddix @Jhaddix
⚠️ Giveaway time! ⚠️ 👇
📢 Our new course "Attacking AI" will be Feb 27-28! This two-day course equips security professionals with the tools and methodologies to identify vulnerabilities in AI systems. It's gonna be a BANGER.
Syllabus: payhip.com/b/2qPZ1
We are giving away two seats this week!
⁉️ How to enter the giveaway:
♻️ Repost this post = 2 Entries
🗣️ Reply = 1 Entry
❤️ Like = 1 Entry
David Brosnan @dbrosn
Nothing helps me understand the "it works" mentality of a full-time dev better than going down a rabbit hole of docs and blogs for what I thought was the simple question "what's the 'best' way to get an IP address from a hostname in Python" 😂
David Brosnan @dbrosn
@G0LDEN_infosec Yeah I've found it to be similar to "dreading" the gym. The thought of the session can be daunting, but once you start you just hit the flow.
Gunnar Andrews @G0LDEN_infosec
I still find it so wild how I struggle often to get started coding or hacking. But once I start, I will go for hours and hours and love it. I know it's a normal thing a lot of people experience, but it is still CRAZY to me how the mind works sometimes...
David Brosnan @dbrosn
Witnessing a total solar eclipse on an extremely cloudy day that magically got out of the way for totality really was one of the most surreal experiences of my life. Hope everyone got a chance to see!
David Brosnan @dbrosn
@mattjay I don't read as much as I used to but friends convinced me to start reading Mistborn and I've been loving it. Sanderson is great!
Matt Johansen @mattjay
Been reading a lot lately. Mostly Brandon Sanderson. What books are you guys reading these days? Anything great?
LiveOverflow 🔴 @LiveOverflow
What's your favorite secrets scanning script that you can just throw at a folder? Bonus points if it also handles domains and http endpoints
David Brosnan reposted
JS0N Haddix @Jhaddix
The next cohort of "The Bug Hunter's Methodology Live" will be:
US: March 2nd-3rd
EU: March 9th-10th
tbhmlive.com
Repost, like, and reply for a chance at a free seat!
New in v2.5 - More Burp, more JS analysis, more IDOR/MFLAC!
David Brosnan @dbrosn
@ippsec Recommend any specific resources? Interested to share your perspective 🙂
ippsec @ippsec
I've been learning microservices/grpc for the last couple of months. Really wish I did this sooner because I feel web/rest/etc really held back some creativity and it's hard to break out of some design patterns.
David Brosnan @dbrosn
Shoutout to @Jhaddix and his TBHM Live course for getting me to embrace mindmapping. All of the course content has been game changing for my workflow and I couldn't recommend it more! Check out tbhmlive.com for when the next set of courses are being held!
David Brosnan @dbrosn
@Jhaddix I was also not a fan of the mesh construction of HM. I ended up going with a Steelcase Leap and it has lasted me 4 years of punishment (got it at start of COVID) and is holding up real well!
JS0N Haddix @Jhaddix
‼️ Ok, fellow basement/office dwellers, I need some help! ‼️
I have been through 5 chairs in 5 years. I'm looking for suggestions. Needs to be ultra comfortable for long sessions and durable enough for long sessions.
I have tried:
DXRacer ❌ Too firm for long sessions
Maxnomic XL ❌ Arm broke off, too firm
Serta Office Chair with AIR Technology ❌ 1 wheel/caster area broke
Herman Miller ❌ I hate the mesh construction.
David Brosnan reposted
HackerOne @Hacker0x01
Congratulations to @NahamSec for hitting the million-dollar milestone on HackerOne! 🤑 NahamSec’s passion for ethical hacking helps protect the world’s top organizations by finding potential vulnerabilities before cybercriminals. Amazing work! 👏
David Brosnan reposted
SwiftOnSecurity @SwiftOnSecurity
Working in InfoSec watching the rest of IT
David Brosnan reposted
Jayesh Madnani @Jayesh25
🕵️‍♂️ Show & Tell: Here's how I exploited a simple issue on a target app using GraphQL that allowed me to take over any user's account 💰💰
This is a classic case of thinking outside the "box."
The app I targeted allowed inviting users to your organization. When an invite is sent to the victim, they get a link like http://targetapp/invitation/{token}. What was interesting was that the invitation link automatically logged a victim into their account and asked them if they wanted to accept the invitation. 🚨
This grabbed my attention, prompting the question, "Can I somehow acquire that invitation token?" Considering its potential to let me take over any person's account, I immediately delved deeper into the app and came across a GraphQL operation for retrieving the list of invited users:

{"operationName":"GetPendingMembers","variables":{"ID":"XXXX"},"query":"query GetPendingMembers($ID: ID!) {\n users: GetPendingMembers(ID: $ID) {\n invited { email\n role\n createdAt\n updatedAt\n __typename\n }\n __typename\n }\n}\n"}

Looking at this, I thought, "What if the 'invited' object has more info than shown?" So, I added the token parameter inside the invited object:

{"operationName":"GetPendingMembers","variables":{"ID":"XXXX"},"query":"query GetPendingMembers($ID: ID!) {\n users: GetPendingMembers(ID: $ID) {\n invited {\n token email\n role\n createdAt\n updatedAt\n __typename\n }\n __typename\n }\n}\n"}

Surprisingly, it worked! The GraphQL operation returned the token that was sent to the victim's email. Crafted a URI with the leaked token, like http://targetapp/invitation/{token}, and took over the victim's account.
Lesson: Always think outside the box. Instead of just hunting for vulnerabilities, notice odd app behaviors — they might lead you to unexpected weaknesses. Understand how the app works, find flaws, and outsmart the design.
👾 #BugBounty #AppSecurity #ThinkOutsideTheBox #HackerOne #BugBountyTips #SecurityTips #BugCrowd #InfoSec #Bounties #Bounty #Tips #Follow
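The defensive side of the write-up above, as an added example that is not part of the original post: a stand-in GraphQL validator and resolver showing why declaring `token` on the public invited-user type is the bug (the UI's query not asking for it protects nothing) and why removing it from the schema is the fix. The type name `InvitedUser`, the schema shape and the invite rows are assumptions, not the target app's real schema.

```python
"""Added illustration (not the post author's code) of the root cause behind
the invitation-token leak above: every field declared on a GraphQL type is
reachable by any client that can call the operation, whether or not the UI
asks for it, so a secret like the invitation token must not be declared on
the public type at all. No library is used; all data is constructed."""
from typing import Any

# Constructed pending-invite rows as stored server-side. `token` is the
# secret carried by the emailed http://targetapp/invitation/{token} link.
INVITES = [
    {"email": "alice@example.com", "role": "admin", "createdAt": "2024-01-01",
     "updatedAt": "2024-01-01", "token": "CONSTRUCTED-token-alice"},
    {"email": "bob@example.com", "role": "member", "createdAt": "2024-01-02",
     "updatedAt": "2024-01-02", "token": "CONSTRUCTED-token-bob"},
]

# Assumed type InvitedUser as effectively exposed (token declared) and as it should be.
LEAKY_SCHEMA = {"InvitedUser": {"email", "role", "createdAt", "updatedAt", "token"}}
HARDENED_SCHEMA = {"InvitedUser": {"email", "role", "createdAt", "updatedAt"}}

# Selection sets from the post: what the UI sends, and the probing variant.
UI_SELECTION = ["email", "role", "createdAt", "updatedAt"]
PROBING_SELECTION = ["token"] + UI_SELECTION

class GraphQLValidationError(Exception):
    pass

def validate_selection(schema: dict, type_name: str, selection: list[str]) -> None:
    """Reject fields not declared on the type, as a GraphQL server does:
    schema validation is the only barrier between a client and a declared field."""
    for field in selection:
        if field not in schema[type_name]:
            raise GraphQLValidationError(
                f"Cannot query field '{field}' on type '{type_name}'.")

def get_pending_members(schema: dict, selection: list[str]) -> list[dict[str, Any]]:
    """Resolver for `users: GetPendingMembers(ID: $ID) { invited { ... } }`;
    it projects each stored row onto exactly the validated selection set."""
    validate_selection(schema, "InvitedUser", selection)
    return [{f: row[f] for f in selection} for row in INVITES]

def response_leaks_token(response: list[dict[str, Any]]) -> bool:
    return any("token" in invite for invite in response)

def query_rejected(schema: dict, selection: list[str]) -> bool:
    try:
        get_pending_members(schema, selection)
    except GraphQLValidationError:
        return True
    return False
```

With the hardened schema the probing query fails validation before any resolver runs; a field-level authorization check would be the fallback only if the token genuinely had to stay in the schema for some other caller.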