Joseph Thacker

👑 WE WON! 🎉 LFGGGG! @Rhynorater @0xLupin @monkehack and I won MVH at the Google Live Hacking Event in Tokyo last week! It was focused on their AI products. We also had an awesome time in Japan. I'll post some of the highlights below.

@elonmusk Got a free month link?

Try Tesla FSD (self-driving)!

Absolutely absurd if this is true

The Research Lab is on fire this week, we just got a new writeup from SharkazFR: - TOCTOU race condition leads to full ATO on popular open source automation platform n8n lab.ctbb.show/writeups/tocto…

@thedawgyg Yeah but that doesn’t mean they’re using it well or efficiently

@rez0__ yea i have a memory file setup that they all use and store memories into. im having to tell claude to check its memory much more often now, none of the others are having this problem

Opus 4.6 has a bad habit the last few days of outright lying... they must be making it more human... Have had multiple (more than 5) instances where it claims to have completed a task, then when I ask for info about the task and confirmation, it admits t didn't do the task and doesn't have an excuse on why. Then will do the task right then (finally).

@7urb01 It might have been demo! 😝

🙈

@YShahinzadeh Wow. You’re insane

@rez0__ also got this one tonight

Feb 24, 2026 08:35PM ➜ submited Feb 24, 2026 10:46PM ➜ report was triaged Feb 25, 2026 12:23PM ➜ bug patched Mar 17, 2026 02:55PM ➜ bounty awarded

@ryancbarnett @thedawgyg @PortSwigger @CaidoIO @BugBountyDEFCON YESSSSSS

@rez0__ @thedawgyg @PortSwigger haha @rez0__ @CaidoIO I will be wearing this @BugBountyDEFCON this year 😂

@PortSwigger is dead wrong for this one. Making a claim that allowing people to BYOK for AI does not do shit for your own AI policies, if anything it would make it easier for you to abide by them since you offload the responsibility to the user and not yourself. It may be time to start thinking of using something other than Burp if they are going to force you to use their shitty AI instead of something that works well.

Two things @rez0__'s been running in his Claude Code setup worth stealing: 1. Self-improving CLAUDE .md loop Add this somewhere in your file: "Anytime I get frustrated, anytime I have to re-explain something you didn't understand, or anytime you try a command and it fails repeatedly, add that lesson to the Applied Learning section in your CLAUDE .md" Next time the same situation comes up, it already knows where your session files live, which commands work on your system, whatever it had to figure out the hard way. Saves you time, usage and frustration. 2. Discord as a remote Claude Code interface He got tired of Claude RC not supporting --dangerously-skip-permissions so he built a Discord bot. Each task spawns its own thread as a session, tool calls render as diff blocks with green for additions, red for removals. There's also a resume command at the top of every thread so he can jump back in from a VPS. Takes voice messages and attachments. He uses it to validate findings, check logs, host files, all from his phone without touching his laptop.

😊

We had to release this one before @rez0__'s brain started returning 429s. Everything you always wanted to know about using AI to help you hack. ...or is it you who's helping the AI? 👀 youtu.be/qTX9u-EsjmM

@OriginalSicksec github.com/caido/skills

@rez0__ skill4agent.com/en/skill/caido… ?

claude code in caido go brrrr

hooks bypass perms and the model doesnt even see it

How it feels submitting AI-assisted findings.

@hrishioa @minu_who @simonw Same issue with “ai hacking”. Which does it mean!?

Simon ( @simonw)'s new agentic Engineering patterns guide is crazy useful - but it also raises the question, before it confuses us all - is Agentic Engineering engineering with agents, or engineering agents? If I said Hammer Engineering, would that mean engineering with hammers or engineering hammers?

alright it's back to this thursday. we're so back.

WE DID IT ! WE RAISED $5.9M PRE-SEED 🥳🎉🎉