Yanir Tsarimi

96 posts

@Yanir_

hacking & looking for the unknown unknowns. cofounder @EnclaveAI

Joined October 2009
160 Following · 3.3K Followers
Pinned Tweet
Yanir Tsarimi @Yanir_ ·
I hacked Microsoft's AI bot for healthcare on a Friday night. Within hours I could access data of multiple healthcare organizations, but it didn't stop there. Microsoft fixed the issue, and then I did it again, and again, and again.. Here's the story of Lethal Injection: 💉

Yanir Tsarimi retweeted
Enclave @EnclaveAI ·
NGINX Rift is the new 18-year-old nginx RCE. Every version since 2008 in scope. We scanned 1,465 configs from 528 popular GitHub repos to see how bad it really is. What we found, and where the real attack surface actually lives 👇

Yanir Tsarimi retweeted
Tal Hoffman @talhof8 ·
We just shipped v1 of code security review at @EnclaveAI. A lot has already been said about SAST, AI SAST, and everything in between. We're putting exploitability at the center, with cloud & runtime context coming next! Free plan is pretty generous (credit card needed), but happy to drop more credits in, if needed (DM me).

Alon Gubkin @alongubkin ·
If you haven't tried @EnclaveAI yet, it's a must-have. It finds real vulnerabilities and you can connect their MCP to Claude Code / Codex to fix them!

Yanir Tsarimi @Yanir_ ·
@HaifeiLi They are filtering for evident impact. Everyone is swamped with AI reports now. And if Big Sleep is finding those memory bugs before they are reported, they have no value

Haifei Li @HaifeiLi ·
What could be the real reason behind the dramatic decision on Chrome bug bounty? (I’m just being curious 😅, especially while studying the impact of AI on vulnerability discovery)
1. We can use AI to find all/most of the bugs so we don’t need external help anymore. Chrome security stays the same or beyond.
2. We got so many AI slopping reports through the bounty program which cost our engineers great time, we reduced the prices dramatically so nobody will be even interested in sending AI slops!
3. We will shift the bug hunting work to internal teams. Chrome security stays the same or beyond.
4. Unfortunately we miscalculated previously, the volume of bugs surpassed our expectation and our budget is broken, so we had to reduce the price per bug (even dramatically).
5. We don’t care about Chrome security anymore, nobody can leave that because Chrome is a monopoly. 😅 (no need to vote for this one)
6. Others, please specify?
Ref: x.com/loobeny/status…

Yanir Tsarimi @Yanir_ ·
I've discovered CVE-2026-32173 by steering a single agent. The vuln: you could listen to anyone's AI chat stream on Azure SRE agent. Including LLM thinking, commands, tools. The auth check was there, but at the wrong place. Patched. Critical, Information Disclosure. $20k bounty

Yanir Tsarimi retweeted
Enclave @EnclaveAI ·
Our CPO @yanir_ found a massive wiretap vuln in Microsoft’s new Azure SRE Agent. Anyone with a free Microsoft account could silently watch the agent work in real time. 🧵

Yanir Tsarimi retweeted
Enclave @EnclaveAI ·
"I think security is going to become the hottest job in the future..look how sexy it’s become in the last couple of weeks." As Anthropic prepares to deploy Mythos asymmetrically, now’s the time to get proactive and procure before attack surfaces grow further. Watch co-founder and CEO @talhof8’s full @tbpn interview on the future of AI-powered defense.

