Ash

@rad9800 lemonmaxxers assemble

I cannot recommend drinking lemon juice - I am currently 400ML through this 1L bottle. I look to finish the remaining 600ML over the next few hours.

@nikseeth I obviously do not cheer for the breach of any company, but I imagine that people in the SOC 2 world who have been shouting from the hilltops for years about the disingenuousness of automated SOC 2 platforms, feel very vindicated rn

So a YC backed LLM tool was just compromised with a vicious supply chain attack, but don't worry they were certified SOC 2 with Delve.

@IceSolst @Atredis @DistrictCon "If that is what you want." "This is hard work." "I will do what I must." "This hammer is heavy." "Can I have some shoes?" I don't think they could release a game like this nowadays lmao

@_bin_Ash @Atredis @DistrictCon AK47s for everyone

THEY MADE A WORM IN C&C GENRALS Insane blog post by Bryan Alexander from @Atredis, presented at the @DistrictCon junkyard atredis.com/blog/2026/1/26…

PSA technique is not completely dead The implied attack path of the post is coerce auth from system -> relay to LDAP -> computer account writes its own attribute Post patch, there are still use cases for shadow creds. (GenericAll, GenericWrite, or AddKeyCredentialLink, etc).

I guess we'll talk a bit about modern red teaming. The difficulty has increased severely. Lots of people be like just vibe code a stage0 with legit code for your pretext. How are you delivering it to bypass app control? Lots of words, no substance.

@ConsciousHacker lots of people who used to post cool stuff on Twitter, got consulting jobs, and now are 🤐🤐🤐

Stop listening to people that don't do the work. Those people are loud. Listen to people that do. The people that do the work are typically quiet.

Excited to disclose my research allowing RCE in Kubernetes It allows running arbitrary commands in EVERY pod in a cluster using a commonly granted "read only" RBAC permission. This is not logged and and allows for trivial Pod breakout. Unfortunately, this will NOT be patched.

@WYTCHRR @hourlybladee What is it like living that close to holy ground?

@hourlybladee This was at the Bojangles down the road from me

bladee north carolina moment

@tcstacks_ If you’re really good at infosec you can be wrong and still get paid

@_bin_Ash we have a lot in common (we get paid whether or not we're right)

I thought infosec twitter was toxic until I discovered meteorology twitter

@techspence @jeffmcjunkin MFA on SMB when? @Microsoft

MFA on RDP internally is a great step towards restricting lateral movement, but don't get tunnel vision. There's still: SMB, WinRM, WMI

@GrahamHelton3 If I had followed this I would have become a lifelong SAP admin

The biggest one: "You should specialize early".

@OutflankNL @StanHacked @mariuszbit Whoa!! awesome congrats y’all

📢 Big News! @mariuszbit is joining Outflank! He ticks all the boxes: Experienced #offsec researcher ✓ Respected name in red teaming ✓ Built RMF tooling for initial access ✓ His work is coming to OST✓ The red hoodie fits perfectly ✓ Welcome Mariusz! outflank.nl/blog/2026/01/2…

@jamieantisocial People who say this have obviously never heard of spongemaxxing Always try to be around smart people. Ask them for advice. Find people building or doing cool things and ask them about it I’m lucky to feel dumb on a daily basis at work when I talk to colleagues

"avoid asking too many questions or you will seem dumb" 🤡

Why does my Washer machine need AI

@tcstacks_ Ok but what about pentesting 2?

look one day pentesting is gonna be hard, but today is not that day

@Blurbdust @ch1gg1ns Thank u Mr Losby ❤️❤️❤️

The blog with how to use the rainbow tables for Net-NTLMv1 is finally live! cloud.google.com/blog/topics/th… My slides from presenting at BRCC are still available if you're curious about how crazy of a three year journey it was to get them created. content.burningrivercybercon.com/talks/nic-losb…

@HackingLZ @HackingDave brb telling Google marketing to dislike this post

@_bin_Ash @HackingDave You spelled Claude code wrong

Using AI for coding is literally the single greatest thing that has happened in my lifetime around coding except for the creation of Python 😂

@vysecurity Also somewhat related but there are SO many super super talented red teamers that are _not_ on Twitter/x at all. Take what u read on here with a grain of salt

@vysecurity Some of the most talented people I've had the pleasure of working with are great because of this. ofc technically they are gifted, but I learned to most from people who thing strategically about how to break in, what to do next, what levers to pull to get someone to do xyz, etc

Red Teaming isn’t just hacking; it’s strategic thinking to expose real weaknesses before attackers do. I’ve led ops where a simple phishing pivot cracked enterprise forts wide open. Key: Blend social eng with tech exploits for max realism. Thread: 1/3