Yanir Tsarimi @Yanir_ ·
been deep in building LLM harnesses and kept hitting the same problem. context window gets polluted fast and everything degrades. instead of guessing I dug through how Claude Code, Codex, Cline and OpenCode actually handle it. turns out they all independently landed on the same patterns. wrote it all up as an open wiki. covers the obvious stuff like caching and truncation but there are levels to it. github.com/yanirz/token-w…

Yanir Tsarimi retweeted
Tal Hoffman @talhof8 ·
After @AnthropicAI's Project Glasswing was announced, it's clear we're entering a new era for AI in security research, and it's exciting to see it play out at this level. Some thoughts:
1. Finding a vulnerability is one thing, proving it's exploitable is another challenge entirely. Mythos genuinely stands out here. Autonomously writing a full ROP chain for a 17-year-old FreeBSD bug, chaining 4 vulnerabilities into a JIT heap spray across major browsers, producing 181 working exploits for a Firefox JS engine... That's end-to-end vulnerability research. Really impressive step forward for the security community!
2. Zero-days are called that because they were undiscovered - and finding unknown unknowns is genuinely hard. In the demo I shared yesterday, we found the same FreeBSD 0-day, and guiding the model where to look was a big part of it. What @AnthropicAI showed with Mythos is a meaningful leap from where the rest of us are today.
3. With that, Nicholas Carlini has been showing a compelling approach: target specific files, "tokenmaxx" the model's attention on security-relevant code, and let it explore through a simple agent loop. The tooling and scaffolding around the model matters as much as the model itself.
4. The cat and mouse game between offense and defense is only going to get faster and more intense. The same capabilities that find vulnerabilities will be available to attackers. But the good news is that this also gives defenders better tools to find and fix issues before they're exploited -- security teams will be able to cover more ground, faster, than ever before.
5. We can expect more teams, more approaches, and more breakthroughs here. This is the beginning of a much larger wave in AI security research!
Tal Hoffman @talhof8

This is really impressive! With the proper harnesses, and some guidance, we were actually able to find that same FreeBSD zero-day using Sonnet 4.6.


Yanir Tsarimi @Yanir_ ·
@momo_dev @talhof8 We do a pretty thorough coverage analysis on your codebase from the jump. However, sometimes we miss things, so nudging in the right direction can help. We are always iterating on improving our engine, and expect this to improve dramatically.

Yanir Tsarimi retweeted
Yanir Tsarimi @Yanir_ ·
Most people don't know about OpenAI/Anthropic's Batch API. It's not instant, but it definitely helps to save costs when doing LLM-guided testing or fuzzing. I use it to generate large volumes of test cases. Very useful if you're building a system that works with complex and unpredictable input. 50% off for tokens is hard to beat. I ran it on my own codebase and found 30 bugs I didn't know about. The tests are not perfect, but it always catches a lot of bugs and edge cases. What I do is I orchestrate a few subagents, a QA engineer → test generator → judge loop works very well. The QA engineer generates or improves a test quality script. The test generator runs batch API generation scripts. I use both OpenAI and Anthropic for diversity. The judge looks critically at the generated tests and suggests improvements to be added to the quality script.

Yanir Tsarimi @Yanir_ ·
A year ago a friend asked me if LLMs could actually find real vulns. I told him: maybe in 5 years. A few weeks ago we started digging into OSS. What came back was bigger than expected. Vulnerabilities in packages sitting inside 100k+ repos, quietly affecting servers at Fortune 500s and major cloud infrastructure. Nobody had found them yet. And I never opened Burp Suite once. I just sat there staring at the screen. It felt surreal. These weren't trivial bugs. Real back-and-forth, nudging, course correction. But the model got there. On critical infrastructure. On its own. Here's the thing nobody talks about: the hard part isn't reproducing a known vuln. It's finding the one nobody's looked for yet. That's the gap we've been obsessing over. That's what Enclave does. Autonomous security research, starting with the bugs hiding in the open source your stack depends on. Still a lot to figure out. But I haven't felt this excited about security in a long time. If you're a security researcher or work in AppSec, I'd love to show you what we're building. DMs open.

Yanir Tsarimi retweeted
liad eliyahu @liadeliyahu ·
1/ 🚨 Recently, our research team found CVE-2025-25182, a critical security finding in Government Communications Headquarters (GCHQ), the UK's intelligence and security agency, maintained project, Stroom.

Yanir Tsarimi @Yanir_ ·
Hello to everyone coming from Daniel Boctor's YouTube video. Happy to see you liked my research. Will soon share new AI/cloud research with an even greater impact